Checkout git repo with chef with ssh key

Problem description

Hello I am having issues getting chef to checkout my git repo using an ssh key from my data_bag.

Below is my git resource:

repo_key = search(:git, "id:git_key").first
git_key_file = "#{Chef::Config['file_cache_path']}/git_key/id_rsa"

directory "#{Chef::Config['file_cache_path']}/git_key" do
    action :create
end

file git_key_file do
    content repo_key['deploy_key']
    mode "0755"
    action :create_if_missing
end

git "/usr/share/my_repo" do
    repository "git@github.com:my_name/some_repo.git"
    checkout_branch "#{node["my_app"][:test_branch]}"
    action :sync
    ssh_wrapper "ssh -i #{git_key_file}"
end

When I run: sudo chef-client I get the error below:

STDERR: error: cannot run ssh -i /var/chef/cache/git_key/id_rsa: No such file or directory

I have ssh'ed into the server and I can verify that the key file is in the proper place and contains the key.

Recommended answer

While your private-key file may be in the right place, my [limited] understanding is that the GIT_SSH variable must be the path to an executable script rather than a command itself.

Thankfully, there is a much easier way to set-up Git to use a particular SSH key per repository that doesn't rely on setting environmental variables or creating new scripts. The general process is described in this SuperUser answer, which is to specify the custom SSH command as an "external transport" in the repository location. Here is how I use the method in a Chef recipe:

# Add a deployment key to the node from chef-vault, e.g. at 
#    /path/to/some_repo_deployment_key
#    /path/to/some_repo_deployment_key.pub

git "/usr/share/my_repo" do
  # The following line ensures that our repo-specific deployment 
  # ssh-key will be used for all clone & fetch operations.
  repository "ext::ssh -i /path/to/some_repo_deployment_key -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no git@github.com %S /my_name/some_repo.git"
  checkout_branch "master"
  action :sync
end

After the repository has been cloned, git fetch and git push operations from within the working-directory will use the same key, making further automation more independent of environmental setup than some of the other techniques which rely on ssh's key-discovery mechanisms.
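
The answer's first point, that GIT_SSH (which Chef's ssh_wrapper sets) must be the path to an executable script, can be shown as an added example that is not part of the original answer or of Chef itself: plain Ruby that writes the deploy key and a wrapper script with tight permissions and keeps host-key checking on against a pinned known_hosts file. The helper names, the file name git_ssh_wrapper.sh and the known_hosts path are assumptions made for illustration.

```ruby
require 'shellwords'
require 'fileutils'

# Hypothetical helper: render the script that GIT_SSH (set by Chef's
# ssh_wrapper property) must point at. Git invokes it as
#   <wrapper> [-p port] user@host <git command>
# so all arguments are passed through to ssh with "$@".
def render_git_ssh_wrapper(key_path, known_hosts_path)
  <<~SCRIPT
    #!/bin/sh
    exec ssh -i #{Shellwords.escape(key_path)} \\
      -o IdentitiesOnly=yes \\
      -o UserKnownHostsFile=#{Shellwords.escape(known_hosts_path)} \\
      -o StrictHostKeyChecking=yes "$@"
  SCRIPT
end

# Hypothetical helper: write the deploy key (0600) and the wrapper (0700)
# into dir and return the wrapper path to hand to ssh_wrapper.
# Assumption: known_hosts_path already holds the Git server's host key.
def install_git_ssh_wrapper(dir, deploy_key, known_hosts_path)
  FileUtils.mkdir_p(dir, mode: 0o700)
  key_path = File.join(dir, 'id_rsa')
  wrapper_path = File.join(dir, 'git_ssh_wrapper.sh')
  files = {
    key_path => [deploy_key, 0o600],
    wrapper_path => [render_git_ssh_wrapper(key_path, known_hosts_path), 0o700]
  }
  files.each do |path, (content, mode)|
    File.write(path, content, perm: mode)
    File.chmod(mode, path) # enforce the mode even if the file already existed
  end
  wrapper_path
end

# Recipe usage with Chef resources instead of File.write (sketch):
#   file wrapper_path do
#     content render_git_ssh_wrapper(git_key_file, known_hosts_path)
#     mode '0700'
#   end
#   git '/usr/share/my_repo' do
#     repository 'git@github.com:my_name/some_repo.git'
#     ssh_wrapper wrapper_path   # a path to the script, not "ssh -i ..."
#     action :sync
#   end
```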
