
Re: Openshift Origin using ssh key (secret) inside a build

The ssh key you are providing for git cloning is not available in the context under which "assemble" is running.  They are actually two totally separate docker containers. 

That is why you need to separately indicate you want to provide a secret to the build via this mechanism:

If indeed composer will just use the file named ssh-key from $HOME/.ssh, then you should be able to specify "/opt/app-root/src/.ssh/ssh-key" as the destinationDir for the secret.  (/opt/app-root/src is $HOME in our php image and presumably yours as well.)

On Wed, Feb 3, 2016 at 9:55 AM, Johary RAVELONJATOVO <johary icloud com> wrote:

My custom s2i image is similar to your image so I thought it's the same issue. 
Here are my logs at level 5:
* As you see, the ssh-privatekey used when it clones the project is the same one that I want to use during the "composer install"
I0203 14:24:50.378994 1 scmauths.go:27] Finding auth for "ssh-privatekey"
I0203 14:24:50.379052 1 scmauths.go:30] Found SCMAuth "ssh-privatekey" to handle "ssh-privatekey"
I0203 14:24:50.379075 1 scmauths.go:45] Setting up SCMAuth "ssh-privatekey"
I0203 14:24:50.379644 1 sti.go:167] With force pull false, setting policies to if-not-present
* Here the git repo is added to the known hosts, so it correctly used the ssh-key
I0203 14:24:50.399258 1 sti.go:140] Preparing to build
I0203 14:24:50.399610 1 source.go:96] git ls-remote ssh://git stash xxxxxxxxxx lan:7999/cr/xxxxxxxxxx-xxxxxxxxxx.git --heads
I0203 14:24:50.399663 1 repository.go:275] Executing git ls-remote ssh://git stash xxxxxxxxxx lan:7999/cr/xxxxxxxxxx-xxxxxxxxxx.git --heads
I0203 14:24:50.900606 1 repository.go:305] Err: Warning: Permanently added '[stash.xxxxxxxxxx.lan]:7999,[x.x.x.x]:7999' (RSA) to the list of known hosts.
I0203 14:24:50.900649 1 source.go:119] Warning: Permanently added '[stash.xxxxxxxxxx.lan]:7999,[x.x.x.x]:7999' (RSA) to the list of known hosts.
I0203 14:24:50.900662 1 source.go:189] Cloning source from ssh://git stash xxxxxxxxxx lan:7999/cr/xxxxxxxxxx-xxxxxxxxxx.git
I0203 14:24:50.900677 1 repository.go:275] Executing git clone --recursive ssh://git stash xxxxxxxxxx lan:7999/cr/xxxxxxxxxx-xxxxxxxxxx.git /tmp/s2i-build583749303/upload/src
I0203 14:24:58.501440 1 repository.go:300] Out: Cloning into '/tmp/s2i-build583749303/upload/src'...
I0203 14:24:58.501483 1 repository.go:275] Executing git config --get remote.origin.url
I0203 14:24:58.502624 1 repository.go:300] Out: ssh://git stash xxxxxxxxxx lan:7999/cr/xxxxxxxxxx-xxxxxxxxxx.git
I0203 14:24:58.502650 1 repository.go:275] Executing git rev-parse --abbrev-ref HEAD
I0203 14:24:58.504043 1 repository.go:300] Out: develop
I0203 14:24:58.504064 1 repository.go:275] Executing git rev-parse --verify HEAD
I0203 14:24:58.520643 1 repository.go:300] Out: Thu Dec 17 13:42:16 2015 -0500
I0203 14:24:58.520667 1 repository.go:275] Executing git --no-pager show -s --format=%<(80,trunc)%s HEAD
I0203 14:24:58.522358 1 repository.go:300] Out: Automatic merge from master -> develop
I0203 14:24:58.522392 1 common.go:78] Setting build revision to &api.GitSourceRevision{Commit:"1da37a9c4395024f4f934a9fdb91185058055b99", Author:api.SourceControlUser{Name:"Johary Ravelonjatovo", Email:"johary xxxxxxxxxx com"}, Committer:api.SourceControlUser{Name:"Johary Ravelonjatovo", Email:"johary xxxxxxxxxx com"}, Message:"Automatic merge from master -> develop"}
I0203 14:24:58.598255 1 docker.go:224] Image openshift/php-55-centos7 sha256:2efdf864cdff3795138d0bae5c9a198dc6b8cf0815ed845a99ef372021bbb8c3 available locally
I0203 14:24:58.598279 1 docker.go:344] Image contains io.openshift.s2i.scripts-url set to 'image:///usr/libexec/s2i'
I0203 14:24:58.598308 1 download.go:57] Using image internal scripts from: image:///usr/libexec/s2i/assemble
I0203 14:24:58.598319 1 download.go:57] Using image internal scripts from: image:///usr/libexec/s2i/run
I0203 14:24:58.600501 1 docker.go:224] Image openshift/php-55-centos7 sha256:2efdf864cdff3795138d0bae5c9a198dc6b8cf0815ed845a99ef372021bbb8c3 available locally
I0203 14:24:58.600513 1 docker.go:344] Image contains io.openshift.s2i.scripts-url set to 'image:///usr/libexec/s2i'
I0203 14:24:58.600532 1 download.go:57] Using image internal scripts from: image:///usr/libexec/s2i/save-artifacts
I0203 14:24:58.600543 1 sti.go:221] Using assemble from image:///usr/libexec/s2i
I0203 14:24:58.600550 1 sti.go:221] Using run from image:///usr/libexec/s2i
I0203 14:24:58.600555 1 sti.go:221] Using save-artifacts from image:///usr/libexec/s2i
I0203 14:24:58.600756 1 ignore.go:58] .s2iignore file does not exist
I0203 14:24:58.600771 1 sti.go:148] Clean build will be performed
I0203 14:24:58.600777 1 sti.go:151] Performing source build from file:///tmp/s2i-build583749303/upload/src
I0203 14:24:58.600782 1 sti.go:164] Running "assemble" in ""
I0203 14:24:58.600795 1 sti.go:412] Using image name openshift/php-55-centos7 sha256:2efdf864cdff3795138d0bae5c9a198dc6b8cf0815ed845a99ef372021bbb8c3
I0203 14:24:58.600805 1 sti.go:416] No .sti/environment provided (no environment file found in application sources)
I0203 14:24:58.601069 1 tar.go:177] Adding to tar: /tmp/s2i-build583749303/upload/src/.bowerrc as src/.bowerrc
I0203 14:24:58.604169 1 docker.go:344] Image contains io.openshift.s2i.scripts-url set to 'image:///usr/libexec/s2i'
I0203 14:24:58.604183 1 docker.go:399] Base directory for STI scripts is '/usr/libexec/s2i'. Untarring destination is '/tmp'.
I0203 14:24:58.604194 1 docker.go:529] Creating container using config: {Hostname: Domainname: User: Memory:0 MemorySwap:0 CPUShares:0 CPUSet: AttachStdin:false AttachStdout:true AttachStderr:false PortSpecs:[] ExposedPorts:map[] Tty:false OpenStdin:true StdinOnce:true Env:[OPENSHIFT_BUILD_NAME=xxxxxxxxxx-xxxxxxxxxx-6 OPENSHIFT_BUILD_NAMESPACE=xxxxxxxxxx OPENSHIFT_BUILD_SOURCE=ssh://git stash xxxxxxxxxx lan:7999/cr/xxxxxxxxxx-xxxxxxxxxx.git BUILD_LOGLEVEL=5] Cmd:[/bin/sh -c tar -C /tmp -xf - && /usr/libexec/s2i/assemble] DNS:[] Image:openshift/php-55-centos7 sha256:2efdf864cdff3795138d0bae5c9a198dc6b8cf0815ed845a99ef372021bbb8c3 Volumes:map[] VolumeDriver: VolumesFrom: WorkingDir: MacAddress: Entrypoint:[] NetworkDisabled:false SecurityOpts:[] OnBuild:[] Mounts:[] Labels:map[]}
I0203 14:24:58.800445 1 docker.go:543] Attaching to container
I0203 14:24:58.801636 1 docker.go:549] Starting container
I0203 14:25:01.784555 1 sti.go:492] ---> Installing application source...
I0203 14:25:01.933378 1 sti.go:492] Found 'composer.json', installing dependencies using composer.phar...
I0203 14:25:08.812637 1 sti.go:492] All settings correct for using Composer
I0203 14:25:08.815421 1 sti.go:492] Downloading...
I0203 14:25:10.314763 1 sti.go:492]
I0203 14:25:10.314782 1 sti.go:492] Composer successfully installed to: /opt/app-root/src/composer.phar
I0203 14:25:10.314788 1 sti.go:492] Use it: php composer.phar
E0203 14:25:10.471708 1 util.go:91] Loading composer repositories with package information
E0203 14:25:10.471807 1 util.go:91] Installing dependencies (including require-dev) from lock file
E0203 14:25:10.523105 1 util.go:91] - Installing twig/twig (v1.18.1)
E0203 14:25:10.523559 1 util.go:91] Downloading
* Here it didn't use any ssh-key.
E0203 14:25:15.074480 1 util.go:91] [RuntimeException]
E0203 14:25:15.074494 1 util.go:91] Failed to execute git clone --no-checkout 'ssh://git stash xxxxxxxxxx lan:7999/components/doctrine-migrations.git' '/opt/app-root/src/vendor/doctrine/migrations' && cd '/opt/app-root/src/vendor/doctrine/migrations' && git remote add composer 'ssh://git stash xxxxxxxxxx lan:7999/components/doctrine-migrations.git' && git fetch composer
E0203 14:25:15.074500 1 util.go:91] Host key verification failed.
E0203 14:25:15.074504 1 util.go:91] fatal: Could not read from remote repository.
E0203 14:25:15.074509 1 util.go:91] Please make sure you have the correct access rights
E0203 14:25:15.074514 1 util.go:91] and the repository exists.
E0203 14:25:15.074518 1 util.go:91]
E0203 14:25:15.074526 1 util.go:91]
E0203 14:25:15.074530 1 util.go:91] install [--prefer-source] [--prefer-dist] [--dry-run] [--dev] [--no-dev] [--no-plugins] [--no-custom-installers] [--no-autoloader] [--no-scripts] [--no-progress] [-v|vv|vvv|--verbose] [-o|--optimize-autoloader] [-a|--classmap-authoritative] [--ignore-platform-reqs] [--] [<packages>]...
E0203 14:25:15.074535 1 util.go:91]
I0203 14:25:15.288977 1 docker.go:481] Container wait returns with 1 and <nil>

Normally composer uses the ssh-key from $HOME/.ssh to install private repos, but here I don't understand the mechanism. I just want to use the same ssh-key as at the beginning, during the build.

You can try it by adding this to your composer.json:
    "require": {
        "vendor/my-private-repo": "dev-master"
    },
    "repositories": [
        {
            "type": "vcs",
            "url":  "git@bitbucket.org:vendor/my-private-repo.git"
        }
    ]

On 2 February 2016 at 15:45, Ben Parees <bparees redhat com> wrote:

I thought you had a custom s2i builder image, but it looks like you're just using our image.  Our image (and the assemble script it includes) is not going to pass any credential secrets when invoking composer.  Are you providing a custom assemble script in your source repo that invokes composer directly?  If so, how are you intending to tell composer about the ssh credentials?

It might also help if you provide build logs with level 5 tracing enabled:


On Tue, Feb 2, 2016 at 5:19 PM, Johary RAVELONJATOVO <johary icloud com> wrote:
I saw the doc today and tried to use it but my origin was not up to date :p.

I tried it once I updated Origin (there are a lot of changes) but I still have the same issue.

Here is my build config secret part:

The "scmsecret" is my secret test key from ssh-key. Is there something that I'm doing wrong? 


On 2 February 2016 at 12:29, Ben Parees <bparees redhat com> wrote:

We've just added a feature which allows you to inject secrets into the build process so they are available during the "assemble" invocation, which sounds like what you need.  You'll need to be on the latest origin (the code just dropped in the last week or so), here are the docs:


Once you set up the build to inject your secret value, you can modify your assemble script to use it when invoking composer.

On Tue, Feb 2, 2016 at 3:07 PM, Johary RAVELONJATOVO <johary icloud com> wrote:
Hi everyone,

I am currently trying to deploy a Symfony 2 project with OpenShift Origin. The source code of my project is in a private repository and I have created a secret with my ssh key to access it, "private-repo-secret". With that I have no problem accessing the source code with OpenShift Origin.
After that I created a custom STI image, which detects if there's a composer.json in the project and, if so, launches the "composer install" command.

I made some tests and it works. It detects the composer.json and after that it launches the "composer install" command.

The problem is that when it runs "composer install", it works with public dependencies but not with private ones. I got an issue with the ssh key because it needs the "private-repo-secrets" during the build with "composer install".

users mailing list
users lists openshift redhat com

Ben Parees | OpenShift
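Added example (not part of the original thread, and not OpenShift's own assemble script): a helper that a custom assemble script could call before "composer install" to make an injected build secret usable by ssh, and to pin the git server's host key so the "Host key verification failed" error in the log above is resolved without turning host key checking off. The function names, the build_key file name, and the host, port and host-key values passed in are assumptions for illustration.

```shell
#!/bin/sh
# Added example: helpers for a custom s2i "assemble" script.
# Assumed inputs: secret_dir is the build secret's destinationDir, key_name the
# key inside the secret (e.g. ssh-privatekey), git_host/git_port the private
# git server, host_key_line a known_hosts entry obtained out of band. For a
# non-default port the entry uses the "[host]:port" form seen in the log.
setup_build_ssh() {
    secret_dir=$1; key_name=$2; git_host=$3; git_port=$4; host_key_line=$5
    ssh_dir="$HOME/.ssh"

    # Fail early with a clear message if the secret was not injected.
    if [ ! -s "$secret_dir/$key_name" ]; then
        echo "build secret $secret_dir/$key_name is missing or empty" >&2
        return 1
    fi

    (umask 077 && mkdir -p "$ssh_dir") || return 1
    chmod 700 "$ssh_dir"

    # ssh refuses private keys readable by group/other, so keep a 0600 copy.
    (umask 077 && cp "$secret_dir/$key_name" "$ssh_dir/build_key") || return 1
    chmod 600 "$ssh_dir/build_key"

    # Pin the server's host key instead of disabling verification.
    printf '%s\n' "$host_key_line" > "$ssh_dir/known_hosts"

    # An ssh config file works with any git version, unlike GIT_SSH_COMMAND.
    cat > "$ssh_dir/config" <<EOF
Host $git_host
    Port $git_port
    IdentityFile $ssh_dir/build_key
    IdentitiesOnly yes
    UserKnownHostsFile $ssh_dir/known_hosts
    StrictHostKeyChecking yes
EOF
    chmod 600 "$ssh_dir/config" "$ssh_dir/known_hosts"
}

# The assemble container is committed as the application image, so remove the
# key copy once dependencies are installed.
cleanup_build_ssh() {
    rm -f "$HOME/.ssh/build_key" "$HOME/.ssh/config"
}

# In assemble (illustrative):
#   setup_build_ssh /path/to/secret ssh-privatekey "$host" "$port" "$hostkey" \
#     && php composer.phar install; rc=$?; cleanup_build_ssh; exit $rc
```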

