On Mon, May 6, 2024 at 3:30 AM Jason Smyth <[email protected]> wrote:
> Hi Satya,
>
> A possible workaround to the limitation is updating the server image and
> adding a symlink that points ~/.ssh/ to wherever you want to actually mount
> the data.
>
> I have never experimented with using a symlink for the .ssh directory,
> though, so this may not work.
>

I haven't tried this yet, but one would explore adding a custom shell script at the /docker-entrypoint.d/ mount point which could create such a symlink.

Nice tip, Jason.

>
> Hope this helps,
> Jason
>
>
> On Sunday 28 April 2024 at 12:12:16 UTC-4 Sriram Narayanan wrote:
>
>> On Sat, Apr 27, 2024 at 7:10 PM Satya Elipe <[email protected]> wrote:
>>
>>> Thank you Sriram.
>>>
>>> So, ".ssh" folder mounting will be separate from the rest of the data
>>> (/godata, for plugins, pipelines, db etc)...so there would be two separate
>>> mount points into the container ?
>>>
>>> I'm using ECS at the moment and not kubernetes, so my task definition
>>> will have two mount points like below:
>>>
>>> ```
>>> "mountPoints": [
>>>     {
>>>         "sourceVolume": "efs_id:/godata",
>>>         "containerPath": "/godata"
>>>     },
>>>     {
>>>         "sourceVolume": "efs_id:/godata/.ssh",
>>>         "containerPath": "/home/go/.ssh"
>>>     }
>>> ],
>>> ```
>>>
>>> So mounting /godata and efs_id:/godata/.ssh from EFS into the container
>>> at /godata and /home/go/.ssh locations respectively (per above code) seems
>>> to work.
>>>
>>> In this case entry_point.sh from the base image is able to map/consider
>>> and execute them properly, hence the server is up and running and
>>> functioning properly.
>>>
>>> Is that the way it has to be, I think the github repo for gocd server
>>> says that I guess, but perhaps I feel that extra mount point just for .ssh
>>> is overkill and if .ssh can also be entertained by entry_point.sh from one
>>> single mount point /godata in my case, that would be great ?
>>>
>>> If I do not mount .ssh into /home/go/.ssh separately into the container
>>> - things seem to fail complaining that "key verification failed", I'm not
>>> sure whether I'm still missing something here.
>>>
>>
>> Hey, I had got caught by surprise earlier during the "elastic agent"
>> discussions and had assumed that you must be using EKS. Sorry, my bias had
>> clouded my judgement then. Thankfully Chad and you cleared that up.
>>
>> ssh by default checks ~/.ssh/ for the keys. Within the GoCD server and
>> agent containers, this home (~) is the /home/go directory, and hence we
>> mount the .ssh folder there. There are use cases where the keys are made
>> available via a different network share and not mixed with configurations
>> that regular GoCD admins would have access to, and hence being able to
>> mount from a separate place to ~/.ssh is helpful. You could always place
>> the .ssh directory alongside other directories that would get to godata,
>> while also explicitly specifying a mount to /home/go. At present, GoCD does
>> not have a configuration option to point it to a private key at a path
>> other than ~/.ssh
>>
>> https://docs.gocd.org/current/faq/docker_container_ssh_keys.html
>>
>>
>>>
>>> Many thanks
>>> Satya
>>>
>>> On Thu, Apr 25, 2024 at 3:31 PM Sriram Narayanan <[email protected]>
>>> wrote:
>>>
>>>>
>>>>
>>>> On Thu, Apr 25, 2024 at 10:16 PM Satya Elipe <[email protected]>
>>>> wrote:
>>>>
>>>>> Hi all
>>>>>
>>>>> Wonder, what's the way around to mount .ssh from EFS into the gocd
>>>>> base container (from the image gocd/gocd-server:v22.3.0).
>>>>>
>>>>>
>>>>> We have saved all our content into EFS under /godata and map that
>>>>> into the container as /godata.
>>>>>
>>>>>
>>>>> We are using gocd/gocd-server:v22.3.0.
>>>>>
>>>>>
>>>>> It all runs good, mapping was fine too but just one thing that’s not
>>>>> happening is “.ssh” folder.
>>>>>
>>>>>
>>>>> I have .ssh with all required keys in EFS under /godata and /godata
>>>>> within the container also has .ssh but not /go-working-dir.
>>>>>
>>>>>
>>>>> Is that supported, am I mis-configuring it, or do we need to handle
>>>>> that outside of the base image ?
>>>>>
>>>>
>>>> At a high level, the .ssh folder should be mounted into /home/go.
>>>> e.g. docker run -v /path/to/godata:/godata -v /path/to/home-dir:/home/go gocd/gocd-server:v23.5.0
>>>> IMPORTANT: You must set the user ID of the files within .ssh to 1000.
>>>> This is the user ID of the gocd process within the container.
>>>>
>>>> See:
>>>> https://github.com/gocd/docker-gocd-server?tab=readme-ov-file#mounting-volumes
>>>>
>>>> Given that you are using Kubernetes, please see the Helm chart
>>>> documentation here
>>>> https://github.com/gocd/helm-chart/blob/master/gocd/README.md
>>>>
>>>> It provides info on just about every configurable attribute for the
>>>> GoCD server and the agent.
>>>>
>>>> Of particular importance for you are these two attributes:
>>>> server.persistence.subpath.homego
>>>> agent.persistence.subpath.homego
>>>>
>>>> Please see that document and jot down your action plan since you will
>>>> need to provide the SSH keys to the server _and_ the agent containers.
>>>>
>>>> IMPORTANT: You must set the user ID of the files within .ssh to 1000.
>>>> This is the user ID of the gocd process within the container.
>>>>
>>>>
>>>>>
>>>>> Many thanks in advance !
>>>>>
--
You received this message because you are subscribed to the Google Groups "go-cd" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/go-cd/CANiY96bRFcLXgWRBf4G39DainuLM94b5JnN7bFPN3_YP10ToNg%40mail.gmail.com.
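
The entrypoint-script idea raised in the reply at the top of this thread, written out as an added example; it is not part of the thread and not GoCD project code. It checks that the key directory is owned by UID 1000 and closed to group and others before pointing /home/go/.ssh at it. Assumptions: the keys sit at /godata/.ssh, scripts under /docker-entrypoint.d/ run as the go user before the server starts, and the file name is hypothetical.

```shell
#!/bin/sh
# Added example, not from the GoCD project. Hypothetical file name:
# /docker-entrypoint.d/10-link-ssh.sh. Paths and UID 1000 are the thread's.

# link_ssh_dir SRC DEST UID -> 0 on success; non-zero plus a reason on stderr.
link_ssh_dir() {
    src=$1; dest=$2; want_uid=$3

    if [ ! -d "$src" ]; then
        echo "ssh-link: $src is not a directory" >&2; return 2
    fi

    # Every entry must be owned by the UID the GoCD process runs as.
    stray=$(find "$src" ! -user "$want_uid" -print | head -n 1)
    if [ -n "$stray" ]; then
        echo "ssh-link: $stray is not owned by uid $want_uid" >&2; return 3
    fi

    # Keys on a shared volume should be accessible to the owner only.
    if ! chmod -R go-rwx "$src"; then
        echo "ssh-link: cannot tighten modes under $src" >&2; return 4
    fi

    # Replace an earlier symlink, but never clobber a real directory or file.
    if [ -L "$dest" ]; then
        rm -f "$dest"
    elif [ -e "$dest" ]; then
        echo "ssh-link: $dest exists and is not a symlink" >&2; return 5
    fi
    ln -s "$src" "$dest"
}

# Act only where the assumed source exists, i.e. inside the container.
if [ -d /godata/.ssh ]; then
    link_ssh_dir /godata/.ssh /home/go/.ssh 1000 ||
        echo "ssh-link: /home/go/.ssh left untouched" >&2
fi
```

Whether the ssh client in the image then behaves as wanted with a symlinked ~/.ssh is the point the thread leaves untested; the separate mount to /home/go/.ssh remains the documented route.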
