厨师deploy_resource私有存储库,ssh部署密钥和ssh_wrapper [英] Chef deploy_resource private repo, ssh deploy keys and ssh_wrapper
问题描述
我在获取厨师食谱以克隆私人仓库时遇到了很多麻烦。好吧,我昨天可以正常使用它,但是在将我的Vagrant盒子塞进去六次之后,我已经把它弄坏了。您可能猜到我是厨师新手。
I'm having loads of trouble getting my Chef recipe to clone a private repo. Well, I had it working yesterday but after 'cheffin' my Vagrant box half a dozen times, I've broken it. I'm a Chef newbie as you may guess.
按照这里的deploy_resource指南,我已经创建了deploy.rb配方(简称):
Following the deploy_resource guide here, I've created my deploy.rb recipe (shortened):
deploy_branch "/var/www/html/ps" do
repo git@github.com:simonmorley/private-v2.git
ssh_wrapper "/tmp/.ssh/chef_ssh_deploy_wrapper.sh"
branch "rails4"
migrate false
environment "RAILS_ENV" => node[:ps][:rails_env]
purge_before_symlink %w{conf data log tmp public/system public/assets}
create_dirs_before_symlink []
symlinks( # the arrow is sort of reversed:
"conf" => "conf", # current/conf -> shared/conf
"data" => "data", # current/data -> shared/data
"log" => "log", # current/log -> shared/log
"tmp" => "tmp", # current/tmp -> shared/tmp
"system" => "public/system", # current/public/system -> shared/system
"assets" => "public/assets" # current/public/assets -> shared/assets
)
scm_provider Chef::Provider::Git # is the default, for svn: Chef::Provider::Subversion
notifies :restart, "service[ps]"
notifies :restart, "service[nginx]"
end
默认情况下,我有以下创建dirs等。
In defaults, I have the following to create the dirs etc.
directory "/tmp/.ssh" do
action :create
owner node[:base][:username]
group node[:base][:username]
recursive true
end
template "/tmp/.ssh/chef_ssh_deploy_wrapper.sh" do
source "chef_ssh_deploy_wrapper.sh.erb"
owner node[:base][:username]
mode 0770
end
# Put SSH private key to be used with SSH wrapper
template "/tmp/.ssh/id_deploy" do
source "id_rsa.pub.erb"
owner node[:base][:username]
mode 0600
end
然后在包装器中:
#!/bin/sh
exec ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i "/tmp/.ssh/id_deploy" "$@"
我创建了一个公钥并将其上传到github 。
And I have created a public key and uploaded this to github.
当我部署食谱时,它给了我一个错误:
When I deploy the recipe, it gives me an error:
deploy_branch[/var/www/html/ps] action deployEnter passphrase for key '/tmp/.ssh/id_deploy':
我没有设置密码...因此,私钥必须丢失。.
Obvs I don't have a password set... The private key must therefore be missing..
偶然地,我删除了id_deploy从配方中删除密钥,然后删除文件夹并再次运行。低到低,它开始起作用...原因是id_rsa.pub&&从我手动生成文件进行测试以来,id_rsa文件就位于/root/.ssh中。
Just by chance, I removed the id_deploy key from the recipe, deleted the folders and ran it again. Low and behold, it started working... The reason being that the id_rsa.pub && id_rsa files were in /root/.ssh from when I manually generated them to test.
我不明白我在这里做错了什么。因此,我的问题是:
I don't understand what I'm doing wrong here. My questions are therefore:
- 在部署到的每个节点上都需要私钥和公钥吗?文档中没有提到这一点。
- 是否应该以非root用户身份进行部署?我已经在角色文件中设置了一个用户。.
- 为什么ssh_wrapper没有执行应做的事情
推荐答案
花了好几天的时间才能正确解决。
It took a good couple of days to figure this out properly.
这是要澄清的我做了修复。我不知道它是否正确,但是对我有用。
Just to clarify, this is what I did to fix it. I do not know if it's correct, but it works for me.
-
生成一组遵循本教程的公用密钥和专用密钥。
将公共密钥添加到要克隆的Github存储库中。
Add the public key to the Github repo that you want to clone.
在我的默认配方中创建一个模板,其中包括公共密钥和私有密钥。见下文。
Create a template in my default recipe which includes both the public and private keys. See below.
为发布和私钥创建相关模板。
Created the relevant templates for the pub and private keys.
创建了Chef_ssh_deploy_wrapper.sh.erb文件(见下文)
Created the chef_ssh_deploy_wrapper.sh.erb file (see below)
创建了deploy.rb配方(见下文)
Created a deploy.rb recipe (see below)
已上传食谱并将其添加到我的角色。跑了厨师客户。
Uploaded and added the recipes to my role. Ran chef-client.
嘿!坐下来喝啤酒,看看你的回购。
Hey presto! Sit back with a beer and watch your repo. smartly cloned into your dir.
创建目录和模板:
template "/tmp/.ssh/chef_ssh_deploy_wrapper.sh" do
source "chef_ssh_deploy_wrapper.sh.erb"
owner node[:base][:username]
mode 0770
end
template "/home/#{node[:base][:username]}/.ssh/id_rsa.pub" do
source "id_rsa.pub.erb"
owner node[:base][:username]
mode 0600
end
template "/home/#{node[:base][:username]}/.ssh/id_rsa" do
source "id_rsa.erb"
owner node[:base][:username]
mode 0600
end
创建ssh包装器 chef_ssh_deploy_wrapper.erb
#!/bin/sh
exec ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i "/home/#{node[:base][:username]}/.ssh/id_rsa" "$@"
(请确保您在此处使用私钥或将会失败)
(Make sure you use the private key here or it will fail)
最后deploy.rb配方:
Finally the deploy.rb recipe:
deploy_branch node[:my_app][:deploy_to] do
repo node[:base][:repository]
ssh_wrapper "/tmp/.ssh/chef_ssh_deploy_wrapper.sh"
branch "rails4"
user node[:base][:username]
group node[:base][:username]
rollback_on_error true
migrate false
environment "RAILS_ENV" => node[:my_app][:environment]
purge_before_symlink %w{conf data log tmp public/system public/assets}
create_dirs_before_symlink []
symlinks(
"config" => "config",
"data" => "data",
"log" => "log",
"tmp" => "tmp",
"system" => "public/system",
"assets" => "public/assets"
)
scm_provider Chef::Provider::Git # is the default, for svn: Chef::Provider::Subversion
before_restart do
system("su #{node[:base][:username]} -c 'cd #{node[:my_app][:deploy_to]}/current && /usr/bin/bundle install'") or raise "bundle install failed"
system("su #{node[:base][:username]} -c 'RAILS_ENV=production /usr/local/bin/rake assets:precompile'")
end
notifies :restart, "service[my_app]"
notifies :restart, "service[nginx]"
end
前自从我们最初从源代码编译Ruby以来,estart已被替换,但最终决定使用rvm。
The before restart has since been replaced as we were initially compiling ruby from source but decided to use rvm in the end. Much easier for multi-user installations.
NB:我正在以sudo用户身份进行部署,如果您以root用户身份进行部署(避免这样做),请使用/代替root / .ssh路径。
NB: I'm deploying as an sudo user, if you're doing so as root (avoid this), use the /root/.ssh path instead.
我从这篇文章。
祝您好运,希望对您有所帮助。
Good luck, I hope this helps someone.
这篇关于厨师deploy_resource私有存储库,ssh部署密钥和ssh_wrapper的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!