GIT over SSH in Ansible hangs, even though ssh-agent forwarding is set up

6

31

I have set up everything I could find, but still cloning a repo from GitHub hangs the provisioning process.

I have:

  • server in known_hosts
  • .ssh/config

    Host github.com
      ForwardAgent yes
      StrictHostKeyChecking no
    
  • copied private key

  • public key is in authorized_keys
  • the command runs as vagrant user
  • the play is:

    - name: Checkout from git
      git: repo=git@github.com:username/repositoryname.git dest=/srv/website
    
Hartzog answered 29/1, 2014 at 9:59 Comment(3)
Make sure you're not running this task with sudo, because it breaks agent forwarding. – Hoyle
@techtonik even if the forwarding is set for the root user? – Segura
@Segura forwarding is a chain from your ssh-agent port to remote SSH port, and going through sudo breaks this chain unless you work around this. See https://mcmap.net/q/263854/-ssh-agent-forwarding-with-ansible – Hoyle
61

Just to expand on tillda's answer, that config can be placed in an ansible.cfg file alongside your playbook. e.g.:

ansible.cfg

[defaults]
transport = ssh

[ssh_connection]
ssh_args = -o ForwardAgent=yes

I'd say it's better to do that than setting it as an env variable, as placing it in a conf file is both more declarative and will also minimise the steps needed for other people you may be working with to get going with a project.

Conf docs: http://docs.ansible.com/intro_configuration.html#the-ansible-configuration-file

Example config file: https://raw.github.com/ansible/ansible/devel/examples/ansible.cfg

Noaccount answered 31/3, 2014 at 8:37 Comment(0)
14

I want to share the answer that worked for me:

https://groups.google.com/forum/#!msg/ansible-project/u6o-sWynMjo/69UwJfJPq7cJ - From Ansible Google Group

For Ansible, run ssh-add to load SSH keys on your host machine first. Then use "ssh" as the connection type with forwarding enabled.

Such as:

$ ssh-add
$ export ANSIBLE_TRANSPORT="ssh"
$ export ANSIBLE_SSH_ARGS="-o ForwardAgent=yes"

See manual for ssh-add for running the agent.

The Ansible docs for ssh-args are http://docs.ansible.com/intro_configuration.html#ssh-args

Hartzog answered 29/1, 2014 at 9:59 Comment(0)
7

This works for me:

- name: ensure known hosts
  shell: touch ~/.ssh/known_hosts
- name: remove github.com from known host
  shell: ssh-keygen -R github.com
  # >> instead of > to keep existing known_hosts file
- name: ensure github.com in known host
  shell: ssh-keyscan -H github.com >> ~/.ssh/known_hosts
Undesigning answered 4/2, 2014 at 18:48 Comment(2)
No need, as the git Ansible module has a flag accept_hostkey to ensure it. Just turn it on. – Justinajustine
A module for Ansible to maintain the /etc/ssh/ssh_known_hosts file: github.com/bfmartin/ansible-sshknownhosts – Induration
1

Add to ansible.cfg the following parameter:

[defaults]
sudo_flags=-HE
Earnestineearnings answered 14/7, 2016 at 17:44 Comment(0)
1

In my case the issue was the repository string. I had a bitbucket private repository set as:

git@tsrs...

but it should be:

ssh://git@tsrs...

Notice the subtle absence of the prefix "ssh". The weird part is that if I clone a github repository without the "ssh", it works fine!

Reformism answered 20/3, 2017 at 16:16 Comment(0)
0

I had an error:

bitbucket.org has an unknown hostkey. Set accept_hostkey to True or manually add the hostkey prior to running the git module

I had to add an accept_hostkey parameter to my git module command:

playbook:

tasks:
    - name: clone
      git: repo=git@bitbucket.org:robusta-code/xyz.git
           dest=/app
           accept_hostkey=yes

ansible.cfg

[ssh_connection]
ssh_args = -o ForwardAgent=yes
Quizmaster answered 18/2, 2016 at 14:35 Comment(0)
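
The ssh-keyscan tasks and accept_hostkey=yes in the answers above both accept whatever host key the network returns on first contact. As an added example (not from any of the answers), this Python filter keeps only scanned lines whose SHA256 fingerprint matches a value pinned out of band; the function names are hypothetical, and the key blobs and scan text are constructed sample data, not real host keys.

```python
import base64
import hashlib


def fingerprint(key_b64):
    """OpenSSH-style SHA256 fingerprint of a base64-encoded public key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def verified_lines(scan_output, pinned):
    """Return the known_hosts lines whose key matches a pinned fingerprint."""
    accepted = []
    for line in scan_output.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # ssh-keyscan banner lines start with '#'
        fields = line.split()
        if len(fields) < 3:
            continue  # expected: host keytype base64key
        try:
            fp = fingerprint(fields[2])
        except ValueError:
            continue  # malformed base64 is rejected, never trusted
        if fp in pinned:
            accepted.append(line)
    return accepted


def _blob(raw32):
    """Build an ssh-ed25519 wire-format blob from 32 bytes (sample data only)."""
    name = b"ssh-ed25519"
    wire = len(name).to_bytes(4, "big") + name + len(raw32).to_bytes(4, "big") + raw32
    return base64.b64encode(wire).decode()


# Constructed sample input: one expected key, one substituted key.
GOOD_KEY = _blob(bytes(range(32)))
ROGUE_KEY = _blob(bytes(range(1, 33)))
# Assumption: in real use this set holds fingerprints copied from the
# provider's published documentation, not values derived from the scan.
PINNED = {fingerprint(GOOD_KEY)}
SCAN = (
    "# github.com:22 SSH-2.0-sample\n"
    f"github.com ssh-ed25519 {GOOD_KEY}\n"
    f"github.com ssh-ed25519 {ROGUE_KEY}\n"
)

if __name__ == "__main__":
    for entry in verified_lines(SCAN, PINNED):
        print(entry)  # only these lines belong in known_hosts
```

Because only the key field is hashed, the filter works the same on `ssh-keyscan -H` output, where the host field is itself hashed.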
