MIDDLEWARE

在 Nginx 1.25+ 中开启 HTTP/3

对于Nginx来说，在编译时需要配置对于的SSL库，不管是HTTP3.0还是HTTP2.0，始终都要基于HTTPS，而加密算法这块主要有OpenSSL来提供，而BoringSSL是谷歌创建的OpenSSL分支，用于支持TLS1.3的UDP协议0-RTT数据传输的加密算法（可以理解成TLS 1.3是标准协议，BoringSSL是实现工具），BoringSSL的一些特性会在合适的时机同步给OpenSSl。Nginx从1.25.0开始支持QUIC和HTTP/3协议。此外，从1.25.0开始，Linux二进制包中提供了QUIC和HTTP/3支持 QUIC和HTTP/3支持是实验性的安装BoringSSL证书官方推荐了3种SSL库，参考文档https://nginx.org/en/docs/quic.html 我这里使用BoringSSL 使用 BoringSSL 编译 NGINX，需要满足以下要求： gcc 版本大于6 编译BoringSSL 需要go环境支持 cmake 3版本以上升级cmake: workon py_env #yum install ninja-build pip install -U cmake 升级gcc至8：添加源：

vi /etc/yum.repos.d/CentOS-SCLo-scl.repo
[centos-sclo-sclo]
name=CentOS-7 - SCLo sclo
baseurl=http://mirror.centos.org/centos/7/sclo/$basearch/rh/
#mirrorlist=http://mirrorlist.centos.org?arch=$basearch&release=7&repo=sclo-sclo
gpgcheck=0
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-SCLo

vi /etc/yum.repos.d/CentOS-SCLo-scl.repo

[centos-sclo-sclo]

name=CentOS-7 - SCLo sclo

baseurl=http://mirror.centos.org/centos/7/sclo/$basearch/rh/

#mirrorlist=http://mirrorlist.centos.org?arch=$basearch&release=7&repo=sclo-sclo

gpgcheck=0

enabled=1

gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-SCLo

yum install devtoolset-8 激活：source /opt/rh/devtoolset-8/enable 此时通过gcc –version命令可以看到，gcc版本已经变成8.x.x，值得注意的是这仅仅在当前bash生效，如果需要永久生效，可以请自行添加环境变量。 golang安装： wget https://golang.google.cn/dl/go1.21.4.linux-amd64.tar.gz tar -C /usr/local/ -zxvf go1.21.4.linux-amd64.tar.gz 拉取BoringSSL源码 git Read more…

By sean, 6 months11/08/2023 ago

MIDDLEWARE

nginx反向代理Harbor/配置https

使用docker-compose安装harbor，配置ssl证书后使用nginx反向代理到harbor.配置后安装docker可以直接用域名登录harbor，无需配置私有仓库 nginx配置 1.修改harbor配置文件

hostname: ycr.yyiuap.com
http:
  port: 81
external_url: https://ycr.yyiuap.com

hostname: ycr.yyiuap.com

http:

port: 81

external_url: https://ycr.yyiuap.com

2.nginx配置

upstream harbor {
    server x.x.x.246:81;
}

server {
    listen 81;
    server_name ycr.yyiuap.com;
    location / {
        proxy_pass http://harbor;
        client_max_body_size 0;
        proxy_connect_timeout 90;
        proxy_read_timeout 90;
        proxy_buffer_size 4k;
        proxy_buffers 6 32k;
        proxy_busy_buffers_size 64k;
        proxy_temp_file_write_size 64k;
    }
}


server {
    listen       443 ssl;
    listen       [::]:443;
    server_name  ycr.yyiuap.com;

    ssl_certificate /usr/local/nginx/conf/certs/ycr.yyiuap.com/ycr.yyiuap.com.cert;
    ssl_certificate_key /usr/local/nginx/conf/certs/ycr.yyiuap.com/ycr.yyiuap.com.key;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    client_max_body_size 0;

    chunked_transfer_encoding on;

    location /v2/ {
      proxy_pass http://harbor/v2/;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_buffering off;
      proxy_request_buffering off;
    }

    location / {
        proxy_pass http://harbor;
        client_max_body_size 0;
        proxy_connect_timeout 90;
        proxy_read_timeout 90;
        proxy_buffer_size 4k;
        proxy_buffers 6 32k;
        proxy_busy_buffers_size 64k;
        proxy_temp_file_write_size 64k;
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_redirect http:// $scheme://;
    }
}

upstream harbor {

server x.x.x.246:81;

