Secure credentials handling on Docker in build step

Completed

Permanently deleted user

Created January 07, 2020 14:17

We have a build step that needs a username and password to be able to connect to another server. This build step needs to run in a docker container since it needs a specific image and installs some packages for testing.

What is the proper way of sending creds to a docker container in a build step since config, system and env parameters aren't sent to the container?

Adding them as export to the args of the container shows them as clear text in the build logs.

Thanks

2 comments

Mikhail Efremov

Created January 09, 2020 14:48

Hi Mats,

TeamCity passes environmental variables from the build configuration to the docker container, but not from the agent. You should be able to use %env.your_var_name% in your script.

You can then configure specs for this parameter so that it is not displayed as plain-text in logs. Edit such a parameter, click edit in the "Specs" field, select type:Password and display:Hidden For instance:

As a result, such a parameter will be hidden with asterisks in the build log:

  Running step within Docker container kroniak/ssh-client:latest
  Starting: /bin/sh -c "docker pull kroniak/ssh-client:latest && . /Users/mikhail.efremov/TeamCity/buildAgent/temp/agentTmp/docker-wrapper-8187643361303029391.sh && docker run --rm -w /Users/mikhail.efremov/TeamCity/buildAgent/work/8065d60185475140 --label jetbrains.teamcity.buildId=649 -v "/Users/mikhail.efremov/TeamCity/buildAgent/lib:/Users/mikhail.efremov/TeamCity/buildAgent/lib:ro" -v "/Users/mikhail.efremov/TeamCity/buildAgent/tools:/Users/mikhail.efremov/TeamCity/buildAgent/tools:ro" -v "/Users/mikhail.efremov/TeamCity/buildAgent/plugins:/Users/mikhail.efremov/TeamCity/buildAgent/plugins:ro" -v "/Users/mikhail.efremov/TeamCity/buildAgent/work/8065d60185475140:/Users/mikhail.efremov/TeamCity/buildAgent/work/8065d60185475140" -v "/Users/mikhail.efremov/TeamCity/buildAgent/temp/agentTmp:/Users/mikhail.efremov/TeamCity/buildAgent/temp/agentTmp" -v "/Users/mikhail.efremov/TeamCity/buildAgent/temp/buildTmp:/Users/mikhail.efremov/TeamCity/buildAgent/temp/buildTmp" -v "/Users/mikhail.efremov/TeamCity/buildAgent/system:/Users/mikhail.efremov/TeamCity/buildAgent/system" --env-file /Users/mikhail.efremov/TeamCity/buildAgent/temp/agentTmp/docker-wrapper-5073258648189295363.envList --entrypoint /bin/sh "kroniak/ssh-client:latest" /Users/mikhail.efremov/TeamCity/buildAgent/temp/agentTmp/docker-shell-script-6391805751634820226.sh"
  in directory: /Users/mikhail.efremov/TeamCity/buildAgent/work/8065d60185475140
  latest: Pulling from kroniak/ssh-client
  Digest: sha256:18429e5cf196e23b7ec67499714d08c213f0e8c364908e619dc75a51ddfb4e81
  Status: Image is up to date for kroniak/ssh-client:latest
  docker.io/kroniak/ssh-client:latest
  Pseudo-terminal will not be allocated because stdin is not a terminal.
  Warning: Permanently added 'server.name' (ECDSA) to the list of known hosts.
  Permission denied, please try again.
  Permission denied, please try again.
  user:*******@server.name: Permission denied (publickey,password).
  Process exited with code 255

The above log snippet stands for a simple command-line build step executed in a docker container. Contents of the script are as follows:

Best regards,

Mikhail Efremov

Created January 09, 2020 14:51

Looks like I somehow lost the contents of the script while posting the above reply, my apologies.

ssh -o StrictHostKeyChecking=no user:%env.pass_for_docker%@server.name

Please sign in to leave a comment.