roots / trellis-cli

A CLI to manage Trellis projects
https://roots.io/trellis/
MIT License

`trellis vm shell` doesn't forward ssh agent #402

Closed johnkraczek closed 1 year ago

johnkraczek commented 1 year ago

Version

Trellis v1.21.0 Bedrock v1.22.2

What did you expect to happen?

After running:

trellis new example.com
cd example.com/trellis
trellis vm start

Trellis provisions the lima VM

I run trellis vm shell which puts me into the VM. echo "$SSH_AUTH_SOCK" should return the host agent so that I can authenticate to ssh services.

What actually happens?

After doing the above, to work around this I can modify the ssh config and things work like they should:

limactl show-ssh -f config example.com > ~/.ssh/config

that will put this into my config file:

Host lima-example.com
  IdentityFile "/Users/john/.lima/_config/user"
  IdentityFile "/Users/john/.ssh/id_rsa"
  StrictHostKeyChecking no
  UserKnownHostsFile /dev/null
  NoHostAuthenticationForLocalhost yes
  GSSAPIAuthentication no
  PreferredAuthentications publickey
  Compression no
  BatchMode yes
  IdentitiesOnly yes
  Ciphers "^aes128-gcm@openssh.com,aes256-gcm@openssh.com"
  User john
  ControlMaster auto
  ControlPath "/Users/john/.lima/example.com/ssh.sock"
  ControlPersist 5m
  Hostname 127.0.0.1
  Port 52058

I can edit the file and:

- remove ControlMaster, ControlPath, and ControlPersist
- add ForwardAgent yes

Also I make sure that my key is available to the agent: ssh-add --apple-use-keychain ~/.ssh/[MY KEY]

Now if I `ssh lima-example.com`, it enters the shell, and if I run `echo "$SSH_AUTH_SOCK"` I am returned /tmp/ssh-XXXXRB6A0u/agent.24603

Additionally if I attempt to ssh to bitbucket or github:

john@lima-example:~$ ssh johnkraczek@bitbucket.org
PTY allocation request failed on channel 0
authenticated via ssh key.

You can use git to connect to Bitbucket. Shell access is disabled
Connection to bitbucket.org closed.

As I would expect.

I'm not sure if this is exactly an issue with trellis or an issue with lima-vm. I found this issue over there: SSH ForwardAgent does not work correctly. But it's not clear how he fixed the issue. He indicated that he removed the ssh.sock file and that things started to work. I did the same for ~/.lima/example.com/ssh.sock but no dice. But with that info I figured I would try using the edited config file, as I can't seem to figure out where the lima config file is being generated/populated from.

Looking through the default Lima config: default.yaml doesn't have a yaml key for using or not using the control master.

I'm not sure if I have not configured things correctly or what, but I have additional composer repositories that reference private packages, and accessing those requires the ssh key from my host.

Steps to reproduce

trellis new example.com
cd example.com/trellis
trellis vm start
trellis vm shell
echo "$SSH_AUTH_SOCK"

should return the host agent so that I can authenticate to ssh services.

System info

Apple MacBook Pro (M1 Pro), macOS Ventura 13.4.1

Log output

john@John-MBP% trellis new example.com
Creating new Trellis project in /Users/john/LocalSites/example.com

Site domain [example.com]: 

✔ example.com
Initializing project...

[✓] Created virtualenv (/Users/john/LocalSites/example.com/trellis/.trellis/virtualenv)
[✓] Ensure pip is up to date
[✓] Dependencies installed
Starting galaxy role install process
- downloading role 'composer', owned by geerlingguy
- downloading role from https://github.com/geerlingguy/ansible-role-composer/archive/1.9.0.tar.gz
- extracting composer to /Users/john/LocalSites/example.com/trellis/vendor/roles/composer
- composer (1.9.0) was installed successfully
- downloading role 'ntp', owned by geerlingguy
- downloading role from https://github.com/geerlingguy/ansible-role-ntp/archive/2.3.1.tar.gz
- extracting ntp to /Users/john/LocalSites/example.com/trellis/vendor/roles/ntp
- ntp (2.3.1) was installed successfully
- downloading role 'logrotate', owned by nickhammond
- downloading role from https://github.com/nickhammond/ansible-logrotate/archive/v0.0.5.tar.gz
- extracting logrotate to /Users/john/LocalSites/example.com/trellis/vendor/roles/logrotate
- logrotate (v0.0.5) was installed successfully
- downloading role 'swapfile', owned by oefenweb
- downloading role from https://github.com/Oefenweb/ansible-swapfile/archive/v2.0.36.tar.gz
- extracting swapfile to /Users/john/LocalSites/example.com/trellis/vendor/roles/swapfile
- swapfile (v2.0.36) was installed successfully
- downloading role 'mailpit', owned by roots
- downloading role from https://github.com/roots/ansible-role-mailpit/archive/v1.0.0.tar.gz
- extracting mailpit to /Users/john/LocalSites/example.com/trellis/vendor/roles/mailpit
- mailpit (v1.0.0) was installed successfully

