Mount .ssh from EFS to the container (from the image gocd/gocd-server:v22.3.0)

17 views
Skip to first unread message

Satya Elipe

unread,
Apr 25, 2024, 10:16:08 AMApr 25
to go...@googlegroups.com
Hi all 

Wonder, what's the way around to mount .ssh from EFS into the gocd base container (from the image gocd/gocd-server:v22.3.0).


We have saved all our content into EFS under /godata and maps that into the container as /godata.


We are using gocd/gocd-server:v22.3.0.


It all runs good, mapping was fine too but just one thing that’s not happening is “.ssh” folder.


I have .ssh with all required keys in EFS under /godata and /godata within the container also has .ssh but not /go-working-dir.


Is that supported, am I mis-configuring it, or do we need to handle that outside of the base image ?


Many thanks in advance !

Sriram Narayanan

unread,
Apr 25, 2024, 10:31:25 AMApr 25
to go...@googlegroups.com
At a high level, the .ssh folder should be mounted into /home/go. e.g. docker run -v /path/to/godata:/godata -v /path/to/home-dir:/home/go gocd/gocd-server:v23.5.0
IMPORTANT: You must set the user ID of the files within .ssh to 1000. This is the user ID of the gocd process within the container.


Given that you are using Kubernetes, please see the Helm chart documentation here https://github.com/gocd/helm-chart/blob/master/gocd/README.md

It provides info on just about every configurable attribute for the GoCD server and the agent.

Of particular importance for you are these two attributes:
server.persistence.subpath.homego
agent.persistence.subpath.homego

Please see that document and jot down your action plan since you will need to provide the SSH keys to the server _and_ the agent containers.

IMPORTANT: You must set the user ID of the files within .ssh to 1000. This is the user ID of the gocd process within the container.

 


Many thanks in advance !

--
You received this message because you are subscribed to the Google Groups "go-cd" group.
To unsubscribe from this group and stop receiving emails from it, send an email to go-cd+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/go-cd/CADKEDRrQOX11i951ZPiUYeOdMqThbCoZG7_WAqgBJFg1BxqxfQ%40mail.gmail.com.

Satya Elipe

unread,
Apr 27, 2024, 7:10:18 AMApr 27
to go...@googlegroups.com
Thank you Sriram.

So, ".ssh" folder mounting will be separate from the rest of the data (/godata, for plugins, pipelines, db etc)...so there would be two separate mount points into the container ? 

I'm using ECS at the moment and not kubernetes, so my task definition will have two mount points like below:

```
            "mountPoints": [
                {
                    "sourceVolume": "efs_id:/godata",
                    "containerPath": "/godata"
                },
                {
                    "sourceVolume": "efs_id:/godata/.ssh",
                    "containerPath": "/home/go/.ssh"
                }
            ],
```

So mounting /godata and efs_id:/godata/.ssh from EFS into the container at /godata and /home/go/.ssh locations respectively (per above code) seems to work. 

In this case entry_point.sh from the base image is able to map/consider and execute them properly, hence the server is up and running and functioning properly.

Is that the way it has to be, I think the github repo for gocd server says that I guess, but perhaps I feel that extra mount point just for .ssh is overkill and if .ssh can also be entertained by entry_point.sh from one single mount point /godata in my case, that would be great ?

If I do not mount .ssh into /home/go/.ssh separately into the container - things seem to fail complaining that "key verification failed", I'm not sure whether I'm still missing something here.

Many thanks
Satya

Sriram Narayanan

unread,
Apr 28, 2024, 12:12:16 PMApr 28
to go...@googlegroups.com
On Sat, Apr 27, 2024 at 7:10 PM Satya Elipe <satya...@gmail.com> wrote:
Thank you Sriram.

So, ".ssh" folder mounting will be separate from the rest of the data (/godata, for plugins, pipelines, db etc)...so there would be two separate mount points into the container ? 

I'm using ECS at the moment and not kubernetes, so my task definition will have two mount points like below:

```
            "mountPoints": [
                {
                    "sourceVolume": "efs_id:/godata",
                    "containerPath": "/godata"
                },
                {
                    "sourceVolume": "efs_id:/godata/.ssh",
                    "containerPath": "/home/go/.ssh"
                }
            ],
```

So mounting /godata and efs_id:/godata/.ssh from EFS into the container at /godata and /home/go/.ssh locations respectively (per above code) seems to work. 

In this case entry_point.sh from the base image is able to map/consider and execute them properly, hence the server is up and running and functioning properly.

Is that the way it has to be, I think the github repo for gocd server says that I guess, but perhaps I feel that extra mount point just for .ssh is overkill and if .ssh can also be entertained by entry_point.sh from one single mount point /godata in my case, that would be great ?

If I do not mount .ssh into /home/go/.ssh separately into the container - things seem to fail complaining that "key verification failed", I'm not sure whether I'm still missing something here.

Hey, I had got caught by surprise earlier during the "elastic agent" discussions and had assumed that you must be using EKS. Sorry, my bias had clouded my judgement then. Thankfully Chad and you cleared that up.

ssh by default checks ~/.ssh/ for the keys. Within the GoCD server and agent containers, this home (~) is the /home/go directory, and hence we mount the .ssh folder there. There are use cases where the keys are made available via a different network share and not mixed with configurations that regular GoCD admins would have access to, and hence being able to mount from a separate place to ~/.ssh is helpful. You could always place the .ssh directory along side other directories that would get to godata, while also explicitly specifying a mount to /home/go. At present, GoCD does not have a configuration option to point it to a private key at a path other than ~/ssh

 

Jason Smyth

unread,
May 5, 2024, 3:30:06 PMMay 5
to go-cd
Hi Satya,

A possible workaround to the limitation is updating the server image and adding a symlink that points ~/.ssh/ to wherever you want to actually mount the data.

I have never experimented with using a symlink for the .ssh directory, though, so this may not work.

Hope this helps,
Jason

Sriram Narayanan

unread,
May 7, 2024, 11:11:23 AMMay 7
to go...@googlegroups.com
On Mon, May 6, 2024 at 3:30 AM Jason Smyth <jsm...@taqauto.com> wrote:
Hi Satya,

A possible workaround to the limitation is updating the server image and adding a symlink that points ~/.ssh/ to wherever you want to actually mount the data.

I have never experimented with using a symlink for the .ssh directory, though, so this may not work.

I haven't tried this yet, but one would explore adding a custom shell script at the /docker-entrypoint.d/ mount point which could create such a symlink

Nice tip, Jason.
 

Chad Wilson

unread,
May 7, 2024, 11:27:51 AMMay 7
to go...@googlegroups.com
To add onto the many options here, if you only need the SSH keys to be used by Git for clones etc, you can entirely customise how GIT uses SSH using the GIT_SSH_COMMAND env var; set at the container level.

GIT_SSH_COMMAND="ssh -i /path/to/your/private/key"

Then you can put the private key anywhere you like (including /godata - not just the home dir) which the GoCD server/agent has access to (as long as it has the right file permissions (400 or 600) and is readable by `go`/UID=1000 user, as Ram notes).

-Chad

Reply all
Reply to author
Forward
0 new messages