#993  Remote host identification has changed while checking out submodules via ssh
Closed
bohendo opened 1 year ago

Onedev is an amazing product & I've been using it very effectively for several months now, the CI agents in particular are very well designed & are very robust, great work! This is the first issue I've hit without a clear resolution.

I followed the manual page & added an ssh key to my build secrets for cloning a git submodule as the first step of my build pipeline. I'm running the onedev agent in an Ubuntu virtual box, from this VM I can git clone and I can also sudo git clone this submodule (I have the onedev agent set up as a systemd service so it might be running as root).

Builds are immediately failing with the following error:

Step "checkout" is failed: Failed to run command: git submodule update --init --recursive --force --quiet, return code: 1
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
SHA256:c1L26HW3yG5lm1RW04uzC3XIuIJIX4cL9Ybt9R23Uz8.
Please contact your system administrator.
Add correct host key in /home/oneagent/agent/work/virtualbox/temp/onedev-build1467549161291436004/user/.ssh/known_hosts to get rid of this message.
Offending RSA key in /home/oneagent/agent/work/virtualbox/temp/onedev-build1467549161291436004/user/.ssh/known_hosts:1
  remove with:
  ssh-keygen -f "/home/oneagent/agent/work/virtualbox/temp/onedev-build1467549161291436004/user/.ssh/known_hosts" -R "onedev"
Host key for onedev has changed and you have requested strict checking.
Host key verification failed.

I modified my /etc/hosts so that onedev points to the IP of the onedev server on my local network. I can resolve this hostname on my host browser, host git, and from git in the VM.

I'm not sure where the known_hosts file in this temp build directory is coming from; it seems to be auto-generated incorrectly. I'd modify it if it stuck around & persisted, but it looks like it needs to be reset somewhere upstream.

I first hit this error against the 1dev/server:7.4.20 docker container, I just upgraded to 1dev/server:7.7.13 & installed the new agent provided by the web ui but this issue persists.

Fwiw, I'm on a local network working on relatively harmless projects so I seriously doubt I'm actually being MITM attacked, but who knows.

If there's any other helpful info I could provide please let me know & thanks again for maintaining such a fantastic product :)

bohendo commented 1 year ago

I added a pre-checkout step in an attempt to debug but the users/.ssh/known_hosts file is not present before the checkout step runs so I was not able to manually edit known hosts.

However, I was able to replace the pre-made checkout step with a manual execution step consisting of just: git clone --recurse-submodules ssh://onedev/project .

This is probably less efficient than the pre-made checkout step, but it's gotten me past this problem & I'm unblocked for now. I'll keep an eye on this issue & remove this hack once we have a fix.

Robin Shen commented 1 year ago

OneDev generates the file known_hosts automatically for the host specified in the property server url in system setting. Please make sure that your submodule url is using the same host name as the server url setting.

Robin Shen commented 1 year ago

BTW: Agent does not need to be upgraded manually upon upgrading OneDev server, it will be updated automatically.

Robin Shen commented 1 year ago

Correct: the submodule url should be using the same host as the SSH root url specified in system setting.
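A pre-flight check for the advice above, written as an added example that is not OneDev's own code: it reads a .gitmodules file and reports every ssh-style submodule URL whose host differs from the host of the SSH root URL (the host names and the sample .gitmodules are constructed).

```shell
#!/bin/sh
# Added example (not OneDev's code): verify that ssh submodule URLs in a
# .gitmodules file use the same host that OneDev writes into its generated
# known_hosts, i.e. the host of the "SSH root URL" system setting.

# Print the host of a git URL: ssh://[user@]host[:port]/path or scp-like [user@]host:path.
url_host() {
    case "$1" in
        *://*) printf '%s\n' "$1" | sed -e 's#^[a-z+]*://##' -e 's#/.*##' -e 's#^.*@##' -e 's#:.*##' ;;
        *:*)   printf '%s\n' "$1" | sed -e 's#:.*##' -e 's#^.*@##' ;;
        *)     printf '\n' ;;
    esac
}

# Return 0 if every ssh-style submodule URL in file $1 targets host $2, else 1.
# Local paths and http(s) URLs are skipped: they never touch known_hosts.
check_submodule_hosts() {
    gitmodules=$1; expected=$2; status=0
    # keep only "url = ..." lines and strip the key
    for url in $(sed -n 's/^[[:space:]]*url[[:space:]]*=[[:space:]]*//p' "$gitmodules"); do
        case "$url" in
            http://*|https://*|/*|./*|../*) continue ;;
        esac
        host=$(url_host "$url")
        if [ "$host" != "$expected" ]; then
            echo "MISMATCH: $url (host '$host', expected '$expected')"
            status=1
        else
            echo "ok: $url"
        fi
    done
    return $status
}

# Constructed sample .gitmodules (hypothetical hosts) with one matching,
# one mismatching ssh URL and one https URL that is ignored.
write_sample() {
    printf '[submodule "lib"]\n\tpath = lib\n\turl = ssh://onedev/project-lib\n' > "$1"
    printf '[submodule "tools"]\n\tpath = tools\n\turl = git@onedev.internal:team/tools.git\n' >> "$1"
    printf '[submodule "docs"]\n\tpath = docs\n\turl = https://onedev/docs\n' >> "$1"
}
```

Run `write_sample /tmp/gitmodules && check_submodule_hosts /tmp/gitmodules onedev` to see the "tools" entry flagged; a non-zero exit means the checkout step would fail host key verification for at least one submodule.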

Robin Shen changed state to 'Closed' 1 year ago (Previous Value: Open, Current Value: Closed)
Type: Bug
Priority: Normal
Assignee:
Affected Versions: Not Found
Issue Votes: 0
Watchers: 4
Reference: onedev/server#993