Develop Reference

GitLab CI - Restart service on remote host

I have a GitLab pipeline that deploy a site and need to restart fpm service.
stages:
- deploy
Deploy:
image: gotechnies/alpine-ssh
stage: deploy
before_script:
- eval $(ssh-agent -s)
- ssh-add <(echo "$SSH_PRIVATE_KEY")
- mkdir -p ~/.ssh
- '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config'
script:
# other steps
- ssh forge#$SERVER_IP -o "SendEnv=FORGE_PHP_FPM" -o "SendEnv=FORGE_SUDO_PWD" 'bash -O extglob -c "(flock -w 10 9 || exit 1\n echo 'Restarting FPM...'; echo "$FORGE_SUDO_PWD" | sudo -S service $FORGE_PHP_FPM reload) 9>/tmp/fpmlock"'
variables:
FORGE_PHP_FPM: php8.1-fpm
FORGE_SUDO_PWD: $PRODUCTION_SUDO_PWD
only:
- master
$PRODUCTION_SUDO_PWD is added on gitlab variables and marked as protected.
My problem is with this line:
- ssh forge#$SERVER_IP -o "SendEnv=FORGE_PHP_FPM" -o "SendEnv=FORGE_SUDO_PWD" 'bash -O extglob -c "(flock -w 10 9 || exit 1\n echo 'Restarting FPM...'; echo "$FORGE_SUDO_PWD" | sudo -S service $FORGE_PHP_FPM reload) 9>/tmp/fpmlock"'
I want to restart php8.1-fpm service but each time I run the pipeline I get:
[sudo] password for forge: Sorry, try again.
[sudo] password for forge:
sudo: no password was provided
sudo: 1 incorrect password attempt
Cleaning up project directory and file based variables
00:00
ERROR: Job failed: exit code 1
As far as I know the SendEnv should pass the value of the variable and if I remove the bash command and just add echo $FORGE_SUDO_PWD it print the value.
What am I missing?

Unable to create ~/.ssh file using .gitlab-ci.yml

The following code was from my deploy stage in my .gitlab-ci.yml file.
deploy_website:
stage: deploy
artifacts:
paths:
- public
before_script:
- "command -v ssh-agent >/dev/null || ( apk add --update openssh )"
- eval $(ssh-agent -s)
- echo "$SSH_PRIVATE_KEY" | tr -d '\r' | ssh-add -
- mkdir -p ~/.ssh
- chmod 700 ~/.ssh
- pwd && ls
- ssh-keyscan $VM_IPADDRESS >> ~/.ssh/known_hosts
- chmod 644 ~/.ssh/known_hosts
script:
# - apk add bash
# - ls deploy
# - bash ./deploy/deploy.sh
- ssh $SSH_USER#$VM_IPADDRESS "hostname && echo 'Welcome!!!' > welcome.txt"
This line "ssh-keyscan $VM_IPADDRESS >> ~/.ssh/known_hosts" failed to run when I execute my pipeline. Please help :(

You can start and echo $VM_IPADDRESS to check if the IP variable is properly instanciated.
"failed to run"
Then it depends on the error message (or if the commands simply froze).
Before the keyscan, you can test if the network route is reachable from your GitLab-CI runnner with:
curl -v telnet://$VM_IPADDRESS:22
If it does not connect immediately, that would explain why the ssh-keyscan fails.

Gitlab-ci alpine image : Host key verification failed

In gitlab I build my job with a maven image, then copy the jar to the ssh server -> it works fine.
For a php project, I try to use alpine image. But I get rejected with 'Host key verification failed'.
The server and the key are the same.
Not working:
image: alpine:latest
stages:
- deploy
deploy:
before_script:
- apk add --update openssh-client bash
- eval $(ssh-agent -s)
- bash -c 'ssh-add <(echo "$SSH_PRIVATE_KEY")'
stage: deploy
script:
- ssh root#devsb01 "ls"
Working:
image: maven:3.6.0-jdk-10-slim
stages:
- deploy
deploy:
before_script:
- 'which ssh-agent || ( apt-get update -y && apt-get install openssh-client -y )'
- eval $(ssh-agent -s)
- ssh-add <(echo "$SSH_PRIVATE_KEY")
- '[[ -f /.dockerenv ]] && mkdir -p ~/.ssh && echo "$KNOWN_HOST" > ~/.ssh/known_hosts'
- mkdir -p ~/.ssh
- '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config'
stage: deploy
script:
- ssh root#devsb01 "ls"
I think this has to do with the way the ssh key is add.

try adding theses two lines:
- mkdir ~/.ssh
- ssh-keyscan -t rsa devsb01 >> ~/.ssh/known_hosts
It works for me!
Your file will look like that:
image: alpine:latest
stages:
- deploy
deploy:
before_script:
- apk add --update openssh-client bash
- eval $(ssh-agent -s)
- bash -c 'ssh-add <(echo "$SSH_PRIVATE_KEY")'
- mkdir ~/.ssh
- ssh-keyscan -t rsa devsb01 >> ~/.ssh/known_hosts
stage: deploy
script:
- ssh root#devsb01 "ls"

