Bedrock-Ansible: Initial Production Deployment - SSH Permission denied

Hi all,
Any advice would be greatly appreciated in helping me tackle this.

Sorry ahead of time for any newbie/simple error on my part. I am just getting started with Bedrock and the stack it's running on.

So, my issue seems to be that when deploying the script to my live server for the first time, I am getting a block somewhere between the server and the git repository (Private on GitLab).

This is a DO Ubuntu 14.04 Droplet. The Ansible playbook has already been run, and I can see that Nginx and the rest of the components have installed.

Mind you I can git ls-remote when ssh-ed into the live server and I get the HEAD output, same from my local dev through the server as ssh -A.

I have set up a deploy ssh key for the deploy user, and I can git clone in the live server.

Hosts/Production added:
ansible_ssh_private_key_file=~/.ssh/id_rsa ansible_ssh_user=deploy

This is the outputted error:

$ ./deploy.sh production example.com

PLAY [Deploy WP site] ********************************************************* 

GATHERING FACTS *************************************************************** 
ok: [IP]

TASK: [deploy | Initialize] *************************************************** 
ok: [IP]

TASK: [deploy | Clone project files] ****************************************** 
failed: [IP] => {"cmd": "/usr/bin/git ls-remote '' -h refs/heads/master", "failed": true, "rc": 128}
stderr: Permission denied (publickey).
fatal: Could not read from remote repository.


Please make sure you have the correct access rights
and the repository exists.

msg: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

FATAL: all hosts have already failed -- aborting

PLAY RECAP ******************************************************************** 
           to retry, use: --limit @/home/rekast/deploy.retry

IP             : ok=2    changed=0    unreachable=0    failed=1

@rekast The time I was able to clone from everywhere except through Ansible, this ForwardAgent setting resolved it for me. Does your ansible.cfg file (in bedrock-ansible root dir) already have that setting?

Just remembered: It only worked cloning via ssh (vs https):
Like this: repo: git@gitlab.com:user/repo.git
Not this : repo: https://gitlab.com/user/repo.git

(I haven’t tried it with GitLab)

@fullyint,
Thanks for chiming in.

My ansible.cfg already has that set:

[ssh_connection]
ssh_args = -o ForwardAgent=yes -o ControlMaster=auto -o ControlPersist=60s

As for the cloning via ssh, I am going through the bedrock-ansible deploy script at this moment first, but the git clone that I tested was on the live server, yes through ssh not https as you stated.

Any other thoughts anyone?

Right. I just meant that in your group_vars/<environment>, the repo variable specifies your repo in the ssh format. You probably already have it set that way, but I thought I’d mention it just in case.

Looking at:

TASK: [deploy | Clone project files] ****************************************** 
failed: [PRODUCTIONIP] => {"cmd": "/usr/bin/git ls-remote '' -h refs/heads/master", "failed": true, "rc": 128}
stderr: Permission denied (publickey).

I am noticing that the ls-remote seems to not show the git repo it should be cloning from.

My assumption is that the deploy script is looking at the git repo in the main site one directory up in the root of the project (…/example.com)

Where is the script looking at for its repo url?

I have not manually moved any files to the server yet, did I skip a step?

The deploy script will find the url for the repo in wordpress_sites[site].repo as defined in group_vars/<environment>, e.g., like this for production.

1 Like

I don’t know very much about ssh, but here are my guesses of next things to check.

I wonder if there is a conflict in ssh user names between the ansible ssh user you set to ‘deploy’ in your hosts/production file, and whatever you have set for your web_user in group_vars/all.

The deploy.yml playbook will run as user = whatever you’ve set for web_user (default = ‘web’, here in group_vars/all). So, if ansible is running as ‘web’, maybe it’s refusing to use the deploy key you’ve assigned to the user named ‘deploy’ (?). Sorry, I haven’t tried the deploy script with a deploy key.

  • you might try changing web_user to ‘deploy’ (to match your ansible_ssh_user)
  • or better yet, you might test whether the simpler default use case works with as many of the project defaults as possible, e.g., no deploy key, just ssh forwarding using your own private key (i.e., temporarily remove ssh-related mods from hosts/production)

On another note, ensure that the ssh key involved is passwordless, otherwise I think Ansible’s git access could hang while silently waiting for a password. But it doesn’t look like that is the problem.

If you have any modifications that might be noteworthy, let us know.

2 Likes
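
Added example (not part of the original thread and not bedrock-ansible code): a small pre-flight check for the settings discussed above, namely the `repo` value in group_vars, the ssh-versus-https URL form, and a mismatch between `ansible_ssh_user` and `web_user`. The function names and the `template_repos` parameter are hypothetical, and the template URL in the sample is a placeholder because the thread does not give the real default.

```python
import re
import shlex

# scp-style (git@host:path) and ssh:// URLs are the forms that use SSH keys/agent.
SSH_REPO = re.compile(r"^(ssh://\S+|[\w.-]+@[\w.-]+:\S+)$")

def parse_inventory_vars(line):
    """Return the key=value host variables found on one Ansible inventory line."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)

def classify_repo(repo):
    """Classify a repo setting as 'empty', 'ssh', 'https' or 'other'."""
    repo = (repo or "").strip()
    if not repo:
        return "empty"
    if SSH_REPO.match(repo):
        return "ssh"
    if repo.startswith(("https://", "http://")):
        return "https"
    return "other"

def preflight(inventory_line, repo, web_user, template_repos=()):
    """Collect findings for the misconfigurations raised in the thread."""
    findings = []
    kind = classify_repo(repo)
    if kind == "empty":
        findings.append("repo is empty: set wordpress_sites[site].repo")
    elif kind != "ssh":
        findings.append(f"repo is not an SSH URL ({kind}): "
                        "deploy keys and agent forwarding do not apply")
    if repo in template_repos:
        findings.append("repo is still the template default, not your project")
    ssh_user = parse_inventory_vars(inventory_line).get("ansible_ssh_user")
    if ssh_user and ssh_user != web_user:
        # Per the thread, the deploy play runs as web_user, not the SSH login user.
        findings.append(f"ssh user '{ssh_user}' != web_user '{web_user}': "
                        "a key in one account's ~/.ssh is not used by the other")
    return findings

if __name__ == "__main__":
    # Constructed sample values; TEMPLATE is a placeholder, not the real default.
    TEMPLATE = "git@example.com:template/placeholder.git"
    line = "ansible_ssh_private_key_file=~/.ssh/id_rsa ansible_ssh_user=deploy"
    for finding in preflight(line, TEMPLATE, "web", template_repos=[TEMPLATE]):
        print("WARN:", finding)
```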

fullyint,
Thank you so much for taking your time to help me.
After looking at your link I noticed where my oversight was.

I had left the default bedrock git repo in my env config file instead of placing my own in there.
I was afraid it would turn out to be a silly mistake before posting. But thank you because who knows how long I may have been looking before spotting it. Thanks again.

I can now clone, now I have to tackle a directory creation permission. :smile:

You rock brother.

2 Likes

@rekast glad you got it working. And thanks for posting back – it definitely satisfies curiosity, but also helps me/others get smarter.

1 Like