SSH Access to Gitlab instance not working
-
@BrutalBirdie So just to clarify, I can only ever use HTTPS clone urls as well?
@kaxline No you can clone / push / pull via ssh.
But since the default port22is used by the root system cloudron assigns the gitlab app a custom ssh port.If you install gitlab you get this window:
(alt. text: picture of the gitlab app installation showing the SSH Port configuration)This means for my gitlab app on cloudron the custom ssh port
29418will be used.
For example https://git.cloudron.io/cloudron is also hosted on cloudron (figures).And if you want to clone the gitlab-app repo:
(alt. text: a screenshot from git.cloudron.io showing the custom clone url with the custom ssh port)the custom port will be configured in the clone urls.
git clone ssh://git@git.cloudron.io:6000/cloudron/gitlab-app.gitThis then will look like this on your local machine.
╭─eha@BrutalBirdie in repo: n8n-app on master [!?] took 372ms ╰─λ git remote -v 22:07:50 origin ssh://git@git.cloudron.io:6000/cloudron/n8n-app.git (fetch) origin ssh://git@git.cloudron.io:6000/cloudron/n8n-app.git (push)Hope this makes it a bit clearer
For more documentation about the gitlab app you can also visit the official documentation.
https://docs.cloudron.io/apps/gitlab/ -
@kaxline No you can clone / push / pull via ssh.
But since the default port22is used by the root system cloudron assigns the gitlab app a custom ssh port.If you install gitlab you get this window:
(alt. text: picture of the gitlab app installation showing the SSH Port configuration)This means for my gitlab app on cloudron the custom ssh port
29418will be used.
For example https://git.cloudron.io/cloudron is also hosted on cloudron (figures).And if you want to clone the gitlab-app repo:
(alt. text: a screenshot from git.cloudron.io showing the custom clone url with the custom ssh port)the custom port will be configured in the clone urls.
git clone ssh://git@git.cloudron.io:6000/cloudron/gitlab-app.gitThis then will look like this on your local machine.
╭─eha@BrutalBirdie in repo: n8n-app on master [!?] took 372ms ╰─λ git remote -v 22:07:50 origin ssh://git@git.cloudron.io:6000/cloudron/n8n-app.git (fetch) origin ssh://git@git.cloudron.io:6000/cloudron/n8n-app.git (push)Hope this makes it a bit clearer
For more documentation about the gitlab app you can also visit the official documentation.
https://docs.cloudron.io/apps/gitlab/@brutalbirdie Thanks for the detailed response. I've actually tried all that and that led me to the issue I was trying to describe originally. Sorry I'm not being clear.
git clone ssh://git@git.cloudron.io:6000/cloudron/gitlab-app.gitGives me an
Operation timed outerror.Any ideas how to debug? Would this be on the Gitlab side or the Cloudron side?
-
@brutalbirdie Thanks for the detailed response. I've actually tried all that and that led me to the issue I was trying to describe originally. Sorry I'm not being clear.
git clone ssh://git@git.cloudron.io:6000/cloudron/gitlab-app.gitGives me an
Operation timed outerror.Any ideas how to debug? Would this be on the Gitlab side or the Cloudron side?
@kaxline sorry but what are you trying to achieve here?
First you write about the ssh problem with your own gitlab app, now there is a problem with the git.cloudron.io.
TheOperation timed outis a different problem then your initial problem.What is your goal exactly? Just see that clone via ssh is working?
It could have been that you ran into the automated server restart at night time that is why you got the
Operation timed out.
You could have checked against that by pinginggit.cloudron.ioWhen I try to clone the gitlab app via ssh from a random system I get this:
~/tmp # git clone ssh://git@git.cloudron.io:6000/cloudron/gitlab-app.git Cloning into 'gitlab-app'... The authenticity of host '[git.cloudron.io]:6000 ([45.55.2.141]:6000)' can't be established. ECDSA key fingerprint is SHA256:5Z0PZclabDgIVpQ8VPxkR8L0SDVNylIYWUisPvYYS3A. Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added '[git.cloudron.io]:6000,[45.55.2.141]:6000' (ECDSA) to the list of known hosts. git@git.cloudron.io's password:which is expected! Since this random system has no permission and/or authentication (ssh-key) in this system to clone via ssh!
Doing this via https works tho:
~/tmp # git clone https://git.cloudron.io/cloudron/gitlab-app.git Cloning into 'gitlab-app'... remote: Enumerating objects: 3241, done. remote: Counting objects: 100% (320/320), done. remote: Compressing objects: 100% (186/186), done. remote: Total 3241 (delta 201), reused 228 (delta 134), pack-reused 2921 Receiving objects: 100% (3241/3241), 503.65 KiB | 788.00 KiB/s, done. Resolving deltas: 100% (2134/2134), done.If I now fork the app, then I can clone via ssh because my user account has my ssh-key.
╭─eha@BrutalBirdie in ~/Develop/cloudron took 6m ╰─λ git clone ssh://git@git.cloudron.io:6000/BrutalBirdie/gitlab-app.git 08:57:35 Cloning into 'gitlab-app'... remote: Enumerating objects: 3241, done. remote: Counting objects: 100% (320/320), done. remote: Compressing objects: 100% (148/148), done. remote: Total 3241 (delta 200), reused 282 (delta 172), pack-reused 2921 Receiving objects: 100% (3241/3241), 504.69 KiB | 1.42 MiB/s, done. Resolving deltas: 100% (2133/2133), done.I guess your desired outcome is to see that the ssh functionality from cloudron gitlab-app is working, but I am struggling to replicate your problem.
Maybe we should take a step back and you describe what you are trying to do and achieve. -
Was it working before?
