Capistrano 在 git:check 上部署失敗 - 權限被拒絕（公鑰）

Question

本地操作系統：Windows 10 Pro（使用 Git Bash 作為我的終端）

暫存服務器操作系統：Ubuntu 16.04 LTS

我一直在努力讓基本的 Capistrano 部署在我的登台服務器上工作。 我按照本指南設置了 Capistrano。

部署過程總是在git:check階段失敗，因為據稱無權訪問我在 GitLab 上的存儲庫。 我確信我的 SSH 代理轉發工作正常，因為我能夠通過 SSH 連接到我的服務器並使用我的 SSH 密鑰訪問 GitLab。 SSH 密鑰未存儲在我服務器上的任何位置：

$ ssh deploy@myserver.com

deploy@MyServer:~$ ssh -T git@gitlab.com
debug1: client_input_channel_open: ctype auth-agent@openssh.com rchan 2 win 65536 max 16384
debug1: channel 1: new [authentication agent connection]
debug1: confirm auth-agent@openssh.com
Welcome to GitLab, Alexander!debug1: channel 1: FORCE input drain

到目前為止，關於這個問題的所有問題都沒有對我有用。

這是我的部署文件：

部署文件

set :application, "myapp"
set :branch, "master"
set :repo_url, "git@gitlab.com:MyApp/myapp.git"

# Defaults to false
# Skip migration if files in db/migrate were not modified
set :conditionally_migrate, true

set :ssh_options, { forward_agent: true }

set :rvm_ruby_version, '2.2.6'

# Default deploy_to directory is /var/www/my_app_name
set :deploy_to, "/var/www/#{fetch(:application)}/"
set :deploy_user, "deploy"

# Tells Capistrano to store config/database.yml file inside a directory called /shared, which is meant for any files
# we want to persist between deploys
set :linked_files, fetch(:linked_files, []).push('config/database.yml', 'config/secrets.yml')

# Directories that are meant to persist between deploys, and they will also be stored inside /shared
set :linked_dirs, fetch(:linked_dirs, []).push('bin', 'log', 'tmp/pids', 'tmp/cache', 'tmp/sockets', 'vendor/bundle', 'public/system', 'public/uploads')

# The specs that should be run before deployment is allowed to continue
set :tests, []

# Delayed Job Config: https://github.com/AgileConsultingLLC/capistrano3-delayed-job
set :delayed_job_workers, 3

# Keep the last 5 deploys for rollback purposes
set :keep_releases, 5

namespace :deploy do
  after :restart, :clear_cache do
    on roles(:web), in: :groups, limit: 3, wait: 10 do
      # Here we can do anything such as:
      # within release_path do
      #   execute :rake, 'cache:clear'
      # end
    end
  end
end

分期文件

set :stage, :staging
set :rails_env, :staging

role :app, %w{deploy@myserver.com}
role :web, %w{deploy@myserver.com}
role :db,  %w{deploy@myserver.com}

這是我部署時的 Capistrano 調試日志：

$ bundle exec cap staging deploy --trace
** Invoke staging (first_time)
** Execute staging
** Invoke load:defaults (first_time)
** Execute load:defaults
** Invoke rvm:hook (first_time)
** Invoke passenger:rvm:hook (first_time)
** Invoke passenger:test_which_passenger (first_time)
** Execute passenger:test_which_passenger
** Execute passenger:rvm:hook
** Execute rvm:hook
** Invoke rvm:check (first_time)
** Execute rvm:check
rvm 1.29.3 (latest) by Michal Papis, Piotr Kuczynski, Wayne E. Seguin [https://rvm.io]
ruby-2.2.6
ruby 2.2.6p396 (2016-11-15 revision 56800) [x86_64-linux]
** Invoke bundler:map_bins (first_time)
** Invoke passenger:bundler:hook (first_time)
** Execute passenger:bundler:hook
** Execute bundler:map_bins
** Invoke deploy:set_rails_env (first_time)
** Execute deploy:set_rails_env
** Invoke deploy:set_linked_dirs (first_time)
** Execute deploy:set_linked_dirs
** Invoke deploy:set_rails_env
** Invoke deploy (first_time)
** Execute deploy
** Invoke deploy:starting (first_time)
** Execute deploy:starting
** Invoke deploy:check (first_time)
** Invoke git:check (first_time)
** Invoke git:wrapper (first_time)
** Execute git:wrapper
00:00 git:wrapper
      01 mkdir -p /tmp
    ✔ 01 deploy@myserver.com 0.286s
      Uploading /tmp/git-ssh-myapp-staging-localuser.sh 100.0%
      02 chmod 700 /tmp/git-ssh-myapp-staging-localuser.sh
    ✔ 02 deploy@myserver.com 0.277s
** Execute git:check
00:01 git:check
      01 git ls-remote git@gitlab.com:MyApp/myapp.git HEAD
      01 Permission denied (publickey).
      01 fatal: Could not read from remote repository.
      01
      01 Please make sure you have the correct access rights
      01 and the repository exists.
cap aborted!
SSHKit::Runner::ExecuteError: Exception while executing as deploy@myserver.com: git exit status: 128
git stdout: Nothing written
git stderr: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
C:/Ruby22/lib/ruby/gems/2.2.0/gems/sshkit-1.15.1/lib/sshkit/runners/parallel.rb:15:in `rescue in block (2 levels) in execute'
C:/Ruby22/lib/ruby/gems/2.2.0/gems/sshkit-1.15.1/lib/sshkit/runners/parallel.rb:11:in `block (2 levels) in execute'

