Docker jenkins container, host key verification failed

I'm creating a CI pipeline and development environment with Vagrant, Ansible and Docker. My goal is to have everything automated with a single command, no manual configuration involved. With a single ansible-playbook command I should have a fully functional continuous deployment pipeline, with all the services dockerized.

Now here's the problem. When I run the official Jenkins docker container and try to configure authentication for git, I get the following error:

host key verification failed

I understand I could log in to the Jenkins container, ssh to git manually and accept the host key as trusted when logging in for the first time. But this is an absolute no-no; the connectivity should be handled automatically too.

How do I configure the Jenkins docker container to trust the git server at creation, when the available tools are docker, ansible and vagrant?

I'm building something similar, with my pipeline stages encapsulated in containers orchestrated by Kubernetes, and I'm able to source modules from my private bitbucket server using the ssh-agent Jenkins plug-in inside a hashicorp/terraform:light image based container via git+ssh seamlessly. I faced the same issue as yours from the ansible/ansible-runner image when I tried to download my roles via ansible-galaxy from the same bitbucket server.

I tried to do the same as with terraform and ssh-agent.

My relevant pipeline snippet looks like this:

container('ansible') {
   ...
   sshagent([ssh_key]) {
      ...
      stage('get ansible roles') {
         sh 'ansible-galaxy install -r requirements.yaml -p roles/'
         ...
      }
   }
}

It failed and ansible-galaxy is actually hiding the problem pretty well:

+ ansible-galaxy install -r requirements.yaml -p roles/
 [WARNING]: - ans_rol_test was NOT installed successfully: - command
 /usr/bin/git clone ssh://git@mybitbucketserver.org/project/ans_rol_test.git
 ans_rol_test failed in directory /root/.ansible/tmp/ansible-local-
 106DvbAa0/tmp09xwe_ (rc=128)
 ERROR! - you can use --ignore-errors to skip failed roles and finish processing the list.

After I saw this is just a plain git clone, I tried to clone a repository from the pipeline:

+ /usr/bin/git clone ssh://git@mybitbucketserver.org/project/ans_rol_test.git
Cloning into 'ans_rol_test'...
Host key verification failed.
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

Then I tried to just ssh into the bitbucket server.

+ ssh git@mybitbucketserver.org
Pseudo-terminal will not be allocated because stdin is not a terminal.
Host key verification failed.

I realized that when I ssh with -oStrictHostKeyChecking=no the host key is saved anyway, but the ssh client returns 255 because of sshd and the pipeline fails, so I've put a || true at the end.

Pseudo-terminal will not be allocated because stdin is not a terminal.
Warning: Permanently added 'mybitbucketserver.org,10.5.132.51' (RSA) to the list of known hosts.
shell request failed on channel 0
+ true

After this the host key is 'verified', so git clone ssh:// works and therefore ansible-galaxy too.

...
stage('get ansible roles') {
    sh 'ssh -oStrictHostKeyChecking=no git@mybitbucketserver.org || true'
    sh 'ansible-galaxy install -r requirements.yaml -p roles/'
    ...
}
...

Output:

+ ssh -oStrictHostKeyChecking=no git@mybitbucketserver.org
Pseudo-terminal will not be allocated because stdin is not a terminal.
Warning: Permanently added 'mybitbucketserver.org,10.5.132.51' (RSA) to the list of known hosts.
shell request failed on channel 0
+ true
[Pipeline] sh
+ /usr/bin/git clone ssh://git@mybitbucketserver.org/project/ans_rol_test.git
Cloning into 'ans_rol_test'...
[Pipeline] sh
+ ansible-galaxy install -r requirements.yaml -p roles/
- extracting ans_rol_test to /home/jenkins/agent/workspace/configuration/roles/ans_rol_test
- ans_rol_test (1.0.0) was installed successfully

Worth noting that setting the GIT_SSH_COMMAND environment variable with

"ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"

is not working.

You can use Ansible's known_hosts module for solving this problem.

This module adds the host key into the server's ~/.ssh/known_hosts file, similar to what you describe as a manual step.

Please note the limitations of the module as well:

If you have a very large number of host keys to manage, you will find the template module more useful.
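
The known_hosts approach from the answer above, written out as a playbook that pins the git server's key before the Jenkins container starts, so no first-connection trust or StrictHostKeyChecking=no is needed. This is an added example, not code from the original posts; the inventory group `ci`, the path `/srv/jenkins/ssh_known_hosts`, the container name and the host key value are assumptions or placeholders, and it assumes the git client inside the container is OpenSSH.

```yaml
# Added example (not from the original answers). Obtain the real public host
# key out-of-band from the git server's administrator and paste it below.
- name: Start Jenkins with the git server's host key pre-trusted
  hosts: ci                      # assumed inventory group for the Docker host
  become: true
  vars:
    git_host: mybitbucketserver.org
    # Placeholder value: known_hosts format is "<hostname> <keytype> <base64 key>".
    git_host_key: "mybitbucketserver.org ssh-ed25519 <PUBLIC-HOST-KEY-PLACEHOLDER>"
    known_hosts_file: /srv/jenkins/ssh_known_hosts   # assumed path on the Docker host
  tasks:
    - name: Ensure the directory for the known_hosts file exists
      ansible.builtin.file:
        path: "{{ known_hosts_file | dirname }}"
        state: directory
        mode: "0755"

    - name: Pin the git server's host key
      ansible.builtin.known_hosts:
        path: "{{ known_hosts_file }}"
        name: "{{ git_host }}"
        key: "{{ git_host_key }}"
        state: present

    - name: Make the file readable by the jenkins user inside the container
      ansible.builtin.file:
        path: "{{ known_hosts_file }}"
        mode: "0644"

    - name: Run the official Jenkins image with the pinned key mounted read-only
      community.docker.docker_container:
        name: jenkins
        image: jenkins/jenkins:lts
        state: started
        ports:
          - "8080:8080"
        volumes:
          - jenkins_home:/var/jenkins_home
          # OpenSSH reads /etc/ssh/ssh_known_hosts as its system-wide list,
          # so the key is trusted regardless of which user runs git.
          - "{{ known_hosts_file }}:/etc/ssh/ssh_known_hosts:ro"
```

If the pinned key changes later, recreate the container after the playbook run so the bind mount picks up the rewritten file.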
