Getting Started With Docker BuildKit In Order To Safely Use A Private SSH Key During A Build
Docker BuildKit is an overhaul of Docker's build architecture. Builds that go through BuildKit gain in performance, storage management, available features and security. It ships with Docker 18.09 and later.
Most importantly for this post, it adds two features:
- the `--secret` command line option, which passes secret information into a single `RUN` step of the build without writing it into a layer; and
- the `--ssh` command line option, which lets the Docker Engine forward an SSH agent connection into a `RUN` step during the build.
Enable BuildKit
You can enable BuildKit in two different ways. The first is to set the environment variable at the point of performing the build, like so:
```shell
export DOCKER_BUILDKIT=1
docker build .
```
Alternatively, you can enable BuildKit by default for the Docker daemon by configuring the daemon and restarting it. Note that the command below overwrites `/etc/docker/daemon.json`; if you already have one, add the `features` key to the existing file instead:
```shell
echo '{ "features": { "buildkit": true } }' | sudo tee /etc/docker/daemon.json && \
sudo service docker restart
```
Change Output
After enabling BuildKit, you will notice that the build output is rendered differently (an interactive, collapsing view of the build steps). If you would prefer to go back to the simpler line-by-line output, for example in CI logs, pass `--progress=plain` to `docker build`.
Jenkins
If using Jenkins for your pipeline, you can enable BuildKit by putting the following in your pipeline:
```groovy
environment {
    DOCKER_BUILDKIT = '1'
}
```
This only switches the builder; an SSH-based build still needs an SSH agent with the key loaded on the Jenkins node that runs `docker build`.
Using Private SSH Key During A Build
Now that we have BuildKit enabled, we can make use of it in order to safely use a private SSH key for retrieving assets during a build, without a record of the SSH key ending up anywhere inside the image's layers. Rather than copying the key file into the build, `--ssh` forwards the host's SSH agent socket into the `RUN` step that asks for it: the step can ask the agent to authenticate, but the key itself never leaves the host. This way, if someone manages to get hold of the Docker image, they do not have access to your private SSH key, only the assets that it was used to retrieve. The step can still use the agent for anything it likes while it runs, so use a deploy key scoped to the one repository rather than your personal key.
Below is an example of setting up your Dockerfile in order to use a private SSH key to install a private python package:
```dockerfile
# syntax=docker/dockerfile:1
FROM ubuntu:20.04
# Install git, the SSH client and pip non-interactively (the base image ships none of them).
RUN apt-get update && apt-get install -y --no-install-recommends \
        openssh-client git python3-pip \
    && rm -rf /var/lib/apt/lists/*
# Set up SSH and add GitHub to our list of known hosts. The directory needs 0700
# (the execute bit) rather than 0600. ssh-keyscan trusts whatever answers at build
# time; for a stricter build, paste GitHub's published host keys instead.
RUN mkdir -p -m 0700 ~/.ssh && ssh-keyscan github.com >> ~/.ssh/known_hosts
# Install a private python package using a GitHub deploy key (private SSH key).
# Only the agent socket is mounted for this step; no key file is written to the layer.
RUN --mount=type=ssh pip3 install git+ssh://git@github.com/github-username/repo-name.git@my-tag-name#egg=my-package-name
# other things...
```
Then, with the deploy key loaded into your SSH agent (`ssh-add path/to/deploy_key`), you can build with:
```shell
export DOCKER_BUILDKIT=1
docker build --ssh default .
```
`--ssh default` forwards the agent found in `$SSH_AUTH_SOCK`. If no agent is running you can point BuildKit at the key file instead, `--ssh default=$HOME/.ssh/deploy_key`; BuildKit then runs its own agent for the key, and the file is still never copied into the image.
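The whole point of `--ssh` is that the key never ends up in a layer, so it is worth checking that directly after a build. The script below is an added example and not code from the original post: `scan_image_tar` takes the tarball written by `docker save`, opens every inner tar it finds (`<id>/layer.tar` in the legacy layout, `blobs/sha256/*` in the OCI layout) and greps both the file list and the file contents for private-key material; `scan_image` wraps it with the `docker save` call. Because deleted files still live in the layer that created them, this also catches the older `COPY id_rsa` then `rm` anti-pattern, not only the `--ssh` case. The function names and the regular expressions are this example's own; it assumes only `tar`, `grep`, `find`, `sed` and `docker` on the PATH.

```shell
#!/bin/sh
# Added example, not code from the original post: scan an exported image for
# leaked SSH private keys. Assumes only tar, grep, find, sed and docker.

# Content and path patterns that should never survive into a layer.
# known_hosts is deliberately not matched: the Dockerfile writes it on purpose.
KEY_MARKERS='BEGIN ((OPENSSH|RSA|EC|DSA|ENCRYPTED) )?PRIVATE KEY'
PATH_MARKERS='(^|/)\.ssh/id_[a-z0-9]+$'

# scan_image_tar <image.tar>
# Takes the tarball produced by `docker save`, opens every inner tar it finds
# and greps both the entry names and the entry contents. Prints each finding.
# Returns 1 if anything matched, 0 if the image is clean, 2 on extraction error.
scan_image_tar() {
  image_tar=$1
  work=$(mktemp -d) || return 2
  report="$work/.report"
  : > "$report"
  tar -xf "$image_tar" -C "$work" || { rm -rf "$work"; return 2; }
  find "$work" -type f ! -name .report | while IFS= read -r inner; do
    # Skip manifest.json, config blobs and anything else that is not a tar.
    tar -tf "$inner" >/dev/null 2>&1 || continue
    # 1. A key file that was COPYed in (even if a later layer deleted it).
    tar -tf "$inner" | grep -E "$PATH_MARKERS" \
      | sed "s|^|key-like path in $inner: |" >> "$report"
    # 2. Key material that landed in some other file (pip cache, shell history, ...).
    if tar -xOf "$inner" 2>/dev/null | grep -Eaq "$KEY_MARKERS"; then
      echo "private key material inside $inner" >> "$report"
    fi
  done
  cat "$report"
  if [ -s "$report" ]; then rm -rf "$work"; return 1; fi
  rm -rf "$work"
  return 0
}

# scan_image <image[:tag]>
# Exports the image with `docker save` and scans it; same return codes.
scan_image() {
  tmp_tar=$(mktemp) || return 2
  docker save "$1" -o "$tmp_tar" || { rm -f "$tmp_tar"; return 2; }
  scan_image_tar "$tmp_tar"
  rc=$?
  rm -f "$tmp_tar"
  return "$rc"
}
```

Typical use after the build above: `docker build --ssh default -t myapp:latest . && scan_image myapp:latest && echo "no key material in any layer"`. A non-zero exit with findings printed means a key got into the image, most often because a `COPY` of the key file was left in from before the switch to `--mount=type=ssh`.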
References
- Stack Overflow: Using SSH keys inside docker container
- Docker Docs: Build images with BuildKit
- CloudSavvy IT: What is Docker's BuildKit and Why Does It Matter?
- Stack Overflow: Add variable to dockerfile{} section in Jenkinsfile to enable docker_buildkit
First published: 11th October 2021