Anyone used Habitus with Docker

hargi · 16 Jul 2018 at 12:16

looking for some help ... just started looking at Docker and docker-compose, however, some of our gems are in a private repo which means that the build fails as the container does not have access to my ssh keys. There is very little documentation out there on this, but what I can gather is if you add them to the container then they stay in history and if you do a docker push then they are accessible to the world.

Have seen that https://www.habitus.io/ can solve this problem but can't find any real tutorials on this?

All I need to do is build a rails server but pulling gems from our private repo while been secure.

Thanks

Azza · 16 Jul 2018 at 21:49

I haven't used Ruby so not sure how this would translate but I imagine it would be a very similar concept to npm packages. Passing in the key or token into the Gemfile or config file for bundler?

To get our private npm packages I've setup a multistage build so the Dockerfile essentially looks like this.

Code:

#First build
FROM base-image AS build
ARG NPM_TOKEN
COPY . .
RUN echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" > .npmrc && \
npm install --production && \
rm -f .npmrc
# Second build
FROM base-image
COPY --from=build . .

The NPM_TOKEN is configured in the Travis repo settings, .travis.yml has a docker build cmd that passes in the build-arg

Code:

docker build -t image_name --build-arg NPM_TOKEN=$NPM_TOKEN .

So that will throw the registry with the required npm_token into an .npmrc file which npm reads when it does the install. Reason for doing a multi stage build is because it's possible to extract the file from an intermediate layer and you can see the token in the history of the image as well. Multi stage builds only keep the history of the final image, so providing your CI gets rid of the images it makes during the build process and bins off the cache then it's all good.

Only 3 years since this issue about Docker and secrets was opened - https://github.com/moby/moby/issues/13490

hargi · 18 Jul 2018 at 07:56

Thanks Azza,

I have got habitus working with a multibuild which seams to have worked and taken out the ssh keys.

Would the workflow then be to use docker-compose to then spin up a db and the new image I built

Azza · 18 Jul 2018 at 21:08

Yeah or just point your app to a db thats running in the normal fashion.

You'll probably want a volume with your db if you run it as a container so you don't lose your things if it's important.