example.com project created with versions:
  Trellis v1.21.0
  Bedrock v1.22.2
john@John-MBP LocalSites % trellis vm start
john@John-MBP LocalSites % cd example.com/trellis
john@John-MBP trellis % trellis vm start
Running command => limactl start --tty=false --name=example.com /Users/john/LocalSites/example.com/trellis/.trellis/lima/example.com.yml
INFO[0000] Terminal is not available, proceeding without opening an editor 
WARN[0000] `vmType: vz` is experimental                 
INFO[0000] Attempting to download the image              arch=aarch64 digest= location="https://cloud-images.ubuntu.com/jammy/current/jammy-server-cloudimg-arm64.img"
INFO[0000] Using cache "/Users/john/Library/Caches/lima/download/by-url-sha256/b0292969d1625be5cb3a28bcbd6660473d29afede9d0f7b2a791e4d9891335b8/data" 
INFO[0002] [hostagent] Starting VZ (hint: to watch the boot progress, see "/Users/john/.lima/example.com/serial.log") 
INFO[0002] [hostagent] new connection from  to          
INFO[0002] SSH Local Port: 52058                        
INFO[0002] [hostagent] Waiting for the essential requirement 1 of 3: "ssh" 
INFO[0002] [hostagent] [VZ] - vm state change: running  
INFO[0012] [hostagent] Waiting for the essential requirement 1 of 3: "ssh" 
INFO[0013] [hostagent] The essential requirement 1 of 3 is satisfied 
INFO[0013] [hostagent] Waiting for the essential requirement 2 of 3: "user session is ready for ssh" 
INFO[0025] [hostagent] Waiting for the essential requirement 2 of 3: "user session is ready for ssh" 
INFO[0025] [hostagent] The essential requirement 2 of 3 is satisfied 
INFO[0025] [hostagent] Waiting for the essential requirement 3 of 3: "the guest agent to be running" 
INFO[0025] [hostagent] The essential requirement 3 of 3 is satisfied 
INFO[0025] [hostagent] Waiting for the final requirement 1 of 1: "boot scripts must have finished" 
INFO[0025] [hostagent] Forwarding "/run/lima-guestagent.sock" (guest) to "/Users/john/.lima/example.com/ga.sock" (host) 
INFO[0025] [hostagent] Not forwarding TCP 127.0.0.53:53 
INFO[0025] [hostagent] Not forwarding TCP 0.0.0.0:22    
INFO[0025] [hostagent] Not forwarding TCP [::]:22       
INFO[0025] [hostagent] The final requirement 1 of 1 is satisfied 
INFO[0025] READY. Run `limactl shell example.com` to open the shell. 

Updating /etc/hosts file (sudo may be required, see `trellis vm sudoers` for more details)

Provisioning VM...
Starting galaxy role install process
- composer (1.9.0) is already installed, skipping.
- ntp (2.3.1) is already installed, skipping.
- logrotate (v0.0.5) is already installed, skipping.
- swapfile (v2.0.36) is already installed, skipping.
- mailpit (v1.0.0) is already installed, skipping.

