GitLab CI亚军 - 无法访问其他存储库

Question

在最近的一次小的8.x升级之后，我无法执行也读取另一个存储库的GitLab CI测试。虽然以前的一切工作，现在我得到着名的主机密钥验证失败。来自ssh的错误消息。这可能是什么原因？

/etc/gitlab-runner/config.toml：

concurrent = 1 

[[runners]] 
    name = "python-runner@localhost" 
    # ... 
    executor = "docker" 
    [runners.docker] 
    image = "edoburu/python-runner" 
    privileged = false 
    cap_drop = ["DAC_OVERRIDE"] 
    volumes = [ 
     "/cache", 
     "/home/deploy/.ssh:/root/.ssh:ro" 
    ] 
    # ... 

正如你所看到的，.ssh文件夹被暴露，给容器中的所有已知主机（/home/deploy/.ssh/known_hosts）的列表。这也给容器一个已知的SSH密钥，我已经在存储库中启用了部署密钥。

然而，如今构建失败，它以前并没有这样做：

Obtaining python-extra from git+git@git.example.org:myproject/python-repo.git@889f8fa0fe485d246d106ccee47aa60b2dd2523e#egg=python-extra (from -r src/requirements.txt (line 63)) 
    Cloning git@git.example.org:myproject/python-extra.git (to 889f8fa0fe485d246d106ccee47aa60b2dd2523e) to /builds/myproject/env/src/python-extra 
Host key verification failed. 
fatal: Could not read from remote repository. 

Please make sure you have the correct access rights 
and the repository exists. 
Command "git clone -q git@git.example.org:myproject/python-extra.git /builds/project/env/src/python-extra" failed with error code 128 in None 

的.gitlab-ci.yml文件包含：

test: 
    image: edoburu/python-runner:base 
    stage: test 
    script: 
    - virtualenv --no-site-packages ../env 
    - source ../env/bin/activate 
    - pip install --exists-action=w -r src/requirements.txt 
    - pip install coverage 
    - coverage run --source=src --omit='*/migrations/*' ./src/runtests.py -v2 
    - coverage report -m 

手动然而，当我进入容器中，一切工作正常：

root@git.example.org ~ $ docker run -it --volume="/home/deploy/.ssh:/root/.ssh:ro" edoburu/python-runner:base /bin/bash 
root@feed357355ad:/# ssh git@git.example.org 
PTY allocation request failed on channel 0 
Welcome to GitLab, Anonymous! 
Connection to git.example.org closed. 
root@feed357355ad:/# git clone git@git.example.org:myproject/python-extra.git 
Cloning into 'python-extra'... 
remote: Counting objects: 387, done. 
remote: Compressing objects: 100% (176/176), done. 
remote: Total 387 (delta 215), reused 374 (delta 208) 
Receiving objects: 100% (387/387), 5.97 MiB | 0 bytes/s, done. 
Resolving deltas: 100% (215/215), done. 
Checking connectivity... done. 
root@feed357355ad:/# exit 
root@git.example.org ~ $ 

GitLab有什么不同吗？也许分配IP地址或其他导致我的构建失败的东西？

Answer 1

解决了，事实证明--cap-drop=DAC_OVERRIDE阻止访问卷。改变它的所有者为根解决它。

通过添加一些调试代码到.gitlab-ci.yml文件实测值：

script: 
    - ping -c 1 git.edoburu.nl 
    - ssh-keyscan git.edoburu.nl 
    - ls -la ~/.ssh/ 
    - cat ~/.ssh/known_hosts