
GitLab Shell: fix host key walking for gitlab-sshd config

Jason Plum requested to merge shell-fix-keywalk into master

What does this MR do?

gitlab-org/build/CNG!1081 (merged) remove the container's incidental shipping of /etc/ssh/ssh_host_*_key

The config.yml.tpl would walk /etc/ssh statically, and we "got away" with this because the container should not have had those files in the first place.

This updates the template to walk KEYS_DIRECTORY, and fall back to /etc/ssh if not present.
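
An added illustration of the walk described above, written for this page (example code, not the CNG project's config.yml.tpl and not part of this MR): a POSIX shell script that resolves the key directory from KEYS_DIRECTORY, falls back to /etc/ssh when that is unset or missing, and then enumerates the ssh_host_*_key private keys it finds there. The function names, the 0600 permission check and the key-count helper are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the CNG gitlab-shell image or its config.yml.tpl.
# It mirrors the walk the MR describes: prefer KEYS_DIRECTORY, fall back to
# /etc/ssh, then enumerate private host keys. Function names, the permission
# check and the key-count helper are this example's own assumptions.

# Choose the directory to walk. $1 is the KEYS_DIRECTORY value (possibly
# empty or unset), $2 the fallback (defaults to /etc/ssh).
resolve_keys_dir() {
    if [ -n "$1" ] && [ -d "$1" ]; then
        printf '%s\n' "$1"
    else
        printf '%s\n' "${2:-/etc/ssh}"
    fi
}

# Print one path per line for each ssh_host_*_key private key in $1.
# Public halves (*.pub) never match the glob; private keys whose mode is not
# exactly 0600 are skipped and reported on stderr, since a host key readable
# by other users is worth surfacing rather than silently loading.
list_host_keys() {
    dir=$1
    for key in "$dir"/ssh_host_*_key; do
        [ -f "$key" ] || continue   # no match: the literal glob is left behind
        if [ -z "$(find "$key" -perm 0600 2>/dev/null)" ]; then
            echo "skipping $key: private host key is not mode 0600" >&2
            continue
        fi
        printf '%s\n' "$key"
    done
    return 0
}

# Count the usable keys so a caller can fail fast when none are present:
# an SSH server with no host key cannot complete a handshake.
count_host_keys() {
    list_host_keys "$1" | wc -l | tr -d ' '
}

# Stand-alone usage: honour KEYS_DIRECTORY from the environment, as the
# template would, and print what would be handed to gitlab-sshd.
keys_dir=$(resolve_keys_dir "${KEYS_DIRECTORY:-}" /etc/ssh)
echo "host key directory: $keys_dir"
list_host_keys "$keys_dir"
```

Run it with `KEYS_DIRECTORY=/path/to/keys sh keywalk.sh` to see which keys would be picked up; with the variable unset it reports the /etc/ssh fallback, which after CNG!1081 is expected to contain no host keys at all.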

Details

$ docker run -ti --rm --entrypoint ''  registry.gitlab.com/gitlab-org/build/cng/gitlab-shell:v14.9.0 ls -l /etc/ssh
total 608
-rw-r--r-- 1 git git 577771 Jul  1 22:37 moduli
-rw-r--r-- 1 git git   1650 Jul  1 22:37 ssh_config
drwxr-xr-x 1 git git   4096 Jul  1 22:37 ssh_config.d
-rw------- 1 git git    513 Aug  1 15:15 ssh_host_ecdsa_key
-rw-r--r-- 1 git git    179 Aug  1 15:15 ssh_host_ecdsa_key.pub
-rw------- 1 git git    411 Aug  1 15:15 ssh_host_ed25519_key
-rw-r--r-- 1 git git     99 Aug  1 15:15 ssh_host_ed25519_key.pub
-rw------- 1 git git   2602 Aug  1 15:15 ssh_host_rsa_key
-rw-r--r-- 1 git git    571 Aug  1 15:15 ssh_host_rsa_key.pub
-rw-rw-rw- 1 git git   3461 Aug  1 15:11 sshd_config
drwxr-xr-x 1 git git   4096 Jul  1 22:37 sshd_config.d

$ docker run -ti --rm --entrypoint ''  registry.gitlab.com/gitlab-org/build/cng/gitlab-shell:main ls -l /etc/ssh
total 580
-rw-r--r-- 1 root root 577771 Jul  1 22:37 moduli
-rw-r--r-- 1 root root   1650 Jul  1 22:37 ssh_config
drwxr-xr-x 2 root root   4096 Jul  1 22:37 ssh_config.d
-rw-rw-rw- 1 git  git    3461 Aug  4 10:44 sshd_config

Related issues

gitlab-com/gl-infra/production#7551 (closed)

Checklist

See Definition of done.

For anything in this list which will not be completed, please provide a reason in the MR discussion.

Required

  • Merge Request Title and Description are up to date, accurate, and descriptive
  • MR targeting the appropriate branch
  • MR has a green pipeline on GitLab.com

Expected (please provide an explanation if not completing)

  • Test plan indicating conditions for success has been posted and passes
  • Documentation created/updated
  • Tests added
  • Integration tests added to GitLab QA
  • Equivalent MR/issue for omnibus-gitlab opened
