rhand

Reputation: 1186

Ansible Task Clone Private Repo Hangs

Set up a repo to set up a Laravel server. A provisioning script using Ansible basically. The repo is called Stedding. It is based on a Digital Ocean tutorial and some code from Roots Trellis as I need PHP 7.1 packages.

Now the issue is that the private GitHub repo does not get cloned. Been reading on ssh agents, forwarding and all that. Tried sudoers and ansible.cfg setups like here. But no success yet. I prefer not to add private keys. So I tried what Geerlingguy suggested here using

Host [server-address-here] [ip-address-here]
    ForwardAgent yes

inside ~/.ssh/config. I also added:

[ssh_connection]
ssh_args=-o ForwardAgent=yes

to ansible.cfg. This is to do proper forwarding and avoid adding private SSH keys. But as /var/www/ is 0700 www-data:www-data I cannot turn off become to become sudo and get it done, as there then will not be enough permissions:

"msg": "Could not open /var/www, [Errno 13] Permission denied: '/var/www'", 
    "rc": 13

And this he mentioned was needed to make the forwarding work.

Main code snippet loading cloning task is:

  - name: create /var/www/ directory
    file: dest=/var/www/ state=directory owner=www-data group=www-data mode=0700

  - name: Clone git repository
    git:
      repo: "{{ repo_url }}"
      dest: /var/www/laravel
      version: master
      update: no
      accept_hostkey: yes
    become: yes
    become_user: www-data
    register: cloned

With the current setup it all hangs at:

TASK [Clone git repository] ****************************************************
task path: /Users/jasper/webdesign/stedding/php.yml:39
Using module file /usr/local/Cellar/ansible/2.2.1.0_2/libexec/lib/python2.7/site-packages/ansible/modules/core/source_control/git.py
<xxx.xxx.xx.xxx> ESTABLISH SSH CONNECTION FOR USER: laravel
<xxx.xxx.xx.xxx> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=laravel -o ConnectTimeout=10 -o ControlPath=/Users/jasper/.ansible/cp/ansible-ssh-%h-%p-%r 128.199.35.232 '/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo /tmp/ansible-tmp-1494744537.18-20302566024245 `" && echo ansible-tmp-1494744537.18-20302566024245="` echo /tmp/ansible-tmp-1494744537.18-20302566024245 `" ) && sleep 0'"'"''
<xxx.xxx.xx.xxx> PUT /var/folders/_4/g8fn6chn46g9v058h8k4pzpw0000gn/T/tmpO09os2 TO /tmp/ansible-tmp-1494744537.18-20302566024245/git.py
<xxx.xxx.xx.xxx> SSH: EXEC sftp -b - -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=laravel -o ConnectTimeout=10 -o ControlPath=/Users/jasper/.ansible/cp/ansible-ssh-%h-%p-%r '[xxx.xxx.xx.xxx]'
<xxx.xxx.xx.xxx> ESTABLISH SSH CONNECTION FOR USER: laravel
<xxx.xxx.xx.xxx> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=laravel -o ConnectTimeout=10 -o ControlPath=/Users/jasper/.ansible/cp/ansible-ssh-%h-%p-%r xxx.xxx.xx.xxx '/bin/sh -c '"'"'setfacl -m u:www-data:r-x /tmp/ansible-tmp-1494744537.18-20302566024245/ /tmp/ansible-tmp-1494744537.18-20302566024245/git.py && sleep 0'"'"''
<xxx.xxx.xx.xxx> ESTABLISH SSH CONNECTION FOR USER: laravel
<xxx.xxx.xx.xxx> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=laravel -o ConnectTimeout=10 -o ControlPath=/Users/jasper/.ansible/cp/ansible-ssh-%h-%p-%r -tt xxx.xxx.xx.xxx '/bin/sh -c '"'"'sudo -H -S  -p "[sudo via ansible, key=vvqwwyduilnxfbnxgpojunlavpkasofr] password: " -u www-data /bin/sh -c '"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-vvqwwyduilnxfbnxgpojunlavpkasofr; /usr/bin/python /tmp/ansible-tmp-1494744537.18-20302566024245/git.py'"'"'"'"'"'"'"'"' && sleep 0'"'"''

This also happens after I added GitHub on the server to known hosts using (Ansible suggestion):

ssh-keyscan -H github.com > /etc/ssh/ssh_known_hosts

Any idea how I can make the cloning work and keep the directory rights and permissions secure for installing the Laravel app?

Upvotes: 0

Views: 691

Answers (1)

rhand

Reputation: 1186

In the end the main issue was that I needed to set agent forwarding properly. I did it using

Host *
  ForwardAgent yes

in ~/.ssh/config. That and I decided to use root as a user to set up most playbook material. Root does not require switching to sudo. For parts like cloning I could use the user laravel as it had access to the webroot as owner and that worked as well. So no need for sudo there either.

I have not worked out switching to sudo after sudo user has been created by Ansible. Still new to this all. But progress made. And I am sure the host forwarding hint will help many.

Upvotes: 1
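
The approach from the answer as a playbook sketch (an added example, not code from the original posts): the clone runs as the connecting user without `become`, and the play checks for a forwarded agent first so it fails fast instead of hanging. The host alias `laravel-prod`, scoping `ForwardAgent` to that one host instead of `Host *`, and `/var/www/laravel` being writable by user `laravel` are assumptions.

```yaml
# Added example. Assumed ~/.ssh/config entry on the control machine, scoped to
# one host so the agent is not forwarded to every server you connect to:
#
#   Host laravel-prod
#       ForwardAgent yes
#
- hosts: laravel-prod            # assumed inventory/host alias
  remote_user: laravel
  become: no                     # sudo to www-data resets the environment (SSH_AUTH_SOCK)
                                 # and the agent socket is only readable by the login user
  gather_facts: no
  tasks:
    - name: Check that the forwarded agent exposes at least one identity
      command: ssh-add -l        # rc 0 = keys listed, 1 = agent has no keys, 2 = no agent reachable
      register: agent_keys
      changed_when: false
      failed_when: false

    - name: Fail fast instead of hanging on an SSH prompt
      fail:
        msg: "No forwarded SSH agent identity visible on the remote host (ssh-add -l rc={{ agent_keys.rc }})"
      when: agent_keys.rc != 0

    - name: Clone git repository as the connecting user
      git:
        repo: "{{ repo_url }}"
        dest: /var/www/laravel   # assumed to be writable by user laravel
        version: master
        update: no
        accept_hostkey: yes
      register: cloned
```

A forwarded agent can be used by anyone with root on the remote host for as long as the connection is open, which is why the sketch limits forwarding to the single host that needs it.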
