Awx: Project: Clone Git repo over SHH fails on Submodules

Created on 7 Nov 2017 · 3Comments · Source: ansible/awx

ISSUE TYPE

Bug Report

COMPONENT NAME

API
- AWX-TASK Container

SUMMARY

When cloning a Git Repo over SSH which has submodules, the Submodules fail to clone.
This is with cert or password auth. The credentials get used for the main repo, but are not applyed to the Submodule. This is because AWX sets the username when cloning the main repo, but does not do that for submodules.

So This will Fail

[submodule "roles/yourrole"]
    path = roles/yourrole
    url = ssh://git.yourserver.com:29418/ansible/roles/yourrole.git

When adding a username in .gitmodules the clone works and the cert gets used correctly by awx. Howerver this is bad practice as other users of that Repo fail to clone it because they always have a wrong user.

[submodule "roles/yourrole"]
    path = roles/yourrole
    url = ssh://[email protected]:29418/ansible/roles/yourrole.git

As a Workaround , one can add this in /etc/ssh/ssh_conf to force that username on a specific server in the awx_task container.

Host git.yourserver.com
        HostName git.yourserver.com
        User awxuser

ENVIRONMENT

AWX version: 1.0.1.100
AWX install method: docker / open source installer via playbook
Ansible version: 2.4.0.0
Operating System: RHEL7
Web Browser: Chrome

STEPS TO REPRODUCE

Clone Project wirth submodules over SSH. The submodules must not specefy a username.

[submodule "roles/yourrole"]
    path = roles/yourrole
    url = ssh://git.yourserver.com:29418/ansible/roles/yourrole.git

All hase to be done over SSH and authentication is required for the Git Server.

EXPECTED RESULTS

Clone submodules works with the Username and the Password/cert of the Credentials that are used to clone the Project in AWX.

ACTUAL RESULTS

fatal: [localhost]: FAILED! => {"changed": false, "cmd": "/usr/bin/git submodule foreach /usr/bin/git fetch", "failed": true, "msg": "Permission denied (password,keyboard-interactive,publickey).\r\nfatal: Could not read from remote repository.\n\nPlease make sure you have the correct access rights\nand the repository exists.\nStopping at 'roles/yourrole'; script returned non-zero status.", "rc": 1, "stderr": "Permission denied (password,keyboard-interactive,publickey).\r\nfatal: Could not read from remote repository.\n\nPlease make sure you have the correct access rights\nand the repository exists.\nStopping at 'roles/yourrole'; script returned non-zero status.\n", "stderr_lines": ["Permission denied (password,keyboard-interactive,publickey).", "fatal: Could not read from remote repository.", "", "Please make sure you have the correct access rights", "and the repository exists.", "Stopping at 'roles/yourrole'; script returned non-zero status."], "stdout": "Entering 'roles/yourrole'\n", "stdout_lines": ["Entering 'roles/yourrole'"]}

api medium needs_info bug

Source

FloThinksPi

All 3 comments

hmm we use ssh-agent (or sshpass) iirc to set the credentials before running the playbook to perform the checkout.

Does this also happen with the core git module?

matburt on 7 Nov 2017

@matburt OK i tried it again with local git and the ssh-agent and it also only uses the ssh-key for the main repo and asks for password for the submodules. So after looking around a while, there is a syntax for submodules which use relative paths instead of absolute ones.

[submodule "roles/myrole"]
    path = roles/myrole
    url = ../../roles/myrole.git

So in this case, the credentials for the main repo get reused, while with absolute paths, git suspects a connection to a new server and asks for new username and password even when the URLs match with the main repo.

So in conclusion when using the relative submodule paths, all submodules get cloned correctly 😄

FloThinksPi on 9 Nov 2017

👍1

@FloThinksPi solution worked for me as well, I was trying to add project to my Ansible Tower that had submodule in it.