Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Interests
See all
Community resources
Top groups
Explore all groups
Community resources
Celebration

Earn badges and make progress

You're on your way to the next level! Join the Kudos program to earn points and save your progress.

Deleted user Avatar
Deleted user

Level 1: Seed

25 / 150 points

Next: Root

Avatar

1 badge earned

Collect

Participate in fun challenges

Challenges come and go, but your rewards stay with you. Do more to earn more!

Challenges
Coins

Gift kudos to your peers

What goes around comes around! Share the love by gifting kudos to your peers.

Recognition
Ribbon

Rise up in the ranks

Keep earning points to reach the top of the leaderboard. It resets every quarter so you always have a chance!

Leaderboard

Join now to unlock these features and more

Come for the products,
stay for the community

The Atlassian Community can help you and your team get more value out of Atlassian products and practices.

Get started Tell me more
Atlassian Community about banner
4,560,415
Community Members
 
Community Events
185
Community Groups

Using docker compose build ssh with BuildKit when --mount=type=ssh is disabled

Edited
Seth Miller
Seth Miller Apr 26, 2023

Since `RUN --mount=type=ssh` is disabled, how can I configure SSH with the running ssh-agent in my CI container? We are using the common docker-in-docker setup of running our own CI container and having docker compose build the image for us. It is failing due to your unfortunate limitations:

```

service:
    build:
        context: .
        ssh:
          - default

```

and the Dockerfile requires a
```

RUN --mount=type=ssh pip install [...]
```


Produces:

```

docker compose run app ./util/lint

+ docker compose run app ./util/lint

Network build_default Creating

Network build_default Created

app Pulling

app Warning

#1 [internal] booting buildkit

#1 pulling image moby/buildkit:buildx-stable-1

#1 pulling image moby/buildkit:buildx-stable-1 2.7s done

#1 creating container buildx_buildkit_default done

#1 ERROR: Error response from daemon: authorization denied by plugin pipelines: --privileged=true is not allowed

------

> [internal] booting buildkit:

------

Error response from daemon: authorization denied by plugin pipelines: --privileged=true is not allowed
```

Which is a bit silly. How are we supposed to work around these limitations?

Also how far out is the plan to ditch Kubernetes so we can have features your competitors offer like not having to work around trivial things and mutli-arch builds? That would be great!

 

No Markdown formatting for a product who's only made for developers? Another oops.

Answer
Watch
Like Be the first to like this
362 views

3 answers

1 accepted

0 votes
Answer accepted
Seth Miller
Seth Miller May 02, 2023

Bitbucket Pipelines does not support modern BuildX environments and therefore many features of Docker Compose V2 are unavailable. Since Docker Compose V1 is EOL in June 2023,

Our choices are:

  1. Switch to a more modern competitor like GitLab or Github
  2. Wait for https://jira.atlassian.com/browse/BCLOUD-22599 to be implemented at Atlassians leisure.
Reply
1 vote
Patrik S
Patrik S
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
Apr 27, 2023 • edited

Hello @Seth Miller ,

Thank you for reaching out to Atlassian Community!

While using Bitbucket Pipelines with Docker BuildKit enabled, that are some restrictions applied due to security reasons, which are listed in Docker BuildKit restrictions.

One of those restrictions is that the directive RUN --mount=type=ssh  is currently disabled in the pipeline environment. However, you can use the --ssh argument to provide the SSH key to the docker command, as in the below example : 

--ssh default=$BITBUCKET_SSH_KEY_FILE

The BITBUCKET_SSH_KEY_FILE is a default variable that contains the path of the SSH key configured in your pipelines (Repository Settings > SSH keys under pipelines).  This should allow you to use that key when connecting to external services.

As for allowing building multi-architecture images in pipelines, we do have a feature request open to implementing that functionality : 

We encourage you to add your Vote and mark yourself as a Watcher in that feature ticket so you will be notified whenever there's any update.

