GitLab is a web-based DevOps lifecycle tool that provides a Git-repository manager providing wiki, issue-tracking and CI/CD pipeline features, using an open-source license, developed by GitLab Inc.
Both Deploy Keys and Deploy Tokens allow you to checkout code without using your personal GitLab username/password. And as their name indicates, they are best suited for deployments, usually automated/scripted. What are their features?
- Utilize SSH keys (public and private)
- Checkout via SSH (requires port 22 open)
- GitLab will store the public SSH key
- The server doing the checkout will have to have the private SSH key
- Allows read and/or write of repository
- More steps for setup
- Use a generate once password ie token
- Check via HTTPS (requires port 443 open, more common)
- Token can have an expiration date
- Allows read only of repository
- Simpler setup
How to create and use Deploy Keys (SSH)
By default, when you use SSH, it reads from ~/.ssh/id_rsa
But that is your personal SSH key
Create a SSH key for GitLab deployments with a unique name
Login to the server where you will clone/deploy your code
> ssh-keygen -t rsa -b 4096 -f ~/.ssh/gitlab_deploy_rsa
Tell ssh about the new gitlab key
> vim ~/.ssh/config
Note: for the Host, use the host GitLab references
GitLab: Repo: Clone button
For security, and to allow SSH, make the config read only by you
> chmod 600 ~/.ssh/config
So GitLab knows about your new key, create a GitLab Deploy Key
GitLab: Repo: Settings -> Repository, scroll to Deploy Keys
Copy the contents of your public key ~/.ssh/gitlab_rsa.pub to the Key section
Back on your server,
Test that SSH access works
-T Disable pseudo-terminal allocation ie just give return result "as is"
If SSH times out, try a public site to ensure port 22 is open
> ssh -vT gitlab.com
If SSH gitlab.com does not work, then enable port 22 on your server, most likely via it's firewall.
If SSH gitlab.com does work, then maybe SSH is not enabled or accessible on your GitLab server. Review your GitLabs firewall ie iptables, tcp wrappers ie /etc/hosts.deny and /etc/hosts.allow, and the SSH daemon configuration ie /etc/sshd_config
You should be able to checkout your code using SSH, using
which is a slight shorthand for
Note: If you cannot get SSH working, you can try using Deploy Tokens, which uses HTTPS, which is more often accessible.
How to create and use Deploy Tokens (HTTPS)
Create a GitLab Deploy Token
GitLab: Repo: Settings -> Repository, scroll to Deploy Tokens
After creating the Deploy Token, make sure to copy and save the token
From your server, you can checkout your code using
> git clone https://<username>:<token>@gitlab.yourdomain.com/dir/repo.git target_dir
After cloning, you can simply Pull changes
> git pull
So, should you use SSH or HTTPS?
Ideally you should use SSH keys as they are a way to identify trusted computers, without involving passwords, but HTTPS is the easiest to set up on the widest range of networks and platforms.
-End of Document-
Thanks for reading