Chef deploy_resource private repo, keys for deploying ssh and ssh_wrapper

I'm having trouble getting my Chef recipe to clone a private repo. Well, yesterday it worked for me, but after "Cheffin" my stray box half a dozen times, I broke it. I am, as you might imagine, a beginner with Chef.

Following the deployment_resource guide, I created my deploy.rb recipe (shortened):

    deploy_branch "/var/www/html/ps" do
      repo "git@github.com:simonmorley/private-v2.git"
      ssh_wrapper "/tmp/.ssh/chef_ssh_deploy_wrapper.sh"
      branch "rails4"
      migrate false
      environment "RAILS_ENV" => node[:ps][:rails_env]
      purge_before_symlink %w{conf data log tmp public/system public/assets}
      create_dirs_before_symlink []
      symlinks( # the arrow is sort of reversed:
        "conf" => "conf", # current/conf -> shared/conf
        "data" => "data", # current/data -> shared/data
        "log" => "log", # current/log -> shared/log
        "tmp" => "tmp", # current/tmp -> shared/tmp
        "system" => "public/system", # current/public/system -> shared/system
        "assets" => "public/assets" # current/public/assets -> shared/assets
      )
      scm_provider Chef::Provider::Git # is the default, for svn: Chef::Provider::Subversion
      notifies :restart, "service[ps]"
      notifies :restart, "service[nginx]"
    end

In the default settings, I have the following to create dirs, etc.

    directory "/tmp/.ssh" do
      action :create
      owner node[:base][:username]
      group node[:base][:username]
      recursive true
    end

    template "/tmp/.ssh/chef_ssh_deploy_wrapper.sh" do
      source "chef_ssh_deploy_wrapper.sh.erb"
      owner node[:base][:username]
      mode 0770
    end

    # Put SSH private key to be used with SSH wrapper
    template "/tmp/.ssh/id_deploy" do
      source "id_rsa.pub.erb"
      owner node[:base][:username]
      mode 0600
    end

And in a wrapper:

    #!/bin/sh
    exec ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i "/tmp/.ssh/id_deploy" "$@"

And I created a public key and uploaded it to github.

When I run the recipe, it gives me an error:

  deploy_branch[/var/www/html/ps] action deployEnter passphrase for key '/tmp/.ssh/id_deploy': 

Obvs I do not have a set of passwords ... Therefore, the private key should be absent.

Just by chance, I deleted the id_deploy key from the recipe, deleted the folders, and started it again. Lo and behold, it started working ... The reason is that the id_rsa.pub && id_rsa files were in /root/.ssh from when I manually generated them for testing.

I do not understand what I'm doing wrong here. So my questions are:

  • Do I need a private and public key for each node I deploy to? The documentation does not mention this.
  • Should it not be deployed as a non-root user? I installed the user in my roles file.
  • Why is ssh_wrapper not doing what it should?
+7
2 answers

It took several days to get it right.

Just to clarify, this is what I did to fix it. I don't know if this is correct, but it works for me.

  • Create a set of public and private keys in accordance with this guide.

  • Add the public key to the Github repository that you want to clone.

  • Create a template in my default recipe that includes both public and private keys. See below.

  • Corresponding templates for the pub and private keys have been created.

  • Created chef_ssh_deploy_wrapper.sh.erb file (see below)

  • The deploy.rb recipe was created (see below)

  • Loaded and added recipes to my role. Ran chef-client.

  • Hey presto! Sit back with a beer and watch your repo get cleverly cloned into your directory.

The patterns are as follows:

Create directories and templates:

    template "/tmp/.ssh/chef_ssh_deploy_wrapper.sh" do
      source "chef_ssh_deploy_wrapper.sh.erb"
      owner node[:base][:username]
      mode 0770
    end

    template "/home/#{node[:base][:username]}/.ssh/id_rsa.pub" do
      source "id_rsa.pub.erb"
      owner node[:base][:username]
      mode 0600
    end

    template "/home/#{node[:base][:username]}/.ssh/id_rsa" do
      source "id_rsa.erb"
      owner node[:base][:username]
      mode 0600
    end

Create ssh wrapper chef_ssh_deploy_wrapper.erb

    #!/bin/sh
    # The user name is filled in by ERB when Chef renders this template.
    exec ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i "/home/<%= node[:base][:username] %>/.ssh/id_rsa" "$@"

(Make sure you use the private key here or it does not work)

Finally, the deploy.rb recipe:

    deploy_branch node[:my_app][:deploy_to] do
      repo node[:base][:repository]
      ssh_wrapper "/tmp/.ssh/chef_ssh_deploy_wrapper.sh"
      branch "rails4"
      user node[:base][:username]
      group node[:base][:username]
      rollback_on_error true
      migrate false
      environment "RAILS_ENV" => node[:my_app][:environment]
      purge_before_symlink %w{conf data log tmp public/system public/assets}
      create_dirs_before_symlink []
      symlinks(
        "config" => "config",
        "data" => "data",
        "log" => "log",
        "tmp" => "tmp",
        "system" => "public/system",
        "assets" => "public/assets"
      )
      scm_provider Chef::Provider::Git # is the default, for svn: Chef::Provider::Subversion
      before_restart do
        system("su #{node[:base][:username]} -c 'cd #{node[:my_app][:deploy_to]}/current && /usr/bin/bundle install'") or raise "bundle install failed"
        system("su #{node[:base][:username]} -c 'RAILS_ENV=production /usr/local/bin/rake assets:precompile'")
      end
      notifies :restart, "service[my_app]"
      notifies :restart, "service[nginx]"
    end

Since then, the reboot has been replaced, since we originally compiled ruby from the source code, but decided to use rvm in the end. Much easier for multi-user installations.

NB: I am deploying as a sudo user, if you are doing this as root (avoid this), use the /root/.ssh path instead.

I got a lot of inspiration from this article.

Good luck, I hope this helps someone.

+18
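
A pre-flight check for the mix-up in this thread: the question's recipe renders id_rsa.pub.erb to the path handed to `ssh -i`, and the answer above stresses that the wrapper must point at the private key. This is an added example, not code from the posts; `classify_ssh_key`, `read_ssh_string` and `sample_openssh_key` are hypothetical helper names, and the sample keys are constructed headers without key material.

```ruby
# Added example: classify what ssh will find at an "-i" path.

# Read one length-prefixed string (uint32 big-endian length, then bytes).
def read_ssh_string(buf)
  raise ArgumentError, "truncated key blob" if buf.bytesize < 4
  len = buf.unpack1("N")
  raise ArgumentError, "truncated key blob" if buf.bytesize < 4 + len
  buf.byteslice(4, len)
end

# Returns :public_key, :private_unencrypted, :private_encrypted or :unknown.
def classify_ssh_key(text)
  text = text.strip
  return :public_key if text.match?(/\A(ssh-(rsa|dss|ed25519)|ecdsa-sha2-\S+)\s+[A-Za-z0-9+\/=]+/)

  m = text.match(/-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----/m)
  return :unknown unless m
  label, body = m[1], m[2]

  case label
  when "OPENSSH PRIVATE KEY"
    # New-style container: magic, then the cipher name ("none" = no passphrase).
    blob = body.unpack1("m")
    magic = "openssh-key-v1\0".b
    return :unknown unless blob.start_with?(magic)
    cipher = read_ssh_string(blob.byteslice(magic.bytesize, blob.bytesize))
    cipher == "none" ? :private_unencrypted : :private_encrypted
  when "ENCRYPTED PRIVATE KEY"
    :private_encrypted
  when "RSA PRIVATE KEY", "DSA PRIVATE KEY", "EC PRIVATE KEY"
    # Legacy PEM marks passphrase protection in a header line.
    body.include?("Proc-Type: 4,ENCRYPTED") ? :private_encrypted : :private_unencrypted
  when "PRIVATE KEY"
    :private_unencrypted
  else
    :unknown
  end
rescue ArgumentError
  :unknown
end

# Constructed sample: only the container header, no real key material.
def sample_openssh_key(cipher)
  blob = "openssh-key-v1\0".b + [cipher.bytesize].pack("N") + cipher.b
  "-----BEGIN OPENSSH PRIVATE KEY-----\n#{[blob].pack('m')}-----END OPENSSH PRIVATE KEY-----\n"
end
```

Only `:private_unencrypted` is usable for an unattended deploy; a recipe could raise on any other result before the deploy resource runs.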

Your question has no reference to the deploy_resource source, so I can't be sure that this is applicable, but if it uses the git resource below, the following may be useful:

As described in this answer to a similar question, you can avoid creating additional script files for each SSH key by adding the SSH command as the "external transport" part of the repository URL:

    git "/path/to/destination" do
      repository "ext::ssh -i /path/to/.ssh/deployment_key -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no git@github.com %S /my_name/some_repo.git"
      branch "master"
      ...
    end
+1
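
The wrappers in the question and the first answer, and the ext:: URL above, all pass StrictHostKeyChecking=no with UserKnownHostsFile=/dev/null, which turns off verification of the Git server's host key, and none sets BatchMode, so ssh can stop at a prompt as it did in the question. The added example below (not code from the posts) flags those settings; `audit_ssh_command` is a hypothetical name, and the hardened line is a constructed variant that assumes GitHub's host key is already pinned in /etc/ssh/ssh_known_hosts.

```ruby
require "shellwords"

# Option values that disable SSH host authentication (names compared in lower case).
WEAK_OPTIONS = {
  "stricthostkeychecking" => ->(v) { %w[no off].include?(v.downcase) },
  "userknownhostsfile"    => ->(v) { v == "/dev/null" },
}.freeze

# Returns findings for the ssh command line(s) in a wrapper script
# or in a git "ext::ssh ..." repository URL.
def audit_ssh_command(text)
  findings = []
  text.each_line do |line|
    line = line.strip.sub(/\Aext::/, "")
    next if line.empty? || line.start_with?("#")
    words = Shellwords.split(line)
    words.shift if words.first == "exec"
    next unless words.first == "ssh"

    # Collect "-o Key=Value" pairs.
    opts = {}
    words.each_cons(2) do |flag, arg|
      next unless flag == "-o"
      key, value = arg.split(/\s*=\s*|\s+/, 2)
      opts[key.downcase] = value.to_s
    end

    WEAK_OPTIONS.each do |name, weak|
      next unless opts.key?(name) && weak.call(opts[name])
      findings << "#{name}=#{opts[name]} disables host key verification"
    end
    unless opts["batchmode"].to_s.downcase == "yes"
      findings << "BatchMode=yes not set: ssh may block on a passphrase prompt"
    end
  end
  findings
end

# The question's wrapper line and the second answer's URL (both from the page).
PAGE_WRAPPER = %q(exec ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i "/tmp/.ssh/id_deploy" "$@")
PAGE_EXT_URL = "ext::ssh -i /path/to/.ssh/deployment_key -o UserKnownHostsFile=/dev/null " \
               "-o StrictHostKeyChecking=no git@github.com %S /my_name/some_repo.git"
# Constructed hardened variant; key path and known_hosts location are assumptions.
HARDENED_WRAPPER = %q(exec ssh -o BatchMode=yes -o IdentitiesOnly=yes -o StrictHostKeyChecking=yes ) +
                   %q(-o UserKnownHostsFile=/etc/ssh/ssh_known_hosts -i "/home/deploy/.ssh/id_rsa" "$@")

if __FILE__ == $PROGRAM_NAME
  [PAGE_WRAPPER, PAGE_EXT_URL, HARDENED_WRAPPER].each { |c| puts audit_ssh_command(c).inspect }
end
```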