Ansible 和 Git Permission denied (publickey) at Git Clone

Ansible and Git Permission denied (publickey) at Git Clone

我有一个剧本,我正在尝试从私有存储库 (GIT) 克隆到服务器。

我已经设置了 ssh 转发,当我 ssh 进入服务器并尝试从同一个 repo 手动克隆时,它成功运行。但是,当我使用 ansible 将存储库克隆到服务器时,它失败并显示 "Permission Denied Public Key"。

这是我的剧本deploy.yml:

---

- hosts: webservers
  remote_user: root

  tasks:
      - name: Setup Git repo
        git: repo={{ git_repo }}
             dest={{ app_dir }}
             accept_hostkey=yes

这是我的 ansible.cfg 的样子:

[ssh_args]
ssh_args = -o FowardAgent=yes

我还能够执行剧本中的所有其他任务(os 操作、安装)。

我试过了:

这是我用于 运行 剧本的命令: ansible-playbook devops/deploy.yml -i devops/hosts -vvvv 这是我收到的错误消息:

fatal: [162.243.243.13]: FAILED! => {"changed": false, "cmd": "/usr/bin/git ls-remote '' -h refs/heads/HEAD", "failed": true, "invocation": {"module_args": {"accept_hostkey": true, "bare": false, "clone":
 true, "depth": null, "dest": "/var/www/aWebsite", "executable": null, "force": false, "key_file": null, "recursive": true, "reference": null, "refspec": null, "remote": "origin", "repo": "git@bitbucket.org:aUser/aRepo.git", "ssh_opts": null, "track_submodules": false, "update": true, "verify_commit": false, "version": "HEAD"}, "module_name": "git"}, "msg": "Permission denied (publickey).\r\nfatal: Could not r$ad from remote repository.\n\nPlease make sure you have the correct access rights\nand the repository exists.", "rc": 128, "stderr": "Permission denied (publickey).\r\nfatal: Could not read from remote r$pository.\n\nPlease make sure you have the correct access rights\nand the repository exists.\n", "stdout": "", "stdout_lines": []}

要在远程服务器上克隆私有 github 存储库,我正在这样做:

首先将 ssh 密钥添加到您的 ssh-agent:

eval `ssh-agent -s`
ssh-add ~/.ssh/my-private-key.pem

之后我修改了ansible.cfg:

[defaults]
transport = ssh
sudo_flags = -HE

[ssh_connection]
ssh_args = -o ForwardAgent=yes

现在您可以克隆 github 私有存储库,即使是 root 用户

通常,我也会在我的 playbook/roles 任务中添加这两个任务:

- name: Tell the host about our servers it might want to ssh to
  known_hosts:
    path: '/etc/ssh/known_hosts'
    name: 'github.com'
    key: "{{ lookup('pipe', 'ssh-keyscan -t rsa bitbucket.org') }}"

- name: Upload sudo config for key forwarding as root
  lineinfile:
    dest: /etc/sudoers.d/ssh_key_forward
    line: 'Defaults env_keep+=SSH_AUTH_SOCK'
    create: yes
    owner: root 
    group: root 
    mode: "0440"
    state: present
    validate: 'visudo -c -f %s'

奇怪,对我有用。如果 ssh 选项对您不起作用,那么您可以像这样使用 username/password 选项:

- name: Pull the code
  git:
    repo: "https://{{ bitbucket_login }}:{{ bitbucket_password|urlencode }}@bitbucket.org/path/project.git"
    dest: /var/www/myproject
    version: master

希望对您和其他人有所帮助

通过阅读ansible中ssh转发的文档。我找到了解决方案。

问题是我的 ssh 密钥没有被转发,因为 Ansible 默认情况下不会转发您的密钥,即使您已经在 ~/.ssh/conf 中设置了密钥转发(我用 ansible.cfg 我在解决问题之前拥有的)。

解决方法是在[defaults]下的ansible.cfg加上ansible.cfg所在的位置加上运行ansible-playbook和确保目标框的 /etc/ssh/sshd_config 中存在以下设置:

AllowAgentForwarding yes

我的 ansible.cfg 现在看起来像这样:

[defaults]
transport = ssh

[ssh_connection]
ssh_args = -o ForwardAgent=yes

在仅限本地主机的情况下 ForwardAgent 完全没用,因为它只会将代理转发到远程主机。

即使 git 在 运行 手动时从命令行工作,无论如何它都不能从 Ansible 工作。我找到的唯一可行的解​​决方案是将 git 转换为 command,例如: - command: /usr/bin/git clone git@github

对于 public 存储库:(您可以使用 https)

- name: Git checkout ghq from github
  git:
    repo: https://github.com/x-motemen/ghq.git
    dest: /tmp/ghqt
    depth: "1"

对于私人,您可以复制之前的私人ssh密钥并像这样附加

- name: Git checkout dotfiles repo
  git:
    repo: "https://github.com/x-motemen/ghq.git"
    dest: /tmp/ghqt
    version: "develop"
    accept_hostkey: yes
    key_file: "{{ ssh_key_private_remote_path }}{{ ssh_key_private_filename }}"

更多详情:https://www.jeffgeerling.com/blog/2018/cloning-private-github-repositories-ansible-on-remote-server-through-ssh