Jenkins ssh-agent启动,然后立即在管道构建中停止

时间:2018-03-14 10:26:33

标签: jenkins jenkins-pipeline ssh-agent

我有一个简单的jenkins管道构建,这是我的jenkinsfile:

pipeline {
    agent any
    stages {
        stage('deploy-staging') {
            when {
                branch 'staging'
            }
            steps {
                sshagent(['my-credentials-id']) {
                    sh('git push joe@repo:project')
                }
            }
        }
    }
}

我正在使用sshagent推送到远程服务器上的git repo。我已经创建了指向Jenkins master~ / .ssh中的私钥文件的凭据。

当我运行构建时,我得到了这个输出(我用*' s替换了一些敏感信息):

[ssh-agent] Using credentials *** (***@*** ssh key)
[ssh-agent] Looking for ssh-agent implementation...
[ssh-agent]   Exec ssh-agent (binary ssh-agent on a remote machine)
$ ssh-agent
SSH_AUTH_SOCK=/tmp/ssh-cjbm7oVQaJYk/agent.11558
SSH_AGENT_PID=11560
$ ssh-add ***
Identity added: ***
[ssh-agent] Started.
[Pipeline] {
[Pipeline] sh
$ ssh-agent -k
unset SSH_AUTH_SOCK;
unset SSH_AGENT_PID;
echo Agent pid 11560 killed;
[ssh-agent] Stopped.
[TDBNSSBFW6JYM3BW6AAVMUV4GVSRLNALY7TWHH6LCUAVI7J3NHJQ] Running shell script
+ git push joe@repo:project
Host key verification failed.
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

如您所见,ssh-agent启动,之后立即停止,然后运行git push命令。奇怪的是,它确实可以正常工作,但这似乎是完全随机的。

我还是詹金斯的新手 - 我错过了一些明显的东西吗?任何帮助表示感谢,谢谢。

编辑:我正在运行多分支管道,以防万一。

2 个答案:

答案 0 :(得分:3)

我最近有一个类似的问题,虽然它是在一个docker容器里面。 日志给人的印象是ssh-agent退出得太早,但实际上问题是我忘了将git服务器添加到已知主机。

我建议ssh-ing到你的jenkins master并尝试执行与ssh-agent(cli)管道相同的步骤。然后你会看到问题所在。

E.g:

eval $(ssh-agent -s)
ssh-add ~/yourKey
git clone

正如on help.github.com

所解释的那样

更新: 这里有一个util,用于添加knownHosts(如果尚未添加):

/**
 * Add hostUrl to knownhosts on the system (or container) if necessary so that ssh commands will go through even if the certificate was not previously seen.
 * @param hostUrl
 */
void tryAddKnownHost(String hostUrl){
    // ssh-keygen -F ${hostUrl} will fail (in bash that means status code != 0) if ${hostUrl} is not yet a known host
    def statusCode = sh script:"ssh-keygen -F ${hostUrl}", returnStatus:true
    if(statusCode != 0){
        sh "mkdir -p ~/.ssh"
        sh "ssh-keyscan ${hostUrl} >> ~/.ssh/known_hosts"
    }
}

答案 1 :(得分:0)

我在docker内部使用了它,并将其添加到我的Jenkins管理员的known_hosts上有点混乱,所以我选择了这样的东西:

  1. 在Jenkins中,创建一个类型为“秘密文本”的新凭据(我们将其称为GITHUB_HOST_KEY),并将其值设置为主机密钥,例如:
# gets the host for github and copies it. You can run this from
# any computer that has access to github.com (or whatever your
# git server is)
ssh-keyscan github.com | clip
  1. 在您的Jenkins文件中,将字符串保存到known_hosts
pipeline {
    agent { docker { image 'node:12' } }
    stages {
        stage('deploy-staging') {
            when { branch 'staging' }
            steps {
                withCredentials([string(credentialsId: 'GITHUB_HOST_KEY', variable: 'GITHUB_HOST_KEY')]) {
                    sh 'mkdir ~/.ssh && echo "$GITHUB_HOST_KEY" >> ~/.ssh/known_hosts'
                }
                sshagent(['my-credentials-id']) {
                    sh 'git push joe@repo:project'
                }
            }
        }
    }
}

这可确保您使用的是“受信任的”主机密钥。