此完成以前可以完成!
我在管道SSH中的部署步骤进入DO框,并从Docker注册表中提取代码。如前所述,这以前有效,这是我在deploy
的{{1}}步骤中的得益于.gitlab-ci.yml
下here的启发:
Using SSH
我刚尝试执行deploy:
stage: deploy
image: docker:stable-dind
only:
- master
services:
# Specifying the DinD version here as the latest DinD version introduced a timeout bug
# Highlighted here: https://forum.gitlab.com/t/gitlab-com-ci-stuck-on-docker-build/34401/2
- docker:19.03.5-dind
variables:
DOCKER_DRIVER: overlay2
DOCKER_TLS_CERTDIR: ""
environment:
name: production
when: manual
before_script:
- mkdir -p ~/.ssh
- echo "$DEPLOYMENT_SERVER_PRIVATE_KEY" | tr -d '\r' > ~/.ssh/id_rsa
- chmod 600 ~/.ssh/id_rsa
- eval "$(ssh-agent -S)"
- ssh-add ~/.ssh/id_rsa
- ssh-keyscan -H $DEPLOYMENT_SERVER_IP >> ~/.ssh/known_hosts
script:
- ssh -vvv gitlab@${DEPLOYMENT_SERVER_IP}
"docker stop ${CI_PROJECT_NAME};
docker rm ${CI_PROJECT_NAME};
docker container prune -f;
docker rmi ${CI_REGISTRY}/${CI_PROJECT_PATH};
docker login -u ${CI_REGISTRY_USER} -p ${CI_REGISTRY_PASSWORD} ${CI_REGISTRY};
docker pull ${CI_REGISTRY}/${CI_PROJECT_PATH}:latest;
docker run -d -p ${HTTP_PORT}:${HTTP_PORT} --restart=always -m 800m --init --name ${CI_PROJECT_NAME} --net ${NETWORK_NAME} --ip ${NETWORK_IP} ${CI_REGISTRY}/${CI_PROJECT_PATH}:latest;"
步骤,但失败了。再次出现此错误:
deploy
我最初采取的步骤
...
$ mkdir -p ~/.ssh
$ echo "${DEPLOYMENT_SERVER_PRIVATE_KEY}" | tr -d '\r' > ~/.ssh/id_rsa
$ chmod 600 ~/.ssh/id_rsa
$ eval "$(ssh-agent -s)"
Agent pid 22
$ ssh-add ~/.ssh/id_rsa
Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)
$ ssh-keyscan -H ${DEPLOYMENT_SERVER_IP} >> ~/.ssh/known_hosts
# xxx.xxx.xxx.xxx:22 SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
# xxx.xxx.xxx.xxx:22 SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
# xxx.xxx.xxx.xxx:22 SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
# xxx.xxx.xxx.xxx:22 SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
# xxx.xxx.xxx.xxx:22 SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
$ ssh gitlab@${DEPLOYMENT_SERVER_IP} "docker stop ${CI_PROJECT_NAME}; docker rm ${CI_PROJECT_NAME}; docker container prune -f; docker rmi ${CI_REGISTRY}/${CI_PROJECT_PATH}; docker login -u ${CI_REGISTRY_USER} -p ${CI_REGISTRY_PASSWORD} ${CI_REGISTRY}; docker pull ${CI_REGISTRY}/${CI_PROJECT_PATH}:latest; docker run -d -p ${PORT}:${PORT} --restart always -m 2g --init --name ${CI_PROJECT_NAME} --net ${NETWORK_NAME} --ip ${NETWORK_IP} ${CI_REGISTRY}/${CI_PROJECT_PATH}:latest;"
ssh: connect to host xxx.xxx.xxx.xxx port 22: Connection refused
Running after_script
00:02
Uploading artifacts for failed job
00:01
ERROR: Job failed: exit code 255
(无密码) ssh-keygen -t rsa -b 2048
中添加了公共键authorized_keys
我知道该端口已为SSH打开,因为我能够从本地计算机SSH到DEPLOYMENT_SERVER_PRIVATE_KEY
用户。我现在将部署步骤(基于here,this article和this one的评论)更改为:
gitlab
仍然无济于事! deploy:
stage: deploy
image: docker:stable-dind
only:
- master
services:
# Specifying the DinD version here as the latest DinD version introduced a timeout bug
# Highlighted here: https://forum.gitlab.com/t/gitlab-com-ci-stuck-on-docker-build/34401/2
- docker:19.03.5-dind
variables:
DOCKER_DRIVER: overlay2
DOCKER_TLS_CERTDIR: ""
environment:
name: production
when: manual
before_script:
- 'which ssh-agent || ( apt-get update -y && apt-get install openssh-client -y )'
- eval $(ssh-agent -s)
- echo "$DEPLOYMENT_SERVER_PRIVATE_KEY" | tr -d '\r' | ssh-add - > /dev/null
- mkdir -p ~/.ssh
- chmod 700 ~/.ssh
- '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config'
- cat ~/.ssh/config
- echo ${CI_REGISTRY_USER}
- ssh-keyscan -H ${DEPLOYMENT_SERVER_IP} >> ~/.ssh/known_hosts
script:
- ssh -vvv gitlab@${DEPLOYMENT_SERVER_IP}
"docker stop ${CI_PROJECT_NAME};
docker rm ${CI_PROJECT_NAME};
docker container prune -f;
docker rmi ${CI_REGISTRY}/${CI_PROJECT_PATH};
docker login -u ${CI_REGISTRY_USER} -p ${CI_REGISTRY_PASSWORD} ${CI_REGISTRY};
docker pull ${CI_REGISTRY}/${CI_PROJECT_PATH}:latest;
docker run -d -p ${HTTP_PORT}:${HTTP_PORT} --restart=always -m 800m --init --name ${CI_PROJECT_NAME} --net ${NETWORK_NAME} --ip ${NETWORK_IP} ${CI_REGISTRY}/${CI_PROJECT_PATH}:latest;"
的详细记录吐出:
ssh
我还添加了...
