Here’s the way I think about Trellis/Ansible’s process of cloning the repo on deploy.
The final section of the ssh keys docs mentions this:
All the SSH connections discussed above apply to Trellis connecting from your local machine to your server. It is a different type of connection, however, when Trellis clones a remote private repo during deployment. In this case, your remote server is allowed to forward your local machine’s SSH credentials to the remote repo to authorize the connection.
It could state more explicitly that this means that the list of users (and their keys) is actually irrelevant. Similarly, any keys present or absent on your remote are also irrelevant to your issue of failed connection to the repo.
You could think of it as an authentication of your local machine to your git repo. Your remote server just happens to be in the middle, forwarding the authentication credentials from your local machine to the git repo. (I get it though, that you could think of it as the remote connecting to the git host, but asking your local machine “can we just use your ssh key/credentials?”)
The required ssh credentials are managed by your local ssh-agent, so the whole thing is called ssh-agent forwarding. The process relies on the 1) correct keys being used (on local and git host) and 2) the ssh-agent forwarding being set up correctly.
Keys
Local machine has private key. Git repo has public key. Keys are really a pair.
Be sure your private key and public key are really a pair. Run ssh-keygen -y on local machine then enter in the absolute path to private key file. This prints the corresponding public key to the log. Ensure that the printed public key is among the keys loaded into the repo (e.g., this key displays at https://github.com/user_who_owns_target_repo.keys).
Key is being handled by ssh-agent.
Because you are a Mac user, add your private key to your keychain by running
ssh-add -K ~/.ssh/id_rsa
Note the -K that is here, but was not in this command as it appeared earlier in the thread.
And yes, run ssh-add -L on local machine to verify that the public key that prints out is the one loaded on your git host (e.g., GitHub or Bitbucket).
SSH-agent forwarding
Local machine allows forwarding.
Make sure your version of Trellis has ansible.cfg (in Trellis project root) and that it includes ssh_args = -o ForwardAgent=yes. This instructs Ansible to allow your local ssh-agent credentials to be forwarded through the remote and on to the git host.
Note that if you test ssh-agent forwarding by running
ssh web@example.com 'ssh -T git@github.com'
this command won’t see the ForwardAgent setting in your ansible.cfg so it will fail unless you add this to your ~/.ssh/config:
# this host is your remote, not the host of your git repo
Host example.com
ForwardAgent yes
Remote machine allows forwarding.
The remote must also be set up to allow ssh-agent forwarding. This is enabled by default on a bare Ubuntu install you would get from DigitalOcean. If your remote is not running Ubuntu, or is with a VPS provider that might adjust sshd default settings, let us know.
Try running this on your local machine to output the sshd configs:
ssh root@example.com 'less /etc/ssh/sshd_config'
Do you see a setting for AllowAgentForwarding? If not, the default is yes so you should be ok.
Get more debug info
If the problem/solution doesn’t surface as you work through the notes above, please share more verbose log output from the failed command. You could comment out no_log: true so no info is suppressed and rerun the deploy with -vvvv:
ansible-playbook deploy.yml -e "env=production site=example.com" -vvvv
You might also work through each step here (some steps you’ve covered already). One challenge is that Ansible introduces another variable to the equation.
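The two config checks the post describes (AllowAgentForwarding in the remote's sshd_config, and ForwardAgent for the remote host in your local ~/.ssh/config), as an added example that is not part of the original thread or of Trellis. It applies OpenSSH's rule that the first value obtained for a keyword wins, run here against constructed sample files; it assumes POSIX sh and awk, and handles only exact and "*"-suffix Host patterns.

```shell
#!/bin/sh
# Added example, not code from the Roots thread or from Trellis.

# Effective global AllowAgentForwarding of an sshd_config file (keyword value form).
# sshd uses the first value it reads; the default is "yes" when absent. Directives
# after a Match line are conditional, so the global section ends there.
sshd_agent_forwarding() {
  awk '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }        # skip comments and blank lines
    tolower($1) == "match" { exit }                       # conditional section starts
    tolower($1) == "allowagentforwarding" { print tolower($2); found = 1; exit }
    END { if (!found) print "yes" }                       # sshd default
  ' "$1"
}

# Effective ForwardAgent that ssh would use for HOST ($2) from an ssh_config file ($1).
# Lines before any Host block are global; each Host block applies when a pattern
# matches; the first value obtained wins; the default is "no".
ssh_forward_agent() {
  awk -v host="$2" '
    function matches(pat) {                               # "*", exact name, or "*suffix"
      if (pat == "*") return 1
      if (index(pat, "*") == 0) return pat == host
      if (substr(pat, 1, 1) == "*")
        return substr(host, length(host) - length(pat) + 2) == substr(pat, 2)
      return 0                                            # other wildcard forms unsupported
    }
    BEGIN { active = 1 }                                  # global section applies to all hosts
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    tolower($1) == "match" { active = 0; next }           # Match blocks are not evaluated here
    tolower($1) == "host" {
      active = 0
      for (i = 2; i <= NF; i++) if (matches($i)) active = 1
      next
    }
    active && tolower($1) == "forwardagent" && !found { print tolower($2); found = 1 }
    END { if (!found) print "no" }                        # ssh default
  ' "$1"
}

# Constructed sample files, mirroring the thread's ~/.ssh/config snippet.
demo_dir=$(mktemp -d)
printf 'Port 22\n# AllowAgentForwarding no\n' > "$demo_dir/sshd_config"
printf '# this host is your remote, not the host of your git repo\nHost example.com\n  ForwardAgent yes\n' > "$demo_dir/config"
echo "remote sshd AllowAgentForwarding: $(sshd_agent_forwarding "$demo_dir/sshd_config")"
echo "local ForwardAgent for example.com: $(ssh_forward_agent "$demo_dir/config" example.com)"
echo "local ForwardAgent for github.com:  $(ssh_forward_agent "$demo_dir/config" github.com)"
rm -rf "$demo_dir"
```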