我有一个剧本,我试图从私人仓库(GIT)克隆到服务器。
我已经设置了ssh转发,当我ssh到服务器并尝试从同一个repo手动克隆时,它成功运行。但是,当我使用ansible将repo克隆到服务器时,它会失败并显示“Permission Denied Public Key”。
这是我的剧本deploy.yml:
---
- hosts: webservers
remote_user: root
tasks:
- name: Setup Git repo
git: repo={{ git_repo }}
dest={{ app_dir }}
accept_hostkey=yes
这就是我的ansible.cfg看起来的样子:
[ssh_args]
ssh_args = -o FowardAgent=yes
我也可以在我的剧本中执行所有其他任务(操作,安装)。
我试过了:
ansible.cfg(与playbook相同的目录中的ansible.cfg)中指定sshAgentForwarding标志:
ssh_args = -o ForwardingAgent = yes
become: false执行git clone 运行ansible -i devops/hosts webservers -a "ssh -T git@bitbucket.org"会返回:
an_ip_address | UNREACHABLE! => {
"changed": false,
"msg": "Failed to connect to the host via ssh.",
"unreachable": true
}
这是我用来运行playbook的命令:
ansible-playbook devops/deploy.yml -i devops/hosts -vvvv
这是我收到的错误消息:
fatal: [162.243.243.13]: FAILED! => {"changed": false, "cmd": "/usr/bin/git ls-remote '' -h refs/heads/HEAD", "failed": true, "invocation": {"module_args": {"accept_hostkey": true, "bare": false, "clone":
true, "depth": null, "dest": "/var/www/aWebsite", "executable": null, "force": false, "key_file": null, "recursive": true, "reference": null, "refspec": null, "remote": "origin", "repo": "git@bitbucket.org:aUser/aRepo.git", "ssh_opts": null, "track_submodules": false, "update": true, "verify_commit": false, "version": "HEAD"}, "module_name": "git"}, "msg": "Permission denied (publickey).\r\nfatal: Could not r$ad from remote repository.\n\nPlease make sure you have the correct access rights\nand the repository exists.", "rc": 128, "stderr": "Permission denied (publickey).\r\nfatal: Could not read from remote r$pository.\n\nPlease make sure you have the correct access rights\nand the repository exists.\n", "stdout": "", "stdout_lines": []}
答案 0 :(得分:6)
通过阅读ansible中的ssh转发文档。我能够找到解决方案。
问题是我的ssh密钥没有被转发,因为Ansible默认不会转发您的密钥,即使您已在~/.ssh/conf设置了密钥转发(我使用{{1}更新了我的问题我在修复问题之前就已经有了。)
解决方案是将ansible.cfg添加到transport = ssh下的ansible.cfg以及[defaults]所在位置ansible-playbook {。}}。
我的ansible.cfg现在看起来像这样:
ansible.cfg答案 1 :(得分:3)
要通过远程服务器克隆私有github存储库,我这样做:
首先将ssh密钥添加到ssh-agent:
eval `ssh-agent -s`
ssh-add ~/.ssh/my-private-key.pem
之后我修改了ansible.cfg:
[defaults]
transport = ssh
sudo_flags = -HE
[ssh_connection]
ssh_args = -o ForwardAgent=yes
现在您可以以root用户身份克隆github私人仓库
通常,我也会在我的playbook / roles任务中添加这两个任务:
- name: Tell the host about our servers it might want to ssh to
known_hosts:
path: '/etc/ssh/known_hosts'
name: 'github.com'
key: "{{ lookup('pipe', 'ssh-keyscan -t rsa bitbucket.org') }}"
- name: Upload sudo config for key forwarding as root
lineinfile:
dest: /etc/sudoers.d/ssh_key_forward
line: 'Defaults env_keep+=SSH_AUTH_SOCK'
create: yes
owner: root
group: root
mode: "0440"
state: present
validate: 'visudo -c -f %s'
奇怪,它适合我。如果ssh选项对您不起作用,那么您可以使用这样的用户名/密码选项:
- name: Pull the code
git:
repo: "https://{{ bitbucket_login }}:{{ bitbucket_password|urlencode }}@bitbucket.org/path/project.git"
dest: /var/www/myproject
version: master
希望这对你和其他人有帮助
答案 2 :(得分:1)
对于公共存储库:(您可以使用 https)
- name: Git checkout ghq from github
git:
repo: https://github.com/x-motemen/ghq.git
dest: /tmp/ghqt
depth: "1"
对于私有,您可以复制您的私有 ssh 密钥并像这样附加
- name: Git checkout dotfiles repo
git:
repo: "https://github.com/x-motemen/ghq.git"
dest: /tmp/ghqt
version: "develop"
accept_hostkey: yes
key_file: "{{ ssh_key_private_remote_path }}{{ ssh_key_private_filename }}"
答案 3 :(得分:0)
在localhost-only -scenario ForwardAgent上完全没用,因为它只会将代理转发给远程主机。
即使git在手动运行时从命令行运行,无论如何都无法使用Ansible。我找到的唯一可行解决方案是将git转换为command,例如:
- command: /usr/bin/git clone git@github