Yet Another Reason I Cannot Use Docker

I would love to use Docker but keep finding edge cases that block its usage. Today the hurdle is with our private repositories and docker build.

The sites we build have external dependencies on private libraries we have written, both Python and JavaScript. These dependencies are currently fetched via Mercurial/Git over SSH, but at build time a Docker container doesn’t have access to private keys with permission to access them. The current solutions I’ve seen are to copy in a password-less private key with access to the repositories you need. But then you’re in the horrible situation of either passing around a password-less private key or everyone generating one of their own. Both options are a security risk.
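A small check for the anti-pattern described above, added here as an example and not code from the original post: it scans a Dockerfile for COPY, ADD or RUN instructions that reference private key material. The file-name patterns and the sample Dockerfile are constructed for the example. Note that a key copied in and deleted in a later RUN still survives in the earlier layer's filesystem, which is why the checker also flags the removal line rather than treating it as a fix.

```python
import re
from typing import List, Tuple

# Assumed file-name patterns for secret material that must never land in an
# image layer (constructed for this example; extend to taste).
KEY_FILE_PATTERNS = [
    r"id_(rsa|dsa|ecdsa|ed25519)(?!\.pub)\b",  # OpenSSH private keys, not the .pub half
    r"\.pem\b",                                # PEM-encoded keys
    r"\.ssh/?(\s|$|\")",                       # copying a whole .ssh directory
    r"\.hgrc\b",                               # Mercurial config can carry credentials
    r"\.netrc\b",                              # HTTP credentials for pip/git
]

# Instructions that can place a file into a layer. RUN is included because
# "RUN rm id_rsa" does not scrub the layer that added the key earlier.
INSTRUCTIONS = ("COPY", "ADD", "RUN")

# Constructed sample showing the pattern the post describes: a password-less
# key copied in so that pip can clone private repositories over SSH.
SAMPLE_DOCKERFILE = """\
FROM python:2.7
# constructed example of the anti-pattern
COPY id_rsa /root/.ssh/id_rsa
COPY id_rsa.pub /root/.ssh/id_rsa.pub
RUN chmod 600 /root/.ssh/id_rsa && \\
    ssh-keyscan github.com >> /root/.ssh/known_hosts
RUN pip install -r requirements.txt
RUN rm /root/.ssh/id_rsa
"""


def logical_lines(dockerfile: str) -> List[Tuple[int, str]]:
    """Join backslash-continued lines; return (first line number, logical line)."""
    out, buf, start = [], "", None
    for no, raw in enumerate(dockerfile.splitlines(), 1):
        line = raw.rstrip()
        if start is None:
            start = no
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        out.append((start, " ".join(buf.split())))
        buf, start = "", None
    if buf.strip():
        out.append((start, " ".join(buf.split())))
    return out


def find_key_references(dockerfile: str) -> List[Tuple[int, str]]:
    """Return (line number, instruction) for every instruction touching key material."""
    findings = []
    for no, line in logical_lines(dockerfile):
        if not line or line.startswith("#"):
            continue
        instruction = line.split(None, 1)[0].upper()
        if instruction not in INSTRUCTIONS:
            continue
        if any(re.search(pat, line) for pat in KEY_FILE_PATTERNS):
            findings.append((no, line))
    return findings


if __name__ == "__main__":
    for no, line in find_key_references(SAMPLE_DOCKERFILE):
        print("line %d: private key material in image layer: %s" % (no, line))
```

Copying only the public key or `known_hosts` is not flagged, since neither is secret; the chmod and rm lines are flagged because they prove the private key was present in a layer at some point.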

Someone raised a ticket 6 months ago addressing this, "Forward ssh key agent into container" (#6396), which would nicely solve this problem by giving the build access to SSH_AUTH_SOCK. But there has been only a little discussion on the ticket since, and it doesn’t look like it is even on the Docker roadmap right now. So I am left either:

  • Ignoring the security risks.
  • Taking on the ticket myself.
  • Providing another way of adding dependencies.

The latter is the way I will likely go, as I am not happy ignoring security risks and I don’t know enough Go to contribute usefully to Docker. However, it isn’t clear at this stage what other implementation could be used. Python has devpi, but you still need a username/password to access private indexes. Bower can only pull things from Git repositories, so that one might be a real blocker. Though I at least know JavaScript, so adding a new way for Bower to retrieve packages might be an option.