Looking for IP/subnet mask

Hello all!
First time setting up a pipeline from scratch. DISCLAIMER: I’m not a sysadmin or CI/CD engineer and I don’t play either on TV, sooo…

I’ve managed to stumble through creating .gitlab-ci.yml files for all my branches and have them successfully running on the rules I’ve set, so I’m super stoked!!

ONLY issue now is that I have to add GitLab’s IP/netmask so I can get around the firewall. I’m having a tough time finding it. I’ve got the inbound firewall on Linode set to TCP for port 22. Here’s my .gitlab-ci.yml file:

  - deploy

  image: ubuntu:latest
  stage: deploy
    - if: $CI_PIPELINE_SOURCE == "push" && $CI_COMMIT_BRANCH == "dev"
    - if: $CI_PIPELINE_SOURCE == "merge_requests"
    - if: $CI_PIPELINE_SOURCE == "web"
    - apt-get -yq update
    - apt-get -yqq install ssh
    - install -m 600 -D /dev/null ~/.ssh/id_rsa
    - echo "$SSH_PRIVATE_KEY_DEV" | base64 -d > ~/.ssh/id_rsa
    - ssh-keyscan -H $SSH_HOST_DEV > ~/.ssh/known_hosts
    - ssh $SSH_USER_DEV@$SSH_HOST_DEV "cd $WORK_DIR_DEV && git checkout $BRANCH_DEV && git pull && exit"
    - rm -rf ~/.ssh

Can anyone help me navigate this last step??? HUGE thanks in advance!

Ugh… thought I found it but I did not. Tried using:

and the pipeline failed.

UPDATE: If I allow all for port 22 (it’s a test server, they can’t kill anything) everything works. But when I remove that, the pipe fails here:

$ ssh-keyscan -H $SSH_HOST_DEV > ~/.ssh/known_hosts

Where is GitLab running, invoking the tcp connect session (i.e. with ssh commands)? Self managed or GitLab.com SaaS? For self managed, the external IP address can be determined with ip a.

The target host firewall needs the source ip, destination port 22.

/32 is the subnet mask for a single IP. The calculation formula is roughly this:

2^ (32 - subnetmask) = number of ips

/32 = 2 ^ (32 - 32) = 1
/31 = 2 ^ (32 - 31) = 2
/24 = 2 ^ (32 - 24) = 256 (typically found with, ranging from 0. to .255)

You rule, GREAT advice. The repo is up on gitlab.com tho, it’s not self-hosted. And because of the firewall issues, we decided to go the webhook route. Thank you SO much for taking the time to respond… I appreciate that!!!

AWESOME to know about the subnet mask info!!

1 Like

My pleasure. It took me quite some time to learn subnet masks myself. I did not understand them in my studies. It needed production use cases in my time at the University of Vienna, ACO.net and managing .at DNS records :upside_down_face:

For GitLab.com SaaS IP ranges - they are documented here. If they change, this will be announced to all users. Maybe this helps in case you want to try the ssh option again.