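Docker Jenkins container: host key verification failed

Time: 2016-11-07 06:20:48

Tags: git jenkins docker ssh configuration

I am using Vagrant, Ansible and Docker to create a CI pipeline and development environment. My goal is to automate everything with a single command, with no manual configuration involved. With a single ansible-playbook command, I should have a fully functional continuous deployment pipeline, with all services dockerized.

Now here is the problem. When I run the official Jenkins Docker container and try to configure authentication for git, I get the following error: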

host key verification failed

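I know that I can log in to the Jenkins container the first time, manually connect to git and accept the host key as trusted. But this is definitely a no-go; the connection should also be handled automatically.

How can the Jenkins Docker container be configured to trust the git server at creation time, when the available tools are Docker, Ansible and Vagrant?

2 answers:

Answer 0: (score: 0)

You can solve this with Ansible's known_hosts module.

This module adds the host key to the server's ~/.ssh/known_hosts file, similar to the manual step you describe.

Note the module's limitations: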

  

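If you have a very large number of host keys to manage, you will find the template module more useful.

Answer 1: (score: 0)

I am building something similar, with pipeline stages encapsulated in containers orchestrated by Kubernetes, and I was able to use the ssh-agent Jenkins plugin in a container based on the hashicorp/terraform:light image to fetch modules from my private bitbucket server seamlessly via git + ssh. When I tried to download roles from the same bitbucket server via ansible-galaxy, I ran into the same problem as you in the ansible/ansible-runner image.

I tried to do the same thing as with terraform and ssh-agent.

The relevant snippet of my pipeline code is as follows: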

container('ansible') {
   ...
   sshagent([ssh_key]) {
      ...
      stage('get ansible roles') {
         sh 'ansible-galaxy install -r requirements.yaml -p roles/'
         ...
     }
   }
}

It failed, and ansible-galaxy actually hides the problem quite well:

+ ansible-galaxy install -r requirements.yaml -p roles/
 [WARNING]: - ans_rol_test was NOT installed successfully: - command
 /usr/bin/git clone ssh://git@mybitbucketserver.org/project/ans_rol_test.git
 ans_rol_test failed in directory /root/.ansible/tmp/ansible-local-
 106DvbAa0/tmp09xwe_ (rc=128)
 ERROR! - you can use --ignore-errors to skip failed roles and finish processing the list.

Seeing that this was just a simple git clone, I tried cloning the repository from the pipeline:

+ /usr/bin/git clone ssh://git@mybitbucketserver.org/project/ans_rol_test.git
Cloning into 'ans_rol_test'...
Host key verification failed.
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

Then I tried to ssh into the bitbucket server.

+ ssh git@mybitbucketserver.org
Pseudo-terminal will not be allocated because stdin is not a terminal.
Host key verification failed.

I realized that when I ssh with -oStrictHostKeyChecking=no, the host key still gets saved, but the ssh client returns 255 because of sshd and the pipeline fails, so I put || true at the end.

Pseudo-terminal will not be allocated because stdin is not a terminal.
Warning: Permanently added 'mybitbucketserver.org,10.5.132.51' (RSA) to the list of known hosts.
shell request failed on channel 0
+ true

After this, the host key had been "verified", so git clone ssh:// worked as well, and so did ansible-galaxy.

...
stage('get ansible roles') {
    sh 'ssh -oStrictHostKeyChecking=no git@mybitbucketserver.org || true'
    sh 'ansible-galaxy install -r requirements.yaml -p roles/'
    ...
 }
...

Output:

+ ssh -oStrictHostKeyChecking=no git@mybitbucketserver.org
Pseudo-terminal will not be allocated because stdin is not a terminal.
Warning: Permanently added 'mybitbucketserver.org,10.5.132.51' (RSA) to the list of known hosts.
shell request failed on channel 0
+ true
[Pipeline] sh
+ /usr/bin/git clone ssh://git@mybitbucketserver.org/project/ans_rol_test.git
Cloning into 'ans_rol_test'...
[Pipeline] sh
+ ansible-galaxy install -r requirements.yaml -p roles/
- extracting ans_rol_test to /home/jenkins/agent/workspace/configuration/roles/ans_rol_test
- ans_rol_test (1.0.0) was installed successfully

It is worth noting that setting the GIT_SSH_COMMAND environment variable to

"ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"

did not work.
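An added example, not part of either answer: both approaches above end with the git server's key in known_hosts, and this sketch shows how to get there without trusting whatever key the first connection presents, by checking ssh-keyscan output against a fingerprint obtained out of band. The function names, the sample key blobs and the pin set are constructed for illustration; only the host name comes from the page.

```python
import base64
import hashlib
import struct


def fingerprint(key_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 public key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def pinned_entries(keyscan_output: str, host: str, pins: set) -> list:
    """Return known_hosts lines for `host` whose key matches a pinned fingerprint.

    Raises ValueError when no offered key matches (rotated key or an
    interposed host), so the build fails instead of trusting blindly.
    """
    accepted, seen = [], 0
    for line in keyscan_output.splitlines():
        parts = line.split()
        if line.startswith("#") or len(parts) < 3:
            continue  # ssh-keyscan banner comments and blank lines
        names, keytype, key_b64 = parts[0], parts[1], parts[2]
        if host not in names.split(","):
            continue
        seen += 1
        if fingerprint(key_b64) in pins:
            accepted.append(f"{host} {keytype} {key_b64}")
    if not accepted:
        raise ValueError(f"{seen} key(s) offered for {host}, none match a pin")
    return accepted


def sample_blob(seed: bytes) -> str:
    # Constructed ed25519-shaped blob, not a real server key.
    kt = b"ssh-ed25519"
    raw = struct.pack(">I", len(kt)) + kt + struct.pack(">I", 32) + seed * 32
    return base64.b64encode(raw).decode()


HOST = "mybitbucketserver.org"
GOOD, ROGUE = sample_blob(b"\x01"), sample_blob(b"\x02")
PINS = {fingerprint(GOOD)}  # assumption: real pins come from the git server admin
SCAN_OK = f"# {HOST}:22 SSH-2.0-constructed\n{HOST} ssh-ed25519 {GOOD}\n"
SCAN_BAD = f"{HOST} ssh-ed25519 {ROGUE}\n"

if __name__ == "__main__":
    print("\n".join(pinned_entries(SCAN_OK, HOST, PINS)))
```

The returned lines can be written to the build user's ~/.ssh/known_hosts when the image is created, or passed as the key to Ansible's known_hosts module.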