git subsodule更新具有访问令牌不一致的行为
上下文
自我管理的gitlab实例的 ,有多个用户和组, 我正在尝试在.gitlab-ci.yml main_project 的.gitlab-ci.yml中进行git子模型更新 - init - init-recursive。此存储库包含一个suppodule(filter_lib),本身包含一个subpodule(helper_funcs):
main_project
├── app
│ └── filter_lib <- submodule
│ ├── .gitmodules
│ ├── lib
│ └── helper_funcs <- submodule
│ └── funcs
├── .gitmodules
├── .gitlab-ci.yml
├── .gi
└── tests
└── test_stuff.py
main_project在一个gitlab组中> group1 )和两个子模型(filter_lib和helper_funcs)在另一个gitlab组中彼此没有正确的操作:
my_gitlab_instance
├── group1
│ └── main_project
└── group2
└── subgroupA
├── filter_lib
└── helper_funcs
我想要init所有子模型。 首先,我在.gitlab-ci.yml的开头尝试了此代码:
variables:
GIT_SUBMODULE_STRATEGY: recursive
此CI在尝试运行我的脚本之前在以下错误中失败:
Updating/initializing submodules recursively with git depth set to 50...
Submodule 'app/filter_lib' (https://gitlab-ci-token:[MASKED]@my_gitlab_instance.com/group2/subgroupA/filter_lib.git) registered for path 'app/filter_lib'
Cloning into '/builds/group1/main_project/app/filter_lib'...
Submodule path 'app/filter_lib': checked out '28d6c0f2d0bc691c29a406f44ae9b69b4e00f2b2'
Submodule 'helper_funcs' (git@gitlab:group2/subgroupA/helper_funcs) registered for path 'app/filter_lib/helper_funcs'
Cloning into '/builds/group1/main_project/app/filter_lib/helper_funcs'...
error: cannot run ssh: No such file or directory
fatal: unable to fork
fatal: clone of 'git@gitlab:group2/subgroupA/helper_funcs' into submodule path '/builds/group1/main_project/app/filter_lib/helper_funcs' failed
Failed to clone 'helper_funcs'. Retry scheduled
Cloning into '/builds/group1/main_project/app/filter_lib/helper_funcs'...
error: cannot run ssh: No such file or directory
fatal: unable to fork
fatal: clone of 'git@gitlab:group2/subgroupA/helper_funcs' into submodule path '/builds/group1/main_project/app/filter_lib/helper_funcs' failed
Failed to clone 'helper_funcs' a second time, aborting
Failed to recurse into submodule path 'app/filter_lib'
这是一种预期,因为group11 /main_project在group2中没有任何repo的读取权。
因此,我尝试通过将git_submodule_strategy更改为正常,并允许group1/main_project访问group> group> group2/subgroupa/filter_lib和group2 /subgroupa/helper_funcs以下方式:
对于filter_lib,我进入了repo settings&gt;访问令牌并生成一个具有所有可用范围的令牌和navener角色。然后,我在 main_project&gt中添加了这个令牌。设置&gt; CI/CD&GT;变量作为蒙版变量,名为 filter_lib_clone_key 。 我对helper_funcs进行了相同的操作,而变量为 helper_funcs_clone_key 。
请注意以下所有命令均通过.gitlab-ci.yml main_project。
。 main_project 在尝试git subpodule Update之前,以便在CI阶段看起来像这样:
$ cat .gitmodules
[submodule "app/filter_lib"]
path = app/filter_lib
url = https://gitlab-ci-token:[MASKED(FILTER_LIB_CLONE_KEY)]@my_gitlab_instance.com/group2/subgroupA/filter_lib.git
运行git subpodule Update-init in main_project /code>成功克隆了group2/subgroupa/filter_lib的内容:
$ cd app/filter_lib
$ ls -al
total 23
drwxrwxrwx 4 root root 4096 May 17 10:51 .
drwxrwxrwx 3 root root 4096 May 17 09:24 ..
-rw-rw-rw- 1 root root 40 May 17 09:24 .git
-rw-rw-rw- 1 root root 137 May 17 10:51 .gitmodules
drwxrwxrwx 2 root root 4096 May 17 10:52 helper_funcs
drwxrwxrwx 6 root root 4096 May 17 09:24 lib
我在app/filter_lib/.gitmodules 中所做的相同:
$ cat app/filter_lib/.gitmodules
[submodule "helper_funcs"]
path = helper_funcs
url = https://gitlab-ci-token:[MASKED(HELPER_FUNCS_CLONE_KEY)]@my_gitlab_instance.com/group2/subgroupA/helper_funcs.git
ignore = dirty
在filter_lib中,我做到了:
$ git submodule update
Host key verification failed.
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
fatal: clone of 'git@gitlab:group2/subgroupA/helper_funcs' into submodule path '/builds/group1/main_project/app/filter_lib/helper_funcs' failed
Failed to clone 'helper_funcs'. Retry scheduled
Host key verification failed.
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
fatal: clone of 'git@gitlab:group2/subgroupA/helper_funcs' into submodule path '/builds/group1/main_project/app/filter_lib/helper_funcs' failed
Failed to clone 'helper_funcs' a second time, aborting
但是,用 helper_funcs_clone_key_key works在正确的位置手动克隆helper_funcs repo。
为什么可以使用相同的repo url git克隆 ?
为什么git子模块更新在第一个子模块上工作,而在第二个子模块上也不能,即使访问权限是相同的?
