[users at bb.net] Using SSH keys with GitPoller and Git step?

Pierre Tardy tardyp at gmail.com
Mon Mar 13 15:59:27 UTC 2017


Hi Chris,

Automatic *provisioning* of ssh keys is not yet supported in buildbot, but
this does not mean buildbot does not support ssh keys.
Buildbot is not doing anything magic here. It is just using the
configuration of the user that is running the buildbot-worker program.

You should first try to do the git clone manually with your buildbot user,
and make sure that user is able to clone the repository.

Here your problem is "Host key verification failed." This is a common
problem with automating ssh. Whenever ssh encounters a new host, it
will ask a human to accept its key. Here, as buildbot is not human, it will
just fail.
If you run the git clone manually, it will ask you to verify the host key,
and then remember that choice, so any further automated connection will
work.

Pierre

On Mon, Mar 13, 2017 at 16:50, Chris Spencer <chrisspen at gmail.com> wrote:

> I've done that, but Buildbot is giving me the following error:
>
>     git fetch -t git at bitbucket.org:myproject/myproject.git branch1
>      in dir
> /usr/local/myproject/src/buildbot/worker/myproject_runtests/build (timeout
> 1200 secs)
>      watching logfiles {}
>      argv: ['git', 'fetch', '-t', 'git at bitbucket.org:myproject/myproject.git',
> 'branch1']
>      environment:
>       HOME=/home/ubuntu
>       LANG=en_US.UTF-8
>       LOGNAME=buildbot
>       MAIL=/var/mail/buildbot
>       OLDPWD=/home/ubuntu
>       PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
>       PWD=/usr/local/myproject/src/buildbot/worker/myproject_runtests/build
>       SHELL=/bin/bash
>       SHLVL=1
>       SUDO_COMMAND=/bin/bash -c cd /usr/local/myproject/src/buildbot;
> /usr/local/myproject/.env/bin/buildbot-worker restart worker
>       SUDO_GID=1000
>       SUDO_UID=1000
>       SUDO_USER=ubuntu
>       TERM=vt100
>       USER=buildbot
>       USERNAME=buildbot
>       _=/usr/local/myproject/.env/bin/buildbot-worker
>      using PTY: False
>     Host key verification failed.
>     fatal: Could not read from remote repository.
>
> Presumably, the problem is that Buildbot is using /home/ubuntu for HOME
> instead of /var/lib/buildbot. However, Buildbot is running as the buildbot
> user, so I'm unsure why it would be using the ubuntu user's home directory.
> How do I fix this?
>
> On Mon, Mar 13, 2017 at 11:41 AM, Bob Drummond <bob.drummond at netronome.com
> > wrote:
>
> Assuming /var/lib/buildbot is the home directory of your buildbot
> worker/slave user, yes, that's all you should have to do. If you can log in
> interactively as the buildbot user and SSH without a password, you should
> be set. I've found the "ssh -v" flag is useful in debugging what key is
> actually being used.
>
> Bob Drummond
> Software Engineer
>
>
> Netronome | 3159 Unionville Road, Suite 100 Cranberry Twp., PA 16066
>
> Phone: +1 (724) 778-3295 |  www.netronome.com
>
> On Mar 13, 2017 11:08, "Chris Spencer" <chrisspen at gmail.com> wrote:
>
> My preference would be to use SSH keys. However, since there's no official
> documentation explaining how to use them with Buildbot, and these replies
> have mentioned a lot of caveats, I was acting as though SSH keys are
> officially not supported.
>
> I posted this question to SO over a year ago, and the only reply I
> received was essentially "just use a username and password".
>
> How do I configure Buildbot to use SSH keys? I only have a single slave
> running on the same server as master, so can I simply upload my custom SSH
> key to /var/lib/buildbot/.ssh/mykey.pem or do I need to update something in
> my tac or cfg files?
>
> On Mon, Mar 6, 2017 at 2:47 PM, Pierre Tardy <tardyp at gmail.com> wrote:
>
> It is not implemented because people are supposed to use SSH keys. Is
> there a reason why you can't use SSH keys ?
>
> Buildbot has capabilities to redact passwords from commands. It's used, I
> think, in svn.
>
> On Mon, Mar 6, 2017 at 20:32, Chris Spencer <chrisspen at gmail.com> wrote:
>
> Is there any way to suppress the output of the Git step (
> http://docs.buildbot.net/latest/manual/cfg-buildsteps.html#step-Git), so
> my password isn't visible in the logs? It doesn't appear to accept any type
> of "gitbin" option.
>
> On Thu, Mar 2, 2017 at 6:42 PM, Will Rosecrans <wrosecrans at gmail.com>
> wrote:
>
> As far as I know, the GitPoller doesn't directly support that.  I have
> mostly used salt to set up the buildslave machine, and included ssh and git
> config as part of the buildslave's system config rather than the buildbot
> config.  If you are using GitHub, it's also easy to set up token passwords
> on an account and use that for service work.  It uses a password rather
> than an actual key, but the password is a long string of gibberish, and you
> can use the token as a sub account, with different permissions for the
> tokens and the ability to revoke them individually.
>
> You can also set the GitPoller's gitbin to point to a script that runs git
> with whatever key setup you like, and have buildbot just invoke that script.
>
>
> On Wed, Mar 1, 2017 at 5:18 PM, Chris Spencer <chrisspen at gmail.com> wrote:
>
> How do you specify the ssh key to use with the Gitpoller and Git step
> classes?
>
> I'm currently hard-coding my username/password in the repourl, and I'd
> like to move away from that for security reasons. However, even after
> reading the docs and looking at the source, I can see no obvious way to
> specify the pem key file to checkout and fetch via ssh.
>
> _______________________________________________
> users mailing list
> users at buildbot.net
> https://lists.buildbot.net/mailman/listinfo/users
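
An added example, not code from this thread or from Buildbot: a Python check of whether the worker account's known_hosts already holds an entry for the Git host, which is the condition behind "Host key verification failed." in a non-interactive run. It reads only the per-user file under the account's passwd home directory and does not contact the server or compare the key it presents; the function names and the sample entries are constructed for illustration.

```python
import base64, hashlib, hmac, os, pwd, re, sys

def hash_host(host, salt):
    """HashKnownHosts field: |1|b64(salt)|b64(HMAC-SHA1(key=salt, msg=host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def field_matches(field, host):
    """True if a known_hosts host field (hashed, or comma-separated patterns) covers host."""
    if field.startswith("|1|"):
        parts = field.split("|")
        return len(parts) == 4 and hmac.compare_digest(
            field, hash_host(host, base64.b64decode(parts[2])))
    def glob(p):  # patterns support only '*' and '?'
        rx = re.escape(p.lower()).replace(r"\*", ".*").replace(r"\?", ".")
        return re.fullmatch(rx, host.lower()) is not None
    pats = field.split(",")
    if any(glob(p[1:]) for p in pats if p.startswith("!")):
        return False
    return any(glob(p) for p in pats if not p.startswith("!"))

def verdict(known_hosts_text, host):
    """'known', 'revoked' or 'unknown'; 'unknown' means ssh would have to ask a human."""
    result = "unknown"
    for line in known_hosts_text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        marker = parts.pop(0) if parts[0].startswith("@") else ""
        if len(parts) < 3 or not field_matches(parts[0], host):
            continue
        if marker == "@revoked":
            return "revoked"
        if marker == "":  # @cert-authority lines do not pin a host key by themselves
            result = "known"
    return result

# Constructed sample, not real keys: a hashed entry and a revoked wildcard entry.
SAMPLE = "\n".join([
    hash_host("bitbucket.org", b"constructed-salt") + " ssh-ed25519 CONSTRUCTEDKEY1",
    "@revoked *.example.test ssh-rsa CONSTRUCTEDKEY2",
])

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "bitbucket.org"
    pw = pwd.getpwuid(os.getuid())  # OpenSSH takes ~ from the passwd entry, not $HOME
    path = os.path.join(pw.pw_dir, ".ssh", "known_hosts")
    text = open(path).read() if os.path.exists(path) else ""
    print("user=%s passwd_home=%s HOME=%s" % (pw.pw_name, pw.pw_dir, os.environ.get("HOME")))
    print("%s in %s: %s" % (host, path, verdict(text, host)))
```

Run it as the same user that runs buildbot-worker, passing the Git host name as the first argument.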