
Most of the repositories of my private projects are hosted on a private repository on gitlab.com (the hosted solution, not a privately hosted gitlab server). The sites are hosted on a digitalocean VPS.

I want to use gitlab CI to have every commit on the develop branch automatically deployed on the test server. Since I already have a clone of the repository on this test server, the easiest way to automatically deploy seems to be to have gitlab-ci connect to the ssh server and trigger a git pull.

The gitlab-ci.yml I have now (ssh before_script copied from http://docs.gitlab.com/ce/ci/ssh_keys/README.html).

deploy to test:
  environment: test
  only:
  - develop
  before_script:
    # Install ssh-agent if not already installed, it is required by Docker.
    # (change apt-get to yum if you use a CentOS-based image)
    - 'which ssh-agent || ( apt-get update -y && apt-get install openssh-client -y )'
    # Run ssh-agent (inside the build environment)
    - eval $(ssh-agent -s)

    # add ssh key stored in SSH_PRIVATE_KEY variable to the agent store
    - ssh-add <(echo "$SSH_PRIVATE_KEY")

    # disable host key checking (NOTE: makes you susceptible to man-in-the-middle attacks)
    # WARNING: use only in docker container, if you use it with shell you will overwrite your user's ssh config
    - mkdir -p ~/.ssh
    - echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config

  script:
     # Try and connect to the test server
    - ssh [myname]@[mydomain.com] "cd /var/www/test.[projectname].com/ && git pull"

The result of a commit on develop in the gitlab pipelines:

$ ssh [myname]@[mydomain.com] "cd /var/www/test.[projectname].com/ && git pull"
Warning: Permanently added '[mydomain.com],[255.255.255.255]' (ECDSA) to the list of known hosts.

Permission denied, please try again.

Permission denied, please try again.

Permission denied (publickey,password).

ERROR: Build failed: exit code 1

I have the private key of my local user on my laptop added to the SSH_PRIVATE_KEY variable on gitlab. The private key should work since I can connect to the server from my laptop without providing a password.

Does anyone have this working? How can the gitlab.com worker connect to the ssh server?

  • Hi @vityrus, did you manage to connect using ssh and perform a command on the distant host? Commented May 28, 2017 at 8:39
  • I understand this is a 2 year old question, but for reference to an accepted answer to a similar question on ssh in GitLab CI - link Commented May 14, 2019 at 4:50
  • I am having similar issue stackoverflow.com/questions/57290734/… Commented Aug 3, 2019 at 11:20

1 Answer

AFAIK, you can't do this:

# add ssh key stored in SSH_PRIVATE_KEY variable to the agent store
- ssh-add <(echo "$SSH_PRIVATE_KEY")

The ssh-agent is not getting the key context, nor the FD. You should store the key in some temporary file and then add it to the agent (and potentially remove the file, if it is not needed anymore):

# add ssh key stored in SSH_PRIVATE_KEY variable to the agent store
- echo "$SSH_PRIVATE_KEY" > key
- chmod 600 key
- ssh-add key
- rm key

7 Comments

Thanks for your suggestion Jakuje! First time I tried your actual code: ` @ WARNING: UNPROTECTED PRIVATE KEY FILE! @ Permissions 0644 for 'key' are too open. It is recommended that your private key files are NOT accessible by others. This private key will be ignored. `
Then you probably need to make sure it has proper permissions (chmod 600 key after the writing).
I also did that (sorry, having trouble with the comments, posting code does not have multi line code). It gave exactly the same output as my original attempt: Permission denied, please try again. x 2
Then the key is probably wrong. What does it look like? Can you get verbose logs using -vvv switches to ssh? What is the output of other commands than ssh?
$ chmod 600 key $ cat key -----BEGIN RSA PRIVATE KEY----- MIIEowIBAAKCAQEAsGA79Fa.... Some way I can share the entire output (incl -vvv) with you? Pastebin? I saw one strange thing there... it is looking for: ` /root/.ssh/config` while I never refer to 'root'.
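
A hardened variant of the key-loading steps discussed in the answer and comments, as an added example that is not part of the original thread: it writes the key to a file that is private from creation, prints the derived public key for comparison with the server's `authorized_keys`, and pins the host key instead of setting `StrictHostKeyChecking no`. `SSH_KNOWN_HOSTS` and the function names are assumptions; the script overwrites `~/.ssh/config`, so it is meant for a disposable CI container.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. SSH_KNOWN_HOSTS is an assumed
# CI variable holding the test server's host key line(s).

# Write key material to a private temp file and print the file's path.
write_private_key() {
  local key_material=$1 key_file
  [ -n "$key_material" ] || { echo "key variable is empty" >&2; return 1; }
  # mktemp under umask 077: the file is never readable by other users.
  key_file=$(umask 077 && mktemp) || return 1
  # Drop carriage returns picked up when pasting into a web form.
  printf '%s\n' "$key_material" | tr -d '\r' > "$key_file"
  # Accept only PEM/OpenSSH private key headers.
  if ! head -n 1 "$key_file" |
      grep -Eq '^-----BEGIN ([A-Z0-9]+ )?PRIVATE KEY-----$'; then
    rm -f "$key_file"; echo "not a private key" >&2; return 1
  fi
  printf '%s\n' "$key_file"
}

# Install pinned host keys and keep strict host key checking on.
pin_host_keys() {
  local known_hosts=$1 ssh_dir=${2:-$HOME/.ssh}
  [ -n "$known_hosts" ] || { echo "no pinned host keys" >&2; return 1; }
  mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
  printf '%s\n' "$known_hosts" | tr -d '\r' > "$ssh_dir/known_hosts"
  printf 'Host *\n\tStrictHostKeyChecking yes\n' > "$ssh_dir/config"
  chmod 600 "$ssh_dir/known_hosts" "$ssh_dir/config"
}

# Load the key into the running ssh-agent, then delete the temp file.
load_deploy_key() {
  local key_file rc
  key_file=$(write_private_key "$1") || return 1
  # Print the derived public key; it must match the server's authorized_keys.
  ssh-keygen -y -f "$key_file" < /dev/null || { rm -f "$key_file"; return 1; }
  ssh-add "$key_file"; rc=$?
  rm -f "$key_file"
  return "$rc"
}

# Runs only when the CI variable is set, after ssh-agent has been started.
if [ -n "${SSH_PRIVATE_KEY:-}" ]; then
  pin_host_keys "${SSH_KNOWN_HOSTS:-}" && load_deploy_key "$SSH_PRIVATE_KEY"
fi
```

The host key line for `SSH_KNOWN_HOSTS` should be taken from a trusted machine that already knows the server, not collected from inside the CI job.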