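ssh - ssh cannot connect but scp works in gitlab-ci
Problem description
I am using GitLab secrets to pass the SSH private key so that it can connect to the remote server. scp works fine, but running ssh does not.
When the GitLab pipeline runs and tries to execute ssh, I can even see the ssh logs on the server.
Here is the output of the gitlab-pipeline: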
ssh -i /root/.ssh/id_rsa -vvv root@$DEPLOYMENT_SERVER_IP "docker login -u ${CI_REGISTRY_USER} -p ${CI_REGISTRY_PASSWORD} ${CI_REGISTRY};"
OpenSSH_7.6p1 Ubuntu-4ubuntu0.3, OpenSSL 1.0.2n 7 Dec 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: resolving "157.245.xxx.xxx" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to 157.245.xxx.xxx [157.245.xxx.xxx] port 22.
debug1: connect to address 157.245.xxx.xxx port 22: Connection refused
ssh: connect to host 157.245.xxx.xxx port 22: Connection refused
Here is my failing GitLab pipeline:
deploy_production:
  stage: deploy
  image: python:3.6-alpine
  before_script:
    - 'which ssh-agent || ( apk update && apk add openssh-client)'
    - eval "$(ssh-agent -s)"
    - mkdir -p ~/.ssh
    - chmod 700 ~/.ssh
    - echo "$DEPLOY_SERVER_PRIVATE_KEY" | tr -d '\r' > ~/.ssh/id_rsa
    - chmod 600 ~/.ssh/id_rsa
    - ssh-add ~/.ssh/id_rsa
    - apk add gcc musl-dev libffi-dev openssl-dev iputils
    - ssh-keyscan $DEPLOYMENT_SERVER_IP >> ~/.ssh/known_hosts
    - chmod 644 ~/.ssh/known_hosts
  script:
    - scp -r ./docker-compose.yml root@${DEPLOYMENT_SERVER_IP}:~/
    - scp -r ./env/production/docker-compose.yml root@${DEPLOYMENT_SERVER_IP}:~/docker-compose-prod.yml
    - ssh -i /root/.ssh/id_rsa -vvv root@$DEPLOYMENT_SERVER_IP "docker login -u ${CI_REGISTRY_USER} -p ${CI_REGISTRY_PASSWORD} ${CI_REGISTRY};"
  environment: production
  only:
    - "master"
sshd authentication log:
sshd[27552]: Connection closed by 35.231.235.202 port 53870 [preauth]
sshd[27554]: Connection closed by 35.231.235.202 port 53872 [preauth]
sshd[27553]: Connection closed by 35.231.235.202 port 53874 [preauth]
sshd[27558]: Accepted publickey for root from 35.231.235.202 port 53876 ssh2: RSA SHA256:bS8IsyG4kyKcTtfrW+h4kw1JXbBSQfO6Jk6X/JKL1CU
sshd[27558]: pam_unix(sshd:session): session opened for user root by (uid=0)
systemd-logind[945]: New session 649 of user root.
sshd[27558]: Received disconnect from 35.231.235.202 port 53876:11: disconnected by user
sshd[27558]: Disconnected from user root 35.231.235.202 port 53876
sshd[27558]: pam_unix(sshd:session): session closed for user root
systemd-logind[945]: Removed session 649.
sshd[27560]: Received disconnect from 222.186.15.160 port 64316:11: [preauth]
sshd[27560]: Disconnected from authenticating user root 222.186.15.160 port 64316 [preauth]
sshd[27685]: Accepted publickey for root from 35.231.235.202 port 53878 ssh2: RSA SHA256:bS8IsyG4kyKcTtfrW+h4kw1JXbBSQfO6Jk6X/JKL1CU
sshd[27685]: pam_unix(sshd:session): session opened for user root by (uid=0)
systemd-logind[945]: New session 650 of user root.
sshd[27685]: Received disconnect ected by user
sshd[27685]: Disconnected from user root 35.231.235.202 port 53878
sshd[27685]: pam_unix(sshd:session): session closed for user root
systemd-logind[945]: Removed session 650.
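Solution
Finally figured out why this happens. I found that the problem was the ufw firewall rule for ssh on my server. It is rate limited, and because my gitlab-pipeline runs scp 2 times and then ssh, this probably happens too fast and the server refuses the connection.
It works outside the GitLab pipeline because doing it manually is slow.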
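An added example, not part of the original answer: a simplified Python model of the documented `ufw limit` rule (deny a source address that has initiated 6 or more connections in the last 30 seconds), applied to the sequence of connections this job opens. The timeline, the labels and the assumption that `ssh-keyscan` opens three connections are constructed for illustration, and the multiplexed variant assumes the scp and ssh steps share one TCP connection (for example via OpenSSH `ControlMaster`).

```python
from collections import deque

# Documented `ufw limit` behaviour (ufw man page): deny a source address that
# has initiated 6 or more connections in the last 30 seconds.
WINDOW_SECONDS = 30
HITCOUNT = 6


def limit_verdicts(attempts, window=WINDOW_SECONDS, hitcount=HITCOUNT):
    """Return (time, label, verdict) per new TCP connection from ONE source IP.

    Simplified model (an assumption, not the exact netfilter logic): every
    attempt is recorded, allowed or not, and an attempt is rejected when it is
    the hitcount-th or later attempt inside the sliding window.
    """
    recent = deque()
    verdicts = []
    for t, label in sorted(attempts):
        recent.append(t)
        while recent and t - recent[0] >= window:
            recent.popleft()  # forget attempts older than the window
        verdict = "REJECT" if len(recent) >= hitcount else "ALLOW"
        verdicts.append((t, label, verdict))
    return verdicts


def rejected(attempts):
    """Labels of the connections the rate limit would refuse."""
    return [label for _, label, v in limit_verdicts(attempts) if v == "REJECT"]


# Constructed timeline (seconds since job start), not taken from the page's logs.
# Assumption: ssh-keyscan opens one connection per host-key type (three here,
# consistent with the three [preauth] lines), then the job runs scp, scp, ssh.
PIPELINE = [(0.0, "ssh-keyscan #1"), (0.2, "ssh-keyscan #2"),
            (0.4, "ssh-keyscan #3"), (1.0, "scp docker-compose.yml"),
            (2.5, "scp docker-compose-prod.yml"), (4.0, "ssh docker login")]

# Same job with both scp calls and the ssh sharing one TCP connection.
MULTIPLEXED = PIPELINE[:3] + [(1.0, "scp + scp + ssh over one connection")]

# The same six steps typed by hand, ten seconds apart (constructed).
MANUAL = [(i * 10.0, label) for i, (_, label) in enumerate(PIPELINE)]

if __name__ == "__main__":
    for t, label, verdict in limit_verdicts(PIPELINE):
        print(f"{t:5.1f}s  {verdict:6}  {label}")
```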