Pipeline: "ssh-keyscan": executable file not found in $PATH after upgrading from v0.13.2 to v0.14.1

Created on 16 Jul 2020  ·  9 Comments  ·  Source: tektoncd/pipeline

Hi,

we have a pipeline running that is using ssh-based authentication to clone from a corporate git repository as described in https://github.com/tektoncd/pipeline/blob/master/docs/auth.md#ssh-authentication-git.

After upgrading from v0.13.2 to v0.14.1, the pipeline starts failing with the following log output:

invalid value "corp-git-secret=github.corp" for flag -ssh-git: ssh-keyscan error: exec: "ssh-keyscan": executable file not found in $PATH
Usage of /tekton/tools/entrypoint:
  -basic-docker value
        List of secret=url pairs.
  -basic-git value
        List of secret=url pairs.
  -docker-cfg string
        Docker .dockercfg secret file.
  -docker-config string
        Docker config.json secret file.
  -entrypoint string
        Original specified entrypoint to execute
  -post_file string
        If specified, file to write upon completion
  -results string
        If specified, list of file names that might contain task results
  -ssh-git value
        List of secret=url pairs.
  -termination_path string
        If specified, file to write upon termination (default "/tekton/termination")
  -wait_file string
        Comma-separated list of paths to wait for
  -wait_file_content
        If specified, expect wait_file to have content

In the release notes of 0.14.1 I found the following paragraph:
The creds-init step is gone and its behavior is now handled by the entrypoint. This shouldn't have any impact except running as the same user as the step.

Do we now have to include ssh-keyscan (and others?) in the image that we are using for the task?

Thanks,
Fabian

kind/bug

All 9 comments

oh that ain't good :sweat:
/cc @sbwsg
(this might mean we need a 0.14.2 :upside_down_face: )

Ah, yeah, that's fair. Probably need to rollback the creds-init change. I'll get a PR open.

@Fabian-K can you confirm whether you include the known_hosts section in your Secrets (mentioned in the auth doc)?

If not then you should be able to add this known_hosts field to immediately sidestep the problem. ssh-keyscan should only run if you don't include a known_hosts entry in the Secret.

I think the fix to this might be to drop use of ssh-keyscan in the creds code. I'm not sure it provides any kind of security to do that scan since Tekton will blindly trust _any_ key that it returns.
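The two points above, pinning the host key in the Secret's known_hosts field and the observation that a run-time ssh-keyscan trusts whatever key comes back, can be shown together. The following is an added example, not Tekton's own code: it parses a known_hosts line, derives the OpenSSH-style SHA256 fingerprint, and only emits a Secret in the layout the Tekton auth doc describes (type kubernetes.io/ssh-auth, keys ssh-privatekey and known_hosts, annotation tekton.dev/git-0) when the host key matches a fingerprint you obtained out of band. The host key, private key and the Secret name corp-git-secret / host github.corp are constructed sample values taken from or modelled on this issue; the function names are assumptions.

```python
"""
Pin a git host's SSH key in a Tekton ssh-auth Secret instead of relying on an
ssh-keyscan performed at run time.

Added example, not Tekton's own code.  It assumes the Secret layout from the
Tekton auth docs (type kubernetes.io/ssh-auth, data keys ssh-privatekey and
known_hosts, annotation tekton.dev/git-0).  The host key and private key below
are constructed dummies, not real credentials.
"""
import base64
import hashlib
import json


def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return len(b).to_bytes(4, "big") + b


# Constructed sample data: a syntactically valid ssh-ed25519 public-key blob
# (string("ssh-ed25519") || string(32 key bytes)) with dummy key bytes.
SAMPLE_KEY_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_KNOWN_HOSTS = (
    "github.corp ssh-ed25519 " + base64.b64encode(SAMPLE_KEY_BLOB).decode() + "\n"
)
SAMPLE_PRIVATE_KEY = (
    "-----BEGIN OPENSSH PRIVATE KEY-----\nDUMMY\n-----END OPENSSH PRIVATE KEY-----\n"
)


def parse_known_hosts_line(line: str):
    """Return (hostnames, key_type, key_blob) for one known_hosts line."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError(f"malformed known_hosts line: {line!r}")
    hosts, key_type, b64 = fields[0], fields[1], fields[2]
    blob = base64.b64decode(b64, validate=True)
    # The blob's leading string must agree with the textual key type.
    length = int.from_bytes(blob[:4], "big")
    if blob[4:4 + length].decode(errors="replace") != key_type:
        raise ValueError("key type inside blob does not match the text field")
    return hosts.split(","), key_type, blob


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + base64(sha256(blob)) without '=' padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_key_matches(known_hosts: str, host: str, expected_fp: str) -> bool:
    """True iff known_hosts carries a key for `host` whose fingerprint equals expected_fp."""
    for line in known_hosts.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        hosts, _, blob = parse_known_hosts_line(line)
        if host in hosts and fingerprint(blob) == expected_fp:
            return True
    return False


def build_ssh_secret(name: str, git_host: str, private_key: str, known_hosts: str) -> dict:
    """Kubernetes Secret manifest in the layout Tekton's auth docs describe."""
    def b64(s: str) -> str:
        return base64.b64encode(s.encode()).decode()

    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "annotations": {"tekton.dev/git-0": git_host}},
        "type": "kubernetes.io/ssh-auth",
        "data": {"ssh-privatekey": b64(private_key), "known_hosts": b64(known_hosts)},
    }


def pinned_secret(name: str, git_host: str, private_key: str,
                  known_hosts: str, expected_fp: str) -> dict:
    """Refuse to build the Secret unless known_hosts matches the pinned fingerprint."""
    if not host_key_matches(known_hosts, git_host, expected_fp):
        raise ValueError(f"host key for {git_host} does not match pinned {expected_fp}")
    return build_ssh_secret(name, git_host, private_key, known_hosts)


if __name__ == "__main__":
    # In practice expected_fp comes from your git host's published fingerprint;
    # here it is derived from the constructed sample key so the demo is self-contained.
    fp = fingerprint(parse_known_hosts_line(SAMPLE_KNOWN_HOSTS)[2])
    manifest = pinned_secret("corp-git-secret", "github.corp",
                             SAMPLE_PRIVATE_KEY, SAMPLE_KNOWN_HOSTS, fp)
    print(json.dumps(manifest, indent=2))  # JSON is valid YAML for kubectl apply -f
```

The manifest printed is JSON, which kubectl accepts as YAML. With known_hosts present in the Secret the entrypoint has no reason to call ssh-keyscan, so the missing binary in the step image no longer matters, and a changed host key now fails the clone instead of being silently accepted.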

Ah, yes. Currently, we don't include known_hosts, adding it to the secret resolves the issue :)

> I think the fix to this might be to drop use of ssh-keyscan in the creds code. I'm not sure it provides any kind of security to do that scan since Tekton will blindly trust _any_ key that it returns.

Right, but this is a breaking change in behavior so… this should definitely not be in a bugfix release and will need to be handled like other deprecations.

Thank you for the quick support & fix 🙏

So this should be fixed in 0.14.2 (reverted the change), and will be fixed "differently" in 0.15 :wink:
Thanks for the report @Fabian-K :hugs:
