Adds the documentation for ssh keys #135
Open: ribalba wants to merge 3 commits into main from ssh-keys
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,118 @@ | ||
| --- | ||
| title: "Private repositories" | ||
| description: "Configure user supplied SSH keys for private repository measurements" | ||
| date: 2026-04-27T00:00:00+00:00 | ||
| weight: 1006 | ||
| --- | ||
|
|
||
| GMT can use SSH keys submitted by users through the Dashboard or the command line when measuring private Git repositories in a cluster setup. | ||
|
|
||
| There are two different key types involved, and they are used on different machines: | ||
|
|
||
| - The GMT Dashboard server uses an RSA PEM public key configured in `config.yml` to encrypt user supplied SSH keys before storing them. | ||
| - Each runner or cluster machine that executes measurements uses the matching RSA PEM private key configured in `config.yml` to decrypt the stored SSH key before cloning a repository. | ||
| - The user submits an OpenSSH private key through the Dashboard or command line. This is the key used by Git, through ssh, when cloning the measured repository. | ||
|
|
||
| We do this so that when the Dashboard machine or the database is leaked we do not expose any SSH keys. | ||
|
|
||
| Do not mix these formats. The encryption keys configured in `config.yml` must be RSA PEM files. The user supplied SSH key submitted through the Dashboard or passed on the command line must be an OpenSSH private key block. | ||
|
|
||
| ## Configure the web server to accept SSH keys from users | ||
|
|
||
| On the GMT Dashboard server, configure an RSA PEM-format public key in `config.yml`: | ||
|
|
||
| ```yml | ||
| security: | ||
| encryption_public_key_file: /var/www/green-metrics-tool/.rsa/public_key.pem | ||
| ``` | ||
|
|
||
| Create the RSA key pair with: | ||
|
|
||
| ```bash | ||
| # Generate private key (2048-bit) | ||
| openssl genpkey -algorithm RSA -out private_key.pem -pkeyopt rsa_keygen_bits:2048 | ||
|
|
||
| # Extract public key | ||
| openssl rsa -pubout -in private_key.pem -out public_key.pem | ||
| ``` | ||
|
|
||
| Recommended placement on the Dashboard server: | ||
|
|
||
| ```bash | ||
| mkdir -p /var/www/green-metrics-tool/.rsa/ | ||
| mv public_key.pem /var/www/green-metrics-tool/.rsa/public_key.pem | ||
| chmod 755 /var/www/green-metrics-tool/.rsa/public_key.pem | ||
| ``` | ||
|
|
||
| The file must be readable by the GMT API process. In the default container setup the Gunicorn container runs as root, and a restrictive mode such as `400` can make the mounted file unreadable inside the container. Use `755` for the public key file. | ||
|
|
||
| ## Configure runners to use submitted SSH keys | ||
|
|
||
| On each runner that needs to execute jobs with user supplied SSH keys, configure the matching RSA PEM-format private key in `config.yml`: | ||
|
|
||
| ```yml | ||
| security: | ||
| encryption_private_key_file: /path/to/repo/rsa/private_key.pem | ||
|
|
||
| ``` | ||
|
|
||
| The private key must match the public key configured as `security.encryption_public_key_file` on the GMT Dashboard server. Keep this private key available only to runner or cluster machines that execute measurements and to administrators who need runner access. | ||
|
|
||
| ## Allow users to save SSH keys | ||
|
|
||
| To submit an SSH key through the Dashboard, the user must be allowed to update the `ssh_private_key` setting. This is controlled through the user's `capabilities` JSON: | ||
|
|
||
| ```json | ||
| { | ||
| "user": { | ||
| "updateable_settings": [ | ||
| "ssh_private_key" | ||
| ] | ||
| } | ||
| } | ||
| ``` | ||
|
|
||
| The Dashboard also needs access to the settings API routes: | ||
|
|
||
| ```json | ||
| { | ||
| "api": { | ||
| "routes": [ | ||
| "/v1/user/setting", | ||
| "/v1/user/settings" | ||
| ] | ||
| } | ||
| } | ||
| ``` | ||
|
|
||
| The default seeded user includes this capability. For existing or restricted users, add `ssh_private_key` to `user.updateable_settings`; otherwise the Dashboard will reject the setting update. | ||
|
|
||
| ## Submit a user SSH key through the Dashboard | ||
|
|
||
| Users can add their repository SSH key in the Dashboard under: | ||
|
|
||
| ```text | ||
| /settings.html | ||
| ``` | ||
|
|
||
| Paste an OpenSSH private key block into the SSH private key setting. This key is used by the runner for Git clone operations. | ||
|
|
||
| The Dashboard key should look like: | ||
|
|
||
| ```text | ||
| -----BEGIN OPENSSH PRIVATE KEY----- | ||
| ... | ||
| -----END OPENSSH PRIVATE KEY----- | ||
| ``` | ||
|
|
||
| After saving the setting, new measurements for private Git repositories can use the stored SSH key. | ||
|
|
||
| ## Use an SSH key from the command line | ||
|
|
||
| When running a measurement directly with `runner.py`, pass the OpenSSH private key file with `--ssh-private-key`: | ||
|
|
||
| ```bash | ||
| python3 runner.py \ | ||
| --uri git@github.com:example/private-repository.git \ | ||
| --filename usage_scenario.yml \ | ||
| --ssh-private-key ~/.ssh/id_ed25519 | ||
| ``` | ||
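Review bot: the `chmod 755 /var/www/green-metrics-tool/.rsa/public_key.pem` line in the placement block, and the sentence "Use `755` for the public key file" that follows it, set the execute bit on a PEM file that is never executed; the problem the text describes is `400` being owner-only, so `chmod 644 /var/www/green-metrics-tool/.rsa/public_key.pem` gives the same readability inside the Gunicorn container without implying an executable mode is required. Suggest changing both the command and the sentence to `644`. In the runner section, `security.encryption_private_key_file` is configured but nothing is said about the file mode of that private key, even though it decrypts every stored user SSH key; a `chmod 600` hint there, mirroring the Dashboard section, would make "Keep this private key available only to runner or cluster machines" actionable. The sentence "We do this so that when the Dashboard machine or the database is leaked we do not expose any SSH keys" should also state the limits of the protection: the Dashboard API receives the OpenSSH private key in plaintext before encrypting it, so the `/v1/user/setting` routes must be served over TLS, and any runner holding the RSA private key can decrypt all stored keys, so a runner compromise still exposes them.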