Remote host identification has changed while checking out submodules via ssh (OD-993)
bohendo opened 3 years ago

Onedev is an amazing product & I've been using it very effectively for several months now, the CI agents in particular are very well designed & are very robust, great work! This is the first issue I've hit without a clear resolution.

I followed the manual page & added an ssh key to my build secrets for cloning a git submodule as the first step of my build pipeline. I'm running the onedev agent in an Ubuntu virtual box; from this VM I can git clone and I can also sudo git clone this submodule (I have the onedev agent set up as a systemd service so it might be running as root).

Builds are immediately failing with the following error:

Step "checkout" is failed: Failed to run command: git submodule update --init --recursive --force --quiet, return code: 1
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
SHA256:c1L26HW3yG5lm1RW04uzC3XIuIJIX4cL9Ybt9R23Uz8.
Please contact your system administrator.
Add correct host key in /home/oneagent/agent/work/virtualbox/temp/onedev-build1467549161291436004/user/.ssh/known_hosts to get rid of this message.
Offending RSA key in /home/oneagent/agent/work/virtualbox/temp/onedev-build1467549161291436004/user/.ssh/known_hosts:1
  remove with:
  ssh-keygen -f "/home/oneagent/agent/work/virtualbox/temp/onedev-build1467549161291436004/user/.ssh/known_hosts" -R "onedev"
Host key for onedev has changed and you have requested strict checking.
Host key verification failed.

I modified my /etc/hosts so that onedev points to the IP of the onedev server on my local network. I can resolve this hostname on my host browser, host git, and from git in the VM.

I'm not sure where the known_hosts file in this temp build directory is coming from; it seems to be auto-generated incorrectly. I'd modify it if it stuck around & persisted, but it looks like it needs to be reset somewhere upstream.

I first hit this error against the 1dev/server:7.4.20 docker container, I just upgraded to 1dev/server:7.7.13 & installed the new agent provided by the web ui but this issue persists.

Fwiw, I'm on a local network working on relatively harmless projects so I seriously doubt I'm actually being MITM attacked, but who knows.

If there's any other helpful info I could provide please let me know & thanks again for maintaining such a fantastic product :)

  • bohendo commented 3 years ago

    I added a pre-checkout step in an attempt to debug but the users/.ssh/known_hosts file is not present before the checkout step runs so I was not able to manually edit known hosts.

    However, I was able to replace the pre-made checkout step with a manual execution step consisting of just: git clone --recurse-submodules ssh://onedev/project .

    This is probably less efficient than the pre-made checkout step but it's gotten me past this problem & I'm unblocked for now, but I'll keep an eye on this issue & remove this hack once we have a fix.

  • Robin Shen commented 3 years ago

    OneDev generates the known_hosts file automatically for the host specified in the server url property in system settings. Please make sure that your submodule url uses the same host name as the server url setting.

  • Robin Shen commented 3 years ago

    BTW: Agent does not need to be upgraded manually upon upgrading OneDev server, it will be updated automatically.

  • Robin Shen commented 3 years ago

    Correct: the submodule url should use the same host as the SSH root url specified in system settings

  • Robin Shen changed state to 'Closed' 3 years ago
    Previous Value: Open
    Current Value: Closed
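
A pre-build check for the mismatch described in the replies above, as an added example (not OneDev's code and not from the thread): it lists submodules whose SSH host differs from the host of the SSH root URL, which is the host the generated known_hosts file covers. The SSH root URL value and the .gitmodules content are constructed samples, and only host names are compared, not ports or keys.

```python
import re
from urllib.parse import urlsplit

# Constructed values: the SSH root URL host and the .gitmodules content are samples.
SSH_ROOT_URL = "ssh://onedev.example.internal"
SAMPLE_GITMODULES = '''\
[submodule "libs/core"]
    path = libs/core
    url = ssh://onedev/project
[submodule "libs/ui"]
    path = libs/ui
    url = git@onedev.example.internal:ui.git
[submodule "libs/docs"]
    path = libs/docs
    url = ../docs
'''

def ssh_host(url):
    """Host of an SSH remote; None for relative URLs (they inherit the
    superproject's remote) and for non-SSH URLs."""
    if url.startswith("ssh://"):
        host = urlsplit(url).hostname
        return host.lower() if host else None
    # scp-like syntax: [user@]host:path
    m = re.match(r"^(?:[^@/:]+@)?([^/:]+):(?!//)", url)
    return m.group(1).lower() if m else None

def submodule_urls(text):
    """Yield (name, url) pairs from .gitmodules content."""
    name = None
    for line in map(str.strip, text.splitlines()):
        sec = re.match(r'^\[submodule\s+"(.+)"\]$', line)
        kv = re.match(r"^url\s*=\s*(.+)$", line)
        if sec:
            name = sec.group(1)
        elif kv and name:
            yield name, kv.group(1).strip()

def host_mismatches(gitmodules_text, ssh_root_url):
    """Submodules whose SSH host differs from the SSH root URL host."""
    expected = ssh_host(ssh_root_url)
    return [(name, url, host)
            for name, url in submodule_urls(gitmodules_text)
            if (host := ssh_host(url)) is not None and host != expected]

if __name__ == "__main__":
    for name, url, host in host_mismatches(SAMPLE_GITMODULES, SSH_ROOT_URL):
        print(f"{name}: {url} -> host {host!r} != {ssh_host(SSH_ROOT_URL)!r}")
```
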
Type: Bug
Priority: Normal
Assignee:
Affected Versions: Not Found
Issue Votes (0)
Watchers (4)
Reference: OD-993