Caused by:
SSHKit::Command::Failed: git exit status: 128
git stdout: Nothing written
git stderr: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
C:/Ruby22/lib/ruby/gems/2.2.0/gems/sshkit-1.15.1/lib/sshkit/command.rb:99:in `exit_status='
C:/Ruby22/lib/ruby/gems/2.2.0/gems/sshkit-1.15.1/lib/sshkit/backends/netssh.rb:169:in `execute_command'
C:/Ruby22/lib/ruby/gems/2.2.0/gems/sshkit-1.15.1/lib/sshkit/backends/abstract.rb:141:in `block in create_command_and_execute'
C:/Ruby22/lib/ruby/gems/2.2.0/gems/sshkit-1.15.1/lib/sshkit/backends/abstract.rb:141:in `tap'
C:/Ruby22/lib/ruby/gems/2.2.0/gems/sshkit-1.15.1/lib/sshkit/backends/abstract.rb:141:in `create_command_and_execute'
C:/Ruby22/lib/ruby/gems/2.2.0/gems/sshkit-1.15.1/lib/sshkit/backends/abstract.rb:74:in `execute'
C:/Ruby22/lib/ruby/gems/2.2.0/gems/capistrano-3.10.1/lib/capistrano/scm/git.rb:77:in `git'
C:/Ruby22/lib/ruby/gems/2.2.0/gems/capistrano-3.10.1/lib/capistrano/scm/git.rb:38:in `check_repo_is_reachable'
C:/Ruby22/lib/ruby/gems/2.2.0/gems/capistrano-3.10.1/lib/capistrano/scm/tasks/git.rake:19:in `block (4 levels) in eval_rakefile'
C:/Ruby22/lib/ruby/gems/2.2.0/gems/sshkit-1.15.1/lib/sshkit/backends/abstract.rb:93:in `with'
C:/Ruby22/lib/ruby/gems/2.2.0/gems/capistrano-3.10.1/lib/capistrano/scm/tasks/git.rake:18:in `block (3 levels) in eval_rakefile'
C:/Ruby22/lib/ruby/gems/2.2.0/gems/sshkit-1.15.1/lib/sshkit/backends/abstract.rb:29:in `instance_exec'
C:/Ruby22/lib/ruby/gems/2.2.0/gems/sshkit-1.15.1/lib/sshkit/backends/abstract.rb:29:in `run'
C:/Ruby22/lib/ruby/gems/2.2.0/gems/sshkit-1.15.1/lib/sshkit/runners/parallel.rb:12:in `block (2 levels) in execute'
Tasks: TOP => deploy:check => git:check
The deploy has failed with an error: Exception while executing as deploy@myserver.com: git exit status: 128
git stdout: Nothing written
git stderr: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
** Invoke deploy:failed (first_time)
** Execute deploy:failed


** DEPLOY FAILED
** Refer to log/capistrano.log for details. Here are the last 20 lines:


 DEBUG [6b6ba2d0] Finished in 0.471 seconds with exit status 0 (successful).

 DEBUG [c6e2d7dc] Running ~/.rvm/bin/rvm 2.2.6 do ruby --version as deploy@myserver.com

 DEBUG [c6e2d7dc] Command: ~/.rvm/bin/rvm 2.2.6 do ruby --version

 DEBUG [c6e2d7dc]       ruby 2.2.6p396 (2016-11-15 revision 56800) [x86_64-linux]

 DEBUG [c6e2d7dc] Finished in 0.608 seconds with exit status 0 (successful).