$ which ssh-agent || ( apt-get update -y && apt-get install openssh-client -y )
/usr/bin/ssh-agent
$ eval $(ssh-agent -s)
Agent pid 18
$ echo "$DEPLOYMENT_SERVER_PRIVATE_KEY" | tr -d '\r' | ssh-add - > /dev/null
Identity added: (stdin) ((stdin))
$ mkdir -p ~/.ssh
$ chmod 700 ~/.ssh
$ [[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config
$ cat ~/.ssh/config
Host *
StrictHostKeyChecking no
$ echo ${CI_REGISTRY_USER}
gitlab-ci-token
$ ssh-keyscan -H ${DEPLOYMENT_SERVER_IP} >> ~/.ssh/known_hosts
# xxx.209.184.138:22 SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
# xxx.209.184.138:22 SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
# xxx.209.184.138:22 SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
# xxx.209.184.138:22 SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
# xxx.xxx.xxx.xxx:22 SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
$ ssh -vvv gitlab@${DEPLOYMENT_SERVER_IP}
OpenSSH_8.3p1, OpenSSL 1.1.1g 21 Apr 2020
debug1: Reading configuration data /root/.ssh/config
debug1: /root/.ssh/config line 1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: resolve_canonicalize: hostname 134.xxx.xxx.xxx is address
Pseudo-terminal will not be allocated because stdin is not a terminal.
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug2: ssh_connect_direct
debug1: Connecting to xxx.xxx.xxx.xxx [xxx.xxx.xxx.xxx] port 22.
debug1: connect to address xxx.xxx.xxx.xxx port 22: Connection refused
ssh: connect to host xxx.xxx.xxx.xxx port 22: Connection refused
ERROR: Job failed: exit code 255
选项suggested here以禁用伪tty分配,但是所做的只是从日志中删除了伪行。
编辑
查看DO框( -T
)上的日志,发现错误:
/var/log/auth.log
搜索此错误,常见原因似乎是由于OpenSSH放弃了对DSA密钥的支持。但是,不确定为什么会在生成RSA密钥对时对我产生影响。无论如何,运行Jun 22 15:53:37 exchange-apis sshd[16159]: Connection closed by 35.190.162.232 port 49750 [preauth]
Jun 22 15:53:38 exchange-apis sshd[16160]: Connection closed by 35.190.162.232 port 49754 [preauth]
Jun 22 15:53:38 exchange-apis sshd[16162]: Connection closed by 35.190.162.232 port 49752 [preauth]
Jun 22 15:53:38 exchange-apis sshd[16163]: Unable to negotiate with 35.190.162.232 port 49756: no matching host key type found. Their offer: sk-ecdsa-sha2-nistp256@openssh.com [preauth]
Jun 22 15:53:38 exchange-apis sshd[16161]: Unable to negotiate with 35.190.162.232 port 49758: no matching host key type found. Their offer: sk-ssh-ed25519@openssh.com [preauth]
会弹出:
dpkg --list | grep openssh
&ii openssh-client 1:7.6p1-4ubuntu0.3 amd64 secure shell (SSH) client, for secure access to remote machines
ii openssh-server 1:7.6p1-4ubuntu0.3 amd64 secure shell (SSH) server, for secure access from remote machines
ii openssh-sftp-server 1:7.6p1-4ubuntu0.3 amd64 secure shell (SSH) sftp server module, for SFTP access from remote machines
吐出:
sshd -v
尽管如此,答案还是有用的。 here和here,现在我的OpenSSH_7.6p1 Ubuntu-4ubuntu0.3, OpenSSL 1.0.2n 7 Dec 2017
阶段是:
deploy
仍然没有看到它,我在跑步者的输出和DO框中的日志中得到了相同的错误。有什么想法吗?
答案 0 :(得分:1)
理想情况下,如果可以登录到DO框,则将停止ssh服务并启动/usr/bin/sshd -de
,以便在SSH守护程序端建立调试会话,并在stderr上写日志(而不是系统消息)
但是,如果不能,请至少尝试生成没有密码短语的rsa密钥以进行测试。这意味着您不需要ssh-agent。
并尝试使用ssh -Tv gitlab@${DEPLOYMENT_SERVER_IP} ls
来查看在那里生成的日志。
ssh-keygen -t rsa -P "" -m PEM
在对管道进行了更多编辑之后,我注意到实际上是这一行引起了该问题:
ssh-keyscan -H ${DEPLOYMENT_SERVER_IP} >> ~/.ssh/known_hosts
可能会导致~/.ssh/known_hosts
格式错误,尤其是${DEPLOYMENT_SERVER_IP}
设置不正确的情况。
尝试向echo "DEPLOYMENT_SERVER_IP='${DEPLOYMENT_SERVER_IP}'"
部分添加cat ~/.ssh/known_hosts
和before_script
命令,以了解更多信息。