Setting an SSH private key

This task requires the following:

Many operations (e.g., git clone, rsync, ssh) require an SSH private key to be configured within your container(s).

While the task seems as simple as copying a private key right into your Docker image, this is considered highly inadvisable: the key would then be readable by anyone who can access the image.

If you must have the private SSH key available during the image build (e.g., to pull dependencies), remove the private key before the end of the Dockerfile instruction that uses it, so that it is not saved in an image layer (see the "SSH Key Option" on this page before continuing with the information below).

The suggested practice is to:

1. Generate & Store SSH Private Key to the Designated Encrypted Env Vars File

Run the following set of commands in the root of your project folder:

# Generate codeship_deploy_key and codeship_deploy_key.pub, configured to not require passphrase
docker run -it --rm -v "$(pwd)":/keys/ codeship/ssh-helper generate "<YOUR_EMAIL>"

# Store codeship_deploy_key as a one line entry in codeship.env file under `PRIVATE_SSH_KEY`
docker run -it --rm -v "$(pwd)":/keys/ codeship/ssh-helper prepare

# Remove original private key file
rm codeship_deploy_key

# Encrypt file
jet encrypt codeship.env codeship.env.encrypted

# Ensure that `.gitignore` includes all sensitive files/directories
docker run -it --rm -v "$(pwd)":/app -w /app ubuntu:16.04 \
  /bin/bash -c 'echo -e "codeship.aes\ncodeship_deploy_key\ncodeship_deploy_key.pub\ncodeship.env\n.ssh" >> .gitignore'

Check out the README page for more information on our SSH Helper tool.

2. Configure your CodeShip config files with the following as guidance

Dockerfile

FROM ubuntu:16.04
RUN apt-get update && apt-get install -y ssh

codeship-services.yml

app:
  build:
    image: codeship/setting-ssh-key-test
    dockerfile: Dockerfile
  encrypted_env_file:
    - codeship.env.encrypted
  volumes:
    # mapping to `.ssh` directory ensures that `id_rsa` file persists to subsequent steps
    # replace container pathing if $HOME is not `/root`
    - ./.ssh:/root/.ssh

codeship-steps.yml

- name: reinstate SSH Private Key File
  service: app
  command: /bin/bash -c "echo -e $PRIVATE_SSH_KEY >> /root/.ssh/id_rsa"
- name: chmod id_rsa
  service: app
  command: chmod 600 /root/.ssh/id_rsa
- name: add server to list of known hosts
  service: app
  command: /bin/bash -c "ssh-keyscan -H github.com >> /root/.ssh/known_hosts"
# See https://help.github.com/articles/adding-a-new-ssh-key-to-your-github-account/
- name: confirm ssh connection to server, authenticating with generated public ssh key
  service: app
  command: /bin/bash -c "ssh -T git@github.com 2>&1 | grep 'successfully authenticated'"
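
The round trip behind steps 1 and 2, as an added example that is not CodeShip's code: it assumes the one-line `PRIVATE_SSH_KEY` entry writes line breaks as literal `\n` (the escape that `echo -e` expands), uses a constructed placeholder instead of a real key, and the function names are hypothetical. Unlike the reinstate step above, it overwrites instead of appending and creates the file under `umask 077`, so a rerun against the persisted `.ssh` volume leaves a single copy of the key and the file is never group- or world-readable.

```shell
#!/bin/sh
# Added example, not CodeShip's code; function names are hypothetical.

# Flatten a key file to one line, writing each line break as the two
# characters backslash + n (the encoding this example assumes).
flatten_key() {
    sed 's/$/\\n/' "$1" | tr -d '\n'
}

# Restore the flattened value ($1) to the key file ($2).
restore_key() {
    (
        umask 077                    # .ssh is created 0700, the key 0600
        mkdir -p "$(dirname "$2")"
        printf '%b' "$1" > "$2"      # %b expands \n; '>' overwrites
    )
    chmod 600 "$2"                   # also tightens a pre-existing file
}

# Permission string of a file as shown by ls, e.g. -rw-------
key_mode() {
    ls -ld "$1" | cut -c1-10
}

# Round trip on a constructed placeholder (PEM-shaped, not a real key).
demo() {
    work=$(mktemp -d)
    cat > "$work/codeship_deploy_key" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
CONSTRUCTEDPLACEHOLDERLINEONENOTAREALKEY
CONSTRUCTEDPLACEHOLDERLINETWONOTAREALKEY
-----END RSA PRIVATE KEY-----
EOF
    PRIVATE_SSH_KEY=$(flatten_key "$work/codeship_deploy_key")
    restore_key "$PRIVATE_SSH_KEY" "$work/.ssh/id_rsa"
    restore_key "$PRIVATE_SSH_KEY" "$work/.ssh/id_rsa"   # rerun: still one copy
    if cmp -s "$work/codeship_deploy_key" "$work/.ssh/id_rsa" &&
        [ "$(key_mode "$work/.ssh/id_rsa")" = "-rw-------" ]; then rc=0
    else rc=1; fi
    rm -rf "$work"
    return "$rc"
}

demo && echo "restored key matches original, mode 600"
```

With a real key, `ssh-keygen -y -f` on the restored file should print the same key material as `codeship_deploy_key.pub`.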

If you’re unfamiliar with CloudBees CodeShip Pro, then check out our step-by-step walk-through on setting up a private SSH key.