Permission denied in Gitlab Runner - gitlab

I have a Gitlab runner running in a VPS, now is facing this error:
Running on vps...
Getting source from Git repository
00:02
Fetching changes with git depth set to 50...
Reinitialized existing Git repository in /home/gitlab-runner/builds/-Jgf7oJG/0/agency/project/app/.git/
Checking out 67b23db2 as testing...
Removing .env
Skipping Git submodules setup
Executing "step_script" stage of the job script
00:00
$ mkdir -p ~/.ssh
$ echo "$SSH_PRIVATE_KEY" | tr -d '\r' > ~/.ssh/id_rsa
$ chmod 700 ~/.ssh/id_rsa
$ eval "$(ssh-agent -s)"
Agent pid 929369
$ ssh-add ~/.ssh/id_rsa
Identity added: /home/gitlab-runner/.ssh/id_rsa (/home/gitlab-runner/.ssh/id_rsa)
$ ssh-keyscan -H $SSH_HOST >> ~/.ssh/known_hosts
bash: line 133: /home/gitlab-runner/.ssh/known_hosts: Permission denied
Cleaning up file based variables
00:00
ERROR: Job failed: exit status 1
I've tryed with the following commands inside the vps that have the runner:
$ sudo usermod -a -G sudo gitlab-runner
$ sudo visudo
And adding this to the bottom of the file.
gitlab-runner ALL=(ALL) NOPASSWD: ALL

make sure that your known_hosts file has the following group & permissions.
-rw-r--r-- 1 gitlab-runner gitlab-runner 444 Aug 2 00:00 known_hosts

from sshd manual
~/.ssh/known_hosts
Contains a list of host keys for all hosts the user has logged into that are not already in the systemwide list of known host keys. The format of this file is described above. This file should be writable only by root/the owner and
can, but need not be, world-readable.
chmod 600/644 for ~/.ssh/known_hosts

Related

ssh-add on command argument to su

I want to start a docker container that adds a ssh key at startup :
My entrypoint looks like this :
#!/bin/bash
set -e
service ssh start
su anotherUser -s /bin/bash -c "eval \"$(ssh-agent)\" && ssh-add /Keys/id_rsa"
I've seen many posts that use sudo, but I do not have sudo available. I've found this solution but at the startup it shows me :
[....] Starting OpenBSD Secure Shell server: sshd 7[ ok 8.
Agent pid 36
Error connecting to agent: Permission denied
But when I execute the same lines at the promp everythings is ok :
xxx# su anotherUser
anotherUser#xxx:~$ eval $(ssh-agent)
Agent pid 47
anotherUser#xxx:~$ ssh-add /keys/id_rsa
Identity added: /keys/id_rsa (yyy#yyy-HP-EliteBook-850-G4)
You are running ssh-agent before su runs. The $ needs to be escaped so that the literal command substitution is passed to bash for execution.
su anotherUser -s /bin/bash -c 'eval $(ssh-agent) && ssh-add /Keys/id_rsa'
(Untested; probably needs more details about how the container is run and why ssh-add needs to be run as a different user.)
It may be simpler, though, to run your entry point with ssh-agent. For example,
# In the Dockerfile...
ENTRYPOINT ["ssh-agent", "entry.sh"]
Inside entry.sh, your environment will already have access to the agent.
#!/bin/bash
set -e
service ssh start
su anotherUser -s ssh-add /Keys/id_rsa

GIT not running at substituted user - /bin/git: /bin/git: cannot execute binary file

I've just installed git on my CentOS 6 (yum install). And I'd like to clone a repository, but keeping in mind that runing GIT as root user is insecure, I try to do it as admin (whose password I don't remember really). Below is a command flow.
[root#angkor public_html]# runuser -l admin 'git'
/bin/git: /bin/git: cannot execute binary file
[root#angkor public_html]# su - admin git
Last login: Tue May 28 11:00:08 UTC 2019 on pts/0
/bin/git: /bin/git: cannot execute binary file
[root#angkor public_html]# git
usage: git [--version] [--help] [-c name=value]
[--exec-path[=<path>]] [--html-path] [--man-path] [--info-path]
[-p|--paginate|--no-pager] [--no-replace-objects] [--bare]
[--git-dir=<path>] [--work-tree=<path>] [--namespace=<name>]
<command> [<args>]
As we can see git starts when I run it as root but some error reported whan I try to run it as admin. Why and how to fix it?
This is expected, unfortunately:
https://bugzilla.redhat.com/show_bug.cgi?id=1245780
Use this instead:
runuser -l admin -c 'git'

