Closed jackchuong closed 9 months ago
First, that's a pretty old git-sync (more than 3.5 years old!) - I would encourage you to use something more recent if you care about CVEs. v3.6.9 is the latest v3 and v4.0.0 is even more modern but has some incompatible changes.
From what I understand, git-sync is working, but your Spark CRD is not setting something up properly?
I don't know anything about that, and I am afraid you are not going to find much of an answer here. You can crank up the --v level to 6 and get better logs, which MIGHT help (again, that is such an old version it will be hard to say for sure). You can at least compare git-sync logs from the success case and the fail case.
Another approach might be to run it with command set to sleep and args set to inf, and then kubectl exec into a shell to see what is going wrong - permissions or secret not mounted or who knows..
Hi @thockin
I changed the image for both spark-master-0 and nginx-deployment
image: registry.k8s.io/git-sync/git-sync:v3.6.5
and this is the log from the git-sync container in the spark-master-0 pod
kubectl -n ebis logs -f -c git-sync-sparks-job spark-master-0
INFO: detected pid 1, running init handler
I0922 02:14:53.822649 12 main.go:401] "level"=0 "msg"="starting up" "pid"=12 "args"=["/git-sync"]
I0922 02:14:53.838928 12 main.go:950] "level"=0 "msg"="cloning repo" "origin"="git@gitlab.mydomain.com:ebis1/sparks-job.git" "path"="/data"
E0922 02:14:53.967181 12 main.go:547] "msg"="too many failures, aborting" "error"="Run(git clone -v --no-checkout -b main git@gitlab.mydomain.com:ebis1/sparks-job.git /data): exit status 128: { stdout: "", stderr: "Cloning into '/data'...\nFailed to add the ECDSA host key for IP address '192.168.0.11' to the list of known hosts (/etc/git-secret/known_hosts).\r\n@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\r\n@ WARNING: UNPROTECTED PRIVATE KEY FILE! @\r\n@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\r\nPermissions 0440 for '/etc/git-secret/ssh' are too open.\r\nIt is required that your private key files are NOT accessible by others.\r\nThis private key will be ignored.\r\nLoad key \"/etc/git-secret/ssh\": bad permissions\r\ngit@gitlab.mydomain.com: Permission denied (publickey).\r\nfatal: Could not read from remote repository.\n\nPlease make sure you have the correct access rights\nand the repository exists." }" "failCount"=1
this is the log from the git-sync container in the nginx-deployment pod
kubectl -n ebis logs -f -c git-sync nginx-deployment-5786486d45-sr6jb
INFO: detected pid 1, running init handler
I0922 02:11:15.442456 12 main.go:401] "level"=0 "msg"="starting up" "pid"=12 "args"=["/git-sync"]
I0922 02:11:15.478253 12 main.go:950] "level"=0 "msg"="cloning repo" "origin"="git@gitlab.mydomain.com:ebis1/sparks-job.git" "path"="/data"
I0922 02:11:15.807335 12 main.go:760] "level"=0 "msg"="syncing git" "rev"="HEAD" "hash"="7a1b1b612486f7b6ce8a9bd98ae8abdc0fcef2b1"
I0922 02:11:15.825159 12 main.go:800] "level"=0 "msg"="adding worktree" "path"="/data/7a1b1b612486f7b6ce8a9bd98ae8abdc0fcef2b1" "branch"="origin/main"
I0922 02:11:15.830422 12 main.go:860] "level"=0 "msg"="reset worktree to hash" "path"="/data/7a1b1b612486f7b6ce8a9bd98ae8abdc0fcef2b1" "hash"="7a1b1b612486f7b6ce8a9bd98ae8abdc0fcef2b1"
I0922 02:11:15.830472 12 main.go:865] "level"=0 "msg"="updating submodules"
If I add the command sleep to spark-master-0 so it can start successfully, then I can see that it maps spark-ssh-git-secret to the paths /etc/git-secret/ssh and /etc/git-secret/known_hosts in the git-sync container
ls /etc/git-secret
known_hosts ssh
So again, the simple deployment is working but spark is messing something up, right?
Are the permissions right? SSH is very particular about who can read/write keys and it is saying "Permissions 0440 for '/etc/git-secret/ssh' are too open".
You may also want to set the KNOWN_HOSTS flag to "false".
The permission is 777 at /etc/git-secret in both spark-master-0 (fail) and nginx-deployment (ok).
ls -lh
total 0
lrwxrwxrwx 1 root 1001 18 Sep 22 03:52 known_hosts -> ..data/known_hosts
lrwxrwxrwx 1 root 1001 10 Sep 22 03:52 ssh -> ..data/ssh
chmod 600 known_hosts
chmod: changing permissions of 'known_hosts': Read-only file system
chmod 600 ssh
chmod: changing permissions of 'ssh': Read-only file system
I added
- name: GIT_SYNC_SSH_KNOWN_HOSTS
value: "false"
But the issue still exists. I tried exec'ing into the container git-sync-sparks-job in pod spark-master-0:
kubectl -n ebis exec -it -c git-sync-sparks-job spark-master-0 -- sh
# cd /data
# ls
# git clone -v --no-checkout -b main git@gitlab.mydomain.com:ebis1/sparks-job.git
Cloning into 'sparks-job'...
The authenticity of host 'gitlab.mydomain.com (192.168.0.11)' can't be established.
ECDSA key fingerprint is SHA256:AZiBro/EmLwwohRn1ywqxl6RpyTvYdfOGpihbDSTVUc.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'gitlab.mydomain.com,192.168.0.11' (ECDSA) to the list of known hosts.
git@gitlab.mydomain.com: Permission denied (publickey).
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
What permissions on the actual key file (after the symlink)?
Please run git-sync with -v6 to get more complete logs of the commands being run.
Sorry, I don't understand your question. These files are created by mounting secret/spark-ssh-git-secret into the container.
git clone -v6 --no-checkout -b main git@gitlab.mydomain.com:ebis1/sparks-job.git /data
Cloning into '/data'...
ssh: Could not resolve hostname gitlab.mydomain.com: No address associated with hostname
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
I think the reason here is that somehow the git-sync container in pod spark-master-0 cannot resolve the domain gitlab.mydomain.com? But the git-sync container in pod nginx-deployment can, so it works fine.
Earlier it said the key file was 0440, which SSH does not like if the current UID is the same as the key file's owner. I bet the file is owned by root and you are running as root. Don't run as root if you can avoid it.
Failing DNS is yet another new failure mode, not at all what you showed before, so I am not sure how I can be of help.
Obviously, make DNS work, first. Then make sure permissions and UID are correct.
This does not appear to be a bug, per se, so I'm going to close this for house-keeping's sake. Please let me know if you still can't get it working.
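The 0440-with-matching-UID rule in the comment above, as an added shell example that is not from this thread or from the git-sync project: it re-implements OpenSSH's private-key permission check (a key is refused only when it is owned by the current uid AND any group/other permission bit is set), follows the ..data symlink a Kubernetes secret volume creates, and runs the check over a constructed temp-dir layout. Assumes GNU stat; the defaultMode mentioned in the comments is the Kubernetes secret-volume field, not something git-sync sets.

```shell
#!/bin/sh
# Added example (not from the issue thread or from git-sync): reproduce the
# permission check OpenSSH applies when loading an identity file, so a mounted
# secret can be verified before git-sync tries to clone.
#
# OpenSSH refuses a private key only when BOTH hold:
#   1. the file is owned by the current uid, and
#   2. any group/other bit is set (mode & 077 != 0).
# So a 0440 key owned by the uid running git-sync fails with
# "UNPROTECTED PRIVATE KEY FILE", while the same 0440 file owned by root is
# accepted when git-sync runs as uid 1001. Secret volumes expose the key
# through a symlink (ssh -> ..data/ssh), so the target is inspected (stat -L).
# Assumes GNU stat.

ssh_key_perm_ok() {
    key="$1"
    if [ ! -e "$key" ]; then
        echo "MISSING: $key does not exist (is the secret mounted?)" >&2
        return 2
    fi
    owner=$(stat -L -c '%u' "$key")   # numeric uid of the symlink target
    mode=$(stat -L -c '%a' "$key")    # octal mode of the symlink target
    me=$(id -u)
    # 0$mode makes the shell parse the digits as octal; 077 = group+other bits.
    if [ "$owner" -eq "$me" ] && [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "REJECT: $key is mode $mode and owned by current uid $me" >&2
        return 1
    fi
    echo "OK: $key mode $mode owner $owner, current uid $me" >&2
    return 0
}

# Constructed demo mimicking the secret-mount layout in a temp directory.
demo() {
    d=$(mktemp -d)
    mkdir "$d/..data"
    printf '%s\n' 'constructed placeholder, not real key material' > "$d/..data/ssh"
    ln -s ..data/ssh "$d/ssh"
    chmod 440 "$d/..data/ssh"        # what the failing pod showed
    ssh_key_perm_ok "$d/ssh" || echo "  -> fix: secret volume defaultMode 0400, or run as a uid that does not own the file" >&2
    chmod 400 "$d/..data/ssh"        # corrected mode
    ssh_key_perm_ok "$d/ssh"
    rm -rf "$d"
}

case "${1:-}" in demo) demo ;; esac
```

Run it as `sh check.sh demo`, or source it inside the sleeping sidecar and call `ssh_key_perm_ok /etc/git-secret/ssh` directly.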
Hi all, I want to create a git-sync sidecar container in the spark master pod; it will sync data from my private git repo periodically (every 60s) using SSH. Here are my chart values:
I created a secret containing the ssh key
The user can already use this ssh key to push/pull the git repo. But the Spark master pod is not ready (1/2) and in CrashLoopBackOff.
Meanwhile, this test.yaml works fine
The git-sync container can sync data from the git repo every 60s and I can see the data in the nginx-helloworld container at /usr/share/nginx/html, and the nginx-deployment pod runs without error.