}

server {

listen 81;

server_name ycr.yyiuap.com;

location / {

proxy_pass http://harbor;

client_max_body_size 0;

proxy_connect_timeout 90;

proxy_read_timeout 90;

proxy_buffer_size 4k;

proxy_buffers 6 32k;

proxy_busy_buffers_size 64k;

proxy_temp_file_write_size 64k;

}

server {

listen 443 ssl;

listen [::]:443;

server_name ycr.yyiuap.com;

ssl_certificate /usr/local/nginx/conf/certs/ycr.yyiuap.com/ycr.yyiuap.com.cert;

ssl_certificate_key /usr/local/nginx/conf/certs/ycr.yyiuap.com/ycr.yyiuap.com.key;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

ssl_prefer_server_ciphers on;

ssl_session_cache shared:SSL:10m;

client_max_body_size 0;

chunked_transfer_encoding on;

location /v2/ {

proxy_pass http://harbor/v2/;

proxy_set_header Host $host;

proxy_set_header X-Real-IP $remote_addr;

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

proxy_set_header X-Forwarded-Proto $scheme;

proxy_buffering off;

proxy_request_buffering off;

}

location / {

proxy_pass http://harbor;

client_max_body_size 0;

proxy_connect_timeout 90;

proxy_read_timeout 90;

proxy_buffer_size 4k;

proxy_buffers 6 32k;

proxy_busy_buffers_size 64k;

proxy_temp_file_write_size 64k;

proxy_set_header Host $host:$server_port;

proxy_set_header X-Forwarded-For $remote_addr;

proxy_set_header X-Real-IP $remote_addr;

proxy_set_header X-Forwarded-Proto $scheme;

proxy_redirect http:// $scheme://;

}

另：创建证书脚本：

#!/bin/bash

registry_url="ycr.yyiuap.com"


# 生成使用的相关证书
openssl genrsa -out ca.key 4096

openssl req -x509 -new -nodes -sha512 -days 3650 \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=$registry_url" \
    -key ca.key \
    -out ca.crt

openssl genrsa -out $registry_url.key 4096

openssl req -sha512 -new \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=$registry_url" \
    -key $registry_url.key \
    -out $registry_url.csr

cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1=$registry_url
DNS.2=reg.yyuap
DNS.3=`hostname`
EOF

openssl x509 -req -sha512 -days 3650 \
    -extfile v3.ext \
    -CA ca.crt -CAkey ca.key -CAcreateserial \
    -in $registry_url.csr \
    -out $registry_url.crt

openssl x509 -inform PEM -in $registry_url.crt -out $registry_url.cert

mkdir -p /etc/docker/certs.d/$registry_url/

cp $registry_url.cert /etc/docker/certs.d/$registry_url/
cp $registry_url.key /etc/docker/certs.d/$registry_url/
cp ca.crt /etc/docker/certs.d/$registry_url/

#将证书加入系统级别信任
cp /etc/docker/certs.d/ca.crt /etc/pki/ca-trust/source/anchors/
update-ca-trust extract
systemctl daemon-reload && systemctl restart docker

#!/bin/bash

registry_url="ycr.yyiuap.com"

# 生成使用的相关证书

openssl genrsa -out ca.key 4096

openssl req -x509 -new -nodes -sha512 -days 3650 \

-subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=$registry_url" \

-key ca.key \

-out ca.crt

openssl genrsa -out $registry_url.key 4096

openssl req -sha512 -new \

-subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=$registry_url" \

-key $registry_url.key \

-out $registry_url.csr

cat > v3.ext <<-EOF

authorityKeyIdentifier=keyid,issuer

basicConstraints=CA:FALSE

keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment

extendedKeyUsage = serverAuth

subjectAltName = @alt_names

[alt_names]

