Resolving Go dependencies in Docker container
Question
I want to build my Go application during the Docker image build and set the image entrypoint to the built Go application. The problem is that my Go application is a subpackage of the main package and uses some other submodules from the main package. This main package is on GitHub as a private repository, so I cannot just go get inside the container.
I've tried to set up the Glide dependency manager and get all dependencies outside of the container into the vendor/ directory, but there is another problem: glide.lock would have to be updated after each commit in the main private repository. This is not a solution for me because I want to have the other dependencies locked.
Is there any way to build the application with the latest version of the main package dependency and locked versions of the other dependencies?
Answer 1
Score: 1
This isn't a Go question. It's a Docker and security question.
First off, it isn't ideal to build Go apps as part of the build. Typically you would build the binary locally on your machine targeting the Dockerfile FROM you have set. There is zero reason not to, as there is a Go compiler for every machine, and you can GOOS and GOARCH target any machine.
But for your use case, using a private repo, it is even more critical not to build within your container because regardless of how you get the code into your container to build, you'll have a container with private files or worse your ssh key. A container that you have to upload and host and run somewhere.
That is not ideal, however you look at it.
However, if you are determined to leak your code and/or key, you only have two options:
- git clone the private repo on your local/build machine that is authorized to access the private repo and use COPY within your Dockerfile to copy it.
- Use Dockerfile COPY to copy your local machine's SSH key that you have authorized for your remote repo, into the container so that you can RUN git commands (for which you'll also need git and ssh installed).
Again, those are not ideal. Build the Go app locally, target the container's type, and copy the binary over. It really couldn't be easier.
As for dependency management, I've never used glide, but I wrote a popular answer about versioning dependencies with /vendor.
https://stackoverflow.com/questions/37237036/how-should-i-use-vendor-in-go-1-6/37238226#37238226
Answer 2
Score: -1
If you only care about being able to go get your private repos from the Docker container and do not mind copying your id_rsa when building it, you can just add this to the beginning of your Dockerfile:
# Rewrite https://github.com/ URLs to SSH so that go get authenticates with the copied key
RUN echo "[url \"git@github.com:\"]\n\tinsteadOf = https://github.com/" >> /root/.gitconfig
RUN mkdir /root/.ssh && echo "StrictHostKeyChecking no " > /root/.ssh/config
# The private key is stored in this image layer
COPY id_rsa /root/.ssh/id_rsa
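Added example, not part of either answer or of the original page: a small Go check that a build pipeline could run over a Dockerfile to catch the pattern Answer 1 warns about and Answer 2 uses, namely a private SSH key copied into an image layer and host key checking switched off. The names `ScanDockerfile` and `sample` are hypothetical, and the check goes beyond `id_rsa` to the other default OpenSSH private key file names.

```go
package main

import (
	"fmt"
	"path"
	"regexp"
	"strings"
)

var privKey = regexp.MustCompile(`^id_(rsa|dsa|ecdsa|ed25519)$`)              // default OpenSSH private key names
var noHostChk = regexp.MustCompile(`(?i)StrictHostKeyChecking[\s=]+no\b`) // ssh option that disables host key verification

// ScanDockerfile returns one "line N: reason" entry per instruction that copies a private key or disables host key checking.
func ScanDockerfile(src string) []string {
	var out []string
	lines := strings.Split(src, "\n")
	for i := 0; i < len(lines); i++ {
		start, instr := i+1, strings.TrimSpace(lines[i])
		for strings.HasSuffix(instr, `\`) && i+1 < len(lines) { // join continuation lines
			i++
			instr = strings.TrimSuffix(instr, `\`) + " " + strings.TrimSpace(lines[i])
		}
		fields := strings.Fields(instr)
		if len(fields) == 0 || strings.HasPrefix(fields[0], "#") {
			continue
		}
		if kw := strings.ToUpper(fields[0]); kw == "COPY" || kw == "ADD" {
			for _, f := range fields[1:] {
				// Strip JSON-form punctuation, then compare the file name only (id_rsa.pub is not a match).
				if name := path.Base(strings.Trim(f, `"'[],`)); privKey.MatchString(name) {
					out = append(out, fmt.Sprintf("line %d: %s puts private key %s in an image layer", start, kw, name))
					break
				}
			}
		}
		if noHostChk.MatchString(instr) {
			out = append(out, fmt.Sprintf("line %d: SSH host key checking is disabled", start))
		}
	}
	return out
}

// Constructed sample: a placeholder FROM line, then the two SSH-related lines of Answer 2.
const sample = "FROM golang\n" +
	`RUN mkdir /root/.ssh && echo "StrictHostKeyChecking no " > /root/.ssh/config` + "\n" +
	"COPY id_rsa /root/.ssh/id_rsa"

func main() {
	fmt.Println(strings.Join(ScanDockerfile(sample), "\n"))
}
```

A Dockerfile that only copies a binary built outside the container, as Answer 1 recommends, produces no findings.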