Mount dirs outside /Volumes?

[olejnjak]

Hey guys, I love using tart as it helps me to focus elsewhere then to dealing with environment stuff on our CI 👏

Nevertheless I've run to use case I would love to discuss - our images for our Gitlab CI (that uses Tart Gitlab Executor) are public and we would love to keep them public, although to access some of our private code, we need to provide it with some SSH keys, so cloning it is possible.

Back when our runners weren't ephemeral, we just added private key in ~/.ssh and that was it, this is not possible now ofc. This got me thinking where would I actually want the key stored and how do I get it to the VM.

I came up with 2 variants (feel free to add some more):

1. file variable in Gitlab CI
2. link host's ~/.ssh to guest's ~/.ssh so the guest can have the same auth as host

I don't like 1. as this means that every job needs to move the file from env var to ~/.ssh in guest VM.

Using 2. seems a bit better to me, just looks a bit tricky as AFAIK this is not actually possible and directories from host are mounted under /Volumes/My Shared Files. So that would mean that the image needs to symlink its ~/.ssh to /Volumes/My Shared Files/.ssh which would probably work, but I am not sure I like it.

And this brings me to the original question - would it be possible to mount ~/.ssh from host to ~/.ssh in guest or the mounting point inside /Volumes/My Shared Files is a "limit" of the Virtualization fmwk?

Thanks in advance 🙂

[olejnjak]

Or maybe 3rd option - customize the custom executor, that would use scp to copy ~/.ssh from host to guest in prepare or config stage of running a job.

[fkorotkov]

It seem the idiomatic way will be to follow recommendations for Docker GitLab Executor:

• Create a new SSH_PRIVATE_KEY file type CI/CD variable.
• Put the following in your before_script:

before_script:
  - mkdir -p ~/.ssh
  - chmod 400 "$SSH_PRIVATE_KEY"
  - ssh-add "$SSH_PRIVATE_KEY"

As for the moving mounting outside of /Volumes, it is possible and was described in #537.

But in either cases you will also need to modify your CI config so I'd suggest investigate the idiomatic way. Having a variable instead of always mounting the secrets also sounds like a more secure option IMO.

[olejnjak]

Okay the SSH use case might not be ideal, better use case would probably be dealing with caching of Mint packages, that e.g. puts built products to ~/.mint that means it cannot be cached by Gitlab.

The before_script solution is pretty painful as it works for simple pipelines but for real-life projects that use more jobs and job hierarchy using extends it is not a very nice solution as you need to think about it every time you extend a job.

It is the same story with the proposed solution in #537. I can imagine that it might work in case, this could be done inside the Gitlab Runner config.toml, but I am not sure though.

[fkorotkov]

The GitLab executor supports passing extra --dir folders so theoretically you can pass --dir mint:$HOME/.mint and set MINT_PATH to /Volumes/My Shared Files/mint for all your jobs.

[olejnjak]

Well yeah, but I feel like I'm searching for a bit more general approach as not all such tools have to support such setting and that is why I was asking if mounting all directories from --dir option is limitation of the Virtualization fmwk or it is by design. As using --dir /Users/admin/.mint:~/.mint would make a bit more sense, question is if it is even possible.

[fkorotkov]

Unfortunately, it's a current limitation. 😪 A virtual machine has only one virtio file system so it can only be mounted at one location inside the virtual machine. An automation or scripts will need to take care of symlinking or re-mounting the directories.