DEV Community

Sayed Naweed Rizvi
Sayed Naweed Rizvi

Posted on

Setting up communication between GitLab Runner and Deployment Server with SSH

If you are setting up gitlab-ci pipeline, you will need to establish a secure connection between the runner machine and server where you are going to deploy.
Here's a quick and easy way to do it.

Prerequisite

  • Gitlab CI Pipeline
  • OpenSSH client & server installed on runner and deployment server.

SSH (Secure Shell) protocol uses public-key cryptography to authenticate Client machine with a remote Server machine on a network.

Let's get started, we will first create SSH key-pair.

Ssh-keygen is a tool for creating new authentication key pairs for SSH. This is a tutorial on its use, and covers several special use cases.

Ssh-keygen is a tool for creating new authentication key pairs for SSH. This is a tutorial on its use, and covers several special use cases.

favicon ssh.com

I have created these keys for illustration on linux, SSH key paths may differ based on your OS.

Private key (~/.ssh/id_rsa)

-----BEGIN RSA PRIVATE KEY-----
MIICWwIBAAKBgQCAD0ZKDVKEyqPd+N+7N1O/fPjDYAHa8xL24ADRHegqurUa8cTL
tCQX82ysu6uxqfVyOMY3YGOh2HCH8S+jB6GTuSY1tIsYaU46d5H9w7YXAr/MMWRJ
L9wkUoU7bB/I8vK3eTVHsC72ufYhohQVXDY6+ZoG3Bsxyxy7SDbJqVBqXwIDAQAB
AoGABCH6D7u8VQLBJRG6Dq2razuaP5vik3FSxFrYS+deLbrWy2bQBg7rN0ao1C4+
TT6B6EzCwNjAfmGgyBJVijpd0X3iQzt5iPT5vMA2TrybbpMLZnikRtbo5rkgk+Tg
m7AiqXzOSHv02ZtrpgDV3pQ+qa/Tk9FU/7hjefKMF2Ru6EkCQQDINwkKizU3Uw4T
IwMAMTITOrLiswR4tJOmsG01Xe47dMkmERrtI47fYJcPLsNgnBjs6Pus8ALscOCM
xinMBwFdAkEAo72Ir7d0BL/GmogKgmELXmVS6t1jzNok0ioi4w7EefYMaDrlMrlk
rI7VMnExScPHc8ksezRBOJSS89cIIzYy6wJABrrq3+LcEBcHoxcLM8dzknfnqX0x
CkmvqOvHUALvTipX1KLAj/YhCFs72LPOt4GnyNbwFtkekAofUjwbDZOytQJAXd8X
McX22ZIohgdgHwcLwX5NXyC1Sof1fBd0EMAym8kXq9m39LCcquDoERcbrrJy8kpv
GeMHUSy8Ytbwb19vKQJAT/lYWZqTpr+DfmTdmvRbCOz9hWOw4Hj+nfjfSsfzU9vg
bWqKz2KvKlSvYBV4uKBfxsv6ML5dkaiHb5l3pKfDUw==
-----END RSA PRIVATE KEY-----
Enter fullscreen mode Exit fullscreen mode

Public key (~/.ssh/id_rsa.pub)

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCAD0ZKDVKEyqPd+N+7N1O/fPjDYAHa8xL24ADRHegqurUa8cTLtCQX82ysu6uxqfVyOMY3YGOh2HCH8S+jB6GTuSY1tIsYaU46d5H9w7YXAr/MMWRJL9wkUoU7bB/I8vK3eTVHsC72ufYhohQVXDY6+ZoG3Bsxyxy7SDbJqVBqXw==
Enter fullscreen mode Exit fullscreen mode

What Next, Where do we store these keys ?
The SSH keys created above will be stored in the following locations to enable an encrypted and authenticated session between Gitlab Runner & the deployment Server.

1. Gitlab CI Environment Variables

GitLab CI/CD variables | GitLab

Documentation for GitLab Community Edition, GitLab Enterprise Edition, Omnibus GitLab, and GitLab Runner.

docs.gitlab.com

Store both private & public key by giving them a name (SSH_PRIVATE_KEY/SSH_PUBLIC_KEY), you can store the keys at the group level and inherit it in your project by selecting from the Environment Scope dropdown.

Image description

2. Gitlab Runner Machine (SSH folder)
The private & public keys should be stored in the Gitlab Runner machine’s [~/.ssh ]folder. To do that, you need to add following bash commands in your projects .gitlab-ci.yml file.

$SSH_PRIVATE_KEY & $SSH_PUBLIC_KEY are variables which we created in the step above.

Replace gitlab.local.net with url where you have hosted your Gitlab.

before_script:
  - eval $(ssh-agent -s)
  - mkdir -p ~/.ssh
  - chmod 700 ~/.ssh
  - echo -e "Host *\n\tStrictHostKeyChecking no\n" > ~/.ssh/config;
  - cat "$SSH_PRIVATE_KEY" | tr -d '\r' > ~/.ssh/id_rsa
  - cat "$SSH_PUBLIC_KEY" | tr -d '\r' > ~/.ssh/id_rsa.pub
  - chmod 600 ~/.ssh/id_rsa;
  - chmod 764 ~/.ssh/id_rsa.pub;
  - ssh-keyscan -H gitlab.local.net >> ~/.ssh/known_hosts
Enter fullscreen mode Exit fullscreen mode

3. Create authorized_keys on the Server
On the server where you will be deploying your application, create a authorized_keys file inside ~/.ssh.

Now, You would either be running your application on a Physical Server (nostalgic) or a VM β€” Virtual Machine (still there) or a Container (there you are).
Then, Copy and paste the public key to the end of authorized_keysfile

~/.ssh/authorized_keys

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCAD0ZKDVKEyqPd+N+7N1O/fPjDYAHa8xL24ADRHegqurUa8cTLtCQX82ysu6uxqfVyOMY3YGOh2HCH8S+jB6GTuSY1tIsYaU46d5H9w7YXAr/MMWRJL9wkUoU7bB/I8vK3eTVHsC72ufYhohQVXDY6+ZoG3Bsxyxy7SDbJqVBqXw==
Enter fullscreen mode Exit fullscreen mode

Please note that you can append as many public keys as you want here, depending on the connections you wish to establish.

With that final step, you have successfully setup an encrypted communication channel between Gitlab Runner and the server on which you will be deploying your application.

Do keep in mind
You need to be very careful with SSH keys, set the right permissions and ownership.

Thank You !!

Discussion (0)