DNS.1=$registry_url

DNS.2=reg.yyuap

DNS.3=`hostname`

EOF

openssl x509 -req -sha512 -days 3650 \

-extfile v3.ext \

-CA ca.crt -CAkey ca.key -CAcreateserial \

-in $registry_url.csr \

-out $registry_url.crt

openssl x509 -inform PEM -in $registry_url.crt -out $registry_url.cert

mkdir -p /etc/docker/certs.d/$registry_url/

cp $registry_url.cert /etc/docker/certs.d/$registry_url/

cp $registry_url.key /etc/docker/certs.d/$registry_url/

cp ca.crt /etc/docker/certs.d/$registry_url/

#将证书加入系统级别信任

cp /etc/docker/certs.d/ca.crt /etc/pki/ca-trust/source/anchors/

update-ca-trust extract

systemctl daemon-reload && systemctl restart docker

问题： docker pull ycr.yyiuap.com/base/golang:alphine-node-3 Error response from daemon: received unexpected HTTP status: 503 Service Unavailable 解决：去掉 http_proxy代理即可参考：https://blog.csdn.net/oscarun/article/details/121395218 1、request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)错误： [root@iZrj9j76z8dlull9vqa4tqZ ~]# docker pull harbor.xxx.cn:443/1-1/mytomcat:8.5.52 Error response from Read more…

By sean, 11 months06/09/2023 ago

MIDDLEWARE

Jenkins迁移

以前的Jenkins是通过docker容器跑的：

/usr/bin/docker run \
  --network host \
  --restart=on-failure:5 \
  --name=jenkins \
  -u=root \
  -v /ali-nas/data/jenkins:/var/jenkins_home \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v /usr/bin/docker:/usr/bin/docker \
  -v /usr/libexec/docker/cli-plugins:/usr/libexec/docker/cli-plugins \
  -v /root/.docker/buildx:/root/.docker/buildx \
  -v /usr/local/maven:/usr/local/maven \
  -v /lib64/:/lib64/ \
  -e PATH=/usr/local/maven/bin:/opt/java/openjdk/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:$PATH \
  jenkins/jenkins:alpine

/usr/bin/docker run \

--network host \

--restart=on-failure:5 \

--name=jenkins \

-u=root \

-v /ali-nas/data/jenkins:/var/jenkins_home \

-v /var/run/docker.sock:/var/run/docker.sock \

-v /usr/bin/docker:/usr/bin/docker \

-v /usr/libexec/docker/cli-plugins:/usr/libexec/docker/cli-plugins \

-v /root/.docker/buildx:/root/.docker/buildx \

-v /usr/local/maven:/usr/local/maven \

-v /lib64/:/lib64/ \

-e PATH=/usr/local/maven/bin:/opt/java/openjdk/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:$PATH \

jenkins/jenkins:alpine

此方法有一些不便，想迁移到tomcat原生方式运行首先下载安装包：

wget https://dlcdn.apache.org/tomcat/tomcat-9/v9.0.75/bin/apache-tomcat-9.0.75.tar.gz
wget https://get.jenkins.io/war-stable/2.401.1/jenkins.war

1 2	wget https://dlcdn.apache.org/tomcat/tomcat-9/v9.0.75/bin/apache-tomcat-9.0.75.tar.gz wget https://get.jenkins.io/war-stable/2.401.1/jenkins.war

将tomcat解压后，将jenkins.war放到webapps目录启动tomcat，打开页面报错404，查看localhost.log日志： java.lang.UnsupportedClassVersionError 原因是2.361.1以上版本的jenkins要求java11或java17，而本机为java8，而jenkins的2.401要求java11以后下载JDK:

wget https://download.java.net/java/GA/jdk11/9/GPL/openjdk-11.0.2_linux-x64_bin.tar.gz

1	wget https://download.java.net/java/GA/jdk11/9/GPL/openjdk-11.0.2_linux-x64_bin.tar.gz

创建启动文件：

cat /usr/lib/systemd/system/jenkins.service
[Unit]
Discription=tomcat server
After=network.target

[Service]
#User=tomcat
#Group=tomcat
WorkingDirectory=/data/jenkins/tomcat9
Environment="JAVA_HOME=/data/jenkins/jdk-11.0.2"
Environment="JENKINS_HOME=/data/jenkins/tomcat9/webapps"
Environment="JAVA_OPTS=-Djava.security.egd=file:///dev/urandom"
Environment="CATALINA_BASE=/data/jenkins/tomcat9"
Environment="CATALINA_HOME=/data/jenkins/tomcat9"
Environment="CATALINA_OPTS=-Xms1024M -Xmx10240M -server -XX:+UseParallelGC"
Type=forking
ExecStart=/data/jenkins/tomcat9/bin/startup.sh
ExecStop=/data/jenkins/tomcat9/bin/shutdown.sh
Restart=always