Running command => ansible-playbook dev.yml --inventory-file=/Users/john/LocalSites/example.com/trellis/.trellis/lima/inventory -e env=development

PLAY [WordPress Server: Install LEMP Stack with PHP and MariaDB MySQL] *********

TASK [Gathering Facts] *********************************************************
ok: [default]

TASK [common : Load wordpress_sites.yml vars into <env>_sites vars] ************
skipping: [default] => (item=development) 
skipping: [default]

TASK [common : Fail if there are duplicate site keys within host's wordpress_sites] ***
skipping: [default]

TASK [common : Validate wordpress_sites] ***************************************
skipping: [default]

TASK [common : Validate format of site_hosts] **********************************
skipping: [default] => (item=example.com) 
skipping: [default]

TASK [common : Import PHP version specific vars] *******************************
ok: [default]

TASK [common : Verify dict format for apt package component variables] *********
skipping: [default]

TASK [common : Verify dict format for apt package combined variables] **********
skipping: [default]

TASK [common : Validate Ubuntu version] ****************************************
skipping: [default]

TASK [common : Check whether passlib is needed] ********************************
skipping: [default]

TASK [common : Retrieve local SSH client's settings per host] ******************
ok: [default]

TASK [common : Validate compatible settings between SSH client and server] *****
ok: [default] => {
    "changed": false,
    "msg": "All assertions passed"
}

TASK [common : Update apt packages] ********************************************
changed: [default]

TASK [common : Checking essentials] ********************************************
changed: [default] => (item=build-essential)
ok: [default] => (item=curl)
ok: [default] => (item=dbus)
changed: [default] => (item=ghostscript)
ok: [default] => (item=git)
changed: [default] => (item=imagemagick)
changed: [default] => (item=libgs-dev)
changed: [default] => (item=libnss-myhostname)
ok: [default] => (item=python3)
ok: [default] => (item=python3-software-properties)
changed: [default] => (item=python3-mysqldb)
changed: [default] => (item=python3-pycurl)
changed: [default] => (item=unzip)

TASK [common : Validate timezone variable] *************************************
ok: [default]

TASK [common : Explain timezone error] *****************************************
skipping: [default]

TASK [common : Add myhostname to nsswitch.conf to ensure resolvable hostname] ***
ok: [default]

TASK [common : Generate SSH key for vagrant user for ansible_local provisioning] ***
skipping: [default]

TASK [common : Retrieve SSH client IP] *****************************************
skipping: [default]

TASK [common : Restrict journal log size] **************************************
[WARNING]: Module remote_tmp /root/.ansible/tmp did not exist and was created
with a mode of 0700, this may cause issues when running as another user. To
avoid this, create the remote_tmp dir with the correct permissions manually
changed: [default]

TASK [fail2ban : ensure fail2ban is installed] *********************************
changed: [default]

TASK [fail2ban : ensure fail2ban is configured] ********************************
changed: [default] => (item=jail.local)
changed: [default] => (item=fail2ban.local)

TASK [fail2ban : Check if fail2ban_filter_templates_path exists] ***************
ok: [default -> localhost]

TASK [fail2ban : build list of fail2ban filter templates] **********************
ok: [default -> localhost]

TASK [fail2ban : ensure configuration directory exists] ************************
ok: [default]

TASK [fail2ban : template fail2ban filters] ************************************
changed: [default] => (item=/Users/john/LocalSites/example.com/trellis/roles/fail2ban/templates/filters/wordpress-xmlrpc.conf.j2)
changed: [default] => (item=/Users/john/LocalSites/example.com/trellis/roles/fail2ban/templates/filters/wordpress-wp-login.conf.j2)

TASK [fail2ban : ensure fail2ban starts on a fresh reboot] *********************
changed: [default]

TASK [ferm : ensure ferm status is in debconf] *********************************
changed: [default]

TASK [ferm : ensure ferm is installed] *****************************************
changed: [default]

TASK [ferm : ensure configuration directories exist] ***************************
changed: [default] => (item=/etc/ferm/ferm.d)
changed: [default] => (item=/etc/ferm/filter-input.d)

TASK [ferm : ensure firewall is configured] ************************************
changed: [default] => (item=etc/default/ferm)
changed: [default] => (item=etc/ferm/ferm.conf)

TASK [ferm : ensure iptables INPUT rules are removed] **************************
skipping: [default] => (item={'type': 'dport_accept', 'dport': ['http', 'https'], 'filename': 'nginx_accept'}) 
skipping: [default] => (item={'type': 'dport_accept', 'dport': ['ssh'], 'saddr': ['127.0.0.0/8', '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16']}) 
skipping: [default] => (item={'type': 'dport_limit', 'dport': ['ssh'], 'seconds': 300, 'hits': 20}) 
skipping: [default]

