
I am starting to get into GitLab CI for my company. We have a PrestaShop, and I want automatic deployment to the web server after a Git push.

Unit testing will come later. At the moment I just need it to deal with putting a copy of the "/app" folder in the web root of the web server.

So this is what I have got...

```yaml
before_script:
  - apt-get update -qq
  - apt-get install -qq git
  - 'which ssh-agent || ( apt-get install -qq openssh-client )'
  - eval $(ssh-agent -s)
  # loads the key from the CI variable; this is the step that fails
  - ssh-add <(echo "$SSH_PRIVATE_KEY")
  - mkdir -p ~/.ssh
  # disables host key verification for every host when running inside Docker
  - '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config'

deploy_test:
  type: deploy   # deprecated alias of "stage"
  environment:
    name: test
    url: [test server domain]
  script:
    - ssh [user]@[server] -p [port] "cd [repo folder] && git checkout master && git pull origin master && exit"
    - ssh [user]@[server] -p [port] "rsync -rzvh [repo /app folder] [web server root path]"
  only:
    - master
```

Recently, gitlab-runner has started failing with the error `Error loading key "/dev/fd/63": invalid format`.

Can you help me to solve that error?

FYI, I have my personal private key set as $SSH_PRIVATE_KEY environment var in GitLab - the public on the web server of course. SSH is enabled on the web server which has WHM and cPanel. And I pre-checked out a copy of master via cPanel on the web server into the [repo folder].

Jono
  • What OS and version are you running in the container? What OS and version did you generate the SSH key on? What OS and version are you trying to connect to? – bk2204 Jul 05 '20 at 17:42
  • OS in the container: I don't know the answer to that. I am using GitLab.com, do you know where to find that? Would it be using my docker-compose in the repo root? The key was generated on Windows 10. The remote server is Red Hat I think, based on this system info: "Linux 3.10.0-957.21.2.el7.x86_64" – Jono Jul 05 '20 at 17:55
  • Just for testing, can you try with a key in the old format (-m PEM, as in https://stackoverflow.com/a/53645530/6309)? – VonC Jul 08 '20 at 22:15
  • Thanks @VonC I will try this too – Jono Jul 09 '20 at 14:14
  • Sorry @VonC - failed with the same error – Jono Jul 09 '20 at 14:27
  • Looks like I am not able to connect locally to the same server via SSH as well - related?! – Jono Jul 09 '20 at 14:49
  • FYI, I found some advice to base64 the private key (https://stackoverflow.com/a/55523151/777885) but still the same issue – Jono Jul 09 '20 at 15:02

2 Answers

Originally, OpenSSH used the PKCS #1 format for RSA private keys. This format is not very secure, so newer versions have moved to a different format for storing private keys which is specific to OpenSSH. This is more secure, but it's not backwards compatible.

While it is possible to convert the keys with ssh-keygen, it would be far better for you to create a new key that you use only for deployments. That's a best practice because it separates your personal key from the deployments and means that if one is compromised, the other is not affected.

Since you'd need to create a new key anyway, you'd be better off using an Ed25519 key. Mozilla and others recommend this format of key because it is fast, secure, and easy to make constant time. You can create such a key with `ssh-keygen -t ed25519 -f deployment-key`, where `deployment-key` and `deployment-key.pub` will be the private and public keys.

If you're using CentOS 7 on the server, it does indeed support Ed25519 keys if it has been appropriately updated with patches, and whatever you're using on GitLab should also support it. You'll need to add the new public key to the remote server as with your personal key.

If you really want to continue to use this key, you should be able to export it with `ssh-keygen -e -m PEM`.

bk2204
  • Great advice ! I will try it now. – Jono Jul 06 '20 at 07:29
  • I do not think it is working. I used your command to create the new key via PowerShell. Imported & activated the public key on cPanel. Updated the global var on GitLab with the new private key. Still I have the same error running CI again... `Error loading key "/dev/fd/63": invalid format` – Jono Jul 06 '20 at 07:40
  • Does your key have carriage returns in it? If so, you'll need to strip them out. – bk2204 Jul 06 '20 at 22:27
  • Removed all CR/LBs from my private key on GitLab and still the same error – Jono Jul 08 '20 at 07:10
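The question's `before_script` pipes `$SSH_PRIVATE_KEY` straight into `ssh-add`, and the comments above narrow the "invalid format" error down to how the key text is stored in the variable (carriage returns, and the newline after the END marker that `echo` adds only if the variable itself ends with one). The script below is an added example, not code from the question, the answers or GitLab: it normalises the variable into a mode-0600 file and fails with a specific reason before `ssh-add` ever runs. The variable name `SSH_PRIVATE_KEY` is the one from the question; `SSH_KNOWN_HOSTS`, the key path and the `--check` flag are assumptions. The key material in the comments is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example (not from the question, the answers or GitLab): check the
# SSH private key held in a CI variable before it reaches ssh-add, so the
# job fails with a readable reason instead of 'invalid format'.
# Assumptions: SSH_PRIVATE_KEY is the question's variable name;
# SSH_KNOWN_HOSTS, the key path and the --check flag are hypothetical.

# normalize_key: key text on stdin -> key text on stdout with Windows
# carriage returns removed and a guaranteed newline after the last line
# (ssh-add rejects a key whose END marker has no trailing newline).
normalize_key() {
    tr -d '\r' | awk '{ print }'
}

# check_key_file FILE: diagnose the most common ways a pasted key is
# broken. Return codes: 0 ok, 2 empty, 3 carriage returns present,
# 4 no BEGIN marker (e.g. the public key was pasted instead),
# 5 END marker missing or not followed by a newline.
check_key_file() {
    f=$1
    if [ ! -s "$f" ]; then
        echo "key file is empty: is the variable available to this branch?" >&2
        return 2
    fi
    if grep -qF "$(printf '\r')" "$f"; then
        echo "key contains carriage returns (Windows line endings)" >&2
        return 3
    fi
    if ! head -n 1 "$f" | grep -q '^-----BEGIN .*PRIVATE KEY-----$'; then
        echo "first line is not a private-key BEGIN marker" >&2
        return 4
    fi
    if ! tail -n 1 "$f" | grep -q '^-----END .*PRIVATE KEY-----$' \
        || [ "$(tail -c 1 "$f" | wc -l | tr -d ' ')" -ne 1 ]; then
        echo "END marker missing or not followed by a newline" >&2
        return 5
    fi
    return 0
}

# prepare_ci_key OUT: write SSH_PRIVATE_KEY to OUT with mode 0600 after
# normalisation, then run the checks above.
prepare_ci_key() {
    out=$1
    : > "$out"
    chmod 600 "$out"
    printf '%s' "${SSH_PRIVATE_KEY:-}" | normalize_key > "$out"
    check_key_file "$out"
}

# Usage in before_script (assumed layout; replaces the question's
# 'ssh-add <(echo "$SSH_PRIVATE_KEY")' line):
#   - sh ci-key-check.sh --check
#   - ssh-add "$HOME/.ssh/deploy_key"
if [ "${1:-}" = "--check" ]; then
    mkdir -p "$HOME/.ssh"
    chmod 700 "$HOME/.ssh"
    prepare_ci_key "$HOME/.ssh/deploy_key"
    # Pin the server's host key from a variable instead of writing
    # "StrictHostKeyChecking no", which turns host verification off.
    if [ -n "${SSH_KNOWN_HOSTS:-}" ]; then
        printf '%s\n' "$SSH_KNOWN_HOSTS" > "$HOME/.ssh/known_hosts"
    fi
fi
```

Running the checks as a separate step keeps the failure reason in the job log next to the step that caused it; `ssh-add` itself only ever reports "invalid format".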

Did you check whether `$SSH_PRIVATE_KEY` is set to run on protected branches and tags pipelines only? If so, you need to add your branch to the protected branches (Settings -> Repository -> Protected Branches), or uncheck the option in Settings -> CI/CD -> Variables.

suwidadi