[Install]
WantedBy=multi-user.target

cat /usr/lib/systemd/system/jenkins.service

[Unit]

Discription=tomcat server

After=network.target

[Service]

#User=tomcat

#Group=tomcat

WorkingDirectory=/data/jenkins/tomcat9

Environment="JAVA_HOME=/data/jenkins/jdk-11.0.2"

Environment="JENKINS_HOME=/data/jenkins/tomcat9/webapps"

Environment="JAVA_OPTS=-Djava.security.egd=file:///dev/urandom"

Environment="CATALINA_BASE=/data/jenkins/tomcat9"

Environment="CATALINA_HOME=/data/jenkins/tomcat9"

Environment="CATALINA_OPTS=-Xms1024M -Xmx10240M -server -XX:+UseParallelGC"

Type=forking

ExecStart=/data/jenkins/tomcat9/bin/startup.sh

ExecStop=/data/jenkins/tomcat9/bin/shutdown.sh

Restart=always

[Install]

WantedBy=multi-user.target

在准备好必要的环境后，jenkins的迁移需要将jenkins主目录原有数据拷贝到新的机器或者新目录下，主要包含config.xml文件以及jobs、users、workspace、plugins四个目录，然后重启jenkins即可

cd /data/jenkins/tomcat9/webapps
\cp -r /ali-nas/data/jenkins/jobs/* .
\cp -r /ali-nas/data/jenkins/config.xml .
\cp -r /ali-nas/data/jenkins/users/* users/
\cp -r /ali-nas/data/jenkins/workspace .
\cp -r /ali-nas/data/jenkins/plugins/* plugins/

cd /data/jenkins/tomcat9/webapps

\cp -r /ali-nas/data/jenkins/jobs/* .

\cp -r /ali-nas/data/jenkins/config.xml .

\cp -r /ali-nas/data/jenkins/users/* users/

\cp -r /ali-nas/data/jenkins/workspace .

\cp -r /ali-nas/data/jenkins/plugins/* plugins/

By sean, 11 months06/06/2023 ago

MIDDLEWARE

nginx问题解决

nginx转发post请求静态页面405 背景:用户支付成功后的回调是个静态页面。由于from表单连续提交是post方式，所以会报405 not allowed 错误。常识:使用post方式请求js、html这样的静态文件一般的web服务器都会返回405 Method Not Allowed。因为默认情况下，nginx、apache、IIs等web服务无法响应静态页面的post请求，后端用来处理post请求，生产环境中不会有此问题（一般都不允许配置静态页面的post请求）问题:为什么默认不支持静态页面post请求呢？首先了解一下post请求方法，post请求一般用于提交表单或上传文件，post请求会导致新资源的建立或旧资源的更改。就安全方面来说（排除url地址的透明性），它对比get请求会有更改资源的情况，有些静态资源是不允许更改的，所以默认情况下web服务器上的静态资源都不允许发起post请求。网上说的有很多种，重新编译nginx，设置正则匹配可以访问html文件类啊什么的，都不好用，而且基本都是你抄我我抄你，没有实际应用过。乱糟糟，最后本人用下面这种方式解决了问题。

upstream domain_uau {
  server 192.168.6.202:5555 weight=5;
}
server {
    listen              80;
    server_name         dev-app-server.sinoif.com;
    access_log  /var/www/logs/nginx/dev-app-server.sinoif-access.log;
    location / {
        proxy_set_header Host $host;
        proxy_set_header  X-Real-IP        $remote_addr;
        proxy_set_header  X-Forwarded-For  $proxy_add_x_forwarded_for;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://domain_uau/;
        add_header Cache-Control "no-cache, no-store";#不生成缓存
        error_page 405 =200 @fullfuck;
        proxy_intercept_errors on;
    }
    location @fullfuck {
        proxy_method GET;
        proxy_pass http://192.168.6.202:5555;
    }
 
