How to forward ssh key in ansible to checkout git repository on target machine from origin?
I am trying to configure ansible to check out a git repository from bitbucket and put it on the target machine. The control machine (my computer) has the bitbucket private ssh key. The public key has been uploaded to bitbucket, and ssh access with it has been tested and works.
Here is the ansible yml task code:
- name: Checkout application
  become: no
  git: repo=git@bitbucket.org:bitbucketusername/deployment.git
       dest=/tmp/myapp
       accept_hostkey=True
       key_file=/home/me/.ssh/bitbucket_ssh_key
Here is the error:
Warning: Identity file /home/me/.ssh/bitbucket_ssh_key not accessible:
No such file or directory.
Permission denied (publickey)
So I assume the key forwarding is not working? That is strange, because in my ~/.ssh/config I have enabled forwarding for the target machine 111.222.333.444:
Host 111.222.333.444
    ForwardAgent yes
So what is going wrong, and how do I get my repository from bitbucket onto my target machine? I am using ansible 2.1.1.0.
Edit: here is the part it complains about with the -vvvv flag on:
TASK [Checkout application] *********************************************
task path: /home/me/path/to/the/ansible/playbook.yml:49
<111.222.333.444> ESTABLISH SSH CONNECTION FOR USER: deploy
<111.222.333.444> SSH: EXEC ssh -C -vvv -o ForwardAgent=yes -o StrictHostKeyChecking=no -o 'IdentityFile="/home/me/.ssh/the_ssh_key"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=deploy -o ConnectTimeout=10 111.222.333.444 '/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo $HOME/.ansible/tmp/ansible-tmp-1477655760.17-42684399995480 `" && echo ansible-tmp-1477655760.17-42684399995480="` echo $HOME/.ansible/tmp/ansible-tmp-1477655760.17-42684399995480 `" ) && sleep 0'"'"''
<111.222.333.444> PUT /tmp/tmp0NYGtg TO /home/deploy/.ansible/tmp/ansible-tmp-1477655760.17-42684399995480/git
<111.222.333.444> SSH: EXEC sftp -b - -C -vvv -o ForwardAgent=yes -o StrictHostKeyChecking=no -o 'IdentityFile="/home/me/.ssh/the_ssh_key"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=deploy -o ConnectTimeout=10 '[111.222.333.444]'
<111.222.333.444> ESTABLISH SSH CONNECTION FOR USER: deploy
<111.222.333.444> SSH: EXEC ssh -C -vvv -o ForwardAgent=yes -o StrictHostKeyChecking=no -o 'IdentityFile="/home/me/.ssh/the_ssh_key"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=deploy -o ConnectTimeout=10 -tt 111.222.333.444 '/bin/sh -c '"'"'LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8 LC_MESSAGES=en_US.UTF-8 /usr/bin/python /home/deploy/.ansible/tmp/ansible-tmp-1477655760.17-42684399995480/git; rm -rf "/home/deploy/.ansible/tmp/ansible-tmp-1477655760.17-42684399995480/" > /dev/null 2>&1 && sleep 0'"'"''
fatal: [app1]: FAILED! => {"changed": false, "cmd": "/usr/bin/git ls-remote '' -h refs/heads/HEAD", "failed": true, "invocation": {"module_args": {"accept_hostkey": true, "bare": false, "clone": true, "depth": null, "dest": "/tmp/myapp", "executable": null, "force": false, "key_file": "/home/me/.ssh/bitbucket_ssh_key", "recursive": true, "reference": null, "refspec": null, "remote": "origin", "repo": "git@bitbucket.org:memeares/deployment.git", "ssh_opts": null, "track_submodules": false, "update": true, "verify_commit": false, "version": "HEAD"}, "module_name": "git"}, "msg":
"Warning: Identity file /home/me/.ssh/bitbucket_ssh_key not accessible: No such file or directory.
Permission denied (publickey).
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.", "rc": 128, "stderr": "Warning: Identity file /home/me/.ssh/bitbucket_ssh_key not accessible: No such file or directory.
Permission denied (publickey).
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
", "stdout": "", "stdout_lines": []}
And I also have forwarding configured in the ansible.cfg file (as the output above shows):
[ssh_connection]
# Enable SSH Agent Forwarding so that the private key used to be able to
# checkout from git does not have to be on the server
ssh_args=-o ForwardAgent=yes
The last fix that made it work was adding the key to ssh-agent with ssh-add ~/.ssh/the_ssh_key.
I think in my case it was a combination of errors, though this is what got me the furthest, since I had previously added the key with ssh-add but destroyed the instance after trying to debug other errors.
Also some things not mentioned here:
- If the key is not id_rsa, specify it manually with -i the_ssh_key
- Make sure the server actually has a copy of the public key the_ssh_key.pub in the relevant user's ~/.ssh directory
- Make sure /etc/ssh/sshd_config has AllowAgentForwarding yes
- ssh-agent -L tells you whether ssh-agent "knows about" your ssh key if there is a problem with it. (I don't know why this is needed when specifying the key file with ssh -i the_ssh_key)
- When sshing from the control machine, include -o AllowAgentForwarding=yes
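An added pre-flight script (not from the question or the answer) that checks the conditions the answer lists before the playbook runs: the key is loaded in the local agent, ansible.cfg passes ForwardAgent, the target's sshd permits forwarding, and the forwarded socket actually exposes the key on the target. Note that the git module's key_file is resolved on the target host, which is why the target reports the file missing; with a working forwarded agent the task needs no key_file at all. Assumed: bash with awk and OpenSSH on the control machine, and the key path and host shown in the usage comment are placeholders.

```shell
#!/usr/bin/env bash
# Added pre-flight checks for the ssh agent forwarding setup discussed above.
# Parsing helpers read text on stdin so they can be exercised on sample data.
# Does `ssh-add -L` output (stdin) contain this public key ("<type> <base64> [comment]")?
# Only the key type and base64 blob are compared; the comment field is ignored.
key_in_agent() {
  awk -v want="$(printf '%s\n' "$1" | awk '{ print $1, $2 }')" \
      '($1 " " $2) == want { found = 1 } END { exit !found }'
}

# Is AllowAgentForwarding effectively "yes" in an sshd_config read from stdin?
# sshd honours the FIRST occurrence and defaults to yes when the keyword is absent;
# "keyword=value" syntax is accepted. Match blocks are not modelled (assumed absent).
sshd_allows_agent_forwarding() {
  local val
  val=$(awk '/^[[:space:]]*#/ || NF == 0 { next }
             { sub(/=/, " "); $0 = $0 }
             tolower($1) == "allowagentforwarding" { print tolower($2); exit }')
  [ -z "$val" ] || [ "$val" = "yes" ]
}

# Does the [ssh_connection] section of an ansible.cfg (stdin) pass -o ForwardAgent=yes?
ansible_cfg_forwards_agent() {
  awk '/^[[:space:]]*\[/ { in_ssh = (tolower($0) ~ /^[[:space:]]*\[ssh_connection\]/) }
       in_ssh && /^[[:space:]]*ssh_args[[:space:]]*=/ && tolower($0) ~ /forwardagent=yes/ { ok = 1 }
       END { exit !ok }'
}

# Live checks; hypothetical paths. usage: preflight ~/.ssh/the_ssh_key.pub deploy@111.222.333.444
preflight() {
  local pub=$1 host=$2 cfg=${ANSIBLE_CONFIG:-ansible.cfg} conf rc=0
  if ssh-add -L 2>/dev/null | key_in_agent "$(cat "$pub")"; then
    echo "ok: key is loaded in the local ssh-agent"
  else echo "FAIL: key not in agent; run: ssh-add ${pub%.pub}"; rc=1; fi
  if [ -r "$cfg" ] && ansible_cfg_forwards_agent < "$cfg"; then
    echo "ok: $cfg passes -o ForwardAgent=yes"
  else echo "FAIL: $cfg does not set ssh_args=-o ForwardAgent=yes under [ssh_connection]"; rc=1; fi
  conf=$(ssh "$host" cat /etc/ssh/sshd_config 2>/dev/null)
  if [ -n "$conf" ] && printf '%s\n' "$conf" | sshd_allows_agent_forwarding; then
    echo "ok: target sshd allows agent forwarding"
  else echo "FAIL: could not confirm AllowAgentForwarding yes on the target"; rc=1; fi
  # End to end: the forwarded socket on the target must list the same key.
  if ssh -o ForwardAgent=yes "$host" ssh-add -L 2>/dev/null | key_in_agent "$(cat "$pub")"; then
    echo "ok: target sees the key through the forwarded agent socket"
  else echo "FAIL: forwarded agent unusable on target, so the git task will fail"; rc=1; fi
  return $rc
}

if [ $# -eq 2 ]; then preflight "$1" "$2"; fi
```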