Tags: gcloud, google-cloud-build

gcloud scp in cloud build fails due to known hosts problem


One step in my cloud build is to copy files from a VM in another project. After a series of problems, I've set up the service account access, and can successfully do this scp from my own workstation. However, in cloud build itself, I get this error on this step:

2022-08-03 22:21:32.170 EDTStep #4 - "Copy in static images": Failed to add the host to the list of known hosts (/builder/home/.ssh/google_compute_known_hosts).

The step runs a shell script. The pertinent part does this:

    args:
      - '-c'
      - ./auto-image-xfer.sh
    id: Copy in static images 
    entrypoint: bash

The shell script does this:

    gcloud compute scp --recurse user@vmname:/path/to/images ./destination --zone us-central1-a --ssh-key-file=./google_compute_engine --project "projectname"

Again, I hasten to add that I worked out a series of service account issues that originally prevented my ssh key from working prior to this, so I think it's just down to not being able to write the known_hosts file.

I looked into the -o ssh options to specify an alternative known hosts file, but these aren't valid for the gcloud compute scp command, and can't seem to be passed through with the scp-flags option.

I'm wondering if I need a custom builder for this, or is there an easier solution I'm overlooking?


Solution

  • This stack overflow post was very informative: Using SSH keys with Google Container Builder

    As was this documentation item about using ssh to access github from within a build: https://cloud.google.com/build/docs/access-github-from-build

    It turned out it was necessary to get the known hosts file into the build.

    My solution was cribbed from one of the stack overflow comments. I added this step:

      - name: gcr.io/google.com/cloudsdktool/cloud-sdk
        args:
          - '-c'
          - ./copy-known-hosts.sh
        id: Copy in known hosts
        entrypoint: sh
    

    The shell script does this:

    #!/bin/sh
    # Clean-up handler: reset the INT trap and remove the local copies of the
    # secret material so they do not linger in the build workspace.
    exitfn () {
      trap - INT
      rm -f ./google_compute_*
    }

    trap "exitfn" INT

    # Pull the pinned known_hosts file from Secret Manager (secret "known-hosts",
    # version 1) and install it where gcloud compute scp expects to find it.
    gcloud secrets versions access 1 --secret=known-hosts > google_compute_known_hosts
    mkdir -p /builder/home/.ssh
    cp ./google_compute_known_hosts /builder/home/.ssh/google_compute_known_hosts
    # A directory needs the execute bit to be traversable, so it gets 700;
    # the file itself gets 400.
    chmod 700 /builder/home/.ssh
    chmod 400 /builder/home/.ssh/google_compute_known_hosts

    exitfn
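The same procedure, written as an added example rather than code from the question or the answer: the secret is fetched into a temp file that is removed on exit, its contents are checked for well-formed `known_hosts` lines before installation (an empty or mangled secret version would otherwise fail the build with a less obvious error, or worse, leave host-key checking effectively disabled), permissions are set to 700 on the directory and 400 on the file, and the copy is run with `--strict-host-key-checking=yes` so a VM whose key is not in the pinned file fails the step instead of being added on first use. The secret name `known-hosts`, the `/builder/home/.ssh` directory, and the VM, zone and project names are assumptions carried over from the post or used as placeholders; the sample `known_hosts` entries in `demo` are constructed.

```shell
#!/bin/sh
# Added example, not the original poster's script. Assumes Cloud Build's
# home directory /builder/home and a Secret Manager secret named "known-hosts".
set -eu

# Accept only well-formed known_hosts lines: "host[,host] keytype base64-key".
# Comments and blank lines are skipped; hashed hosts (|1|...) pass because only
# the key type and key fields are inspected. Fails (exit 1) on any malformed
# line or when no usable entry remains, so a bad secret version stops the build.
validate_known_hosts() {
  awk '
    /^[[:space:]]*(#|$)/ { next }
    $2 ~ /^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521))$/ && $3 ~ "^[A-Za-z0-9+/]+=*$" { good++; next }
    { bad++ }
    END { exit (bad > 0 || good == 0) ? 1 : 0 }
  ' "$1"
}

# Install SRC as DST_DIR/google_compute_known_hosts with owner-only permissions.
# The directory needs the execute bit to be traversable, hence 700 rather than 400.
install_known_hosts() {
  src=$1
  dst_dir=$2
  dst="$dst_dir/google_compute_known_hosts"
  validate_known_hosts "$src" || {
    echo "refusing to install malformed known_hosts from $src" >&2
    return 1
  }
  mkdir -p "$dst_dir"
  chmod 700 "$dst_dir"
  rm -f "$dst"            # a previous 400 copy would block the overwrite
  cp "$src" "$dst"
  chmod 400 "$dst"
}

# Fetch the pinned file from Secret Manager into a temp file that is removed
# on exit, then install it. Requires gcloud, so this is not exercised offline.
fetch_and_install() {
  tmp=$(mktemp)
  trap 'rm -f "$tmp"' EXIT INT TERM
  gcloud secrets versions access latest --secret=known-hosts > "$tmp"
  install_known_hosts "$tmp" /builder/home/.ssh
}

# The copy step itself: strict checking makes an unpinned host key a hard
# failure instead of a silent "add to known hosts". Placeholder names.
copy_images() {
  gcloud compute scp --recurse \
    --strict-host-key-checking=yes \
    --ssh-key-file=./google_compute_engine \
    --zone us-central1-a --project "projectname" \
    user@vmname:/path/to/images ./destination
}

# Offline demonstration on constructed data: a good file installs with the
# expected mode, a file containing a corrupted line is rejected.
demo() {
  work=$(mktemp -d)
  good="$work/good"
  bad="$work/bad"
  cat > "$good" <<'EOF'
# pinned VM host keys (constructed sample, not real keys)
compute.1234567890 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleExampleExampleExampleExampleExampl
compute.1234567890 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBExample=
EOF
  printf 'compute.1234567890 ssh-ed25519 AAAA\ncorrupted line\n' > "$bad"

  install_known_hosts "$good" "$work/ssh" || return 1
  mode=$(ls -l "$work/ssh/google_compute_known_hosts" | cut -c1-10)
  [ "$mode" = "-r--------" ] || return 1
  if install_known_hosts "$bad" "$work/ssh2" 2>/dev/null; then
    return 1
  fi
  rm -rf "$work"
  return 0
}
```

In the build config this would replace both the "Copy in known hosts" step and the scp step's script: call `fetch_and_install` first, then `copy_images`. Lines with `@cert-authority` or `@revoked` markers are not accepted by the validator as written; if the pinned file uses them, extend the `awk` pattern accordingly.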