}
#error_page 405 =200 @fullfuck 或者 error_page 405 = @fullfuck; 2种写法都可以 
#proxy_intercept_errors当上游服务器响应头回来后，可以根据响应状态码的值进行拦截错误处理，与error_page 指令相互结合。用在访问上游服务器出现错误的情况下，这个参数一定要带上并且开启on，否则下边不生效
@:定义命名location区段，这些区段客户段不能访问，只可以由内部产生的请
求来访问，如try_files或error_page等
逻辑就是如果post请求返回了405错误，那么定义405区段请求为GET方式，注意 error_page 要写在location里，而不是server里否则不生效

upstream domain_uau {

server 192.168.6.202:5555 weight=5;

}

server {

listen 80;

server_name dev-app-server.sinoif.com;

access_log /var/www/logs/nginx/dev-app-server.sinoif-access.log;

location / {

proxy_set_header Host $host;

proxy_set_header X-Real-IP $remote_addr;

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

proxy_set_header X-NginX-Proxy true;

proxy_pass http://domain_uau/;

add_header Cache-Control "no-cache, no-store";#不生成缓存

error_page 405 =200 @fullfuck;

proxy_intercept_errors on;

}

location @fullfuck {

proxy_method GET;

proxy_pass http://192.168.6.202:5555;

}

#error_page 405 =200 @fullfuck 或者 error_page 405 = @fullfuck; 2种写法都可以

#proxy_intercept_errors当上游服务器响应头回来后，可以根据响应状态码的值进行拦截错误处理，与error_page 指令相互结合。用在访问上游服务器出现错误的情况下，这个参数一定要带上并且开启on，否则下边不生效

@:定义命名location区段，这些区段客户段不能访问，只可以由内部产生的请

求来访问，如try_files或error_page等

逻辑就是如果post请求返回了405错误，那么定义405区段请求为GET方式，注意 error_page 要写在location里，而不是server里否则不生效

Nginx配置跨域请求 Access-Control-Allow-Origin * 当出现403跨域错误的时候 No ‘Access-Control-Allow-Origin’ header is present on the requested resource，需要给Nginx服务器配置响应的header参数：一、解决方案只需要在Nginx的配置文件中配置以下参数：

location / {  
    add_header Access-Control-Allow-Origin *;
    add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS';
    add_header Access-Control-Allow-Headers 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization';

    if ($request_method = 'OPTIONS') {
        return 204;
    }
}

location / {

add_header Access-Control-Allow-Origin *;

add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS';

add_header Access-Control-Allow-Headers 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization';

if ($request_method = 'OPTIONS') {

return 204;

}

二、解释 1. Access-Control-Allow-Origin

服务器默认是不被允许跨域的。给Nginx服务器配置`Access-Control-Allow-Origin *`后，表示服务器可以接受所有的请求源（Origin）,即接受所有跨域的请求。

1	服务器默认是不被允许跨域的。给Nginx服务器配置`Access-Control-Allow-Origin *`后，表示服务器可以接受所有的请求源（Origin）,即接受所有跨域的请求。

2. Access-Control-Allow-Headers 是为了防止出现以下错误： Request header field Content-Type is not allowed by Access-Control-Allow-Headers in preflight response. 这个错误表示当前请求Content-Type的值不被支持。其实是我们发起了”application/json”的类型请求导致的。这里涉及到一个概念：预检请求（preflight request）,请看下面”预检请求”的介绍。 3. Access-Control-Allow-Methods 是为了防止出现以下错误： Content-Type Read more…

By sean, 1 year03/23/2023 ago

MIDDLEWARE

Jenkinsfile配置submodule

最近在搞Jenkinsfile进行项目自动构建，有一个项目配置了远程子模块依赖，遇到了很多问题，如下是尝试的步骤： 1, 利用checkbox

    stages {
        stage('拉取代码'){
            steps {
                  checkout([
                    $class: 'GitSCM', 
                    branches: [[name: "${params.xxx_branch}"]], 
                    doGenerateSubmoduleConfigurations: false, 
                    extensions: [[
                      $class: 'SubmoduleOption',
                      disableSubmodules: false,
                      parentCredentials: true,
                      recursiveSubmodules: true,
                      reference: '',
                      trackingSubmodules: false
                  ]],
                    submoduleCfg: [], 
                    userRemoteConfigs: [[credentialsId: "${git_auth}", url: "${xxx_git_address}"]]
                  ])
            }
        }

