`git clone` fails for role in private git repo when running `ansible-galaxy install -r requirements.yml`

I have added a .gitlab-ci.yml to my private project. One of the steps fetches a role from a private gitlab repository. However, this fails with

/usr/bin/git clone ssh://git@gitlab.com/papanito/ansible-role-bootstrap.git
papanito.bootstrap failed in directory /root/.ansible/tmp/ansible-local-1036kia7b4eu/tmpjcyiks12 (rc=128)
ERROR! - you can use --ignore-errors to skip failed roles and finish processing the list.
ERROR: Job failed: exit code 1

Running the same command ansible-galaxy install -r requirements.yml on my machine works fine.

Before running the command I add a private key for the ci user. So I don't know what I am still missing.

.gitlab-ci.yml

variables:
  SITE: "site.yml"
  PLAYBOOKS: "playbooks/*.yml"

stages:
  - verify

before_script:
  - whoami
  - apt-get update -qy #update system
  - mkdir ~/.ssh
  - chmod 700 ~/.ssh
  - echo $SSHKEY_GITLAB > ~/.ssh/id_rsa # https://docs.gitlab.com/ee/ci/ssh_keys
  - chmod 640 ~/.ssh/id_rsa
  - apt-get install ansible ansible-lint -qy
  - git submodule update --init
  - ansible --version
  - ansible-lint --version
  - git config -l
  - ansible-galaxy install -r requirements.yml

ansible-verify:
  stage: verify
  script:
    - ansible-lint -v $SITE
    - ansible-lint -v $PLAYBOOKS
    - ansible-playbook --syntax-check $SITE
    - ansible-playbook --syntax-check $PLAYBOOKS

requirements.yml

- src: geerlingguy.docker
- src: dev-sec.ssh-hardening
- src: m4rcu5nl.zerotier-one

# own roles
- src: https://git@github.com/papanito/ansible-role-rsyslog.git
  name: papanito.rsyslog
  scm: git
  version: master
- src: git+ssh://git@gitlab.com/papanito/ansible-role-bootstrap.git
  name: papanito.bootstrap
  scm: git
  version: master

Log

$ ansible-galaxy install -r requirements.yml
- downloading role 'docker', owned by geerlingguy
- downloading role from https://github.com/geerlingguy/ansible-role-docker/archive/2.8.1.tar.gz
- extracting geerlingguy.docker to /root/.ansible/roles/geerlingguy.docker
- geerlingguy.docker (2.8.1) was installed successfully
- downloading role 'ssh-hardening', owned by dev-sec
- downloading role from https://github.com/dev-sec/ansible-ssh-hardening/archive/9.3.0.tar.gz
- extracting dev-sec.ssh-hardening to /root/.ansible/roles/dev-sec.ssh-hardening
- dev-sec.ssh-hardening (9.3.0) was installed successfully
- downloading role 'zerotier-one', owned by m4rcu5nl
- downloading role from https://github.com/m4rcu5nl/ansible-role-zerotier/archive/v1.2.3.tar.gz
- extracting m4rcu5nl.zerotier-one to /root/.ansible/roles/m4rcu5nl.zerotier-one
- m4rcu5nl.zerotier-one (v1.2.3) was installed successfully
- extracting papanito.rsyslog to /root/.ansible/roles/papanito.rsyslog
- papanito.rsyslog (master) was installed successfully
 [WARNING] Ansible is being run in a world writable directory (/builds/papanito/infrastructure), ignoring it as an ansible.cfg source. For more information see https://docs.ansible.com/ansible/devel/reference_appendices/config.html#cfg-in-world-writable-dir
 [WARNING]: - papanito.bootstrap was NOT installed successfully: - command
/usr/bin/git clone ssh://git@gitlab.com/papanito/ansible-role-bootstrap.git
papanito.bootstrap failed in directory /root/.ansible/tmp/ansible-local-1036kia7b4eu/tmpjcyiks12 (rc=128)
ERROR! - you can use --ignore-errors to skip failed roles and finish processing the list.
ERROR: Job failed: exit code 1

"Running the same command ansible-galaxy install -r requirements.yml on my machine works fine."

That means you have the right public/private key in ~/.ssh/id_rsa on your machine, and that you are executing it locally with your own account.

If you replicate that in a GitLab step, make sure to check the permissions, and possibly the passphrase and known_hosts, as shown in the documentation here:

  # Paste the PRIVATE key into a gitlab variable. Pay attention to the linebreak at the end when pasting
  - mkdir -p ~/.ssh
  - chmod 700 ~/.ssh
  - echo "$DEPLOY_SERVER_PRIVATE_KEY" | tr -d '\r' > ~/.ssh/id_rsa
  - chmod 600 ~/.ssh/id_rsa
  - eval "$(ssh-agent -s)"
  - ssh-add ~/.ssh/id_rsa
  - ssh-keyscan -H 'your.server.hostname' >> ~/.ssh/known_hosts

I tried to use ssh forwarding, which is more secure than copying the private key into the machine, but found that ansible-galaxy does not work properly with it and relies only on the ~/.ssh/id_rsa key.

So here is my updated version of @VonC's answer:

 - mkdir -p ~/.ssh
 - chmod 700 ~/.ssh
 - echo "$DEPLOY_SERVER_PRIVATE_KEY" | tr -d '\r' > ~/.ssh/id_rsa
 - chmod 600 ~/.ssh/id_rsa
 - ssh-keyscan -H 'your.server.hostname' >> ~/.ssh/known_hosts
 - ssh -T git@gitlab.com

It removes the ssh-agent and ssh-add commands and adds the standard check for git authentication, which makes monitoring easier. Those commands are only needed when adding multiple private keys for different git servers.

It is also a good idea to remove the private key in the last deployment step if the operation does not need it.
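The two answers above describe the same procedure in prose and as a list of before_script lines: write the key from a CI variable, strip carriage returns, lock the permissions down, pin the host key, and remove the key when done. The script below is an added example that packages those steps as shell functions and adds the check the original job lacked: OpenSSH silently refuses a private key that is group- or world-readable (the question's `chmod 640 ~/.ssh/id_rsa`), which is exactly what surfaces as `git clone ... (rc=128)` with no further explanation. It is not code from the question, from either answer, or from GitLab's documentation. Assumptions: the key material arrives in a variable such as `$DEPLOY_SERVER_PRIVATE_KEY`, the target directory defaults to `~/.ssh`, and the host to pin is `gitlab.com`; the key text used in the usage section is constructed and is not a real key.

```shell
#!/bin/sh
# Added example (not from the question or the answers): install a CI private key
# the way the answers recommend and fail early on the mistakes that turn a
# private-repo `git clone` into an opaque rc=128.
set -eu

# install_ci_key KEY_MATERIAL [SSH_DIR]
# Writes the key from a CI variable, strips CRs pasted in from a browser, and
# leaves both the directory and the file readable by the owner only.
install_ci_key() {
    key_material=$1
    ssh_dir=${2:-"$HOME/.ssh"}
    umask 077                       # files created below start out as 0600
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    printf '%s\n' "$key_material" | tr -d '\r' > "$ssh_dir/id_rsa"
    chmod 600 "$ssh_dir/id_rsa"     # 640, as in the question, is "too open" for ssh
    printf '%s\n' "$ssh_dir/id_rsa"
}

# key_perms_ok KEYFILE -> 0 if only the owner has any access, 1 otherwise.
# Parses the ls mode string so it works on both GNU and BSD userland.
key_perms_ok() {
    mode=$(ls -l "$1" | cut -c5-10)  # group and other permission bits
    [ "$mode" = "------" ]
}

# key_is_clean KEYFILE -> 0 if no carriage return survived (a CR in the key
# makes ssh report "invalid format" or simply fail to authenticate).
key_is_clean() {
    ! grep -q "$(printf '\r')" "$1"
}

# pin_host HOST [SSH_DIR]: record the server key once so later git/ssh calls
# fail closed instead of prompting. ssh-keyscan trusts whatever answers, so on
# a real pipeline compare the result with the fingerprints GitLab publishes.
pin_host() {
    ssh_dir=${2:-"$HOME/.ssh"}
    ssh-keyscan -H "$1" >> "$ssh_dir/known_hosts" 2>/dev/null
    chmod 644 "$ssh_dir/known_hosts"
}

# remove_ci_key [SSH_DIR]: run this in after_script so the key does not outlive
# the job, as the second answer suggests.
remove_ci_key() {
    rm -f "${1:-$HOME/.ssh}/id_rsa"
}

# Usage, as it would appear in before_script (CI_PRIVATE_KEY is an assumed
# variable name; the key text here is constructed and is not a real key):
#   key=$(install_ci_key "$CI_PRIVATE_KEY")
#   key_perms_ok "$key" && key_is_clean "$key" || { echo "bad key file"; exit 1; }
#   pin_host gitlab.com
#   ssh -T git@gitlab.com
#   ansible-galaxy install -r requirements.yml
```

In a real job `pin_host gitlab.com` and `ssh -T git@gitlab.com` need network access, so they are left out of the offline check; everything else (write, strip, permission and CR checks, cleanup) runs without a GitLab runner.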
