I added a .gitlab-ci.yml to my private project. One of the steps is to fetch a role from a private GitLab repo. However, this fails:
/usr/bin/git clone ssh://git@gitlab.com/papanito/ansible-role-bootstrap.git
papanito.bootstrap failed in directory /root/.ansible/tmp/ansible-
local-1036kia7b4eu/tmpjcyiks12 (rc=128)
ERROR! - you can use --ignore-errors to skip failed roles and finish processing the list.
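ERROR: Job failed: exit code 1
Running the same command ansible-galaxy install -r requirements.yml on my machine works fine.
Before running the command, I add a private key for the CI user. So I don't know what else I'm missing.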
.gitlab-ci.yml
variables:
  SITE: "site.yml"
  PLAYBOOKS: "playbooks/*.yml"
stages:
  - verify
before_script:
  - whoami
  - apt-get update -qy #update system
  - mkdir ~/.ssh
  - chmod 700 ~/.ssh
  - echo $SSHKEY_GITLAB > ~/.ssh/id_rsa # https://docs.gitlab.com/ee/ci/ssh_keys
  - chmod 640 ~/.ssh/id_rsa
  - apt-get install ansible ansible-lint -qy
  - git submodule update --init
  - ansible --version
  - ansible-lint --version
  - git config -l
  - ansible-galaxy install -r requirements.yml
ansible-verify:
  stage: verify
  script:
    - ansible-lint -v $SITE
    - ansible-lint -v $PLAYBOOKS
    - ansible-playbook --syntax-check $SITE
    - ansible-playbook --syntax-check $PLAYBOOKS
requirements.yml
- src: geerlingguy.docker
- src: dev-sec.ssh-hardening
- src: m4rcu5nl.zerotier-one
# own roles
- src: https://git@github.com/papanito/ansible-role-rsyslog.git
  name: papanito.rsyslog
  scm: git
  version: master
- src: git+ssh://git@gitlab.com/papanito/ansible-role-bootstrap.git
  name: papanito.bootstrap
  scm: git
  version: master
Log
$ ansible-galaxy install -r requirements.yml
- downloading role 'docker', owned by geerlingguy
- downloading role from https://github.com/geerlingguy/ansible-role-docker/archive/2.8.1.tar.gz
- extracting geerlingguy.docker to /root/.ansible/roles/geerlingguy.docker
- geerlingguy.docker (2.8.1) was installed successfully
- downloading role 'ssh-hardening', owned by dev-sec
- downloading role from https://github.com/dev-sec/ansible-ssh-hardening/archive/9.3.0.tar.gz
- extracting dev-sec.ssh-hardening to /root/.ansible/roles/dev-sec.ssh-hardening
- dev-sec.ssh-hardening (9.3.0) was installed successfully
- downloading role 'zerotier-one', owned by m4rcu5nl
- downloading role from https://github.com/m4rcu5nl/ansible-role-zerotier/archive/v1.2.3.tar.gz
- extracting m4rcu5nl.zerotier-one to /root/.ansible/roles/m4rcu5nl.zerotier-one
- m4rcu5nl.zerotier-one (v1.2.3) was installed successfully
- extracting papanito.rsyslog to /root/.ansible/roles/papanito.rsyslog
- papanito.rsyslog (master) was installed successfully
[WARNING] Ansible is being run in a world writable directory (/builds/papanito/infrastructure), ignoring it as an ansible.cfg source. For more information see https://docs.ansible.com/ansible/devel/reference_appendices/config.html#cfg-in-world-writable-dir
[WARNING]: - papanito.bootstrap was NOT installed successfully: - command
/usr/bin/git clone ssh://git@gitlab.com/papanito/ansible-role-bootstrap.git
papanito.bootstrap failed in directory /root/.ansible/tmp/ansible-
local-1036kia7b4eu/tmpjcyiks12 (rc=128)
ERROR! - you can use --ignore-errors to skip failed roles and finish processing the list.
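ERROR: Job failed: exit code 1
Posted on 2020-07-20 05:32:17
Running the same command ansible-galaxy install -r requirements.yml on my machine works fine.
That means your machine has the right ~/.ssh/id_rsa public/private key, and that you are executing it locally with your account.
If you are copying it in a GitLab step, make sure to check the permissions, and possibly the passphrase and known_hosts, as in here or in the documentation.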
# Paste the PRIVATE key into a gitlab variable. Pay attention to the linebreak at the end when pasting
- mkdir -p ~/.ssh
- chmod 700 ~/.ssh
- echo "$DEPLOY_SERVER_PRIVATE_KEY" | tr -d '\r' > ~/.ssh/id_rsa
- chmod 600 ~/.ssh/id_rsa
- eval "$(ssh-agent -s)"
- ssh-add ~/.ssh/id_rsa
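- ssh-keyscan -H 'your.server.hostname' >> ~/.ssh/known_hosts
Posted on 2021-05-23 00:26:06
I tried to use the more secure SSH forwarding instead of copying the private key onto the machine, but found that ansible does not work with it and relies only on the ~/.ssh/id_rsa key.
Here is my updated version of @VonC's answer: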
- mkdir -p ~/.ssh
- chmod 700 ~/.ssh
- echo "$DEPLOY_SERVER_PRIVATE_KEY" | tr -d '\r' > ~/.ssh/id_rsa
- chmod 600 ~/.ssh/id_rsa
- ssh-keyscan -H 'your.server.hostname' >> ~/.ssh/known_hosts
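- ssh -T git@gitlab.com
It has the ssh-agent and ssh-add commands removed, and adds a standard git authentication check for easier monitoring. They are only needed when several private keys are added for different git servers.
If it is not needed for operation, it is best to delete the private key in a final deployment step.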
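An added example, not part of the question or of either answer: a pre-flight check for the key file a job writes from a CI variable, covering the two problems visible in the question's before_script (the unquoted `echo $SSHKEY_GITLAB`, and mode 640, which OpenSSH rejects for private keys). The function names and `SAMPLE_KEY` are hypothetical, and the key body is a constructed placeholder.

```shell
# Constructed placeholder, NOT a real key: only the BEGIN/END framing matters here.
SAMPLE_KEY='-----BEGIN OPENSSH PRIVATE KEY-----
PLACEHOLDERPLACEHOLDERPLACEHOLDER
-----END OPENSSH PRIVATE KEY-----'

# The question's form: the unquoted expansion is word-split by the shell,
# so echo joins the pieces with spaces and the key lands on a single line.
write_unquoted() {
    echo $1 > "$2"
}

# check_key_file FILE: 0 = plausible, 2 = line structure lost, 3 = mode too open.
check_key_file() {
    f=$1
    lines=$(( $(wc -l < "$f") ))
    case "$(head -n 1 "$f")" in "-----BEGIN "*) ;; *) lines=0 ;; esac
    case "$(tail -n 1 "$f")" in "-----END "*) ;; *) lines=0 ;; esac
    if [ "$lines" -lt 3 ]; then
        echo "$f: not a multi-line BEGIN/END block (line breaks lost?)" >&2
        return 2
    fi
    # OpenSSH refuses private keys that group or others can access.
    mode=$(ls -ld "$f" | cut -c1-10)
    case $mode in
        -r[w-]-------) ;;
        *) echo "$f: mode $mode is too open, expected -rw-------" >&2; return 3 ;;
    esac
}

# install_ci_key VALUE DEST: quoted write, CRs stripped, never group/world readable.
install_ci_key() {
    dir=$(dirname "$2")
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    ( umask 077; printf '%s\n' "$1" | tr -d '\r' > "$2" ) || return 1
    check_key_file "$2"
}

# Demo on a throwaway directory.
demo=$(mktemp -d)
write_unquoted "$SAMPLE_KEY" "$demo/flat" && check_key_file "$demo/flat" || echo "unquoted write rejected"
install_ci_key "$SAMPLE_KEY" "$demo/.ssh/id_rsa" && echo "quoted write accepted"
rm -rf "$demo"
```

In a job, `check_key_file ~/.ssh/id_rsa` placed before `ssh -T git@gitlab.com` separates a mangled key file from an authentication failure on the server side.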
https://stackoverflow.com/questions/62967790