Gitlab - failed to authenticate remote server for CI and CD build

I am getting "Enter passphrase for /dev/fd/63" error when my ".gitlab-ci.yml" tries to remote to my Ubuntu server for executing SSH commands.
I have created a new variable called "STAGING_PRIVATE_KEY" and the value is the private key that I personally use to SSH to the server, but providing the same key to ".gitlab-ci.yml" fails to authenticate.
Below is my yml file:
deploy_staging:
stage: deploy
before_script:
- 'which ssh-agent || ( apt-get update -y && apt-get install openssh-client -y )'
- mkdir -p ~/.ssh
- eval $(ssh-agent -s)
- '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config'
script:
- ssh-add <(echo "$STAGING_PRIVATE_KEY" | base64 --decode)
- cd test
- git pull
- echo "deployed to staging server"
environment:
name: staging
url: MY SERVER

I use the below snippet to ssh using .gitlab-ci.yml job, STAGING_SSH_KEY is stored as a variable under Settings -> CI/CD -> Variables
variables:
GIT_SSL_NO_VERIFY: "true"
image: someimage:latest #replace with any valid image which has ssh installed
before_script:
- mkdir -p ~/.ssh
- echo -e "$STAGING_SSH_KEY" > ~/.ssh/id_rsa
- chmod 600 ~/.ssh/id_rsa
- '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config'
stages:
- deploy
deploy_STAGING_job:
stage: deploy
script:
- echo "ssh into the below random IP"
- ssh myuser#10.200.200.200"
echo "Login using ssh to remote instance"
"

Since openssh is package with Git for Windows, try and use an opeenssh key (generated with ssh-keygen), without (for now) a passphrase (to avoid needing an ssh-agent)
Register your openssh public key (default id_rsa.pub) on the AWS side.
As in, for instance, "Importing Your Own Public Key to Amazon EC2".

SSH example does not work with docker:git / dind image

I'm reading the documentation: https://gitlab.ida.liu.se/help/ci/ssh_keys/README.md
I'm using the current gitlab-ci.yml:
image: docker:git
services:
- docker:dind
stages:
- node_test
- docker_one
variables:
DOCKER_DRIVER: overlay
before_script:
# Install ssh-agent if not already installed, it is required by Docker.
# (change apt-get to yum if you use a CentOS-based image)
- 'which ssh-agent || ( apt-get update -y && apt-get install openssh-client -y )'
# Run ssh-agent (inside the build environment)
- eval $(ssh-agent -s)
# Add the SSH key stored in SSH_PRIVATE_KEY variable to the agent store
- ssh-add <(echo "$SSH_PRIVATE_KEY")
# For Docker builds disable host key checking. Be aware that by adding that
# you are suspectible to man-in-the-middle attacks.
# WARNING: Use this only with the Docker executor, if you use it with shell
# you will overwrite your user's SSH config.
- mkdir -p ~/.ssh
- ssh-keyscan -H 'gitlab.com' >> ~/.ssh/known_hosts
- ssh-keyscan gitlab.com | sort -u - ~/.ssh/known_hosts -o ~/.ssh/known_hosts
- '[[ -f /.dockerinit ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config'
node_test:
image: node:7.3.0
stage: node_test
script:
- ls
docker_one:
stage: docker_one
script:
- docker info
node_test passes:
Running with gitlab-ci-multi-runner 1.10.4 (b32125f)
Using Docker executor with image node:7.3.0 ...
Starting service docker:dind ...
Pulling docker image docker:dind ...
Waiting for services to be up and running...
Pulling docker image node:7.3.0 ...
Running on runner-4e4528ca-project-2641294-concurrent-0 via runner-4e4528ca-machine-1487244621-a8ff6b11-digital-ocean-4gb...
Cloning repository...
Cloning into '/builds/instanty/test'...
Checking out 0b261283 as master...
Skipping Git submodules setup
Identity added: /dev/fd/63 (rsa w/o comment)
$ which ssh-agent || ( apt-get update -y && apt-get install openssh-client -y )
/usr/bin/ssh-agent
$ eval $(ssh-agent -s)
Agent pid 11
$ ssh-add <(echo "$SSH_PRIVATE_KEY")
$ mkdir -p ~/.ssh
$ ssh-keyscan -H 'gitlab.com' >> ~/.ssh/known_hosts
# gitlab.com SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1
# gitlab.com SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1
# gitlab.com SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1
$ ssh-keyscan gitlab.com | sort -u - ~/.ssh/known_hosts -o ~/.ssh/known_hosts
# gitlab.com SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1
# gitlab.com SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1
# gitlab.com SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1
$ [[ -f /.dockerinit ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config
$ ls
Build succeeded
It fails when I use the image docker:git and service dind:
Running with gitlab-ci-multi-runner 1.10.4 (b32125f)
Using Docker executor with image docker:git ...
Starting service docker:dind ...
Pulling docker image docker:dind ...
Waiting for services to be up and running...
Pulling docker image docker:git ...
Running on runner-4e4528ca-project-2641294-concurrent-0 via runner-4e4528ca-machine-1487244733-2b616928-digital-ocean-4gb...
Cloning repository...
Cloning into '/builds/instanty/test'...
Checking out 0b261283 as master...
Skipping Git submodules setup
$ which ssh-agent || ( apt-get update -y && apt-get install openssh-client -y )
/usr/bin/ssh-agent
$ eval $(ssh-agent -s)
Agent pid 14
$ ssh-add <(echo "$SSH_PRIVATE_KEY")
/bin/sh: eval: line 50: syntax error: unexpected "("
ERROR: Build failed: exit code 2
Why does this image fail?

The syntax you are using is not recognized by the shell used by your image :
ssh-add <(echo "$SSH_PRIVATE_KEY")
ssh-add takes a file as an argument. So to fix this, you can replace this line with :
echo "$SSH_PRIVATE_KEY" > ssh.priv
ssh-add ssh.priv