Ansible bitbucket clone provisioning ssh error

Published 2019-06-04 03:01

Question:

In summary, when provisioning my vagrant box using Ansible, I get thrown a mysterious error when trying to clone my bitbucket private repo using ssh. The error states that the "Host key verification failed".

Yet if I vagrant ssh and then run the 'git clone' command, the private repo is successfully cloned. This indicates that the ssh forward agent is indeed working and the vagrant box can access my private key associated with the bitbucket repo.

I have been struggling for two days on this issue and am losing my mind! Please, somebody help me!!!

Vagrantfile:

Vagrant.configure("2") do |config|
  config.vm.box = "ubuntu/xenial64"
  config.vm.network "private_network", ip: "192.168.33.10"
  config.ssh.forward_agent = true

  # Only contains ansible dependencies
  config.vm.provision "shell",
    inline: "sudo apt-get install python-minimal -y"

  # Use ansible for all provisioning:
  config.vm.provision "ansible" do |ansible|
    ansible.playbook = "provisioning/playbook.yml"
  end

end

My playbook.yml is as follows:

---

- hosts: all
  become: true

  tasks:
    - name: create /var/www/ directory
      file: dest=/var/www/ state=directory owner=www-data group=www-data mode=0755

    - name: Add the user 'ubuntu' to group 'www-data'
      user:
        name: ubuntu
        shell: /bin/bash
        groups: www-data
        append: yes

    - name: Clone bitbucket repo
      git:
        repo: git@bitbucket.org:gustavmahler/example.com.git
        dest: /var/www/poo
        version: master
        accept_hostkey: yes

Error Message:

vagrant provision

TASK [common : Clone bitbucket repo] *******************************************

fatal: [default]: FAILED! => {"changed": false, "cmd": "/usr/bin/git clone --origin origin '' /var/www/poo", "failed": true, "msg": "Cloning into '/var/www/poo'...\nWarning: Permanently added the RSA host key for IP address '104.192.143.3' to the list of known hosts.\r\nPermission denied (publickey).\r\nfatal: Could not read from remote repository.\n\nPlease make sure you have the correct access rights\nand the repository exists.", "rc": 128, "stderr": "Cloning into '/var/www/poo'...\nWarning: Permanently added the RSA host key for IP address '104.192.143.3' to the list of known hosts.\r\nPermission denied (publickey).\r\nfatal: Could not read from remote repository.\n\nPlease make sure you have the correct access rights\nand the repository exists.\n", "stderr_lines": ["Cloning into '/var/www/poo'...", "Warning: Permanently added the RSA host key for IP address '104.192.143.3' to the list of known hosts.", "Permission denied (publickey).", "fatal: Could not read from remote repository.", "", "Please make sure you have the correct access rights", "and the repository exists."], "stdout": "", "stdout_lines": []}

Additional Info:

  • ssh-add -l on my machine does contain the associated bitbucket repo key.
  • ssh-add -l inside the vagrant box does also contain the associated bitbucket repo key (through ssh-forwarding).

Yet cloning works if done manually inside the vagrant box?:

vagrant ssh
git clone git@bitbucket.org:myusername/myprivaterepo.com.git
Then type "yes" to allow the RSA fingerprint to be added to ~/.ssh/known_hosts (as it is the first connection with bitbucket)

Possible solution?

I have seen in the Ansible documentation that there is a key_file: option. How would I reference the private key which is located outside the vagrant box and is passed in using ssh forwarding?

I do have multiple ssh keys for different entities inside my ~/.ssh/. Perhaps the git clone command, when run by Ansible provisioning, isn't selecting the correct key?

Any help is greatly appreciated and thanks for reading my nightmare.

Answer 1:

Since you run the whole playbook with become: true, SSH key-forwarding (as well as troubleshooting) becomes irrelevant, because the user connecting to BitBucket from your play is root.

Run the task connecting to BitBucket as ubuntu user:

  • either specifying become: false in the Clone bitbucket repo task,

  • or removing become: true from the play and adding it only to tasks that require elevated permissions.



Answer 2:

This answer comes direct from techraf's helpful comments.

  • I changed the owner of the /var/www directory from 'www-data' to 'ubuntu' (the username I use to login via ssh).
  • I also added "become: false" above the git task.

NOTE: I have since been dealing with the following issue so this answer does not fully resolve my problems: Ansible bitbucket clone repo provisioning ssh error

Updated working playbook.yml file:

---

- hosts: all
  become: true

  tasks:
    - name: create /var/www/ directory
      file: dest=/var/www/ state=directory owner=ubuntu group=www-data mode=0755

    - name: Add the user 'ubuntu' to group 'www-data'
      user:
        name: ubuntu
        shell: /bin/bash
        groups: www-data
        append: yes

    - name: Clone bitbucket repo
      become: false
      git:
        repo: git@bitbucket.org:[username]/example.com.git
        dest: /var/www/poo
        version: master
        accept_hostkey: yes
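The following playbook is an added example, not part of either answer, that combines the point from Answer 1 (the git task must run as the user whose agent is forwarded, so root under become: true never sees SSH_AUTH_SOCK) with the ownership change from Answer 2, and adds two checks a practitioner would want: a pre-flight ssh-add -l as the unprivileged user so a missing agent fails early with a clear message rather than "Permission denied (publickey)", and a pinned known_hosts entry in place of accept_hostkey: yes, which otherwise trusts whatever key is presented on first contact. The user name ubuntu, the repo path and the host-key string are assumptions; the key value is a placeholder to be replaced with the public host key Bitbucket publishes.

```yaml
---
- hosts: all
  become: true

  tasks:
    - name: create /var/www/ owned by the deploy user so an unprivileged clone can write there
      file:
        path: /var/www
        state: directory
        owner: ubuntu          # assumed SSH login user whose agent is forwarded
        group: www-data
        mode: "0755"

    - name: confirm the forwarded agent is reachable by the unprivileged user
      become: false
      command: ssh-add -l
      register: agent_keys
      changed_when: false
      # rc 1 = agent reachable but empty, rc 2 = no agent socket; both mean the clone cannot authenticate
      failed_when: agent_keys.rc != 0

    - name: pin the Bitbucket host key instead of trusting it on first use
      become: false
      known_hosts:
        name: bitbucket.org
        # PLACEHOLDER: replace with the real "bitbucket.org ssh-rsa AAAA..." line published by Bitbucket
        key: "bitbucket.org ssh-rsa AAAA_REPLACE_WITH_PUBLISHED_HOST_KEY"
        state: present

    - name: Clone bitbucket repo as the user whose agent is forwarded
      become: false
      git:
        repo: git@bitbucket.org:[username]/example.com.git   # [username] left as on the page
        dest: /var/www/poo
        version: master
        # accept_hostkey is deliberately omitted: the key above is already pinned
```

Because the known_hosts task runs with become: false, the entry lands in ~ubuntu/.ssh/known_hosts, which is the file the unprivileged git task consults; writing it as root would put it in /root/.ssh and leave the clone unverified. The ssh-add check also makes the failure mode visible in the task output instead of buried in git's stderr.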