Hi,
I’ve used gitlab at work for years now. And I’ve been lazy and mostly used github/bitbucket for my personal stuff so far.
I’ve decided to jump to self-hosted gitlab. And so far it’s been… painful to say the least.
But it’s running… So let’s get to it.
I’m running inside kubernetes (1.17), using the gitlab/gitlab-ce:12.9.3-ce.0 image.
So this is basically a fresh install. I’ve:
- created a user that’s not root.
- created a group
- created an empty project
- added my public ssh key to my profile
And I can’t ssh or git clone.
This is what happens in the logs when I try to git clone:
==> /var/log/gitlab/gitlab-rails/production.log <==
Started GET "/api/v4/internal/authorized_keys?key=[FILTERED]" for 127.0.0.1 at 2020-04-17 01:42:35 +0000
Started GET "/api/v4/internal/authorized_keys?key=[FILTERED]" for 127.0.0.1 at 2020-04-17 01:42:35 +0000
==> /var/log/gitlab/gitlab-rails/api_json.log <==
{"time":"2020-04-17T01:42:35.248Z","severity":"INFO","duration":79.72,"db":18.34,"view":61.379999999999995,"status":200,"method":"GET","path":"/api/v4/internal/authorized_keys","params":[{"key":"key","value":"[FILTERED]"}],"host":"127.0.0.1","remote_ip":"127.0.0.1","ua":"Go-http-client/1.1","route":"/api/:version/internal/authorized_keys","correlation_id":"0415aaff-6825-468e-8ce3-f6deb5469732"}
==> /var/log/gitlab/sshd/current <==
2020-04-17_01:42:35.46000 Access denied for user git by PAM account configuration [preauth]
==> /var/log/gitlab/gitlab-rails/api_json.log <==
{"time":"2020-04-17T01:42:35.453Z","severity":"INFO","duration":72.68,"db":18.5,"view":54.18000000000001,"status":200,"method":"GET","path":"/api/v4/internal/authorized_keys","params":[{"key":"key","value":"[FILTERED]"}],"host":"127.0.0.1","remote_ip":"127.0.0.1","ua":"Go-http-client/1.1","route":"/api/:version/internal/authorized_keys","correlation_id":"31e585b2-4047-4a9e-80e6-9dfcc5714ed5"}
This is my ssh config:
Host git gitlab.<domain>
HostName gitlab.<domain>
User git
Preferredauthentications publickey
IdentityFile ~/.ssh/id_rsa
And this is the extent of the gitlab.rb I have:
cat /etc/gitlab/gitlab.rb | grep -v '^#' | grep -v '^$'
external_url 'http://gitlab.<domain>/'
gitlab_rails['gitlab_ssh_host'] = 'GitLab.<domain>'
gitlab_rails['gitlab_email_enabled'] = true
gitlab_rails['gitlab_email_from'] = 'GitLab@<domain>'
gitlab_rails['gitlab_email_display_name'] = 'GitLab'
gitlab_rails['gitlab_email_reply_to'] = 'GitLab@<domain>'
gitlab_rails['gitlab_email_subject_suffix'] = 'GitLab.<domain>'
gitlab_rails['gitlab_email_smime_enabled'] = false
gitlab_rails['smtp_enable'] = true
gitlab_rails['smtp_address'] = <redacted>
gitlab_rails['smtp_port'] = 465
gitlab_rails['smtp_user_name'] = <redacted>
gitlab_rails['smtp_password'] = <redacted>
gitlab_rails['smtp_domain'] = "<domain>"
gitlab_rails['smtp_authentication'] = "login"
gitlab_rails['smtp_enable_starttls_auto'] = false
gitlab_rails['smtp_tls'] = true
gitlab_shell['auth_file'] = "/var/opt/gitlab/.ssh/authorized_keys"
prometheus_monitoring['enable'] = false
I’ve also tried to set UsePAM to no in sshd_config, or add various entries to /etc/security/access.conf (like +:git:ALL or even +:ALL:ALL or -:ALL:ALL except root or whatever it was). No dice…
Let me know if there is any other information you need.
This is obviously a blocker for me…
Thanks!
Alexis