I am currently trying to trigger a script on a remote machine from within a Gitlab CI/CD Docker container. The job is configured as follows:
stages:
  - deploy
image: maven:3.3.9
server-deploy:
  stage: deploy
  allow_failure: false
  script:
    ## Install ssh agent
    - apt update && apt install openssh-client -y
    - eval $(ssh-agent -s)
    ## Create SSH key file
    - "echo \"-----BEGIN OPENSSH PRIVATE KEY-----
      b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
      QyNTUxOQAAACByjJBGT21Arna/pirWVXQqGAr/aszqQ5HzvrA2MzVDZAAAAJiGKEEKhihB
      CgAAAAtzc2gtZWQyNTUxOQAAACByjJBGT21Arna/pirWVXQqGAr/aszqQ5HzvrA2MzVDZA
      AAAEAKbObQgJGXbrKQt4wdCy3YQfpVBqkT5RNEt2IYU5pv3HKMkEZPbUCudr+mKtZVdCoY
      Cv9qzOpDkfO+sDYzNUNkAAAAFHN2ZW5AREVTS1RPUC0xTjVKUjRSAQ==
      -----END OPENSSH PRIVATE KEY-----\" > deploy-key"
    ## Fix permissions on key file and .ssh folder
    - chmod 700 deploy-key; mkdir -p ~/.ssh; chmod 700 ~/.ssh
    ## Import SSH key
    - ssh-add -k deploy-key
    ## Make sure that ssh will trust the new host, instead of asking
    - echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config
    ## Run script on the remote server
    - ssh -t user@255.255.255.255 "./deploy-master"
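(The SSH key is just a temporary key, generated specifically for this SO question.)
Now, the job fails when it reaches the "ssh-add -k deploy-key" command and asks for a passphrase, like this: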
$ ssh-add -k deploy-key
Enter passphrase for deploy-key: ERROR: Job failed: exit code 1
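The SSH key obviously has no passphrase attached; I can verify this by running the exact same commands on my own Linux machine, where they work fine.
So my question is: how do I prevent ssh-add from asking for a passphrase? I'm also curious why this only happens in the Gitlab CI Docker container and not on my own PC.
Thanks!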
Answer 0 (score: 1)
Using a block in the YAML might work.
stages:
  - deploy
image: maven:3.3.9
server-deploy:
  stage: deploy
  allow_failure: false
  script:
    ## Install ssh agent
    - apt update && apt install openssh-client -y
    - eval $(ssh-agent -s)
    ## Create SSH key file
    - |
      echo '-----BEGIN OPENSSH PRIVATE KEY-----
      b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
      QyNTUxOQAAACByjJBGT21Arna/pirWVXQqGAr/aszqQ5HzvrA2MzVDZAAAAJiGKEEKhihB
      CgAAAAtzc2gtZWQyNTUxOQAAACByjJBGT21Arna/pirWVXQqGAr/aszqQ5HzvrA2MzVDZA
      AAAEAKbObQgJGXbrKQt4wdCy3YQfpVBqkT5RNEt2IYU5pv3HKMkEZPbUCudr+mKtZVdCoY
      Cv9qzOpDkfO+sDYzNUNkAAAAFHN2ZW5AREVTS1RPUC0xTjVKUjRSAQ==
      -----END OPENSSH PRIVATE KEY-----' > deploy-key
    ## Fix permissions on key file and .ssh folder
    - chmod 700 deploy-key; mkdir -p ~/.ssh; chmod 700 ~/.ssh
    ## Import SSH key
    - ssh-add -k deploy-key
    ## Make sure that ssh will trust the new host, instead of asking
    - echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config
    ## Run script on the remote server
    - ssh -t user@255.255.255.255 "./deploy-master"
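Answer 1 (score: 0)
OK, I figured it out. It turns out that ssh-add is very picky about the file format, especially the line breaks. The line breaks in .gitlab-ci.yml were not passed through to the command directly, so the key ended up on a single line.
Here is how I solved it: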
table2
This way, the line breaks in the file are created automatically, and ssh-add then picks up the format.
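A preflight check for the failure described in this answer, as an added example that is not part of the original posts: it classifies a key file before `ssh-add` runs, so a job can stop with a clear reason instead of a passphrase prompt. The function names `classify_key` and `make_samples` are hypothetical, and the sample "keys" are constructed placeholders, not key material.

```shell
#!/bin/sh
# Added example: classify a private key file before handing it to ssh-add.
# classify_key FILE prints one of: ok, folded, crlf, not-a-key

classify_key() {
    f=$1
    # No PEM/OpenSSH private key header anywhere in the file.
    grep -q -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' "$f" || { echo not-a-key; return; }
    # Carriage returns present (e.g. a CI variable pasted with CRLF endings).
    if ! tr -d '\r' < "$f" | cmp -s - "$f"; then echo crlf; return; fi
    # Header and footer must each be a complete line on their own (-x).
    # If they are not, the newlines were lost, as with a folded YAML scalar.
    if grep -q -x -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' "$f" &&
       grep -q -x -e '-----END [A-Z ]*PRIVATE KEY-----' "$f"; then
        echo ok
    else
        echo folded
    fi
}

# Write three constructed sample files into directory $1.
make_samples() {
    d=$1
    # Placeholder body lines (constructed, not a real key).
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' \
        'Q09OU1RSVUNURUQ=' 'UExBQ0VIT0xERVI=' \
        '-----END OPENSSH PRIVATE KEY-----' > "$d/good"
    # What a double-quoted multi-line YAML scalar yields: newlines become spaces.
    tr '\n' ' ' < "$d/good" > "$d/folded"
    # The same content with CRLF line endings.
    awk '{ printf "%s\r\n", $0 }' "$d/good" > "$d/crlf"
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for k in good folded crlf; do
    printf '%s: %s\n' "$k" "$(classify_key "$demo_dir/$k")"
done
rm -rf "$demo_dir"
```

In a job, call `classify_key deploy-key` before `ssh-add` and fail the step when the result is anything other than `ok`.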
Answer 2 (score: 0)
This solution has an ed25519 encrypted ssh key in the variable SSH_PRIVATE_KEY, and the passphrase used to decrypt it in the variable SSH_PRIVATE_KEY.
image: ubuntu:trusty
before_script:
  ##
  ## Install ssh-agent if not already installed, it is required by Docker.
  ## (change apt-get to yum if you use an RPM-based image)
  ##
  - 'which ssh-agent || ( apt-get update -y && apt-get install openssh-client git -y )'
  ##
  ## Run ssh-agent (inside the build environment)
  ##
  - eval $(ssh-agent -s)
  ##
  ## Create the SSH directory and give it the right permissions
  ##
  - mkdir -p ~/.ssh
  - chmod 700 ~/.ssh
  ## Create a shell script that will echo the environment variable SSH_PASSPHRASE
  - echo 'echo $SSH_PASSPHRASE' > ~/.ssh/tmp && chmod 700 ~/.ssh/tmp
  ##
  ## Why would you encrypt your private keys? Can I echo the value to stdout?
  - echo $SSH_PRIVATE_KEY
  ## Add the SSH key stored in SSH_PRIVATE_KEY variable to the agent store
  ## We're using tr to fix line endings which makes ed25519 keys work
  ## without extra base64 encoding.
  ## https://gitlab.com/gitlab-examples/ssh-private-key/issues/1#note_48526556
  ##
  ## If ssh-add needs a passphrase, it will read the passphrase from the current
  ## terminal if it was run from a terminal. If ssh-add does not have a terminal
  ## associated with it but DISPLAY and SSH_ASKPASS are set, it will execute the
  ## program specified by SSH_ASKPASS and open an X11 window to read the
  ## passphrase. This is particularly useful when calling ssh-add from a
  ## .xsession or related script. Setting DISPLAY=None drops the use of X11.
  - echo "$SSH_PRIVATE_KEY" | tr -d '\r' | DISPLAY=None SSH_ASKPASS=~/.ssh/tmp ssh-add -
  ##
  ## Use ssh-keyscan to scan the keys of your private server. Replace gitlab.com
  ## with your own domain name. You can copy and repeat that command if you have
  ## more than one server to connect to.
  ##
  - ssh-keyscan gitlab.com >> ~/.ssh/known_hosts
  - chmod 644 ~/.ssh/known_hosts
  ##
  ## Alternatively, assuming you created the SSH_SERVER_HOSTKEYS variable
  ## previously, uncomment the following two lines instead.
  ##
  #- echo "$SSH_SERVER_HOSTKEYS" > ~/.ssh/known_hosts
  #- chmod 644 ~/.ssh/known_hosts