GitLab CI/CD - SSH


Has anyone else tried to use CI/CD (GitLab, GitHub) with an LXD container?
I’m trying to set it up to deploy my code instead of SFTP.

If I understand correctly, I have to “SSH jump” (via the LXD host) to the container by setting up an SSH server inside it.
I have doubts about security from multiplying SSH servers (extending the attack surface?)

[INTERNET] --> [LXD HOST] --> [(ssh?) (no public ip) CONTAINER]

How do you guys deal with LXD + CI/CD?
Can we consider the LXD host a kind of SSH bastion for containers?
What about “lxc exec” for CI/CD instead of SSH?

It’s curious that we don’t see tutorials about pipelines with LXD.

I’ve spotted this

  • SSH vs lxc exec
  • SSH Jump

Hello Domino,

Your description is not entirely clear.

First, I can say that using the LXD host as an SSH bastion is not the preferred way to go.
Setting up a dedicated container on the LXD host as a bastion is much better.

It is not clear where the version control system is hosted and
what functions you need in your CI/CD pipeline.
Example: GitLab can be self-hosted;
gitlab_runner can run on the same machine, or self-hosted on a different one,
or only as a service in the cloud;
a runner for Docker or SSH is possible,
and so on.

VCS installed locally (wordpress container) on homelab.

Now I’m going to use GitHub Actions (cool marketplace) and use Continuous Deploy.
For the runner I use the free tier offered by GitHub in the cloud (ubuntu-vm).

My question: how can I reach the target LXD container PROD from the GitHub Actions cloud runner?

Example .github/workflows

name: Deployment

# The trigger, job id and the with:/env: keys were lost when the post was
# extracted; "push" and "deploy" are assumed here.
on:
  push:
    branches: [ production ]

jobs:
  deploy:
    runs-on: ubuntu-latest

    steps:
    - uses: actions/checkout@v2

    - uses: actions/setup-node@v1.1.0
      with:
        version: 12.x

    - name: Install dependencies
      run: |
        composer install -o
        npm install

    - name: Build
      run: npm run build

    - name: Sync
      env:
        dest: ''
      run: |
        echo "${{secrets.DEPLOY_KEY}}" > deploy_key
        chmod 600 ./deploy_key
        rsync -chav --delete \
          -e 'ssh -i ./deploy_key -o StrictHostKeyChecking=no' \
          --exclude /deploy_key \
          --exclude /.git/ \
          --exclude /.github/ \
          --exclude /node_modules/ \
          ./ ${{env.dest}}

What is best, once the GitHub Action reaches the LXD host with {{secrets.DEPLOY_KEY}}, to connect to the LXD container? SSH again or lxc exec?

lxc commands used in workflow files (why not use lxc exec?)

I see that for SSH jump host?

At my last workplace I was using GitLab runners with Juju… those were running on VMware hosts, but you could just pull the charm and try it on your LXD deployment via Juju.

If you need the server, it’s at gitlab server | Juju

You may want to take a look at ssh2lxd. It was designed with CI/CD and automation in mind.
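
The jump-host route discussed in this thread (cloud runner, then a bastion, then a container with no public IP), as an added example that is not code from any of the posters: a deploy helper that writes a throwaway SSH client config using `ProxyJump` and pinned host keys in place of `StrictHostKeyChecking=no`. The `deploy` user, the `bastion` and `prod` aliases, the function names and the `DEPLOY_KNOWN_HOSTS` secret (known_hosts lines for both hops) are assumptions; `DEPLOY_KEY` is the secret from the workflow above.

```bash
#!/usr/bin/env bash
# Added example. Assumed names: user "deploy", aliases "bastion"/"prod",
# secret DEPLOY_KNOWN_HOSTS holding known_hosts lines for both hops.

# Usage: make_deploy_ssh_config <workdir> <bastion-host> <container-address>
# Writes key, known_hosts and config under <workdir>; prints the config path.
# The body runs in a subshell so the umask change does not leak to the caller.
make_deploy_ssh_config() (
  dir=$1 bastion=$2 target=$3
  # Refuse to continue without pinned host keys: an empty known_hosts plus
  # "StrictHostKeyChecking yes" would only fail later and tempt a downgrade.
  [ -n "${DEPLOY_KEY:-}" ] && [ -n "${DEPLOY_KNOWN_HOSTS:-}" ] || {
    echo "DEPLOY_KEY and DEPLOY_KNOWN_HOSTS must both be set" >&2; exit 1; }
  umask 077                         # directory 0700, files 0600
  mkdir -p "$dir"
  printf '%s\n' "$DEPLOY_KEY" > "$dir/deploy_key"
  printf '%s\n' "$DEPLOY_KNOWN_HOSTS" > "$dir/known_hosts"
  cat > "$dir/config" <<EOF
Host bastion
  HostName $bastion
  User deploy
Host prod
  HostName $target
  User deploy
  ProxyJump bastion
Host *
  IdentityFile $dir/deploy_key
  IdentitiesOnly yes
  UserKnownHostsFile $dir/known_hosts
  StrictHostKeyChecking yes
  ForwardAgent no
EOF
  printf '%s\n' "$dir/config"
)

# Usage: deploy_to_container <workdir> <bastion-host> <container-address> <remote-path>
deploy_to_container() {
  cfg=$(make_deploy_ssh_config "$1" "$2" "$3") || return 1
  rsync -chav --delete -e "ssh -F $cfg" \
    --exclude /.git/ --exclude /.github/ --exclude /node_modules/ \
    ./ "prod:$4"
  rc=$?
  rm -f "$1/deploy_key"             # do not leave the key on the runner
  return "$rc"
}
```

Because both hops are authenticated from the runner, the private key never has to be stored on the bastion. The work directory should sit outside the tree being synced, so the key is not copied to the target.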