When I try to clone a repository from Bitbucket with Ansible, it seems like the task 'hangs'.
In the documentation I have found some information, but I'm not using SSH.
If the task seems to be hanging, first verify the remote host is in known_hosts. SSH will prompt the user to authorize the first contact with a remote host. One solution is to add StrictHostKeyChecking no in .ssh/config, which will accept and authorize the connection on behalf of the user. However, if you run as a different user (such as setting sudo to True), for example root, that user will not look at the user's .ssh/config setting.
These are the two Playbooks I've tried. They both 'hang'.
Playbook #1
- hosts: staging_mysql
  user: ec2-user
  sudo: yes
  vars_files:
    - vars/mercurial.yml
  tasks:
    - name: Mercurial credentials setup
      action: template src=templates/hgrc.j2 dest=/home/ec2-user/.hgrc
    - name: Install Mercurial
      action: yum name=hg
    - name: Setup API repository
      action: command hg clone https://bbusername@bitbucket.org/username/my-repo -r default --debug
Playbook #2
- hosts: staging_mysql
  user: ec2-user
  sudo: yes
  vars_files:
    - vars/mercurial.yml
  tasks:
    - name: Mercurial credentials setup
      action: template src=templates/hgrc.j2 dest=/home/ec2-user/.hgrc
    - name: Install Mercurial
      action: yum name=hg
    - name: Clone API repo
      hg: dest=/home/ec2-user repo=https://bbusername@bitbucket.org/username/my-repo
Any help is welcome. Thanks in advance!
I found a better answer for those who want to clone a private repository. Bitbucket has a feature called "Deployment keys". Log in to your project, go to "Settings" and "Deployment Keys". "Add key" and then provide this key within your project deployment process, before hg:
- file: dest=/var/www/someuser/.ssh/config state=touch mode=600
- lineinfile: dest=/var/www/someuser/.ssh/config
              line="Host bitbucket.org"
              state=present
- copy: src=someuser.key dest=/var/www/someuser/.ssh/id_rsa mode=0600
- copy: src=someuser.key.pub dest=/var/www/someuser/.ssh/id_rsa.pub mode=0600
- lineinfile: dest=/var/www/someuser/.ssh/config
              line="IdentityFile ~/.ssh/id_rsa"
- lineinfile: dest=/var/www/someuser/.ssh/config
              line="    StrictHostKeyChecking no"
              insertafter="Host bitbucket.org"
              state=present
- name: install site code
  hg: repo='ssh://hg@bitbucket.org/somecode'
      dest=someuser
      revision=stable
  tags: someuser_code
I think it is easier to access BitBucket using the HTTPS protocol rather than SSH. If you are using private repositories in BitBucket, you should also use Ansible to create (or copy) a $HOME/.hgrc on your server.
Here is the content of the .hgrc file:
[auth]
bb.prefix = https://bitbucket.org/{{ user }}/
bb.username = {{ user }}
bb.password = {{ password }}
Two extra tips:
Now it isn't necessary to put bbusername@ in your BitBucket URLs.
Create another user in BB with access to your repositories and configure it as your user on the Ansible host. If someone breaches your site, they will be able to modify the repository, but won't be able to delete it. Since everything is version controlled, you will always be able to roll back the modifications.
This solution uses SSH (so that we can use an SSH deployment key instead of storing credentials for HTTPS) and pre-populates ~/.ssh/known_hosts with the relevant entries so that hg doesn't hang on the prompt to accept the host key. This should also work whether or not you use sudo, as long as you populate the correct user's known_hosts file.
# copy the deploy key to ~/.ssh/id_rsa of the ansible user - we use copy here to
# simplify things but really you should use ansible vault or something similar
- name: copy deploy key
  copy: src=id_rsa_deploy dest=/home/{{ ansible_ssh_user }}/.ssh/id_rsa
        owner={{ ansible_ssh_user }} group={{ ansible_ssh_user }} mode=0600

- name: add bitbucket to deploy user's ~/.ssh/known_hosts
  lineinfile: dest=/home/{{ ansible_ssh_user }}/.ssh/known_hosts line="bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw=="

- name: 2 add bitbucket to deploy user's ~/.ssh/known_hosts
  lineinfile: dest=/home/{{ ansible_ssh_user }}/.ssh/known_hosts line="|1|w3ouhSzx3veHkFkoo/0KlzmLWiY=|dyifJ0YlWhJOElkc09kd5ZP2i6c= ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw=="

- name: 3 add bitbucket to deploy user's ~/.ssh/known_hosts
  lineinfile: dest=/home/{{ ansible_ssh_user }}/.ssh/known_hosts line="|1|/an77APTih6pDOBpi0GcQ8b5uno=|VOep3g6ll+3Xd8WdUQ/1BqtiF1A= ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw=="

- name: copy repo
  hg: repo={{ project.repo }} dest={{ project.local_repo }}
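The two answers above pull in different directions: the deploy-key answer switches off host key verification with StrictHostKeyChecking no, which leaves the clone open to a man-in-the-middle substituting a different server, while the known_hosts answer keeps verification but pastes a key blob copied from somewhere. The following tasks are an added example, not code from either answer or from the original question. They combine the two ideas with the original poster's own finding that the hang came from running as root via sudo: the key, the known_hosts file and the clone all belong to one explicit user. The variable names deploy_user, bitbucket_deploy_key and bitbucket_host_key are assumptions; bitbucket_host_key should hold the host key as published on Bitbucket's own documentation, checked at the time you write the playbook (host keys do get rotated, so a blob from an old forum post is not a trustworthy source), and bitbucket_deploy_key is meant to live in Ansible Vault.

```yaml
# Added example, not from the original thread. Assumes the variables
# deploy_user, bitbucket_deploy_key (vaulted private key) and
# bitbucket_host_key ("ssh-rsa AAAA..." as published by Bitbucket).
- name: Ensure the deploy user's ~/.ssh exists with safe permissions
  ansible.builtin.file:
    path: "/home/{{ deploy_user }}/.ssh"
    state: directory
    owner: "{{ deploy_user }}"
    group: "{{ deploy_user }}"
    mode: "0700"

- name: Install the deployment private key from a vaulted variable
  ansible.builtin.copy:
    content: "{{ bitbucket_deploy_key }}"
    dest: "/home/{{ deploy_user }}/.ssh/id_rsa"
    owner: "{{ deploy_user }}"
    group: "{{ deploy_user }}"
    mode: "0600"
  no_log: true   # keep the key material out of the Ansible output

- name: Pin the bitbucket.org host key instead of disabling StrictHostKeyChecking
  ansible.builtin.known_hosts:
    path: "/home/{{ deploy_user }}/.ssh/known_hosts"
    name: bitbucket.org
    key: "bitbucket.org {{ bitbucket_host_key }}"
    state: present

- name: Clone the repository as the deploy user, not as root
  ansible.builtin.hg:
    repo: ssh://hg@bitbucket.org/username/my-repo
    dest: "/home/{{ deploy_user }}/my-repo"
    revision: default
  become: true
  become_user: "{{ deploy_user }}"
```

The known_hosts module writes the entry once and reports no change on later runs, so it is safe to re-run; the clone task uses become_user so that hg runs under the same account whose ~/.ssh was just populated, which is exactly the mismatch the original poster hit with sudo: yes. If the clone still hangs, run ssh -T hg@bitbucket.org as that user on the box; a prompt there means the known_hosts entry does not match what the server presents, which is what pinning is supposed to catch.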
How are you actually accessing the hg repository? Try leaving off the last task in your playbook and then logging in and manually trying the hg clone and see what happens. I suspect it is indeed prompting for a password.
I've managed to solve the problem. The Mercurial task 'hangs' when logging in as sudo user.
After removing the line sudo: yes from both Playbooks, everything works as expected.
Working Playbook
- hosts: staging_mysql
  user: ec2-user
  vars_files:
    - vars/mercurial.yml
  tasks:
    - name: Mercurial credentials setup
      action: template src=templates/hgrc.j2 dest=/home/ec2-user/.hgrc
    - name: Install Mercurial
      action: yum name=hg
    - name: Clone API repo
      hg: dest=/home/ec2-user repo=https://bbusername@bitbucket.org/username/my-repo
Related
When I run skaffold in a github workflow like this
skaffold build
it calls the gradle jib correctly, creates an image and pushes it to the ghcr successfully. Gradle finishes successfully as can be seen in the log. Nevertheless, something happens afterwards that fails. It seems someone tries to access the just built image but is not authorized. This does not happen if I execute it locally. And it does not fail in the github workflow if I call gradlew jib directly without skaffold being involved.
Built and pushed image as ghcr.io/tobias-neubert/motd-service:453f4c4-dirty
BUILD SUCCESSFUL in 11s
4 actionable tasks: 4 executed
time="2023-02-15T12:07:09Z" level=error msg="No matching credentials were found for \"ghcr.io\""
time="2023-02-15T12:07:09Z" level=error msg="No matching credentials were found for \"ghcr.io\""
getting image: GET https://ghcr.io/token?scope=repository%3Atobias-neubert%2Fmotd-service%3Apull&service=ghcr.io: UNAUTHORIZED: authentication required
Error: Process completed with exit code 1.
The github workflow:
name: Build and push motd-service
on:
  push:
permissions:
  packages: write
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Code
        uses: actions/checkout@v3
      - name: Set up Java
        uses: actions/setup-java@v2
        with:
          java-version: 17
          distribution: temurin
      - name: Setup Gradle
        uses: gradle/gradle-build-action@v2
      - name: Make gradlew executable
        run: chmod +x ./gradlew
      - name: Install skaffold
        run: |
          curl -Lo skaffold https://storage.googleapis.com/skaffold/releases/latest/skaffold-linux-amd64 && \
          sudo install skaffold /usr/local/bin/
      - name: Deactivate collecting skaffold metrics
        run: skaffold config set --global collect-metrics false
      - name: Build the motd image
        env:
          GH_PASSWORD: '${{ secrets.GITHUB_TOKEN }}'
        run: skaffold build
Does anybody know what happens here?
It tries to fetch the digest of the new image, which it needs to render the k8s resources. Pushing the image was done by gradle. The jib plugin is configured to use environment variables for authenticating against ghcr.io. But skaffold does not know about those. So it fails to authenticate. A docker login does the trick, although it is not safe in CI. So now I have to search for a better way to tell skaffold to authenticate against the registry.
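The self-answer above identifies the cause (jib reads its credentials from environment variables, skaffold reads the Docker credential store) and rejects an interactive docker login. The step below is an added example, not part of the original workflow, showing the usual way to give skaffold the same credential without writing a long-lived secret anywhere: the docker/login-action writes the job-scoped GITHUB_TOKEN into the runner's Docker config, which is the store skaffold consults when it fetches the image digest. It assumes the job already declares permissions: packages: write, as the posted workflow does, and that the image lives under the same GitHub account or organisation that runs the workflow.

```yaml
# Added example, not from the original workflow. Goes before the
# "Build the motd image" step; assumes `permissions: packages: write`
# is already set at the workflow or job level.
      - name: Log in to ghcr.io with the job-scoped GITHUB_TOKEN
        uses: docker/login-action@v2
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
```

GITHUB_TOKEN is minted per job and invalidated when the job ends, which is what makes this preferable to echoing a personal access token into docker login: nothing reusable is left on the runner, and the token's registry permissions are bounded by the permissions: block rather than by a user account. If jib is also meant to push with this token, point its environment variables at the same secret so that both tools present the same identity.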
Hello Github actions community :)
I have a workflow in github actions that I don't quite understand why it is not working.
I am currently using git-secrets to encrypt my credentials and I am trying to decrypt them in the GitHub Actions workflow.
This is the code block that I execute when I want to decrypt the files:
- name: Reveal data
  run: |
    echo
    echo 'Before decrypt'
    ls -ls
    git secret reveal -p ${{ secrets.PASSPHRASE }} -f
    echo 'After decrypt'
    ls -ls
    git secret whoknows
Before decrypt
total 4
4 -rw-r--r-- 1 runner docker 630 Jul 18 09:39 secrets.md.secret
done. all 1 files are revealed.
After decrypt
total 4
4 -rw-r--r-- 1 runner docker 630 Jul 18 09:39 secrets.md.secret
testing@testing.com
According to GitHub Actions this works, because as you can see it returns 'done. all 1 files are revealed.'. However, as you can see below, no new file is being generated.
Locally it works and I get the decrypted file by running the same command.
How to reproduce it locally:
Install git-secrets
Create a GPG key (gpg --full-generate-key)
Run 'git secret tell email-used-in-the-gpg'
Run 'git secret add filename'
Run 'git secret hide' to encrypt the file
Run 'rm filename'
Run 'git secret reveal' and pass the password. This will create the decrypted file
How to reproduce it in GitHub Actions:
Create a new workflow
Paste this step:
- name: Reveal
  run: |
    git secret reveal -p ${{ secrets.PASSPHRASE }}
Does anyone have any idea what this is about? Does GitHub Workflows not allow file creation maybe?
Thank you very much in advance and best regards!
I am using kubernetes with helm 3.
I need to create a kubernetes pod with sql - creating:
database name: my_database
user: root
password:12345
port: 3306
The steps:
creating chart by:
helm create test
after the chart is created, change the Chart.yaml file in the test folder by adding a dependencies section.
apiVersion: v2
name: test3
description: A Helm chart for Kubernetes
version: 0.1.0
appVersion: "1.16.0"
dependencies:
  - name: mysql
    version: 8.8.23
    repository: "https://charts.bitnami.com/bitnami"
run:
helm dependencies build test
After that there is a compressed tgz file.
So I extracted it and there is a tar file - I extracted it too, and left only the final extracted folder.
I presume this isn't the best approach to changing parameters in the yaml for bitnami,
and also using the security.yaml - I would like to know the better approach too.
I need to change the user + password, and link to the database,
so I changed the values.yaml directly (any better approach?), for the values auth:rootPassword and auth:my_database.
The other following steps:
helm dependency build test
helm install test ./test --namespace test --create-namespace
after that there are two pods created.
I could check it by:
kubectl get pods -n test
and I see two pods running (maybe replication).
one of the pods: test-mysql-0 (the other has a random suffix).
run:
kubectl exec --stdin --tty test-mysql-0 --namespace test-mysql -- /bin/sh
did enter the pod.
run:
mysql -uroot -p12345
and then:
show databases;
That showed all the databases, including the created database my_database, successfully.
When I tried opening the mysql database from 'MySQL Workbench' and tested (same user root, password, port 3306 and localhost), I couldn't run the test (the test connection button in database properties returns 'failed to connect to database').
Why can't I connect properly from 'MySQL Workbench', while in the pod itself there is no particular problem?
Is there any better approach than extracting the tgz file as I described above, and can I pass the user+password in a better way (some secured yaml)?
(Right now it is only the root password)
Thanks.
It sounds like you're trying to set the parameters in the dependent chart (please correct me if I'm wrong).
If this is right, all you need to do is add another section in your chart's values.yaml
name-of-dependency:
  user-name: ABC
  password: abcdef
the "name-of-dependency" is specified in your Chart.yaml file when you declare your chart. For example, here's my redis dependency from one of my own charts
dependencies:
  - name: redis
    repository: https://charts.bitnami.com/bitnami/
    version: x.x.x
Then when I install the chart, I can override the redis chart's settings by doing this in my own chart's values.yaml
redis:
  architecture: standalone
  auth:
    password: "secret-password-here"
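Applied to the question's mysql dependency, the pattern in the answer above looks like the values.yaml below. This is an added example, not the answerer's chart: the subchart key is mysql because that is the dependency name in the question's Chart.yaml, the secret name mysql-credentials and the application user appuser are assumptions, and the auth.* and architecture keys are those of the Bitnami mysql chart. It also shows the answer to the "secured yaml" part of the question: instead of writing the root password into values.yaml (which ends up in git and in helm get values), point the chart at a pre-created Kubernetes Secret through auth.existingSecret, so no password is stored in the chart at all.

```yaml
# Added example (not from the original question or answer).
# values.yaml of the parent chart "test"; everything under "mysql:"
# overrides the Bitnami mysql subchart declared in Chart.yaml.
mysql:
  architecture: standalone        # one primary pod; no replicas
  auth:
    database: my_database         # created on first start
    username: appuser             # assumed non-root application user
    # Passwords come from a Secret, not from this file. The Bitnami chart
    # reads the keys mysql-root-password and mysql-password from it.
    existingSecret: mysql-credentials
```

Create the Secret before installing, for example with kubectl create secret generic mysql-credentials -n test --from-literal=mysql-root-password=... --from-literal=mysql-password=..., and then helm dependency build test followed by helm install test ./test -n test --create-namespace; there is no need to unpack the downloaded tgz, Helm reads the dependency straight from charts/. Two other points from the question: the second pod with the random suffix is the nginx Deployment that helm create scaffolds into templates/, not a MySQL replica, and MySQL Workbench on your workstation cannot reach the cluster-internal Service on localhost:3306 until you forward it, e.g. kubectl port-forward -n test svc/test-mysql 3306:3306.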
I have a github action that runs when a branch is merged into master. It should tag the repo with a version number that it obtains from setup.py, and then push the tag. It should then build the package and upload it to a package repository.
Progress so far: Building and uploading works, tagging does not
name: Deploy Library
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@master
      - name: Set up Python env
        uses: actions/setup-python@v1
        with:
          python-version: '3.6'
      - name: Install Deps
        run: |
          python -m pip install --upgrade pip
          pip install wheel
          pip install twine
      - name: Build
        run: |
          python setup.py build bdist_wheel
      - name: Tag
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          VERSION=*sed magic on setup.py*
          git tag v$VERSION
          git push origin v$VERSION
Everything works except for the git push at the end. The logs complain about the need for a username and password (I only have the GITHUB_TOKEN), and anyway, actions/checkout didn't complain...
I've checked the github actions page, and I can't find one relating to tagging.
The actions/checkout@v1 action leaves the git repository in a detached HEAD state. So in order to push back to the repository there are a few steps required.
Set git config for the user you want to be the commit author:
git config --global user.name 'My User'
git config --global user.email 'myuser@example.com'
Set the remote:
git remote set-url origin https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/username/repository
You may also need to checkout. You can extract the branch name from the GITHUB_REF:
git checkout "${GITHUB_REF:11}"
Related questions and answers:
Push to origin from GitHub action
Unable to commit and push back changes made by github action (invalid user)
How can we use bitbucket pipelines to update an asp.net core website on aws elastic beanstalk?
I know this is a late answer, but I did the same thing a few days ago, so here is an example of how I did it.
Firstly you have to enable Pipelines in Bitbucket and choose .NET Core.
In bitbucket-pipelines.yml you need to write something like this:
image: microsoft/dotnet:sdk
pipelines:
  branches:
    staging:
      - step:
          name: build publish prepare and zip
          caches:
            - dotnetcore
          script:
            - apt-get update && apt-get install --yes zip
            - export PROJECT_NAME=<your-project-name>
            - dotnet restore
            - dotnet build $PROJECT_NAME
            - dotnet publish --self-contained --runtime win-x64 --configuration Release
            - zip -j site.zip /opt/atlassian/pipelines/agent/build/<your-project-name>/bin/Release/netcoreapp2.0/win-x64/publish/* -x aws-windows-deployment-manifest.json
            - zip -r -j application.zip site.zip /opt/atlassian/pipelines/agent/build/<your-project-name>/bin/Release/netcoreapp2.0/win-x64/publish/aws-windows-deployment-manifest.json
          artifacts:
            - application.zip
      - step:
          name: upload to elasticbeanstalk
          script:
            - pipe: atlassian/aws-elasticbeanstalk-deploy:0.5.0
              variables:
                APPLICATION_NAME: '<application-name>'
                AWS_ACCESS_KEY_ID: $AWS_ACCESS_KEY_ID
                AWS_SECRET_ACCESS_KEY: $AWS_SECRET_ACCESS_KEY
                AWS_DEFAULT_REGION: $AWS_DEFAULT_REGION
                #COMMAND: 'upload-only'
                ZIP_FILE: 'application.zip'
                ENVIRONMENT_NAME: '<environment-name>'
                WAIT: 'true'
In Settings -> Pipelines -> Variables you have to set the AWS keys (access key, secret and region) that will be used via $ (e.g. $AWS_SECRET_ACCESS_KEY).
Additionally you will have to create the S3 bucket "-elsticbeanstalk-deployments" (if you don't create it, when the environment tries to upload your zip it will show you an error with the name of the bucket "not found", so just copy the name and create it in S3).