Context
On a self-managed GitLab instance, with multiple users and groups,
I'm trying to do a git submodule update --init --recursive in the .gitlab-ci.yml of main_project. This repo contains a submodule (filter_lib), itself containing a submodule (helper_funcs):
main_project
├── app
│ └── filter_lib <- submodule
│ ├── .gitmodules
│ ├── lib
│ └── helper_funcs <- submodule
│ └── funcs
├── .gitmodules
├── .gitlab-ci.yml
├── .gi
└── tests
└── test_stuff.py
main_project is in one GitLab group (let's call it group1) and both submodules (filter_lib and helper_funcs) are in another GitLab group and subgroup (group2/subgroupA), with no acces right to each other:
my_gitlab_instance
├── group1
│ └── main_project
└── group2
└── subgroupA
├── filter_lib
└── helper_funcs
Problem
I want to init all submodules.
First, I tried with this code at the beginning of my .gitlab-ci.yml:
variables:
GIT_SUBMODULE_STRATEGY: recursive
This CI failed with the following error before attempting to run my scripts:
Updating/initializing submodules recursively with git depth set to 50...
Submodule 'app/filter_lib' (https://gitlab-ci-token:[MASKED]@my_gitlab_instance.com/group2/subgroupA/filter_lib.git) registered for path 'app/filter_lib'
Cloning into '/builds/group1/main_project/app/filter_lib'...
Submodule path 'app/filter_lib': checked out '28d6c0f2d0bc691c29a406f44ae9b69b4e00f2b2'
Submodule 'helper_funcs' (git@gitlab:group2/subgroupA/helper_funcs) registered for path 'app/filter_lib/helper_funcs'
Cloning into '/builds/group1/main_project/app/filter_lib/helper_funcs'...
error: cannot run ssh: No such file or directory
fatal: unable to fork
fatal: clone of 'git@gitlab:group2/subgroupA/helper_funcs' into submodule path '/builds/group1/main_project/app/filter_lib/helper_funcs' failed
Failed to clone 'helper_funcs'. Retry scheduled
Cloning into '/builds/group1/main_project/app/filter_lib/helper_funcs'...
error: cannot run ssh: No such file or directory
fatal: unable to fork
fatal: clone of 'git@gitlab:group2/subgroupA/helper_funcs' into submodule path '/builds/group1/main_project/app/filter_lib/helper_funcs' failed
Failed to clone 'helper_funcs' a second time, aborting
Failed to recurse into submodule path 'app/filter_lib'
It is kind of expected because group1/main_project doesn’t have read rights to any repo in group2.
So I tried another way, by changing the GIT_SUBMODULE_STRATEGY to normal and allowing group1/main_project to access group2/subgroupA/filter_lib and group2/subgroupA/helper_funcs the following way:
For filter_lib, I went into the repo Settings > Access Tokens and generated a token with all available scopes and the Maintainer role. I then added this token in main_project > Settings > CI/CD > Variables as a masked variable named FILTER_LIB_CLONE_KEY.
I did the same for helper_funcs, with the variable named HELPER_FUNCS_CLONE_KEY.
Please note all the following commands were executed through the .gitlab-ci.yml of main_project.
I then sed the .gitmodules of main_project before attempting to git submodule update, so that it looked like this during the CI stage:
$ cat .gitmodules
[submodule "app/filter_lib"]
path = app/filter_lib
url = https://gitlab-ci-token:[MASKED(FILTER_LIB_CLONE_KEY)]@my_gitlab_instance.com/group2/subgroupA/filter_lib.git
Running git submodule update --init in main_project successfully cloned the content of group2/subgroupA/filter_lib:
$ cd app/filter_lib
$ ls -al
total 23
drwxrwxrwx 4 root root 4096 May 17 10:51 .
drwxrwxrwx 3 root root 4096 May 17 09:24 ..
-rw-rw-rw- 1 root root 40 May 17 09:24 .git
-rw-rw-rw- 1 root root 137 May 17 10:51 .gitmodules
drwxrwxrwx 2 root root 4096 May 17 10:52 helper_funcs
drwxrwxrwx 6 root root 4096 May 17 09:24 lib
I did the same for app/filter_lib/.gitmodules, which looked like this during the CI after the sed:
$ cat app/filter_lib/.gitmodules
[submodule "helper_funcs"]
path = helper_funcs
url = https://gitlab-ci-token:[MASKED(HELPER_FUNCS_CLONE_KEY)]@my_gitlab_instance.com/group2/subgroupA/helper_funcs.git
ignore = dirty
In filter_lib, I then did:
$ git submodule update
Host key verification failed.
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
fatal: clone of 'git@gitlab:group2/subgroupA/helper_funcs' into submodule path '/builds/group1/main_project/app/filter_lib/helper_funcs' failed
Failed to clone 'helper_funcs'. Retry scheduled
Host key verification failed.
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
fatal: clone of 'git@gitlab:group2/subgroupA/helper_funcs' into submodule path '/builds/group1/main_project/app/filter_lib/helper_funcs' failed
Failed to clone 'helper_funcs' a second time, aborting
However, manually cloning the helper_funcs repo at the right place with HELPER_FUNCS_CLONE_KEY works.
Why is it possible to git clone but not to git submodule update with the same repo url?
Why does the git submodule update works on the first submodule but not on the second, even though access rights are the same?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
如
我遇到了同样的问题。就我而言,我在工作中安装了
openssh。不安装openssh是Git开始使用HTTPS的方法。更确切地说,我的安装命令从:
直到
仍然,我不确定当安装
openssh时,我不确定为什么git在https One上使用SSH方法。As @torek tells in the comments, git is still using an authentication via ssh and not https as you want.
I had the same problem. In my case, I was installing
opensshinside my job. Not installingopensshwas the way to go for git to start using https.More precisely, my install command went from:
to
Still, I am not sure as to why git uses the ssh method over the https one when
opensshis installed.