GitLab CI runner - can't access other repository
Problem description
After a recent minor 8.x upgrade, I'm unable to execute GitLab CI tests that also fetch another repository. While everything worked previously, now I get the famous "Host key verification failed." error message from ssh. What could be the cause of this?
/etc/gitlab-runner/config.toml:
concurrent = 1

[[runners]]
  name = "python-runner@localhost"
  # ...
  executor = "docker"
  [runners.docker]
    image = "edoburu/python-runner"
    privileged = false
    cap_drop = ["DAC_OVERRIDE"]
    volumes = [
      "/cache",
      "/home/deploy/.ssh:/root/.ssh:ro"
    ]
    # ...
As you can see, the .ssh folder is exposed, to give the container a list of all known hosts (/home/deploy/.ssh/known_hosts). This also gives the container a known SSH key, that I've enabled as deployment key in the repository.
However, the build fails nowadays, which it didn't do before:
Obtaining python-extra from git+git@git.example.org:myproject/python-repo.git@889f8fa0fe485d246d106ccee47aa60b2dd2523e#egg=python-extra (from -r src/requirements.txt (line 63))
Cloning git@git.example.org:myproject/python-extra.git (to 889f8fa0fe485d246d106ccee47aa60b2dd2523e) to /builds/myproject/env/src/python-extra
Host key verification failed.
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
Command "git clone -q git@git.example.org:myproject/python-extra.git /builds/project/env/src/python-extra" failed with error code 128 in None
The .gitlab-ci.yml file contains:
test:
  image: edoburu/python-runner:base
  stage: test
  script:
    - virtualenv --no-site-packages ../env
    - source ../env/bin/activate
    - pip install --exists-action=w -r src/requirements.txt
    - pip install coverage
    - coverage run --source=src --omit='*/migrations/*' ./src/runtests.py -v2
    - coverage report -m
When I enter the container manually however, everything works fine:
root@git.example.org ~ $ docker run -it --volume="/home/deploy/.ssh:/root/.ssh:ro" edoburu/python-runner:base /bin/bash
root@feed357355ad:/# ssh git@git.example.org
PTY allocation request failed on channel 0
Welcome to GitLab, Anonymous!
Connection to git.example.org closed.
root@feed357355ad:/# git clone git@git.example.org:myproject/python-extra.git
Cloning into 'python-extra'...
remote: Counting objects: 387, done.
remote: Compressing objects: 100% (176/176), done.
remote: Total 387 (delta 215), reused 374 (delta 208)
Receiving objects: 100% (387/387), 5.97 MiB | 0 bytes/s, done.
Resolving deltas: 100% (215/215), done.
Checking connectivity... done.
root@feed357355ad:/# exit
root@git.example.org ~ $
Is there anything that GitLab does differently? Maybe assign IP addresses or something else that causes my builds to fail?
Recommended answer
Solved, it turns out that --cap-drop=DAC_OVERRIDE prevented access to the volume. Changing its owner to root solved it.
Found by adding some debugging code to the .gitlab-ci.yml file:
script:
  - ping -c 1 git.edoburu.nl
  - ssh-keyscan git.edoburu.nl
  - ls -la ~/.ssh/
  - cat ~/.ssh/known_hosts
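The cause named in the answer can be checked directly, shown here as an added example that is not part of the original post: without CAP_DAC_OVERRIDE (or CAP_DAC_READ_SEARCH), root inside the container is held to the ordinary owner/group/other mode bits of the bind-mounted directory. The function names are hypothetical, and the script assumes Linux /proc and GNU stat.

```shell
#!/bin/sh
# Added example; function names are hypothetical. Assumes Linux /proc and GNU stat.

# CAP_DAC_OVERRIDE is capability 1 (0x2), CAP_DAC_READ_SEARCH is 2 (0x4).
# Either one lets root read files regardless of their mode bits.
can_bypass_read_checks() {      # $1 = CapEff hex value from /proc/<pid>/status
    [ $(( 0x$1 & 0x6 )) -ne 0 ]
}

# Plain mode-bit check, which is all that applies once those capabilities are gone.
# $1/$2 = uid/gid of the process, $3/$4 = owner uid/gid, $5 = octal mode,
# $6 = needed bits (4 = read a file, 5 = list and enter a directory).
# Simplification: only the primary gid is compared, not supplementary groups.
mode_allows() {
    m=$(( 0$5 ))
    if   [ "$1" -eq "$3" ]; then bits=$(( (m >> 6) & 7 ))
    elif [ "$2" -eq "$4" ]; then bits=$(( (m >> 3) & 7 ))
    else                         bits=$(( m & 7 ))
    fi
    [ $(( bits & $6 )) -eq "$6" ]
}

# Report every entry of a mounted directory that the current user cannot read.
check_ssh_dir() {               # $1 = directory, e.g. /root/.ssh
    dir=$1; rc=0
    capeff=$(awk '/^CapEff:/ {print $2}' /proc/self/status)
    if can_bypass_read_checks "$capeff"; then
        echo "CapEff=$capeff: mode bits are bypassed, look elsewhere"
        return 0
    fi
    for p in "$dir" "$dir"/*; do
        [ -e "$p" ] || continue
        need=4; if [ -d "$p" ]; then need=5; fi
        set -- $(stat -c '%u %g %a' "$p")
        if mode_allows "$(id -u)" "$(id -g)" "$1" "$2" "$3" "$need"; then
            echo "ok      $p (owner uid $1, mode $3)"
        else
            echo "DENIED  $p (owner uid $1, mode $3)"; rc=1
        fi
    done
    return $rc
}

# Run as a job step: sh check.sh /root/.ssh
if [ -n "${1:-}" ]; then check_ssh_dir "$1"; fi
```

A DENIED line for the directory itself means ssh cannot reach known_hosts or the key, which matches the "Host key verification failed." symptom in the question.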