2

I need my Gitlab CI to update submodules with --remote flag so that the HEAD is set to the remote's HEAD. After a bit of Googling I found that I need to set GIT_SUBMODULE_STRATEGY to none and run git submodule update --recursive --remote --init manually:

variables:
    GIT_STRATEGY: clone
    GIT_SUBMODULE_STRATEGY: none

before_script:
  - apk add git || ( apt-get update && apt-get -y install git )
  - git submodule update --recursive --remote  --init

test:build:
  services:
  - docker:dind
  image: ubuntu
  variables:
    DOCKER_HOST: tcp://docker:2375
    DOCKER_DRIVER: overlay2
  script:
  - echo "done

Unfortunately I'm getting a CI failure (names edited):

$ git submodule update --recursive --remote  --init
Submodule 'current_project_name/submodule_project_name' (ssh://git@gitlab.someserver.net:9931/someorg/submodule_project_name.git) registered for path 'current_project_name/submodule_project_name'
Cloning into '/builds/someorg/current_project_name/current_project_name/submodule_project_name'...
Host key verification failed.
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
fatal: clone of 'ssh://git@gitlab.someserver.net:9931/someorg/submodule_project_name.git' into submodule path '/builds/someorg/current_project_name/current_project_name/submodule_project_name' failed
Failed to clone 'current_project_name/submodule_project_name'. Retry scheduled
Cloning into '/builds/someorg/current_project_name/current_project_name/submodule_project_name'...
Host key verification failed.
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
fatal: clone of 'ssh://git@gitlab.someserver.net:9931/someorg/submodule_project_name.git' into submodule path '/builds/someorg/current_project_name/current_project_name/submodule_project_name' failed
Failed to clone 'current_project_name/submodule_project_name' a second time, aborting

I can see that the CI does have permissions to clone that submodule_project_name because if I set GIT_SUBMODULE_STRATEGY e.g. to recursive, CI manages to pull it (but it's not --remote, so it doesn't work the way I want). Unfortunately when my before_script tries to do it, I'm getting the error. How can I bypass it?

d33tah
  • 10,999
  • 13
  • 68
  • 158

1 Answers1

1

I mentioned before updating the ~/.ssh/.known_hosts file, as in here.

This is not needed when fetching the submodules before the script (which is not what you are doing with GIT_SUBMODULE_STRATEGY set to NONE)

With dind (Docker In Docker), consider also this thread, regarding ssh-add for private keys, and .dockerini / .dockerenv SSH directives.

The OP d33tah confirms in the comments:

I actually didn't add any key, assuming that since Gitlab CI's defaults can pull the key, I should be able to as well.
Then I found that docs say that I needed a deploy key and I added one

Yes: adding the public key on Gitlab side is mandatory.

VonC
  • 1,262,500
  • 529
  • 4,410
  • 5,250
  • Thanks. Unfortunately disabling strict host checking only changed the error to "Permission denied, please try again.". – d33tah May 31 '19 at 10:54
  • Are those private keys passphrase protected? – VonC May 31 '19 at 11:27
  • I actually didn't add any key, assuming that since Gitlab CI's defaults can pull the key, I should be able to as well. Then I found that docs say that I needed a deploy key and I added one, but couldn't re-add it to the other submodule I was using... and after some frustrating digging, I realized I don't need to re-add it, just find and enable it. So, it looks like I made a bit of (reversible) mess in the process, but the project works now. Thank you for your time! – d33tah May 31 '19 at 12:13
  • @d33tah Great! I have included your comment in the answer for more visibility. – VonC May 31 '19 at 12:16
  • sure, just wanted to double-check that CI works well before upvoting and marking as solved. Thanks for the reminder ;) – d33tah May 31 '19 at 12:51