Question

When I try to clone a repository from Bitbucket with Ansible, it seems like the task 'hangs'.

In the documentation I have found some information, but I'm not using SSH.

If the task seems to be hanging, first verify remote host is in known_hosts. SSH will prompt user to authorize the first contact with a remote host. One solution is to add StrictHostKeyChecking no in .ssh/config which will accept and authorize the connection on behalf of the user. However, if you run as a different user (such as setting sudo to True), for example, root will not look at the user .ssh/config setting.

These are the two Playbooks I've tried. They both 'hang'.

Playbook #1

- hosts: staging_mysql
  user: ec2-user
  sudo: yes

  vars_files:
    - vars/mercurial.yml

  tasks:
    - name: Mercurial credentials setup
      action: template src=templates/hgrc.j2 dest=/home/ec2-user/.hgrc

    - name: Install Mercurial
      action: yum name=hg

    - name: Setup API repository
      action: command hg clone https://bbusername@bitbucket.org/username/my-repo -r default --debug

Playbook #2

- hosts: staging_mysql
  user: ec2-user
  sudo: yes

  vars_files:
    - vars/mercurial.yml

  tasks:
    - name: Mercurial credentials setup
      action: template src=templates/hgrc.j2 dest=/home/ec2-user/.hgrc

    - name: Install Mercurial
      action: yum name=hg

    - name: Clone API repo
      hg: dest=/home/ec2-user repo=https://bbusername@bitbucket.org/username/my-repo

Any help is welcome. Thanks in advance!


Solution 5

I've managed to solve the problem. The Mercurial task 'hangs' when logging in as sudo user. After removing the line sudo: yes from both Playbooks, everything works as expected.

Working Playbook

- hosts: staging_mysql
  user: ec2-user

  vars_files:
    - vars/mercurial.yml

  tasks:
    - name: Mercurial credentials setup
      action: template src=templates/hgrc.j2 dest=/home/ec2-user/.hgrc

    - name: Install Mercurial
      action: yum name=hg

    - name: Clone API repo
      hg: dest=/home/ec2-user repo=https://bbusername@bitbucket.org/username/my-repo

OTHER TIPS

I found a better answer for those who want to clone a private repository. Bitbucket has a feature called "Deployment keys". Log in to your project, go into "Settings" and "Deployment Keys". "Add key" and then provide this key within your project deployment process, before hg:

- file: dest=/var/www/someuser/.ssh/config state=touch mode=600

- lineinfile: dest=/var/www/someuser/.ssh/config
              line="Host bitbucket.org"
              state=present

- copy: src=someuser.key dest=/var/www/someuser/.ssh/id_rsa mode=0600
- copy: src=someuser.key.pub dest=/var/www/someuser/.ssh/id_rsa.pub mode=0600


- lineinfile: dest=/var/www/someuser/.ssh/config
              line="IdentityFile ~/.ssh/id_rsa"

- lineinfile: dest=/var/www/someuser/.ssh/config
              line="    StrictHostKeyChecking no"
              insertafter="Host bitbucket.org"
              state=present

- name: install site code
  hg: repo='ssh://hg@bitbucket.org/somecode'
      dest=someuser
      revision=stable
  tags: someuser_code

I think it is easier to access BitBucket using the HTTPS protocol rather than ssh. If you are using private repositories in BitBucket, you should also use Ansible to create (or copy) a $HOME/.hgrc to your server.

Here is the content of the .hgrc file:

[auth]
bb.prefix = https://bitbucket.org/{{ user }}/
bb.username = {{ user }}
bb.password = {{ password }}

Two extra tips:

  1. Now it isn't necessary to put bbusername@ in your BitBucket urls.
  2. Create another user in BB with access to your repositories and configure it as your user in the Ansible host. If someone breaches your site, they will be able to modify the repository, but won't be able to delete it. Since everything is version controlled, you will always be able to roll back the modifications.

This solution uses ssh (so that we can use an ssh deployment key instead of storing credentials for https) and pre-populates ~/.ssh/known_hosts with the relevant entries so that hg doesn't hang on the prompt to accept the host key verification. This should also work whether or not you use sudo - as long as you populate the correct user's known_hosts file.

# copy the deploy key to ~/.ssh/id_rsa of the ansible user - we use copy here to
# simplify things but really you should use ansible vault or something similar
- name: copy deploy key
  copy: src=id_rsa_deploy dest=/home/{{ ansible_ssh_user }}/.ssh/id_rsa
    owner={{ ansible_ssh_user }} group={{ ansible_ssh_user }} mode=0600

- name: add bitbucket to deploy user's ~/.ssh/known_hosts
  lineinfile: dest=/home/{{ ansible_ssh_user }}/.ssh/known_hosts line="bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw=="

- name: 2 add bitbucket to deploy user's ~/.ssh/known_hosts
  lineinfile: dest=/home/{{ ansible_ssh_user }}/.ssh/known_hosts line="|1|w3ouhSzx3veHkFkoo/0KlzmLWiY=|dyifJ0YlWhJOElkc09kd5ZP2i6c= ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw=="

- name: 3 add bitbucket to deploy user's ~/.ssh/known_hosts
  lineinfile: dest=/home/{{ ansible_ssh_user }}/.ssh/known_hosts line="|1|/an77APTih6pDOBpi0GcQ8b5uno=|VOep3g6ll+3Xd8WdUQ/1BqtiF1A= ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw=="

- name: copy repo
  hg: repo={{ project.repo }} dest={{ project.local_repo }}
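
Added example, not part of the original answers: the `|1|...|...` lines in the tasks above are OpenSSH hashed host entries (base64 salt, then base64 HMAC-SHA1 of the hostname keyed with that salt). The sketch below checks which keys a given user's known_hosts text pins for a host, in plain or hashed form, which is how you confirm the file of the user that actually runs hg (root under sudo) was populated. Function names and the sample data are constructed for illustration; wildcard patterns and `@` marker lines are not handled.

```python
import base64
import hashlib
import hmac


def hash_host(host, salt):
    """Build an OpenSSH hashed host field: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|" + "|".join(base64.b64encode(b).decode() for b in (salt, mac))


def host_field_matches(field, host):
    """True if one known_hosts host field names `host` (plain or hashed form)."""
    if field.startswith("|1|"):
        try:
            _, _, salt_b64, mac_b64 = field.split("|")
            salt = base64.b64decode(salt_b64)
            expected = base64.b64decode(mac_b64)
        except ValueError:
            return False  # malformed hashed entry
        actual = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    # Plain form: comma-separated names; wildcard patterns are not handled here.
    return host in field.split(",")


def keys_for_host(known_hosts_text, host):
    """Return (keytype, key) pairs that a known_hosts file pins for `host`."""
    found = []
    for line in known_hosts_text.splitlines():
        parts = line.split()
        # Skip blanks, comments, and @cert-authority/@revoked marker lines.
        if len(parts) < 3 or parts[0][0] in "#@":
            continue
        if host_field_matches(parts[0], host):
            found.append((parts[1], parts[2]))
    return found


# Constructed sample: the key blobs are placeholders, not Bitbucket's real key.
SAMPLE = "\n".join([
    "# deploy user's known_hosts (constructed)",
    "bitbucket.org,bb.example ssh-rsa AAAAPLACEHOLDERKEY1",
    hash_host("bitbucket.org", b"constructed-salt-20b") + " ssh-rsa AAAAPLACEHOLDERKEY1",
    hash_host("other.example", b"another-salt-value!!") + " ssh-rsa AAAAPLACEHOLDERKEY2",
])

if __name__ == "__main__":
    print(keys_for_host(SAMPLE, "bitbucket.org"))
```

An empty result for the user the task runs as means ssh will stop at the host key prompt, which is the hang described in the question.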

How are you actually accessing the hg repository? Try leaving off the last task in your playbook and then logging in and manually trying the hg clone and see what happens. I suspect it is indeed prompting for a password.

Licensed under: CC-BY-SA with attribution