我有一台带有 dockerized Consul Agent (CA) 的服务器。在此 CA 中,我想从主机运行一个脚本,该脚本在服务检查中检查剩余的磁盘空间。
为此,我在CA中创建了一项服务:
{
"service": {
"name": "disk-usage-var-re7",
"tags": [
"type:check",
"env:re7"
],
"checks": [
{
"id": "disk-usage-var-re7",
"name": "Disk Usage /var RE7",
"args": [
"sh",
"-c",
"ssh consul@hostserver 'disk_usage.sh /dev/mapper/centos-var'"
],
"interval": "5s",
"timeout": "30s"
}
]
}
}
但是,当 Consul 运行他时,我收到了这个错误:Host key verification failed.
我正在使用 Consul(Alpine)的官方 Docker 镜像,版本 1.6.1,并且在容器中执行了以下命令:
docker exec consul apk add openssh
docker exec -it consul ssh-keygen -t rsa
docker cp consul:/root/.ssh/id_rsa.pub /tmp
su consul
umask 077 && mkdir ~/.ssh
umask 077 && touch ~/.ssh/authorized_keys
cat /tmp/id_rsa.pub > /home/consul/.ssh/authorized_keys
rm -f /tmp/id_rsa.pub
当我尝试
docker exec -it consul ssh consul@hostserver 'disk_usage.sh /dev/mapper/centos-var'
第一次,SSH 询问我:
The authenticity of host 'hostserver (::1)' can't be established.
ECDSA key fingerprint is SHA256:MlsT6sDr9xXuOurqBJu4e+a8m2De3Lu4ctJSB+5RNmk.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'hostserver' (ECDSA) to the list of known hosts.
此后,脚本仍然有效。但无需 Consul 的检查。
我究竟做错了什么?
非常感谢。
答案1
好的,我发现发生了什么。容器中的默认用户是root,但启动 Consul 的用户是consul。
因此,您必须以consul指定的用户身份运行容器-u consul,并使用正确的用户使用 ssh-keygen。
现在看看正确的命令:
docker exec -it -u consul consul ssh-keygen -t rsa
docker cp consul:/home/consul/.ssh/id_rsa.pub /tmp
su consul
cat /tmp/id_rsa.pub > /home/consul/.ssh/authorized_keys
rm -f /tmp/id_rsa.pub
脚本成功运行!