Private SSH key and LXC profiles

Hello!

I would like to automate the creation of a container in order to automate the deployment of a Python webapp. Basically, I would like to automatically:

  1. Create a container on my host
  2. Pull the source code of my Python webapp from a private Git repository into the container
  3. Configure stuff (python virtual environment, environment variables, etc.)
  4. Run the Python webapp and make it available not only to my host, but also to other devices on the same network as my host

I followed @simos’s great blog post to get started, and I’m happy to report I got things working fairly easily on my test host!

I am now trying to automate the whole process so that I could create a Jenkins job in our Jenkins instance at work, and redeploy my Python webapp easily when a new version is released, for instance.

Therefore, I have a few questions:

  1. Is it possible to create a profile based on a yaml file? So far, I found that I need to (1) create a profile, then (2) edit it, because only the edit command can read from a yaml file (lxc profile edit myprofile < profile-config.yaml)
  2. I need to set up a specific SSH private key in the container to be able to `git clone ...` from the private Git repository. I’m currently pasting the content of the key directly in the yaml file I feed to my profile as shown in the documentation examples, like so:

```yaml
config:
  user.user-data: |
    #cloud-config
    # Apply updates & upgrades using apt
    package_update: true
    package_upgrade: true
    packages:
      - python3-venv
    locale: C.UTF-8
    write_files:
      - content: |
          Host *
            StrictHostKeyChecking no
            IdentityFile /etc/ssh/ssh_host_rsa_key
        path: /root/.ssh/config
        permissions: '0600'
    ssh_keys:
      rsa_private: |
        -----BEGIN OPENSSH PRIVATE KEY-----
        ...
        -----END OPENSSH PRIVATE KEY-----
    runcmd:
      - cd /root/
      - git clone --depth 1 git+ssh://...
      - ...
```

This works, but our Jenkins instance has its own security vault where it stores that private key, and it’s accessible from the job build script by using an environment variable that points to the key file ($SSHKEY). Since I’d like to store my profile yaml file in version control, I don’t want to store the private SSH key in it, and I’d rather use the data from Jenkins. How can I do that?

  3. Finally, what’s the best way to expose the Python app not only to the host, but also to the other devices connected to the same network? My Python app runs on port 8080, so I can access it from http://<container_IP>:8080 on my host, but I cannot access it from another device on the same LAN as my host…

Thanks in advance for your information!
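One way to keep the key out of the committed profile, as an added example that is not part of the original post and not LXD or cloud-init functionality: commit a template whose `rsa_private` block contains only a placeholder line, and have the Jenkins build step splice in the key read from the file that `$SSHKEY` points to. The `__SSH_PRIVATE_KEY__` marker, the template file name and the `apply_profile` helper are assumptions made for this example; the two-step `lxc profile create` / `lxc profile edit` flow is the one the post describes. The key is read from the file rather than passed as an argument, so it never appears in `ps` output or in the job's console log, and `umask 077` keeps the rendered copy readable only by the build user.

```shell
#!/bin/sh
# Render an LXD profile from a template kept in version control, splicing in the
# SSH private key from the file whose path Jenkins exposes as $SSHKEY.
set -eu

# Print the key file with every line indented by $2 spaces, so it sits correctly
# inside the YAML block scalar ("rsa_private: |").
indent_key() {
  keyfile="$1"
  pad=$(printf "%${2}s" '')
  sed "s/^/$pad/" "$keyfile"
}

# Copy the template to stdout, replacing the line that holds the placeholder
# __SSH_PRIVATE_KEY__ (an assumed marker, not an LXD or cloud-init feature) with
# the key, indented to the placeholder's own column.
render_profile() {
  template="$1"
  keyfile="$2"
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      *__SSH_PRIVATE_KEY__*)
        lead="${line%%__SSH_PRIVATE_KEY__*}"
        indent_key "$keyfile" "${#lead}"
        ;;
      *)
        printf '%s\n' "$line"
        ;;
    esac
  done < "$template"
}

# Jenkins build-step usage (needs an LXD host; not exercised by the demo below).
# The profile is created first and then edited from the rendered file, as the
# post describes; umask 077 keeps the rendered copy of the key private to this user.
apply_profile() {
  profile_name="$1"
  template="$2"
  keyfile="${3:-$SSHKEY}"
  umask 077
  rendered=$(mktemp)
  render_profile "$template" "$keyfile" > "$rendered"
  lxc profile create "$profile_name"
  lxc profile edit "$profile_name" < "$rendered"
  rm -f "$rendered"
}

# Offline demo with constructed inputs: a minimal template and a stand-in key
# (not a real key), written to a temporary directory and removed afterwards.
demo_render() {
  work=$(mktemp -d)
  cat > "$work/profile-template.yaml" <<'EOF'
config:
  user.user-data: |
    #cloud-config
    packages:
      - python3-venv
    ssh_keys:
      rsa_private: |
        __SSH_PRIVATE_KEY__
EOF
  printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' \
                'NOTAREALKEY-constructed-for-demo' \
                '-----END OPENSSH PRIVATE KEY-----' > "$work/fake.key"
  render_profile "$work/profile-template.yaml" "$work/fake.key"
  rm -rf "$work"
}

demo_render
```

In the Jenkins job the call would be `apply_profile myprofile profile-template.yaml "$SSHKEY"`; only `profile-template.yaml` is committed, and the rendered file containing the key exists just for the duration of the step.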