SSH agent forwarding with Capistrano 3 not working when deploying Rails app

Question

I have the following setup in my deploy.rb

set :application, 'sample_app'
set :repo_url, 'user@123.45.67.100:/home/user/railsapps/sample_app'
set :deploy_to, '/var/www/sample_app'
set :user, "user"
set :ssh_options, { :forward_agent => true }

and my deploy/production.rb file:

set :stage, :production
server '123.45.67.200', user: 'user', roles: %w{app db web}

I get the following error when I run cap production deploy:check

DEBUG [] ssh: connect to host 123.45.67.100 port 22: Connection timed out
DEBUG [] fatal: Could not read from remote repository.
Please make sure you have the correct access rights and the repository exists.
(Backtrace restricted to imported tasks)
cap aborted!
SSHKit::Runner::ExecuteError: Exception while executing as user@123.45.67.200: git exit status: 128
git stdout: Nothing written
git stderr: ssh: connect to host 123.45.67.200 port 22: Connection timed out
fatal: Could not read from remote repository.
Please make sure you have the correct access rights and the repository exists.

In one of the lines, I see that it tries to access the repository as user@123.45.67.200, which is the deployment user for the production server:

INFO [] Running /usr/bin/env git ls-remote --heads user@123.45.67.100:/home/user/railsapps/sample_app as user@123.45.67.200

Shouldn't it be saying that it's connecting as the local user with the local ssh keys? Is Capistrano logging into the production server and then pulling code from the repository? If it is, is there a way to make it push code from the repository to the production server?

Answer 1

It appears that your Git URL is not valid. You can test this by connecting to the remote system (user@123.45.67.200) and try to hit the remote Git repo with a simple git ls-remote --heads which will prove connectivity.

git ls-remote --heads user@123.45.67.100:/home/user/railsapps/sample_app

I suspect that you might need .git appended to your URL (user@123.45.67.100:/home/user/railsapps/sample_app.git) but that really depends on how you have your remote repo set up.

Git does use SSH to connect but it doesn't explicitly show that in the Capistrano output. All you will see are the explicit git commands.

Alternatively, if you are expecting to use agent forwarding then you might be experiencing an issue with your ssh forwarding config, either local or remote. You can test that by checking your local machine then connecting to a remote machine and seeing if your identity was forwarded. You would do that like this:

local-host$ ssh-add -l
local-host$ ssh user@remote-host
remote-host$ ssh-add -l

If you see output like:

Error connecting to agent: No such file or directory

or:

Could not open a connection to your authentication agent.

or:

The agent has no identities.

Then you need to sort out that issue before Capistrano will work as expected.

You can checkout this write up "Using ssh-agent with ssh" to help with SSH config.

Answer 2

Capistrano will log into the server, and then from the server pull down the code from your VCS.

There are usually two ways of authenticating this:

1. ssh-agent forwarding which will give the remote session access to your developer key, or
2. deploy keys which will give the server user's key access to your code.

The second half of this documentation page describes the way Git works with Capistrano: http://capistranorb.com/documentation/getting-started/cold-start/

From the errors you have posted, you probably need to set up one or the other of the above options.