Question

Hello, I am having issues getting Chef to check out my git repo using an SSH key from my data_bag.

Below is my git resource:

repo_key = search(:git, "id:git_key").first
git_key_file = "#{Chef::Config['file_cache_path']}/git_key/id_rsa"

directory "#{Chef::Config['file_cache_path']}/git_key" do
    action :create
end

file git_key_file do
    content repo_key['deploy_key']
    mode "0755"
    action :create_if_missing
end

git "/usr/share/my_repo" do
    repository "git@github.com:my_name/some_repo.git"
    checkout_branch "#{node["my_app"][:test_branch]}"
    action :sync
    ssh_wrapper "ssh -i #{git_key_file}"
end

When I run sudo chef-client, I get the error below:

STDERR: error: cannot run ssh -i /var/chef/cache/git_key/id_rsa: No such file or directory

I have ssh'ed into the server and I can verify that the key file is in the proper place and contains the key.


Solution

While your private-key file may be in the right place, my [limited] understanding is that the GIT_SSH variable must be the path to an executable script rather than a command itself.

Thankfully, there is a much easier way to set up Git to use a particular SSH key per repository that doesn't rely on setting environment variables or creating new scripts. The general process is described in this SuperUser answer, which is to specify the custom SSH command as an "external transport" in the repository location. Here is how I use the method in a Chef recipe:

# Add a deployment key to the node from chef-vault, e.g. at 
#    /path/to/some_repo_deployment_key
#    /path/to/some_repo_deployment_key.pub

git "/usr/share/my_repo" do
  # The following line ensures that our repo-specific deployment 
  # ssh-key will be used for all clone & fetch operations.
  repository "ext::ssh -i /path/to/some_repo_deployment_key -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no git@github.com %S /my_name/some_repo.git"
  checkout_branch "master"
  action :sync
end

After the repository has been cloned, git fetch and git push operations from within the working directory will use the same key, making further automation more independent of environmental setup than some of the other techniques which rely on ssh's key-discovery mechanisms.

OTHER TIPS

It seems like you found the answer to this (permissions that were too open), but here is the relevant info from my ssh man page:

    ...
    ~/.ssh/identity
    ~/.ssh/id_dsa
    ~/.ssh/id_ecdsa
    ~/.ssh/id_ed25519
    ~/.ssh/id_rsa
            Contains the private key for authentication.  These files contain sensitive data and should be readable by the user but not accessible by others (read/write/execute).
            ssh will simply ignore a private key file if it is accessible by others.  It is possible to specify a passphrase when generating the key which will be used to encrypt the sensitive part of this file using 3DES.
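As an added example (not code from either answer above), a small Ruby helper that demonstrates the three points these answers make: the permission check ssh applies to a private key before it will use it, the wrapper script that GIT_SSH / ssh_wrapper actually needs, and the ext:: repository string from the accepted answer, built with host-key checking kept on and a pinned known_hosts file instead of StrictHostKeyChecking=no. The DeployKey module and its method names are assumed names for this example, and the key and known_hosts paths are constructed placeholders.

```ruby
require "shellwords"
require "tmpdir"

# Helpers for a Chef recipe that clones with a per-repository deploy key.
# DeployKey and its methods are names constructed for this example; they are
# not part of Chef or of the answers above.
module DeployKey
  # ssh ignores a private key that is readable, writable or executable by
  # group or others (see the ssh(1) excerpt above): 0755 fails, 0600 works.
  def self.key_permissions_ok?(path)
    return false unless File.file?(path)
    mode = File.stat(path).mode & 0o777
    (mode & 0o077).zero?
  end

  # GIT_SSH must name an executable, not a command line, so "ssh -i key"
  # has to be wrapped in a script such as this one (install it mode 0700).
  def self.ssh_wrapper_script(key_path)
    "#!/bin/sh\nexec ssh -i #{Shellwords.escape(key_path)} \"$@\"\n"
  end

  # Build the "ext::" repository string used in the accepted answer. Unlike
  # that answer, host-key checking stays on and a known_hosts file that was
  # pinned in advance is used, so the clone fails instead of silently
  # talking to a server presenting an unexpected host key.
  # ext:: splits its command on spaces, so paths must not contain spaces.
  def self.ext_repository(key_path, host, repo_path, known_hosts:)
    "ext::ssh -i #{key_path} -o UserKnownHostsFile=#{known_hosts} " \
      "-o StrictHostKeyChecking=yes git@#{host} %S #{repo_path}"
  end
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    key = File.join(dir, "id_rsa")
    File.write(key, "constructed placeholder, not a real key\n")
    File.chmod(0o755, key)
    puts "0755 accepted: #{DeployKey.key_permissions_ok?(key)}" # false
    File.chmod(0o600, key)
    puts "0600 accepted: #{DeployKey.key_permissions_ok?(key)}" # true
    puts DeployKey.ext_repository(key, "github.com", "/my_name/some_repo.git",
                                  known_hosts: "/etc/ssh/github_known_hosts")
  end
end
```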

I actually solved this problem by running the following:

GIT_SSH_COMMAND="ssh -i ~/.ssh/bitbucket_rsa"

In the Chef recipe, adding something like this:

# `rsa` is assumed to be a data bag item loaded earlier in the recipe (as
# repo_key is in the question); rsa['name'] is the key file under ~/.ssh
# of the "centos" user. Double quotes are required so that #{rsa['name']}
# is interpolated (a single-quoted Ruby string leaves it literal), and the
# GIT_SSH_COMMAND assignment only applies to the git command run on the
# same shell line, so the clone has to be part of that command.
execute 'git ssh' do
  command "GIT_SSH_COMMAND=\"ssh -i ~/.ssh/#{rsa['name']}\" git clone git@github.com:my_name/some_repo.git /usr/share/my_repo"
  user "centos"
  not_if { ::File.directory?("/usr/share/my_repo/.git") }
end

The reference and my complete steps can be found on my blog: http://www.sadafnoor.com/blog/simplest-way-to-write-your-chef-cookbook-that-git-clone-private-repo-using-bitbucket-deploy-key/

Licensed under: CC-BY-SA with attribution