tailscale / github-action

A GitHub Action to connect your workflow to your Tailscale network.
BSD 3-Clause "New" or "Revised" License

Unable to ssh into machine: Host key verification failed #83

Closed gf3 closed 10 months ago

gf3 commented 10 months ago

Currently unable to ssh into a target machine using GitHub Actions in our CI/CD workflow.

Steps

```yaml
      - name: Tailscale
        uses: tailscale/github-action@v2
        with:
          args: --accept-dns=true
          oauth-client-id: ${{ secrets.TS_OAUTH_CLIENT_ID }}
          oauth-secret: ${{ secrets.TS_OAUTH_SECRET }}
          tags: tag:ci
          version: 1.48.1

      - name: Test SSH Connection
        run: |
          ssh root@wharf-stag-droplet-0 'echo "connected to $(hostname)"'
```

Full job

```yaml
build_and_deploy:
  name: Build & Deploy
  runs-on: ubuntu-latest
  needs: [determine_environment]
  environment:
    name: ${{ needs.determine_environment.outputs.environment }}
  env:
    APP_ENV: ${{ needs.determine_environment.outputs.environment }}
  steps:
    - uses: actions/checkout@v3
      with:
        ref: ${{ github.event.workflow_run.head_branch }}
    - uses: ruby/setup-ruby@v1
      with:
        ruby-version: 3.2.2
        bundler-cache: true
    - name: Configure 1Password Service Account
      uses: 1password/load-secrets-action/configure@v1
      with:
        service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
    - name: Install 1Password CLI
      uses: 1password/install-cli-action@v1
    - name: Expose GitHub Runtime
      uses: crazy-max/ghaction-github-runtime@v2
    - name: Set up Docker Buildx
      id: buildx
      uses: docker/setup-buildx-action@v2
      with:
        install: true
    - name: Tailscale
      uses: tailscale/github-action@v2
      with:
        args: --accept-dns=true
        oauth-client-id: ${{ secrets.TS_OAUTH_CLIENT_ID }}
        oauth-secret: ${{ secrets.TS_OAUTH_SECRET }}
        tags: tag:ci
        version: 1.48.1
    - name: Test SSH Connection
      run: |
        ssh root@wharf-stag-droplet-0 'echo "connected to $(hostname)"'
    - name: Install Kamal
      run: |
        gem install kamal
    - name: Envify
      env:
        OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
      run: |
        kamal envify -d $APP_ENV
    - name: Deploy
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        MIX_ENV: prod
      run: |
        kamal deploy -d $APP_ENV
```

Output

Tailscale

```
Run tailscale/github-action@v2
Run if [ X64 = "ARM64" ]; then
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100    64  100    64    0     0    264      0 --:--:-- --:--:-- --:--:--   265
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100 24.2M  100 24.2M    0     0  29.6M      0 --:--:-- --:--:-- --:--:-- 29.5M
tailscale.tgz: OK
Run sudo -E tailscaled --state=mem: ${ADDITIONAL_DAEMON_ARGS} 2>~/tailscaled.log &
Run if [ -z "${HOSTNAME}" ]; then
  if [ -z "${HOSTNAME}" ]; then
    HOSTNAME="github-$(cat /etc/hostname)"
  fi
  if [ -n "***" ]; then
    TAILSCALE_AUTHKEY="***?preauthorized=true&ephemeral=true"
    TAGS_ARG="--advertise-tags=tag:ci"
  fi
  timeout 5m sudo -E tailscale up ${TAGS_ARG} --authkey=${TAILSCALE_AUTHKEY} --hostname=${HOSTNAME} --accept-routes ${ADDITIONAL_ARGS}
  shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
  env:
    MIX_ENV: prod
    APP_ENV: stag
    OP_SERVICE_ACCOUNT_TOKEN: ***
    ACTIONS_RUNTIME_URL: https://pipelinesghubeus14.actions.githubusercontent.com/Vb5Ii5pc6JAen1JpQMIV3UQa18j7NvPGRNshHPuBg9aUE4BIrs/
    ACTIONS_RUNTIME_TOKEN: ***
    ACTIONS_CACHE_URL: https://acghubeus2.actions.githubusercontent.com/Vb5Ii5pc6JAen1JpQMIV3UQa18j7NvPGRNshHPuBg9aUE4BIrs/
    TAILSCALE_AUTHKEY:
    ADDITIONAL_ARGS: --accept-dns=true
    HOSTNAME:
    TS_EXPERIMENT_OAUTH_AUTHKEY: true
```

Test SSH Connection

```
Run ssh root@wharf-stag-droplet-0 'echo "connected to $(hostname)"'
  ssh root@wharf-stag-droplet-0 'echo "connected to $(hostname)"'
  shell: /usr/bin/bash -e {0}
  env:
    MIX_ENV: prod
    APP_ENV: stag
    OP_SERVICE_ACCOUNT_TOKEN: ***
    ACTIONS_RUNTIME_URL: https://pipelinesghubeus14.actions.githubusercontent.com/Vb5Ii5pc6JAen1JpQMIV3UQa18j7NvPGRNshHPuBg9aUE4BIrs/
    ACTIONS_RUNTIME_TOKEN: ***
    ACTIONS_CACHE_URL: https://acghubeus2.actions.githubusercontent.com/Vb5Ii5pc6JAen1JpQMIV3UQa18j7NvPGRNshHPuBg9aUE4BIrs/
Host key verification failed.
Error: Process completed with exit code 255.
```

Note

I am able to access the machine if I use `tailscale ssh` directly, e.g.:

```
tailscale ssh root@wharf-stag-droplet-0 'echo "connected to $(hostname)"'
```

However this will not work with the other tools I am using.

gf3 commented 10 months ago

I added a `tailscale status` in there and I'm now also seeing this in the output:

```
# Health check:
#     - not connected to home DERP region 1
```

davidchase commented 10 months ago

I was able to ssh when I set up Tailscale SSH and used the option `ssh -o StrictHostKeyChecking=no`; otherwise I had similar issues.

gf3 commented 10 months ago

@davidchase That was what was recommended by Tailscale support! I ended up adding this to the SSH config in the GH Actions runner:

```
Host *
  ForwardAgent yes
  LogLevel VERBOSE
  StrictHostKeyChecking no
  UserKnownHostsFile /dev/null
  VisualHostKey yes
```
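The `StrictHostKeyChecking no` plus `UserKnownHostsFile /dev/null` combination above makes `ssh` accept whatever host key the peer presents, so the runner no longer has any way to distinguish the real target from another host answering to that name. An alternative that keeps the check intact, as an added example that is not code from the issue participants or from tailscale/github-action, is to pin the target's public host key in a dedicated known_hosts file for the job. The script assumes the key line (`<keytype> <base64>`) was captured once out-of-band from the target and is supplied to the job through a secret with the hypothetical name `TARGET_HOST_KEY`; the key value embedded below is a constructed placeholder, and the hostname is the one from the issue.

```shell
#!/bin/sh
# Added example (not from tailscale/github-action or the issue thread): pin the
# target's SSH host key instead of disabling host-key verification.
set -eu

TARGET_HOST="wharf-stag-droplet-0"
# Constructed placeholder key line; in CI the real value arrives via the
# (hypothetical) TARGET_HOST_KEY secret and this fallback is never used.
SAMPLE_HOST_KEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLD"

# Accept only "<keytype> <base64>" so an empty or mangled secret fails the job
# instead of silently writing a useless known_hosts entry.
validate_host_key() {
  # shellcheck disable=SC2086
  set -- $1
  [ "$#" -eq 2 ] || return 1
  case "$1" in
    ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521|ssh-rsa) ;;
    *) return 1 ;;
  esac
  printf '%s' "$2" | grep -Eq '^[A-Za-z0-9+/]+=*$'
}

# Append one pinned entry "<host> <keytype> <base64>" to the known_hosts file,
# created with owner-only permissions. Args: host, key line, file path.
install_pinned_host_key() {
  validate_host_key "$2" || { echo "invalid host key for $1" >&2; return 1; }
  mkdir -p "$(dirname "$3")"
  ( umask 077; printf '%s %s\n' "$1" "$2" >>"$3" )
}

# True when the (unhashed) known_hosts file has an entry for the host.
# Args: host, file path.
known_hosts_has() {
  grep -Eq "^$1 " "$2"
}

# ssh options that keep strict checking on and consult only the pinned file,
# so a key mismatch fails the step with "Host key verification failed" as it
# should, rather than being waved through. Arg: file path.
ssh_pinned_opts() {
  printf -- '-o StrictHostKeyChecking=yes -o UserKnownHostsFile=%s' "$1"
}

# Demo run: pin the key into a temporary file and print the ssh invocation the
# workflow step would execute.
demo_known_hosts="$(mktemp)"
install_pinned_host_key "$TARGET_HOST" "${TARGET_HOST_KEY:-$SAMPLE_HOST_KEY}" "$demo_known_hosts"
echo "ssh $(ssh_pinned_opts "$demo_known_hosts") root@$TARGET_HOST 'echo \"connected to \$(hostname)\"'"
```

In the workflow, the pinning call replaces the `Host *` config block: run `install_pinned_host_key` with the secret in a step before `Test SSH Connection`, then invoke `ssh` with the options from `ssh_pinned_opts`. Rotating the target's host key means updating the secret, which is the intended failure mode: the job stops until someone confirms the new key.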