Pipelines: host key verification failed while cloning private repository with docker-in-docker
Platform Notice: Cloud Only - This article only applies to Atlassian products on the cloud platform.
Summary
This document explains how to resolve the "Host key verification failed" error when cloning another private repository from Bitbucket Pipelines with docker-in-docker.
Cause
There might be a lot of scenarios where you have to clone another private repository from within a pipeline build. For instance, node or composer packages from another private repository are included in your current build, and during the build, these dependency repositories are cloned.
If your command (the one that clones the repositories) is directly present in the bitbucket-pipelines.yml file, this document doesn't apply to you. For example, the npm install command here has some dependencies to be downloaded from other private repositories:
pipelines:
  branches:
    master:
      - step:
          script:
            - npm install
If you are using the docker-in-docker feature, executing commands such as docker build or docker compose, and including commands like git clone, npm install, yarn install or composer install in your configuration as shown in the example below, you might encounter the "host key verification failed" error.
Sample bitbucket-pipelines.yml file:
image:
  name: atlassian/default-image:4
pipelines:
  branches:
    main:
      - step:
          name: Build and Test Dev
          script:
            - echo "testing"
            - docker build -t testrepo/mytest:$BITBUCKET_BUILD_NUMBER .
          services:
            - docker
Sample Dockerfile that's used in the above build:
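FROM ubuntu
# Refresh the package lists first; the base image ships without them
RUN apt-get update && apt-get install git -y
# This clone fails: the image has no known_hosts entry for bitbucket.org
RUN git clone git@bitbucket.org:myworkspace/mytestrepo.git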
If you run the above build, you might encounter a "host key verification failed" error. This is because, in Bitbucket Pipelines, we automatically add a known_hosts file entry for bitbucket.org during the build setup phase in the build container. When you run docker build or docker compose, you are using docker-in-docker (the docker service container), so the container that is spun up doesn't have bitbucket.org host key entries by default. We automatically add these host keys to known_hosts only during the build setup in your build container, not in the service containers spun up during the build.
Solution
To resolve this issue, you'll have to include a command to manually add the known_hosts file entries for bitbucket.org before the command that clones the other private repositories.
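Example: We used the docker build command in this case, so the Dockerfile would look like this:
FROM ubuntu
# Install git, plus curl, which is needed to fetch the host keys
RUN apt-get update && apt-get install git curl -y
# Fetch the bitbucket.org host keys over HTTPS and add them to known_hosts
RUN mkdir -p ~/.ssh && curl https://bitbucket.org/site/ssh >> ~/.ssh/known_hosts
RUN git clone git@bitbucket.org:myworkspace/mytestrepo.git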
The new RUN instructions fetch the host keys of bitbucket.org and add them to your docker build. docker build is used as an example in this article. Your scenario might be an npm install command inside your Dockerfile, with a package-lock.json file that has a few dependencies from other private repositories, or any other similar setup with build tools like yarn, composer, etc.
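
The curl command in the Dockerfile appends whatever the server returns, so an error page would land in known_hosts and the clone would fail with the same message. The shell function below is an added example, not part of the original article: it keeps only well-formed entries for the expected host and fails when none are present. The names filter_host_keys and sample_response and the key material are constructed for illustration, and it assumes the endpoint returns plain (unhashed) known_hosts lines.

```shell
#!/bin/sh
# Added example, not from the original article.
# filter_host_keys and sample_response are hypothetical names; the key
# material below is constructed and is NOT a real Bitbucket host key.

# filter_host_keys HOST  (reads a candidate known_hosts file on stdin)
# Prints only "HOST <key-type> <base64-key>" lines and returns non-zero
# if there are none, e.g. when the download was an HTML error page.
filter_host_keys() {
    awk -v host="$1" '
        BEGIN {
            types = "^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521))$"
            b64   = "^[A-Za-z0-9+/]+=*$"
        }
        # Exact host match, known key type, base64-looking key blob.
        $1 == host && $2 ~ types && $3 ~ b64 { print $1, $2, $3; n++ }
        END { exit (n > 0 ? 0 : 1) }
    '
}

# Constructed sample: one valid entry, one entry for another host,
# and one line of HTML such as a proxy error page would contain.
sample_response() {
    printf '%s\n' \
        'bitbucket.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKeyNotReal' \
        'other.example ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKeyNotReal' \
        '<html><body>502 Bad Gateway</body></html>'
}

# Offline demonstration: only the bitbucket.org line is printed.
sample_response | filter_host_keys bitbucket.org

# In the image build, the same filter would sit between the download and
# the append (run from a script copied into the image):
#   curl -fsS https://bitbucket.org/site/ssh \
#     | filter_host_keys bitbucket.org >> ~/.ssh/known_hosts
```

Because the function exits non-zero on an empty result, the RUN step stops at the download instead of at the later git clone, which makes the cause of the failure visible in the build log.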