This was quite hard to set up and we should document it. @ribalba please add what you think is important.
Here is my journey:
Make GMT cluster accept SSH keys from a user via the Dashboard
- an RSA PEM-Format public key must be configured in the `encryption_public_key_file` directive in `config.yml`
- Note that this key must NOT be OpenSSH Format
- It is recommended to place the key in ./.rsa/pub.key and make the file readable 755
- 755 is needed as the gunicorn container runs as root and 400 would thus make it unreadable in the container
- Placing this key is a security concern only if server/cluster and runner are the same machine and publicly accessible. This is not a security threat GMT has any concern for at the moment as this mode is only encouraged in one person developer mode
- The key can be created with
```bash
# Generate private key (2048-bit)
openssl genpkey -algorithm RSA -out private_key.pem -pkeyopt rsa_keygen_bits:2048
# Extract public key
openssl rsa -pubout -in private_key.pem -out public_key.pem
```
Make Runner use SSH keys
- an RSA PEM-Format private key must be configured in the `encryption_private_key_file` in the `config.yml`
- Note that this key must NOT be OpenSSH Format
- Via the Dashboard an OpenSSH Private Key block must be submitted under `/settings.html`
- Note that this key must NOT be PEM Format
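
The format mix-up described above (PEM for the two `config.yml` directives, OpenSSH for the Dashboard) can be caught before deployment by looking at the first line of each key file. This is an added example, not part of the original post or of GMT's code; the function names and the slot label `dashboard` (standing for the `/settings.html` field) are made up here.

```shell
# Classify a key file by its first line (PEM armor vs. OpenSSH formats).
key_format() {
    [ -r "$1" ] || { echo unreadable; return 0; }
    kf_first=""
    IFS= read -r kf_first < "$1" || true     # a file without a trailing newline still sets kf_first
    kf_cr=$(printf '\r')
    kf_first=${kf_first%"$kf_cr"}            # tolerate CRLF line endings
    case "$kf_first" in
        "-----BEGIN PUBLIC KEY-----"|"-----BEGIN RSA PUBLIC KEY-----")   echo pem-public ;;
        "-----BEGIN PRIVATE KEY-----"|"-----BEGIN RSA PRIVATE KEY-----") echo pem-private ;;
        "-----BEGIN ENCRYPTED PRIVATE KEY-----")                         echo pem-private-encrypted ;;
        "-----BEGIN OPENSSH PRIVATE KEY-----")                           echo openssh-private ;;
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*)                          echo openssh-public ;;
        *)                                                               echo unknown ;;
    esac
}

# Format each place expects, following the rules listed in the post.
expected_format() {
    case "$1" in
        encryption_public_key_file)  echo pem-public ;;
        encryption_private_key_file) echo pem-private ;;
        dashboard)                   echo openssh-private ;;   # hypothetical label
        *)                           echo unknown-slot ;;
    esac
}

# check_key SLOT FILE: returns 0 when the file's format matches the slot.
# Note: the header alone does not prove the key is RSA; "BEGIN PRIVATE KEY"
# (PKCS#8, what `openssl genpkey` writes) can wrap other algorithms too.
check_key() {
    ck_want=$(expected_format "$1")
    ck_got=$(key_format "$2")
    if [ "$ck_want" = "$ck_got" ]; then
        echo "ok: $1 is $ck_got"
        return 0
    fi
    echo "mismatch: $1 expects $ck_want, but $2 is $ck_got" >&2
    return 1
}
```

For example, `check_key encryption_public_key_file ./.rsa/pub.key` fails with a mismatch message if the file starts with `ssh-rsa ` instead of a PEM header.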