DOCKER Expose SSH Argument. (Secrets Flag) #11255
Comments
Plus one for this!
This would be super helpful for me also!
Hello, thanks for reporting @GetOnMyLvl97. Is there a reason why
Well I don't think so but, there is no option in the current serverless set-up that adds the ssh flag to the docker command as I see it from this article. The docker command that gets generated is in my case this one
EDIT:
Sorry @GetOnMyLvl97, I've missed that it's with As for using the
Sorry from my side. I should have written flag instead of buildarg... corrected it now. Well, passing the absolute path to the ssh key instead of passing the content as arg won't work because the absolute path of your resources refers to an absolute path within the build context, not an absolute path on the host OS.
Why do you think using ssh is a niche use case? E.g. in my company, we're using our own lambda decorators hosted in a private git repo across all serverless services.
No worries, I misread the docker docs!
What I was thinking of was something along those lines in your Dockerfile:
Wouldn't that work? I might be missing something here of course
Of course, I might be mistaken here, but when I used Docker more extensively in the past, the checkout of git repo that the contents of were later baked into image usually happened before btw, I'm not saying one or the other is better/worse, I'm trying to understand the use case as much as I can 👍
All the resources need to be in the dir that you run the build, i.e. where your Dockerfile is. You can't use an absolute path from elsewhere, think of it from the build perspective. For a couple of years, it was a pain in the ass to build dockers with private git but they improved dramatically. Imagine I would need to clone 4-5 repos in my builddir, copy them into the image and hit for everyone the setup.py. This will add a lot of unnecessary complexity. Instead, I can use the --mount=type=ssh pip install -r requirements.txt.
Thanks for the clarification @GetOnMyLvl97 and description of your use case. Let's gather more feedback on this and we can consider it as a potential feature (the
Makes sense! What do you think the implementation could look like? serverless/lib/plugins/aws/provider.js Line 2155 in bb37f4f
Adding something similar like for platform? I'm happy to contribute, serverless is a nice piece of software :)
Hey @GetOnMyLvl97 - yeah, the implementation should probably be similar as for platform - related PR for inspiration: https://github.com/serverless/serverless/pull/10237/files. One thing that I'm not sure is how the ssh config should be scoped - should it be redefined for each image if you have more of them?
Hey folks, came across this issue as I'm running into the same exact unsolved use case of needing to pip install from private repos. It would be really nice for serverless to support the As a side note, it would also be nice to support a more general way to pass arbitrary flags to the Docker build process so that each build option doesn't need a sls counterpart. For example, maybe something like
Any news on this?
We are in desperate need of a way to pass arbitrary options to the
+1 this would be really useful
Hey @martinezpl - I think that makes sense, but I'm not sure if the Serverless team will have capacity to work on that (I'm no longer a part of the team)
Is there an existing issue for this?
Use case description
Hello all,
I need to access my private GitHub repos and want serverless to handle the creation of the ECR Repo and building/push to ECR.
Currently, it's only possible to use buildArgs so I tried to cat my key and put it as build arg in the image.
Unfortunately it seems like
is actually not doing the operation as I get the cat command in my ARG instead of the ssh key.
Proposed solution (optional)
In my opinion, the ssh flag which will use the SSH_AUTH_SOCK would be perfect to handle this.
https://docs.docker.com/develop/develop-images/build_enhancements/
We could add something like this:
which will modify the docker build command to include
Like this, it would be possible to make use of the mount and even use multiple sockets per build
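
The BuildKit SSH mount discussed in this issue, shown beside the build-arg approach it replaces. This is an added example, not part of the original thread or of the Serverless code base; the base image, the `example-image` tag and the private requirement URL are assumptions.

```dockerfile
# syntax=docker/dockerfile:1
# Added example. Base image, paths and the private repository named in
# requirements.txt are assumptions, not taken from the thread.
FROM python:3.11-slim

# git and an SSH client are needed for pip to fetch git+ssh:// requirements.
RUN apt-get update \
 && apt-get install -y --no-install-recommends git openssh-client \
 && rm -rf /var/lib/apt/lists/*

# Record the Git host's key so the clone does not stop at the host-key prompt.
# ssh-keyscan trusts whatever answers at build time; for stricter builds, COPY a
# known_hosts file whose fingerprints were verified out of band.
RUN mkdir -p -m 0700 /root/.ssh \
 && ssh-keyscan github.com >> /root/.ssh/known_hosts

WORKDIR /app
COPY requirements.txt .

# Avoid: passing the key as a build argument. The value is recorded in the
# image metadata and can be read back with `docker history`, and writing it
# to a file leaves it in a layer.
#   ARG SSH_PRIVATE_KEY
#   RUN echo "$SSH_PRIVATE_KEY" > /root/.ssh/id_rsa && pip install -r requirements.txt

# Prefer: the SSH mount forwards the agent socket for this RUN step only.
# No key material is written to a layer.
# requirements.txt may then contain a line such as (constructed):
#   private-decorators @ git+ssh://git@github.com/example-org/private-decorators.git
RUN --mount=type=ssh pip install --no-cache-dir -r requirements.txt

COPY . .

# Build on a host with the key loaded into ssh-agent (SSH_AUTH_SOCK set):
#   DOCKER_BUILDKIT=1 docker build --ssh default -t example-image .
```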