secret hosts aren't possible #7043

Closed
rgetz opened this Issue Dec 16, 2016 · 13 comments

rgetz commented Dec 16, 2016

I tried doing something like this (which I agree isn't necessary - but I thought it was better not to broadcast machine names I don't admin):

addons:
  ssh_known_hosts:
    secure: "..."

but the log shows:

Adding ssh known hosts (BETA)
0.29s$ ssh-keyscan -t $TRAVIS_SSH_KEY_TYPES -H <plaintext_hostname> 2>&1 | tee -a $HOME/.ssh/known_hosts
# <plaintext_hostname> SSH-1.99-Server-VIII-hpn14v2
# <plaintext_hostname> SSH-1.99-Server-VIII-hpn14v2
no hostkey alg
# <plaintext_hostname> SSH-1.99-Server-VIII-hpn14v2

Which again - for me isn't a huge deal - I just thought you might like to know.

-Robin

sunyang713 commented May 6, 2017

+1, I'd like to use a repository environment variable $DEPLOY_HOST, but for some reason it's automatically escaped into \$DEPLOY_HOST.

travis file:

. . .
addons:
  ssh_known_hosts: $DEPLOY_HOST
. . .

And the resulting travis build log:

. . .
$ ssh-keyscan -t $TRAVIS_SSH_KEY_TYPES -H \$DEPLOY_HOST 2>&1 | tee -a $HOME/.ssh/known_hosts
getaddrinfo $DEPLOY_HOST: Name or service not known
. . .

Putting quotes around $DEPLOY_HOST in the .travis.yml, i.e. "$DEPLOY_HOST" doesn't work either.

slifty commented Jul 17, 2017

Just wanted to note that I faced the exact same problem / use case as @sunyang713.
I'd love to be able to have encrypted host names.

Author

rgetz commented Jul 17, 2017

@slifty & @sunyang713 : you can have a look at the travis file I use.

https://github.com/analogdevicesinc/libiio/blob/master/.travis.yml#L60

but like I stated in the original description - this doesn't really help. Looking in the log on travis will tell you what the host is...

-Robin

Member

BanzaiMan commented Sep 9, 2017

This addon needs to be applied before we disable sudo (because it modifies /etc/hosts), but, for security reasons, we do not export environment variables (including secrets) until sudo is disabled.

sunyang713 commented Sep 9, 2017

@BanzaiMan from what I've found, this is the only command that is executed regarding adding the known host:

- ssh-keyscan -t $TRAVIS_SSH_KEY_TYPES -H $DEPLOY_HOST 2>&1 | tee -a $HOME/.ssh/known_hosts

In my current project, I've added that line manually in the before_deploy step, and it works fine. Seems like the add on doesn't need sudo, unless sudo is reenabled for that step.

Member

BanzaiMan commented Sep 9, 2017

You might be right. I may have confused this with hosts.

Member

BanzaiMan commented Sep 9, 2017

Ah, right. ssh_known_hosts's main use case is checking out dependencies. This must happen before git clone, which must happen before disabling sudo.

sunyang713 commented Sep 13, 2017

@BanzaiMan Okay. Is there a way to solve for both the main use case and our use case? I think the use case in this issue is legitimate, because often you'll need to add deploy hosts secretly to the configuration.

Member

BanzaiMan commented Sep 13, 2017

@sunyang713
In your case, I think you can just set the secret $DEPLOY_HOST (either in Settings or in .travis.yml) and add:

before_deploy: # or anywhere before the secret ssh host is needed
  - ssh-keyscan -t $TRAVIS_SSH_KEY_TYPES -H $DEPLOY_HOST 2>&1 | tee -a $HOME/.ssh/known_hosts

Author

rgetz commented Sep 13, 2017

The issue I reported wasn't exposing it in the yaml file - but in the log file (when the shell var is set, and captured). Is that going to be resolved?

Member

BanzaiMan commented Sep 14, 2017

@rgetz The work will have to be prioritized, but I cannot say when that may happen.

You can add the host key with the secret as I mentioned above. If you need this host to check out code, you would also need to take some extra steps to check out the code, too.
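
Added example (not part of the thread and not Travis CI's own code): a shell helper for the `before_deploy` workaround that keeps host-identifying output out of the build log. In the logs quoted above, the `# <plaintext_hostname> SSH-...` lines are ssh-keyscan's stderr banner, which `2>&1 | tee -a` copies into both the log and `known_hosts`. The function names are hypothetical; `DEPLOY_HOST` is the secret variable from the comments above.

```shell
#!/bin/sh
# Added example; function names are assumptions, not a Travis CI API.

# Read ssh-keyscan output on stdin, keep only hashed entries
# ("|1|salt|hash keytype base64key", the format produced by -H),
# append them to the file named in $1, and print only a count.
append_hashed_keys() {
    known_hosts=$1
    entries=$(grep -E '^\|1\|[A-Za-z0-9+/=]+\|[A-Za-z0-9+/=]+ [a-z0-9@.-]+ [A-Za-z0-9+/=]+$' || true)
    if [ -z "$entries" ]; then
        # Fail the build step instead of continuing with no pinned key.
        echo "no host keys collected" >&2
        return 1
    fi
    printf '%s\n' "$entries" >> "$known_hosts"
    printf '%s\n' "$entries" | wc -l | tr -d ' '
}

# Scan the secret host without echoing anything host-specific:
#  - stderr (the "# host SSH-..." banner lines) is discarded, not merged via 2>&1
#  - stdout goes to the filter above instead of tee, so nothing is printed
#    to the log except the number of keys added
# Key types are left at ssh-keyscan's defaults here.
add_secret_host() {
    mkdir -p "$HOME/.ssh"
    ssh-keyscan -T 10 -H "$1" 2>/dev/null | append_hashed_keys "$HOME/.ssh/known_hosts"
}

# In .travis.yml (before_deploy), after sourcing this file:
#   add_secret_host "$DEPLOY_HOST"
```
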

poligarcia added a commit to datosgobar/series-tiempo-ar-api that referenced this issue Jan 2, 2018


stale bot commented Apr 13, 2018

Thanks for contributing to this issue. As it has been 90 days since the last activity, we are automatically closing the issue. This is often because the request was already solved in some way and it just wasn't updated or it's no longer applicable. If that's not the case, please do feel free to either reopen this issue or open a new one. We'll gladly take a look again! You can read more here: https://blog.travis-ci.com/2018-03-09-closing-old-issues

@stale stale bot added the stale label Apr 13, 2018

@stale stale bot closed this Apr 16, 2018


tnguyen14 commented Jun 3, 2018

can this be reopened?

ozyx added a commit to CSUF-ACM/acmwebsite that referenced this issue Jan 25, 2019