I've installed the latest gitlab using docker on centos 7

docker run -d --hostname git.xxxx.com \
-p 8082:80 -p 22:22 \
--name gitlab \
--restart always \
-v /srv/gitlab/config:/etc/gitlab:Z \
-v /srv/gitlab/logs:/var/log/gitlab:Z \
-v /srv/gitlab/data:/var/opt/gitlab:Z \
gitlab/gitlab-ce:latest

I also changed the host ssh port to 10022 and let GitLab use port 22. GitLab ran successfully. Cloning worked using http but fails when using ssh.

git clone git@git.xxxx.com:yphc/dt-dd-miniprogram.git

Cloning into 'dt-dd-miniprogram'...
ssh: connect to host git.xxxx.com port 22: Bad file number
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.

Output from checking Gitlab status:

root@git:/# gitlab-ctl status
run: gitaly: (pid 472) 241405s; run: log: (pid 467) 241405s
run: gitlab-monitor: (pid 474) 241405s; run: log: (pid 465) 241405s
run: gitlab-workhorse: (pid 471) 241405s; run: log: (pid 464) 241405s
run: logrotate: (pid 15611) 203s; run: log: (pid 456) 241405s
run: nginx: (pid 475) 241405s; run: log: (pid 469) 241405s
run: node-exporter: (pid 460) 241406s; run: log: (pid 459) 241406s
run: postgres-exporter: (pid 453) 241406s; run: log: (pid 452) 241406s
run: postgresql: (pid 470) 241406s; run: log: (pid 463) 241406s
run: prometheus: (pid 482) 241406s; run: log: (pid 476) 241406s
run: redis: (pid 396) 241408s; run: log: (pid 395) 241408s
run: redis-exporter: (pid 455) 241406s; run: log: (pid 454) 241406s
run: sidekiq: (pid 473) 241406s; run: log: (pid 468) 241406s
warning: sshd: unable to open supervise/ok: access denied
run: unicorn: (pid 466) 241406s; run: log: (pid 458) 241406s

warning: sshd: unable to open supervise/ok: access denied

I tried the ssh command in the gitlab container which worked. I also added port 22 to the firewall.

[root@localhost zones]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp2s0
  sources: 
  services: ssh dhcpv6-client
  ports: 2022/tcp 10022/tcp 22/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

And when I close firewall it says

Cloning into 'dt-dd-miniprogram'...
ssh_exchange_identification: Connection closed by remote host
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

I looked around on the internet for a long time but couldn't find anything. I'd be grateful for any help or ideas on how to solve this.

4 Answers

In my case it was a permission problem. It seems that the ssh keys are saved with 0777 permissions, which prevents ssh from starting.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0777 for '/etc/gitlab/ssh_host_xxxxxxx_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
key_load_private: bad permissions
Could not load host key: /etc/gitlab/ssh_host_xxxxxxx_key

You can log in to your dockerized GitLab with docker exec -it gitlab_web_1 /bin/bash

Check why it has not started with cat /var/log/gitlab/sshd/current

If you see similar logs, a quick fix is chmod 0770 /etc/gitlab/ssh_host_*

Then restart the ssh service with /etc/init.d/ssh restart

Now you should see something like this in the log file:

Server listening on 0.0.0.0 port 22.
Server listening on :: port 22.

Another (related) problem can be that the volume you use for the config folder is on a Windows fs (NTFS?). In this case:

  • if you use a Linux host BUT the volumes are on an NTFS mount, try setting a different path, on a Linux fs (one that supports file permissions), for the config folder only. On my NTFS mount, for example, all files have 0777 permissions and they cannot be changed
  • if you use Windows, try setting the files to more restrictive permissions
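Added example, not from the answer above: a small POSIX sh check for the "too open" host key permissions quoted in the sshd log, with the fix and restart the answer describes. It assumes what sshd itself enforces, that a private key must not be readable, writable or executable by group or others, so it sets 0600 rather than 0770; the script name and the --apply flag are hypothetical.

```shell
#!/bin/sh
# Added example, not from the answer above. Checks the sshd host keys that
# the GitLab container keeps in /etc/gitlab for the "too open" permissions
# quoted in the log, fixes them, and restarts sshd as the answer describes.
# Assumption: sshd rejects a private key that is readable, writable or
# executable by group or others, so the fix uses 0600 rather than 0770.

# Return 0 when every ssh_host_*_key in directory $1 has no group/other bits;
# otherwise print each offending file with its mode and return 1.
host_keys_ok() {
    dir=$1
    bad=0
    for key in "$dir"/ssh_host_*_key; do
        [ -f "$key" ] || continue
        mode=$(stat -c '%a' "$key")      # e.g. 777 on an NTFS-backed volume
        case "$mode" in
            *00) ;;                        # group and other bits are clear
            *)   echo "too open: $key ($mode)"; bad=1 ;;
        esac
    done
    return "$bad"
}

# Tighten each private host key to 0600 and its public half to 0644.
fix_host_keys() {
    dir=$1
    for key in "$dir"/ssh_host_*_key; do
        [ -f "$key" ] || continue
        chmod 0600 "$key"
        if [ -f "$key.pub" ]; then chmod 0644 "$key.pub"; fi
    done
    return 0
}

# Run inside the container (docker exec -it gitlab /bin/bash) as
# `sh fix-host-keys.sh --apply`; a second argument overrides the key directory.
if [ "${1:-}" = "--apply" ]; then
    dir=${2:-/etc/gitlab}
    if ! host_keys_ok "$dir"; then
        fix_host_keys "$dir"
        # If chmod had no effect, the volume ignores Unix permissions (the
        # NTFS case in the answer): move the config volume to a Linux fs.
        host_keys_ok "$dir" || { echo "chmod had no effect on $dir"; exit 1; }
        /etc/init.d/ssh restart
    fi
    tail -n 5 /var/log/gitlab/sshd/current
fi
```

When the second check still fails after the chmod, the volume itself is discarding permission bits, which is the NTFS situation the answer describes.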
I've ended up in the same situation with the official gitlab-ce docker image after migrating from KVM.

I've found that this sv command generates the error:

root@gitlab:/opt/gitlab# /opt/gitlab/embedded/bin/sv start sshd
warning: sshd: unable to open supervise/ok: access denied

Because the /opt/gitlab/sv/sshd/supervise/ok pipe is not accessible to root:

root@gitlab:/opt/gitlab/sv/sshd/supervise# cat ok
cat: ok: Permission denied

And just as a test I've updated it with 777 permissions, but still no luck:

root@gitlab:/opt/gitlab/# /opt/gitlab/embedded/bin/sv start sshd
fail: sshd: runsv not running

The workaround I've used is in my Dockerfile, which is based on gitlab-ce:latest:

RUN sed -i '/gitlab-ctl reconfigure/a service ssh start' /assets/wrapper

This starts up ssh, and now I can connect as the git user via ssh to push and pull :)

Don't forget that you need the proper environment set up for the ports you want to use: https://docs.gitlab.com/omnibus/docker/

  environment:
    GITLAB_OMNIBUS_CONFIG: |
      external_url 'http://gitlab.m31.com:3080'
      gitlab_rails['gitlab_shell_ssh_port'] = 3022

So things are working now, but keep in mind that this is an odd/ugly workaround and I'm sure there is a better way to make this work.

I did the same thing on another CentOS 7 and everything is OK, so I guess the OS has some error; the GitLab docker image is OK, but I can't find the cause up till now. Thx

The easiest way to have two servers on one host use the same port 22 is to bind them to separate IP addresses. By default, both gitlab and sshd bind to 0.0.0.0 and therefore reserve that port on all addresses and interfaces.

Allocating additional public IP addresses to your machine is possible through your hosting provider; they should then show up in ifconfig on the host.

Your local ssh server should bind to your primary IP address. Look in /etc/ssh/sshd_config for

ListenAddress 0.0.0.0

Docker can port-forward to specific IPs using -p <secondary_ip>:22:22

You can set up sub-domains such as git.example.com for the secondary IP, and server.example.com for the primary IP.
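Added example, not from the answer above: a POSIX sh check that shows the wildcard bind this answer is talking about (port 22 held on 0.0.0.0 or [::], which reserves it on every address) and prints the sshd ListenAddress line and docker -p mapping that split the port between two host IPs. The `ss -ltn` text is constructed so it runs offline, and 192.0.2.10 / 192.0.2.11 are placeholder primary and secondary addresses.

```shell
#!/bin/sh
# Added example, not from the answer above. Shows why the two sshds collide
# (a wildcard bind on port 22 claims every address) and prints the two
# settings that split the port between the host's primary and secondary IP.
# The `ss -ltn` text below is constructed so this runs offline; on a real
# host use "$(ss -ltn)". 192.0.2.10 and 192.0.2.11 are placeholder IPs.

# Print the local address of each listener on port $2 (default 22) found in
# the `ss -ltn` output passed as $1. Column 4 is "Local Address:Port".
listeners_on_port() {
    printf '%s\n' "$1" | awk -v port="${2:-22}" '
        $1 == "LISTEN" {
            n = split($4, a, ":"); p = a[n]        # port is the last field
            if (p == port) { sub(":" p "$", "", $4); print $4 }
        }'
}

# Return 0 if port $2 is bound on a wildcard address (0.0.0.0, * or [::]),
# i.e. already reserved on every interface, which blocks a second server.
has_wildcard_bind() {
    listeners_on_port "$1" "$2" | grep -qE '^(0\.0\.0\.0|\*|\[::\])$'
}

# Emit the sshd_config line for the host sshd and the docker -p mapping for
# the container so each one owns port 22 on a different address.
split_port_config() {
    printf 'ListenAddress %s\n' "$1"
    printf '%s %s:22:22\n' -p "$2"
}

# Constructed sample resembling the asker's host: sshd moved to 10022, but
# docker-proxy still holds 0.0.0.0:22 and [::]:22 for the container.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:10022       0.0.0.0:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    [::]:22             [::]:*
LISTEN 0      128    192.0.2.11:8082     0.0.0.0:*'

if has_wildcard_bind "$SAMPLE_SS" 22; then
    echo "port 22 is already bound on all addresses:"
    listeners_on_port "$SAMPLE_SS" 22
    split_port_config 192.0.2.10 192.0.2.11
fi
```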

1 Comment

Another alternative, of course, is to put a TCP load balancer in front of the system.
