Ansible and Git Permission denied (publickey) in Git Clone

I have a playbook where I am trying to clone from a private repo (GIT) to a server.

I have ssh forwarding configured and when I ssh to the server and try to manually clone from the same repo, it works successfully. However, when I use Ansible to clone the repo on the server, it fails with "Permission denied (publickey)".

This is my playbook deploy.yml:

---

- hosts: webservers
  remote_user: root

  tasks:
      - name: Setup Git repo
        git: repo={{ git_repo }}
             dest={{ app_dir }}
             accept_hostkey=yes

Here's what my ansible.cfg looks like:

[ssh_args]
ssh_args = -o FowardAgent=yes

I can also perform all other tasks in my playbooks (OS operations, installations).

I tried:

  • Setting the sshAgentForwarding flag in ansible.cfg on the server (ansible.cfg in the same directory as the playbook), using:

    ssh_args = -o ForwardingAgent = yes

  • become: false git clone
  • running ansible -i devops/hosts webservers -a "ssh -T git@bitbucket.org" :

    an_ip_address | UNREACHABLE! => { "changed": false, "msg": "Failed to connect to the host via ssh.", "unreachable": true }

, playbook: ansible-playbook devops/deploy.yml -i devops/hosts -vvvv , :

fatal: [162.243.243.13]: FAILED! => {"changed": false, "cmd": "/usr/bin/git ls-remote '' -h refs/heads/HEAD", "failed": true, "invocation": {"module_args": {"accept_hostkey": true, "bare": false, "clone": true, "depth": null, "dest": "/var/www/aWebsite", "executable": null, "force": false, "key_file": null, "recursive": true, "reference": null, "refspec": null, "remote": "origin", "repo": "git@bitbucket.org:aUser/aRepo.git", "ssh_opts": null, "track_submodules": false, "update": true, "verify_commit": false, "version": "HEAD"}, "module_name": "git"}, "msg": "Permission denied (publickey).\r\nfatal: Could not read from remote repository.\n\nPlease make sure you have the correct access rights\nand the repository exists.", "rc": 128, "stderr": "Permission denied (publickey).\r\nfatal: Could not read from remote repository.\n\nPlease make sure you have the correct access rights\nand the repository exists.\n", "stdout": "", "stdout_lines": []}
+4
3

ssh . .

, ssh- , Ansible , ~/.ssh/conf ( ansible.cfg, ).

transport = ssh ansible.cfg [defaults] ansible-playbook ansible.cfg.

ansible.cfg :

[defaults]
transport = ssh

[ssh_connection]
ssh_args = -o ForwardAgent=yes
+4
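The difference between the question's ansible.cfg and the corrected file in the answer above, expressed as a check. This is an added example, not part of the original posts; lint_ansible_cfg, ssh_o_options and the finding texts are hypothetical names, and the sample configs are constructed from the snippets on this page (the section used for the "tried" line is an assumption).

```python
import configparser
import difflib
import shlex

# Added example; function names and messages are hypothetical, not Ansible's.
# Constructed samples based on the snippets quoted on this page.
QUESTION_CFG = "[ssh_args]\nssh_args = -o FowardAgent=yes\n"
TRIED_CFG = "[ssh_connection]\nssh_args = -o ForwardingAgent = yes\n"  # section assumed
ANSWER_CFG = "[defaults]\ntransport = ssh\n\n[ssh_connection]\nssh_args = -o ForwardAgent=yes\n"

def ssh_o_options(ssh_args):
    """Return the arguments given to -o, for both '-o Key=val' and '-oKey=val'."""
    tokens = shlex.split(ssh_args)
    opts = []
    for i, tok in enumerate(tokens):
        if tok == "-o" and i + 1 < len(tokens):
            opts.append(tokens[i + 1])
        elif tok.startswith("-o") and len(tok) > 2:
            opts.append(tok[2:])
    return opts

def lint_ansible_cfg(text):
    """Return a list of findings about ssh_args settings in ansible.cfg text."""
    cfg = configparser.ConfigParser(interpolation=None)  # keep %h etc. literal
    cfg.read_string(text)
    findings = []
    for section in cfg.sections():
        if not cfg.has_option(section, "ssh_args"):
            continue
        # Ansible reads ssh_args from [ssh_connection]; other sections are ignored.
        if section != "ssh_connection":
            findings.append(f"[{section}] ssh_args is not read; use [ssh_connection]")
        for opt in ssh_o_options(cfg.get(section, "ssh_args")):
            # ssh accepts 'Key=value' or a quoted 'Key value'; normalise both.
            key, sep, value = opt.replace(" ", "=", 1).partition("=")
            if not sep or not value:
                findings.append(f"-o {key} has no value; write Key=value with no spaces")
            # Flag near-misses of ForwardAgent such as FowardAgent.
            if key.lower() != "forwardagent" and difflib.get_close_matches(
                    key.lower(), ["forwardagent"], cutoff=0.8):
                findings.append(f"-o {key} is not an ssh option; did you mean ForwardAgent?")
    return findings

if __name__ == "__main__":
    for name, text in [("question", QUESTION_CFG), ("tried", TRIED_CFG),
                       ("answer", ANSWER_CFG)]:
        print(name, lint_ansible_cfg(text) or "ok")
```

With ForwardAgent=yes set globally, root on every managed host can use the forwarded agent while the connection is open, so it is worth limiting the setting to the hosts that need to clone.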

github- , :

ssh ssh-agent:

eval `ssh-agent -s`
ssh-add ~/.ssh/my-private-key.pem

ansible.cfg:

[defaults]
transport = ssh
sudo_flags = -HE

[ssh_connection]
ssh_args = -o ForwardAgent=yes

github root

, playbook/role:

- name: Tell the host about our servers it might want to ssh to
  known_hosts:
    path: '/etc/ssh/known_hosts'
    name: 'github.com'
    key: "{{ lookup('pipe', 'ssh-keyscan -t rsa bitbucket.org') }}"

- name: Upload sudo config for key forwarding as root
  lineinfile:
    dest: /etc/sudoers.d/ssh_key_forward
    line: 'Defaults env_keep+=SSH_AUTH_SOCK'
    create: yes
    owner: root 
    group: root 
    mode: "0440"
    state: present
    validate: 'visudo -c -f %s'

, . ssh , username/password :

- name: Pull the code
  git:
    repo: "https://{{ bitbucket_login }}:{{ bitbucket_password|urlencode }}@bitbucket.org/path/project.git"
    dest: /var/www/myproject
    version: master

, .

+3

localhost-only -scenario ForwardAgent , .

Even if git works from the command line when run manually, it does not work with Ansible, no matter what. The only working solution I found was converting git to command, for example: - command: /usr/bin/git clone git@github

0

Source: https://habr.com/ru/post/1655410/

