SSH使用Bitbucket管道从docker实例进入分级机 [英] SSH into staging machine from docker instance using Bitbucket Pipelines
问题描述
使用新的Bitbucket管道功能,我怎么可以从Docker容器中的SSH进入我的分页框?
Using the new Bitbucket Pipelines feature, how can I SSH into my staging box from the docker container it spins up?
我的管道最后一步是一个 .sh 文件,部署了必要的分期代码,但是因为我的暂存框使用公钥身份验证,并且不知道docker容器,SSH连接被拒绝。
The last step in my pipeline is an .sh file that deploys the necessary code on staging, however because my staging box uses public key authentication and doesn't know about the docker container, the SSH connection is being denied.
无需使用SSH即可使用密码认证这也是导致我的问题,不断选择通过公钥进行身份验证。)?
Anyway of getting around this without using password authentication over SSH (which is causing me issues as well by constantly choosing to authenticate over public key instead.)?
推荐答案
Bitbucket管道可以使用Docker您创建的映像,它的ssh客户端设置在您的构建期间运行,只要它托管在可公开访问的容器注册表。
Bitbucket pipelines can use a Docker image you've created, that has the ssh client setup to run during your builds, as long as it's hosted on a publicly accessible container registry.
创建Docker图片你的ssh密钥可用于某个地方。该图像还需要在容器运行的用户下保存您的环境的主机密钥 。这通常是 root 用户,但如果您的中有。 USER 命令,则可能会有所不同Dockerfile
Create a Docker image with your ssh key available somewhere. The image also needs to have the host key for your environment(s) saved under the user the container will run as. This is normally the root user but may be different if you have a USER command in your Dockerfile.
您可以复制已经填充的 known-hosts 文件,或者在图像构建时动态配置文件:
You could copy an already populated known-hosts file in or configure the file dynamically at image build time with:
RUN ssh-keyscan your.staging-host.com
发布图片
将您的图片发布到可公开访问但私人注册表。您可以托管您自己的或使用像 Docker Hub 。
Publish the image
Publish your image to a publicly accessible, but private registry. You can host your own or use a service like Docker Hub.
使用Docker映像配置管道。
Configure pipelines to build with your docker image.
如果您使用Docker Hub
If you use Docker Hub
image:
name: account-name/java:8u66
username: $USERNAME
password: $PASSWORD
email: $EMAIL
或您自己的外部注册表
name: docker.your-company-name.com/account-name/java:8u66
限制您的主机访问
您不想拥有ssh密钥来访问您的主机在世界各地飞行,所以我会还限制这些部署ssh密钥的访问,以只运行您的部署命令。
您的登台主机上的 authorized_keys 文件:
The authorized_keys file on your staging host:
command="/path/to/your/deploy-script",no-agent-forwarding,no-port-forwarding,no-X11-forwarding ssh-dss AAAAC8ghi9ldw== deploy@bitbucket
不幸的是,bitbucket 不要发布IP列表来限制访问,因为它们使用管道的共享基础架构。如果他们恰好在AWS上运行,那么亚马逊就可以发布IP列表。
Unfortunately bitbucket don't publish an IP list to restrict access to as they use shared infrastructure for pipelines. If they happen to be running on AWS then Amazon do publish IP lists.
from="10.5.0.1",command="",no-... etc
还要记住,他们会不定期地过期他们。我知道ssh密钥不执行日期,但这是一个好主意。
Also remember to date them an expire them from time to time. I know ssh keys don't enforce dates but it's a good idea to do it anyway.
这篇关于SSH使用Bitbucket管道从docker实例进入分级机的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
