Git inside docker inside Jenkins pipeline doesn't work


Problem description

I am trying to perform some git queries inside a docker container that runs as part of a Jenkins Pipeline. Outside the docker container the sshagent is working fine and I can access my SCM no problem. Inside the container I am getting host key verification issues.
Can anyone help with the mistake I have made?

script {
    sshagent(['e9f7d09a-7b88-4bf7-814c-464f811d9519'])
    {
        sh("""
            ssh -p 7999 git@bitbucket-eng-gpk1.com whoami
        """)
    }
    docker.withRegistry('https://dockerhub.banana.com', 'banana-dockerhub-credential') 
    {
        docker.image('banana_release_base').pull()
        docker.image('banana_release_base').inside(
        '''
           -v /system:/system -v /tmp:/tmp --privileged -u 0
        '''
       )
       {
             sshagent(['e9f7d09a-7b88-4bf7-814c-464f811d9519'])
             {
                 sh("""
                     echo $SSH_AUTH_SOCK
                     ssh -p 7999 git@bitbucket-eng-gpk1.com whoami
                 """)
             }
        }
    }
}

First whoami call outputs:

[docker_git_test] Running shell script
+ ssh -p 7999 git@bitbucket-eng-gpk1.com whoami
d42967b44abe31d6

Second call (and the echo) in the docker container outputs:

[docker_git_test] Running shell script
+ echo /tmp/ssh-dSoDZMggpAU1/agent.13
/tmp/ssh-dSoDZMggpAU1/agent.13
+ ssh -p 7999 git@bitbucket-eng-gpk1.com whoami
Host key verification failed

Recommended answer

Host key verification failed

The SSH connection in the container could not verify the host's (bitbucket-eng-gpk1.com) identity, which is why it failed. When Jenkins provisions a container it tries to limit the amount of things from the outside world such as environment variables and file system locations that it mounts into that container so that the build steps have isolation. In your container, it has not accepted the host key of your VCS before making the connection and it is not an interactive terminal so it will fail.

There are several different ways to handle this. Here are a few I can think of off the top of my head:

  • Ignore host-key checking (understand the security implications of this (1, 2)) - use the StrictHostKeyChecking option to disable checking. The UserKnownHostsFile option can be useful in conjunction to pipe the accepted keys somewhere else. This can also be done per host in a ~/.ssh/config file.

ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -p 7999 git@bitbucket-eng-gpk1.com whoami

  • Build the SSH key into the Docker image (brittle)
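
Added example, not part of the original answer: a way to keep host-key checking enabled inside the container by writing a known_hosts file from a host key pinned in advance, then pointing ssh at it. The function names and the key value are assumptions made for illustration; the pinned key is a constructed placeholder, not the real key of bitbucket-eng-gpk1.com.

```shell
#!/bin/sh
# Constructed placeholder. Replace with the host key obtained out-of-band
# from the server's administrator; this is not a real key.
PINNED_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEconstructedPLACEHOLDERkeyNOTreal0000000'

# known_hosts names a non-default port as "[host]:port"; port 22 is the bare host.
known_hosts_name() {
    if [ "$2" = "22" ]; then printf '%s\n' "$1"; else printf '[%s]:%s\n' "$1" "$2"; fi
}

# Write a known_hosts file holding only the pinned key for host:port.
# Returns 1 and writes nothing unless the pin is exactly "<type> <base64>".
write_pinned_known_hosts() {
    host=$1 port=$2 pin=$3 out=$4
    case "$pin" in
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-nistp256\ *) ;;
        *) echo "unsupported key type in pin" >&2; return 1 ;;
    esac
    blob=${pin#* }
    case "$blob" in
        ''|*[!A-Za-z0-9+/=]*) echo "pin is not a single base64 blob" >&2; return 1 ;;
    esac
    ( umask 077; printf '%s %s\n' "$(known_hosts_name "$host" "$port")" "$pin" > "$out" )
}

# Read ssh-keyscan style output on stdin and succeed only if one line is
# exactly the pinned key for this host and port. A mismatch means the key
# was rotated or the scan was answered by a different server.
scan_matches_pin() {
    want="$(known_hosts_name "$1" "$2") $3"
    while IFS= read -r line; do
        case "$line" in '#'*|'') continue ;; esac
        [ "$line" = "$want" ] && return 0
    done
    return 1
}

# Inside the container's sh step (kh is a path of your choosing):
#   write_pinned_known_hosts bitbucket-eng-gpk1.com 7999 "$PINNED_KEY" "$kh"
#   ssh -o StrictHostKeyChecking=yes -o UserKnownHostsFile="$kh" \
#       -p 7999 git@bitbucket-eng-gpk1.com whoami
```

With `StrictHostKeyChecking=yes` the ssh client itself rejects any server key that differs from the pinned line, so the non-interactive build fails closed instead of trusting whatever answers on port 7999.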
