test-infra: clonerefs: could not create/append to /root/.ssh/known_hosts

What happened:

$ kubectl logs b4e7d8f6-494f-11e9-ad67-00155d19cd6a -c clonerefs
{"component":"clonerefs","error":"could not create/append to /root/.ssh/known_hosts: open /root/.ssh/known_hosts: no such file or directory","level":"error","msg":"failed to add host fingerprints","time":"2019-03-18T07:30:59Z"}

What you expected to happen:

Clonerefs processes SSHHostFingerprints configuration successfully.

How to reproduce it (as minimally and precisely as possible):

Note: This should be reproducible by replacing cbuchacher/testrepo with a public repo, and removing ssh_key_secrets (not ssh_host_fingerprints).

$ kubectl create secret generic prow-github-ssh-key --from-file=ssh-privatekey=/path/to/id_rsa
$ kubectl create secret generic prow-github-ssh-knownhosts --from-file=known_hosts=/path/to/known_hosts
$ go get -u k8s.io/test-infra/prow/cmd/mkpj
$ mkpj --github-token-path=github-access-token --job=bar-job --config-path=config.yaml >bar-job.yaml
$ kubectl create -f bar-job.yaml
  • config.yaml
plank:
  job_url_template: 'https://example.com/{{.Spec.Job}}/{{.Status.BuildID}}/'
  report_template: '[Full PR test history](https://example.com/?org={{.Spec.Refs.Org}}&repo={{.Spec.Refs.Repo}}).'
  job_url_prefix: https://example.com/view/gcs/
  pod_pending_timeout: 60m
  default_decoration_config:
    timeout: 7200000000000 # 2h
    grace_period: 15000000000 # 15s
    utility_images:
      clonerefs: "gcr.io/k8s-prow/clonerefs:v20190312-abfe0e0"
      initupload: "gcr.io/k8s-prow/initupload:v20190312-abfe0e0"
      entrypoint: "gcr.io/k8s-prow/entrypoint:v20190312-abfe0e0"
      sidecar: "gcr.io/k8s-prow/sidecar:v20190312-abfe0e0"
    gcs_configuration:
      bucket: "... SNIP ..."
      path_strategy: "legacy"
      default_org: "cbuchacher"
      default_repo: "testrepo"
    gcs_credentials_secret: "prow-service-account"

presubmits:
  cbuchacher/testrepo:
  - name: bar-job
    always_run: true
    decorate: true
    decoration_config:
      ssh_key_secrets:
      - prow-github-ssh-key
      ssh_host_fingerprints:
      - prow-github-ssh-knownhosts
    clone_uri: "git@github.com:cbuchacher/testrepo.git"
    skip_report: false
    spec:
      containers:
      - image: gcr.io/cloud-builders/docker
        command:
        - "/usr/bin/docker"
        args: ['build', '-f', 'Dockerfile', '.']
        volumeMounts:
        - name: docker-socket
          mountPath: /var/run/docker.sock
      volumes:
      - name: docker-socket
        hostPath:
          path: /var/run/docker.sock
          type: Socket

Please provide links to example occurrences, if any:

Anything else we need to know?:

Related to #9450.

About this issue

  • State: closed
  • Created 5 years ago
  • Comments: 20 (17 by maintainers)

Most upvoted comments

I think adding the EmptyDir would be preferred – it also ensures that we will have write access to that dir. Prow generally prefers this method and we mount an EmptyDir for /tmp in other components as well.

/cc @droslean

Oh, sorry. I misremembered how it was working. Your second approach sounds good! Do we fail today when we try to update ~/.ssh/known_hosts as well?

Okay perfect. Depends on how you define failing 😃. I got an error in the log (because the file did not exist) and then the git clone or whatever it’s doing later fails because the known_hosts had not been updated/created. So I would say if somebody depends on entries in known_hosts I’m not sure how it could work with the current code.

We could set the environment variable GIT_SSH_COMMAND='ssh -o UserKnownHostsFile=/path/to/known_hosts' if this is needed only for git commands.
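
Added example, not part of the thread and not clonerefs' own code: a Go sketch of the two remedies discussed above, creating the directory before appending to known_hosts and pointing git at an explicit file through GIT_SSH_COMMAND. The function names, the sample host entry and the `StrictHostKeyChecking=yes` option are assumptions of this example.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// appendKnownHosts appends host key lines to knownHosts. It creates the parent
// directory (0700) first: opening the file with O_CREATE alone fails with
// "no such file or directory" when ~/.ssh is absent, as in the log above.
func appendKnownHosts(knownHosts string, lines []string) error {
	if err := os.MkdirAll(filepath.Dir(knownHosts), 0o700); err != nil {
		return fmt.Errorf("could not create %s: %w", filepath.Dir(knownHosts), err)
	}
	f, err := os.OpenFile(knownHosts, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0o600)
	if err != nil {
		return fmt.Errorf("could not create/append to %s: %w", knownHosts, err)
	}
	var werr error
	for _, l := range lines {
		if l = strings.TrimSpace(l); l != "" && werr == nil {
			_, werr = fmt.Fprintln(f, l)
		}
	}
	if cerr := f.Close(); werr == nil {
		werr = cerr
	}
	return werr
}

// gitSSHEnv builds the GIT_SSH_COMMAND value suggested in the thread, plus
// StrictHostKeyChecking=yes (added here) so unknown hosts are refused. Paths
// with whitespace or shell metacharacters are rejected: git runs it via a shell.
func gitSSHEnv(knownHosts string) (string, error) {
	if knownHosts == "" || strings.ContainsAny(knownHosts, " \t\n'\"\\$`;&|") {
		return "", fmt.Errorf("unsafe known_hosts path %q", knownHosts)
	}
	return "GIT_SSH_COMMAND=ssh -o UserKnownHostsFile=" + knownHosts + " -o StrictHostKeyChecking=yes", nil
}

func main() {
	kh := filepath.Join(os.TempDir(), "clonerefs-demo", ".ssh", "known_hosts")
	// Constructed sample entry, not a real host key.
	err := appendKnownHosts(kh, []string{"git.example.invalid ssh-ed25519 AAAAconstructedSampleKey"})
	env, envErr := gitSSHEnv(kh)
	fmt.Println(err, envErr, env)
}
```

The returned string is meant to be appended to the environment of the git process, for example via `exec.Cmd.Env`.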