Score:0

How to properly set up private key for gitlab runner


I would like to make this scenario possible (some aspects unrelated to the problem were simplified for better understanding).

Imagine we have a simple gitlab repository with only two files.

  • index.html - stores static web page
  • gitlab-ci.yml - stores pipelines for this repository

And we have a Debian 11 server (with root access on it, so I can do anything I want).

The main goal is to create a GitLab pipeline which automatically logs in to this server over SSH and performs an update (cds to the proper folder and pulls master) after a master merge, so every change that gets into.

I've found many sources that lead through the steps of generating an SSH key and storing the private key in a GitLab variable (and accessing it from the pipeline).

Pipelines look always like:

stages:
  - deploy

deploy:
  image: ubuntu:latest
  stage: deploy
  only: 
    - main
  before_script:
    - apt-get -yq update
    - apt-get -yqq install ssh
    - install -m 600 -D /dev/null ~/.ssh/id_rsa
    - echo "$SSH_PRIVATE_KEY" | base64 -d > ~/.ssh/id_rsa
    - ssh-keyscan -H $SSH_HOST > ~/.ssh/known_hosts
  script:
    - ssh $SSH_USER@$SSH_HOST "cd $WORK_DIR && git checkout $MAIN_BRANCH && git pull && exit"
  after_script:
    - rm -rf ~/.ssh


Which leads me to a thought, and a first question: is there any better solution that could bypass working with a private key? My fear is about security. I understand that the risk of anyone breaching GitLab and stealing all private variables is low, but I want to ask for any possible solution that is safer. There is even the possibility to perform this via Docker containers if it helps (but as I see it, on the server side the only difference is between performing git commands and docker commands, which does not really help in this aspect).

And if the answer to the first question is no, I'd like to ask another question: what's the best way to secure this SSH key pair? Is it possible to generate an SSH key for a user which has access only to one folder (where this repository's content is stored) and is allowed only certain commands (for example a scenario where they'll be redirected to that folder automatically after login and are only allowed to perform git pull and nothing else)? So the biggest damage that anyone can do with that private key is pulling the newest version of the repository?

Score:0

The problem that I'm facing is that developers are able to modify .gitlab-ci.yml and run pipelines, so they can also do echo $SSH_PRIVATE_KEY and use that key.

If what you want is only to make sure a user can do git pull, you can configure that in the sshd of your host; check the ForceCommand option. But it might be better to allow sftp-only there for that user and scp the artifact from gitlab-ci instead of pulling Git on the remote server:

Match user your-ssh-user
  ForceCommand internal-sftp

It would be nice if someone from GitLab reviewed this and added it to the documentation, because in my opinion this is a really relevant issue.

A feature where you can start a runner that has SSH keys loaded in ssh-agent (where they cannot be exfiltrated) would be interesting.
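As an added example (not part of the question or the answer above), here is the per-key variant of the answer's ForceCommand idea, addressing the asker's second question: a wrapper installed on the Debian server via a `command="..."` restriction in the deploy user's authorized_keys, so the key stored in GitLab can only trigger a fast-forward pull of one fixed checkout, and the pipeline's script line becomes `ssh $SSH_USER@$SSH_HOST deploy`. The script name, REPO_DIR and the `deploy` keyword are assumptions; it limits what a leaked key can do, it does not stop the key being read by anyone who can edit .gitlab-ci.yml.

```shell
#!/bin/sh
# deploy-only.sh (hypothetical name): forced-command wrapper for the deploy key.
# Referenced from ~/.ssh/authorized_keys of the deploy user on the server, e.g.:
#
#   command="/usr/local/bin/deploy-only.sh",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-ed25519 AAAA... gitlab-deploy
#
# REPO_DIR / MAIN_BRANCH are assumed stand-ins for the question's $WORK_DIR / $MAIN_BRANCH.
set -eu

REPO_DIR="${REPO_DIR:-/var/www/site}"
MAIN_BRANCH="${MAIN_BRANCH:-main}"

# Map the command the client asked for (sshd puts it in SSH_ORIGINAL_COMMAND)
# onto the single action this key may trigger. Prints the action and returns 0
# when allowed, returns 1 otherwise. The client string is only compared against
# an allow-list; no part of it is ever executed.
allowed_action() {
  case "$1" in
    deploy) echo pull; return 0 ;;   # pipeline runs: ssh "$SSH_USER@$SSH_HOST" deploy
    *)      return 1 ;;
  esac
}

# Run the allowed action in the fixed directory. Directory and branch are
# decided here, not by the key holder, so the key cannot touch anything else.
run_action() {
  case "$1" in
    pull)
      git -C "$REPO_DIR" fetch --quiet origin "$MAIN_BRANCH"
      git -C "$REPO_DIR" merge --ff-only --quiet FETCH_HEAD
      ;;
  esac
}

# Entry point, taken only when sshd invokes this as a forced command: sshd sets
# SSH_CONNECTION for every session, so this branch is skipped when the file is
# sourced for testing. An interactive login (no command) is rejected and logged.
if [ -n "${SSH_CONNECTION:-}" ]; then
  if action=$(allowed_action "${SSH_ORIGINAL_COMMAND:-}"); then
    run_action "$action"
  else
    echo "rejected: '${SSH_ORIGINAL_COMMAND:-<interactive login>}'" >&2
    logger -t deploy-only "rejected from ${SSH_CONNECTION%% *}: ${SSH_ORIGINAL_COMMAND:-<none>}"
    exit 1
  fi
fi
```

Rejections end up in the server's auth/syslog via logger, which gives a simple detection point for a key being tried outside the pipeline.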
