Checkout git repo with chef with ssh key

Hi, I am having trouble getting Chef to check out my git repository using the SSH key from my data_bag.

Below is my git resource:

    repo_key = search(:git, "id:git_key").first

    git_key_file = "#{Chef::Config['file_cache_path']}/git_key/id_rsa"

    directory "#{Chef::Config['file_cache_path']}/git_key" do
      action :create
    end

    file git_key_file do
      content repo_key['deploy_key']
      mode "0755"
      action :create_if_missing
    end

    git "/usr/share/my_repo" do
      repository "git@github.com:my_name/some_repo.git"
      checkout_branch "#{node["my_app"][:test_branch]}"
      action :sync
      ssh_wrapper "ssh -i #{git_key_file}"
    end

When I run: sudo chef-client I get the following error:

    STDERR: error: cannot run ssh -i /var/chef/cache/git_key/id_rsa: No such file or directory

I have ssh'ed into the server, and I can verify that the key file is in the right place and contains the key.

+2
git ssh chef
3 answers

Although your private key file may be in the right place, my [limited] understanding is that the GIT_SSH variable should be set to an executable script, not the command itself.

Fortunately, there is a much simpler way to configure Git to use a specific SSH key for each repository that does not rely on setting environment variables or creating new scripts. The general process is described in this SuperUser answer, which is to specify the SSH user command as an "external transport" in the repository location. Here's how I use the method in a Chef recipe:

    # Add a deployment key to the node from chef-vault, eg at
    # /path/to/some_repo_deployment_key
    # /path/to/some_repo_deployment_key.pub

    git "/usr/share/my_repo" do
      # The following line ensures that our repo-specific deployment
      # ssh-key will be used for all clone & fetch operations.
      repository "ext::ssh -i /path/to/some_repo_deployment_key -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no git@github.com %S /my_name/some_repo.git"
      checkout_branch "master"
      action :sync
    end

After cloning the repository, git fetch and git push operations from the working directory will use the same key, making further automation more independent of the environment settings than some other methods that rely on ssh key detection mechanisms.

+6

You seem to have found the answer to this question (permissions are too open), but here is the relevant information from my ssh man page:

    ...
    ~/.ssh/identity
    ~/.ssh/id_dsa
    ~/.ssh/id_ecdsa
    ~/.ssh/id_ed25519
    ~/.ssh/id_rsa
        Contains the private key for authentication. These files
        contain sensitive data and should be readable by the user but
        not accessible by others (read/write/execute). ssh will simply
        ignore a private key file if it is accessible by others. It is
        possible to specify a passphrase when generating the key which
        will be used to encrypt the sensitive part of this file using
        3DES.
+1
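The two failures discussed in this thread (a command string given where git expects an executable, and a private key that others can access), as an added example in plain Ruby; it is not code from any of the posters and it does not use Chef resources. The helper names, the wrapper file name and the pinned `known_hosts` path are assumptions, and the key material is a constructed placeholder.

```ruby
require "fileutils"
require "shellwords"
require "tmpdir"

# Write the deploy key owner-only; ssh ignores a key that others can access.
def write_deploy_key(dir, key_material)
  FileUtils.mkdir_p(dir, mode: 0o700)
  path = File.join(dir, "id_rsa")
  File.open(path, File::WRONLY | File::CREAT | File::TRUNC, 0o600) { |f| f.write(key_material) }
  File.chmod(0o600, path) # also tightens a file that already existed
  path
end

# git runs the GIT_SSH / ssh_wrapper value as a program path, so the ssh
# options have to live inside an executable script (file name is an assumption).
def write_ssh_wrapper(dir, key_path, known_hosts)
  path = File.join(dir, "git_ssh_wrapper.sh")
  File.write(path, <<~SH)
    #!/bin/sh
    exec ssh -i #{key_path.shellescape} -o IdentitiesOnly=yes \\
      -o UserKnownHostsFile=#{known_hosts.shellescape} -o StrictHostKeyChecking=yes "$@"
  SH
  File.chmod(0o700, path)
  path
end

# Returns the reasons git or ssh would reject this wrapper/key pair.
def preflight(ssh_wrapper, key_path)
  problems = []
  unless File.file?(ssh_wrapper) && File.executable?(ssh_wrapper)
    problems << "ssh_wrapper is not an executable file: #{ssh_wrapper.inspect}"
  end
  mode = File.stat(key_path).mode & 0o777
  problems << format("key mode %04o is accessible by others", mode) if mode & 0o077 != 0
  problems
end

# Constructed demo: the question's layout first, then the corrected one.
def demo
  Dir.mktmpdir do |dir|
    bad_key = File.join(dir, "bad_id_rsa")
    File.write(bad_key, "CONSTRUCTED-PLACEHOLDER-KEY\n")
    File.chmod(0o755, bad_key)
    broken = preflight("ssh -i #{bad_key}", bad_key)
    key = write_deploy_key(File.join(dir, "git_key"), "CONSTRUCTED-PLACEHOLDER-KEY\n")
    wrapper = write_ssh_wrapper(dir, key, File.join(dir, "known_hosts"))
    [broken, preflight(wrapper, key)]
  end
end
```

In a recipe, the path returned by `write_ssh_wrapper` corresponds to the value that `ssh_wrapper` should receive, and the `known_hosts` file is assumed to be provisioned with the Git host's public key beforehand.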

I really solved this problem by running the following command:

    GIT_SSH_COMMAND="ssh -i ~/.ssh/bitbucket_rsa"

Something like this has been added to the Chef recipe:

    execute 'git ssh' do
      # Double quotes so that #{rsa['name']} is interpolated by Ruby
      command "GIT_SSH_COMMAND=\"ssh -i ~/.ssh/#{rsa['name']}\""
      user "centos"
    end

The link and all my steps can be found on my blog: http://www.sadafnoor.com/blog/simplest-way-to-write-your-chef-cookbook-that-git-clone-private-repo-using-bitbucket-deploy-key/

0
