GitLab CI runner - can't access other repository


Problem description


After a recent minor 8.x upgrade, I'm unable to execute GitLab CI tests that also fetch another repository. While everything worked previously, now I get the famous Host key verification failed. error message from ssh. What could be the cause of this?

/etc/gitlab-runner/config.toml:

concurrent = 1

[[runners]]
  name = "python-runner@localhost"
  # ...
  executor = "docker"
  [runners.docker]
    image = "edoburu/python-runner"
    privileged = false
    cap_drop = ["DAC_OVERRIDE"]
    volumes = [
        "/cache",
        "/home/deploy/.ssh:/root/.ssh:ro"
    ]
    # ...

As you can see, the .ssh folder is exposed, to give the container a list of all known hosts (/home/deploy/.ssh/known_hosts). This also gives the container a known SSH key, that I've enabled as deployment key in the repository.

However, the build fails nowadays, which it didn't do before:

Obtaining python-extra from git+git@git.example.org:myproject/python-repo.git@889f8fa0fe485d246d106ccee47aa60b2dd2523e#egg=python-extra (from -r src/requirements.txt (line 63))
  Cloning git@git.example.org:myproject/python-extra.git (to 889f8fa0fe485d246d106ccee47aa60b2dd2523e) to /builds/myproject/env/src/python-extra
Host key verification failed.
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
Command "git clone -q git@git.example.org:myproject/python-extra.git /builds/project/env/src/python-extra" failed with error code 128 in None

The .gitlab-ci.yml file contains:

test:
  image: edoburu/python-runner:base
  stage: test
  script:
  - virtualenv --no-site-packages ../env
  - source ../env/bin/activate
  - pip install --exists-action=w -r src/requirements.txt
  - pip install coverage
  - coverage run --source=src --omit='*/migrations/*' ./src/runtests.py -v2
  - coverage report -m

When I enter the container manually however, everything works fine:

root@git.example.org ~ $ docker run -it --volume="/home/deploy/.ssh:/root/.ssh:ro" edoburu/python-runner:base /bin/bash
root@feed357355ad:/# ssh git@git.example.org
PTY allocation request failed on channel 0
Welcome to GitLab, Anonymous!
Connection to git.example.org closed.
root@feed357355ad:/# git clone git@git.example.org:myproject/python-extra.git  
Cloning into 'python-extra'...
remote: Counting objects: 387, done.
remote: Compressing objects: 100% (176/176), done.
remote: Total 387 (delta 215), reused 374 (delta 208)
Receiving objects: 100% (387/387), 5.97 MiB | 0 bytes/s, done.
Resolving deltas: 100% (215/215), done.
Checking connectivity... done.
root@feed357355ad:/# exit
root@git.example.org ~ $

Is there anything that GitLab does differently? Maybe assign IP addresses or something else that causes my builds to fail?

Solution

Solved, it turns out that --cap-drop=DAC_OVERRIDE prevented access to the volume. Changing its owner to root solved it.

Found by adding some debugging code to the .gitlab-ci.yml file:

 script:
  - ping -c 1 git.edoburu.nl
  - ssh-keyscan git.edoburu.nl
  - ls -la ~/.ssh/
  - cat ~/.ssh/known_hosts
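
The effect described in the answer, as an added example that is not part of the original post: once CAP_DAC_OVERRIDE is dropped, root inside the container is subject to ordinary permission bits, so a bind-mounted directory owned by a different UID can become unreadable. The function names are hypothetical; the script assumes Linux /proc and `stat -c`, and ignores supplementary groups and ACLs.

```shell
#!/bin/sh
# Sample diagnostic: is a path readable by its mode bits alone, or only because
# the process still holds a DAC-bypass capability?
# Simplifications: primary group only, no ACLs; needs `stat -c` (GNU or BusyBox).

# cap_is_set HEXMASK BIT: true if BIT is set in a CapEff-style hex mask.
cap_is_set() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# mode_allows MODE OWNER GROUP UID GID WANT: plain permission-bit check.
# WANT is an octal digit: 5 (r-x) to list a directory, 4 (r--) to read a file.
mode_allows() {
    if [ "$4" -eq "$2" ]; then bits=$(( (0$1 >> 6) & 7 ))
    elif [ "$5" -eq "$3" ]; then bits=$(( (0$1 >> 3) & 7 ))
    else bits=$(( 0$1 & 7 ))
    fi
    [ $(( bits & $6 )) -eq "$6" ]
}

# verdict MODE OWNER GROUP UID GID CAPEFF WANT
# Prints: ok | cap-bypass | denied
verdict() {
    if mode_allows "$1" "$2" "$3" "$4" "$5" "$7"; then
        echo ok
    # bit 1 = CAP_DAC_OVERRIDE, bit 2 = CAP_DAC_READ_SEARCH
    elif cap_is_set "$6" 1 || cap_is_set "$6" 2; then
        echo cap-bypass
    else
        echo denied
    fi
}

# check_path PATH: gather the real values for the current process and report.
check_path() {
    p=$1
    if [ -d "$p" ]; then want=5; else want=4; fi
    set -- $(stat -c '%a %u %g' "$p")
    capeff=$(awk '/^CapEff:/ {print $2}' /proc/self/status)
    echo "$p: $(verdict "$1" "$2" "$3" "$(id -u)" "$(id -g)" "$capeff" "$want")"
}

# Usage inside a job: sh check.sh ~/.ssh ~/.ssh/known_hosts
for p in "$@"; do check_path "$p"; done
```

A plain `docker run` without `--cap-drop` keeps CAP_DAC_OVERRIDE, which is consistent with the manual test in the question succeeding while the runner job failed.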
