
SSH Agent Forwarding does not work out of the box during provisioning #221

holtkamp opened this issue Jun 10, 2015 · 3 comments

Related to #111

A typical use for a Phansible generated Vagrant + Ansible environment would be to use Composer to install dependencies of a PHP application based on the composer.lock file during provisioning. These dependencies might need the SSH keys of the host machine to be able to properly connect to GIT repositories like:

  • GitHub
  • BitBucket
  • private repositories

A great way to enable the use of SSH keys from the host machine is using SSH Agent Forwarding, which is already enabled by default in the generated Vagrantfile:

config.ssh.forward_agent = true

However! Due to hashicorp/vagrant#1303, this will NOT work out of the box during provisioning and some extra effort is needed to make this work. Also see http://www.phase2technology.com/blog/running-an-ssh-agent-with-vagrant

  • To not use SSH Agent Forwarding during provisioning: add this to Vagrantfile:

        config.vm.provision :shell do |shell|
            shell.inline = "touch $1 && chmod 0440 $1 && echo $2 > $1"
            shell.args = %q{/etc/sudoers.d/root_ssh_agent "Defaults env_keep += \"SSH_AUTH_SOCK\""}
        end

  • To allow SSH Agent Forwarding from the host machine to the Vagrant box, ensure the host machine has an SSH Agent running and a ~/.ssh/config file exists with the following content:

        host {{ipAddressOfVagrantBox}}
            ForwardAgent yes

        # Check to see if there's an SSH agent running with keys.
        `ssh-add -l`

        if not $?.success?
          puts 'Your SSH agent does not currently contain any keys, or is stopped.'
          puts 'Please start it and add your BitBucket SSH key to continue.'
          puts 'Use "ssh-add -l" to see your identities'
          puts 'Also see: http://www.phase2technology.com/blog/running-an-ssh-agent-with-vagrant'
          exit 1
        end

  • And finally, to actually allow a 'silent' installation of Composer dependencies, this might be useful to include (as comments?) in ansible/roles/app/tasks/main.yml:

        - name: Application | Add BitBucket host key to known hosts to allow GIT-based installations from this domain
          shell: ssh-keyscan -H bitbucket.org >> ~/.ssh/known_hosts
        - name: Application | Connect to BitBucket once before actually using Composer
          shell: ssh -T git@bitbucket.org
        - name: Application | Install dependencies
          shell: composer install --no-interaction --working-dir /vagrant

It took me a while to actually get a simple vagrant destroy -f && vagrant up working; I think this is useful for others.
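The same setup as an added example in POSIX sh (not code from the issue or from Phansible): it installs the sudoers drop-in that keeps SSH_AUTH_SOCK across sudo with the mode sudo insists on, verifies it, and classifies the host agent's state by ssh-add's exit code. The drop-in path and all function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the issue or Phansible. Paths and names are assumed.

# Install the sudoers drop-in that keeps SSH_AUTH_SOCK across sudo. Write a
# temp file first and rename it, so sudo never reads a half-written file.
# sudo ignores drop-ins writable by group/others, hence mode 0440.
write_ssh_agent_sudoers() {
    dropin="$1"                      # e.g. /etc/sudoers.d/root_ssh_agent
    tmp="$(mktemp "${dropin}.XXXXXX")" || return 1
    if printf 'Defaults env_keep += "SSH_AUTH_SOCK"\n' > "$tmp" &&
       chmod 0440 "$tmp" && mv -f "$tmp" "$dropin"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Verify the drop-in: regular file, mode exactly r--r-----, expected content.
sudoers_dropin_ok() {
    dropin="$1"
    [ -f "$dropin" ] || return 1
    [ "$(ls -l "$dropin" | cut -c1-10)" = "-r--r-----" ] || return 1
    grep -qx 'Defaults env_keep += "SSH_AUTH_SOCK"' "$dropin"
}

# Syntax-check the drop-in with visudo (run on the guest, as root).
validate_sudoers_dropin() {
    visudo -cf "$1" >/dev/null
}

# ssh-add -l exit codes: 0 = identities loaded, 1 = agent reachable but
# empty, 2 = no agent reachable. The issue's Ruby check lumps 1 and 2 together.
agent_state() {
    case "$1" in
        0) echo "keys-loaded" ;;
        1) echo "no-identities" ;;
        2) echo "no-agent" ;;
        *) echo "unknown" ;;
    esac
}

# Host-side check to run before `vagrant up`: prints the state and fails
# unless the agent holds at least one identity that can be forwarded.
check_host_agent() {
    ssh-add -l >/dev/null 2>&1
    state="$(agent_state "$?")"
    echo "$state"
    [ "$state" = "keys-loaded" ]
}
```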

debo (Member) commented Feb 16, 2016

@holtkamp I see where you are coming from; however, this sounds more like a phansible feature request to accommodate a specific custom behaviour rather than a common use case. Even if we add that setting you will still need to take action and create something project specific, as suggested by your last point, so it's probably better to leave this to the end user. As its main philosophy Phansible is trying to be a generic bootstrap point rather than a solve-all-the-things one; however, I'm open to discussing this further, especially if we can find a more flexible way.

holtkamp (Author) commented Mar 1, 2016

@debo

You write:

"this sounds more like a phansible feature request to accommodate a specific custom behaviour rather than a common use case"

Well yes, that is also what I was thinking of 😄

"I would suggest to make the config.ssh.forward_agent a configurable setting in the Phansible frontend"

I remember it took me hours to understand what was going wrong and why. Even a small note or a commented-out configuration option might help future users get up and running a bit quicker, hence the suggestion...

debo (Member) commented Mar 1, 2016

@holtkamp, which I'm more than happy to take into consideration. I will schedule some time to work on this too.
