> one I think would be nice is one that basically takes an SSH_AGENT from
> the Jenkins user and exposes its keys as SSH keys (so good an idea I may
> implement it myself... if I get spare time or if my employer agrees it is a
> good idea)

In my reading I came across some references to mounting $SSH_AUTH_SOCK as a volume in the container and using that for ssh-agent forwarding. I didn't really understand what I was doing, I'll need to read more about ssh-agent forwarding, but I think that it will fail at least for the same reason as mounting ~/.ssh/ as a volume fails: the uid will inherit from the host, and not match the container uid.

> 2. Seed the JENKINS_HOME volume with unencrypted credentials.xml and have
> an init.groovy.d script trigger a save (which will encrypt them on first
> start)

This sounds like a workable way forward.

On Tuesday, 3 January 2017 19:51:09 UTC, Stephen Connolly wrote:
> there are two other options:
>
> 1. Bake the secret key used to encrypt Jenkins secrets into your image
> (downside, anyone with access to the image can decrypt the keys)
>
> 2. Seed the JENKINS_HOME volume with unencrypted credentials.xml and have
> an init.groovy.d script trigger a save (which will encrypt them on first
> start)
>
> Outside of that, you could look into implementing a plugin that extends
> from CredentialsProvider and exposes your ssh credentials how you see fit.
>
> one I think would be nice is one that basically takes an SSH_AGENT from
> the Jenkins user and exposes its keys as SSH keys (so good an idea I may
> implement it myself... if I get spare time or if my employer agrees it is a
> good idea)
>
> That way you could mount the SSH_AGENT socket into docker and away you
> go... of course none of that is written yet... so for now just hack it
> working
>
> On Tue 3 Jan 2017 at 14:21, Barry Laffoy <[email protected]> wrote:
>
>> Hi
>>
>> I'm trying to set up our Jenkins master in a reproducible way using the
>> Docker image here: https://github.com/jenkinsci/docker
>>
>> One problem I am having is how to make ssh private keys (e.g. for polling
>> git repos) available within the container in a secure manner. Ideally, I
>> would like to be able to set the private keys at runtime for the container, as
>> a way to test the configuration in a safe environment before it is promoted
>> to production.
>>
>> Copying the keys at build time fails this second requirement (and may
>> have security implications if it would make a user's private key visible to
>> anybody with permission to run the container?).
>>
>> Mounting the key location as a volume with `docker run -v
>> /path/to/keys:/var/jenkins_home/.ssh` does not work, as the mount point in
>> the container inherits the uid/gid of the host directory, which does not
>> match the uid/gid of the "jenkins" user within the container. There are
>> solutions to this available, using gosu, but that seems to be strongly
>> discouraged by the community.
>>
>> What is the advised/best practice way of injecting ssh private keys into
>> the Jenkins master container?
>>
>> Thanks
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Jenkins Users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/jenkinsci-users/8d8d6fd2-11c2-4946-93b3-07981944af23%40googlegroups.com
>> For more options, visit https://groups.google.com/d/optout.
>
> --
> Sent from my phone

--
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/683eb024-58cf-49b6-941c-6ad5add0c1bb%40googlegroups.com.
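As an added example (not code from the thread or from the jenkinsci/docker project), a POSIX shell function that prepares a JENKINS_HOME volume the way option 2 above describes: it writes a credentials.xml entry holding the SSH key in clear, drops an init.groovy.d script that forces a save so Jenkins re-encrypts the store on first start, and re-owns the tree to the container user so the bind-mount ownership problem from the original question does not bite. The credentials.xml element and class names, the uid/gid 1000 of the official image, and the script path are assumptions to verify against your own Jenkins and plugin versions.

```shell
# Seed a fresh JENKINS_HOME with an SSH key as a plaintext credentials.xml entry
# plus an init.groovy.d script that forces a save, so Jenkins rewrites the file
# with its own Secret encryption on first start. XML element/class names are
# assumed from the credentials and ssh-credentials plugins; verify for your version.
set -eu

# Usage: seed_jenkins_home <jenkins_home> <private_key_file> <credential_id> <ssh_user>
seed_jenkins_home() {
    home="$1"; keyfile="$2"; cred_id="$3"; ssh_user="$4"
    umask 077                       # everything created here is owner-only
    mkdir -p "$home/init.groovy.d"
    # PEM keys contain only base64, dashes, spaces and newlines, so no XML
    # escaping is needed; refuse anything else rather than write a malformed file.
    if grep -q '[<>&]' "$keyfile"; then
        echo "unexpected characters in $keyfile" >&2
        return 1
    fi
    cat > "$home/credentials.xml" <<EOF
<?xml version='1.1' encoding='UTF-8'?>
<com.cloudbees.plugins.credentials.SystemCredentialsProvider>
  <domainCredentialsMap class="hudson.util.CopyOnWriteMap\$Hash">
    <entry>
      <com.cloudbees.plugins.credentials.domains.Domain><specifications/></com.cloudbees.plugins.credentials.domains.Domain>
      <java.util.concurrent.CopyOnWriteArrayList>
        <com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey>
          <scope>GLOBAL</scope>
          <id>$cred_id</id>
          <username>$ssh_user</username>
          <privateKeySource class="com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey\$DirectEntryPrivateKeySource">
            <privateKey>$(cat "$keyfile")</privateKey>
          </privateKeySource>
        </com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey>
      </java.util.concurrent.CopyOnWriteArrayList>
    </entry>
  </domainCredentialsMap>
</com.cloudbees.plugins.credentials.SystemCredentialsProvider>
EOF
    cat > "$home/init.groovy.d/01-save-credentials.groovy" <<'EOF'
import jenkins.model.Jenkins
import com.cloudbees.plugins.credentials.SystemCredentialsProvider
// save() re-serialises the store, so <privateKey> is written back encrypted.
SystemCredentialsProvider.getInstance().save()
// One-shot: remove this script so it does not run again on every restart.
new File(Jenkins.instance.rootDir, "init.groovy.d/01-save-credentials.groovy").delete()
EOF
    # The official image runs as uid/gid 1000 unless built with other args; a bind
    # mount keeps host ownership, so re-own the tree when we have the privilege.
    if [ "$(id -u)" -eq 0 ]; then chown -R 1000:1000 "$home"; fi
}
```

Run it as root on the host (or from an init container) so the chown takes effect; until Jenkins has started once, credentials.xml holds the key in clear, so the volume needs the same handling as the key file itself during that window.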