stages {

stage('拉取代码'){

steps {

checkout([

$class: 'GitSCM',

branches: [[name: "${params.xxx_branch}"]],

doGenerateSubmoduleConfigurations: false,

extensions: [[

$class: 'SubmoduleOption',

disableSubmodules: false,

parentCredentials: true,

recursiveSubmodules: true,

reference: '',

trackingSubmodules: false

]],

submoduleCfg: [],

userRemoteConfigs: [[credentialsId: "${git_auth}", url: "${xxx_git_address}"]]

])

}

报错：

Caused: java.io.IOException: Could not perform submodule update

1	Caused: java.io.IOException: Could not perform submodule update

2. 尝试配置公钥认证

stage('构建'){
  steps {
      container (JOB_NAME) {
        withCredentials([
          sshUserPrivateKey(credentialsId: 'jenkins_server_pri_key', keyFileVariable: 'SSH_KEY')
          ]) {
          sh 'GIT_SSH_COMMAND="ssh -i $SSH_KEY" git submodule update --init --recursive'

stage('构建'){

steps {

container (JOB_NAME) {

withCredentials([

sshUserPrivateKey(credentialsId: 'jenkins_server_pri_key', keyFileVariable: 'SSH_KEY')

]) {

sh 'GIT_SSH_COMMAND="ssh -i $SSH_KEY" git submodule update --init --recursive'

报错：

+ GIT_SSH_COMMAND=ssh -i **** git submodule update --init --recursive
fatal: detected dubious ownership in repository at '/home/jenkins/agent/workspace/xxx-nginx-downloads'
To add an exception for this directory, call:

	git config --global --add safe.directory /home/jenkins/agent/workspace/xxx-nginx-downloads

+ GIT_SSH_COMMAND=ssh -i **** git submodule update --init --recursive

fatal: detected dubious ownership in repository at '/home/jenkins/agent/workspace/xxx-nginx-downloads'

To add an exception for this directory, call:

git config --global --add safe.directory /home/jenkins/agent/workspace/xxx-nginx-downloads

需要增加 git config –global –add safe.directory ${WORKSPACE} 报错：

+ GIT_SSH_COMMAND='ssh -i ****'
+ git config --global --add safe.directory /home/jenkins/agent/workspace/plugin-xxx-cluster-nginx-downloads
+ git submodule update --init --recursive
Submodule 'xx-plugin' (http://git.xxx.com/xxx/xxx-plugin) registered for path 'xxx-plugin'
Submodule 'xxx-downloader' (http://git.xxx.com/xxx/xxx-downloader.git) registered for path 'xxx-downloader'
Cloning into '/home/jenkins/agent/workspace/plugin-xxx-cluster-nginx-downloads/xxx-plugin'...
fatal: could not read Username for 'http://git.xxx.com': No such device or address
fatal: clone of 'http://git.xxx.com/iUAP_gPaaS/xxx-plugin' into submodule path '/home/jenkins/agent/workspace/plugin-xxx-cluster-nginx-downloads/xxx-plugin' failed
Failed to clone 'xxx-plugin'. Retry scheduled

+ GIT_SSH_COMMAND='ssh -i ****'

+ git config --global --add safe.directory /home/jenkins/agent/workspace/plugin-xxx-cluster-nginx-downloads

+ git submodule update --init --recursive

Submodule 'xx-plugin' (http://git.xxx.com/xxx/xxx-plugin) registered for path 'xxx-plugin'

Submodule 'xxx-downloader' (http://git.xxx.com/xxx/xxx-downloader.git) registered for path 'xxx-downloader'

Cloning into '/home/jenkins/agent/workspace/plugin-xxx-cluster-nginx-downloads/xxx-plugin'...

fatal: could not read Username for 'http://git.xxx.com': No such device or address

fatal: clone of 'http://git.xxx.com/iUAP_gPaaS/xxx-plugin' into submodule path '/home/jenkins/agent/workspace/plugin-xxx-cluster-nginx-downloads/xxx-plugin' failed

