16

I'm trying to automate deployment of an application using Fabric.

The application code is hosted on GitHub and rolling out a new version is very straightforward - just do 'git pull' and that's it. The application is hosted on 100 servers, so I would like to automate deployment. Fabfile.py:

from fabric.api import cd, run

def deploy():
  code_path = '/home/myuser/myapp'
  # run the git commands inside the checkout on the remote host
  with cd(code_path):
    run('git pull')
    run('git submodule update --init --recursive')

The problem is, on every git command I get a prompt: Enter passphrase for key '/home/myuser/.ssh/id_rsa':

Is there a way to automatically input the passphrase? It's the same on every server and the same as sudo password

I've tried the fexpect library, but I'm wondering whether there is a better (i.e. standard) way of doing it.

CharlesB

3 Answers

13

You can also use an ssh key agent and use the agent forwarding. Always put a password on keys. GitHub has good docs on how to utilize this here.

Fabric should now also have agent forwarding ability. I've run into trouble with it in some corner cases, but gotten around them with an explicit local('ssh -A...) as a workaround until the issue is resolved.

Morgan
  • ssh-agent forwarding worked! That's brilliant. That actually solved so many other problems too. Thanks a lot! – Vladimir Minakov Sep 14 '12 at 16:11
  • "always put passwords on keys" is not as good as "don't copy private keys". Generate a new key. – Adam Dymitruk Sep 14 '12 at 18:13
  • Sure it is. I get a copy of your keys and I have access to your servers. Passworded keys make it two stage auth, regardless of the number of keys. – Morgan Sep 14 '12 at 18:24
  • See comment about agent hijacking. You have no control over that. You have some control of keeping your private keys secure. – Adam Dymitruk Sep 14 '12 at 18:41
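The agent-forwarding approach from the accepted answer, as an added example that is not part of the original answers: a small POSIX sh wrapper that refuses a loosely-permissioned deploy key, makes sure a local ssh-agent already holds the key (so the passphrase is typed once, locally, and never reaches the servers), and then runs the fabfile's deploy task with forwarding enabled. It assumes Fabric 1.x (`fab --forward-agent`, i.e. `env.forward_agent = True`), a fabfile in the current directory and `~/.ssh/id_rsa` as the key; all three are assumptions for this example.

```shell
#!/bin/sh
# deploy.sh: run `fab deploy` over ssh-agent forwarding instead of copying a
# private key (or hardcoding its passphrase) onto the 100 servers.
# Assumed for this example: Fabric 1.x, fabfile.py in the current directory.

# agent_ready SOCK: succeed only if SOCK is a live ssh-agent socket that
# already holds at least one identity, so no passphrase prompt can appear
# on the remote side during `git pull`.
agent_ready() {
  sock=$1
  [ -n "$sock" ] && [ -S "$sock" ] || return 1
  SSH_AUTH_SOCK=$sock ssh-add -l >/dev/null 2>&1
}

# key_permissions_ok KEYFILE: reject a deploy key that is group/world
# readable (ssh itself refuses such keys); only mode 400 or 600 passes.
key_permissions_ok() {
  key=$1
  [ -f "$key" ] || return 1
  # GNU stat first, BSD/macOS stat as fallback
  mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
  case $mode in
    400|600) return 0 ;;
    *) return 1 ;;
  esac
}

# deploy_with_agent [KEYFILE]: load the key into a local agent if needed,
# then run the deploy task with agent forwarding (-A == env.forward_agent).
deploy_with_agent() {
  key=${1:-$HOME/.ssh/id_rsa}
  key_permissions_ok "$key" || { echo "refusing: $key is not mode 600" >&2; return 1; }
  if ! agent_ready "$SSH_AUTH_SOCK"; then
    # Start a private agent for this run and add the key once; the
    # passphrase is entered here, locally, not on each remote host.
    eval "$(ssh-agent -s)" >/dev/null
    ssh-add "$key" || return 1
  fi
  # The remote git commands authenticate through the forwarded agent;
  # no key material is ever written to the servers.
  fab --forward-agent deploy
}
```

Source the file and call `deploy_with_agent` (optionally with a key path); the pre-flight checks fail closed, so a bad key mode or a missing agent stops the run before `fab` is invoked.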
1

Although I consider ssh-agent forwarding described in the accepted answer to be a preferable solution (if you get it working), there is an alternative to it, provided by Fabric itself:
Fabric has its own "password" settings option (i.e. the env.password entry). You can make Fabric automatically input the passphrase (and sudo password) if you set env.password (see documentation):

password

Default: None

The default password used by the SSH layer when connecting to remote hosts, and/or when answering sudo prompts.


You can set the password with either of the following options:

  • using env.password = 'PASSWORD' directly in code inside "fabfile.py",
  • on the command line as an option to the fab command, using -p PASSWORD or --password=PASSWORD (documentation).
  • As another option you can put a password=PASSWORD line in ~/.fabricrc (documentation), which gets loaded before each fab command; neither a command line option nor a code change is required if you use this option.
T.V.
-9

Don't use passphrases when making a key. Simply press enter and then again to confirm. You can also have more than one key. Some with passwords, some without.

Adam Dymitruk
  • If he's using his personal key it's best to use a password so as not to open up more than just the box he's deploying to to attack. Let alone his GitHub page. With robots I may be more inclined to agree a passwordless key is alright. – Morgan Sep 13 '12 at 23:53
  • Multiple keys should be used. You shouldn't use one key for everything. – Adam Dymitruk Sep 14 '12 at 18:15
  • That's what a .ssh/config is for. You can assign all that there and then still use agent forwarding. – Morgan Sep 14 '12 at 18:23
  • Agent forwarding is susceptible to agent hijacking. Organizations disable agent forwarding. Better to just use a different key for GitHub if you're not willing to use keys with no passwords. – Adam Dymitruk Sep 14 '12 at 18:40
  • It's susceptible if you don't trust the box's root user, where then that root user can impersonate said user. But keeping the private key on the box is just as susceptible to root (and anyone able to access the file) impersonation when it's passwordless. (from http://www.unixwiz.net/techtips/ssh-agent-forwarding.html) – Morgan Sep 14 '12 at 19:21