Export / validate Subversion in Dockerfile without printing password to screen
I want to write a Dockerfile that exports a directory from a remote Subversion repository to a build context so that I can work with those files in subsequent commands. The repository is protected by user / password authentication.
This Dockerfile might look like this:
# base image
FROM ubuntu
# install subversion client
RUN apt-get -y update && apt-get install -y subversion
# export my repository
RUN svn export --username=myUserName --password=myPassword http://subversion.myserver.com/path/to/directory
# further commands, e.g. on container start run a file just downloaded from the repository
CMD ["/bin/bash", "path/to/file.sh"]
However, this has the disadvantage of printing my username and password on the screen, or whatever log file stdout is in, as in Step 2 : RUN svn export --username=myUserName --password=myPassword http://subversion.myserver.com/path/to/directory
. In my case, this is the Jenkins build log, which is also available to other people who shouldn't see the credentials.
What would be the easiest way to hide user echo and password on exit?
So far, I haven't found a way to execute the commands RUN
in the Dockerfile while creating the image. Can the password be imported from elsewhere and attached to the command ahead of time so that it no longer needs to be typed? Or are there any passwordless authentication methods in Subversion that will work in the context of the Dockerfile (in terms of configuring them without interaction)?
The Subversion server runs remotely at my company, not on my local machine or on the Docker host. As far as I know, I don't have access to it except to access my repository via username and password authentication, so copying any root key files to some server folders can be difficult.
source to share
One solution is the ADD
entire SVN directory that you checked out in your builder's filesystem beforehand (or added as svn:externals
if yours Dockerfile
itself is in the SVN repository, like: svn propset svn:externals 'external_svn_directory http://subversion.myserver.com/path/to/directory' .
then do a svn up
).
Then in yours, Dockerfile
you can just get the following:
ADD external_svn_directory /tmp/external_svn_directory
RUN svn export /tmp/external_svn_directory /path/where/to/export/to
RUN rm -rf /tmp/external_svn_directory
source to share
The Dockerfile RUN command is always executed and cached when the docker image is created, so the variables to be authenticated must be provided at build time. You can move the svn export call when docker startup is in progress to avoid similar problems. To do this, you can create a bash script and declare it as a docker entry point and pass environment variables for username and password. Example
# base image
FROM ubuntu
ENV REPOSITORY_URL http://subversion.myserver.com/path/to/directory
# install subversion client
RUN apt-get -y update && apt-get install -y subversion
# make it executable before you add it here otherwise docker will coplain
ADD docker-entrypoint.sh /enrypoint.sh
ENTRYPOINT /entrypoint.sh
docker-entrypoint.sh
#!/bin/bash
# maybe here some validation that variables $REPO_USER $REPO_PASSOWRD exists.
svn export --username="$REMOTE_USER" --password="$REMOTE_PASSWORD" "$REPOSITORY_URL"
# continue execution
path/to/file.sh
Run the image:
docker run -e REPO_USER=jane -e REPO_PASSWORD=secret your/image
Or you can put variables in a file:
.svn-credentials
REPO_USER=jane
REPO_PASSWORD=secret
Then run:
docker run --env-file .svn-credentials your/image
Remove the .svn-credentials file when done.
source to share
Perhaps using SVN
c SSH
is the solution for you? You can create a public / private key pair. The private key can be added to the image, while the public key is added to the server.
For more information you can look at fooobar.com/questions/212268 / ... .
source to share
Subversion stores authentication data (if not disabled in configuration) on the client side and uses the saved username | a password on demand for subsequent operations on the same URL.
So - you should run (successfully) svn export in Dockerfile with username | password only once and allow SVN to use cached credentials (remove credentials from command line) later
source to share