I am trying to use chef-solo to pull a private git repo. I used the following steps to create my setup.
- Create the necessary data bags to encrypt private ssh keys
  a. Create the encrypted key file:

        EDITOR=vim knife solo data bag create secret --secret_file=...

  b. Remove newlines and copy to the clipboard:

        cat ~/.ssh/id_rsa | tr -d '\r\n' | pbcopy

  c. Edit the file with:

        {
          "id": "<app_name>",
          "private_key": "<Private key copied from clipboard>"
        }

  d. It correctly creates the data bag and I can view it:

        knife solo data bag show secrets <app_name>
        knife solo data bag show secrets <app_name> --secret-file ~/.chef/encrypted_data_bag_secret
- An ssh-wrapper that refers to the private key file:

        #!/bin/sh
        exec ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i "/home/ubuntu/.ssh/id_rsa" "$@"

- Using the git resource, check out or clone the repo:

        git "#{node[:test][:base]}/test" do
          repository "git@github.test/test.git"
          reference "master"
          action :sync
          destination node[:test][:base]
          user "#{node[:test][:user]}"
          group "#{node[:test][:user]}"
          ssh_wrapper "#{node[:test][:base]}/.ssh/git-ssh-wrapper.sh"
        end
The attributes.rb file contains the following:

    default[:test][:base] = "/home/ubuntu"
    default[:test][:log_dir] = "/var/log/test"
    default[:test][:loglevel] = "info"
    default[:test][:user] = "ubuntu"
    default[:test][:virtualenv] = "/home/ubuntu/environments/test"
    default[:test][:deploy_repo] = "git@github.com:test/test.git"
    default[:test][:deploy_branch] = "master"
    default[:test][:deploy_dir] = "/srv/test"
In the end, when I run the command `knife solo bootstrap ubuntu@`, I observe the following:
- The code gets stuck while running the "sync" action and never completes it.
- On the AWS instance, the private key id_rsa is being generated in the .ssh directory; however, when performing `ssh-add ~/.ssh/id_rsa` it asks for a passphrase (even though the original ssh-keygen command did not set any password).
- On the AWS instance, performing a manual `git ls-remote git@github.com:test` fails, while it succeeds on the local machine. The authentication daemon is not running by default, so how do I start it automatically?
Again, all of the above can be due to the fact that private key. However, on comparison, the decrypted private key content on the remote machine matches the local private key (the original key without encryption).
It would be great to get some insight into the above behavior and a potential solution.
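As an added example (not code from the question), a small Ruby helper that takes key material flattened with `tr -d '\r\n'` as in step b above, rebuilds it into a PEM that OpenSSL accepts (markers on their own lines, base64 re-wrapped, trailing newline), and refuses to write it to disk unless it parses, with owner-only permissions. It assumes an unencrypted PEM-format `id_rsa`, as the ssh-wrapper above expects.

```ruby
require "openssl"
require "tmpdir"

# Matches a PEM block even when all newlines were stripped, e.g.
# "-----BEGIN RSA PRIVATE KEY-----MIIE...-----END RSA PRIVATE KEY-----".
PEM_RE = /-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----/m

# Rebuild a flattened key into canonical PEM: header and footer on their own
# lines, base64 body wrapped at 64 characters, and a trailing newline (ssh
# rejects keys that lack it). Assumes an unencrypted key (no Proc-Type headers).
def restore_pem(flat)
  m = PEM_RE.match(flat)
  raise ArgumentError, "no PEM block found" unless m
  label = m[1]
  body = m[2].gsub(/\s+/, "")
  lines = body.scan(/.{1,64}/)
  "-----BEGIN #{label}-----\n#{lines.join("\n")}\n-----END #{label}-----\n"
end

# Returns the parsed key, or nil if OpenSSL rejects the material.
def load_key(pem)
  OpenSSL::PKey.read(pem)
rescue OpenSSL::PKey::PKeyError, ArgumentError
  nil
end

# Write the key with mode 0600, refusing material that does not parse, so the
# node never ends up with an unusable or group/world-readable private key.
def write_private_key(path, material)
  pem = restore_pem(material)
  raise ArgumentError, "key material does not parse as a private key" unless load_key(pem)
  File.open(path, File::WRONLY | File::CREAT | File::TRUNC, 0600) { |f| f.write(pem) }
  File.chmod(0600, path)
  pem
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a fresh key flattened the way `tr -d '\r\n'` would.
  key = OpenSSL::PKey::RSA.new(2048)
  flat = key.to_pem.delete("\r\n")
  Dir.mktmpdir do |dir|
    path = File.join(dir, "id_rsa")
    write_private_key(path, flat)
    puts "wrote #{path} with mode %o" % (File.stat(path).mode & 0o777)
  end
end
```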