I have a github project being tracked by Travis.
Currently, I have a new dependency, which is a private repo.
For now, I just need to use the simple Deploy Key approach.
This is my understanding of the steps that are needed:
generate the public/private ssh key pair
encrypt it using travis cli
ship the encrypted key.enc to the repository
Then the CLI tells us the command we can use to decrypt the file:
before_install:
- openssl aes-256-cbc -K $encrypted_X_key -iv $encrypted_Y_iv -in key.enc -out key -d
I can decrypt the key now.
But how do I add it to the ssh-agent at build time?
This is the required step to add the key before installing the private dependencies:
before_install:
- openssl aes-256-cbc -K $encrypted_X_key -iv $encrypted_Y_iv -in .travis/key.enc -out .travis/key -d
- chmod 600 .travis/key
- eval "$(ssh-agent -s)"
- ssh-add .travis/key
First, I'm fairly new to docker. But this seems pretty straightforward.
I am working off of this dockerfile. I made some very basic modifications like installing openssl and generating some self-signed certs so I can use ssl in apache. Here is a section that I added to the linked dockerfile:
RUN mkdir /ssl-certs
RUN openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -subj \
"/C=../ST=../L=..../O=LAB/CN=....." \
-keyout /ssl-certs/ssl.key -out /ssl-certs/ssl.crt
RUN mkdir -p /etc/apache2/ssl/
COPY /ssl-certs/ssl.key /etc/apache2/ssl/ssl.key
COPY /ssl-certs/ssl.crt /etc/apache2/ssl/ssl.crt
However, when I compile this I get the following output:
=> CACHED [ 8/19] RUN openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -subj "/C=../ST=../L=.... 0.0s
=> CACHED [ 9/19] RUN mkdir -p /etc/apache2/ssl/ 0.0s
=> ERROR [10/19] COPY /ssl-certs/ssl.key /etc/apache2/ssl/ssl.key 0.0s
=> ERROR [11/19] COPY /ssl-certs/ssl.crt /etc/apache2/ssl/ssl.crt 0.0s
------
> [10/19] COPY /ssl-certs/ssl.key /etc/apache2/ssl/ssl.key:
------
------
> [11/19] COPY /ssl-certs/ssl.crt /etc/apache2/ssl/ssl.crt:
------
This basically tells me openssl isn't actually doing anything, or docker doesn't wait for openssl to finish, which doesn't seem likely. I've looked around and I can't seem to find anyone with a similar problem. Any pointers are appreciated.
COPY /ssl-certs/ssl.key /etc/apache2/ssl/ssl.key
COPY /ssl-certs/ssl.crt /etc/apache2/ssl/ssl.crt
The COPY command tries to access /ssl-certs on the host, not inside the container. You may try
# cp runs inside the image, where the RUN openssl step wrote the files
RUN cp /ssl-certs/ssl.key /etc/apache2/ssl/ssl.key \
&& cp /ssl-certs/ssl.crt /etc/apache2/ssl/ssl.crt
Edit: regardless, I consider it bad practice to
build secrets (the private key) into the container; rather, mount the secrets at run-time
create non-deterministic builds (generating a new random private key)
I guess, or rather hope, it's for dev/education purposes, but when doing SSL, let's do it properly, even for self-signed certificates.
UWSGI Version- 2.0.18
Openssl- 1.0.2k-fips
Python 2.7
Getting Error:
uwsgi: error while loading shared libraries: libssl.so.1.0.0: cannot open shared object file: No such file or directory
Whenever we do pip install uWSGI, it automatically binds to the OpenSSL libs.
But make sure you have installed the openssl and openssl-devel packages.
I tried with following versions:
Python- 3.6
UWSGI- 2.0.18
Commands:
Create Virtual Env and install flask and uWSGI:
virtualenv -p /usr/bin/python3.6 testing
source testing/bin/activate
pip install flask
pip install uWSGI
Create Certs:
openssl genrsa -out foobar.key 2048
openssl req -new -key foobar.key -out foobar.csr
openssl x509 -req -days 365 -in foobar.csr -signkey foobar.key -out foobar.crt
Create Sample Python file: foobar.py
def application(env, start_response):
    start_response('200 OK', [('Content-Type', 'text/html')])
    return [b"Hello World"]
Run uWSGI:
uwsgi --shared-socket 0.0.0.0:443 --uid roberto --gid roberto --https =0,foobar.crt,foobar.key --wsgi-file foobar.py
Make sure you do not get confused between the uWSGI installed in a virtual environment and the one installed with the root user.
Follow the documentation:
https://uwsgi-docs.readthedocs.io/en/latest/WSGIquickstart.html
I'm working on a GitLab CI pipeline that will deploy my docker stack. I'm trying to set the $DOCKER_HOST to be tcp://DROPLET_IP:2377, but I'm getting an error saying that my certificate doesn't contain any IP SANs. I'm testing with a Digital Ocean Droplet, so I haven't set a domain name for my droplet yet.
deploy:
  stage: deploy
  image: docker:stable
  services:
    - docker:dind
  variables:
    DOCKER_HOST: "tcp://$DROPLET_IP:2377"
    DOCKER_TLS_VERIFY: 1
  before_script:
    - mkdir -p ~/.docker
    - echo "$TLS_CA_CERT" > ~/.docker/ca.pem
    - echo "$TLS_CERT" > ~/.docker/cert.pem
    - echo "$TLS_KEY" > ~/.docker/key.pem
  script:
    - docker login -u gitlab-ci-token -p "$CI_JOB_TOKEN" "$CI_REGISTRY"
    - docker info
    - docker stack deploy --with-registry-auth --compose-file=docker-stack.yml mystack
Here's the error I'm getting in the output of my GitLab CI job:
$ docker login -u gitlab-ci-token -p "$CI_JOB_TOKEN" "$CI_REGISTRY"
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
error during connect: Post https://<ip-address>:2377/v1.39/auth: x509: cannot validate certificate for <ip-address> because it doesn't contain any IP SANs
I'm using the following set of commands to generate my certs (ca.pem, server-cert.pem and server-key.pem) that I'm trying to use in my deploy stage described above. I have saved TLS_CA_CERT, TLS_CERT and TLS_KEY to variables that are being used in GitLab CI.
openssl genrsa -aes256 -out ca-key.pem 4096
openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
openssl genrsa -out server-key.pem 4096
openssl req -subj "/CN=<ip-address>" -sha256 -new -key server-key.pem -out server.csr
echo subjectAltName = IP:<ip-address> >> extfile.cnf
echo extendedKeyUsage = serverAuth >> extfile.cnf
openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
-CAcreateserial -out server-cert.pem -extfile extfile.cnf
I see you have included the IP address in the subjectAltName:
echo subjectAltName = IP:<ip-address> >> extfile.cnf
Check, as in here, if this is a configuration issue:
I put subjectAltName in the wrong section. Working method: Basically I edited openssl.cnf, in section [v3_ca] I added 'subjectAltName = IP:192.168.2.107'.
Produced new certificate and added to server + client.
You need to make sure your extension is declared in the v3_ca part, as shown here.
As of OpenSSL 1.1.1, providing subjectAltName directly on the command line becomes much easier, with the introduction of the -addext flag to openssl req.
Example:
export HOST="my.host"
export IP="127.0.0.1"
# double quotes so that ${IP} and ${HOST} are expanded by the shell
openssl req -newkey rsa:4096 -nodes -keyout "${HOST}.key" -x509 -days 365 -out "${HOST}.crt" \
  -addext "subjectAltName = IP:${IP}" \
  -subj "/C=US/ST=CA/L=SanFrancisco/O=MyCompany/OU=RND/CN=${HOST}/"
Inspired by link
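As an added example (not code from the question or any of the answers above), the following script builds the extension file with the SAN type the Docker client actually checks (IP: for a bare address, DNS: for a hostname) and verifies that the signed certificate really carries it before the PEM is pasted into CI variables. 203.0.113.10 is a constructed documentation address standing in for DROPLET_IP; openssl is assumed on PATH only for the verification function.

```shell
#!/bin/sh
# Choose the SAN entry type for one host value. The Docker client connecting to
# tcp://203.0.113.10:2377 looks for an IP SAN; a DNS SAN with the same text
# would still fail with "doesn't contain any IP SANs".
san_entry() {
  case "$1" in
    *[!0-9.]*)
      case "$1" in
        *:*) printf 'IP:%s' "$1" ;;   # IPv6 literal
        *)   printf 'DNS:%s' "$1" ;;  # hostname
      esac ;;
    *) printf 'IP:%s' "$1" ;;         # dotted IPv4
  esac
}

# Write an extfile.cnf: $1 is the output path, the remaining arguments are the
# hosts to list. Prints the subjectAltName value that was written.
write_extfile() {
  out=$1; shift
  sans=""
  for h in "$@"; do
    sans="${sans:+$sans,}$(san_entry "$h")"
  done
  {
    printf 'subjectAltName = %s\n' "$sans"
    printf 'extendedKeyUsage = serverAuth\n'
  } > "$out"
  printf '%s' "$sans"
}

# After signing (openssl x509 -req ... -extfile extfile.cnf), confirm the
# certificate really lists the address: a miss here means the extfile was not
# applied, which is exactly what the Docker client error reports later.
cert_has_ip_san() {
  openssl x509 -in "$1" -noout -text 2>/dev/null |
    grep -A1 'Subject Alternative Name' | grep -q "IP Address:$2"
}

# Demo on the constructed address plus an internal hostname (constructed).
tmp=$(mktemp)
write_extfile "$tmp" 203.0.113.10 docker.example.internal >/dev/null
cat "$tmp"
rm -f "$tmp"
```

Run `cert_has_ip_san server-cert.pem 203.0.113.10 || echo "SAN missing"` right after the `openssl x509 -req` step, before exporting the files to GitLab variables.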
I have installed and configured:
an on-premises GitLab Omnibus on ServerA running on HTTPS
an on-premises GitLab-Runner installed as Docker Service in ServerB
ServerA certificate is generated by a custom CA Root
The Configuration
I've put the CA Root Certificate on ServerB:
/srv/gitlab-runner/config/certs/ca.crt
Installed the Runner on ServerB as described in Run GitLab Runner in a container - Docker image installation and configuration:
docker run -d --name gitlab-runner --restart always \
-v /srv/gitlab-runner/config:/etc/gitlab-runner \
-v /var/run/docker.sock:/var/run/docker.sock \
gitlab/gitlab-runner:latest
Registered the Runner as described in Registering Runners - One-line registration command:
docker run --rm -t -i \
-v /srv/gitlab-runner/config:/etc/gitlab-runner \
--name gitlab-docker-runner gitlab/gitlab-runner register \
--non-interactive \
--executor "docker" \
--docker-image alpine:latest \
--url "https://MY_PRIVATE_REPO_URL_HERE/" \
--registration-token "MY_PRIVATE_TOKEN_HERE" \
--description "MyDockerServer-Runner" \
--tag-list "TAG_1,TAG_2,TAG_3" \
--run-untagged \
--locked="false"
This command gave the following output:
Updating CA certificates...
Runtime platform arch=amd64 os=linux pid=5 revision=cf91d5e1 version=11.4.2
Running in system-mode.
Registering runner... succeeded runner=8UtcUXCY
Runner registered successfully. Feel free to start it, but if it's running already the config should be automatically reloaded!
I checked with
$ docker exec -it gitlab-runner bash
and once in the container with
$ awk -v cmd='openssl x509 -noout -subject' '
/BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-certificates.crt
and the custom CA root is correctly there.
The Problem
When running Gitlab-Runner from GitLab-CI, the pipeline fails miserably telling me that:
$ git clone https://gitlab-ci-token:${CI_BUILD_TOKEN}@ServerA/foo/bar/My-Project.wiki.git
Cloning into 'My-Project.wiki'...
fatal: unable to access 'https://gitlab-ci-token:xxxxxxxxxxxxxxxxxxxx@ServerA/foo/bar/My-Project.wiki.git/': server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
ERROR: Job failed: exit code 1
It does not recognize the Issuer (my custom CA Root), but according to The self-signed certificates or custom Certification Authorities, point n.1, it should work out-of-the-box:
Default: GitLab Runner reads system certificate store and verifies the GitLab server against the CA’s stored in system.
I've then tried the solution from point n.3, editing
/srv/gitlab-runner/config/config.toml:
and adding:
[[runners]]
tls-ca-file = "/srv/gitlab-runner/config/certs/ca.crt"
But it still doesn't work.
How can I make Gitlab Runner read the CA Root certificate?
You have two options:
Ignore SSL verification
Put this at the top of your .gitlab-ci.yml:
variables:
  GIT_SSL_NO_VERIFY: "1"
Point GitLab-Runner to the proper certificate
As outlined in the official documentation, you can use the tls-*-file options to setup your certificate, e.g.:
[[runners]]
...
tls-ca-file = "/etc/gitlab-runner/ssl/ca-bundle.crt"
[runners.docker]
...
As the documentation states, "this file will be read every time when runner tries to access the GitLab server."
Other options include tls-cert-file to define the certificate to be used if needed.
While I still haven't understood why it doesn't work out-of-the-box, I've found the Egg of Columbus:
Gitlab-Runner configuration:
[[runners]]
name = "MyDockerServer-Runner"
url = "https://MY_PRIVATE_REPO_URL_HERE/"
token = "MY_TOKEN_HERE"
executor = "docker"
...
[runners.docker]
image = "ubuntu:latest"
# The trick is the following:
volumes = ["/cache","/srv/gitlab-runner/config:/etc/gitlab-runner"]
...
Gitlab-ci.yml pipeline:
MyJob:
  image: ubuntu:latest
  script:
    - awk -v cmd='openssl x509 -noout -subject' '/BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-certificates.crt
    - git clone https://gitlab-ci-token:${CI_BUILD_TOKEN}@ServerA/foo/bar/My-Project.wiki.git
    - wget -O foo.png https://ServerA/foo/bar/foo.png
  before_script:
    - apt-get update -y >/dev/null
    - apt-get install -y apt-utils dialog >/dev/null
    - apt-get install -y git >/dev/null
    - apt-get install -y wget >/dev/null
    # The trick is the following:
    - cp /etc/gitlab-runner/certs/ca.crt /usr/local/share/ca-certificates/ca.crt
    - update-ca-certificates
That's it:
Mount the volume once (per Docker executor)
Update the CA certificates once (per job)
And everything will work as expected: git clone, wget https, etc...
A great workaround, until someone at GitLab fixes it or explains to me where I'm wrong (be my guest!)
Not sure it's the best approach, but at least it worked for me. You can create a customized gitlab runner image and add your root CA inside:
├── Dockerfile
└── myca.crt
# Dockerfile
FROM gitlab/gitlab-runner:latest
COPY myca.crt /usr/local/share/ca-certificates
RUN update-ca-certificates
Build it:
docker build -t custom-gitlab-runner .
And rerun all your commands, just remember to use this new image name.
Off-topic, but related and might be useful
Dockerized gitlab-runner seems to also ignore entries in your /etc/hosts, so if you have launched Gitlab on a custom domain, e.g. https://gitlab.local.net, you need to pass the values from /etc/hosts when launching/registering gitlab runner:
docker run -d --name gitlab-runner --restart always \
--add-host="gitlab.local.net:192.168.1.100" \
...
If you want to launch docker:dind (docker in docker service) container to build docker images, you also need to set these values inside /srv/gitlab-runner/config/config.toml:
[[runners]]
url = "https://gitlab.local.net/"
executor = "docker"
pre_clone_script = "echo '192.168.1.100 gitlab.local.net registry.local.net' >> /etc/hosts"
...
From the output you provided I think that the certificate might be OK but you are lacking the CRL file: server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
The CRL file is used to verify that, even if the certificate is valid, it hasn't been revoked by the CA owner. You would then need to:
1) Generate a CRL file based on your CA:
openssl ca -gencrl -keyfile ca.key -cert ca.crt -out crl.pem
source: https://blog.didierstevens.com/2013/05/08/howto-make-your-own-cert-and-revocation-list-with-openssl/
2) Instruct the runner to use it:
[[runners]]
...
tls-ca-file = "/etc/gitlab-runner/ssl/ca-bundle.crt"
crl-file = "/etc/gitlab-runner/ssl/ca.crl"
3) Of course, setting GIT_SSL_NO_VERIFY will work, but you will be more sensitive to man-in-the-middle attacks.
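As an added example (not code from the question or any of the answers), here is a before_script helper for the job container in the volume-mount workaround above: the CA file is mounted from the runner's config volume, the job checks whether that exact certificate is already in the image's bundle, installs it if not, and points git at the bundle explicitly rather than setting GIT_SSL_NO_VERIFY. The default paths are the ones used in this thread; the PEM comparison works on the base64 body so it needs no openssl at all.

```shell
#!/bin/sh
# Print the base64 body of the first certificate in a PEM file as one line.
pem_body() {
  awk '/-----BEGIN CERTIFICATE-----/ {f=1; next}
       /-----END CERTIFICATE-----/   {exit}
       f {printf "%s", $0}' "$1"
}

# Return 0 if the bundle ($2) contains the certificate held in $1, comparing
# the base64 body so line wrapping and surrounding text do not matter.
# Returns 2 if $1 holds no certificate at all.
bundle_has_ca() {
  want=$(pem_body "$1")
  [ -n "$want" ] || return 2
  awk -v want="$want" '
    /-----BEGIN CERTIFICATE-----/ {body=""; f=1; next}
    /-----END CERTIFICATE-----/   {f=0; if (body == want) {found=1; exit}; next}
    f {body = body $0}
    END {exit found ? 0 : 1}' "$2"
}

# Install the mounted CA into the job image's store when it is missing, then
# tell git which bundle to verify against (the same setting GIT_SSL_CAINFO
# controls), so verification stays on instead of being switched off.
trust_custom_ca() {
  ca=${1:-/etc/gitlab-runner/certs/ca.crt}
  bundle=${2:-/etc/ssl/certs/ca-certificates.crt}
  if bundle_has_ca "$ca" "$bundle"; then
    echo "custom CA already present in $bundle"
  else
    cp "$ca" /usr/local/share/ca-certificates/custom-ca.crt && update-ca-certificates
  fi
  git config --global http.sslCAInfo "$bundle"
}

# In .gitlab-ci.yml:  before_script: [". ./trust-ca.sh", "trust_custom_ca"]
```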
I'm trying to follow this set of instructions.
My travis log is here.
0.01s$ openssl aes-256-cbc -K $encrypted_4b2755af321b_key -iv $encrypted_4b2755af321b_iv -in etc/deploy.enc -out ~/.ssh/publish-key -d
before_install.2
0.00s$ chmod u=rw,og= ~/.ssh/publish-key
before_install.3
0.00s$ echo "Host github.com" >> ~/.ssh/config
before_install.4
0.00s$ echo " IdentityFile ~/.ssh/publish-key" >> ~/.ssh/config
before_install.5
0.00s$ git --version
git version 1.8.5.6
before_install.6
0.01s$ git remote set-url origin git@github.com:zaun/riot-ui.git
$ git fetch origin -f gh-pages:gh-pages
Warning: Permanently added the RSA host key for IP address '192.30.253.112' to the list of known hosts.
Enter passphrase for key '/home/travis/.ssh/publish-key':
Done: Job Cancelled
The job hangs with /home/travis/.ssh/publish-key. The key has no password. Hitting Enter would make the script continue.
My before_install step to deal with the key is this:
before_install:
- openssl aes-256-cbc -K $encrypted_4b2755af321b_key -iv $encrypted_4b2755af321b_iv -in etc/deploy.enc -out ~/.ssh/publish-key -d
- chmod u=rw,og= ~/.ssh/publish-key
- ssh-keyscan github.com >> ~/.ssh/known_hosts
- echo "Host github.com" >> ~/.ssh/config
- echo " IdentityFile ~/.ssh/publish-key" >> ~/.ssh/config
- git --version
- git remote set-url origin git@github.com:zaun/riot-ui.git
- git fetch origin -f gh-pages:gh-pages
What am I doing wrong? How do I get this to work?
Try to use ssh agent instead.
addons:
  ssh_known_hosts: github.com
before_script:
  - openssl aes-256-cbc -K $encrypted_4b2755af321b_key -iv $encrypted_4b2755af321b_iv -in etc/deploy.enc -out publish-key -d
  - chmod 600 publish-key
  - eval `ssh-agent -s`
  - ssh-add publish-key
And it can be more secure to do this as late as possible, to avoid third-party scripts exposing your keys. I personally do this in my after_success script, just before using git commands.
You can have a look at this repository for a complete example.
If git is waiting for input, you can try feeding it a newline:
before_install:
⋮
- echo | git fetch origin -f gh-pages:gh-pages
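As an added example (not code from any of the questions or answers), this helper covers the before_install flow of both Travis deploy-key questions above: it loads the decrypted key into ssh-agent and makes the job fail immediately if the key would trigger a passphrase prompt, instead of hanging until the build is cancelled. It assumes the key has already been decrypted to the path given as $1 by the openssl aes-256-cbc step shown in the thread, and that ssh-keygen, ssh-keyscan and ssh-agent are available as on a Travis worker.

```shell
#!/bin/sh
add_deploy_key() {
  key=$1
  host=${2:-github.com}
  [ -f "$key" ] || { echo "deploy key not found: $key" >&2; return 1; }
  chmod 600 "$key"
  # -y -P '' derives the public key using an empty passphrase; this succeeds
  # only for an unprotected key, so a protected (or corrupted, e.g. wrongly
  # decrypted) key is caught here instead of git stalling on a prompt later.
  if ! ssh-keygen -y -P '' -f "$key" >/dev/null 2>&1; then
    echo "deploy key at $key is passphrase-protected or malformed" >&2
    return 1
  fi
  # Record the host key up front, like the addons.ssh_known_hosts setting
  # above, so the first connection is not silently interactive.
  mkdir -p ~/.ssh && chmod 700 ~/.ssh
  ssh-keyscan -t rsa,ed25519 "$host" >> ~/.ssh/known_hosts 2>/dev/null
  # Start an agent for this shell only and keep the key for a bounded time,
  # so later build steps cannot reuse it indefinitely.
  eval "$(ssh-agent -s)" >/dev/null
  ssh-add -t 1800 "$key" || return 1
  # BatchMode makes ssh fail instead of prompting for anything at all.
  export GIT_SSH_COMMAND="ssh -o BatchMode=yes"
}

# In .travis.yml:  before_install: [". ./deploy-key.sh", "add_deploy_key publish-key"]
```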