Git inside docker inside Jenkins pipeline doesn't work


Problem description

I am trying to perform some git queries inside a docker container that runs as part of a Jenkins Pipeline. Outside the docker container the sshagent is working fine and I can access my SCM no problem. Inside the container I am getting host key verification issues.
Can anyone help with the mistake I have made?

script {
    sshagent(['e9f7d09a-7b88-4bf7-814c-464f811d9519'])
    {
        sh("""
            ssh -p 7999 git@bitbucket-eng-gpk1.com whoami
        """)
    }
    docker.withRegistry('https://dockerhub.banana.com', 'banana-dockerhub-credential') 
    {
        docker.image('banana_release_base').pull()
        docker.image('banana_release_base').inside(
        '''
           -v /system:/system -v /tmp:/tmp --privileged -u 0
        '''
       )
       {
             sshagent(['e9f7d09a-7b88-4bf7-814c-464f811d9519'])
             {
                 sh("""
                     echo $SSH_AUTH_SOCK
                     ssh -p 7999 git@bitbucket-eng-gpk1.com whoami
                 """)
             }
        }
    }
}

First whoami call outputs:

[docker_git_test] Running shell script
+ ssh -p 7999 git@bitbucket-eng-gpk1.com whoami
d42967b44abe31d6

Second call (and the echo) in the docker container outputs:

[docker_git_test] Running shell script
+ echo /tmp/ssh-dSoDZMggpAU1/agent.13
/tmp/ssh-dSoDZMggpAU1/agent.13
+ ssh -p 7999 git@bitbucket-eng-gpk1.com whoami
Host key verification failed

Solution

Host key verification failed

The SSH connection in the container could not verify the host's (bitbucket-eng-gpk1.com) identity, which is why it failed. When Jenkins provisions a container it tries to limit the amount of things from the outside world such as environment variables and file system locations that it mounts into that container so that the build steps have isolation. In your container, it has not accepted the host key of your VCS before making the connection and it is not an interactive terminal so it will fail.

There are several different ways to handle this. Here are a few I can think of off the top of my head:

  • Ignore host-key checking (understand the security implications of this (1, 2)) - use the StrictHostKeyChecking option to disable checking. The UserKnownHostsFile option can be useful in conjunction to pipe the accepted keys somewhere else. This can also be done per host in a ~/.ssh/config file.

    ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -p 7999 git@bitbucket-eng-gpk1.com whoami
    

  • Build the SSH key into the Docker image (brittle)

  • Mount a ~/.ssh/config file into the container from the host with the
  • "Install" some SSH config files from host or use some other configuration file provider that has the verified host key into the container (possibly using the Config File Provider Plugin)
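
An added example, not part of the original question or answer: a shell helper for the container's `sh` step that keeps StrictHostKeyChecking on and refuses to connect unless a known_hosts file supplied to the container already pins the key for the question's host and port. The function names, the sample file and its key blob are constructed for illustration, and hashed known_hosts entries are not handled.

```shell
#!/bin/sh
# Added example: fail closed unless the Git host's key is already pinned.
# Host and port come from the question; the key material is a constructed placeholder.

# known_hosts stores non-default ports as "[host]:port" and port 22 as bare "host".
known_hosts_name() {
    if [ "$2" = "22" ]; then printf '%s\n' "$1"; else printf '[%s]:%s\n' "$1" "$2"; fi
}

# Succeeds only if FILE has a plain (unhashed) entry naming HOST on PORT.
# Comment lines and @revoked / @cert-authority marker lines never count as a pin.
is_pinned() {
    file=$1
    want=$(known_hosts_name "$2" "$3")
    [ -r "$file" ] || return 1
    awk -v want="$want" '
        /^[ \t]*(#|$)/ { next }
        $1 ~ /^@/      { next }
        {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++) if (names[i] == want) found = 1
        }
        END { exit(found ? 0 : 1) }
    ' "$file"
}

# Prints the ssh command line to run, or fails without printing when no pin exists.
strict_ssh_cmd() {
    is_pinned "$1" "$2" "$3" || { echo "no pinned key for $2:$3 in $1" >&2; return 1; }
    printf 'ssh -o StrictHostKeyChecking=yes -o UserKnownHostsFile=%s -p %s git@%s' \
        "$1" "$3" "$2"
}

# Constructed sample known_hosts file (placeholder key blobs, not real keys).
SAMPLE_KNOWN_HOSTS=$(mktemp)
cat > "$SAMPLE_KNOWN_HOSTS" <<'EOF'
# constructed sample
[bitbucket-eng-gpk1.com]:7999 ssh-ed25519 AAAA_CONSTRUCTED_PLACEHOLDER_KEY
@revoked [old-git.example]:7999 ssh-ed25519 AAAA_CONSTRUCTED_PLACEHOLDER_KEY
EOF
```

The non-default port is the detail that usually trips this up: an entry written as bare `bitbucket-eng-gpk1.com` does not match a connection to port 7999.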
