I am trying to create an Ansible playbook which would be run from our dev team computers and from CI/CD servers.
One of the tasks in the playbook is to get the source code of our project from a private git repository. Because the playbook has to run from CI/CD servers, we cannot use SSH forwarding.
What I came up with is to copy the necessary SSH private key to the remote host machine and then, using the key, clone the code from the private git repository.
However, when trying this, the cloning task hangs. When trying to launch the command manually, it asks for a passphrase for the SSH private key. The SSH key uses no passphrase (blank).
Could anyone share their solution to this (probably very common) problem?
In case anyone needs it, this is my current playbook:
    - name: Create SSH directory
      file: path=/root/.ssh state=directory
    - name: Copy SSH key for Git access
      copy:
        content: "{{ git_ssh_key }}"
        dest: /root/.ssh/id_rsa
        owner: root
        group: root
        mode: 0600
    # Also tried this, but it also hangs
    #- name: Start SSH agent and add SSH key
    #  shell: eval `ssh-agent -s` && ssh-add
    - name: Get new source from GIT
      git:
        key_file: /root/.ssh/id_rsa
        repo: "[email protected]:user/repo.git"
        dest: "{{ staging_dir }}"
        depth: 1
        accept_hostkey: yes
        clone: yes
I am using ansible 2.3.1.0, python version = 2.7.12
Here are steps to make it work (tested with Ansible 2.3.1 and Python 2.7.10 on MacOS, Ubuntu LTS):
1. Generate new SSH key pair without passphrase: ssh-keygen -f my_ssh_key -N ''
2. Add my_ssh_key.pub to your repository server user profile
3. Test with the following playbook:
    ---
    - hosts: localhost
      gather_facts: no
      vars:
        git_ssh_public_key: "Your public ssh key"
        git_ssh_key: |
          -----BEGIN RSA PRIVATE KEY-----
          .... actual key here ....
          -----END RSA PRIVATE KEY-----
      tasks:
        - name: Copy SSH public key file
          copy:
            content: "{{ git_ssh_public_key }}"
            dest: /root/.ssh/id_rsa.pub
            mode: 0644
        - name: Copy SSH private key file
          copy:
            content: "{{ git_ssh_key }}"
            #src: id_rsa
            dest: /root/.ssh/id_rsa
            mode: 0600
        - name: Get new source from GIT
          git:
            repo: "[email protected]:user/repo.git"
            dest: "/var/www/"
            depth: 1
            accept_hostkey: yes
            clone: yes
IMPORTANT SECURITY NOTICES
If you want to use this example in the real world, please do not save your private key in plaintext - use Ansible Vault.
You should also NOT use root as your ansible user. It would be more secure to create a new user without sudo permissions.
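
A hardened variant of the playbook that applies the two security notices above; this is an added example, not part of the original answer. It goes further by pinning the Git server's host key instead of using accept_hostkey and by deleting the deploy key after the clone. The deploy user name, git.example.com, the host key string and vault.yml are assumed placeholders.

```yaml
---
# Added example. vault.yml is an assumed file, encrypted with
# `ansible-vault encrypt vault.yml`, that defines git_ssh_key (the private key).
- hosts: all
  become: yes
  vars_files:
    - vault.yml
  vars:
    deploy_user: deploy                              # assumed unprivileged account
    deploy_home: "/home/{{ deploy_user }}"
    git_repo: "git@git.example.com:user/repo.git"    # placeholder repository URL
    git_host: git.example.com                        # placeholder Git server
    git_host_key: "git.example.com ssh-ed25519 AAAA...PLACEHOLDER"  # obtained out of band
  tasks:
    - name: Create unprivileged deploy user (no sudo rights)
      user:
        name: "{{ deploy_user }}"
    - name: Create SSH directory
      file:
        path: "{{ deploy_home }}/.ssh"
        state: directory
        owner: "{{ deploy_user }}"
        mode: "0700"
    - name: Pin the Git server host key instead of accepting it blindly
      known_hosts:
        name: "{{ git_host }}"
        key: "{{ git_host_key }}"
        path: "{{ deploy_home }}/.ssh/known_hosts"
      become_user: "{{ deploy_user }}"
    - block:
        - name: Install deploy key from the vaulted variable
          copy:
            content: "{{ git_ssh_key }}"
            dest: "{{ deploy_home }}/.ssh/deploy_key"
            owner: "{{ deploy_user }}"
            mode: "0600"
          no_log: true          # keep key material out of task output and logs
        - name: Get new source from Git
          git:
            repo: "{{ git_repo }}"
            dest: "{{ deploy_home }}/staging"
            depth: 1
            key_file: "{{ deploy_home }}/.ssh/deploy_key"
          become_user: "{{ deploy_user }}"
      always:
        - name: Remove deploy key from the host, even if the clone failed
          file:
            path: "{{ deploy_home }}/.ssh/deploy_key"
            state: absent
```

Run it with ansible-playbook and --ask-vault-pass so the vault password is supplied at run time rather than stored next to the playbook.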