knife-solo and data bag encryption #461
Comments
I'd debug a layer deeper. Can you ssh from the box to If that works then try the git clone command next. If that works, I'd check the wrapper. I'd also recommend doing away with the wrapper if possible. If you need it to set the key file location I'd recommend placing a Give those things a try and good luck!
Oh and you may want to run
Thanks for the quick response. I performed unset SSH_AUTH_SOCK on the node and tried to carry out the following commands:
ssh -vvv [email protected]:<github_acct>/test.git
#!/bin/sh
When I try ./git-ssh-wrapper.sh [email protected], it asks for the passphrase for the key.
Actually, the chef-solo recipe and private repo cloning used to work just fine before I changed my key, so is there any easy way to verify the accuracy of the private key you deploy on the server?
It got resolved: I had a password on my private key and expected it to work. Now, the question is: what's the preferred approach for automated deployment keys for GitHub? The follow-up question is, if it's option b, how can one supply the passphrase to the deployment key while performing automated deployment via Chef?
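The cause found above (a passphrase on the deployed key, which a non-interactive clone cannot answer) can be detected from the key text alone. The following is an added example, not code from this thread or from knife-solo; the function names and the sample keys are constructed for illustration and contain no real key material.

```ruby
# Added example: classify a private key as passphrase-protected or not by
# reading its container format. No passphrase or ssh binary is needed.
OPENSSH_MAGIC = "openssh-key-v1\0".b

# Returns :encrypted, :plaintext or :unknown for the given key text.
def key_protection(key_text)
  text = key_text.gsub("\r\n", "\n")
  label = text[/^-----BEGIN ([A-Z0-9 ]+)-----$/, 1]
  case label
  when "ENCRYPTED PRIVATE KEY" then :encrypted # PKCS#8 encrypted container
  when "OPENSSH PRIVATE KEY" then openssh_protection(text)
  when /PRIVATE KEY\z/ # legacy PEM (RSA/DSA/EC) or unencrypted PKCS#8
    text.match?(/^Proc-Type: 4,ENCRYPTED$/) ? :encrypted : :plaintext
  else :unknown # no PEM header on its own line, e.g. "\n" left undecoded
  end
end

# The OpenSSH format stores the cipher name as a length-prefixed string
# right after the magic; "none" means there is no passphrase.
def openssh_protection(text)
  body = text.lines.map(&:strip)
             .reject { |l| l.empty? || l.start_with?("-----") }.join
  blob = body.unpack1("m")
  return :unknown unless blob.start_with?(OPENSSH_MAGIC)

  len = blob.byteslice(OPENSSH_MAGIC.bytesize, 4)&.unpack1("N")
  cipher = len && blob.byteslice(OPENSSH_MAGIC.bytesize + 4, len)
  return :unknown if cipher.nil? || cipher.bytesize != len

  cipher == "none" ? :plaintext : :encrypted
end

# Constructed sample: header-only OpenSSH key body for the given cipher.
def sample_openssh_key(cipher)
  ssh_str = ->(s) { [s.bytesize].pack("N") + s.b }
  kdf = cipher == "none" ? "none" : "bcrypt"
  blob = OPENSSH_MAGIC + ssh_str.(cipher) + ssh_str.(kdf)
  "-----BEGIN OPENSSH PRIVATE KEY-----\n#{[blob].pack('m')}" \
    "-----END OPENSSH PRIVATE KEY-----\n"
end

# Constructed sample: legacy PEM headers of a passphrase-protected key.
LEGACY_ENCRYPTED = <<~PEM
  -----BEGIN RSA PRIVATE KEY-----
  Proc-Type: 4,ENCRYPTED
  DEK-Info: AES-128-CBC,00000000000000000000000000000000

  Y29uc3RydWN0ZWQgc2FtcGxlLCBub3QgYSByZWFsIGtleQ==
  -----END RSA PRIVATE KEY-----
PEM
```

A recipe could call `key_protection` on the key text read from the data bag and stop before the clone when the result is not `:plaintext`; `:unknown` also covers a key whose newlines are still the literal two characters `\n`.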
I recommend a key with no password that's only given read permission to the Encrypting the key then automating password injection with Chef doesn't If you're provisioning with knife-solo and don't want to have an On Tuesday, 27 October 2015, rajanshah [email protected] wrote:
-Mat matschaffer.com
Yes, mainly a password-less key on the server can grant access to your repo. Isn't SSH forwarding at least a more secure option? Is there any good reference you can point to for performing such SSH forwarding with knife-solo? Thanks a lot for your help.
It adds security, but at the cost of requiring a 3rd party to perform the You can specify Note that for this to work sshd must be configured to allow it (usually You can test it with Reading around a bit (http://d.hatena.ne.jp/nekonokataomoi/20130527/1369673600) Hope that helps. Like I said I usually opt for unencrypted keys which only -Mat matschaffer.com On Wed, Oct 28, 2015 at 11:27 AM, rajanshah [email protected]
Hi,
Again, this has nothing to do with a knife-solo issue, but it has to be my understanding. At the same time, it would be great if someone could assist with the following issue.
I am trying to clone a private repo using chef-solo and have the following setup.
EDITOR=vim knife solo data bag create test_key project
a. pbcopy < ~/.ssh/id_rsa
b. vi /tmp/test.key
c. paste the key
d. remove new lines via :%s/\n/\\n/
e. copy it to the test_key file, so now it looks as follows:
{ "id": "project",
"test_key":
}
a. knife solo data bag show secrets <app_name>
b. knife solo data bag show secrets <app_name> --secret-file ~/.chef/encrypted_data_bag_secret
default[:test][:base] = "/home/ubuntu"
default[:test][:log_dir] = "/var/log/test"
default[:test][:loglevel] = "info"
default[:test][:user] = "ubuntu"
default[:test][:deploy_repo] = "[email protected]:test/test.git"
default[:test][:deploy_branch] = "master"
default[:test][:deploy_dir] = "/srv/test"
git "#{node[:test][:base]}/test" do
  repository "[email protected]/test.git"
  reference "master"
  action :sync
  # Interpolate the attribute; without #{} the path is the literal text.
  destination "#{node[:test][:base]}/test"
  user "#{node[:test][:user]}"
  group "#{node[:test][:user]}"
  ssh_wrapper "#{node[:test][:base]}/.ssh/git-ssh-wrapper.sh"
  timeout 300
end
Couple observations:
I would appreciate it if someone could offer hints or suggestions on "what could be wrong" and ways to resolve it.