Hello all!
First time setting up a pipeline from scratch. DISCLAIMER: I’m not a sysadmin or CI/CD engineer and I don’t play either on TV, sooo…
I’ve managed to stumble through creating .gitlab-ci.yml files for all my branches and have them successfully running on the rules I’ve set, so I’m super stoked!!
ONLY issue now is that I have to add GitLab’s IP/netmask so I can get around the firewall. I’m having a tough time finding it. I’ve got the inbound firewall on Linode set to TCP for port 22. Here’s my .gitlab-ci.yml file:
stages:
- deploy
deploy:
image: ubuntu:latest
stage: deploy
rules:
- if: $CI_PIPELINE_SOURCE == "push" && $CI_COMMIT_BRANCH == "dev"
- if: $CI_PIPELINE_SOURCE == "merge_requests"
- if: $CI_PIPELINE_SOURCE == "web"
before_script:
- apt-get -yq update
- apt-get -yqq install ssh
- install -m 600 -D /dev/null ~/.ssh/id_rsa
- echo "$SSH_PRIVATE_KEY_DEV" | base64 -d > ~/.ssh/id_rsa
- ssh-keyscan -H $SSH_HOST_DEV > ~/.ssh/known_hosts
script:
- ssh $SSH_USER_DEV@$SSH_HOST_DEV "cd $WORK_DIR_DEV && git checkout $BRANCH_DEV && git pull && exit"
after_script:
- rm -rf ~/.ssh
Can anyone help me navigate this last step??? HUGE thanks in advance!
Ugh… thought I found it but I did not. Tried using:
35.185.44.232/32
and the pipeline failed.
UPDATE: If I allow all for port 22 (it’s a test server, they can’t kill anything) everything works. But when I remove that, the pipe fails here:
$ ssh-keyscan -H $SSH_HOST_DEV > ~/.ssh/known_hosts
Where is GitLab running, invoking the tcp connect session (i.e. with ssh commands)? Self managed or GitLab.com SaaS? For self managed, the external IP address can be determined with ip a.
The target host firewall needs the source ip, destination port 22.
/32 is the subnet mask for a single IP. The calculation formula is roughly this:
2^ (32 - subnetmask) = number of ips
/32 = 2 ^ (32 - 32) = 1
/31 = 2 ^ (32 - 31) = 2
/24 = 2 ^ (32 - 24) = 256 (typically found with 192.168.1.0/24, ranging from 0. to .255)
You rule, GREAT advice. The repo is up on gitlab.com tho, it’s not self-hosted. And because of the firewall issues, we decided to go the webhook route. Thank you SO much for taking the time to respond… I appreciate that!!!
AWESOME to know about the subnet mask info!!
1 Like
My pleasure. It took me quite some time to learn subnet masks myself. I did not understand them in my studies. It needed production use cases in my time at the University of Vienna, ACO.net and managing .at DNS records 
For GitLab.com SaaS IP ranges - they are documented here. If they change, this will be announced to all users. Maybe this helps in case you want to try the ssh option again.