Ansible and Git Permission denied (publickey) at Git Clone

I have a playbook where I am trying to clone from a private repo (GIT) to a server.

I have set up ssh forwarding, and when I ssh into the server and try to manually clone from the same repo, it works successfully. However, when I use ansible to clone the repo to the server, it fails with "Permission Denied Public Key".

This is my playbook deploy.yml:

    ---
    - hosts: webservers
      remote_user: root
      tasks:
        - name: Setup Git repo
          git: repo={{ git_repo }}
               dest={{ app_dir }}
               accept_hostkey=yes

This is how my ansible.cfg looks:

    [ssh_args]
    ssh_args = -o FowardAgent=yes

I am also able to perform all the other tasks in my playbooks (os operations, installations).

I have tried:

- Specifying the sshAgentForwarding flag in ansible.cfg on the server (ansible.cfg in same dir as playbook) using:

      ssh_args = -o ForwardingAgent=yes

- Using become: false to execute the git clone
- Running ansible -i devops/hosts webservers -a "ssh -T git@bitbucket.org", which returns:

      an_ip_address | UNREACHABLE! => { "changed": false, "msg": "Failed to connect to the host via ssh.", "unreachable": true }

This is the command that I use to run the playbook:

    ansible-playbook devops/deploy.yml -i devops/hosts -vvvv

This is the error message I get:

fatal: [162.243.243.13]: FAILED! => {"changed": false, "cmd": "/usr/bin/git ls-remote '' -h refs/heads/HEAD", "failed": true, "invocation": {"module_args": {"accept_hostkey": true, "bare": false, "clone":
true, "depth": null, "dest": "/var/www/aWebsite", "executable": null, "force": false, "key_file": null, "recursive": true, "reference": null, "refspec": null, "remote": "origin", "repo": "git@bitbucket.org:aUser/aRepo.git", "ssh_opts": null, "track_submodules": false, "update": true, "verify_commit": false, "version": "HEAD"}, "module_name": "git"}, "msg": "Permission denied (publickey).\r\nfatal: Could not r$ad from remote repository.\n\nPlease make sure you have the correct access rights\nand the repository exists.", "rc": 128, "stderr": "Permission denied (publickey).\r\nfatal: Could not read from remote r$pository.\n\nPlease make sure you have the correct access rights\nand the repository exists.\n", "stdout": "", "stdout_lines": []}

By reading the documentation for ssh forwarding in ansible, I was able to figure out the solution.

The problem was that my ssh keys were not being forwarded because Ansible does not by default forward your keys, even if you have set up the key forwarding in ~/.ssh/conf (I updated my question with the ansible.cfg that I had before fixing the issue).

The solution was to add transport = ssh to ansible.cfg under [defaults], plus running ansible-playbook from the location where ansible.cfg is located, and to make sure that the following setting exists in the /etc/ssh/sshd_config of the target box:

    AllowAgentForwarding yes

My ansible.cfg now looks like this:

    [defaults]
    transport = ssh

    [ssh_connection]
    ssh_args = -o ForwardAgent=yes
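
The difference between the question's ansible.cfg and the one in the answer above can be checked mechanically. The following is an added example, not part of the original answer: the function name check_agent_forwarding is hypothetical, the two sample configs are reconstructed from this page, and it inspects only the ini text (not ANSIBLE_SSH_ARGS or inventory variables).

```python
import configparser
import difflib
import re

# Constructed samples: the ansible.cfg from the question and from the answer above.
BROKEN_CFG = "[ssh_args]\nssh_args = -o FowardAgent=yes\n"
FIXED_CFG = ("[defaults]\ntransport = ssh\n"
             "[ssh_connection]\nssh_args = -o ForwardAgent=yes\n")

# Matches "-o Name=value" pairs inside an ssh_args string.
OPTION_RE = re.compile(r"-o\s*([A-Za-z]+)=(\S+)")


def check_agent_forwarding(cfg_text):
    """Return reasons why this ansible.cfg would not forward the SSH agent."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(cfg_text)
    findings = []
    forwarding = False
    for section in cp.sections():
        if not cp.has_option(section, "ssh_args"):
            continue
        # The ini key ssh_args is only read from the [ssh_connection] section.
        if section != "ssh_connection":
            findings.append(f"ssh_args is in [{section}], expected [ssh_connection]")
        for name, value in OPTION_RE.findall(cp.get(section, "ssh_args")):
            if name.lower() == "forwardagent":  # ssh keywords are case-insensitive
                if section == "ssh_connection" and value == "yes":
                    forwarding = True
            elif difflib.get_close_matches(name, ["ForwardAgent"], cutoff=0.8):
                # Catches near-misses such as FowardAgent and ForwardingAgent.
                findings.append(f"unknown ssh option {name!r}, did you mean ForwardAgent?")
    if not forwarding:
        findings.append("no effective ForwardAgent=yes in [ssh_connection] ssh_args")
    return findings


if __name__ == "__main__":
    for label, cfg in (("question", BROKEN_CFG), ("answer", FIXED_CFG)):
        print(label, check_agent_forwarding(cfg) or "ok")
```

Because ssh_args in ansible.cfg applies to every host the playbook connects to, ForwardAgent=yes makes the agent socket available on each of those hosts for the duration of the connection.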

To clone the private github repo over the remote server, I am doing this:

First add the ssh key to your ssh-agent:

    eval `ssh-agent -s`
    ssh-add ~/.ssh/my-private-key.pem

After that I have modified the ansible.cfg:

    [defaults]
    transport = ssh
    sudo_flags = -HE

    [ssh_connection]
    ssh_args = -o ForwardAgent=yes

Now you can clone the github private repo even as root user.

Normally, I also add these two tasks in my playbook/roles tasks as well:

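    - name: Tell the host about our servers it might want to ssh to
      known_hosts:
        # OpenSSH's default system-wide file is /etc/ssh/ssh_known_hosts; this
        # path is only consulted if GlobalKnownHostsFile points at it.
        path: '/etc/ssh/known_hosts'
        name: 'github.com'
        # The scanned host must be the same as "name". ssh-keyscan does not
        # authenticate the key, so compare it with the published fingerprint.
        key: "{{ lookup('pipe', 'ssh-keyscan -t rsa github.com') }}"

    - name: Upload sudo config for key forwarding as root
      lineinfile:
        dest: /etc/sudoers.d/ssh_key_forward
        # Keeps the forwarded agent socket visible after sudo.
        line: 'Defaults env_keep+=SSH_AUTH_SOCK'
        create: yes
        owner: root
        group: root
        mode: "0440"
        state: present
        validate: 'visudo -c -f %s'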

Strange, it works for me. If the ssh option didn't work for you then you can use the username/password option like this:

    - name: Pull the code
      git:
        # Credentials embedded in the URL are written to .git/config in dest.
        repo: "https://{{ bitbucket_login }}:{{ bitbucket_password|urlencode }}@bitbucket.org/path/project.git"
        dest: /var/www/myproject
        version: master

Hope that might be helpful for you and others.

On a localhost-only scenario ForwardAgent is completely useless, as it would forward the agent only to a remote host.

Even if git works from command-line when run manually, it doesn't work from Ansible no matter what. The only working solution I found was to convert git into command, like:

    - command: /usr/bin/git clone git@github

For a public repository (you can use https):

    - name: Git checkout ghq from github
      git:
        repo: https://github.com/x-motemen/ghq.git
        dest: /tmp/ghqt
        depth: "1"

For a private repository, you can copy your private ssh key beforehand and attach it like this:

    - name: Git checkout dotfiles repo
      git:
        # key_file applies only to SSH remotes, so the repo is given in SSH form.
        repo: "git@github.com:x-motemen/ghq.git"
        dest: /tmp/ghqt
        version: "develop"
        accept_hostkey: yes
        key_file: "{{ ssh_key_private_remote_path }}{{ ssh_key_private_filename }}"

More details: https://www.jeffgeerling.com/blog/2018/cloning-private-github-repositories-ansible-on-remote-server-through-ssh