SSH from a shared GitLab runner stopped working

wma*_*ash 5 ssh openssh gitlab gitlab-ci gitlab-ci-runner

This used to work!

The deploy step in my pipeline connects over SSH to a DO box and pulls from the Docker registry. As mentioned, this worked before; this was my deploy step at the time, heavily inspired by the .gitlab-ci.yml here: Using SSH

deploy:
  stage: deploy
  image: docker:stable-dind
  only:
    - master
  services:
    # Specifying the DinD version here as the latest DinD version introduced a timeout bug
    # Highlighted here: https://forum.gitlab.com/t/gitlab-com-ci-stuck-on-docker-build/34401/2
    - docker:19.03.5-dind
  variables:
    DOCKER_DRIVER: overlay2
    DOCKER_TLS_CERTDIR: ""
  environment:
    name: production
  when: manual
  before_script:
    - mkdir -p ~/.ssh
    - echo "$DEPLOYMENT_SERVER_PRIVATE_KEY" | tr -d '\r' > ~/.ssh/id_rsa
    - chmod 600 ~/.ssh/id_rsa
    # ssh-agent's Bourne-shell output flag is lowercase -s (as the job log below shows)
    - eval "$(ssh-agent -s)"
    - ssh-add ~/.ssh/id_rsa
    - ssh-keyscan -H $DEPLOYMENT_SERVER_IP >> ~/.ssh/known_hosts
  script:
    - ssh -vvv gitlab@${DEPLOYMENT_SERVER_IP}
      "docker stop ${CI_PROJECT_NAME};
      docker rm ${CI_PROJECT_NAME};
      docker container prune -f;
      docker rmi ${CI_REGISTRY}/${CI_PROJECT_PATH};
      docker login -u ${CI_REGISTRY_USER} -p ${CI_REGISTRY_PASSWORD} ${CI_REGISTRY};
      docker pull ${CI_REGISTRY}/${CI_PROJECT_PATH}:latest;
      docker run -d -p ${HTTP_PORT}:${HTTP_PORT} --restart=always -m 800m --init --name ${CI_PROJECT_NAME} --net ${NETWORK_NAME} --ip ${NETWORK_IP} ${CI_REGISTRY}/${CI_PROJECT_PATH}:latest;"

At one point I simply tried to run the deploy step and it failed, coming back with this error:

...
 $ mkdir -p ~/.ssh
 $ echo "${DEPLOYMENT_SERVER_PRIVATE_KEY}" | tr -d '\r' > ~/.ssh/id_rsa
 $ chmod 600 ~/.ssh/id_rsa
 $ eval "$(ssh-agent -s)"
 Agent pid 22
 $ ssh-add ~/.ssh/id_rsa
 Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)
 $ ssh-keyscan -H ${DEPLOYMENT_SERVER_IP} >> ~/.ssh/known_hosts
 # xxx.xxx.xxx.xxx:22 SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
 # xxx.xxx.xxx.xxx:22 SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
 # xxx.xxx.xxx.xxx:22 SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
 # xxx.xxx.xxx.xxx:22 SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
 # xxx.xxx.xxx.xxx:22 SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
 $ ssh gitlab@${DEPLOYMENT_SERVER_IP} "docker stop ${CI_PROJECT_NAME}; docker rm ${CI_PROJECT_NAME}; docker container prune -f; docker rmi ${CI_REGISTRY}/${CI_PROJECT_PATH}; docker login -u ${CI_REGISTRY_USER} -p ${CI_REGISTRY_PASSWORD} ${CI_REGISTRY}; docker pull ${CI_REGISTRY}/${CI_PROJECT_PATH}:latest; docker run -d -p ${PORT}:${PORT} --restart always -m 2g --init --name ${CI_PROJECT_NAME} --net ${NETWORK_NAME} --ip ${NETWORK_IP} ${CI_REGISTRY}/${CI_PROJECT_PATH}:latest;"
 ssh: connect to host xxx.xxx.xxx.xxx port 22: Connection refused
Running after_script
00:02
Uploading artifacts for failed job
00:01
 ERROR: Job failed: exit code 255

The steps I took to set this up originally

  • Ran ssh-keygen -t rsa -b 2048 on the DO box (no passphrase)
  • Added the public key to authorized_keys on the DO box
  • Copied the private key into the CI variable DEPLOYMENT_SERVER_PRIVATE_KEY

I know the port is open for SSH because I can SSH in as the gitlab user from my local machine. I have now changed the deploy step (based on the comments on this article here) to:

deploy:
  stage: deploy
  image: docker:stable-dind
  only:
    - master
  services:
    # Specifying the DinD version here as the latest DinD version introduced a timeout bug
    # Highlighted here: https://forum.gitlab.com/t/gitlab-com-ci-stuck-on-docker-build/34401/2
    - docker:19.03.5-dind
  variables:
    DOCKER_DRIVER: overlay2
    DOCKER_TLS_CERTDIR: ""
  environment:
    name: production
  when: manual
  before_script:
    - 'which ssh-agent || ( apt-get update -y && apt-get install openssh-client -y )'
    - eval $(ssh-agent -s)
    - echo "$DEPLOYMENT_SERVER_PRIVATE_KEY" | tr -d '\r' | ssh-add - > /dev/null
    - mkdir -p ~/.ssh
    - chmod 700 ~/.ssh
    - '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config'
    - cat ~/.ssh/config
    - echo ${CI_REGISTRY_USER}
    - ssh-keyscan -H ${DEPLOYMENT_SERVER_IP} >> ~/.ssh/known_hosts
  script:
    - ssh -vvv gitlab@${DEPLOYMENT_SERVER_IP}
      "docker stop ${CI_PROJECT_NAME};
      docker rm ${CI_PROJECT_NAME};
      docker container prune -f;
      docker rmi ${CI_REGISTRY}/${CI_PROJECT_PATH};
      docker login -u ${CI_REGISTRY_USER} -p ${CI_REGISTRY_PASSWORD} ${CI_REGISTRY};
      docker pull ${CI_REGISTRY}/${CI_PROJECT_PATH}:latest;
      docker run -d -p ${HTTP_PORT}:${HTTP_PORT} --restart=always -m 800m --init --name ${CI_PROJECT_NAME} --net ${NETWORK_NAME} --ip ${NETWORK_IP} ${CI_REGISTRY}/${CI_PROJECT_PATH}:latest;"

Still no luck! The verbose log that ssh spits out:

...
 $ which ssh-agent || ( apt-get update -y && apt-get install openssh-client -y )
 /usr/bin/ssh-agent
 $ eval $(ssh-agent -s)
 Agent pid 18
 $ echo "$DEPLOYMENT_SERVER_PRIVATE_KEY" | tr -d '\r' | ssh-add - > /dev/null
 Identity added: (stdin) ((stdin))
 $ mkdir -p ~/.ssh
 $ chmod 700 ~/.ssh
 $ [[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config
 $ cat ~/.ssh/config
 Host *
    StrictHostKeyChecking no
 $ echo ${CI_REGISTRY_USER}
 gitlab-ci-token
 $ ssh-keyscan -H ${DEPLOYMENT_SERVER_IP} >> ~/.ssh/known_hosts
 # xxx.209.184.138:22 SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
 # xxx.209.184.138:22 SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
 # xxx.209.184.138:22 SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
 # xxx.209.184.138:22 SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
 # xxx.xxx.xxx.xxx:22 SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
 $ ssh -vvv gitlab@${DEPLOYMENT_SERVER_IP}
 OpenSSH_8.3p1, OpenSSL 1.1.1g  21 Apr 2020
 debug1: Reading configuration data /root/.ssh/config
 debug1: /root/.ssh/config line 1: Applying options for *
 debug1: Reading configuration data /etc/ssh/ssh_config
 debug2: resolve_canonicalize: hostname 134.xxx.xxx.xxx is address
 Pseudo-terminal will not be allocated because stdin is not a terminal.
 debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
 debug2: ssh_connect_direct
 debug1: Connecting to xxx.xxx.xxx.xxx [xxx.xxx.xxx.xxx] port 22.
 debug1: connect to address xxx.xxx.xxx.xxx port 22: Connection refused
 ssh: connect to host xxx.xxx.xxx.xxx port 22: Connection refused
 ERROR: Job failed: exit code 255

I also added the -T option suggested here to disable pseudo-tty allocation, but all that did was remove the pseudo-terminal line from the log.

Edit

Looking at the logs on the DO box (/var/log/auth.log), I get the error:

Jun 22 15:53:37 exchange-apis sshd[16159]: Connection closed by 35.190.162.232 port 49750 [preauth]
Jun 22 15:53:38 exchange-apis sshd[16160]: Connection closed by 35.190.162.232 port 49754 [preauth]
Jun 22 15:53:38 exchange-apis sshd[16162]: Connection closed by 35.190.162.232 port 49752 [preauth]
Jun 22 15:53:38 exchange-apis sshd[16163]: Unable to negotiate with 35.190.162.232 port 49756: no matching host key type found. Their offer: sk-ecdsa-sha2-nistp256@openssh.com [preauth]
Jun 22 15:53:38 exchange-apis sshd[16161]: Unable to negotiate with 35.190.162.232 port 49758: no matching host key type found. Their offer: sk-ssh-ed25519@openssh.com [preauth]

Googling this error, the common cause seems to be OpenSSH dropping support for DSA keys. However, I'm not sure why that would affect me, since I generated an RSA key pair. Anyway, running dpkg --list | grep openssh spits out:

ii  openssh-client                         1:7.6p1-4ubuntu0.3                              amd64        secure shell (SSH) client, for secure access to remote machines
ii  openssh-server                         1:7.6p1-4ubuntu0.3                              amd64        secure shell (SSH) server, for secure access from remote machines
ii  openssh-sftp-server                    1:7.6p1-4ubuntu0.3                              amd64        secure shell (SSH) sftp server module, for SFTP access from remote machines

and sshd -v spits out:

OpenSSH_7.6p1 Ubuntu-4ubuntu0.3, OpenSSL 1.0.2n  7 Dec 2017

Still, the answers here and here are valid, so my deploy stage is now:


Still not seeing this work, and I get the same error in the runner output and in the logs on the DO box. Any ideas?

Von*_*onC 2

Ideally, if you can log in to the DO box, you would stop the ssh service and start /usr/bin/sshd -de in order to get a debugging session on the SSH daemon side, with the logs written to stderr (rather than to the system messages).

But if you can't, at least try generating an RSA key without a passphrase for testing. That means you don't need an ssh agent.
And try ssh -Tv gitlab@${DEPLOYMENT_SERVER_IP} ls to see what logs get generated there.

Try with the classic PEM format

ssh-keygen -t rsa -P "" -m PEM

After more edits to the pipeline, I noticed it's actually this line that causes the problem: ssh-keyscan -H ${DEPLOYMENT_SERVER_IP} >> ~/.ssh/known_hosts

That could be the case if it results in a malformed ~/.ssh/known_hosts, especially if ${DEPLOYMENT_SERVER_IP} is not set correctly.
Try adding echo "DEPLOYMENT_SERVER_IP='${DEPLOYMENT_SERVER_IP}'" and a cat ~/.ssh/known_hosts command to the before_script section to find out more.
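The checks VonC suggests (print the variable, inspect known_hosts) can be turned into before_script helpers that fail the job early, with a clear message, instead of leaving ssh to report something confusing later. The POSIX shell below is an added example, not code from the question or the answer. It also replaces the per-job ssh-keyscan plus StrictHostKeyChecking no from the question's second attempt, which trusts whatever host key answers on that IP at job time, with a host key pinned in a CI variable; DEPLOYMENT_SERVER_HOST_KEY, the helper names, the ci/ssh-helpers.sh path and the sample IP and key are assumptions for illustration. Two observations from the page's own logs are worth keeping in mind while debugging: the "Unable to negotiate ... Their offer: sk-ecdsa-sha2-nistp256@openssh.com / sk-ssh-ed25519@openssh.com" lines are what a newer ssh-keyscan produces when it probes the FIDO host key types an OpenSSH 7.6 server does not know, and a TCP "Connection refused" never reaches sshd, so it leaves nothing in auth.log at all.

```sh
#!/bin/sh
# Added example (not from the original post): helpers for a GitLab before_script
# that pin the deploy host's SSH key instead of trusting ssh-keyscan on every job.
#
# Assumed CI variables (DEPLOYMENT_SERVER_HOST_KEY is hypothetical; capture it ONCE
# by hand, e.g. `ssh-keyscan -t ed25519 <ip>` compared against the server's own
# /etc/ssh/ssh_host_ed25519_key.pub, and store it as a protected variable):
#   DEPLOYMENT_SERVER_IP        203.0.113.10
#   DEPLOYMENT_SERVER_HOST_KEY  ssh-ed25519 AAAA... [comment]
#
# Assumed use in .gitlab-ci.yml, with these helpers committed as ci/ssh-helpers.sh:
#   before_script:
#     - . ci/ssh-helpers.sh
#     - install_known_hosts "$DEPLOYMENT_SERVER_IP" "$DEPLOYMENT_SERVER_HOST_KEY" ~/.ssh
#   script:
#     - ssh -T -o StrictHostKeyChecking=yes gitlab@"$DEPLOYMENT_SERVER_IP" "docker ps"

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  for octet in $(printf '%s\n' "$1" | tr '.' ' '); do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Print one known_hosts entry "<host> <type> <base64>" for host $1 and key line $2
# ("<type> <base64> [comment]"). Fails on an empty or invalid host, the case the
# answer points at (a bad ${DEPLOYMENT_SERVER_IP} feeding ssh-keyscan), and on a
# key type the OpenSSH 7.6 server in the question cannot have, such as sk-* types.
known_hosts_entry() {
  host=$1
  keyline=$2
  ktype=${keyline%% *}           # first word: key type
  rest=${keyline#"$ktype"}
  rest=${rest# }
  kdata=${rest%% *}              # second word: base64 blob; any comment is dropped
  valid_ipv4 "$host" || { echo "bad DEPLOYMENT_SERVER_IP: '$host'" >&2; return 1; }
  case "$ktype" in
    ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
    *) echo "unsupported host key type: '$ktype'" >&2; return 1 ;;
  esac
  printf '%s\n' "$kdata" | grep -Eq '^[A-Za-z0-9+/]+=*$' \
    || { echo "host key data is not base64" >&2; return 1; }
  printf '%s %s %s\n' "$host" "$ktype" "$kdata"
}

# Verify every non-comment line of the known_hosts file $1 has at least three
# fields (host or |1|hash, key type, base64); report the first malformed line.
check_known_hosts() {
  file=$1
  n=0
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    case "$line" in ''|'#'*) continue ;; esac
    nf=$(printf '%s\n' "$line" | awk '{ print NF }')
    [ "$nf" -ge 3 ] || { echo "$file: line $n malformed: $line" >&2; return 1; }
  done < "$file"
  return 0
}

# Write the pinned entry for host $1 / key $2 into DIR/known_hosts (DIR = $3,
# default ~/.ssh) with the permissions ssh insists on, then validate the file.
install_known_hosts() {
  dir=${3:-"$HOME/.ssh"}
  entry=$(known_hosts_entry "$1" "$2") || return 1
  mkdir -p "$dir" && chmod 700 "$dir" || return 1
  printf '%s\n' "$entry" > "$dir/known_hosts" && chmod 600 "$dir/known_hosts" || return 1
  check_known_hosts "$dir/known_hosts"
}

# Constructed sample values for a stand-alone run (documentation address, fake key).
SAMPLE_IP='203.0.113.10'
SAMPLE_HOST_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleExampleExampleExampleExampleExampleEx= ci-deploy'

if [ "${1:-}" = demo ]; then
  scratch=$(mktemp -d)
  install_known_hosts "$SAMPLE_IP" "$SAMPLE_HOST_KEY" "$scratch" && cat "$scratch/known_hosts"
  install_known_hosts "" "$SAMPLE_HOST_KEY" "$scratch" || echo "empty IP rejected, as intended"
fi
```

With the key pinned this way, StrictHostKeyChecking can stay at its default, so a job that reaches a host presenting a different key fails instead of silently deploying to it. On the server side, the counterpart to VonC's suggestion that avoids stopping the production daemon is sshd -d -e -p 2222 in a second terminal: that instance handles a single connection, logs it to stderr and exits, while port 22 keeps serving.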