2
votes

I'm trying to use Vagrant and Ansible to create a developer VM environment. I'm able to connect just fine and install packages. My issue seems to be with ssh, git, and keyfiles. My setup is unfortunately rather complicated, and I don't have the ability to change that. The git repositories are hosted on a machine that I have to connect to via a bastion host with a keyfile.

My local ssh config file has all the necessary proxy commands to make this work. I have SSH forwarding my key, because I can log into the VM manually and use git. Via Ansible it doesn't seem to know about hosts that should be set up via the ssh config file.

I am not running the git clone as sudo, and I am using accept_hostkey. It just doesn't seem to know about the repository host at all.

I have also tried adding an ansible.cfg with the following command:

ssh_args = -o ControlPersist=15m -F ssh.config -q

The ssh.config file is the same as my ~/.ssh/config that happens to work when doing the git clones manually. I'm also doing this as the vagrant user manually, and I have remote_user set to vagrant in my playbook.

I'm just kind of stumped as to how this is supposed to work.


3 Answers

1
votes

If I understand correctly, you can manually git clone into your Vagrant machine?

If yes, and since you have already told us that both machines have exactly the same ~/.ssh/config file, then you can do what I did when I got an error during the git clone:

- name: Pull sources from the repository.
  git: repo='[email protected]:test/test.git' version=master dest=/var/www accept_hostkey=True force=yes recursive=no key_file=~/.ssh/id_rsa

Sometimes, explicitly defining key_file, accept_hostkey=True and force=yes solves the problem.

On the other hand, if you want to explicitly specify that Ansible always uses the ssh connection instead of paramiko, then you can set this in your ansible.cfg file, which is located at /etc/ansible/ansible.cfg:

[defaults]
transport=ssh

There is another technique that I have read about somewhere, which you can also try, to teach Ansible to talk to the Git server on your behalf (again, this change is in /etc/ansible/ansible.cfg):

[ssh_connection]
ssh_args = -o ForwardAgent=yes

Hope this will help you. Thanks

0
votes

I'm not too familiar with Ansible, but from the docs, Ansible supports 2 ssh transports: OpenSSH and Paramiko (Python's SSH). Unless you manually choose which one to use, it might choose Paramiko instead of OpenSSH.

This can explain the troubles you are having, since ssh_args is an OpenSSH-specific setting.

0
votes

So the issue turned out to be that I was actually running one of my git clones as root after all.

For the SSH key to be forwarded properly in that case, you have to edit /etc/sudoers (with visudo) and update env_keep so that SSH_AUTH_SOCK is preserved.
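
An added example (not the answerer's own configuration) of applying this fix from the playbook itself: it installs a sudoers drop-in checked by visudo and scoped to the vagrant user, so only that account's sudo sessions keep the agent socket, then confirms root can reach the forwarded agent before cloning. The `devvm` group, the drop-in file name, the repository URL and the destination are placeholders; it assumes /etc/sudoers includes /etc/sudoers.d and that agent forwarding is already enabled for the Ansible connection (ForwardAgent=yes in ssh_args).

```yaml
---
- hosts: devvm                       # placeholder inventory group
  remote_user: vagrant
  tasks:
    - name: Keep SSH_AUTH_SOCK across sudo for the vagrant user only
      ansible.builtin.copy:
        dest: /etc/sudoers.d/90-ssh-auth-sock   # placeholder file name
        content: |
          Defaults:vagrant env_keep += "SSH_AUTH_SOCK"
        owner: root
        group: root
        mode: "0440"
        # A syntax error in a sudoers file can lock out sudo; validate first.
        validate: /usr/sbin/visudo -cf %s
      become: true

    - name: Check that root can see the forwarded agent
      ansible.builtin.command: ssh-add -l
      become: true
      register: agent_keys
      changed_when: false
      # rc 1 = agent reachable but holds no keys, rc 2 = no agent socket
      failed_when: agent_keys.rc != 0

    - name: Clone as root using the forwarded key
      ansible.builtin.git:
        repo: git@git.example.com:team/project.git   # placeholder URL
        dest: /opt/project                           # placeholder path
        version: master
        accept_hostkey: true
      become: true
```

This covers become to root only: the forwarded agent socket is owned by the login user, so a different unprivileged become_user still cannot open it even when the variable is preserved.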