
GitLab CI failing with SSH error loading key invalid format

I am starting to get into GitLab CI for my company. We have a PrestaShop, and I want automatic deployment to the web server after a Git push.

Unit testing will come later. At the moment I just need it to deal with putting a copy of the "/app" folder in the web root of the web server.

So this is what I have got...

before_script:
  - apt-get update -qq
  - apt-get install -qq git
  - 'which ssh-agent || ( apt-get install -qq openssh-client )'
  - eval $(ssh-agent -s)
  - ssh-add <(echo "$SSH_PRIVATE_KEY")
  - mkdir -p ~/.ssh
  - '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config'


deploy_test:
  type: deploy
  environment:
    name: test
    url: [test server domain]
  script:
    - ssh [user]@[server] -p [port] "cd [repo folder] && git checkout master && git pull origin master && exit"
    - ssh [user]@[server] -p [port] "rsync -rzvh [repo /app folder] [web server root path]"
  only:
    - master

Recently, gitlab-runner has started failing with the error Error loading key "/dev/fd/63": invalid format.

Can you help me to solve that error?

FYI, I have my personal private key set as the $SSH_PRIVATE_KEY environment variable in GitLab, and of course the public key on the web server. SSH is enabled on the web server, which has WHM and cPanel. And I pre-checked out a copy of master via cPanel on the web server into the [repo folder].

Originally, OpenSSH used the PKCS #1 format for RSA private keys. This format is not very secure, so newer versions have moved to a different format for storing private keys which is specific to OpenSSH. This is more secure, but it's not backwards compatible.

While it is possible to convert the keys with ssh-keygen, it would be far better for you to create a new key that you use only for deployments. That's a best practice because it separates your personal key from the deployments and means that if one is compromised, the other is not affected.

Since you'd need to create a new key anyway, you'd be better off using an Ed25519 key. Mozilla and others recommend this format of key because it is fast, secure, and easy to make constant time. You can create such a key with ssh-keygen -t ed25519 -f deployment-key, where deployment-key and deployment-key.pub will be the private and public keys.

If you're using CentOS 7 on the server, it does indeed support Ed25519 keys if it has been appropriately updated with patches, and whatever you're using on GitLab should also support it. You'll need to add the new public key to the remote server as with your personal key.

If you really want to continue to use this key, you should be able to export it with ssh-keygen -e -m PEM.

Did you check whether $SSH_PRIVATE_KEY is set to run on protected branches and tags pipelines only? If so, you need to add your branch to the protected ones: Settings -> Repository -> Protected Branches. Or uncheck that option in Settings -> CI/CD -> Variables.
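The script below is an added example, not code from either answer, from the original poster or from GitLab. It covers both answers: the first answer's point that the text in $SSH_PRIVATE_KEY may be in a key format ssh-add does not accept, and the second answer's point that a protected variable is simply empty in a pipeline on an unprotected branch. Instead of `ssh-add <(echo "$SSH_PRIVATE_KEY")` (bash-only process substitution, which is where the "/dev/fd/63" in the error comes from), it classifies the key by its BEGIN line, checks that the END line matches, strips CR characters from a Windows-style paste, guarantees a trailing newline, and only then pipes the key to `ssh-add -`, which reads the key from stdin. The function names, the messages and the sample key texts are assumptions made for this example; the samples use placeholder base64 and are not real keys.

```shell
#!/bin/sh
# Added example (not from the original post or from GitLab): validate the private
# key held in $SSH_PRIVATE_KEY before ssh-add sees it, so that an empty variable,
# a CRLF paste, a truncated paste or a pasted .pub file is reported as such
# instead of as "invalid format". POSIX sh only; nothing here is a real key.

# Strip CR characters and make the text end in exactly one newline:
# $(...) drops every trailing newline, printf '%s\n' then adds one back.
normalize_key() {
    key=$(printf '%s' "$1" | tr -d '\r')
    printf '%s\n' "$key"
}

# Classify by the first non-blank line of the key text. Prints one of:
#   openssh - "-----BEGIN OPENSSH PRIVATE KEY-----", the newer OpenSSH-only format
#   pem     - "-----BEGIN RSA/EC/DSA PRIVATE KEY-----", the older PEM (PKCS #1) format
#   pkcs8   - "-----BEGIN [ENCRYPTED] PRIVATE KEY-----"
#   empty   - unset or blank variable (e.g. protected variable, unprotected branch)
#   unknown - anything else (a .pub file, a partial paste, the wrong variable)
key_format() {
    first=$(normalize_key "$1" | sed -n '/./{p;q;}')
    case "$first" in
        '')                                    echo empty ;;
        '-----BEGIN OPENSSH PRIVATE KEY-----') echo openssh ;;
        '-----BEGIN RSA PRIVATE KEY-----'|'-----BEGIN EC PRIVATE KEY-----'|'-----BEGIN DSA PRIVATE KEY-----')
                                               echo pem ;;
        '-----BEGIN PRIVATE KEY-----'|'-----BEGIN ENCRYPTED PRIVATE KEY-----')
                                               echo pkcs8 ;;
        *)                                     echo unknown ;;
    esac
}

# Succeeds only if the last line is the END counterpart of the first line,
# which catches a key cut short in the variable editor.
key_looks_complete() {
    body=$(normalize_key "$1")
    begin=$(printf '%s\n' "$body" | sed -n '/./{p;q;}')
    end=$(printf '%s\n' "$body" | sed -n '$p')
    [ -n "$begin" ] && [ "$end" = "$(printf '%s\n' "$begin" | sed 's/BEGIN/END/')" ]
}

# Drop-in replacement for `ssh-add <(echo "$SSH_PRIVATE_KEY")`: diagnose first,
# then feed the normalized key to ssh-add on stdin ("-" means read stdin).
load_deploy_key() {
    case "$(key_format "$1")" in
        empty)
            echo "SSH_PRIVATE_KEY is empty: a protected variable is only exposed to" \
                 "pipelines on protected branches and tags" >&2
            return 1 ;;
        unknown)
            echo "SSH_PRIVATE_KEY does not start with a private-key header (the .pub file?)" >&2
            return 1 ;;
    esac
    if ! key_looks_complete "$1"; then
        echo "SSH_PRIVATE_KEY is truncated: BEGIN and END lines do not match" >&2
        return 1
    fi
    normalize_key "$1" | ssh-add -
}

# Constructed samples (placeholder base64, not real keys) showing what each check reports.
SAMPLE_OPENSSH='-----BEGIN OPENSSH PRIVATE KEY-----
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
-----END OPENSSH PRIVATE KEY-----'
SAMPLE_PEM_CRLF=$(printf '%b' '-----BEGIN RSA PRIVATE KEY-----\r\nQUFBQUFB\r\n-----END RSA PRIVATE KEY-----\r\n')
SAMPLE_TRUNCATED='-----BEGIN OPENSSH PRIVATE KEY-----
QUFBQUFB'
SAMPLE_PUBLIC='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA deploy'

for s in "$SAMPLE_OPENSSH" "$SAMPLE_PEM_CRLF" "$SAMPLE_TRUNCATED" "$SAMPLE_PUBLIC" ""; do
    if key_looks_complete "$s"; then c=complete; else c=incomplete; fi
    echo "format=$(key_format "$s") $c"
done
```

In the job, replace the ssh-add line of before_script with `load_deploy_key "$SSH_PRIVATE_KEY"` after sourcing this file; the job then fails with a message naming the actual cause rather than with ssh-add's generic "invalid format".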

Notice: the technical posts on this site follow the CC BY-SA 4.0 license; if you need to repost, please credit this site or the original source. For any questions contact: yoyou2525@163.com.

© 2020-2024 STACKOOM.COM