I’m trying to implement CD for my containerized (Docker, nginx) Django app using GitLab on a DigitalOcean droplet.
I have created a pair of SSH keys and added the public key to the DigitalOcean platform. I can log in to my droplet using that SSH key.
Now, I have added the private key as an environment variable in GitLab as $PRIVATE_KEY, so now when I run the deployment it returns a permission denied error.
Here’s my .gitlab-ci.yml:
```yaml
image:
  name: docker/compose:1.29.2
  entrypoint: [""]
services:
  - docker:dind
stages:
  - build
  - deploy
variables:
  DOCKER_HOST: tcp://docker:2375
  DOCKER_DRIVER: overlay2
before_script:
  - export IMAGE=$CI_REGISTRY/$CI_PROJECT_NAMESPACE/$CI_PROJECT_NAME
  - export WEB_IMAGE=$IMAGE/web:web
  - export NGINX_IMAGE=$IMAGE/nginx:nginx
  - apk add --no-cache openssh-client bash
  - chmod +x ./setup_env.sh
  - bash ./setup_env.sh
  - docker login -u $CI_REGISTRY_USER -p $CI_JOB_TOKEN $CI_REGISTRY
build:
  stage: build
  script:
    - docker pull $IMAGE/web:web || true
    - docker pull $IMAGE/nginx:nginx || true
    - docker-compose -f docker-compose.prod.yml build
    - docker push $IMAGE/web:web
    - docker push $IMAGE/nginx:nginx
deploy:
  stage: deploy
  script:
    - mkdir -p ~/.ssh
    - echo "$PRIVATE_KEY" | tr -d '\r' > ~/.ssh/id_ed25519
    - cat ~/.ssh/id_ed25519
    - chmod 700 ~/.ssh/id_ed25519
    - eval "$(ssh-agent -s)"
    - ssh-add ~/.ssh/id_ed25519
    - ssh-keyscan -H 'gitlab.com' >> ~/.ssh/known_hosts
    - chmod +x ./deploy.sh
    - scp -o StrictHostKeyChecking=no -r ./.env ./docker-compose.prod.yml root@$DO_PUBLIC_IP_ADDRESS:/root/Pythonist.org
    - bash ./deploy.sh
```
The build stage passed, but the deploy stage failed with the following error:
```
$ chmod +x ./setup_env.sh
$ bash ./setup_env.sh
$ docker login -u $CI_REGISTRY_USER -p $CI_JOB_TOKEN $CI_REGISTRY
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
$ mkdir -p ~/.ssh
$ echo "$PRIVATE_KEY" | tr -d '\r' > ~/.ssh/id_ed25519
$ cat ~/.ssh/id_ed25519
<MY_PRIVATE_KEY>
$ chmod 700 ~/.ssh/id_ed25519
$ eval "$(ssh-agent -s)"
Agent pid 27
$ ssh-add ~/.ssh/id_ed25519
Identity added: /root/.ssh/id_ed25519 (<COMMENT>)
$ ssh-keyscan -H 'gitlab.com' >> ~/.ssh/known_hosts
# gitlab.com:22 SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2
# gitlab.com:22 SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2
# gitlab.com:22 SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2
# gitlab.com:22 SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2
# gitlab.com:22 SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2
$ chmod +x ./deploy.sh
$ scp -o StrictHostKeyChecking=no -r ./.env ./docker-compose.prod.yml root@$DO_PUBLIC_IP_ADDRESS:/root/app
Warning: Permanently added '143.198.103.99' (ECDSA) to the list of known hosts.
Permission denied, please try again.
Permission denied, please try again.
root@143.198.103.99: Permission denied (publickey,password).
lost connection
Cleaning up project directory and file based variables
00:01
ERROR: Job failed: exit code 1
```
Here’s my deploy.sh:
```sh
#!/bin/sh
ssh -o StrictHostKeyChecking=no root@$DO_PUBLIC_IP_ADDRESS << 'ENDSSH'
cd /root/Pythonist.org
export $(cat .env | xargs)
docker login -u $CI_REGISTRY_USER -p $CI_JOB_TOKEN $CI_REGISTRY
docker pull $IMAGE/web:web
docker pull $IMAGE/nginx:nginx
docker-compose -f docker-compose.prod.yml up -d
ENDSSH
```
Hello,
What I could suggest trying is to add a new line at the end of the PRIVATE_KEY variable so that it matches the required format.
If this does not work, what I could suggest is adding the -vvv debug flag for the scp command so that you could see the actual error rather than just the permission denied message. This extra output might give you more information on why the connection is failing.
Let me know how it goes! Regards, Bobby
Heya,
Ensure the private key stored in the PRIVATE_KEY environment variable in GitLab is in the correct format. It should start with:
-----BEGIN OPENSSH PRIVATE KEY-----
and end with:
-----END OPENSSH PRIVATE KEY-----
If the key isn’t in this format, update the environment variable in GitLab with the correct key.
In your GitLab CI job:
```sh
chmod 600 ~/.ssh/id_ed25519
```
Update the deploy stage to include the fixes:
```yaml
deploy:
  stage: deploy
  script:
    - mkdir -p ~/.ssh
    - echo "$PRIVATE_KEY" | tr -d '\r' > ~/.ssh/id_ed25519
    - chmod 600 ~/.ssh/id_ed25519
    - eval "$(ssh-agent -s)"
    - ssh-add ~/.ssh/id_ed25519
    - ssh-keyscan -H $DO_PUBLIC_IP_ADDRESS >> ~/.ssh/known_hosts
    - chmod +x ./deploy.sh
    - scp -o StrictHostKeyChecking=no -r ./.env ./docker-compose.prod.yml root@$DO_PUBLIC_IP_ADDRESS:/root/app
    - bash ./deploy.sh
```
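The checks both answers describe (a trailing newline, the BEGIN/END marker lines, mode 600) can be done in one step before `ssh-add`; the following is an added shell example, not code from the original thread. It never prints the key, unlike the `cat` step in the question's job, which writes it into the job log. `install_key` and `key_mode` are hypothetical helper names, and the sample key is constructed.

```shell
#!/bin/sh
# Added example. install_key and key_mode are hypothetical helper names.

# install_key KEY_TEXT DEST: validate, normalise and write a private key.
# Returns 1 (and writes nothing) if the text is not a complete key block.
install_key() {
    key_text=$1
    dest=$2

    # Strip carriage returns; $(...) also drops trailing newlines, so exactly
    # one is added back when the file is written.
    clean=$(printf '%s' "$key_text" | tr -d '\r')

    # A variable whose newlines were collapsed to spaces, or a truncated
    # paste, is rejected here with a clear message.
    first=$(printf '%s\n' "$clean" | sed -n '1p')
    last=$(printf '%s\n' "$clean" | sed -n '$p')
    if [ "$first" != "-----BEGIN OPENSSH PRIVATE KEY-----" ] ||
       [ "$last" != "-----END OPENSSH PRIVATE KEY-----" ]; then
        echo "install_key: BEGIN/END marker lines missing or misplaced" >&2
        return 1
    fi

    mkdir -p "$(dirname "$dest")"
    # umask keeps the file private from the moment it is created;
    # chmod covers the case where the file already existed.
    ( umask 077; printf '%s\n' "$clean" > "$dest" )
    chmod 600 "$dest"
}

# key_mode FILE: print the permission string, e.g. -rw-------
key_mode() {
    ls -ld "$1" | cut -c1-10
}

# Constructed sample, not a real key: CRLF endings and no trailing newline.
SAMPLE_KEY=$(printf '%s\r\n%s\r\n%s' \
    '-----BEGIN OPENSSH PRIVATE KEY-----' \
    'Q09OU1RSVUNURUQ=' \
    '-----END OPENSSH PRIVATE KEY-----')

demo_dir=$(mktemp -d)
# In the CI job this would be: install_key "$PRIVATE_KEY" ~/.ssh/id_ed25519
install_key "$SAMPLE_KEY" "$demo_dir/id_ed25519"
echo "installed with mode $(key_mode "$demo_dir/id_ed25519")"
rm -rf "$demo_dir"
```

In the job, running `ssh-keygen -y -f ~/.ssh/id_ed25519 >/dev/null` after the call confirms that the file parses as a key without printing the private part.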