From: "Erik Botö" <erik.boto@gmail.com>
To: Nicolas Jeker <n.jeker@delisys.ch>
Cc: VIVAVIS AG <embedded@vivavis.com>,
	Sourabh Hegde <hrsourabh011@gmail.com>,
	"yocto@lists.yoctoproject.org" <yocto@lists.yoctoproject.org>
Subject: Re: [yocto] Fetch private gitlab repo using ssh with Yocto recipe #bitbake
Date: Fri, 28 Jan 2022 13:33:05 +0100
Message-ID: <CALNvYWM+E4huNkdZL5MNnDiC3D9aVy7SvziooFfqRR5Qr-TXnA@mail.gmail.com>
In-Reply-To: <90997c2cb92ea9700451b0e5d9afaeef64f4662c.camel@delisys.ch>

On Fri, Jan 28, 2022 at 11:50 AM Nicolas Jeker <n.jeker@delisys.ch> wrote:
>
> On Fri, 2022-01-28 at 10:27 +0000, VIVAVIS AG wrote:
> > Hi,
> >
> > > From: yocto@lists.yoctoproject.org <yocto@lists.yoctoproject.org> On
> > > behalf of Sourabh Hegde
> > > Sent: Friday, 28 January 2022 10:47
> > >
> > > Can you please let me know how to "forward SSH_AGENT into it to be
> > > able to fetch from internal projects without the need to mount the
> > > key into the container."? I never did that before.
> >
> > I use the following options within the Docker run command:
> >   -v $SSH_AUTH_SOCK:/ssh.socket \
> >   -e SSH_AUTH_SOCK=/ssh.socket \
> >
>
> That's pretty much what I use.
>
> > Furthermore, I had to mount the .ssh folder into the container to
> > make it work (be aware of the security risk).
> > Additionally, you should check that the uid and gid of the user in the
> > container are the same as on the host.
>
> I do something similar, my "problem" was that ssh needs the
> .ssh/known_hosts file with a matching entry in addition to your
> key/agent, but mounting the .ssh folder was not possible for me because
> of permissions. Currently, I just created a little script that wraps
> "oe-init-build-env" and populates the known_hosts file accordingly.
>
> mkdir -p ~/.ssh
>
> cat <<EOF >> ~/.ssh/known_hosts
> git.example.com ssh-ed25519 <base64key>
> EOF
>

I use my own Dockerfile based on crops/poky where I do the following,
which might be helpful if you also use this. It sets up the config
changes in /etc/skel/ since it creates users "on the fly" with
matching uid.

# Remove strict host key checking for ssh
# This is needed since the build will pull source over git-ssh
RUN mkdir -p /etc/skel/.ssh/
COPY ci-scripts/docker-stuff/config /etc/skel/.ssh/
RUN echo 'export GIT_SSH_COMMAND="ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"' >> /etc/skel/.bashrc


The ci-scripts/docker-stuff/config file contains:
Host *
   StrictHostKeyChecking no
   UserKnownHostsFile=/dev/null

Now, it was ages ago that I set this up, and right now I can't really
understand why I basically do the same thing twice. So you'd have to
check which of the two things actually solves the issue :-)

Cheers,
Erik


> > Regards,
> >
> > Carsten
> >
>
>
>
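Added example, not part of the original thread or of any poster's setup: two shell functions for a wrapper script, one that pins the Git server's host key in known_hosts without duplicating it on repeated runs (the quoted `cat >>` snippet appends every time), and one that counts the settings in an ssh config that switch host key verification off, as the `Host *` file in the message does. The function names, `git.example.com` and the key string are placeholders chosen for illustration.

```shell
#!/bin/sh
# Added example: keep SSH host key verification on inside a build container
# by pinning the server key, and flag configs that turn verification off.

# pin_known_host FILE HOST KEYTYPE BASE64KEY
# Appends "HOST KEYTYPE BASE64KEY" to FILE unless that exact line is already
# there, so the wrapper can run on every container start.
pin_known_host() {
    file=$1
    entry="$2 $3 $4"
    mkdir -p -m 700 "$(dirname "$file")"
    touch "$file" && chmod 600 "$file"
    grep -qxF -- "$entry" "$file" || printf '%s\n' "$entry" >> "$file"
}

# count_weak_settings FILE
# Prints how many lines of an ssh_config-style FILE disable host key
# verification. Matches "Keyword value" and "Keyword=value", any letter case.
count_weak_settings() {
    grep -ciE '^[[:space:]]*(StrictHostKeyChecking[[:space:]=]+(no|off)|UserKnownHostsFile[[:space:]=]+/dev/null)[[:space:]]*$' "$1" || true
}

# Constructed demo input: the "Host *" config quoted in the message next to
# a pinned alternative. Host name and key are placeholders, not real values.
demo=$(mktemp -d)
printf 'Host *\n   StrictHostKeyChecking no\n   UserKnownHostsFile=/dev/null\n' > "$demo/weak"
printf 'Host git.example.com\n   StrictHostKeyChecking yes\n' > "$demo/pinned"

# Two runs of the wrapper must leave exactly one known_hosts entry.
pin_known_host "$demo/.ssh/known_hosts" git.example.com ssh-ed25519 AAAA_PLACEHOLDER_BASE64KEY
pin_known_host "$demo/.ssh/known_hosts" git.example.com ssh-ed25519 AAAA_PLACEHOLDER_BASE64KEY

echo "weak config:   $(count_weak_settings "$demo/weak") setting(s) disabling verification"
echo "pinned config: $(count_weak_settings "$demo/pinned") setting(s) disabling verification"
echo "known_hosts entries after two runs: $(grep -c '' "$demo/.ssh/known_hosts")"
# With the key pinned, git can be pointed at it with checking left on:
echo "GIT_SSH_COMMAND=\"ssh -o StrictHostKeyChecking=yes -o UserKnownHostsFile=$demo/.ssh/known_hosts\""
```

The real key line for `pin_known_host` should come from a source trusted out of band, such as the server administrator, rather than from a first connection made inside the container.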

