apr_1985

Reputation: 1962

Git inside docker inside Jenkins pipeline doesn't work

I am trying to perform some git queries inside a docker container that runs as part of a Jenkins Pipeline. Outside the docker container the sshagent is working fine and I can access my SCM no problem. Inside the container I am getting host key verification issues.
Can anyone help with the mistake I have made?

script {
    sshagent(['e9f7d09a-7b88-4bf7-814c-464f811d9519'])
    {
        sh("""
            ssh -p 7999 [email protected] whoami
        """)
    }
    docker.withRegistry('https://dockerhub.banana.com', 'banana-dockerhub-credential') 
    {
        docker.image('banana_release_base').pull()
        docker.image('banana_release_base').inside(
        '''
           -v /system:/system -v /tmp:/tmp --privileged -u 0
        '''
       )
       {
             sshagent(['e9f7d09a-7b88-4bf7-814c-464f811d9519'])
             {
                 sh("""
                     echo $SSH_AUTH_SOCK
                     ssh -p 7999 [email protected] whoami
                 """)
             }
        }
    }
}

First whoami call outputs:

[docker_git_test] Running shell script
+ ssh -p 7999 [email protected] whoami
d42967b44abe31d6

Second call (and the echo) in the docker container outputs:

[docker_git_test] Running shell script
+ echo /tmp/ssh-dSoDZMggpAU1/agent.13
/tmp/ssh-dSoDZMggpAU1/agent.13
+ ssh -p 7999 [email protected] whoami
Host key verification failed

Upvotes: 2

Views: 4512

Answers (2)

apr_1985

Reputation: 1962

Just to show my work. On mkobit's advice I have added two lines to the sh command to write the ssh config file, which resolves the issue.

sshagent(['e9f7d09a-7b88-4bf7-814c-464f811d9519'])
         {
             sh("""
                 echo $SSH_AUTH_SOCK
                 mkdir -p ~/.ssh
                 echo 'Host *\n    StrictHostKeyChecking no' > ~/.ssh/config
                 ssh -p 7999 [email protected] whoami
             """)
         }

It could be built into the dockerfile, but as I am using a shared image this way suits my purposes.

Edit: I have added this to a dockerfile too, so here we are:

RUN useradd -r -u 1000 builder
COPY config /home/builder/.ssh/config
RUN chown builder:builder /home/builder/.ssh/*
USER builder
ENTRYPOINT ["/bin/bash"]

Add a non-root user so that files don't get left in the workspace as root. Need to run chown as any files added get added with root as owner. Config file that gets added is:

Host *
    StrictHostKeyChecking no

Cheers!

Upvotes: 4

mkobit

Reputation: 47249

Host key verification failed

The SSH connection in the container could not verify the host's (bitbucket-eng-gpk1.com) identity, which is why it failed. When Jenkins provisions a container it tries to limit the amount of things from the outside world such as environment variables and file system locations that it mounts into that container so that the build steps have isolation. In your container, it has not accepted the host key of your VCS before making the connection and it is not an interactive terminal so it will fail.

There are several different ways to handle this. Here are a few I can think of off the top of my head:

  • Ignore host-key checking (understand the security implications of this (1, 2)) - use the StrictHostKeyChecking option to disable checking. The UserKnownHostsFile option can be useful in conjunction to pipe the accepted keys somewhere else. This can also be done per host in a ~/.ssh/config file.

    ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -p 7999 [email protected] whoami
    
  • Build the SSH key into the Docker image (brittle)

  • Mount a ~/.ssh/config file into the container from the host with the
  • "Install" some SSH config files from host or use some other configuration file provider that has the verified host key into the container (possibly using the Config File Provider Plugin)

Upvotes: 3
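
The last option in mkobit's list, getting a verified host key into the container, can be done in the same sh step without turning checking off. The following is an added example, not code from either answer: the function names, the host name and the key blob passed to it are constructed, and it assumes the expected fingerprint was obtained out of band. It computes the same SHA256 fingerprint that `ssh-keygen -lf` prints, using only coreutils.

```shell
#!/bin/sh
# Added example, not from the original answers. Host name, key blob and
# fingerprint used with it are constructed; "YWJj" is not a real key.

# Print the OpenSSH-style SHA256 fingerprint of a base64 public-key blob:
# base64(sha256(decoded blob)) with the '=' padding removed.
key_fingerprint() {
    hex=$(printf '%s' "$1" | base64 -d | sha256sum | cut -d' ' -f1)
    printf 'SHA256:'
    while [ -n "$hex" ]; do
        pair=${hex%"${hex#??}"}                    # first two hex digits
        printf "\\$(printf '%03o' "0x$pair")"      # emit that byte (octal escape)
        hex=${hex#??}
    done | base64 | tr -d '=\n'
}

# pin_host_key HOST PORT KEYTYPE BLOB EXPECTED_FP SSH_DIR
# Writes known_hosts and config only when the key matches the fingerprint
# obtained out of band (assumption: the SCM administrator publishes it).
pin_host_key() {
    host=$1 port=$2 ktype=$3 blob=$4 want=$5 dir=$6
    got=$(key_fingerprint "$blob")
    if [ "$got" != "$want" ]; then
        echo "refusing to pin $host: got $got, expected $want" >&2
        return 1
    fi
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    # Non-default ports are stored in bracketed form in known_hosts.
    if [ "$port" = 22 ]; then name=$host; else name="[$host]:$port"; fi
    printf '%s %s %s\n' "$name" "$ktype" "$blob" > "$dir/known_hosts"
    cat > "$dir/config" <<EOF
Host $host
    Port $port
    StrictHostKeyChecking yes
    UserKnownHostsFile $dir/known_hosts
EOF
    chmod 600 "$dir/config" "$dir/known_hosts"
}
```

With `SSH_DIR` set to `~/.ssh` the later `ssh -p 7999 ...` call picks the config up automatically; a mismatching key makes the step fail instead of being silently accepted.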