Failed to clone 'xxx-plugin'. Retry scheduled

3. 重新添加覆盖 .gitmodules

stage('构建'){
  steps {
      container (JOB_NAME) {
        withCredentials([
          usernamePassword(credentialsId: "${git_auth}", passwordVariable: 'git_password', usernameVariable: 'git_username'),
          ]) {
          sh '''#!/bin/bash
            set -ex
            git config --global --add safe.directory ${WORKSPACE}
            git submodule add -f http://$git_username:$git_password@git.xxx.com/xxx/xxx-plugin xxx-plugin || true
            git submodule add -f http://$git_username:$git_password@git.xxx.com/xxx/api-station.git api-station || true
            git submodule add -f http://$git_username:$git_password@git.xxx.com/xxx/xxx-downloader.git xxx-downloader || true
            cat .gitmodules
            git submodule update --init --recursive

stage('构建'){

steps {

container (JOB_NAME) {

withCredentials([

usernamePassword(credentialsId: "${git_auth}", passwordVariable: 'git_password', usernameVariable: 'git_username'),

]) {

sh '''#!/bin/bash

set -ex

git config --global --add safe.directory ${WORKSPACE}

git submodule add -f http://$git_username:$git_password@git.xxx.com/xxx/xxx-plugin xxx-plugin || true

git submodule add -f http://$git_username:$git_password@git.xxx.com/xxx/api-station.git api-station || true

git submodule add -f http://$git_username:$git_password@git.xxx.com/xxx/xxx-downloader.git xxx-downloader || true

cat .gitmodules

git submodule update --init --recursive

报错： fatal: could not read Username for ‘http://git.xxx.com‘: No such device or address 4. 修改.gitmodules 下面是原来的

$ cat .gitmodules
[submodule "xxx-plugin"]
        path = xxx-plugin
        url = http://git.xxx.com/xxx/xxx-plugin
[submodule "api-station"]
        path = api-station
        url = http://git.xxx.com/xxx/api-station.git
[submodule "xxx-downloader"]
        path = xxx-downloader
        url = http://git.xxx.com/xxx/xxx-downloader.git

$ cat .gitmodules

[submodule "xxx-plugin"]

path = xxx-plugin

url = http://git.xxx.com/xxx/xxx-plugin

[submodule "api-station"]

path = api-station

url = http://git.xxx.com/xxx/api-station.git

[submodule "xxx-downloader"]

path = xxx-downloader

url = http://git.xxx.com/xxx/xxx-downloader.git

通过sed进行修改

stage('构建'){
      steps {
          container (JOB_NAME) {
            withCredentials([
              usernamePassword(credentialsId: "${git_auth}", passwordVariable: 'git_password', usernameVariable: 'git_username'),
              usernamePassword(credentialsId: "${webmin_auth}", passwordVariable: 'webmin_password', usernameVariable: 'webmin_username')
              ]) {
              sh '''#!/bin/bash
                set -ex
                git config --global --add safe.directory ${WORKSPACE}
                git config --global --add safe.directory ${WORKSPACE}/xxx-plugin
                git config --global --add safe.directory ${WORKSPACE}/api-station
                git config --global --add safe.directory ${WORKSPACE}/xxx-downloader
                sed -i -E "s/(^\\s*.url = http:\\/\\/)(.*)$/\\1$git_username:$git_password@\\2/g" .gitmodules
                cat .gitmodules
                git submodule update --init --recursive

stage('构建'){

steps {

container (JOB_NAME) {

withCredentials([

usernamePassword(credentialsId: "${git_auth}", passwordVariable: 'git_password', usernameVariable: 'git_username'),

usernamePassword(credentialsId: "${webmin_auth}", passwordVariable: 'webmin_password', usernameVariable: 'webmin_username')

]) {

sh '''#!/bin/bash

set -ex

git config --global --add safe.directory ${WORKSPACE}

git config --global --add safe.directory ${WORKSPACE}/xxx-plugin

git config --global --add safe.directory ${WORKSPACE}/api-station

git config --global --add safe.directory ${WORKSPACE}/xxx-downloader

sed -i -E "s/(^\\s*.url = http:\\/\\/)(.*)$/\\1$git_username:$git_password@\\2/g" .gitmodules

cat .gitmodules

git submodule update --init --recursive

最后拉取成功。有时间再细细研究原因

By sean, 1 year02/21/2023 ago