Ansible and Git Permission denied (publickey) at Git Clone

前端 未结 3 725
挽巷 2021-02-20 17:11

I have a playbook where I am trying to clone from a private repo (GIT) to a server.

I have setup ssh forwarding and when I ssh into the server and try to manually clone

  • 2021-02-20 17:48

    On a localhost-only -scenario ForwardAgent is completely useless, as it would forward the agent only to a remote host.

    Even if git works from command-line when run manually, it doesn't work from Ansible no matter what. The only working solution I found was to convert git into command, like: - command: /usr/bin/git clone git@github

    0 讨论(0)
  • 2021-02-20 17:51

    By reading the documentation for ssh forwarding in ansible. I was able to figure out the solution.

    The problem was that my ssh keys were not being forwarded because Ansible does not by default forward your keys, even if you have set up the key forwarding on ~/.ssh/conf (I updated my question with the ansible.cfg that I had before fixing the issue).

    The solution is was to add transport = ssh to ansible.cfg under [defaults] plus running ansible-playbook from the location where ansible.cfg is located and make sure thet the following setting exists in the /etc/ssh/sshd_config of the target box:

    AllowAgentForwarding yes

    My ansible.cfg now looks like this:

    transport = ssh
    ssh_args = -o ForwardAgent=yes
    0 讨论(0)
  • 2021-02-20 18:02

    To clone the private github repo over the remote server, I am doing this:

    First add the ssh key to your ssh-agent:

    eval `ssh-agent -s`
    ssh-add ~/.ssh/my-private-key.pem

    After that I have modified the ansible.cfg:

    transport = ssh
    sudo_flags = -HE
    ssh_args = -o ForwardAgent=yes

    Now you can clone the github private repo even as root user

    Normally, I also add these two tasks in my playbook/roles tasks as well:

    - name: Tell the host about our servers it might want to ssh to
        path: '/etc/ssh/known_hosts'
        name: ''
        key: "{{ lookup('pipe', 'ssh-keyscan -t rsa') }}"
    - name: Upload sudo config for key forwarding as root
        dest: /etc/sudoers.d/ssh_key_forward
        line: 'Defaults env_keep+=SSH_AUTH_SOCK'
        create: yes
        owner: root 
        group: root 
        mode: "0440"
        state: present
        validate: 'visudo -c -f %s'

    Strange, it work for me. If the ssh option didn't work for you then you can use the username/password option like this:

    - name: Pull the code
        repo: "https://{{ bitbucket_login }}:{{ bitbucket_password|urlencode }}"
        dest: /var/www/myproject
        version: master

    Hope that might helpful for you and others

    0 讨论(0)