Fresh docker/k8s install - Can't ssh/git pull/

Hi,
I’ve used gitlab at work for years now. And I’ve been lazy and mostly used github/bitbucket for my personal stuff so far.
I’ve decided to jump to self-hosted gitlab. And so far it’s been… painful to say the least.
But it’s running… So let’s get to it.

I’m running inside kubernetes (1.17), using the gitlab/gitlab-ce:12.9.3-ce.0 image.

So this is basically a fresh install. I’ve:

  • created a user that’s not root.
  • created a group
  • created an empty project
  • added my public ssh key to my profile

And I can’t ssh or git clone.

This is what happens in the logs when I try to git clone:

==> /var/log/gitlab/gitlab-rails/production.log <==
Started GET "/api/v4/internal/authorized_keys?key=[FILTERED]" for 127.0.0.1 at 2020-04-17 01:42:35 +0000
Started GET "/api/v4/internal/authorized_keys?key=[FILTERED]" for 127.0.0.1 at 2020-04-17 01:42:35 +0000

==> /var/log/gitlab/gitlab-rails/api_json.log <==
{"time":"2020-04-17T01:42:35.248Z","severity":"INFO","duration":79.72,"db":18.34,"view":61.379999999999995,"status":200,"method":"GET","path":"/api/v4/internal/authorized_keys","params":[{"key":"key","value":"[FILTERED]"}],"host":"127.0.0.1","remote_ip":"127.0.0.1","ua":"Go-http-client/1.1","route":"/api/:version/internal/authorized_keys","correlation_id":"0415aaff-6825-468e-8ce3-f6deb5469732"}

==> /var/log/gitlab/sshd/current <==
2020-04-17_01:42:35.46000 Access denied for user git by PAM account configuration [preauth]

==> /var/log/gitlab/gitlab-rails/api_json.log <==
{"time":"2020-04-17T01:42:35.453Z","severity":"INFO","duration":72.68,"db":18.5,"view":54.18000000000001,"status":200,"method":"GET","path":"/api/v4/internal/authorized_keys","params":[{"key":"key","value":"[FILTERED]"}],"host":"127.0.0.1","remote_ip":"127.0.0.1","ua":"Go-http-client/1.1","route":"/api/:version/internal/authorized_keys","correlation_id":"31e585b2-4047-4a9e-80e6-9dfcc5714ed5"}

This is my ssh config:

 Host git gitlab.<domain>
   HostName gitlab.<domain>
   User git
   Preferredauthentications publickey
   IdentityFile ~/.ssh/id_rsa

And this is the extent of the gitlab.rb I have:

cat /etc/gitlab/gitlab.rb | grep -v '^#' | grep -v '^$'
external_url 'http://gitlab.<domain>/'
gitlab_rails['gitlab_ssh_host'] = 'GitLab.<domain>'
gitlab_rails['gitlab_email_enabled'] = true
gitlab_rails['gitlab_email_from'] = 'GitLab@<domain>'
gitlab_rails['gitlab_email_display_name'] = 'GitLab'
gitlab_rails['gitlab_email_reply_to'] = 'GitLab@<domain>'
gitlab_rails['gitlab_email_subject_suffix'] = 'GitLab.<domain>'
gitlab_rails['gitlab_email_smime_enabled'] = false
gitlab_rails['smtp_enable'] = true
gitlab_rails['smtp_address'] = <redacted>
gitlab_rails['smtp_port'] = 465
gitlab_rails['smtp_user_name'] = <redacted>
gitlab_rails['smtp_password'] = <redacted>
gitlab_rails['smtp_domain'] = "<domain>"
gitlab_rails['smtp_authentication'] = "login"
gitlab_rails['smtp_enable_starttls_auto'] = false
gitlab_rails['smtp_tls'] = true
gitlab_shell['auth_file'] = "/var/opt/gitlab/.ssh/authorized_keys"
prometheus_monitoring['enable'] = false

I’ve also tried to set UsePAM to no in sshd_config, or add various entries to /etc/security/access.conf (like +:git:ALL or even +:ALL:ALL or -:ALL:ALL except root or whatever it was). No dice…

Let me know if there is any other information you need.
This is obviously a blocker for me…

Thanks!
Alexis

I “fixed” it…
Ended up running the container with privileged = true, and I also had to completely disable SELinux; it being in permissive mode was not enough (chef would still try to apply SELinux settings). So there is that.
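
A triage sketch for the log excerpt in the first post, added here as an example; it is not part of the original posts and not GitLab's own tooling. It assumes a 200 from /api/v4/internal/authorized_keys means the key was found, and that sshd writes the "PAM account configuration" message at the account stage, after the key has been accepted. The names parse and triage are hypothetical, and the sample lines are constructed from the post with the JSON fields trimmed.

```python
import json
import re
from datetime import datetime, timedelta

# Constructed sample, modelled on the excerpt in the post (JSON fields trimmed).
SAMPLE = """\
==> /var/log/gitlab/gitlab-rails/api_json.log <==
{"time":"2020-04-17T01:42:35.248Z","status":200,"path":"/api/v4/internal/authorized_keys"}

==> /var/log/gitlab/sshd/current <==
2020-04-17_01:42:35.46000 Access denied for user git by PAM account configuration [preauth]
"""

HEADER = re.compile(r"^==> (\S+) <==$")
PAM_DENY = re.compile(r"^(\S+) Access denied for user (\S+) by PAM account configuration")


def parse(text):
    """Split `tail` multi-file output into key lookups and PAM account denials."""
    lookups, denials, current = [], [], ""
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            current = header.group(1)
        elif current.endswith("api_json.log") and line.startswith("{"):
            rec = json.loads(line)
            if rec.get("path", "").endswith("/internal/authorized_keys"):
                ts = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%S.%fZ")
                lookups.append((ts, rec.get("status")))
        elif current.endswith("sshd/current"):
            deny = PAM_DENY.match(line)
            if deny:
                ts = datetime.strptime(deny.group(1), "%Y-%m-%d_%H:%M:%S.%f")
                denials.append((ts, deny.group(2)))
    return lookups, denials


def triage(text, window=timedelta(seconds=2)):
    """For each PAM denial, report whether a key lookup succeeded just before it."""
    lookups, denials = parse(text)
    findings = []
    for denied_at, user in denials:
        key_found = any(
            status == 200 and timedelta(0) <= denied_at - seen_at <= window
            for seen_at, status in lookups
        )
        findings.append({"user": user, "key_lookup_ok": key_found, "failed_stage": "pam_account"})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A finding with key_lookup_ok set to True points the investigation at the PAM account stack and the container's security context rather than at the SSH key or the ssh client config.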