gpgp 密钥请求在 dockerfile 中失败但没有 bash

gpgp key request fails in dockerfile but not bash

我遇到一个问题,在构建 docker 容器时,我尝试接收 gpg 密钥失败。当在命令行执行时,我提供的命令可以正常工作。

/etc/systemd/system/docker.service.d/http-proxy.conf中:

[Service]
Environment="HTTP_PROXY=http://<corporate proxy>/" "HTTPS_PROXY="<corporate proxy>/" "NO_PROXY=localhost,127.0.0.1,.domain.local,.corp"

我使用 build.sh shell 脚本构建图像:

#/bin/bash
docker build -t hgk/test-container .

shell 脚本与我的 Docker 文件位于同一位置。这些是该目录中仅有的两件事。

FROM openjdk:8
ARG KEYSERV=hkp://p80.pool.sks-keyservers.net:80
ARG THEPROXY=<my corporate proxy>

# grab gosu for easy step-down from root
# (see docker-sonarqube pull request #115)
RUN set -x \
    && wget -e https_proxy=$THEPROXY -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/1.10/gosu-$(dpkg --print-architecture)" \
    && wget -e https_proxy=$THEPROXY-O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/1.10/gosu-$(dpkg --print-architecture).asc" \
    && export GNUPGHOME="$(mktemp -d)" \
    && gpg --version \
    && gpg -vv --keyserver $KEYSERV --keyserver-options http-proxy=$THEPROXY --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4 \
    && gpg --list-keys \
    && gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu \
    && rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc \
    && chmod +x /usr/local/bin/gosu \
    && gosu nobody true

这两个 wget 命令工作正常并且它们检索了文件。第一个 gpg 命令最终超时:

+ mktemp -d
+ export GNUPGHOME=/tmp/tmp.LJ1EVFQmpO
+ gpg --version
gpg (GnuPG) 2.1.18
libgcrypt 1.7.6-beta
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later 
<https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /tmp/tmp.LJlEVFQmpO
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
+ gpg -vv --keyserver hkp://p80.pool.sks-keyservers.net:80 --keyserver-options http-proxy=<corp proxy> --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4
gpg: keybox '/tmp/tmp.LJlEVFQmpO/pubring.kbx' created
gpg: no running Dirmngr - starting '/usr/bin/dirmngr'
gpg: waiting for the dirmngr to come up ... (5s)
gpg: connection to the dirmngr established

[[I am hung here - It just waits for ... something? I'll update the question if anything prints after this]] 

我把 gpg --list-keys 命令放在 Docker 文件中,看看我们是否通过了那里。但是,如果我通过命令行 运行 它,它会成功检索密钥:

[root@me foo]# printenv | grep proxy
[root@me foo]# gpg --keyserver hkp://p80.pool.sks-keyservers.net:80 --
keyserver-options http-proxy=<corp proxy> --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4
gpg: keyring `/root/.gnupg/pubring.gpg' created
gpg: requesting key BF357DD4 from hkp server p80.pool.sks-keyservers.net
Version: SKS 1.1.6
gpg: armor header:
Comment: Hostname: sks.okoyono.de
gpg: armor header:
gpg: pub  4096R/BF357DD4 2014-02-28  Tianon Gravi <tianon@debian.org>
gpg: key BF357DD4: removed multiple subkey binding
gpg: key BF357DD4: removed multiple subkey binding
gpg: /tmp/tmp.DIX6yQQf25/trustdb.gpg: trustdb created
gpg: using PGP trust model
gpg: key BF357DD4: public key "Tianon Gravi <tianon@tianon.xyz>" imported
gpg: 1 keys cached (126 signatures)
gpg: 0 keys processed (0 validity counts cleared)
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

[root@me foo]# gpg --list-keys
/root/.gnupg/pubring.gpg
------------------------
pub   4096R/BF357DD4 2014-02-28 [expires: 2019-07-06]
uid                  Tianon Gravi <tianon@tianon.xyz>
uid                  Tianon Gravi <tianon@debian.org>
uid                  Tianon Gravi <tianon@dockerproject.org>
uid                  Andrew Page (tianon) <andrew@infosiftr.com>
uid                  Andrew Page (tianon) <andrew@vitalroute.com>
uid                  Andrew Page (Tianon Gravi) <admwiggin@gmail.com>
uid                  Tianon Gravi (Andrew Page) <tianon@infosiftr.com>
sub   4096R/769826E6 2014-02-28 [expires: 2019-07-06]

我尝试过具有相同行为的不同 sks-keyservers(ubuntu、MIT 和其他 sks)- 从 bash 开始正确,从 Docker 开始错误。

任何 thoughts/tips/suggestions?

更新:我的"openjdk:8"版本已经有一段时间没有更新了(从8u121开始)。我发现我是 运行ning gpg v1.4.18。我做了一个 docker image pull openjdk:8,它使我达到了 8u151 和 gpg 2.1.18。 CentOS 7机器上的gpg版本是2.0.22。

我对问题的解决方案(是否是 正确的 解决方案还有待商榷)是添加 http_proxyhttps_proxy 环境Dockerfile 的变量。

FROM openjdk:8
ARG KEYSERV=hkp://p80.pool.sks-keyservers.net:80
ARG THEPROXY=<my corporate proxy>
ENV http_proxy $THEPROXY
ENV https_proxy $THEPROXY

# grab gosu for easy step-down from root
# (see docker-sonarqube pull request #115)
RUN set -x \
    && wget -e https_proxy=$THEPROXY -O /usr/local/bin/gosu 
"https://github.com/tianon/gosu/releases/download/1.10/gosu-$(dpkg --print-architecture)" \
    && wget -e https_proxy=$THEPROXY-O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/1.10/gosu-$(dpkg --print-architecture).asc" \
    && export GNUPGHOME="$(mktemp -d)" \
    && gpg --version \
    && gpg -vv --keyserver $KEYSERV --keyserver-options http-proxy=$THEPROXY --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4 \
    && gpg --list-keys \
    && gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu \
    && rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc \
    && chmod +x /usr/local/bin/gosu \
    && gosu nobody true

我对此修复的解释是 gpg 旋转起来 dirmngrdirmngr "is a server for managing and downloading certificate revocation lists (CRLs) for X.509 certificates and for downloading the certificates themselves." 这暗示需要某种形式的网络连接。阅读 [dirmngr 选项][2] 页面,有一个 --http-proxy 参数似乎没有传递给 dirmngr 的启动参数。

不知何故,将 http_proxy 添加到环境中允许 dirmngr 成功完成它的工作。

我不确定这是否是一个错误(在 gnupg 源代码中有一个 --honor-http-proxy 选项默认设置为 0,所以我不确定为什么它会选择http_proxy,但我的解决方案正在运行并满足我的需求。本周末我将尝试更详细地阅读源代码,但这对我和我的团队来说不再是高优先级。

构建 Docker 图像时,您的 systemd 单元文件的环境变量不会传递到容器中。相反,使用 --build-arg 参数来传递代理值:

docker build --build-arg=HTTP_PROXY=http://<corporate proxy>/ --build-arg=HTTPS_PROXY=http://<corporate proxy>/ -t hgk/test-container .

您不应将代理变量等运行时选项烘焙到 Docker 文件中,始终通过环境变量(或此构建参数)传递配置。

附加提示:most applications rely on http_proxy and https_proxy -- 虽然大多数环境变量确实全部大写,但代理变量有更广泛的小写用法。