skip to Main Content

I have a Dockerfile whose base layer includes git, configures git’s global and and that starts openssh-server.

The Dockerfile is along the lines of this (simplified to remove perceived irrelevancies):

FROM debian as base
RUN apt-get update && 
    apt-get -qy full-upgrade && 
    apt-get install -qy git && 
    apt-get install -qy openssh-server && 
    sed -i 's|session    required|session    optional|g' /etc/pam.d/sshd && 
    mkdir -p /var/run/sshd && 
    groupadd builders -g 1111111112 && 
    useradd -l -u 1111111111 -g 1111111112 -m -s /bin/bash bob && 
    echo "bob ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers && 
    echo "bob:youruncle" | chpasswd && 
    git config --global "bob" && 
    git config --global "[email protected]"

CMD /usr/sbin/sshd -D

When I build and run this container:

$ docker build -t tmp:tmp .
[+] Building 59.2s (6/6) FINISHED
 => [internal] load .dockerignore                                 0.1s
 => => transferring context: 2B                                   0.0s
 => [internal] load build definition from Dockerfile              0.0s
 => => transferring dockerfile: 692B                              0.0s
 => [internal] load metadata for  0.0s
 => CACHED [1/2] FROM                    0.0s
 => [2/2] RUN apt-get update &&     apt-get -qy full-upgrade &&  55.4s
 => exporting to image                                            3.6s
 => => exporting layers                                           3.5s
 => => writing image sha256:cceaae2883b393ccb7dc0d977d846e5df1... 0.0s
 => => naming to                        0.0s
$ docker run tmp:tmp

…and attach to it, I see bob’s expected git config:

$ docker exec -it peaceful_einstein bash
root@3ca48a22fe98:/# git config --list
[email protected]

…but when I ssh to the container as bob, I don’t see the expected git config:

$ docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' peaceful_einstein
$ ssh [email protected]
The authenticity of host ' (' can't be established.
ECDSA key fingerprint is SHA256:mIyf7TvG0nDSo3fWDipWGGPxFipb6THmoYt7dwtR77w.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '' (ECDSA) to the list of known hosts.
[email protected]'s password:
Linux 3ca48a22fe98 4.9.0-8-amd64 #1 SMP Debian 4.9.144-3.1 (2019-02-19) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
bob@3ca48a22fe98:~$ git config --list

Why isn’t bob’s git config info available when ssh’ing to the container?
Is there a way to make the git config statements in the Dockerfile "apply" to bob’s ssh session?



  1. Chosen as BEST ANSWER

    I was able to use @torek's explanation to cobble together this solution that does the git config work in a USER bob "section" of the Dockerfile:

    FROM debian as base
    RUN apt-get update && 
        apt-get -qy full-upgrade && 
        apt-get install -qy git && 
        apt-get install -qy openssh-server && 
        sed -i 's|session    required|session    optional|g' /etc/pam.d/sshd && 
        mkdir -p /var/run/sshd && 
        groupadd builders -g 1111111112 && 
        useradd -l -u 1111111111 -g 1111111112 -m -s /bin/bash bob && 
        echo "bob ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers && 
        echo "bob:youruncle" | chpasswd
    EXPOSE 22
    USER bob
    RUN git config --global "bob" && 
        git config --global "[email protected]"
    USER root
    CMD /usr/sbin/sshd -D

    I have no idea how clean/proper/conformant to prevailing practice that solution is, but it does satisfy the need of the original post.

  2. Running docker exec uses the directory from the Dockerfile (the WORKDIR) unless you override it, and—more importantly in this case—the user from the -u option, or the user from the Dockerfile. (See also What's the default user for docker exec?) In your case those are / and root (uid 0).

    Running ssh into a container starts a login shell, which uses the user’s home directory, getting the user from the login. In this case those are bob and so, probably /home/bob.

    Git uses or sets the current user’s --global config, so you’re getting root’s configuration with docker exec and bob’s with ssh.

    Login or Signup to reply.
Please signup or login to give your own answer.
Back To Top