Try   HackMD

Live Debugging: SSH into a Running GitLab CI Job

I've always like the idea of being able to ssh into a running job to debug CI-specific things like firewall rules.

In GitHub Actions, the solution is super simple. Just use the action owenthereal/action-upterm:

name: CI
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    - name: Setup upterm session
      uses: owenthereal/action-upterm@v1

But with GitLab CI, Actions don't exist and you have to craft your own. To make things worse, you can't find examples of people using upterm in their .gitlab-ci.yml files since GitLab code search isn't available on the public gitlab.com instance (one of the many reasons one should prefer GitHub over GitLab).

Setting up Upterm in your GitLab CI job

Tested on 7 March 2025.

Here is the commands I use. You can also copy-paste these commands into your job's script block as long as it is an Alpine image. For Debian-based images, adjustments will need to be made.

test:
  image: alpine:3.19
  script:
    # Heavily inspired from the GitHub Action owenthereal/action-upterm, you can
    # look into its index.ts to understand the below tricks.
    - apk add --no-cache curl tmux openssh-client
    - curl -sSfL https://github.com/owenthereal/upterm/releases/download/v0.14.3/upterm_linux_amd64.tar.gz | tar xz -C /usr/local/bin
    - mkdir -p ~/.ssh
    - ssh-keyscan uptermd.upterm.dev 2>/dev/null | awk '{ print "@cert-authority * " $2 " " $3 }' | tee /dev/stderr >> ~/.ssh/known_hosts
    - ssh-keygen -t ed25519 -N "" -f ~/.ssh/id_ed25519
    - tmux new -d -s upterm-wrapper -x 132 -y 43 "upterm host --accept --force-command 'tmux attach -t upterm' -- tmux new -s upterm -x 132 -y 43"
    - tmux set -t upterm-wrapper window-size largest; tmux set -t upterm window-size largest
    - until upterm session current --admin-socket ~/.upterm/*.sock; do sleep 5; done
    - until ! ls ~/.upterm | grep -q '\.sock$'; do sleep 5; done

Notes

Note that you can't just do:

test:
  image: alpine:3.19
  script:
    - upterm host --force-command 'tmux attach -t upterm' --accept -- tmux new-session -d upterm

Not sure why but when trying to connect, you would get "Connection closed":

$ ssh psxScav2LZnOJugeSE8A:ZTc4NGUxMWRiMjI5MDgudm0udXB0ZXJtLmludGVybmFsOjIyMjI=@uptermd.upterm.dev
Connection closed by 37.16.25.99 port 22
Last changed by 
Maël Valais
1
79

Read more

My macOS tweaks coming from Ubuntu

🔥 Update 26 June 2023: I am abandoning "desktop" Linux! I can't bear having to work around everything all the time, not even counting the tons of problems that occur whenever I do a major version upgrade (e.g., when I upgraded from 21.10 to 22.04, my PPAs broken obviously, and also I lost all the hack I had made to the /etc to work around problems). I am officially back to macOS starting 26 June 2023. I'll still use my Linux workstation remotely over Mosh, but not as a desktop environment.

Jun 2, 2025
Troubleshooting Venafi Kubernetes Agent

To figure out whether it is being OOM killed:

May 29, 2025
Gateway API: cool, but what about my certs?

Gateway API = role-aware version of Ingress API + many more knobs (e.g., lets you to fine-tune the load balancer)

May 21, 2025
cert-manager + ListenerSet: TLS self-service for Gateway API

Due to not having enough maintainers time, the NGINX Ingress Controller

May 20, 2025
Read more from Maël Valais
Published on HackMD