0

I have set it up so I auth with GitHub using ssh keys. I have tried everything out and it appears to be working. So now I want my app to run every time the computer boots so I create the following systemd config...

    [Unit]
    Description=Job that runs your user script

    [Service]
    WorkingDirectory=/.../web/site
    ExecStart=npm start
    Type=oneshot
    RemainAfterExit=yes

    [Install]
    WantedBy=multi-user.target

Again everything seems to work. Now I want to pull every time I boot before I start so I change to...

    [Unit]
    Description=Job that runs your user script

    [Service]
    WorkingDirectory=/.../web/site
    ExecStart=git pull
    ExecStart=npm start
    Type=oneshot
    RemainAfterExit=yes

    [Install]
    WantedBy=multi-user.target

But now it fails with...

    Mar 08 05:45:21 debdev systemd[1]: Starting Job that runs your user script...
    Mar 08 05:45:21 debdev git[731]: Host key verification failed.
    Mar 08 05:45:21 debdev git[731]: fatal: Could not read from remote repository.
    Mar 08 05:45:21 debdev git[731]: Please make sure you have the correct access rights
    Mar 08 05:45:21 debdev git[731]: and the repository exists.
    Mar 08 05:45:21 debdev systemd[1]: node-site.service: Main process exited, code=exited, status=1/FAILURE
    Mar 08 05:45:21 debdev systemd[1]: node-site.service: Failed with result 'exit-code'.
    Mar 08 05:45:21 debdev systemd[1]: Failed to start Job that runs your user script.

What am I missing? Is it because my SSH key is under my user? Can I make a "root" ssh key?

Jackie

3 Answers

1

This:

    Host key verification failed.

is a problem with authenticating the remote repository, GitHub in your case. This is likely since when the system boots you are running as root and not your normal user, which is who you were when you set up the key pair. To fix this you can specify the identity file directly. To do this in a one-off kind of way and not add a second identity file for your root (which you could and not much effort either, just like you did for your user), you can instead run

    ssh-agent bash -c 'ssh-add /path/to/id_rsa; git pull'

In order to not reboot/restart services while you are fixing this, I suggest you try and fix the git pull command as root, and when that works then try it in your systemd.

kabanus
0

You need to have ssh-agent started and your key added:

  1. Start ssh-agent on boot: https://stackoverflow.com/a/38980986/13475540
  2. In your service unit file, add this

    [Unit]
    After=ssh-agent.service
    
    [Service]
    Environment=SSH_AUTH_SOCK=%t/ssh-agent.socket
    ExecStartPre=/usr/bin/ssh-add [your_key_file]
    
sine
0

To achieve this, I created a new passphrase-less SSH key and added it as a read-only deploy key to my repo.

I use this SSH key when pulling from the repo on boot from the script that's triggered through the systemd unit.

Before issuing the git pull command in my script, I start the ssh-agent and apply the read-only key:

    eval `ssh-agent -s`
    ssh-add path/to/key

This makes it possible to pull the latest changes from the repo. The passphrase-less SSH key introduces some risk, but I feel comfortable since the key is read-only and limited to this repo.

charliesneath
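ssh prints "Host key verification failed" when its check of the server's host key against known_hosts fails, and a system unit without `User=` runs as root, so root's SSH files are the ones consulted. The script below is an added example, not taken from any of the answers: it pulls with a dedicated read-only deploy key and a pinned known_hosts file, and refuses to run if either is missing. The `/etc/node-site/...` paths and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the answers): boot-time pull with a read-only deploy
# key and a pinned known_hosts file, no ssh-agent needed.
# Assumed placeholder paths; override them through the environment.
DEPLOY_KEY="${DEPLOY_KEY:-/etc/node-site/deploy_key}"
KNOWN_HOSTS="${KNOWN_HOSTS:-/etc/node-site/known_hosts}"

# has_host_entry FILE HOST
# Succeeds only if FILE holds a plain (unhashed, unmarked) entry naming HOST.
has_host_entry() {
    [ -r "$1" ] || return 1
    awk -v host="$2" '
        NF == 0 || $1 ~ /^[#@]/ { next }     # blank, comment, @marker lines
        { n = split($1, names, ",")
          for (i = 1; i <= n; i++) if (names[i] == host) found = 1 }
        END { exit !found }' "$1"
}

# ssh_command KEY KNOWN_HOSTS_FILE
# Prints a GIT_SSH_COMMAND value: offer this key only, never prompt, and
# refuse any host key that is not already in the pinned file.
ssh_command() {
    printf "ssh -i '%s' -o IdentitiesOnly=yes -o BatchMode=yes" "$1"
    printf " -o StrictHostKeyChecking=yes -o UserKnownHostsFile='%s'" "$2"
}

# pull_site REPO_DIR [HOST]
# Returns 3 if the host is not pinned, 4 if the key is unreadable,
# otherwise git's own exit status.
pull_site() {
    host="${2:-github.com}"
    if ! has_host_entry "$KNOWN_HOSTS" "$host"; then
        echo "no pinned host key for $host in $KNOWN_HOSTS" >&2
        return 3
    fi
    if [ ! -r "$DEPLOY_KEY" ]; then
        echo "cannot read deploy key $DEPLOY_KEY" >&2
        return 4
    fi
    GIT_SSH_COMMAND="$(ssh_command "$DEPLOY_KEY" "$KNOWN_HOSTS")" \
        git -C "$1" pull --ff-only
}

# Run only when given a repository directory, e.g. from ExecStartPre=.
if [ "$#" -ge 1 ]; then
    pull_site "$@"
fi
```

Fill the pinned file with the host keys GitHub publishes, after checking them against its documented fingerprints, and keep the deploy key readable only by the account the unit runs as.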