
I am trying to create an Ansible playbook which would be run from our dev team computers and from CI/CD servers.

One of the tasks in the playbook is to get the source code of our project from a private git repository. Because the playbook has to run from CI/CD servers we cannot use SSH forwarding.

What I came up with is to copy the necessary SSH private key to the remote host machine and then, using the key, clone the code from the private git repository.

However when trying this, the cloning task hangs. When trying to launch the command manually it asks for a passphrase for the SSH private key. SSH key uses no passphrase (blank).

Could anyone share their solution of this (probably very common) problem?

In case anyone needs, this is my current playbook:

# Make sure root's SSH directory exists before the key is written into it
- name: Create SSH directory
  file: path=/root/.ssh state=directory

# The key material is passed in through the git_ssh_key variable
- name: Copy SSH key for Git access
  copy:
    content: "{{ git_ssh_key }}"
    dest: /root/.ssh/id_rsa
    owner: root
    group: root
    mode: 0600

# Also tried this, but it also hangs
#- name: Start SSH agent and add SSH key
#  shell: eval `ssh-agent -s` && ssh-add

# Shallow clone of the private repository using the key copied above
- name: Get new source from GIT
  git:
    key_file: /root/.ssh/id_rsa
    repo: "git@gitlab.com:user/repo.git"
    dest: "{{ staging_dir }}"
    depth: 1
    accept_hostkey: yes
    clone: yes

I am using Ansible 2.3.1.0, Python version 2.7.12.

Laurynas Mališauskas
  • "*When trying to launch the command manually it asks for a passphrase for the SSH private key.*" -- how is that a programming problem? – techraf Jul 07 '17 at 12:35
  • I need a way to write a task to enter the passphrase (programming problem) or a different approach where I would not need to enter it at all (operations problem). – Laurynas Mališauskas Jul 07 '17 at 12:52
  • Use a key without a passphrase. – techraf Jul 07 '17 at 12:54
  • @techraf I did, the process still hangs. How can I debug this? – Laurynas Mališauskas Jul 07 '17 at 13:14
  • It hangs, because from your own words, even if you call "the command" manually it asks for a passphrase. Describe how you generated the key and what commands you execute on SuperUser. It is off-topic for StackOverflow. – techraf Jul 07 '17 at 13:16
  • I assume the user running the playbook is root? When running `ssh-keygen -yf ` is a passphrase required? Does the second line of `/root/.ssh/id_rsa` contain the word `ENCRYPTED`? – damienfrancois Jul 09 '17 at 13:54
  • @damien yes, I run the playbook as root user. `ssh-keygen -yf` asks for password. No, ENCRYPTED is not there. – Laurynas Mališauskas Jul 10 '17 at 14:41
  • Is the connection successful after you enter the blank passphrase? Have you tried removing the (empty) passphrase with `ssh-keygen -p` or considering generating a new key? – damienfrancois Jul 11 '17 at 06:15
  • I am willing to create a new key, what options should I use in order to create a passwordless ssh key? – Laurynas Mališauskas Jul 11 '17 at 11:34

2 Answers

Here are steps to make it work (tested with Ansible 2.3.1 and Python 2.7.10 on macOS, Ubuntu LTS):

  1. Generate a new SSH key pair without passphrase: `ssh-keygen -f my_ssh_key -N ''`.

  2. Add my_ssh_key.pub to your repository server user profile.

  3. Test with the following playbook:

---
- hosts: localhost
  gather_facts: no
  vars:
    git_ssh_public_key: "Your public ssh key"
    git_ssh_key: |
              -----BEGIN RSA PRIVATE KEY-----
              .... actual key here ....
              -----END RSA PRIVATE KEY-----
  tasks:
  # Public half of the key pair, readable by others
  - name: Copy SSH public key file
    copy:
      content: "{{ git_ssh_public_key }}"
      dest: /root/.ssh/id_rsa.pub
      mode: 0644

  # Private half, readable by the owner only
  - name: Copy SSH private key file
    copy:
      content: "{{ git_ssh_key }}"
      #src: id_rsa
      dest: /root/.ssh/id_rsa
      mode: 0600

  # Shallow clone over SSH with the key installed above
  - name: Get new source from GIT
    git:
      repo: "git@gitlab.com:user/repo.git"
      dest: "/var/www/"
      depth: 1
      accept_hostkey: yes
      clone: yes

IMPORTANT SECURITY NOTICES

If you want to use this example in real world, please do not save your private key in plaintext - use Ansible Vault.

You should also NOT use root as your ansible user. It would be more secure to create a new user without sudo permissions.

Konstantin Suvorov
  • This still does not work for me.. when trying `git fetch` it still asks for passphrase `Enter passphrase for key '/root/.ssh/id_rsa':`. Maybe there is some SSH configuration parameter which would bypass passphrase asking when it is blank? – Laurynas Mališauskas Jul 16 '17 at 15:44
  • Why `git fetch`? Check with ansible `git` module. And ensure that supplied key file is valid for your repo server. – Konstantin Suvorov Jul 16 '17 at 15:52
  • In the ansible script I am using the default command which you gave. But it hangs doing nothing. That is why I manually connected to the target machine and tested the git command which would connect to my private repo. Even if the key is generated without passphrase, it still asks to enter it (just hit enter). – Laurynas Mališauskas Jul 16 '17 at 17:07
  • Everything worked when I also copied the public key. Edited your answer and accepted it. Thanks! – Laurynas Mališauskas Jul 31 '17 at 12:40
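Pulling together the debugging thread under the question (is the key encrypted, does it parse without a passphrase) and the security notes in this answer (Vault, no root), here is an added example playbook. It is mine, not code from the question or from Konstantin's answer. It assumes a non-root user named deploy already exists on the target, that the private key is stored in a Vault-encrypted variable git_deploy_key, and that gitlab_host_key holds the server's SSH host key obtained out of band; the repository URL is the one from the question. Two things make a bad key fail the play instead of hanging it: `ssh-keygen -y -P ''` checks that the key parses with an empty passphrase, and `BatchMode=yes` in ssh_opts makes ssh exit with an error rather than prompt.

```yaml
---
# Added example, not from the question or the accepted answer.
# Assumptions: user "deploy" exists on the target, git_deploy_key is a
# Vault-encrypted variable, gitlab_host_key was fetched out of band.
- hosts: build_servers
  remote_user: deploy        # connect as the unprivileged user, no root, no sudo
  become: no
  gather_facts: no
  vars:
    deploy_home: /home/deploy
    key_path: "{{ deploy_home }}/.ssh/git_deploy_key"
    # Created with: ansible-vault encrypt_string --name git_deploy_key < key_file
    git_deploy_key: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          ...vault ciphertext placeholder...
    # Full known_hosts line for the server, obtained out of band (placeholder)
    gitlab_host_key: "gitlab.com ssh-ed25519 AAAA...host-key-placeholder..."
  tasks:
    - name: Ensure ~/.ssh exists with strict permissions
      file:
        path: "{{ deploy_home }}/.ssh"
        state: directory
        mode: '0700'

    - name: Install the private deploy key (decrypted from Vault at run time)
      copy:
        content: "{{ git_deploy_key }}"
        dest: "{{ key_path }}"
        mode: '0600'
      no_log: yes              # keep key material out of the play output

    - name: Pin the repository server host key instead of trusting it on first use
      known_hosts:
        name: gitlab.com
        key: "{{ gitlab_host_key }}"
        path: "{{ deploy_home }}/.ssh/known_hosts"
        state: present

    - name: Fail early if the key is encrypted or malformed (would otherwise prompt and hang)
      command: "ssh-keygen -y -P '' -f {{ key_path }}"
      register: key_check
      changed_when: false
      no_log: yes              # the command prints the public key; nothing secret, but keep output quiet

    - name: Clone with BatchMode so ssh errors out instead of asking for a passphrase
      git:
        repo: git@gitlab.com:user/repo.git
        dest: "{{ deploy_home }}/src/repo"
        key_file: "{{ key_path }}"
        ssh_opts: "-o BatchMode=yes -o IdentitiesOnly=yes -o ConnectTimeout=15"
        depth: 1
        accept_hostkey: no     # the known_hosts task above already pinned the key
```

With the host key pinned by the known_hosts task, `accept_hostkey: yes` (which trusts whatever key the server presents on first contact) is no longer needed, and an unexpected host key makes the clone fail rather than silently proceed. `IdentitiesOnly=yes` stops ssh from offering any other keys on the machine before the deploy key, which is also what the second answer's core.sshCommand trick achieves with an explicit `-i`.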

I guess the problem is that for the automated task, git is not using an SSH key. I've read (by looking around for a couple of minutes) that with git 2.10, you can provide ssh stuff to pass when calling git.... so I guess you could try something like:

git -c core.sshCommand='ssh -i /path/to/private/key' fetch origin

Or whatever other command you would like to use. You could also fix it in configuration:

git config core.sshCommand 'ssh -i /path/to/private/key'

Anyway, hope that helps a little bit.

Specify private SSH-key to use when executing shell command with or without Ruby?

eftshift0