  INFO [fd5500a8] Running /usr/bin/env mkdir -p /tmp as deploy@myserver.com

 DEBUG [fd5500a8] Command: /usr/bin/env mkdir -p /tmp

  INFO [fd5500a8] Finished in 0.286 seconds with exit status 0 (successful).

 DEBUG Uploading /tmp/git-ssh-myapp-staging-localuser.sh 0.0%

  INFO Uploading /tmp/git-ssh-myapp-staging-localuser.sh 100.0%

  INFO [f33d4873] Running /usr/bin/env chmod 700 /tmp/git-ssh-myapp-staging-localuser.sh as deploy@myserver.com

 DEBUG [f33d4873] Command: /usr/bin/env chmod 700 /tmp/git-ssh-myapp-staging-localuser.sh

  INFO [f33d4873] Finished in 0.277 seconds with exit status 0 (successful).

  INFO [86d3cd5a] Running /usr/bin/env git ls-remote git@gitlab.com:MyApp/myapp.git HEAD as deploy@myserver.com

 DEBUG [86d3cd5a] Command: ( export GIT_ASKPASS="/bin/echo" GIT_SSH="/tmp/git-ssh-myapp-staging-localuser.sh" ; /usr/bin/env git ls-remote git@gitlab.com:MyApp/myapp.git HEAD )

 DEBUG [86d3cd5a]       Permission denied (publickey).

 DEBUG [86d3cd5a]       fatal: Could not read from remote repository.



Please make sure you have the correct access rights

and the repository exists.

我嘗試手動運行 Capistrano 在本地和遠程服務器上嘗試的命令，它們都成功了。 我真的被困住了，任何幫助將不勝感激！

Answer 1

感謝所有回答的人，我已經設法找到了解決方案！ 罪魁禍首是 Git Bash，無論出於何種原因，當我運行chmod 700 ~/.ssh時，它並沒有將我的~/.ssh目錄的權限更改為 0700。 這阻止了 SSH 代理轉發在 Capistrano 部署時工作，但在我手動通過 SSH 連接到我的服務器時不會工作。 我決定嘗試在 Windows (BUW) 上的 Ubuntu 上使用 Bash 而不是 Git Bash，果然，我的部署成功了！ 我將完全相同的配置和密鑰從 Git Bash 復制到 BUW。 唯一的區別是我能夠將 BUW 的~/.ssh目錄的權限更改為 0700。話雖如此，這是我的問題的解決方案：

1. 創建部署密鑰並將其添加到 GitLab

正如@Onur 和@grizzthedj 以及@Gokul M 所指出的，我需要為 GitLab 創建一個部署密鑰並在我的服務器上對其進行授權。 這是我如何做到的：

1. 在我的本地機器上生成一個新的 SSH 密鑰： ssh-keygen -t rsa -b 4096
2. 復制公鑰的輸出： cat ~/.ssh/id_rsa.pub
3. SSH 到我的服務器
4. 將公鑰添加到~/.ssh/authorized_keys的末尾
5. 回到我的本地機器上，打開瀏覽器，登錄 GitLab，轉到我的存儲庫頁面，然后將公鑰粘貼到Settings > Repository > Deploy Keys

2.使用BUW代替Git Bash

1. 在我的本地機器上，我設置 BUW 以使用此 SO answer 中的說明在會話加載時啟動 SSH 代理。
2. 更改~/.ssh的權限： chmod 700 ~/.ssh

3. 啟動 SSH 代理並將我的部署密鑰添加到其中：

    eval $(ssh-agent -s) ssh-add ~/.ssh/id_rsa

我已經從我的deploy.rb文件中刪除了set :ssh_options行，因為沒有它它也能正常工作。

就是這樣！ 從現在開始，我似乎將使用 BUW 進行部署。

Answer 2

按照以下步驟將您的公鑰添加到您的存儲庫設置中的部署密鑰列表中：

本地機器設置：

1. 檢查您的本地系統是否有~/.ssh/id_rsa.pub密鑰文件。 如果沒有，請創建一個新的：

    $ ssh-keygen -t rsa

2. 將新創建的公鑰~/.ssh/id_rsa.pub到設置中存儲庫的部署（訪問）密鑰：

   • 比特桶：
     • https://confluence.atlassian.com/bitbucket/set-up-ssh-for-git-728138079.html#SetupSSHforGit-Step4.InstallthepublickeyonyourBitbucketaccount
   • GitHub：
     • https://developer.github.com/v3/guides/managing-deploy-keys/#deploy-keys
   • GitLab ：
     • https://docs.gitlab.com/ce/ssh/README.html#deploy-keys

