
Retry SSH keyscan command #1971

Merged
merged 5 commits into from
Apr 24, 2019
4 changes: 2 additions & 2 deletions Makefile
Expand Up @@ -69,8 +69,8 @@ build/.%.done: docker/Dockerfile.%
-f build/docker/$*/Dockerfile.$* ./build/docker/$*
touch $@

build/.flux.done: build/fluxd build/kubectl docker/ssh_config docker/kubeconfig docker/verify_known_hosts.sh docker/known_hosts.sh
build/.helm-operator.done: build/helm-operator build/kubectl build/helm docker/ssh_config docker/verify_known_hosts.sh docker/known_hosts.sh docker/helm-repositories.yaml
build/.flux.done: build/fluxd build/kubectl docker/ssh_config docker/kubeconfig docker/known_hosts.sh
build/.helm-operator.done: build/helm-operator build/kubectl build/helm docker/ssh_config docker/known_hosts.sh docker/helm-repositories.yaml

build/fluxd: $(FLUXD_DEPS)
build/fluxd: cmd/fluxd/*.go
2 changes: 0 additions & 2 deletions docker/Dockerfile.flux
Expand Up @@ -6,10 +6,8 @@ RUN apk add --no-cache openssh ca-certificates tini 'git>=2.3.0' gnupg

# Add git hosts to known hosts file so we can use
# StrickHostKeyChecking with git+ssh
ADD ./verify_known_hosts.sh /home/flux/verify_known_hosts.sh
ADD ./known_hosts.sh /home/flux/known_hosts.sh
RUN sh /home/flux/known_hosts.sh /etc/ssh/ssh_known_hosts && \
rm /home/flux/verify_known_hosts.sh && \
rm /home/flux/known_hosts.sh

# Add default SSH config, which points at the private key we'll mount
2 changes: 0 additions & 2 deletions docker/Dockerfile.helm-operator
Expand Up @@ -6,10 +6,8 @@ RUN apk add --no-cache openssh ca-certificates tini 'git>=2.3.0'

# Add git hosts to known hosts file so we can use
# StrickHostKeyChecking with git+ssh
ADD ./verify_known_hosts.sh /home/flux/verify_known_hosts.sh
ADD ./known_hosts.sh /home/flux/known_hosts.sh
RUN sh /home/flux/known_hosts.sh /etc/ssh/ssh_known_hosts && \
rm /home/flux/verify_known_hosts.sh && \
rm /home/flux/known_hosts.sh

# Add default SSH config, which points at the private key we'll mount
44 changes: 40 additions & 4 deletions docker/known_hosts.sh
Expand Up @@ -4,17 +4,53 @@ set -eu

known_hosts_file=${1}
known_hosts_file=${known_hosts_file:-/etc/ssh/ssh_known_hosts}
hosts="github.com gitlab.com bitbucket.org ssh.dev.azure.com vs-ssh.visualstudio.com"

retries=10
count=0
ok=false
wait=2
until ${ok}; do
ssh-keyscan github.com gitlab.com bitbucket.org ssh.dev.azure.com vs-ssh.visualstudio.com >> ${known_hosts_file} && \
sh /home/flux/verify_known_hosts.sh ${known_hosts_file} && ok=true || ok=false
sleep 2
ssh-keyscan ${hosts} > ${known_hosts_file} && ok=true || ok=false
sleep ${wait}
count=$(($count + 1))
if [[ ${count} -eq ${retries} ]]; then
echo "No more retries left"
echo "ssh-keyscan failed, no more retries left"
exit 1
fi
done

# The heredoc below was generated by constructing a known_hosts using
#
# ssh-keyscan github.com gitlab.com bitbucket.org ssh.dev.azure.com vs-ssh.visualstudio.com > ./known_hosts
#
# then generating the sorted fingerprints with
#
# ssh-keygen -l -f ./known_hosts | LC_ALL=C sort
#
# then checking against the published fingerprints from:
# - github.com: https://help.github.com/articles/github-s-ssh-key-fingerprints/
# - gitlab.com: https://docs.gitlab.com/ee/user/gitlab_com/#ssh-host-keys-fingerprints
# - bitbucket.org: https://confluence.atlassian.com/bitbucket/ssh-keys-935365775.html
# - ssh.dev.azure.com & vs-ssh.visualstudio.com: sign in, then go to User settings -> SSH Public Keys
# (this is where the public key fingerprint is shown; it's not a setting)

fingerprints=$(mktemp -t)
cleanup() {
rm -f "$fingerprints"
}
trap cleanup EXIT

# make sure sorting is in the same locale as the heredoc
export LC_ALL=C
ssh-keygen -l -f ${known_hosts_file} | sort > "$fingerprints"

diff - "$fingerprints" <<EOF
2048 SHA256:ROQFvPThGrW4RuWLoL9tq9I9zJ42fK4XywyRtbOz/EQ gitlab.com (RSA)
2048 SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8 github.com (RSA)
2048 SHA256:ohD8VZEXGWo6Ez8GSEJQ9WpafgLFsOfLOtGGQCQo6Og ssh.dev.azure.com (RSA)
2048 SHA256:ohD8VZEXGWo6Ez8GSEJQ9WpafgLFsOfLOtGGQCQo6Og vs-ssh.visualstudio.com (RSA)
2048 SHA256:zzXQOXSRBEiUtuE8AikJYKwbHaxvSc0ojez9YXaGp1A bitbucket.org (RSA)
256 SHA256:HbW3g8zUjNSksFbqTiUWPWg2Bq1x8xdGUrliXFzSnUw gitlab.com (ECDSA)
256 SHA256:eUXGGm1YGsMAS7vkcx6JOJdOGHPem5gQp4taiCfCLB8 gitlab.com (ED25519)
EOF
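Review bot: The fingerprint check at `diff - "$fingerprints" <<EOF` runs only once, after the retry loop has already declared success on `ssh-keyscan`'s exit status, so a scan that returns 0 with an incomplete key set (one host timing out — ssh-keyscan, as far as I can tell, just reports unreachable hosts on stderr) leaves the loop on the first attempt and then aborts the build at the diff with no retry, which is the transient failure this PR is meant to tolerate; the removed `sh /home/flux/verify_known_hosts.sh` call sat inside the loop. I would move the `ssh-keygen -l` / `diff` step into a function and make it part of the loop's success condition, hoisting the `fingerprints=$(mktemp -t)`, `trap cleanup EXIT` and `export LC_ALL=C` lines above the loop (the heredoc body itself is unchanged). A partial or tampered scan is then retried like a failed one, and the pinned-fingerprint comparison remains the gate for what ends up in the image's `ssh_known_hosts`. As a minor point, `sleep ${wait}` also runs after a successful scan; moving it into the failure branch saves a couple of seconds per build.
```shell
# Compare the fingerprints of the scanned keys against the pinned list.
# Non-zero (with the diff printed) on any mismatch, so the caller treats a
# partial or tampered scan exactly like a failed one and retries.
verify_fingerprints() {
    ssh-keygen -l -f "${known_hosts_file}" | sort > "$fingerprints"
    diff - "$fingerprints" <<EOF
# … unchanged: the seven pinned fingerprint lines …
EOF
}

until ${ok}; do
    if ssh-keyscan ${hosts} > "${known_hosts_file}" && verify_fingerprints; then
        ok=true
    else
        ok=false
        sleep ${wait}
    fi
    # … unchanged: retry counter and exit when retries are exhausted …
done
```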
41 changes: 0 additions & 41 deletions docker/verify_known_hosts.sh

This file was deleted.