Note: this page is taken from a Chinese/English side-by-side translation of a popular StackOverflow question, licensed under CC BY-SA 4.0. If you reuse it you must comply with the CC BY-SA licence, cite the original address and author information, and attribute it to the original author (not me): StackOverflow
Original: http://stackoverflow.com/questions/21925808/
automate usage of SSH local key for git deployment with ansible
Asked by oskargicast
I am working with vagrant and ansible. I want to automate the deployment role of ansible (You can check my repo here). For this purpose, I am trying to deploy my local ssh key into my VPS and my vagrant guest machine (I am trying SSH agent forwarding).
GOAL
Automate deployment process with git using ansible. I've already done this:
---
- name: read-write git checkout from github
  git: repo={{ repository }} dest=/home/site
Where:
---
# Variables here are applicable to all host groups
repository: git@github.com:dgnest/dgnest.git
PROBLEM
When I do "vagrant provision", the console stops here:
TASK: [deployment | read-write git checkout from github] **********************
That's because I haven't set up the ssh keys.
I TRIED
I would like to use the key_file option that the git module of ansible has. But it fails too.
---
- name: read-write git checkout from github
  git: repo={{ repository }} dest=/home/site key_file=/home/oscar/.ssh/id_rsa.pub
Another option is to copy my ~/.ssh/id_rsa.pub into each VPS and vagrant, but my problem in this case is to handle all the different users. Vagrant uses the "vagrant" user and my VPS uses other ones, so I would have to put my local ssh key into each of these users?
Hope you can help me. Thank you.
UPDATE:
I've just automated the @leucos answer (Thanks). Copying the private and public rsa keys. I share this link with the implementation.
Answer by Igor Pomaranskiy
You don't have to copy your local SSH key to remote servers. Instead, you just create a file named ansible.cfg in the directory you are running deployment scripts from, and put in the following settings:
[ssh_connection]
ssh_args = -o ForwardAgent=yes
That's it, now your local identity is forwarded to the remote servers you manage with Ansible.
Answer by leucos
If you choose the key_file way, my guess is that the key must be on the VPS/vagrant machine. So you might want to copy it first. Note that you need a private key here, not a public one.
For your second option, you could push your key to specific users depending on the instance type. Suppose the user in VPS is vpsuser, and that you deploy mostly on these VPS, you could do:
group_vars/all:
deploy_user: vpsuser
group_vars/vagrant:
deploy_user: vagrant
Then, you could have a playbook like:
- name: send key to remote deploy user
  # ~/{{ deploy_user }} would expand under the connecting user's home; target the deploy user's own home (assumed under /home)
  copy: src=files/private_key dest=/home/{{ deploy_user }}/.ssh/priv_key mode=0600
- name: read-write git checkout from github
  git: repo={{ repository }} dest=/home/site key_file=/home/{{ deploy_user }}/.ssh/priv_key
However, I have no idea how the password for the remote private key might be asked (I don't think ansible allows authentication agent forwarding by default (check -vvvv output), you might have to fiddle with your ~/.ansible.cfg).
I suggest that you use a specific key for deployment purposes (with read-only perms on your git repository). This way, your private key won't leave your machine. Make this special key password-less. I think the security trade-off is acceptable since: it will just protect your code, and your code is checked out on the machine where the private key is, so the game is already over.
Another option is to distribute your application from your local checkout using ansible: make a tarball, copy files over, untar, and you're set. This way, you don't need to leave security credentials on your VPS.
Good luck.
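As an added example (not from the question or either answer), a small Python checker for the two failure modes discussed above: the asker handed key_file a public key (id_rsa.pub), and leucos notes that the key must be the private one and, for a non-interactive checkout, password-less. It reads the key header (the OpenSSH private-key format records its cipher name, "none" meaning no passphrase) and the file mode; the sample files built in demo() are constructed headers, not real keys.

```python
import base64
import os
import stat
import struct
import tempfile

OPENSSH_MAGIC = b"openssh-key-v1\x00"
PUBLIC_PREFIXES = ("ssh-rsa ", "ssh-ed25519 ", "ecdsa-sha2-", "ssh-dss ")


def _openssh_cipher(blob: bytes) -> str:  # 'none' means the key has no passphrase
    assert blob.startswith(OPENSSH_MAGIC), "not an openssh-key-v1 blob"
    off = len(OPENSSH_MAGIC)
    (n,) = struct.unpack(">I", blob[off:off + 4])  # length-prefixed ciphername string
    return blob[off + 4:off + 4 + n].decode("ascii", "replace")


def check_deploy_key(path: str) -> list:
    """Problems that make `path` unusable as a non-interactive git key_file."""
    text = open(path, encoding="utf-8", errors="replace").read()
    first = text.lstrip().split("\n", 1)[0]
    if first.startswith(PUBLIC_PREFIXES):  # the asker passed id_rsa.pub here
        return ["public key given; key_file needs the private key"]
    if "BEGIN OPENSSH PRIVATE KEY" in first:
        body = "".join(l for l in text.splitlines() if not l.startswith("-----"))
        cipher = _openssh_cipher(base64.b64decode(body))
    elif "PRIVATE KEY" in first:  # legacy PEM: 'Proc-Type: 4,ENCRYPTED' marks a passphrase
        cipher = "pem-encrypted" if "ENCRYPTED" in text else "none"
    else:
        return ["not a recognised SSH key file"]
    problems = [] if cipher == "none" else [f"passphrase-protected ({cipher}); checkout would hang"]
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        problems.append(f"mode {mode:04o} too open; ssh ignores group/world-readable keys")
    return problems


def demo() -> dict:  # runs the check over constructed sample files (headers only, not real keys)
    def openssh(cipher):  # constructed openssh-key-v1 header carrying the given cipher name
        blob = OPENSSH_MAGIC + struct.pack(">I", len(cipher)) + cipher.encode() + b"\x00" * 8
        return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{base64.b64encode(blob).decode()}\n-----END OPENSSH PRIVATE KEY-----\n"
    samples = {"id_rsa.pub": ("ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB constructed@example\n", 0o644),
               "id_rsa_locked": (openssh("aes256-ctr"), 0o600),
               "deploy_key": (openssh("none"), 0o600),
               "deploy_key_loose": (openssh("none"), 0o644)}
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, (content, mode) in samples.items():
            p = os.path.join(d, name)
            with open(p, "w") as fh: fh.write(content)
            os.chmod(p, mode)
            results[name] = check_deploy_key(p)
    return results
```

Running check_deploy_key() against the key you intend to pass as key_file, before the playbook runs, turns a silent hang at the git task into an explicit error.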