3. 將密鑰加載到ssh-agent ：

   檢查ssh-agent是否正在運行，如果沒有，啟動 ssh 代理

   $ ssh-agent /bin/bash

   將id_rsa密鑰添加到代理：

    $ ssh-add ~/.ssh/id_rsa

   注意：有時，如果您在部署期間收到“拒絕訪問存儲庫”錯誤，則需要在每次部署之前完成此步驟（步驟 - 3）。

4. 將您的本地 SSH Key 添加到部署服務器 Authorized Keys 文件中（記住將端口號替換為您自定義的端口號）：

    $ cat ~/.ssh/id_rsa.pub | ssh -p port_num user@server_ip 'cat >> ~/.ssh/authorized_keys'

參考： https : //www.digitalocean.com/community/tutorials/deploying-a-rails-app-on-ubuntu-14-04-with-capistrano-nginx-and-puma

部署文件

嘗試改變ssh_options在deploy.rb文件，如下：

set :ssh_options, { forward_agent: true, user: "deploy", auth_methods: ['publickey'], keys: %w(~/.ssh/privatekey.pem) }

將~/.ssh/privatekey.pem替換為 SSH 私鑰文件路徑。

部署：

只需運行cap staging deploy即可部署到服務器。

根據需要將cap deploy 命令中的staging替換為環境。

Answer 3

根據您的cap deploy輸出，從您的筆記本電腦到您的服務器的 SSH 連接似乎不是問題。

00:00 git:wrapper
      01 mkdir -p /tmp
    ✔ 01 deploy@myserver.com 0.286s
      Uploading /tmp/git-ssh-myapp-staging-localuser.sh 100.0%
      02 chmod 700 /tmp/git-ssh-myapp-staging-localuser.sh
    ✔ 02 deploy@myserver.com 0.277s 

這個問題是當 capistrano 嘗試通過 SSH 運行git ls-remote git@gitlab.com:MyApp/myapp.git HEAD時。

您需要將公鑰添加到 GitLab 中的 SSH 密鑰中，因為 SSH 代理轉發需要在所有目標系統上安裝公鑰。 在您的情況下，Gitlab 是一個目標系統。

cat ~/.ssh/id_rsa.pub    # Copy the contents of your public key(filename may be different)

登錄到 GitLab，並將公鑰粘貼到您的存儲庫的 SSH 密鑰（在存儲庫設置中找到）中，您應該沒問題。

您還需要在ssh_options指定創建 SSH 密鑰的用戶。

set :ssh_options, {
    forward_agent: true,
    user: 'deploy',
}

Answer 4

您還需要將遠程服務器的公鑰定義到存儲庫。 顯然，您的計算機可以訪問存儲庫，但服務器不能。

要獲取默認公鑰，您可以查看~/.ssh/id_rsa.pub或者您可以使用ssh-keygen -t rsa -b 4096 -C "your_email@example.com"生成一個不要忘記初始化也在服務器中使用ssh-add公鑰。

希望它有幫助

Answer 5

對於那些將來遇到此問題尋找替代方案的人：

大多數關於此問題的搜索建議添加 SSH 密鑰。 如果您確定它們已被添加，並且ssh -T git@bitbucket.org （或您使用的任何 git 服務）顯示您已登錄，並且已設置代理轉發，則替代方案對我ssh -T git@bitbucket.org在 Windows 上遇到同樣的問題是安裝PuTTY 。 安裝后：

• 打開 PuTTYGen > 轉換 > 導入密鑰（如果您有要使用的密鑰；否則，生成一個新密鑰）
• 運行 Pageant（包含在 PuTTY 中）
• 在系統托盤中找到Pageant，右鍵單擊，然后“添加密鑰”
• 添加上述密鑰
• 像以前一樣運行cap deploy

我在另一篇關於在 Windows上使用 Capistrano 時響應長度錯誤的文章中發現了這種方法，因此表面上它也適用於這些情況。 這可能是因為Windows 上的 net-ssh 需要 Pageant 才能工作。

Answer 6

我有一個類似的問題，對我來說，我所要做的就是將我的 SSH 密鑰添加到 GitHub。 可以在此處找到此過程的文檔： https : //docs.github.com/en/github/authenticating-to-github/adding-a-new-ssh-key-to-your-github-account