Create symlinks in /etc/ssh pointing to /etc/gitlab for SSH private keys

Erik Tewsrequested to merge
etews/omnibus-gitlab:ssh-private-key-symlink into master

Create symlinks in /etc/ssh pointing to /etc/gitlab for SSH private keys to fix #8326 (closed)

The current Gitlab Docker image creates SSH host keys during build in /etc/ssh when installing openssh-server. These keys are not used. Instead, the SSH host keys for Gitlab are generated by the wrapper script and stored in /etc/gitlab.

Previously, the wrapper script overwrote the unused SSH public host keys in /etc/ssh with symlinks pointing to the keys used in /etc/gitlab. The SSH private keys were left untouched. Thus, there were SSH private keys in /etc/ssh that were not used and the corresponding public keys in /etc/ssh were symlinks to /etc/gitlab and the private and public keys did not match.

Since this is could be confusing for adminstrators, this commit alters the wrapper script so that the unused SSH private keys in /etc/ssh are replaced with symlinks to the private keys used in /etc/gitlab.

I did a manual build of the Docker container and started a new instance and Gitlab seems to run well.

@dustinmm80 Can you do a review?

Related issues

Closes #8326 (closed)

Checklist

Required

  • MR title and description are up to date, accurate, and descriptive.
  • MR targeting the appropriate branch.
  • Latest Merge Result pipeline is green.
    • I'm sorry, I'm out of pipeline minutes. It looks like not all pipe jobs for the master branch are currently green.
  • When ready for review, MR is labeled "~workflow::ready for review" per the Distribution MR workflow.

For GitLab team members

If you don't have access to this, the reviewer should trigger these jobs for you during the review process.

  • The manual Trigger:ee-package jobs have a green pipeline running against latest commit.
  • If config/software or config/patches directories are changed, make sure the build-package-on-all-os job within the Trigger:ee-package downstream pipeline succeeded.
  • If you are changing anything SSL related, then the Trigger:package:fips manual job within the Trigger:ee-package downstream pipeline must succeed.
  • If CI configuration is changed, the branch must be pushed to dev.gitlab.org to confirm regular branch builds aren't broken.

Expected (please provide an explanation if not completing)

  • Test plan indicating conditions for success has been posted and passes.
  • Documentation created/updated.
  • Tests added.
  • Integration tests added to GitLab QA.
  • Equivalent MR/issue for the GitLab Chart opened.
  • Validate potential values for new configuration settings. Formats such as integer 10, duration 10s, URI scheme://user:passwd@host:port may require quotation or other special handling when rendered in a template and written to a configuration file.
Edited by Erik Tews

Merge request reports