SSH into staging machine from docker instance using Bitbucket Pipelines

闹比i 2021-02-06 06:20

Using the new Bitbucket Pipelines feature, how can I SSH into my staging box from the docker container it spins up?

The last step in my pipeline is an .sh

2 answers
  •  一个人的身影
    2021-02-06 06:41

    Bitbucket pipelines can use a Docker image you've created, that has the ssh client set up to run during your builds, as long as it's hosted on a publicly accessible container registry.

    Create a Docker image.

    Create a Docker image with your ssh key available somewhere. The image also needs to have the host key for your environment(s) saved under the user the container will run as. This is normally the root user but may be different if you have a USER command in your Dockerfile.

    You could copy an already populated known-hosts file in or configure the file dynamically at image build time with:

    # ssh-keyscan only prints the host key; append it to the known_hosts of the user the container runs as
    RUN mkdir -p /root/.ssh && ssh-keyscan your.staging-host.com >> /root/.ssh/known_hosts
    

    Publish the image

    Publish your image to a publicly accessible, but private registry. You can host your own or use a service like Docker Hub.

    Configure Pipelines

    Configure pipelines to build with your docker image.

    If you use Docker Hub

    image:
      name: account-name/java:8u66
      username: $USERNAME
      password: $PASSWORD
      email: $EMAIL
    

    Or Your own external registry

    image:
      name: docker.your-company-name.com/account-name/java:8u66
    

    Restrict access on your hosts

    You don't want to have ssh keys to access your hosts flying around the world, so I would also restrict access for these deploy ssh keys to only run your deploy commands.

    The authorized_keys file on your staging host:

    command="/path/to/your/deploy-script",no-agent-forwarding,no-port-forwarding,no-X11-forwarding ssh-dss AAAAC8ghi9ldw== deploy@bitbucket
    

    Unfortunately Bitbucket doesn't publish an IP list to restrict access to, as they use shared infrastructure for pipelines. If they happen to be running on AWS then Amazon does publish IP lists.

    from="10.5.0.1",command="",no-... etc
    

    Also remember to date them and expire them from time to time. I know ssh keys don't enforce dates but it's a good idea to do it anyway.
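One way to enforce the `command=` restriction and the dating advice from the answer above, as an added example that is not part of the answer: a POSIX sh forced-command wrapper installed as the `/path/to/your/deploy-script` entry, which only runs allowlisted actions from an assumed directory /opt/deploy/bin whatever the pipeline sends as SSH_ORIGINAL_COMMAND, plus a helper that writes the authorized_keys entry with the `expiry-time` option that OpenSSH 7.7 and later enforce.

```sh
#!/bin/sh
# Forced-command wrapper for the restricted deploy key (added example, not from the answer).
# Assumed layout: each permitted action is a script under /opt/deploy/bin/<action>.
DEPLOY_BIN="${DEPLOY_BIN:-/opt/deploy/bin}"
ALLOWED_ACTIONS="deploy status rollback"

# allowed_action ACTION: succeed only for a bare allowlisted word (no paths,
# spaces or shell metacharacters), so the key cannot be used for anything else.
allowed_action() {
    case "$1" in
        ""|*[!a-z_-]*) return 1 ;;
    esac
    for a in $ALLOWED_ACTIONS; do
        [ "$a" = "$1" ] && return 0
    done
    return 1
}

# resolve_command REQUEST: REQUEST is the raw SSH_ORIGINAL_COMMAND the pipeline
# sent, e.g. "deploy v1.2.3"; prints the script to run or fails.
resolve_command() {
    action="${1%% *}"
    allowed_action "$action" || return 1
    printf '%s/%s\n' "$DEPLOY_BIN" "$action"
}

# authorized_keys_entry PUBKEY YYYYMMDD: the restricted entry for the staging host.
# expiry-time is enforced by OpenSSH 7.7 and later, so the key stops working by itself.
authorized_keys_entry() {
    printf 'command="%s/deploy-script",no-agent-forwarding,no-port-forwarding,no-X11-forwarding,no-pty,expiry-time="%s" %s\n' \
        "$DEPLOY_BIN" "$2" "$1"
}

# Entry point when sshd invokes this script via command=: run the allowlisted
# action with the remaining words as arguments, or log the refusal and exit.
run_forced_command() {
    request="${SSH_ORIGINAL_COMMAND:-}"
    target=$(resolve_command "$request") || {
        logger -t deploy-key "refused: ${request:-<none>}" 2>/dev/null || true
        echo "command not permitted" >&2
        exit 255
    }
    set -f                                   # no globbing of the argument words
    set -- ${request#"${request%% *}"}       # everything after the action word
    exec "$target" "$@"
}
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    run_forced_command
fi
```

The action scripts themselves still have to validate their arguments (for example that a release tag looks like a tag), since the wrapper only decides which script may run.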
