Secure SSH Access from GitHub Runner to Docker Host for CI/CD

Set up secure SSH access from your GitHub self-hosted runner to your Docker host for seamless CI/CD. Learn to create a deploy user, configure SSH key authentication, and disable root access for security.

Setting up a secure and automated deployment pipeline requires seamless communication between your GitHub self-hosted runner and your Docker host. The most efficient way to achieve this is through SSH key-based authentication, allowing the runner to securely execute commands on the Docker host without manual intervention.

In this guide, we’ll walk through:

  • Creating a dedicated deployment user on the Docker host
  • Setting up SSH key authentication between the GitHub runner and Docker host
  • Hardening SSH security by disabling root access and password authentication
  • Testing remote Docker commands for seamless CI/CD integration

By the end of this setup, your GitHub runner will have a secure, passwordless connection to your Docker host, laying the foundation for automated deployments. 🚀

Create a New User on the Docker Host

Instead of using root, create a dedicated user for deployments on your Docker host:

Create a New User (deployuser)

On your Docker host LXC:

sudo adduser deployuser

Set a password and skip the extra fields.

Add User to Docker Group

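Allow deployuser to manage Docker without needing sudo. Membership in the docker group grants root-level privileges on the host, so treat this account and its SSH key as privileged: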

sudo usermod -aG docker deployuser

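Apply changes. newgrp only refreshes the group list of the shell it is run in; deployuser picks up the new group at its next login: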

newgrp docker

Set Up SSH Access from GitHub Runner to Docker Host

Now, ensure that the GitHub runner can SSH into the Docker host LXC without a password.

Generate an SSH Key on the GitHub Runner

On your GitHub runner LXC, run:

ssh-keygen -t ed25519 -C "github-runner"

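Press Enter to accept the default path (~/.ssh/id_ed25519). The key is written to the home directory of the user who runs the command, so generate it as the account the runner jobs run under.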

Copy the SSH Key to the Docker Host

Use ssh-copy-id to transfer the public key to the Docker host:

ssh-copy-id deployuser@your-docker-host-ip

Test SSH access:

ssh deployuser@your-docker-host-ip

If you are logged in without a password prompt, key authentication is working.

Secure the SSH Configuration

Disable Root SSH Access on Docker Host

On the Docker host, edit SSH config:

sudo nano /etc/ssh/sshd_config

Set these two directives, uncommenting them if they are commented out:

PermitRootLogin no
PasswordAuthentication no

Restart SSH, keeping your current session open until a new key-based login succeeds:

sudo systemctl restart ssh
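
The two directives only take effect if no earlier line sets the same keyword: sshd uses the first value it reads, and some distributions ship an sshd_config that begins with an Include of drop-in files. The script below is an added example, not part of the original guide; its function names and sample files are constructed for illustration, and the caller passes the files in the order sshd reads them.

```shell
#!/bin/sh
# Added example: which value does sshd actually use for a global keyword?
# sshd keeps the FIRST value it reads, so a line read earlier (for instance
# from an Include'd drop-in) beats an edit made further down.

# effective_value KEYWORD FILE...   (FILEs in the order sshd reads them)
# Prints the first global value, lower-cased; prints nothing if unset.
effective_value() {
    _want=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); shift
    awk -v want="$_want" '
        FNR == 1               { in_match = 0 }  # simplification: Match ends with its file
        /^[ \t]*(#|$)/         { next }          # comments and blank lines
        tolower($1) == "match" { in_match = 1; next }
        in_match               { next }          # conditional, not global
        tolower($1) == want    { print tolower($2); exit }
    ' "$@"
}

# audit_sshd FILE...   returns 0 only if both directives from the guide are "no".
audit_sshd() {
    _rc=0
    for _kw in PermitRootLogin PasswordAuthentication; do
        _val=$(effective_value "$_kw" "$@")
        if [ "$_val" != "no" ]; then
            echo "FAIL: $_kw is '${_val:-unset}', expected 'no'"
            _rc=1
        fi
    done
    return $_rc
}

# write_samples DIR   constructed sample files, not taken from a real host.
write_samples() {
    printf '%s\n' 'PasswordAuthentication yes' > "$1/50-dropin.conf"
    printf '%s\n' 'Include /etc/ssh/sshd_config.d/*.conf' \
        '#PermitRootLogin prohibit-password' \
        'PermitRootLogin no' 'PasswordAuthentication no' > "$1/sshd_config"
}

# Demo: the drop-in is read first, so the edited main file alone is not enough.
_d=$(mktemp -d) && write_samples "$_d"
audit_sshd "$_d/sshd_config" && echo "main file alone: OK"
audit_sshd "$_d/50-dropin.conf" "$_d/sshd_config" || echo "with drop-in: not hardened"
rm -rf "$_d"
```

On the Docker host itself, `sudo sshd -t` checks the configuration for syntax errors before a restart, and `sudo sshd -T` prints the configuration sshd resolved.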

Test Deployment Manually

On the GitHub runner, try deploying manually:

Copy a test file:

scp testfile.txt deployuser@your-docker-host-ip:/home/deployuser/

Run a remote Docker command:

ssh deployuser@your-docker-host-ip "docker ps"

If you see running containers, everything is set up correctly.

Conclusion

By setting up SSH key-based authentication between your GitHub self-hosted runner and Docker host, you’ve created a secure and automated connection for CI/CD deployments. With a dedicated deploy user and hardened SSH security, your pipeline is now ready for seamless remote execution of Docker commands. This foundation ensures efficient, secure, and scalable deployments.