gitlab-ci ssh connexion fail

I would like run ssh connexion on my production server from gitlab-ci runner :
deploy_prod:
stage: deploy
script:
- echo "====== Deploy to production server ======"
- apk update && apk upgrade
- apk add git openssh bash
# Add target server`s secret key
- mkdir ~/.ssh
- echo $SSH_PRIVATE_KEY > ~/.ssh/id_rsa
- chmod 700 ~/.ssh && chmod 600 ~/.ssh/*
- cat ~/.ssh/id_rsa
- echo "Test ssh connection"
- ssh -o StrictHostKeyChecking=no -T "$TARGET_SERVER_USER#$TARGET_SERVER_HOST"
# Delploy
- echo "make deploy"
- pm2 deploy ecosystem.config.js production
The ssh test failed with this error :
$ ssh -o StrictHostKeyChecking=no -T "$TARGET_SERVER_USER#$TARGET_SERVER_HOST"
Warning: Permanently added 'xxxxxxx' (ECDSA) to the list of known hosts.
Permission denied, please try again.
Permission denied, please try again.
Permission denied (publickey,password).
My all variable is add on secret variable on gitlab project
Anyone can help me ?

Script for root to git pull as another user

I have a script that I would like to have do a git pull inside another user's git directory. This script is run by the root user. For example:
cd /home/username/GitProject
sudo -u username -i git pull
When I run this, I get:
fatal: Not a git repository (or any of the parent directories): .git
Is there a way to have my script do a git pull as username?
Try without the -i option to sudo. That option is documented as first changing to the target user's home directory, which undoes the directory change you so carefully do before that. Alternatively, use the appropriate options to git to specify the directory, something like this:
sudo -u username -i git --git-dir=/home/username/GitProject/.git --work-tree=/home/username/GitProject pull
This can be done without sudo. This assumes you have password-less ssh keys since you are talking about a script. Here's the failure:
# git clone <user>#<host>:/path/to/repo
Cloning into 'repo'...
Permission denied (publickey).
fatal: The remote end hung up unexpectedly
This shows that ~ properly expands to the user's homedir:
# MYUSER=somebody
# su - $MYUSER -c "echo ~"
/home/somebody
And here's the actual command used to clone into the home directory along with some extra proofs:
# su - $MYUSER -c "git clone <user>#<host>:/path/to/repo"
Cloning into 'repo'...
remote: Counting objects: 13, done.
<..>
# ls -l /home/$MYUSER/repo/.git/config
-rw-r--r-- 1 somebody somebody 275 Nov 8 23:55 /home/somebody/repo/.git/config
# su - $MYUSER -c "cd ~/repo; git remote -v"
origin <user>#<host>:/path/to/repo (fetch)
origin <user>#<host>:/path/to/repo (push)
# su - $MYUSER -c "cd ~/repo; git pull"
Already up-to-date.

How do I set up an SSH key for some user, if I'm root?

If a root user is running a bash script that configure some stuff on machine for a user. The script would configure a git repository and an ssh key for password-less github communication, then it would clone the repository.
This will only happens once.
I'm new to bash, how would I do this?
My solution so far (this script is run as root):
USERNAME="vagrant"
HOMEDIR="/home/$USERNAME"
apt-get update -y
apt-get install git -y
cp id_rsa* $HOMEDIR/.ssh #copying predefined keys
su -c "eval `ssh-agent -s` ssh-add $HOMEDIR/.ssh/id_rsa" $USERNAME
chmod 400 $HOMEDIR/.ssh/id_rsa
cat $HOMEDIR/.ssh/id_rsa.pub > $HOMEDIR/.ssh/known_hosts
This doesn't work because the key is not being added, I get the error:
Could not open a connection to your authentication agent.
With a root user that has no login on a remote host, and /root/.ssh does not exist, I can interactively ssh in with:
su - $USERNAME -c "ssh $USERNAME#<remotehost>"
It reads USERNAME's ~/.ssh/known_hosts file (or prompts for verification). If correct keys exist in USERNAME's ~/.ssh it uses them. When done, there is still no /root/.ssh, i.e. this is completely done as USERNAME, not root.
Likewise with git cloning:
su - $USERNAME -c "git clone remoteuser#host:/path/to/repo"
Just be careful of quoting. If you want a variable dereferenced at the time you run su, use double quotes. If you want a variable dereferenced after su has handed off to the user's shell, use single quotes. Example:
su - myuser -c "echo $HOME"
/root
su - myuser -c 'echo $HOME'
/home/myuser

Resources