Best practices for pulling from private git repo? #11
Comments
Hey Jesse, Yup, that's pretty much what I do for my private repos. I have something like this:
You'd probably also want to encrypt the file containing the keys with Ansible Vault if you're committing them to the repo. Another option is to use a private base image with the user and Git keys already created.
Awesome, thanks. Would you mind if I submitted a pull request to make
That would be great! Perhaps add a Thanks!
Cool, sounds good. I currently am using templates to store the key file,
On Mon, Oct 27, 2014 at 12:05 PM, JC notifications@github.com wrote:
Hmm...not sure what you mean by templates. Are they basically just separate jinja files that get copied to the server (like ssl_cert.j2, ssl_key.j2, id_rsa.j2, id_rsa_pub.j2)? I like putting them in the vars_file so I only have to deal with one file that has all my secret stuff, which I then encrypt with Ansible Vault. Not sure if that's considered best practice, but I like it for its simplicity.
@jcalazan Hi, I tried your solution.
error
Any idea? Thanks
I had to do this before in order for the file to be correctly created.
@kulbir Ah, I haven't tried this with Vagrant, I've only done it with Digital Ocean, which creates a root user by default and already has a .ssh folder. @alfonsoperez's solution will probably work if that's the case. If not, add the
Hi @jcalazan Thanks for your response. I am finally able to clone the Code
But I'm not able to clone directly to
1. When I try to clone directly to
2. When I try to clone directly to
Should I copy github code each time to So what do you suggest? Thanks,
Hmm...is your Git key password protected by any chance? If it hung, I'm thinking it might be asking for a password. You can try creating another set of keys without a password and use that. The https://github.com/jcalazan/ansible-django-stack/blob/master/roles/web/tasks/setup_virtualenv.yml
Hi @jcalazan Thank you very much for your response. Yeah, my git keys were password protected. I created another set of keys without a password, and it worked. :-) Working git code.
Thank you.
Np, glad that worked! :)
So are you just copying the public/private keys to your vagrant? I'm trying to do something similar but generate the keys on the vagrant itself and push the public key to my private repo via API for read-only access.
I have a task to copy over the keys (encrypted with Ansible Vault before committing to my repo) to the destination server. If you're using Vagrant just for development, the simplest way is probably just to share your local Git directory with the VM. There's also something called "SSH agent forwarding" that lets you use your local SSH keys instead of putting them on the server, but I haven't played around with it yet: https://developer.github.com/guides/using-ssh-agent-forwarding/
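The stored-deploy-key approach described in the comment above, worked through as an added example; this is not code from ansible-django-stack or from any participant in this thread. The variable names are assumptions: `app_user`, `project_path`, `git_repo` and `git_branch` mirror the stack's own vocabulary, `git_deploy_key` is the private half of a read-only deploy key kept in a vars file encrypted with `ansible-vault`, and `git_host`/`git_host_key` are the git server and its SSH host key copied from the provider's published fingerprints rather than scanned off the network. The example also creates `~/.ssh` and the checkout's parent directory first (the missing step behind the Vagrant failure and the permission question raised elsewhere in this thread), and pins the host key so that `accept_hostkey` is not needed.

```yaml
# Added example (not from ansible-django-stack or this thread): install a
# read-only deploy key from a vault-encrypted variable and clone as the
# application user. Assumed variables (hypothetical names):
#   app_user, project_path, git_repo, git_branch
#   git_deploy_key  - private key text, kept in a vars file encrypted with
#                     `ansible-vault encrypt env_vars/vault.yml`
#   git_host        - e.g. github.com
#   git_host_key    - "<keytype> <base64>" copied from the provider's
#                     published host keys, not obtained with ssh-keyscan
- name: Ensure the app user's ~/.ssh exists (fresh images often lack it)
  file:
    path: "/home/{{ app_user }}/.ssh"
    state: directory
    owner: "{{ app_user }}"
    group: "{{ app_user }}"
    mode: "0700"

- name: Install the read-only deploy key (kept out of the play output)
  copy:
    # The trailing newline matters: OpenSSH rejects a key file without it.
    content: "{{ git_deploy_key }}\n"
    dest: "/home/{{ app_user }}/.ssh/deploy_key"
    owner: "{{ app_user }}"
    group: "{{ app_user }}"
    mode: "0600"
  no_log: true

- name: Pin the git host's key instead of trusting it on first connect
  become: true
  become_user: "{{ app_user }}"
  known_hosts:
    path: "/home/{{ app_user }}/.ssh/known_hosts"
    name: "{{ git_host }}"
    key: "{{ git_host }} {{ git_host_key }}"
    state: present

- name: Ensure the checkout's parent directory belongs to the app user
  file:
    path: "{{ project_path | dirname }}"
    state: directory
    owner: "{{ app_user }}"
    group: "{{ app_user }}"
    mode: "0755"

- name: Clone as the app user with the deploy key
  become: true
  become_user: "{{ app_user }}"
  environment:
    TMPDIR: /var/tmp   # /tmp is mounted noexec on some images (see thread)
  git:
    repo: "{{ git_repo }}"
    version: "{{ git_branch }}"
    dest: "{{ project_path }}"
    key_file: "/home/{{ app_user }}/.ssh/deploy_key"
    accept_hostkey: false   # a changed host key now fails the clone
```

With the host key pinned and `accept_hostkey` left off, a server whose key does not match the published one makes the clone fail instead of being trusted silently. The `known_hosts` module wants the key in the `hostname keytype base64` form it would have in a `known_hosts` file.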
SSH agent forwarding is the way to go. That way you won't need any extra SSH key and can simply use the one on your machine without copying it around.
I was having issues similar to what @kulbir was experiencing. I generated a key that I associated with bitbucket for accessing a private repo. I confirmed that it is not passphrase protected on the machine where I created it. Yet, when I create it on my vagrant box, it hangs up when expecting a passphrase. If I ssh in to the vagrant box and try to manually clone the repo in question, I am prompted for a passphrase. If I switch to an approach where I pass in the actual keys, vs. setting the value as variables in the base.yml file, everything works. Any ideas as to why that might be?
I have config with SSH agent forwarding, |
I don't quite understand the discussion.
I'm using this approach in my current playbook. The only thing you have to make sure is that you set
@snwflake thanks! I'm curious how you were able to overcome a couple of obstacles I had to adjust the playbook for: How did you add your repository URL to the known_hosts file, or did you have a workaround for that? Also, did you have a workaround for setting file permissions such that the non-root user can clone the repo? Currently the file permissions are set after the repo is cloned, so I had to move those up in my repo. See https://github.com/jcalazan/ansible-django-stack/pull/67/files for what I had done.
As long as it is a dedicated dev machine, running on localhost, I wouldn't mind simply setting As for the file permissions, I don't have any problems with that, since I Edit: fixed English
I have a private git repository (hosted on WebFaction). I was able to get SSH forwarding working with the following setup:

```ruby
# Vagrantfile
Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
  config.vm.box = "ubuntu/xenial64"
  config.ssh.forward_agent = true   # forward the host's ssh-agent into the VM
  # ...
end
```

In env_vars/base.yml, add the flag git_repo_private. This is just a convenience so the task added in the next step does not run if the repository is public. I don't think it has any value other than being cosmetic.

```yaml
# env_vars/base.yml
---
git_repo: ...
git_repo_private: true
...
```

In roles/web/tasks/setup_git_repo.yml, add a new task, "Add ssh agent line to sudoers", BEFORE the "Setup the Git repo" task. Note the addition of the "environment" field to set TMPDIR in the git command.

```yaml
# roles/web/tasks/setup_git_repo.yml
# Make sure the sudoers file preserves the ability to use ssh forwarding.
# That way we don't need to store a private key on the server to get
# access to the git repository. Don't forget to add the key used by the
# git repository to your ssh-agent using ssh-add on the machine where you
# run the playbooks.
#
# https://stackoverflow.com/questions/24124140/ssh-agent-forwarding-with-ansible
- name: Add ssh agent line to sudoers
  lineinfile:
    dest: /etc/sudoers
    state: present
    regexp: SSH_AUTH_SOCK
    line: Defaults env_keep += "SSH_AUTH_SOCK"
    # Run visudo on the edited copy before it replaces /etc/sudoers;
    # a syntax error in that file locks everyone out of sudo.
    validate: "visudo -cf %s"
  when: git_repo_private

# The git module calls python's tempfile.mkstemp() which uses the TMPDIR
# environment variable. However this is set to /tmp which is mounted as
# noexec. As a result the git command will fail. The solution is to set
# TMPDIR to point to some other suitable location. Here we use /var/tmp
# but any suitable location will do.
#
# https://github.com/ansible/ansible/issues/30064
# https://docs.python.org/dev/library/tempfile.html?highlight=mkstemp#tempfile.tempdir
- name: Setup the Git repo
  environment:
    TMPDIR: "/var/tmp"
  git:
    repo: "{{ git_repo }}"
    version: "{{ git_branch }}"
    dest: "{{ project_path }}"
    accept_hostkey: yes
  when: setup_git_repo is defined and setup_git_repo
  notify: restart application
  tags: git
```

I am just getting started with this project. My experience so far is this works when provisioning the Vagrant VM. The panel to unlock the key pops up on the first checkout and not in subsequent ones. I have not tried this on a droplet yet. It took quite a bit of fiddling to get the VM to first work, so what I don't know is whether 'vagrant destroy' really cleans out everything and nothing is left lying around that affects the changes above.
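The same agent-forwarding idea, generalised as an added example (not the project's code and not the commenter's) for the case raised earlier in the thread where the checkout must end up owned by a non-root user. A forwarded agent socket lives in a mode-0700 directory owned by the user you log in as (root on a droplet, vagrant in a Vagrant box), so a `become_user` other than root cannot open it; the example therefore clones as root with SSH_AUTH_SOCK kept across sudo and then hands the checkout to the application user. It pins the git host's key in the system-wide `/etc/ssh/ssh_known_hosts` instead of relying on `accept_hostkey`, and validates the sudoers edit with `visudo`. Assumed variables (hypothetical names): `app_user`, `project_path`, `git_repo`, `git_branch`, `git_host` and `git_host_key`. The controller still has to forward its agent to the target, for example with `ansible_ssh_common_args: "-o ForwardAgent=yes"` in the inventory or Vagrant's `config.ssh.forward_agent = true`, and the deploy key has to be loaded there with `ssh-add`.

```yaml
# Added example (not the project's or the commenter's code): clone over a
# forwarded ssh-agent and hand the checkout to a non-root user.
# Assumed variables (hypothetical names): app_user, project_path, git_repo,
# git_branch, git_host, git_host_key ("<keytype> <base64>" copied from the
# provider's published host keys).
# The play runs with become: true (root). The forwarded socket sits in a
# 0700 directory owned by the login user, so an unprivileged become_user
# could not reach it; root can, once sudo stops stripping SSH_AUTH_SOCK.
- name: Keep the forwarded agent socket when escalating with sudo
  lineinfile:
    dest: /etc/sudoers
    state: present
    regexp: '^Defaults\s+env_keep\s*\+=\s*"SSH_AUTH_SOCK"'
    line: 'Defaults env_keep += "SSH_AUTH_SOCK"'
    validate: "visudo -cf %s"   # never install a sudoers file visudo rejects

- name: Pin the git host's key system-wide (no accept_hostkey needed)
  known_hosts:
    path: /etc/ssh/ssh_known_hosts
    name: "{{ git_host }}"
    key: "{{ git_host }} {{ git_host_key }}"
    state: present

# Each task is a fresh sudo invocation, so the env_keep line above already
# applies here. ssh-add exits non-zero if the agent is unreachable or empty.
- name: Fail fast if no key is reachable through the forwarded agent
  command: ssh-add -l
  changed_when: false

- name: Clone with the forwarded agent (as root)
  environment:
    TMPDIR: /var/tmp   # /tmp is mounted noexec on some images (see thread)
  git:
    repo: "{{ git_repo }}"
    version: "{{ git_branch }}"
    dest: "{{ project_path }}"
    accept_hostkey: false   # a host key that does not match the pin fails

- name: Hand the checkout to the app user
  file:
    path: "{{ project_path }}"
    state: directory
    recurse: true
    owner: "{{ app_user }}"
    group: "{{ app_user }}"
```

The `ssh-add -l` task turns the "hangs waiting for a passphrase" symptom seen in this thread into an immediate, readable failure: if the controller's agent has no usable key, or the socket was not forwarded or was stripped by sudo, the play stops before git is ever run.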
Fixed via #91 |
Hi, just wondering if you have thoughts on best way to get this to work if you're pulling from a private repo. My initial thought is:
Does that sound like an ok plan?