SSH from a shared GitLab runner stopped working

Time: 2020-06-21 18:38:40

Tags: ssh gitlab gitlab-ci gitlab-ci-runner openssh

This used to work!

The deploy step in my pipeline SSHes into a DO box and pulls the code from the Docker registry. As mentioned, this worked before. This is my `deploy` step in `.gitlab-ci.yml`, inspired by the "Using SSH" guide here:

```yaml
deploy:
  stage: deploy
  image: docker:stable-dind
  only:
    - master
  services:
    # Specifying the DinD version here as the latest DinD version introduced a timeout bug
    # Highlighted here: https://forum.gitlab.com/t/gitlab-com-ci-stuck-on-docker-build/34401/2
    - docker:19.03.5-dind
  variables:
    DOCKER_DRIVER: overlay2
    DOCKER_TLS_CERTDIR: ""
  environment:
    name: production
  when: manual
  before_script:
    - mkdir -p ~/.ssh
    - echo "$DEPLOYMENT_SERVER_PRIVATE_KEY" | tr -d '\r' > ~/.ssh/id_rsa
    - chmod 600 ~/.ssh/id_rsa
    # -s (lower case) prints sh-style commands for eval; there is no -S option
    - eval "$(ssh-agent -s)"
    - ssh-add ~/.ssh/id_rsa
    - ssh-keyscan -H $DEPLOYMENT_SERVER_IP >> ~/.ssh/known_hosts
  script:
    - ssh -vvv gitlab@${DEPLOYMENT_SERVER_IP} "docker stop ${CI_PROJECT_NAME}; docker rm ${CI_PROJECT_NAME}; docker container prune -f; docker rmi ${CI_REGISTRY}/${CI_PROJECT_PATH}; docker login -u ${CI_REGISTRY_USER} -p ${CI_REGISTRY_PASSWORD} ${CI_REGISTRY}; docker pull ${CI_REGISTRY}/${CI_PROJECT_PATH}:latest; docker run -d -p ${HTTP_PORT}:${HTTP_PORT} --restart=always -m 800m --init --name ${CI_PROJECT_NAME} --net ${NETWORK_NAME} --ip ${NETWORK_IP} ${CI_REGISTRY}/${CI_PROJECT_PATH}:latest;"
```

I just tried running the `deploy` step, but it failed. This is the error, again:

```text
$ mkdir -p ~/.ssh
$ echo "${DEPLOYMENT_SERVER_PRIVATE_KEY}" | tr -d '\r' > ~/.ssh/id_rsa
$ chmod 600 ~/.ssh/id_rsa
$ eval "$(ssh-agent -s)"
Agent pid 22
$ ssh-add ~/.ssh/id_rsa
Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)
$ ssh-keyscan -H ${DEPLOYMENT_SERVER_IP} >> ~/.ssh/known_hosts
# xxx.xxx.xxx.xxx:22 SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
# xxx.xxx.xxx.xxx:22 SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
# xxx.xxx.xxx.xxx:22 SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
# xxx.xxx.xxx.xxx:22 SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
# xxx.xxx.xxx.xxx:22 SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
$ ssh gitlab@${DEPLOYMENT_SERVER_IP} "docker stop ${CI_PROJECT_NAME}; docker rm ${CI_PROJECT_NAME}; docker container prune -f; docker rmi ${CI_REGISTRY}/${CI_PROJECT_PATH}; docker login -u ${CI_REGISTRY_USER} -p ${CI_REGISTRY_PASSWORD} ${CI_REGISTRY}; docker pull ${CI_REGISTRY}/${CI_PROJECT_PATH}:latest; docker run -d -p ${PORT}:${PORT} --restart always -m 2g --init --name ${CI_PROJECT_NAME} --net ${NETWORK_NAME} --ip ${NETWORK_IP} ${CI_REGISTRY}/${CI_PROJECT_PATH}:latest;"
ssh: connect to host xxx.xxx.xxx.xxx port 22: Connection refused
Running after_script
00:02
Uploading artifacts for failed job
00:01
ERROR: Job failed: exit code 255
```

Steps I originally took

  • Ran `ssh-keygen -t rsa -b 2048` on the DO box (no passphrase)
  • Added the public key to `authorized_keys` on the DO box
  • Copied the private key into the CI variable `DEPLOYMENT_SERVER_PRIVATE_KEY`

I know the port is open for SSH because I can SSH from my local machine as the `gitlab` user. I have now changed the deploy step (based on the comments here, this article and this one) to:

```yaml
deploy:
  stage: deploy
  image: docker:stable-dind
  only:
    - master
  services:
    # Specifying the DinD version here as the latest DinD version introduced a timeout bug
    # Highlighted here: https://forum.gitlab.com/t/gitlab-com-ci-stuck-on-docker-build/34401/2
    - docker:19.03.5-dind
  variables:
    DOCKER_DRIVER: overlay2
    DOCKER_TLS_CERTDIR: ""
  environment:
    name: production
  when: manual
  before_script:
    - 'which ssh-agent || ( apt-get update -y && apt-get install openssh-client -y )'
    - eval $(ssh-agent -s)
    - echo "$DEPLOYMENT_SERVER_PRIVATE_KEY" | tr -d '\r' | ssh-add - > /dev/null
    - mkdir -p ~/.ssh
    - chmod 700 ~/.ssh
    # note: this turns off host-key verification for every host the job connects to
    - '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config'
    - cat ~/.ssh/config
    - echo ${CI_REGISTRY_USER}
    - ssh-keyscan -H ${DEPLOYMENT_SERVER_IP} >> ~/.ssh/known_hosts
  script:
    - ssh -vvv gitlab@${DEPLOYMENT_SERVER_IP} "docker stop ${CI_PROJECT_NAME}; docker rm ${CI_PROJECT_NAME}; docker container prune -f; docker rmi ${CI_REGISTRY}/${CI_PROJECT_PATH}; docker login -u ${CI_REGISTRY_USER} -p ${CI_REGISTRY_PASSWORD} ${CI_REGISTRY}; docker pull ${CI_REGISTRY}/${CI_PROJECT_PATH}:latest; docker run -d -p ${HTTP_PORT}:${HTTP_PORT} --restart=always -m 800m --init --name ${CI_PROJECT_NAME} --net ${NETWORK_NAME} --ip ${NETWORK_IP} ${CI_REGISTRY}/${CI_PROJECT_PATH}:latest;"
```

Still to no avail! The verbose `ssh` log spits out:

```text
$ which ssh-agent || ( apt-get update -y && apt-get install openssh-client -y )
/usr/bin/ssh-agent
$ eval $(ssh-agent -s)
Agent pid 18
$ echo "$DEPLOYMENT_SERVER_PRIVATE_KEY" | tr -d '\r' | ssh-add - > /dev/null
Identity added: (stdin) ((stdin))
$ mkdir -p ~/.ssh
$ chmod 700 ~/.ssh
$ [[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config
$ cat ~/.ssh/config
Host *
	StrictHostKeyChecking no
$ echo ${CI_REGISTRY_USER}
gitlab-ci-token
$ ssh-keyscan -H ${DEPLOYMENT_SERVER_IP} >> ~/.ssh/known_hosts
# xxx.209.184.138:22 SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
# xxx.209.184.138:22 SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
# xxx.209.184.138:22 SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
# xxx.209.184.138:22 SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
# xxx.xxx.xxx.xxx:22 SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
$ ssh -vvv gitlab@${DEPLOYMENT_SERVER_IP}
OpenSSH_8.3p1, OpenSSL 1.1.1g 21 Apr 2020
debug1: Reading configuration data /root/.ssh/config
debug1: /root/.ssh/config line 1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: resolve_canonicalize: hostname 134.xxx.xxx.xxx is address
Pseudo-terminal will not be allocated because stdin is not a terminal.
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug2: ssh_connect_direct
debug1: Connecting to xxx.xxx.xxx.xxx [xxx.xxx.xxx.xxx] port 22.
debug1: connect to address xxx.xxx.xxx.xxx port 22: Connection refused
ssh: connect to host xxx.xxx.xxx.xxx port 22: Connection refused
ERROR: Job failed: exit code 255
```

I also added the `-T` option suggested here to disable pseudo-tty allocation, but all that did was remove the "Pseudo-terminal" line from the log.

Edit

Looking at the logs on the DO box (`/var/log/auth.log`) shows this error:

```text
Jun 22 15:53:37 exchange-apis sshd[16159]: Connection closed by 35.190.162.232 port 49750 [preauth]
Jun 22 15:53:38 exchange-apis sshd[16160]: Connection closed by 35.190.162.232 port 49754 [preauth]
Jun 22 15:53:38 exchange-apis sshd[16162]: Connection closed by 35.190.162.232 port 49752 [preauth]
Jun 22 15:53:38 exchange-apis sshd[16163]: Unable to negotiate with 35.190.162.232 port 49756: no matching host key type found. Their offer: sk-ecdsa-sha2-nistp256@openssh.com [preauth]
Jun 22 15:53:38 exchange-apis sshd[16161]: Unable to negotiate with 35.190.162.232 port 49758: no matching host key type found. Their offer: sk-ssh-ed25519@openssh.com [preauth]
```

Searching for this error, the common cause seems to be OpenSSH dropping support for DSA keys. However, I'm not sure why that would affect me, as I generated an RSA key pair. Anyway, running `dpkg --list | grep openssh` gives:

```text
ii  openssh-client       1:7.6p1-4ubuntu0.3   amd64   secure shell (SSH) client, for secure access to remote machines
ii  openssh-server       1:7.6p1-4ubuntu0.3   amd64   secure shell (SSH) server, for secure access from remote machines
ii  openssh-sftp-server  1:7.6p1-4ubuntu0.3   amd64   secure shell (SSH) sftp server module, for SFTP access from remote machines
```

and `sshd -v` spits out:

```text
OpenSSH_7.6p1 Ubuntu-4ubuntu0.3, OpenSSL 1.0.2n 7 Dec 2017
```

Nonetheless, the answers here and here were useful, and my `deploy` stage is now:

Still not seeing it; I get the same error in the runner output and in the logs on the DO box. Any ideas?
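Two things in the question's logs are worth separating, and the added shell example below (not code from the question or the answer; sample lines are constructed from the messages quoted on the page) does that. First, "Connection refused" is returned by the TCP stack, so sshd never saw that session and nothing in `/var/log/auth.log` will correspond to it; the place to look is whatever sits in front of port 22 on the box (sshd's listen address, ufw/iptables, fail2ban, the cloud firewall) as seen from the runner's source address. Second, the five `auth.log` lines match the five `ssh-keyscan` comment lines in the job output: `ssh-keyscan` from OpenSSH 8.2 and later opens one connection per host-key type it supports, and the 7.6 server on the box does not know the two FIDO types (`sk-ecdsa-sha2-nistp256@openssh.com`, `sk-ssh-ed25519@openssh.com`), so it logs "no matching host key type found" for those probes. Those entries are the scan, not the failed login. One configuration consistent with "five keyscan connections accepted, then the sixth connection refused" is a per-source rate limit such as `ufw limit`, which rejects a source that opens six or more new connections within 30 seconds; that is a hypothesis to check on the box, not something the page establishes.

```shell
#!/bin/sh
# Added triage example, not code from the question or the answer. Sample lines
# are constructed from the messages quoted on the page (addresses masked there).

# Classify the final stderr line ssh prints, so a pipeline log names the layer
# that failed. "Connection refused" is a TCP-level rejection: sshd never saw the
# session and auth.log holds nothing for it; check the listen port/address, the
# host firewall (ufw/iptables, fail2ban) and the cloud firewall for the runner's
# source address instead.
classify_ssh_failure() {
  case "$1" in
    *"Connection refused"*)                        echo "tcp-refused" ;;
    *"Connection timed out"*|*"No route to host"*) echo "tcp-unreachable" ;;
    *"Host key verification failed"*)              echo "known-hosts" ;;
    *"Unable to negotiate"*|*"no matching"*)       echo "algorithm-mismatch" ;;
    *"Permission denied"*)                         echo "auth" ;;
    *)                                             echo "unknown" ;;
  esac
}

# Server-side counterpart for auth.log. ssh-keyscan from OpenSSH 8.2 and later
# opens one connection per host-key type it supports, including the FIDO types
# sk-ecdsa-sha2-nistp256@openssh.com and sk-ssh-ed25519@openssh.com; an OpenSSH
# 7.6 sshd does not know those two and logs "no matching host key type found".
# Returns 0 when $1 is such a keyscan probe rather than a real login attempt.
is_keyscan_probe() {
  case "$1" in
    *"no matching host key type found. Their offer: sk-"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Read a job log on stdin and report the classification of the last line that
# ssh itself emitted (prefixed "ssh: " or one of the well-known auth messages).
triage_job_log() {
  last=""
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      "ssh: "*|*"Permission denied"*|*"Host key verification failed"*) last=$line ;;
    esac
  done
  [ -n "$last" ] || { echo "no-ssh-error"; return 1; }
  classify_ssh_failure "$last"
}

# Constructed sample job log, reduced from the output quoted in the question.
SAMPLE_JOB_LOG='$ ssh-keyscan -H ${DEPLOYMENT_SERVER_IP} >> ~/.ssh/known_hosts
# xxx.xxx.xxx.xxx:22 SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
$ ssh -vvv gitlab@${DEPLOYMENT_SERVER_IP}
debug1: Connecting to xxx.xxx.xxx.xxx [xxx.xxx.xxx.xxx] port 22.
debug1: connect to address xxx.xxx.xxx.xxx port 22: Connection refused
ssh: connect to host xxx.xxx.xxx.xxx port 22: Connection refused
ERROR: Job failed: exit code 255'

printf '%s\n' "$SAMPLE_JOB_LOG" | triage_job_log   # prints tcp-refused
```

In a pipeline, `triage_job_log` would be fed the captured output of the `ssh` command (for example via `ssh ... 2>&1 | tee ssh.log`), and a `tcp-refused` result is the cue to stop reading `auth.log` and compare the runner's source address against the firewall state on the box.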

1 answer:

Answer 0 (score: 1)

Ideally, if you can log in to the DO box, you would stop the ssh service and start `/usr/bin/sshd -de`, in order to have a debugging session on the SSH daemon side, with the logs written to stderr (instead of to the system messages).

But if you cannot, at least try generating an RSA key without a passphrase for testing. That means you don't need ssh-agent.
And try `ssh -Tv gitlab@${DEPLOYMENT_SERVER_IP} ls` to see the logs generated there.

Try with the classic PEM format:

```sh
ssh-keygen -t rsa -P "" -m PEM
```

After more edits to the pipeline, I noticed it was actually this line that caused the issue: `ssh-keyscan -H ${DEPLOYMENT_SERVER_IP} >> ~/.ssh/known_hosts`

That could result in a malformed `~/.ssh/known_hosts`, especially if `${DEPLOYMENT_SERVER_IP}` is not set properly.
Try adding `echo "DEPLOYMENT_SERVER_IP='${DEPLOYMENT_SERVER_IP}'"` and `cat ~/.ssh/known_hosts` commands to the `before_script` section to learn more.
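The answer's two suggestions (print the variable, inspect `known_hosts`) can be turned into a guard that fails the job early with a clear message, and the same guard removes the need for `StrictHostKeyChecking no` from the question's second pipeline, which disables host-key verification for every host the job talks to. The shell below is an added example, not the question's or the answer's code. It assumes `DEPLOYMENT_SERVER_IP` as on the page and, hypothetically, a CI variable `DEPLOYMENT_SERVER_HOST_KEY` holding one unhashed `known_hosts` line that an administrator captured once, out of band, and compared against the server's own `/etc/ssh/ssh_host_ed25519_key.pub`; scanning the key at job time, as `ssh-keyscan -H` in the pipeline does, trusts whatever answers on port 22 at that moment.

```shell
#!/bin/sh
# Added example, not the question's or the answer's code. Assumes the pipeline
# sets DEPLOYMENT_SERVER_IP (as on the page) and, hypothetically, a CI variable
# DEPLOYMENT_SERVER_HOST_KEY holding one unhashed known_hosts line captured
# once, out of band, by an administrator (not scanned by the job itself).

# Accept only a dotted-quad IPv4 address. An empty or mangled value is the
# usual way "ssh-keyscan -H $DEPLOYMENT_SERVER_IP" appends nothing, or junk,
# to known_hosts.
is_ipv4() {
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  old_ifs=$IFS
  IFS=.
  set -- $1
  IFS=$old_ifs
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Check that every non-comment line of a known_hosts file has the shape
#   <host-or-|1|hash> <keytype> <base64-key> [comment]
# with a key type OpenSSH actually uses; returns 1 at the first bad line.
known_hosts_is_valid() {
  file=$1
  [ -s "$file" ] || return 1
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac
    set -- $line
    [ $# -ge 3 ] || return 1
    case "$2" in
      ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
      sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-nistp256@openssh.com) ;;
      *) return 1 ;;
    esac
    printf '%s' "$3" | grep -Eq '^[A-Za-z0-9+/]+=*$' || return 1
  done < "$file"
  return 0
}

# Install the pinned host key instead of scanning at job time, leave
# StrictHostKeyChecking at its default, and verify what was written.
# $1 = server IP, $2 = pinned (unhashed) known_hosts line, $3 = ssh directory.
install_pinned_host_key() {
  ip=$1
  pinned=$2
  dir=$3
  if ! is_ipv4 "$ip"; then
    echo "DEPLOYMENT_SERVER_IP='$ip' is not an IPv4 address" >&2
    return 1
  fi
  case "$pinned" in
    "$ip "*) ;;
    *) echo "pinned host key line is not for $ip" >&2; return 1 ;;
  esac
  mkdir -p "$dir" && chmod 700 "$dir" || return 1
  printf '%s\n' "$pinned" > "$dir/known_hosts"
  chmod 600 "$dir/known_hosts"
  known_hosts_is_valid "$dir/known_hosts"
}

# Constructed sample: syntactically valid, but the key material is a
# placeholder, not any real server's key.
SAMPLE_HOST_KEY='203.0.113.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERabc'

demo_dir=$(mktemp -d)
install_pinned_host_key 203.0.113.10 "$SAMPLE_HOST_KEY" "$demo_dir" && echo "known_hosts ok"
# The job would then run: ssh -T -o UserKnownHostsFile="$demo_dir/known_hosts" gitlab@203.0.113.10 ...
rm -rf "$demo_dir"
```

In a `before_script` this replaces the `ssh-keyscan` line with `install_pinned_host_key "$DEPLOYMENT_SERVER_IP" "$DEPLOYMENT_SERVER_HOST_KEY" ~/.ssh`, so an unset or malformed variable fails the job with a message naming the variable instead of producing a silent, malformed `known_hosts`, and a server whose host key changes is reported by ssh rather than accepted.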
