To add onto the many options here, if you only need the SSH keys to be used
by Git for clones etc., you can entirely customise how Git uses SSH using
the *GIT_SSH_COMMAND* env var
<https://git-scm.com/docs/git#Documentation/git.txt-codeGITSSHCOMMANDcode>,
set at the container level.

```
GIT_SSH_COMMAND="ssh -i /path/to/your/private/key"
```

Then you can put the private key anywhere you like (including /godata - not
just the home dir) which the GoCD server/agent has access to (as long as it
has the right file permissions (400 or 600) and is readable by
`go`/UID=1000 user, as Ram notes).

-Chad
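
The GIT_SSH_COMMAND approach described above, as an added shell example that is not part of the original message or of GoCD: it checks the key's mode and owner before use and also points ssh at a known_hosts file, since that file otherwise lives in ~/.ssh as well. The /godata/ssh paths and the function names are assumptions, and `stat -c` is the GNU coreutils form.

```shell
#!/bin/sh
# Added example. Paths and function names are hypothetical.

# check_key FILE [UID]: succeed only if FILE is a regular file with
# mode 400 or 600 and is owned by UID (default 1000, the `go` user).
check_key() {
    key=$1
    want_uid=${2:-1000}
    if [ ! -f "$key" ]; then
        echo "not a regular file: $key" >&2
        return 1
    fi
    mode=$(stat -c '%a' "$key") || return 1    # GNU stat: octal mode
    owner=$(stat -c '%u' "$key") || return 1   # GNU stat: numeric owner
    case $mode in
        400|600) ;;
        *) echo "mode $mode on $key, want 400 or 600" >&2; return 1 ;;
    esac
    if [ "$owner" != "$want_uid" ]; then
        echo "owner uid $owner on $key, want $want_uid" >&2
        return 1
    fi
}

# git_ssh_command KEY KNOWN_HOSTS: print a value for GIT_SSH_COMMAND.
# Git hands this string to a shell, so paths containing anything other
# than letters, digits, "_", ".", "/" and "-" are rejected, not quoted.
git_ssh_command() {
    if [ -z "$1" ] || [ -z "$2" ]; then
        echo "usage: git_ssh_command KEY KNOWN_HOSTS" >&2
        return 1
    fi
    case "$1$2" in
        *[!A-Za-z0-9_./-]*) echo "unsafe character in path" >&2; return 1 ;;
    esac
    # IdentitiesOnly stops ssh from offering other keys it may find;
    # StrictHostKeyChecking=yes refuses hosts missing from known_hosts.
    printf 'ssh -i %s -o IdentitiesOnly=yes -o UserKnownHostsFile=%s -o StrictHostKeyChecking=yes' "$1" "$2"
}

# Usage in an entrypoint script (paths are hypothetical):
#   check_key /godata/ssh/id_ed25519 1000 &&
#     export GIT_SSH_COMMAND="$(git_ssh_command /godata/ssh/id_ed25519 /godata/ssh/known_hosts)"
```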

On Tue, May 7, 2024 at 11:11 PM Sriram Narayanan <sriram...@gmail.com>
wrote:

>
>
> On Mon, May 6, 2024 at 3:30 AM Jason Smyth <jsm...@taqauto.com> wrote:
>
>> Hi Satya,
>>
>> A possible workaround to the limitation is updating the server image and
>> adding a symlink that points ~/.ssh/ to wherever you want to actually mount
>> the data.
>>
>> I have never experimented with using a symlink for the .ssh directory,
>> though, so this may not work.
>>
>
> I haven't tried this yet, but one would explore adding a custom shell
> script at the /docker-entrypoint.d/ mount point which could create such a
> symlink.
>
> Nice tip, Jason.
>
>
>>
>> Hope this helps,
>> Jason
>>
>>
>> On Sunday 28 April 2024 at 12:12:16 UTC-4 Sriram Narayanan wrote:
>>
>>> On Sat, Apr 27, 2024 at 7:10 PM Satya Elipe <satya...@gmail.com> wrote:
>>>
>>>> Thank you Sriram.
>>>>
>>>> So, ".ssh" folder mounting will be separate from the rest of the data
>>>> (/godata, for plugins, pipelines, db etc)...so there would be two separate
>>>> mount points into the container ?
>>>>
>>>> I'm using ECS at the moment and not kubernetes, so my task definition
>>>> will have two mount points like below:
>>>>
>>>> ```
>>>>             "mountPoints": [
>>>>                 {
>>>>                     "sourceVolume": "efs_id:/godata",
>>>>                     "containerPath": "/godata"
>>>>                 },
>>>>                 {
>>>>                     "sourceVolume": "efs_id:/godata/.ssh",
>>>>                     "containerPath": "/home/go/.ssh"
>>>>                 }
>>>>             ],
>>>> ```
>>>>
>>>> So mounting /godata and efs_id:/godata/.ssh from EFS into the
>>>> container at /godata and /home/go/.ssh locations respectively (per
>>>> above code) seems to work.
>>>>
>>>> In this case entry_point.sh from the base image is able to
>>>> map/consider and execute them properly, hence the server is up and running
>>>> and functioning properly.
>>>>
>>>> Is that the way it has to be, I think the github repo for gocd server
>>>> says that I guess, but perhaps I feel that extra mount point just for .ssh
>>>> is overkill and if .ssh can also be entertained by entry_point.sh from one
>>>> single mount point /godata in my case, that would be great ?
>>>>
>>>> If I do not mount .ssh into /home/go/.ssh separately into the container
>>>> - things seem to fail complaining that "key verification failed", I'm not
>>>> sure whether I'm still missing something here.
>>>>
>>>
>>> Hey, I had got caught by surprise earlier during the "elastic agent"
>>> discussions and had assumed that you must be using EKS. Sorry, my bias had
>>> clouded my judgement then. Thankfully Chad and you cleared that up.
>>>
>>> ssh by default checks ~/.ssh/ for the keys. Within the GoCD server and
>>> agent containers, this home (~) is the /home/go directory, and hence we
>>> mount the .ssh folder there. There are use cases where the keys are made
>>> available via a different network share and not mixed with configurations
>>> that regular GoCD admins would have access to, and hence being able to
>>> mount from a separate place to ~/.ssh is helpful. You could always place
>>> the .ssh directory alongside other directories that would get to godata,
>>> while also explicitly specifying a mount to /home/go. At present, GoCD does
>>> not have a configuration option to point it to a private key at a path
>>> other than ~/.ssh
>>>
>>> https://docs.gocd.org/current/faq/docker_container_ssh_keys.html
>>>
>>>
>>>>
>>>> Many thanks
>>>> Satya
>>>>
>>>> On Thu, Apr 25, 2024 at 3:31 PM Sriram Narayanan <srir...@gmail.com>
>>>> wrote:
>>>>
>>>>>
>>>>>
>>>>> On Thu, Apr 25, 2024 at 10:16 PM Satya Elipe <satya...@gmail.com>
>>>>> wrote:
>>>>>
>>>>>> Hi all
>>>>>>
>>>>>> Wonder, what's the way around to mount .ssh from EFS into the gocd
>>>>>> base container (from the image gocd/gocd-server:v22.3.0).
>>>>>>
>>>>>>
>>>>>> We have saved all our content into EFS under /godata and map that
>>>>>> into the container as /godata.
>>>>>>
>>>>>>
>>>>>> We are using gocd/gocd-server:v22.3.0.
>>>>>>
>>>>>>
>>>>>> It all runs good, mapping was fine too but just one thing that’s not
>>>>>> happening is “.ssh” folder.
>>>>>>
>>>>>>
>>>>>> I have .ssh with all required keys in EFS under /godata and /godata
>>>>>> within the container also has .ssh but not /go-working-dir.
>>>>>>
>>>>>>
>>>>>> Is that supported, am I mis-configuring it, or do we need to handle
>>>>>> that outside of the base image ?
>>>>>>
>>>>>
>>>>> At a high level, the .ssh folder should be mounted into /home/go.
>>>>> e.g. docker run -v /path/to/godata:/godata -v /path/to/home-dir:/home/go
>>>>> gocd/gocd-server:v23.5.0
>>>>> IMPORTANT: You must set the user ID of the files within .ssh to 1000.
>>>>> This is the user ID of the gocd process within the container.
>>>>>
>>>>> See:
>>>>> https://github.com/gocd/docker-gocd-server?tab=readme-ov-file#mounting-volumes
>>>>>
>>>>> Given that you are using Kubernetes, please see the Helm chart
>>>>> documentation here
>>>>> https://github.com/gocd/helm-chart/blob/master/gocd/README.md
>>>>>
>>>>> It provides info on just about every configurable attribute for the
>>>>> GoCD server and the agent.
>>>>>
>>>>> Of particular importance for you are these two attributes:
>>>>> server.persistence.subpath.homego
>>>>> agent.persistence.subpath.homego
>>>>>
>>>>> Please see that document and jot down your action plan since you will
>>>>> need to provide the SSH keys to the server _and_ the agent containers.
>>>>>
>>>>> IMPORTANT: You must set the user ID of the files within .ssh to 1000.
>>>>> This is the user ID of the gocd process within the container.
>>>>>
>>>>>
>>>>>
>>>>>>
>>>>>> Many thanks in advance !
>>>>>>
>>>>>> --
>>>>>> You received this message because you are subscribed to the Google
>>>>>> Groups "go-cd" group.
>>>>>> To unsubscribe from this group and stop receiving emails from it,
>>>>>> send an email to go-cd+un...@googlegroups.com.
>>>>>> To view this discussion on the web visit
>>>>>> https://groups.google.com/d/msgid/go-cd/CADKEDRrQOX11i951ZPiUYeOdMqThbCoZG7_WAqgBJFg1BxqxfQ%40mail.gmail.com
>>>>>> <https://groups.google.com/d/msgid/go-cd/CADKEDRrQOX11i951ZPiUYeOdMqThbCoZG7_WAqgBJFg1BxqxfQ%40mail.gmail.com?utm_medium=email&utm_source=footer>
>>>>>> .
>>>>>>
