
Anyone used Habitus with Docker

Discussion in 'HTML, Graphics & Programming' started by hargi, Jul 16, 2018.

  1. hargi

    Wise Guy

    Joined: Jul 19, 2006

    Posts: 1,844

    Looking for some help ... just started looking at Docker and docker-compose; however, some of our gems are in a private repo, which means that the build fails as the container does not have access to my SSH keys. There is very little documentation out there on this, but what I can gather is that if you add them to the container then they stay in the history, and if you do a docker push then they are accessible to the world.

    Have seen that https://www.habitus.io/ can solve this problem but can't find any real tutorials on this?

    All I need to do is build a Rails server but pulling gems from our private repo while being secure.

    Thanks
     
  2. Azza

    Caporegime

    Joined: Dec 6, 2005

    Posts: 33,578

    Location: Birmingham

    I haven't used Ruby so not sure how this would translate but I imagine it would be a very similar concept to npm packages. Passing in the key or token into the Gemfile or config file for bundler?

    To get our private npm packages I've set up a multi-stage build, so the Dockerfile essentially looks like this.


    Code:
    # First build
    FROM base-image AS build
    ARG NPM_TOKEN
    COPY . .
    RUN echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" > .npmrc && \
        npm install --production && \
        rm -f .npmrc
    # Second build
    FROM base-image
    COPY --from=build . .

    The NPM_TOKEN is configured in the Travis repo settings; .travis.yml has a docker build cmd that passes in the build-arg.

    Code:
    docker build -t image_name --build-arg NPM_TOKEN=$NPM_TOKEN .

    So that will throw the registry with the required npm_token into an .npmrc file which npm reads when it does the install. Reason for doing a multi stage build is because it's possible to extract the file from an intermediate layer and you can see the token in the history of the image as well. Multi stage builds only keep the history of the final image, so providing your CI gets rid of the images it makes during the build process and bins off the cache then it's all good.


    Only 3 years since this issue about Docker and secrets was opened - https://github.com/moby/moby/issues/13490
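
The history leak described in the post above can be checked before an image is pushed. This is an added example, not part of the original thread: a Python check over the per-layer `CreatedBy` strings that `docker history --no-trunc --format '{{.CreatedBy}}' IMAGE` prints. The function name, the name heuristic and both sample histories are constructed for illustration.

```python
import re

# Build-arg names that usually carry credentials (a heuristic assumed by this example).
SENSITIVE = re.compile(r"TOKEN|SECRET|PASSWORD|PASSWD|KEY|CREDENTIAL", re.I)
# A RUN step executed with build args is recorded as "|<count> NAME=value ... <command>".
# BuildKit records the same text prefixed with "RUN ".
ARG_PREFIX = re.compile(r"^(?:RUN )?\|(\d+) (.*)$", re.S)


def leaked_build_args(created_by_lines):
    """Return sorted names of sensitive-looking build args recorded in image history.

    Input: one CreatedBy string per layer of the image that will be pushed.
    Simplification: values that contain spaces are not handled.
    """
    found = set()
    for line in created_by_lines:
        m = ARG_PREFIX.match(line.strip())
        if not m:
            continue
        count, rest = int(m.group(1)), m.group(2).split(" ")
        for pair in rest[:count]:
            name, sep, value = pair.partition("=")
            if sep and value and SENSITIVE.search(name):
                found.add(name)  # report the name only, never echo the value
    return sorted(found)


# Constructed sample: history of a single-stage image built with --build-arg NPM_TOKEN=...
SINGLE_STAGE = [
    '/bin/sh -c #(nop) COPY dir:0000 in . ',
    '|1 NPM_TOKEN=constructed-not-a-real-token /bin/sh -c echo '
    '"//registry.npmjs.org/:_authToken=$NPM_TOKEN" > .npmrc && '
    'npm install --production && rm -f .npmrc',
]
# Constructed sample: history of the final stage of the multi-stage build (only the COPY).
FINAL_STAGE = [
    '/bin/sh -c #(nop) COPY dir:0000 in . ',
]

if __name__ == "__main__":
    for label, hist in (("single-stage", SINGLE_STAGE), ("final stage", FINAL_STAGE)):
        names = leaked_build_args(hist)
        print(f"{label}: {'LEAK ' + ', '.join(names) if names else 'no build args recorded'}")
```

Run as a CI step against the final image, a non-empty result is a reason to fail the build before `docker push`.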
     
  3. hargi

    Wise Guy

    Joined: Jul 19, 2006

    Posts: 1,844

    Thanks Azza,

    I have got Habitus working with a multi-stage build, which seems to have worked and taken out the SSH keys.

    Would the workflow then be to use docker-compose to spin up a db and the new image I built?
     
  4. Azza

    Caporegime

    Joined: Dec 6, 2005

    Posts: 33,578

    Location: Birmingham

    Yeah, or just point your app to a db that's running in the normal fashion.

    You'll probably want a volume with your db if you run it as a container so you don't lose your things if it's important.