Verify scanned keys in same build step as scan #1908

Merged
merged 1 commit into from Apr 8, 2019


squaremo commented Apr 8, 2019

ssh-keyscan can get keys which then fail verification (e.g., if it misses out a host for some reason), but nonetheless Docker will cache the intermediate image, which will cause subsequent builds to fail. This is a pain to recover from.

This commit changes the Dockerfiles such that the verification is done in the same step as the keyscan -- so if it fails, the intermediate image won't be cached, and subsequent builds will do the keyscan again.

ssh-keyscan can get keys which then fail verification (e.g., if it
misses out a host for some reason), but nonetheless cache the
intermediate image, which will cause subsequent builds to fail. This
is a pain to recover from.

This commit changes the Dockerfiles such that the verification is done
in the same step as the keyscan -- so if it fails, the intermediate
image won't be cached, and subsequent builds will do the keyscan again.

2opremio commented Apr 8, 2019

> ssh-keyscan can get keys which then fail verification

I wonder why ssh-keyscan doesn't exit with non-zero when that happens. It seems to be by design.

@squaremo squaremo merged commit c32e28b into master Apr 8, 2019
4 checks passed
@squaremo squaremo deleted the build/fail-on-bad-keyscan branch Apr 8, 2019
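
The pattern this pull request describes, as an added example that is not the project's own Dockerfile: the scan and the fingerprint check share one `RUN`, so a failed check leaves no cached layer behind. The base image, host names, file paths and the `expected_fingerprints` file are assumptions made for illustration.

```dockerfile
# Added example; not taken from the project's Dockerfiles.
FROM debian:bookworm-slim
RUN apt-get update \
 && apt-get install -y --no-install-recommends openssh-client \
 && rm -rf /var/lib/apt/lists/*

# Hypothetical pin file, one "<host> <fingerprint>" pair per line, with the
# fingerprints obtained out of band from each provider, for example:
#   github.com SHA256:<placeholder-fingerprint>
#   gitlab.com SHA256:<placeholder-fingerprint>
COPY expected_fingerprints /tmp/expected_fingerprints

# Fragile layout (kept as comments for comparison):
#   RUN ssh-keyscan github.com gitlab.com > /etc/ssh/ssh_known_hosts
#   RUN <verify /etc/ssh/ssh_known_hosts against the pins>
# ssh-keyscan can exit 0 even when it missed a host, so the first layer is
# cached with an incomplete file and the second RUN then fails on every
# rebuild until the cache is cleared by hand.

# Combined layout: if any pinned host is missing or has a different key,
# the whole RUN fails, nothing is cached, and the next build scans again.
RUN set -eu; \
    ssh-keyscan -t ed25519 github.com gitlab.com > /etc/ssh/ssh_known_hosts; \
    while read -r host fp; do \
      ssh-keygen -l -E sha256 -F "$host" -f /etc/ssh/ssh_known_hosts \
        | grep -qF "$fp" \
        || { echo "missing or unexpected host key for $host" >&2; exit 1; }; \
    done < /tmp/expected_fingerprints
```

Looping over the pin file rather than over the scan output is what catches the "missed a host" case: a host absent from the scan produces no fingerprint line, so the `grep` fails and the build stops.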