`git clone` fails for role in private git repo when running `ansible-galaxy install -r requirements.yml`

I have added a .gitlab-ci.yml to my private project. One of the steps is to fetch roles from a private GitLab repository. However, this fails with
/usr/bin/git clone ssh://git@gitlab.com/papanito/ansible-role-bootstrap.git
papanito.bootstrap failed in directory /root/.ansible/tmp/ansible-
local-1036kia7b4eu/tmpjcyiks12 (rc=128)
ERROR! - you can use --ignore-errors to skip failed roles and finish processing the list.
ERROR: Job failed: exit code 1
Running the same command ansible-galaxy install -r requirements.yml on my machine works fine.
Before running the command I add a private key for the ci user. So I am not sure what else I am missing.
.gitlab-ci.yml
variables:
  SITE: "site.yml"
  PLAYBOOKS: "playbooks/*.yml"

stages:
  - verify

before_script:
  - whoami
  - apt-get update -qy #update system
  - mkdir ~/.ssh
  - chmod 700 ~/.ssh
  - echo $SSHKEY_GITLAB > ~/.ssh/id_rsa # https://docs.gitlab.com/ee/ci/ssh_keys
  - chmod 640 ~/.ssh/id_rsa
  - apt-get install ansible ansible-lint -qy
  - git submodule update --init
  - ansible --version
  - ansible-lint --version
  - git config -l
  - ansible-galaxy install -r requirements.yml

ansible-verify:
  stage: verify
  script:
    - ansible-lint -v $SITE
    - ansible-lint -v $PLAYBOOKS
    - ansible-playbook --syntax-check $SITE
    - ansible-playbook --syntax-check $PLAYBOOKS
requirements.yml
- src: geerlingguy.docker
- src: dev-sec.ssh-hardening
- src: m4rcu5nl.zerotier-one
# own roles
- src: https://git@github.com/papanito/ansible-role-rsyslog.git
  name: papanito.rsyslog
  scm: git
  version: master
- src: git+ssh://git@gitlab.com/papanito/ansible-role-bootstrap.git
  name: papanito.bootstrap
  scm: git
  version: master
$ ansible-galaxy install -r requirements.yml
- downloading role 'docker', owned by geerlingguy
- downloading role from https://github.com/geerlingguy/ansible-role-docker/archive/2.8.1.tar.gz
- extracting geerlingguy.docker to /root/.ansible/roles/geerlingguy.docker
- geerlingguy.docker (2.8.1) was installed successfully
- downloading role 'ssh-hardening', owned by dev-sec
- downloading role from https://github.com/dev-sec/ansible-ssh-hardening/archive/9.3.0.tar.gz
- extracting dev-sec.ssh-hardening to /root/.ansible/roles/dev-sec.ssh-hardening
- dev-sec.ssh-hardening (9.3.0) was installed successfully
- downloading role 'zerotier-one', owned by m4rcu5nl
- downloading role from https://github.com/m4rcu5nl/ansible-role-zerotier/archive/v1.2.3.tar.gz
- extracting m4rcu5nl.zerotier-one to /root/.ansible/roles/m4rcu5nl.zerotier-one
- m4rcu5nl.zerotier-one (v1.2.3) was installed successfully
- extracting papanito.rsyslog to /root/.ansible/roles/papanito.rsyslog
- papanito.rsyslog (master) was installed successfully
[WARNING] Ansible is being run in a world writable directory (/builds/papanito/infrastructure), ignoring it as an ansible.cfg source. For more information see https://docs.ansible.com/ansible/devel/reference_appendices/config.html#cfg-in-world-writable-dir
[WARNING]: - papanito.bootstrap was NOT installed successfully: - command
/usr/bin/git clone ssh://git@gitlab.com/papanito/ansible-role-bootstrap.git
papanito.bootstrap failed in directory /root/.ansible/tmp/ansible-
local-1036kia7b4eu/tmpjcyiks12 (rc=128)
ERROR! - you can use --ignore-errors to skip failed roles and finish processing the list.
ERROR: Job failed: exit code 1
Running the same command ansible-galaxy install -r requirements.yml on my machine works fine.
That means you have the right public/private key in ~/.ssh/id_rsa on your machine, and you are executing it locally with your own account.
If you replicate that in a GitLab step, make sure to check the permissions, and possibly the passphrase and known_hosts, as shown here or in the documentation:
# Paste the PRIVATE key into a gitlab variable. Pay attention to the linebreak at the end when pasting
- mkdir -p ~/.ssh
- chmod 700 ~/.ssh
- echo "$DEPLOY_SERVER_PRIVATE_KEY" | tr -d '\r' > ~/.ssh/id_rsa
- chmod 600 ~/.ssh/id_rsa
- eval "$(ssh-agent -s)"
- ssh-add ~/.ssh/id_rsa
- ssh-keyscan -H 'your.server.hostname' >> ~/.ssh/known_hosts
I tried to use the more secure ssh forwarding instead of copying the private key into the machine, but found that ansible-galaxy does not work properly with it and relies only on the ~/.ssh/id_rsa key.
So here is my updated version of @VonC's answer:
- mkdir -p ~/.ssh
- chmod 700 ~/.ssh
- echo "$DEPLOY_SERVER_PRIVATE_KEY" | tr -d '\r' > ~/.ssh/id_rsa
- chmod 600 ~/.ssh/id_rsa
- ssh-keyscan -H 'your.server.hostname' >> ~/.ssh/known_hosts
- ssh -T git@gitlab.com
It removes the ssh-agent and ssh-add commands and adds the standard check for git authentication, which makes monitoring easier. Those two commands are only needed when adding multiple private keys for different git servers.
It is also better to remove the private key in the last deploy step if the operation does not need it.
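Both answers above boil down to the same checklist: the key file must have the permissions ssh accepts, it must not carry Windows line endings, the host key must be in known_hosts, and the key should not outlive the job. The following POSIX sh functions are an added example (not code from the question or either answer) that turns that checklist into something a before_script can call and an after_script can clean up with. Variable names such as CI_SSH_PRIVATE_KEY and CI_SSH_KNOWN_HOSTS are assumptions; the known_hosts pinning goes one step beyond the answers by taking pre-verified host key lines from a CI variable instead of trusting whatever ssh-keyscan sees at job time.

```shell
#!/bin/sh
# Added example, not from the question or the answers. Assumed CI variables:
#   CI_SSH_PRIVATE_KEY   masked GitLab variable holding the private key
#   CI_SSH_KNOWN_HOSTS   known_hosts lines copied from a trusted source

# Octal permission bits of a path (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# install_ci_ssh_key KEY_TEXT SSH_DIR
# Writes the key to SSH_DIR/id_rsa with CR bytes stripped. umask 077 means
# the file is never group/world readable even before the explicit chmod.
# The quoted printf matters: an unquoted expansion such as `echo $KEY`
# collapses the key's newlines into spaces and ssh rejects the result.
install_ci_ssh_key() {
    key="$1"; dir="$2"
    [ -n "$key" ] || { echo "refusing to write an empty private key" >&2; return 1; }
    (
        umask 077
        mkdir -p "$dir" && chmod 700 "$dir"
        printf '%s\n' "$key" | tr -d '\r' > "$dir/id_rsa"
        chmod 600 "$dir/id_rsa"
    )
}

# pin_known_hosts ENTRIES SSH_DIR
# Appends host key lines that were verified out of band. ssh-keyscan at job
# time is trust-on-first-use: it records whatever answers the connection.
pin_known_hosts() {
    entries="$1"; dir="$2"
    [ -n "$entries" ] || { echo "no known_hosts entries provided" >&2; return 1; }
    ( umask 077; printf '%s\n' "$entries" | tr -d '\r' >> "$dir/known_hosts" )
}

# check_key_setup SSH_DIR
# Returns 0 only when the layout is what ssh accepts silently: directory 700,
# key 600, no stray CR bytes, and a non-empty known_hosts.
check_key_setup() {
    dir="$1"
    [ "$(mode_of "$dir")" = "700" ] || return 1
    [ "$(mode_of "$dir/id_rsa")" = "600" ] || return 1
    if grep -q "$(printf '\r')" "$dir/id_rsa"; then return 1; fi
    [ -s "$dir/known_hosts" ] || return 1
    return 0
}

# key_parses SSH_DIR
# Confirms the key material itself is readable by ssh (catches a paste that
# lost its trailing newline) before git clone fails with rc=128.
key_parses() {
    ssh-keygen -y -f "$1/id_rsa" >/dev/null 2>&1
}

# remove_ci_ssh_key SSH_DIR: for after_script, so the key does not stay on the runner.
remove_ci_ssh_key() {
    rm -f "$1/id_rsa"
    [ ! -e "$1/id_rsa" ]
}

# Usage in a job (the variables above are assumptions):
#   install_ci_ssh_key "$CI_SSH_PRIVATE_KEY" "$HOME/.ssh"
#   pin_known_hosts "$CI_SSH_KNOWN_HOSTS" "$HOME/.ssh"
#   check_key_setup "$HOME/.ssh" && key_parses "$HOME/.ssh"
#   ssh -T git@gitlab.com
#   ansible-galaxy install -r requirements.yml
#   ... and in after_script: remove_ci_ssh_key "$HOME/.ssh"
```

The ssh -T check from the second answer still belongs right after the setup, since it fails with a readable message where ansible-galaxy only reports rc=128. Keep key_parses separate from check_key_setup so the permission and line-ending checks also work on runners without ssh-keygen.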