ros-industrial / industrial_ci

Easy continuous integration repository for ROS repositories
Apache License 2.0

Cloning of private bitbucket repos #883

Closed AndyZe closed 1 month ago

AndyZe commented 1 month ago

In bitbucket-pipelines.yaml, adding this line causes my pipeline to hang:

...
         script:
           - export TRACE=true
           - export DOCKER_IMAGE="ros:humble"
           # This line causes the pipeline to hang
           #- export UPSTREAM_WORKSPACE="git+ssh://git@bitbucket.org/my_org/aladdin_resources#main git+ssh://git@bitbucket.org/my_org/isaac_ros_cumotion#main github:PickNikRobotics/bio_ik#ros2"
           - git clone --quiet --depth 1 https://github.com/ros-industrial/industrial_ci .industrial_ci -b master
           - .industrial_ci/bitbucket.sh ROS_DISTRO=humble
...

Specifically, the log says it hangs here:

d92d07b72e74: Pull complete
bd82b3fc9b82: Pull complete
Digest: sha256:482ae18aa5d4813dd5c59aee9e4cd830eac94c60587f494e9ff343e6aaf3aba3
Status: Downloaded newer image for ros:humble
docker.io/library/ros:humble
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
'pull_docker_image' returned with code '0' after 0 min 14 sec
TRACE:util.sh:208 ici_hook after_pull_docker_image
$ docker create --init --env-file /opt/atlassian/pipelines/agent/build/.industrial_ci/industrial_ci/src/isolation/docker.env --rm -v /opt/atlassian/pipelines/agent/build:/opt/atlassian/pipelines/agent/build:ro -e TARGET_REPO_PATH=/opt/atlassian/pipelines/agent/build -v /opt/atlassian/pipelines/agent/build/.industrial_ci/industrial_ci/src:/opt/atlassian/pipelines/agent/build/.industrial_ci/industrial_ci/src:ro -e ICI_SRC_PATH=/opt/atlassian/pipelines/agent/build/.industrial_ci/industrial_ci/src -t --entrypoint  -w /opt/atlassian/pipelines/agent/build ros:humble /bin/bash /opt/atlassian/pipelines/agent/build/.industrial_ci/industrial_ci/src/run.sh source_tests run_source_tests
TRACE:isolation/docker.sh:153 ici_guard docker inspect --format={{.Config.Image}} 8ebe7a8f38f06ba9e81cfdf2c7325c57152ec3277201690ab1602ac6f2d4272e
Copy credentials: /root/.ssh
$ docker start -a 8ebe7a8f38f06ba9e81cfdf2c7325c57152ec3277201690ab1602ac6f2d4272e
^ hangs here until the job times out

AndyZe commented 1 month ago

I guess you'll tell me to set - export VERBOSE_OUTPUT=true so we can see what's going on.

Edit: that doesn't give any new info.

AndyZe commented 1 month ago

My guess is, it's a permissions issue with cloning the other repos in our org.

AndyZe commented 1 month ago

OK, I've verified that it is a permissions issue with cloning the other repos in our org. Now need to find a way to circumvent this with Bitbucket...

AndyZe commented 1 month ago

I think what I need to do is place a private ssh key in the docker container somehow.

gavanderhoorn commented 1 month ago

Another option could be to use a deploy token or other kind of token, and then use Git's insteadOf functionality (docs). You can use that to essentially 'redirect' git clones of private repositories to URLs including the (deploy) token (so it would still be the same repository URL, it would now just have authentication information embedded).

In case you do that by generating a .gitconfig file, you'd write that secret to disk, so consider the implications. You can however also pass Git config elements on the command line, for single invocations, which would avoid that. That would however perhaps be difficult to use with a vcs based workflow.
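
An added example (not from this thread or from industrial_ci) of the token-plus-insteadOf approach described above, using Git's `GIT_CONFIG_COUNT` environment variables (Git 2.31 or later) so the token is not written to a `.gitconfig` and is inherited by child `git` processes such as those started by `vcs`. The `x-token-auth` user name, the `my_org` base URLs and the function names are assumptions; getting the variables into the industrial_ci container is not shown.

```shell
#!/usr/bin/env bash
# Added example: rewrite SSH URLs of private Bitbucket repos to token-authenticated
# HTTPS URLs, configured through the environment instead of a .gitconfig file.
# Requires Git >= 2.31 (GIT_CONFIG_COUNT / GIT_CONFIG_KEY_n / GIT_CONFIG_VALUE_n).

# setup_token_rewrite ORG TOKEN
# Overwrites any GIT_CONFIG_COUNT already set. Call it with shell tracing (set -x)
# off, otherwise the export lines print the token into the job log.
# Assumption: "x-token-auth" is the user name for a Bitbucket Cloud access token;
# other token types use a different user name.
setup_token_rewrite() {
  local org="$1" token="$2"
  [ -n "$org" ] && [ -n "$token" ] || {
    echo "usage: setup_token_rewrite ORG TOKEN" >&2
    return 1
  }
  local key="url.https://x-token-auth:${token}@bitbucket.org/${org}/.insteadOf"
  export GIT_CONFIG_COUNT=2
  # insteadOf is multi-valued: cover both the ssh:// and the scp-like spelling.
  export GIT_CONFIG_KEY_0="$key" GIT_CONFIG_VALUE_0="ssh://git@bitbucket.org/${org}/"
  export GIT_CONFIG_KEY_1="$key" GIT_CONFIG_VALUE_1="git@bitbucket.org:${org}/"
}

# resolved_url URL: print the URL Git would contact, without any network access.
resolved_url() {
  git ls-remote --get-url "$1"
}

# redact: mask the password part of an https URL before it reaches a CI log.
redact() {
  sed -E 's#(https://[^:/@]+:)[^@]+@#\1***@#'
}

# Demo with a constructed token (not a real credential).
if command -v git >/dev/null 2>&1; then
  setup_token_rewrite my_org "CONSTRUCTED-TOKEN"
  resolved_url "ssh://git@bitbucket.org/my_org/aladdin_resources" | redact
fi
```

The variables stay in the process environment, so anything that dumps the environment (a debug `env`, a crash report) exposes the token; scope the token to read-only access on the repositories the build needs.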

AndyZe commented 1 month ago

Well I haven't tried what gavanderhoorn suggested yet. I'm not that desperate yet. I did try GIT_SSH_COMMAND which seemed promising to me, but no luck still.

In bitbucket-pipelines.yml:

         variables:
           # Set SSH keys in industrial_ci container
           - DOCKER_RUN_OPTS='-e GIT_SSH_COMMAND="ssh -i .my_repo_name/private_key"'

I still get this error when running. (Which is the same error without it.)

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
setup_upstream_workspace
...
Setting up openssh-client (1:8.9p1-3ubuntu0.10) ...
TRACE:workspace.sh:180 ici_guard vcs import --recursive --force /root/upstream_ws/src
=== /root/upstream_ws/src/aladdin_resources (git) ===
Could not determine ref type of version: no such identity: /opt/atlassian/pipelines/agent/ssh/id_rsa: No such file or directory
git@bitbucket.org: Permission denied (publickey).
fatal: Could not read from remote repository.

gavanderhoorn commented 1 month ago

> I haven't tried what gavanderhoorn suggested yet. I'm not that desperate yet.

It's not such an awful way to do this :) I've seen it used in production at pretty large orgs.

Is it the prettiest? No. But depending on the exact circumstances (ephemeral containers on self-hosted infrastructure, for instance) it could be an acceptable way to get this to work.

Proper SSH setup would indeed be better though.

AndyZe commented 1 month ago

OK, I got it working by cloning my private deps into the CI build/ folder before running the .industrial_ci/bitbucket.sh script :+1:

image: docker:git
pipelines:
  default:
     - step:
         size: 2x # More memory
         services:
           - docker
         script:
           - export DOCKER_IMAGE="ros:humble"
           - apk add --update bash coreutils tar
           # Move aladdin_monitors_1 files from build/ to build/aladdin_monitors_1 so we can clone deps in the same ws
           - mkdir ./aladdin_monitors_1
           - mv $(ls --ignore=aladdin_monitors_1) ./aladdin_monitors_1
           # Clone deps
           # After this, we should have several packages in this build folder
           - git clone -b main git@bitbucket.org:my_org/aladdin_resources.git
           # Other dependencies go in the upstream workspace
           - export UPSTREAM_WORKSPACE="github:PickNikRobotics/bio_ik#ros2"
           - git clone --quiet --depth 1 https://github.com/ros-industrial/industrial_ci .industrial_ci -b master
           - .industrial_ci/bitbucket.sh ROS_DISTRO=humble