As a workaround, while that feature is not available, it's possible to build multi-architectural images when using Linux Docker self-hosted runners, as they allow you to configure a custom docker-in-docker service. Our engineering team has posted an example of using runners to build multi-arch images in this comment of that feature request.

Thank you, @Seth Miller !

Patrik S

View More Comments
Seth Miller
Seth Miller Apr 27, 2023 • edited

Patrik,

Thanks for your response and clarification. It's a shame we can't use many of those best practices features but it is what it is.

I might actually have sent us down a red herring path. I can't get BuildKit to run at all. I think it's due to auto buildx inclusion??? Do you know how I can use BuildKit properly? I see the announcement but I'm unable to get it to work. I believe I've stumbled upon this related issue: https://community.atlassian.com/t5/Jira-Work-Management-Questions/Can-t-run-compose-in-bitbucket-pipelines-getting-privileged-true/qaq-p/2233411

Perhaps this as well: https://jira.atlassian.com/browse/BCLOUD-22599?filter=98686

I'm not trying anything fancy, just docker compose build.

Thanks!

Like
Seth Miller
Seth Miller May 01, 2023

@Patrik S- I'm still looking for an update on this. Docker Compose V1 seems to be the only supported version of Docker Compose on Pipelines and it's EOL in June of 2023. What does your roadmap look like concerning this?

Thanks

Like
Patrik S
Patrik S
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
May 02, 2023 • edited

Hello @Seth Miller ,

When enabling BuildKit and using Docker Compose V2, the compose build command will use by default buildx, which is currently not supported in pipelines (see Docker BuildKit restrictions and BCLOUD-22066 ).

Currently, we don't have a provision to disable buildx only while keeping the BuildKit enabled. To solve this issue, you may need to downgrade the docker-compose version to 1.29.2. 

If you want to keep using Docker Compose V2, you would have to disable BuildKit, so compose build will not try to use buildx. The following command can be used to disable BuildKit in the pipelines environment : 

export DOCKER_BUILDKIT=0

We also have an open feature request to implement an option to only disable BuildX for the Docker Compose Version 2, while keeping the BuildKit enabled. You can access the feature using the link below : 

I see you have already voted for that feature request and added yourself as a watcher, so whenever there's any update on that feature you will be notified. Please note that all features are implemented with this policy in mind.

Thank you, @Seth Miller !

Patrik S

Like Amit Giri likes this
Seth Miller
Seth Miller May 02, 2023

@Patrik S,

Thank you for your response. It seems like the Docker team might be partially at fault here too as they seem to be abandoning non-buildx environments. I appreciate you chiming in. I'll rally as much support as I can for that feature!

Have a great day!

-Seth

Like Patrik S likes this
Reply
0 votes
Riley Venable (Atlas Bench)
Riley Venable (Atlas Bench)
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
Become a leader
Apr 26, 2023

To configure SSH with the running ssh-agent in your CI container when --mount=type=ssh is disabled in Docker Compose, you can copy your SSH keys into the container during the build process. You can use the Dockerfile example provided in the context, which copies the `id_rsa` and `id_rsa.pub` files into the container's `/root/.ssh` directory, and configures SSH to use the `id_rsa` key. It also installs `openssh-client` and starts the `ssh-agent` in the container. When you run your container, you can then add your SSH key to the agent using the `ssh-add` command:

```
ssh-add /root/.ssh/id_rsa
```

As for your second question, Atlassian has not announced any plans to ditch Kubernetes or offer multi-arch builds that competitors already have.

View More Comments
Seth Miller
Seth Miller Apr 27, 2023

> you can copy your SSH keys into the container during the build process.

That's my trouble is that the keys are baked into the image forever and I was doing all sorts of funky multi-stage build stuff to ensure that didn't happen. My Dockerfile was looking pretty complex.

Like
Reply

Suggest an answer

Log in or Sign up to answer
Bitbucket
Bitbucket
DEPLOYMENT TYPE
CLOUD
TAGS
AUG Leaders

Atlassian Community Events

See all events