Chef deploy_resource private repo, ssh deploy keys and ssh_wrapper

忘掉有多难 2021-02-04 17:26

I'm having loads of trouble getting my Chef recipe to clone a private repo. Well, I had it working yesterday but after 'cheffin' my Vagrant box half a dozen times, I've brok

2 answers
  • 2021-02-04 17:43

    Your question doesn't have a link to the deploy_resource source, so I can't be sure if this will apply, but if it uses a git resource underneath, the following might be helpful...

    As described in this answer to a similar question, you can avoid creating extra script files to go with each SSH key by adding the SSH command as an "external transport" part of the repository URL:

    git "/path/to/destination" do
      repository "ext::ssh -i /path/to/.ssh/deployment_key -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no git@github.com %S /my_name/some_repo.git"
      branch "master"
      ...
    end
    
  • 2021-02-04 17:52

    It took a good couple of days to figure this out properly.

    Just to clarify, this is what I did to fix it. I do not know if it's correct, but it works for me.

    • Generate a set of public and private keys following this tutorial.

    • Add the public key to the Github repo that you want to clone.

    • Create a template in my default recipe which includes both the public and private keys. See below.

    • Created the relevant templates for the pub and private keys.

    • Created the chef_ssh_deploy_wrapper.sh.erb file (see below)

    • Created a deploy.rb recipe (see below)

    • Uploaded and added the recipes to my role. Ran chef-client.

    • Hey presto! Sit back with a beer and watch your repo smartly cloned into your dir.

    The templates are as follows:

    Create the directories and templates:

    template "/tmp/.ssh/chef_ssh_deploy_wrapper.sh" do
      source "chef_ssh_deploy_wrapper.sh.erb"
      owner node[:base][:username]
      mode 0770
    end
    
    template "/home/#{node[:base][:username]}/.ssh/id_rsa.pub" do
      source "id_rsa.pub.erb"
      owner node[:base][:username]
      mode 0600
    end
    
    template "/home/#{node[:base][:username]}/.ssh/id_rsa" do
      source "id_rsa.erb"
      owner node[:base][:username]
      mode 0600
    end
    

    Create an ssh wrapper chef_ssh_deploy_wrapper.erb

    #!/bin/sh
    # ERB template: the username is rendered by Chef with <%= %>, not Ruby "#{}" (which would be left as literal text in the script)
    exec ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i "/home/<%= node[:base][:username] %>/.ssh/id_rsa" "$@"
    

    (Make sure you use the private key here or it will fail)

    Finally the deploy.rb recipe:

    deploy_branch node[:my_app][:deploy_to] do
      repo              node[:base][:repository]
      ssh_wrapper       "/tmp/.ssh/chef_ssh_deploy_wrapper.sh"
      branch            "rails4"
      user               node[:base][:username]
      group              node[:base][:username]
      rollback_on_error  true
      migrate            false
      environment        "RAILS_ENV" => node[:my_app][:environment] 
      purge_before_symlink %w{conf data log tmp public/system public/assets}
      create_dirs_before_symlink []
      symlinks(                        
        "config"   => "config",        
        "data"   => "data",            
        "log"    => "log",             
        "tmp"    => "tmp",             
        "system" => "public/system",  
        "assets" => "public/assets"  
      )
      scm_provider Chef::Provider::Git # is the default, for svn: Chef::Provider::Subversion
      before_restart do
        system("su #{node[:base][:username]} -c 'cd #{node[:my_app][:deploy_to]}/current && /usr/bin/bundle install'") or raise "bundle install failed"
        system("su #{node[:base][:username]} -c 'RAILS_ENV=production /usr/local/bin/rake assets:precompile'")
      end
      notifies :restart, "service[my_app]"
      notifies :restart, "service[nginx]"
    end
    

    The before restart has since been replaced as we were initially compiling ruby from source but decided to use rvm in the end. Much easier for multi-user installations.

    NB: I'm deploying as a sudo user; if you're doing so as root (avoid this), use the /root/.ssh path instead.

    I took much inspiration from this article.

    Good luck, I hope this helps someone.

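The wrapper in the answer above switches host-key verification off (UserKnownHostsFile=/dev/null plus StrictHostKeyChecking=no), so the deploy key is offered to whatever host answers as git@github.com. As an added example (not from the answer, and not Chef's own code), here is a hardened version of that wrapper together with a check that the deploy key and known_hosts file are in the state the wrapper needs; the key contents and known_hosts line are constructed placeholders.

```ruby
require "tmpdir"

# Hardened counterpart of chef_ssh_deploy_wrapper.sh: ssh is pinned to a known_hosts
# file that carries the Git host's key, and only the deploy key is offered.
def ssh_wrapper_script(key_path, known_hosts_path)
  <<~SH
    #!/bin/sh
    exec ssh -o UserKnownHostsFile=#{known_hosts_path} \\
             -o StrictHostKeyChecking=yes \\
             -o IdentitiesOnly=yes \\
             -i #{key_path} "$@"
  SH
end

# Returns a list of problems; empty means the key and host pin are usable.
# Checks: key exists, is owned by the running uid, has mode exactly 0600
# (ssh rejects group/world-readable keys), and known_hosts names the host.
# Hashed known_hosts entries (|1|...) are not matched by this plain-text check.
def deploy_key_problems(key_path, known_hosts_path, host)
  problems = []
  st = (File.stat(key_path) rescue nil)
  if st.nil? || !st.file?
    problems << "private key missing: #{key_path}"
  else
    mode = st.mode & 0o777
    problems << "key mode is #{format('%04o', mode)}, expected 0600" unless mode == 0o600
    problems << "key not owned by uid #{Process.uid}" unless st.uid == Process.uid
  end
  pinned = File.exist?(known_hosts_path) && File.readlines(known_hosts_path).any? do |line|
    line.split(/\s+/).first.to_s.split(",").include?(host)
  end
  problems << "no known_hosts entry for #{host} in #{known_hosts_path}" unless pinned
  problems
end

# Constructed demo in a temp dir: first with a correctly protected key, then after
# loosening it to 0644. Returns both problem lists.
def demo
  Dir.mktmpdir do |dir|
    key = File.join(dir, "deploy_key")
    kh  = File.join(dir, "known_hosts")
    File.write(key, "-----BEGIN OPENSSH PRIVATE KEY-----\n(constructed placeholder)\n")
    File.chmod(0o600, key)
    # Placeholder line; a real deployment pins the line obtained out of band for the host.
    File.write(kh, "github.com ssh-ed25519 AAAA-constructed-placeholder\n")
    good = deploy_key_problems(key, kh, "github.com")
    File.chmod(0o644, key)
    [good, deploy_key_problems(key, kh, "github.com")]
  end
end
```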