July 20, 2021, 6:35am
We have a specific issue. Because of legacy things we have decided to run all build tasks inside a container build with the ECR plugin. The problem we have is that we don’t know how to grant access to our private repositories on build. We know that we can do the same thing by just moving the building parts into steps, but it would require changing not only code, but also the developers’ local workflow, which we would like to avoid for now.
We know that Drone is using a .netrc file to authenticate to repositories, but this obviously doesn’t work by default with Dockerfiles. Our goal is to not store git credentials inside the docker container, so adding a command like COPY .netrc inside the Dockerfile is not an option.
Does anybody have a problem like this? Maybe somebody has a suggestion for this issue?
If possible, could you please share your Drone YAML file for our review? I am not clear on the use case here, so after looking into the YAML we can suggest accordingly.
One way I can think of is to pass the below as an env variable:
The question was asked how Drone clones a repository. I wanted to document this in Discourse so that others could benefit from the answer (and ask follow-up questions). A common misconception is that the agent clones the repository, or that the repository is cloned inside the agent container, which is not the case.
Drone adds a default clone step to every Pipeline. The clone step executes the clone plugin, which is pretty much just a vanilla Drone plugin that handles cloning the repository. Yo…
July 23, 2021, 11:41am
@csgit I will provide my PoC code.
- name: test ECR
RUN git clone https://github.com/path/to/private/repo.git
Do you know how to use the described variables inside a Dockerfile to authenticate?
July 23, 2021, 12:59pm
By default this is everything that we have when we are using the amazonlinux image to build:
Step 3/8 : RUN env
---> Running in 5792c735e97a
Removing intermediate container 5792c735e97a
Step 4/8 : RUN find / -type f -name ".netrc"
Running in fa4c230b43b0
We would like to have the .netrc file mounted in tmpfs or a git token inside the build container as an environment variable.
July 23, 2021, 1:24pm
Just asking a clarifying question here.
You want your Dockerfile that is being built to do the checkout of the private git repository?
July 23, 2021, 1:29pm
If that is the case, you could use build_args, as mentioned here: Docker | Drone, to pass through information to the docker plugin, then into your Dockerfile.
September 8, 2021, 11:27am
@TP_Honey I was able to pass credentials with build_args. The problem I can see with that approach is that it needs to persist somewhere in the container. Honestly, I don’t believe that all teams will remember to remove the credentials file from the created image. I need a solution like the one described in this PR: Add build secret flag by nashiox · Pull Request #264 · drone-plugins/drone-docker · GitHub
To enable this feature we also need to enable Docker BuildKit (Build images with BuildKit | Docker Documentation) inside the plugin.
This will solve my issue, because I will be able to pass the .netrc file as a secret in the Docker build and it will not persist in the container image.
Can you look again at the provided PR or just think about your own implementation of this feature? I think that there will be a lot of people who would like to use it in their pipelines.
September 16, 2021, 1:37pm
I have created a PR with support for secrets and I have also added a comment to the existing secret issue.
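The contrast discussed in this thread, as an added example that is not code from any poster or from the drone-docker plugin: the build_args pattern next to a BuildKit secret mount for the .netrc file. The amazonlinux:2 tag, the /src path, the secret id `netrc` and the image name `example` are assumptions; the repository URL is the placeholder from the post above, and how the Drone plugin forwards the secret is not shown.

```dockerfile
# syntax=docker/dockerfile:1
# Added illustration; image tag, paths and secret id are assumptions.
FROM amazonlinux:2

RUN yum install -y git && yum clean all

# --- Weak pattern (build_args), kept commented out for comparison ---------
# A build argument consumed by RUN is recorded in the image metadata, so
# anyone who can pull the image can read it back with `docker history`.
# Writing it to a file and deleting it in a later step does not help either:
# the file still exists in the earlier layer.
#
# ARG GIT_TOKEN
# RUN git clone https://${GIT_TOKEN}@github.com/path/to/private/repo.git /src

# --- Hardened pattern (BuildKit secret mount) ------------------------------
# The .netrc is visible at /root/.netrc only while this single RUN executes.
# It is not part of any layer and not part of the build cache. git picks it
# up because HOME is /root for the default root user during the build.
# The clone URL carries no credentials, so nothing sensitive ends up in
# /src/.git/config.
RUN --mount=type=secret,id=netrc,target=/root/.netrc \
    git clone https://github.com/path/to/private/repo.git /src

# Build (BuildKit must be enabled, as noted in the thread):
#   DOCKER_BUILDKIT=1 docker build --secret id=netrc,src=$HOME/.netrc -t example .
#
# Checks after the build:
#   docker history --no-trunc example        # shows the RUN line, no token
#   docker run --rm example ls -la /root     # .netrc must not be listed
```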