GitLab CI赛跑者 - 无法访问其他资源库 [英] GitLab CI runner - can't access other repository
问题描述
最近一次次要的8.x升级后,我无法执行也会获取另一个存储库的GitLab CI测试。虽然以前一切都工作,现在我得到着名的主机密钥验证失败。错误消息从ssh。这可能是什么原因?
/etc/gitlab-runner/config.toml
:
concurrent = 1
[[runners]]
name =python-runner @ localhost
#...
executor =docker
[runners.docker]
image =edoburu / python-runner
privileged = false
cap_drop = [DAC_OVERRIDE]
volumes = [
/ cache,
/home/deploy/.ssh:/root/.ssh:ro
]
#...
如您所见, .ssh
文件夹被公开,给容器列出所有已知的主机( /home/deploy/.ssh/known_hosts
)。这也给容器一个已知的SSH密钥,我已经在存储库中启用了部署密钥。
然而,现在的版本不是这样做的之前:
从git+git@git.example.org获取python-extra:myproject/python-repo.git@889f8fa0fe485d246d106ccee47aa60b2dd2523e #egg = python-extra(来自-r src / requirements.txt(第63行))
克隆git@git.example.org:myproject / python-extra.git(to 889f8fa0fe485d246d106ccee47aa60b2dd2523e)to / builds / myproject / env / src / python-extra
主机密钥验证失败。
致命:无法从远程存储库读取。
请确保您具有正确的访问权限
并且存储库存在。
命令git clone -q git@git.example.org:myproject / python-extra.git / builds / project / env / src / python-extra失败,错误代码为128 $ None
.gitlab-ci.yml
文件包含:
test:
image:edoburu / python-runner:base
stage:test
script:
- virtualenv --no-site-packages ../env
- source ../env/bin/activate
- pip install --exists-action = w -r src / requirements。 txt
- pip install coverage
- 覆盖运行--source = src --omit ='* / migrations / *'./src/runtests.py -v2
- coverage report -m
手动输入容器时,一切正常:
root@git.example.org〜$ docker run -it --volume =/ home / deploy / .ssh:/root/.ssh:roedoburu / python-runner:base / bin / bash
root @ feed357355ad:/#ssh git@git.example.org
频道0上的PTY分配请求失败
欢迎来到GitLab,Anony谅解备忘录!
连接到git.example.org关闭。
root @ feed357355ad:/#git clone git@git.example.org:myproject / python-extra.git
克隆到python-extra...
remote:计数对象: 387,完成
remote:压缩对象:100%(176/176),完成。
遥控器:总计387(增量215),重新使用374(增量208)
接收对象:100%(387/387),5.97 MiB | 0字节/秒,完成。
解决三角洲:100%(215/215),完成。
检查连接...完成。
root @ feed357355ad:/#exit
root@git.example.org〜$
有没有什么GitLab做的不同?可能会分配IP地址或其他导致我的构建失败的东西?
解决方案,结果是 - cap-drop = DAC_OVERRIDE
阻止访问该卷。通过将一些调试代码添加到 .gitlab-ci.yml
中,找到通过将其所有者更改为root来解决它。
<文件:
脚本:
- ping -c 1 git.edoburu.nl
- ssh-keyscan git.edoburu.nl
- ls -la〜/ .ssh /
- cat〜/ .ssh / known_hosts
After a recent minor 8.x upgrade, I'm unable to execute GitLab CI tests that also fetch another repository. While everything worked previously, now I get the famous Host key verification failed. error message from ssh. What could be the cause of this?
/etc/gitlab-runner/config.toml
:
concurrent = 1
[[runners]]
name = "python-runner@localhost"
# ...
executor = "docker"
[runners.docker]
image = "edoburu/python-runner"
privileged = false
cap_drop = ["DAC_OVERRIDE"]
volumes = [
"/cache",
"/home/deploy/.ssh:/root/.ssh:ro"
]
# ...
As you can see, the .ssh
folder is exposed, to give the container a list of all known hosts (/home/deploy/.ssh/known_hosts
). This also gives the container a known SSH key, that I've enabled as deployment key in the repository.
However, the build fails nowadays, which it didn't do before:
Obtaining python-extra from git+git@git.example.org:myproject/python-repo.git@889f8fa0fe485d246d106ccee47aa60b2dd2523e#egg=python-extra (from -r src/requirements.txt (line 63))
Cloning git@git.example.org:myproject/python-extra.git (to 889f8fa0fe485d246d106ccee47aa60b2dd2523e) to /builds/myproject/env/src/python-extra
Host key verification failed.
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
Command "git clone -q git@git.example.org:myproject/python-extra.git /builds/project/env/src/python-extra" failed with error code 128 in None
The .gitlab-ci.yml
file contains:
test:
image: edoburu/python-runner:base
stage: test
script:
- virtualenv --no-site-packages ../env
- source ../env/bin/activate
- pip install --exists-action=w -r src/requirements.txt
- pip install coverage
- coverage run --source=src --omit='*/migrations/*' ./src/runtests.py -v2
- coverage report -m
When I enter the container manually however, everything works fine:
root@git.example.org ~ $ docker run -it --volume="/home/deploy/.ssh:/root/.ssh:ro" edoburu/python-runner:base /bin/bash
root@feed357355ad:/# ssh git@git.example.org
PTY allocation request failed on channel 0
Welcome to GitLab, Anonymous!
Connection to git.example.org closed.
root@feed357355ad:/# git clone git@git.example.org:myproject/python-extra.git
Cloning into 'python-extra'...
remote: Counting objects: 387, done.
remote: Compressing objects: 100% (176/176), done.
remote: Total 387 (delta 215), reused 374 (delta 208)
Receiving objects: 100% (387/387), 5.97 MiB | 0 bytes/s, done.
Resolving deltas: 100% (215/215), done.
Checking connectivity... done.
root@feed357355ad:/# exit
root@git.example.org ~ $
Is there anything that GitLab does differently? Maybe assign IP addresses or something else that causes my builds to fail?
Solved, it turns out that --cap-drop=DAC_OVERRIDE
prevented to access the volume. Changing it's owner to root solved it.
Found by adding some debugging code to the .gitlab-ci.yml
file:
script:
- ping -c 1 git.edoburu.nl
- ssh-keyscan git.edoburu.nl
- ls -la ~/.ssh/
- cat ~/.ssh/known_hosts
这篇关于GitLab CI赛跑者 - 无法访问其他资源库的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!