Deploying via a bastion server

Chaitanya Kuber

Oct 15, 2015, 12:51:47 AM
to Capistrano
Hi

I am working on automating deployment across a bunch of our repositories and have run into a roadblock with forward_agent in a bastion server setup. Our infrastructure is set up as follows:

We have a CI server which can connect to the internets.
After a build finishes successfully the deploy step is kicked off.
This attempts to ssh through the bastion server to the server(s) it is deploying to but fails. The pastie (http://pastie.org/10481797) shows the error.

We found this article: http://www.randomerrata.com/articles/2015/deploying-via-a-bastion-host-with-capistrano-3/ and have put that IF block in our deploy.rb
My staging.rb has http://pastie.org/10482088

Versions:
  • Ruby : 2.2.3
  • Capistrano: 3.4.0
Platform:
  • Working on a NodeJS App
  • Deploying to EC2 infrastructure
Logs:
Chaitanya

Lee Hambley

Oct 15, 2015, 2:13:13 AM
to Capistrano
Hi,

We do indeed have a moderation queue, as you may have noticed.

OK, checklist:

1. Agent forwarding is not magic sauce; you have to have an agent running, and your key added to it:

[localhost] $ ssh-add -L
[localhost] $ ssh-add ~/.ssh/path_to_my_key_here
[localhost] $ ssh-add -L

2. You can easily check what keys your remote agent has, and whether agent forwarding is working:

[localhost] $ ssh my-server
[my-server] $ env | grep AUTH
(empty)
[my-server] $ ssh-add -L
Could not open a connection to your authentication agent.
[localhost] $ ssh -o ForwardAgent=yes my-server
[my-server] $ env | grep AUTH
SSH_AUTH_SOCK=/tmp/ssh-pJ6xnUbsDn/agent.30023
[my-server] $ ssh-add -L
... snip: output should match that from step 1. ...

3. You can wrap those things from 2. up in a Capistrano task or two:

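namespace :agent_forwarding do
  # Shows SSH_AUTH_SOCK on each server if an agent socket was forwarded.
  task :env_auth do
    on roles(:all) do
      execute("env | grep AUTH")
    end
  end
  # Lists the public keys the agent visible on each server is holding.
  task :ssh_add do
    on roles(:all) do
      execute(:'ssh-add', '-L')
    end
  end
end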

Then simply call those from the command line:

[localhost] $ cap <myenv> agent_forwarding:env_auth
[localhost] $ cap <myenv> agent_forwarding:ssh_add

That should help, I'm sure.

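Added example, not part of the thread and not Capistrano's own code: a Ruby helper that classifies the output of the checks in steps 1 and 2 of the checklist above, comparing the keys listed by `ssh-add -L` locally and on the server. The function names, status symbols and sample key string are assumptions constructed for illustration.

```ruby
require 'set'

# Message ssh-add prints when it cannot reach an agent (quoted in step 2).
NO_AGENT = 'Could not open a connection to your authentication agent.'

# Parse `ssh-add -L` output into a set of "type base64blob" strings.
# The trailing comment is dropped because it is only a label for the key.
# Non-key lines such as "The agent has no identities." are ignored.
def agent_keys(ssh_add_output)
  ssh_add_output.each_line.map(&:strip).each_with_object(Set.new) do |line, keys|
    type, blob = line.split(/\s+/, 3)
    keys << "#{type} #{blob}" if blob && type =~ /\A(ssh-|ecdsa-|sk-)/
  end
end

# local_out:  `ssh-add -L` on the machine that starts the deploy (step 1)
# remote_env: `env | grep AUTH` on the server (step 2, may be empty)
# remote_out: `ssh-add -L` on the server (step 2)
def diagnose_forwarding(local_out, remote_env, remote_out)
  return :no_local_agent if local_out.include?(NO_AGENT)
  local = agent_keys(local_out)
  return :no_local_keys if local.empty?
  return :not_forwarded unless remote_env =~ /^SSH_AUTH_SOCK=\S+/
  return :remote_agent_unreachable if remote_out.include?(NO_AGENT)
  remote = agent_keys(remote_out)
  return :ok if local == remote
  # A socket exists but it serves other keys, e.g. an agent started on the server.
  (local & remote).empty? ? :different_agent : :partial_match
end

# Constructed sample session; the key blob is a placeholder, not a real key.
LOCAL_KEYS = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERPLACEHOLDER deploy@ci\n"
FORWARDED_ENV = "SSH_AUTH_SOCK=/tmp/ssh-pJ6xnUbsDn/agent.30023\n"

if __FILE__ == $PROGRAM_NAME
  # Plain `ssh my-server`: no socket variable, ssh-add cannot reach an agent.
  puts diagnose_forwarding(LOCAL_KEYS, '', NO_AGENT)
  # `ssh -o ForwardAgent=yes my-server`: socket present, same keys listed.
  puts diagnose_forwarding(LOCAL_KEYS, FORWARDED_ENV, LOCAL_KEYS)
end
```

The three inputs can be captured from the commands in steps 1 and 2, or from the output of the two `agent_forwarding` tasks in step 3.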