{"id":5551,"date":"2019-09-12T10:24:58","date_gmt":"2019-09-12T15:24:58","guid":{"rendered":"https:\/\/www.rushworth.us\/lisa\/?p=5551"},"modified":"2019-09-12T10:44:35","modified_gmt":"2019-09-12T15:44:35","slug":"5551","status":"publish","type":"post","link":"https:\/\/www.rushworth.us\/lisa\/?p=5551","title":{"rendered":"GitLab SSH Deployment Setup"},"content":{"rendered":"

Preliminary stuff \u2013 before setting up SSH deployment in your pipeline, you\u2019ll need a user on the target box with permission to write to the files being published. You will need a public\/private key pair.<\/p>\n

On the target server, the project needs to be cloned into the deployment directory. The public key will need to be added to authorized_keys (or authorized_keys2 on older versions of Linux) file so the private key can be used for authentication.<\/p>\n

<\/p>\n

To set up your GitLab project for SSH-based deployment, you need to add some variables to the project. In the project, navigate to Settings ==> CI\/CD<\/p>\n

<\/p>\n

Expand the \u201cVariables\u201d section. You will need to add the following key\/value variable pairs:<\/p>\n\n\n\n\n\n\n\n\n\n
Key<\/strong><\/td>\nValue<\/strong><\/td>\n<\/tr>\n
SSH_KNOWN_HOSTS<\/td>\nOutput of ssh-keyscan targetserver.example.com<\/td>\n<\/tr>\n
SSH_PRIVATE_KEY<\/td>\nContent of your private key<\/td>\n<\/tr>\n
DEPLOYMENT_HOST<\/td>\nTarget hostname, e.g. targetserver.example.com<\/td>\n<\/tr>\n
DEPLOYMENT_USER<\/td>\nUsername on target server<\/td>\n<\/tr>\n
DEPLOYMENT_PATH<\/td>\nPath to which project will be deployed on target server<\/td>\n<\/tr>\n
<\/td>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Save the variables<\/p>\n

<\/p>\n

I am managing both a production and development deployment within the pipeline, so I\u2019ve got prod and dev specific variables. We use the same username for prod and dev; but the hostname, path, and target server public key are different.<\/p>\n

If your repository is publicly readable, this is sufficient. If you have a private repository, you\u2019ll need a way to authenticate and fetch the data. In this example, I am using a deployment token. Under Settings Repository, expand the \u201cDeployment Tokens\u201d section and create a deployment token. On my target servers, the remote is added as https:\/\/TokenUser:TokenSecret@gitlab.example.com\/path\/to\/project.git instead of just https:\/\/gitlab.example.com\/path\/to\/project.git<\/p>\n

<\/p>\n

Once you have defined these variables within the project, use the variables in your CI\/CD YAML. In this example, I am deploying PHP code to a web server. Changes to the development branch are deployed to the dev server, and changes to the master branch are deployed to the production server.<\/p>\n

<\/p>\n

In the before_script, I set up the key-based authentication by adding the private key to my runner environment and adding the prod and dev target server\u2019s public key to the runner environment.<\/p>\n

-\u00a0'which\u00a0ssh-agent\u00a0||\u00a0(\u00a0apt-get\u00a0update\u00a0-y\u00a0&&\u00a0apt-get\u00a0install\u00a0openssh-client\u00a0-y\u00a0)'\r\n-\u00a0eval\u00a0$(ssh-agent\u00a0-s)\r\n-\u00a0echo\u00a0\"$SSH_PRIVATE_KEY\"\u00a0|\u00a0tr\u00a0-d\u00a0'\\r'\u00a0|\u00a0ssh-add\u00a0-\u00a0>\u00a0\/dev\/null\r\n-\u00a0mkdir\u00a0-p\u00a0~\/.ssh\r\n-\u00a0chmod\u00a0700\u00a0~\/.ssh\r\n-\u00a0echo\u00a0\"$SSH_KNOWN_HOSTS_DEV\"\u00a0>\u00a0~\/.ssh\/known_hosts\r\n-\u00a0echo\u00a0\"$SSH_KNOWN_HOSTS_PROD\"\u00a0>>\u00a0~\/.ssh\/known_hosts\r\n-\u00a0chmod\u00a0644\u00a0~\/.ssh\/known_hosts<\/pre>\n
In the deployment component, username and host variables are used to connect to the target server via SSH. The commands run over that SSH session change directory into the deployment target path and use \u201cgit pull\u201d to fetch and merge the updated code. This ensures the proper branch is pulled to the production and down-level environments.<\/p>\n
production-deployment:\r\n stage: deploy\r\n  script:\r\n    - ssh $DEPLOYMENT_USER@$DEPLOYMENT_HOST_PROD \"cd '$DEPLOYMENT_PATH_PROD'; git pull origin master\"\r\n  only:\r\n    - master\r\n\r\ndevelopment-deployment:\r\n stage: deploy\r\n script:\r\n   - ssh $DEPLOYMENT_USER@$DEPLOYMENT_HOST_DEV \"cd '$DEPLOYMENT_PATH_DEV'; git pull origin development\"\r\n only:\r\n   - development<\/pre>\n
Now when I make changes to the project code,<\/p>\n
<\/p>\n
Assuming the tests still pass, the deployment will run<\/p>\n
<\/p>\n
If you click on the deployment component, you can see what changes were pulled to the target server<\/p>\n
<\/p>\n
And, yes, the updated files are on my target server.<\/p>\n
<\/p>\n
 <\/p>\n","protected":false},"excerpt":{"rendered":"
Preliminary stuff \u2013 before setting up SSH deployment in your pipeline, you\u2019ll need a user on the target box with permission to write to the files being published. You will need a public\/private key pair. On the target server, the project needs to be cloned into the deployment directory. The public key will need to …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[33,30],"tags":[660,232],"class_list":["post-5551","post","type-post","status-publish","format-standard","hentry","category-coding","category-system-administration","tag-ci-cd","tag-gitlab"],"_links":{"self":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/5551","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5551"}],"version-history":[{"count":3,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/5551\/revisions"}],"predecessor-version":[{"id":5563,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/5551\/revisions\/5563"}],"wp:attachment":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5551"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5551"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5551"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}