
Hello, I am having issues getting Chef to check out my git repo using an ssh key from my data_bag.

Below is my git resource:

repo_key = search(:git, "id:git_key").first
git_key_file = "#{Chef::Config['file_cache_path']}/git_key/id_rsa"

directory "#{Chef::Config['file_cache_path']}/git_key" do
    action :create
end

file git_key_file do
    content repo_key['deploy_key']
    mode "0755"
    action :create_if_missing
end

git "/usr/share/my_repo" do
    repository "git@github.com:my_name/some_repo.git"
    checkout_branch "#{node["my_app"][:test_branch]}"
    action :sync
    ssh_wrapper "ssh -i #{git_key_file}"
end

When I run `sudo chef-client` I get the error below:

STDERR: error: cannot run ssh -i /var/chef/cache/git_key/id_rsa: No such file or directory

I have ssh'ed into the server and I can verify that the key file is in the proper place and contains the key.

twreid
  • What happens when you run that command manually on your server? – sethvargo Jun 04 '14 at 14:19
  • The same exact thing happens. – twreid Jun 04 '14 at 14:24
  • So, how is this a problem with Chef? Running the ssh command manually on the server fails, so of course this will fail when executed by Chef. Have you looked at the man pages for `ssh -i`? What are you trying to do? – sethvargo Jun 04 '14 at 14:25
  • Yes, I have looked at the man pages, and `-i` points to an identity file, which I am doing, and I have verified that the identity file is correct. I'm starting to think it may be a permissions issue and that I shouldn't be using 0755. – twreid Jun 04 '14 at 14:26

3 Answers

6

While your private-key file may be in the right place, my [limited] understanding is that the GIT_SSH variable must be the path to an executable script rather than a command itself.

Thankfully, there is a much easier way to set up Git to use a particular SSH key per repository that doesn't rely on setting environment variables or creating new scripts. The general process is described in this SuperUser answer, which is to specify the custom SSH command as an "external transport" in the repository location. Here is how I use the method in a Chef recipe:

# Add a deployment key to the node from chef-vault, e.g. at 
#    /path/to/some_repo_deployment_key
#    /path/to/some_repo_deployment_key.pub

git "/usr/share/my_repo" do
  # The following line ensures that our repo-specific deployment 
  # ssh-key will be used for all clone & fetch operations.
  repository "ext::ssh -i /path/to/some_repo_deployment_key -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no git@github.com %S /my_name/some_repo.git"
  checkout_branch "master"
  action :sync
end

After the repository has been cloned, git fetch and git push operations from within the working directory will use the same key, making further automation more independent of environmental setup than some of the other techniques which rely on ssh's key-discovery mechanisms.

Adam Franco
  • This solution worked perfectly for me, except I was getting a `STDERR: fatal: Cannot force update the current branch.` error while the `checkout_branch` line was present. Once I removed it, no problem at all! – scaryguy Jan 16 '16 at 06:48
  • Just a note, this works nicely with the `deploy_revision` chef resource. – Dave S. Nov 07 '17 at 14:07
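The three mechanisms this answer contrasts (an executable GIT_SSH wrapper script, an environment variable, and the ext:: transport), written out as an added example in plain Ruby. This is not code from the question, from the answer, or from Chef; the key and known_hosts paths are assumptions, and every variant pins the server's host key through a known_hosts file rather than turning checking off with StrictHostKeyChecking=no as the answer's URL does. Chef's `ssh_wrapper` property is exported to git as GIT_SSH, and git execs that value as a single program name, which is why the question's `ssh_wrapper "ssh -i ..."` fails with "cannot run ssh -i ...: No such file or directory". Two caveats on the ext:: form with current git: since git 2.12 the ext protocol is disabled unless `protocol.ext.allow=always` is set in git config (or GIT_ALLOW_PROTOCOL includes `ext`), and git-remote-ext has its own escaping (a literal space is `% `, a literal percent is `%%`), which is not shell quoting.

```ruby
require 'shellwords'
require 'fileutils'

# Illustrative paths; assumptions for this example, not values from the post.
KEY_PATH         = '/var/chef/cache/git_key/id_rsa'
KNOWN_HOSTS_PATH = '/var/chef/cache/git_key/known_hosts' # pre-populated host key

# ssh arguments shared by all three variants: one fixed identity, a pinned
# known_hosts file, and no fallback to the agent or default key names.
def ssh_args(key_path, known_hosts)
  ['ssh', '-i', key_path,
   '-o', "UserKnownHostsFile=#{known_hosts}",
   '-o', 'StrictHostKeyChecking=yes',
   '-o', 'IdentitiesOnly=yes']
end

# Variant 1: GIT_SSH (what Chef's ssh_wrapper sets). git execs the value as
# one program name, so it has to be an executable file, not a command line.
def git_ssh_wrapper_script(key_path, known_hosts)
  "#!/bin/sh\nexec #{Shellwords.join(ssh_args(key_path, known_hosts))} \"$@\"\n"
end

def write_git_ssh_wrapper(path, key_path, known_hosts)
  FileUtils.mkdir_p(File.dirname(path))
  File.open(path, File::WRONLY | File::CREAT | File::TRUNC, 0700) do |f|
    f.write(git_ssh_wrapper_script(key_path, known_hosts))
  end
  File.chmod(0700, path) # the open() mode only applies when the file is new
  path
end

# Variant 2: GIT_SSH_COMMAND (git 2.3+). The value is run through the shell,
# so ordinary shell quoting applies and a key path with spaces is safe.
def git_ssh_command(key_path, known_hosts)
  Shellwords.join(ssh_args(key_path, known_hosts))
end

# Variant 3: the ext:: transport from the answer above. git-remote-ext splits
# the URL on unescaped spaces; "% " is a literal space, "%%" a literal percent,
# and %S expands to the service (git-upload-pack or git-receive-pack).
def ext_escape(arg)
  arg.gsub('%', '%%').gsub(' ', '% ')
end

def ext_repository_url(key_path, known_hosts, host:, repo_path:, user: 'git')
  words = ssh_args(key_path, known_hosts).map { |a| ext_escape(a) }
  words += ["#{user}@#{host}", '%S', ext_escape(repo_path)]
  "ext::#{words.join(' ')}"
end

if __FILE__ == $PROGRAM_NAME
  puts git_ssh_command(KEY_PATH, KNOWN_HOSTS_PATH)
  puts ext_repository_url(KEY_PATH, KNOWN_HOSTS_PATH,
                          host: 'github.com', repo_path: '/my_name/some_repo.git')
end
```

In a recipe, the file produced by `write_git_ssh_wrapper` is what the git resource's `ssh_wrapper` property should point at; `git_ssh_command` is the value for the resource's `environment 'GIT_SSH_COMMAND' => ...` on git 2.3 or later; and `ext_repository_url` is the `repository` value, subject to the `protocol.ext.allow` setting noted above.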
1

It seems like you found the answer to this (permissions that are too open), but here is the relevant info from my ssh man page:

 ...
 ~/.ssh/identity
 ~/.ssh/id_dsa
 ~/.ssh/id_ecdsa
 ~/.ssh/id_ed25519
 ~/.ssh/id_rsa
         Contains the private key for authentication.  These files contain sensitive data and should be readable by the user but not accessible by others (read/write/execute).
         ssh will simply ignore a private key file if it is accessible by others.  It is possible to specify a passphrase when generating the key which will be used to encrypt the sensitive part of this file using 3DES.
tbizzle
  • Yeah, after fixing the permissions it still has the same error. I ended up just giving up and adding a Gradle build task to archive the test scripts and deploy them to an S3 bucket; then I have Chef download the latest archive and extract it. – twreid Jun 09 '14 at 16:31
  • Did you try setting restricted permissions on the parent folder `/var/chef/cache` as well? The permissions on the folder should be 700 and the permissions on the key should be 400 – tbizzle Jun 10 '14 at 17:29
  • That I did not try, but I will give it a whirl and see what happens. Thank you. – twreid Jun 11 '14 at 16:29
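The permission rule quoted from the man page, as an added example in plain Ruby (not code from the question, this answer, Chef or OpenSSH): a writer that installs a deploy key with owner-only permissions from its first byte, and a checker that reports what ssh would reject. The rejection rule mirrors OpenSSH's `sshkey_perm_ok()`: a key file owned by the calling user with any group or other permission bit set is refused with "Permissions 0NNN for '...' are too open" and ignored for authentication, while a key owned by someone else is not checked at all. Under `sudo chef-client` the file is created as root and ssh also runs as root, so the question's `mode "0755"` hits exactly that check. The parent-directory check is the hygiene the comment above recommends, not something ssh enforces. All paths and the key contents used in the test are constructed.

```ruby
require 'fileutils'

# Write a private key the way ssh expects it: owner-only from the start, in
# an owner-only directory, and swapped into place atomically so an interrupted
# run never leaves a partially written or group-readable key behind.
# (Chef equivalent: a `directory` at mode '0700' plus a `file` resource with
# mode '0600' and `sensitive true`.)
def install_private_key(path, content)
  dir = File.dirname(path)
  FileUtils.mkdir_p(dir, mode: 0700)
  tmp = File.join(dir, ".#{File.basename(path)}.#{Process.pid}.tmp")
  File.open(tmp, File::WRONLY | File::CREAT | File::EXCL, 0600) { |f| f.write(content) }
  File.chmod(0600, tmp) # independent of the process umask
  File.rename(tmp, path)
  path
end

# Report everything that would make ssh refuse or skip this identity file.
def private_key_problems(key_path, uid: Process.euid)
  return ["#{key_path}: missing"] unless File.exist?(key_path)

  problems = []
  st   = File.stat(key_path)
  mode = st.mode & 0777
  if st.uid == uid && (mode & 0077) != 0
    # ssh's own rule: owned by me and touchable by group/others => rejected.
    problems << format('%s: mode %04o is too open (want 0600 or 0400)', key_path, mode)
  elsif st.uid != uid && !File.readable?(key_path)
    # ssh skips the permission check for keys it does not own, but the file
    # still has to be readable by the user that runs git.
    problems << "#{key_path}: owned by uid #{st.uid}, not readable by uid #{uid}"
  end

  # Not enforced by ssh, but a group/other-writable directory lets another
  # local user replace the key file out from under you.
  dir   = File.dirname(key_path)
  dmode = File.stat(dir).mode & 0777
  if (dmode & 0022) != 0
    problems << format('%s: directory mode %04o is writable by group or others', dir, dmode)
  end
  problems
end
```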
0

I actually solved this problem by running the following:

GIT_SSH_COMMAND="ssh -i ~/.ssh/bitbucket_rsa"

In the Chef recipe, adding something like this:

# `rsa` is the data bag item loaded earlier in the recipe (not shown here).
# The command string must be double-quoted so that Ruby interpolates
# rsa['name'] before the shell runs the assignment.
execute 'git ssh' do
  command "GIT_SSH_COMMAND=\"ssh -i ~/.ssh/#{rsa['name']}\""
  user "centos"
end

Reference and for my whole steps can be found at my blog: http://www.sadafnoor.com/blog/simplest-way-to-write-your-chef-cookbook-that-git-clone-private-repo-using-bitbucket-deploy-key/

sadaf2605