I searched the forum and found the following that may help you: https://forum.cloudron.io/topic/1780/cloudron-overrides-iptables-persistent/12
As well, from the official documentation: https://docs.cloudron.io/networking/#whitelist-ports.
-
@kaxline sorry but what are you trying to achieve here?
First you write about the ssh problem with your own gitlab app, now there is a problem with the git.cloudron.io.
TheOperation timed outis a different problem then your initial problem.What is your goal exactly? Just see that clone via ssh is working?
It could have been that you ran into the automated server restart at night time that is why you got the
Operation timed out.
You could have checked against that by pinginggit.cloudron.ioWhen I try to clone the gitlab app via ssh from a random system I get this:
~/tmp # git clone ssh://git@git.cloudron.io:6000/cloudron/gitlab-app.git Cloning into 'gitlab-app'... The authenticity of host '[git.cloudron.io]:6000 ([45.55.2.141]:6000)' can't be established. ECDSA key fingerprint is SHA256:5Z0PZclabDgIVpQ8VPxkR8L0SDVNylIYWUisPvYYS3A. Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added '[git.cloudron.io]:6000,[45.55.2.141]:6000' (ECDSA) to the list of known hosts. git@git.cloudron.io's password:which is expected! Since this random system has no permission and/or authentication (ssh-key) in this system to clone via ssh!
Doing this via https works tho:
~/tmp # git clone https://git.cloudron.io/cloudron/gitlab-app.git Cloning into 'gitlab-app'... remote: Enumerating objects: 3241, done. remote: Counting objects: 100% (320/320), done. remote: Compressing objects: 100% (186/186), done. remote: Total 3241 (delta 201), reused 228 (delta 134), pack-reused 2921 Receiving objects: 100% (3241/3241), 503.65 KiB | 788.00 KiB/s, done. Resolving deltas: 100% (2134/2134), done.If I now fork the app, then I can clone via ssh because my user account has my ssh-key.
╭─eha@BrutalBirdie in ~/Develop/cloudron took 6m ╰─λ git clone ssh://git@git.cloudron.io:6000/BrutalBirdie/gitlab-app.git 08:57:35 Cloning into 'gitlab-app'... remote: Enumerating objects: 3241, done. remote: Counting objects: 100% (320/320), done. remote: Compressing objects: 100% (148/148), done. remote: Total 3241 (delta 200), reused 282 (delta 172), pack-reused 2921 Receiving objects: 100% (3241/3241), 504.69 KiB | 1.42 MiB/s, done. Resolving deltas: 100% (2133/2133), done.I guess your desired outcome is to see that the ssh functionality from cloudron gitlab-app is working, but I am struggling to replicate your problem.
Maybe we should take a step back and you describe what you are trying to do and achieve.@brutalbirdie Sorry, still messing up communication despite my best efforts.
In my previous post, I only cited this command as an example:
git clone ssh://git@git.cloudron.io:6000/cloudron/gitlab-app.gitSince I didn't want to post my actual connection string, which is something like:
git clone ssh://git@gitlab.mydomain.com:XXXXX/cloudron/my-repo.gitAnd that's the one that is not working and has
Operation timed outas the error. Again, this is not an issue with reachinggit.cloudron.io. It's an issue with reachinggitlab.mydomain.com.I'm just trying to use the ssh links for my repos hosted on my Cloudron instance of Gitlab. Nothing fancy. I just can't connect to them from my machine, even though I can ssh into the server that is running Cloudron.
Does that make sense?
-
Was it working before?
I searched the forum and found the following that may help you: https://forum.cloudron.io/topic/1780/cloudron-overrides-iptables-persistent/12
As well, from the official documentation: https://docs.cloudron.io/networking/#whitelist-ports.
-
@scooke No, it was never working. I've always had to use the HTTPS links for repos.
Thanks for those links! I'll check them out and post back here if they work.
-
@kaxline Does
telnet gitlab.mydomain.com portconnect? (replace port with your gitlab ssh port). I think if it doesn't connect, it's some firewall/networking issue and we should start from there. -
@girish Thanks for chiming in here. Indeed
telnet gitlab.mydomain.com porthangs for me as well.I white listed the port and restarted the
cloudron-firewallservice, but still no love.Any other ideas of what to test/debug?
-
@girish Thanks for chiming in here. Indeed
telnet gitlab.mydomain.com porthangs for me as well.I white listed the port and restarted the
cloudron-firewallservice, but still no love.Any other ideas of what to test/debug?
@kaxline there's no need to white list the ports in cloudron-firewall, it's all automatic for the apps. As @mehdi asked, which VPS provider are you using? Some providers like azure/aws ec2/gce block all ports by default. So you have to add the port manually to the security group or equivalent. Other providerse like DO, linode, vultr, usually have everything open by default. But I think these days DO has added some tagging/labeling feature that can be mixed with their firewall to block ports by default for new VPS (not 100% sure about this).
-
@kaxline there's no need to white list the ports in cloudron-firewall, it's all automatic for the apps. As @mehdi asked, which VPS provider are you using? Some providers like azure/aws ec2/gce block all ports by default. So you have to add the port manually to the security group or equivalent. Other providerse like DO, linode, vultr, usually have everything open by default. But I think these days DO has added some tagging/labeling feature that can be mixed with their firewall to block ports by default for new VPS (not 100% sure about this).
-
-
Followed this up on support@, the issue was that the gitlab instance was behind Cloudflare. Cloudflare, of course, cannot proxy non-http ports. This is why the ssh+clone wasn't working. I will look into adding a warning about this when trying to install apps which require a port and a Cloudflare domain is used.
