I've got a repo that is dependent upon some other repos.

I'm trying to clone the secondary repo onto a Windows box using gitlab-runner.

My gitlab-ci.yml looks like this:

# Deploy to a staging server
deploy_staging:
  stage: deploy
  tags:
    - my_gitlab_runner 
  script:
    - echo "Deploy to staging server"
    - cd C:/
    - git clone git@gitlab.com:test_group/test_ci
  environment:
    name: staging
    url: https://127.0.0.1
  only:
    - master

If I log into the Windows box - I can use Git Bash to clone down repos manually (I've set up my ssh settings in C:/Users/myusername/.ssh)

My .ssh config looks like this:

Host gitlab.com
    Hostname altssh.gitlab.com
    user git
    Port 443
    PreferredAuthentications publickey
    IdentityFile C:/git_keys/my_gitlab_rsa

I have to use port 443 - and it works when doing it through Git Bash without issue.

The job continually fails with this error:

Cloning into 'test_ci'...
Host key verification failed.
fatal: Could not read from remote repository.

I've added my my_gitlab_rsa.pub to the repo as a deploy_key - and it works for cloning locally - just not through the gitlab-runner.

My config.toml for the gitlab-runner looks like this:

[[runners]]
  name = "TestDesktop"
  url = "https://gitlab.com"
  token = "_yt...32fjJb"
  tls-ca-file = "C:/my_certs/my_self_signed_ca.pem"
  executor = "shell"
  shell = "cmd"
  [runners.custom_build_dir]
  [runners.cache]
    [runners.cache.s3]
    [runners.cache.gcs]
    [runners.cache.azure]

Any ideas?

Hanny

2 Answers

This is only a partial answer but answers the question I asked!

It boiled down to the known_hosts file.

When I ran it as my local user and it asked me to verify the fingerprint - it added it to the known_hosts file.

I just copied/pasted the known_hosts file from my local user to the system account .ssh directory and then the job succeeded without issue.

That said - I'm not sure the best way to automate that - because I don't want to have to run it as a local user manually first to 'accept the fingerprint' every time - but I suppose this mostly answers my question.

Hanny

Somewhere in your process you need to "manually" accept the fingerprint in the known_hosts file.

That is what it is for: for someone to test that the entry in the file is safe so that all further automation can be as safe as possible.

So I usually have a kind of "setup" script, where one of the parameters is the known_hosts file.

However, I found this question because I would like to have a better location for my .ssh folder. Somehow placing it in "system" does not feel right to me.

Moreover, if you run it as a script you can call (your shell equivalent) to specify your keys and known_hosts file.

set GIT_SSH_COMMAND=ssh -i {/path/to/}id_rsa -o UserKnownHostsFile={/path/to/}known_hosts

Kapitan
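
One way to automate the known_hosts step both answers describe, as an added example (not code from either answer): a Python setup script that writes only host-key lines whose SHA256 fingerprint matches a value pinned in advance. The key blobs, the `PINNED` set and the function names are constructed for illustration; in real use the pinned fingerprint is copied from the provider's published host-key fingerprints, and `[altssh.gitlab.com]:443` is the form OpenSSH records for a host on a non-default port.

```python
import base64
import hashlib
from pathlib import Path


def sha256_fingerprint(key_b64: str) -> str:
    """OpenSSH-style fingerprint: SHA256:<unpadded base64 of sha256(key blob)>."""
    digest = hashlib.sha256(base64.b64decode(key_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def select_pinned_entries(scan_output: str, host_pattern: str, pinned: set) -> list:
    """Keep known_hosts lines for host_pattern whose key matches a pinned fingerprint."""
    accepted = []
    for line in scan_output.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#") or fields[0] != host_pattern:
            continue
        try:
            fingerprint = sha256_fingerprint(fields[2])
        except ValueError:  # key field is not valid base64
            continue
        if fingerprint in pinned:
            accepted.append(" ".join(fields[:3]))
    return accepted


def write_known_hosts(path: Path, entries: list) -> None:
    """Refuse to write an empty file, so a failed check stops the setup run."""
    if not entries:
        raise ValueError("no scanned key matched a pinned fingerprint")
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text("\n".join(entries) + "\n", encoding="ascii")


# Constructed sample data, not real GitLab host keys.
GOOD_KEY = base64.b64encode(b"constructed host key blob").decode()
OTHER_KEY = base64.b64encode(b"constructed unexpected key blob").decode()
HOST = "[altssh.gitlab.com]:443"  # host form for a non-default port
SAMPLE_SCAN = (
    "# constructed scan output\n"
    f"{HOST} ssh-ed25519 {OTHER_KEY}\n"
    f"{HOST} ssh-ed25519 {GOOD_KEY}\n"
)
# Assumption: in real use this set holds fingerprints obtained out of band.
PINNED = {sha256_fingerprint(GOOD_KEY)}

if __name__ == "__main__":
    for entry in select_pinned_entries(SAMPLE_SCAN, HOST, PINNED):
        print(entry)
```

The file written by `write_known_hosts` is the one to pass as `UserKnownHostsFile` in `GIT_SSH_COMMAND`, which keeps it out of the system account's .ssh directory.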