GitLab CI/CD - SSH

Domino · May 18, 2021, 3:21pm

Hello,

Someone else tried to use CI/CD (gitlab,github) with LXD container ?
I’m trying to setup it to deploy my code instead of SFTP.

If I understand I have to “SSH Jump (lxd host)” to container by setup SSH server inside it.
I have doubt about security by multiply SSH server (extending surface attack ?)

[INTERNET] --> [LXD HOST] --> [(ssh?) (no public ip) CONTAINER]

How guys do you deal with LXD+CI/CD ?
Can we consider LXD host like a kind of SSH Bastion for containers ?
What about “lxc exec” for CI/CD instead of SSH ?

It’s so curious we don’t see tutorial about Pipeline with LXD.

I’ve spotted this

SSH vs lxc exec

SSH Jump

M.Miethke · May 19, 2021, 12:02pm

Hello Domino,

Your description is not entirely clear.

First I can say, using the lxd host as SSH Bastion is not prefer way to go.
Setup a dedicated container on the lxd host as Bastion is much better.

it is not clear where the version control system is hosted and
what functions do You need in your CI/CD pipeline.
Example: gitlab can be self hosted
gitlab_runner can run on same machine or self hosted on a different
or only a service in cloud
runner for docker or ssh possible
and so on.

Domino · May 29, 2021, 10:29am

VCS installed locally (wordpress container) on homelab.

Now I’m going to use GitHub Actions (cool marketplace) and use Continous Deploy.
For the Runner I use the free tiers offer by github on the cloud (ubuntu-vm)

My question : How can I reach the target LXD Container PROD from Github Actions Runner Cloud ?

Example .github/workflows

name: Deployment

on:
  push:
    branches: [ production ]

jobs:
  deploy:
    runs-on: ubuntu-latest

    steps:
    - uses: actions/checkout@v2

    - uses: actions/setup-node@v1.1.0
      with:
        version: 12.x

    - name: Install dependencies
      run: |
        composer install -o
        npm install

    - name: Build
      run: npm run build
    
    - name: Sync
      env:
        dest: 'ssh-user@example.com:/mydir/wp-content/themes/mytheme'
      run: |
        echo "${{secrets.DEPLOY_KEY}}" > deploy_key
        chmod 600 ./deploy_key
        rsync -chav --delete \
          -e 'ssh -i ./deploy_key -o StrictHostKeyChecking=no' \
          --exclude /deploy_key \
          --exclude /.git/ \
          --exclude /.github/ \
          --exclude /node_modules/ \
          ./ ${{env.dest}}

What is the best once Github Action reach the LXD host with {{secrets.DEPLOY_KEY}} to connect LXD container ? SSH again or lxc exec ?

lxc commands used in workflows files (why not use lxc exec ?)

github.com

mmoscher/actions-workflow-lxd-sample/blob/master/.github/workflows/lxd-without-sudo.yml


name: LXD without sudo

on: [push]

jobs:
  build:

    runs-on: ubuntu-latest
    
    steps:
    
    - name: Add current user to LXD group
      run: |
        sudo usermod --append --groups lxd $(whoami)
            
    - name: Initialize LXD
      run: |
        sudo lxd init --auto

This file has been truncated. show original

I see that for ssh jump host ?

emcp · May 29, 2021, 2:57pm

I was using at my last workplace, gitlab runners with juju… those were running on VMWare hosts but you could just pull the charm and try it on your LXD deployment via juju

if you need the server it’s at gitlab server | Juju

artefact · May 29, 2021, 6:24pm

You may want to take a look at ssh2lxd. It was designed with CI/CD and automation in mind.