TASK [ferm : ensure iptables INPUT rules are added] ****************************
changed: [default] => (item={'type': 'dport_accept', 'dport': ['http', 'https'], 'filename': 'nginx_accept'})
changed: [default] => (item={'type': 'dport_accept', 'dport': ['ssh'], 'saddr': ['127.0.0.0/8', '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16']})
changed: [default] => (item={'type': 'dport_limit', 'dport': ['ssh'], 'seconds': 300, 'hits': 20})

TASK [ferm : ensure iptables rules are enabled] ********************************
skipping: [default]

TASK [ferm : ensure iptables rules are disabled] *******************************
ok: [default]

TASK [ntp : Include OS-specific variables.] ************************************
ok: [default]

TASK [ntp : Set the ntp_driftfile variable.] ***********************************
ok: [default]

TASK [ntp : Set the ntp_package variable.] *************************************
ok: [default]

TASK [ntp : Set the ntp_config_file variable.] *********************************
ok: [default]

TASK [ntp : Set the ntp_daemon variable.] **************************************
ok: [default]

TASK [ntp : Ensure NTP package is installed.] **********************************
changed: [default]

TASK [ntp : Ensure tzdata package is installed (Linux).] ***********************
ok: [default]

TASK [ntp : Set timezone.] *****************************************************
ok: [default]

TASK [ntp : Populate service facts.] *******************************************
ok: [default]

TASK [ntp : Disable systemd-timesyncd if it's running but ntp is enabled.] *****
ok: [default]

TASK [ntp : Ensure NTP is running and enabled as configured.] ******************
ok: [default]

TASK [ntp : Ensure NTP is stopped and disabled as configured.] *****************
skipping: [default]

TASK [ntp : Generate ntp configuration file.] **********************************
changed: [default]

TASK [sshd : Ensure latest SSH server and client are installed] ****************
ok: [default] => (item=openssh-server)
ok: [default] => (item=openssh-client)

TASK [sshd : Create a secure sshd_config] **************************************
changed: [default]

TASK [sshd : Create a secure ssh_config] ***************************************
changed: [default]

TASK [sshd : Remove Diffie-Hellman moduli of size < 2000] **********************
ok: [default]

TASK [mariadb : Add MariaDB APT key] *******************************************
changed: [default]

TASK [mariadb : Add MariaDB PPA] ***********************************************
changed: [default]

TASK [mariadb : Install MySQL client] ******************************************
changed: [default]

TASK [mariadb : Install MySQL server] ******************************************
changed: [default]

TASK [mariadb : Disable MariaDB binary logging] ********************************
changed: [default]

TASK [mariadb : Copy .my.cnf file with root password credentials.] *************
changed: [default]

TASK [mariadb : Set root user password] ****************************************
changed: [default] => (item=None)
changed: [default] => (item=None)
changed: [default] => (item=None)
changed: [default] => (item=None)
changed: [default]

TASK [mariadb : Delete anonymous MySQL server users] ***************************
ok: [default] => (item=None)
ok: [default] => (item=None)
ok: [default] => (item=None)
ok: [default]

TASK [mariadb : Remove the test database] **************************************
ok: [default]

TASK [mailpit : Ensure mailpit install directory exists.] **********************
changed: [default]

TASK [mailpit : Download and install mailpit binary] ***************************
changed: [default]

TASK [mailpit : Copy mailpit systemd unit file into place] *********************
changed: [default]

TASK [mailpit : Ensure mailpit is enabled and will start on boot] **************
changed: [default]

TASK [php : Add PHP PPA] *******************************************************
changed: [default]

TASK [php : Install PHP and extensions] ****************************************
changed: [default] => (item=php8.1-bcmath)
changed: [default] => (item=php8.1-cli)
changed: [default] => (item=php8.1-curl)
changed: [default] => (item=php8.1-dev)
changed: [default] => (item=php8.1-fpm)
changed: [default] => (item=php8.1-imagick)
changed: [default] => (item=php8.1-intl)
changed: [default] => (item=php8.1-mbstring)
changed: [default] => (item=php8.1-mysql)
changed: [default] => (item=php8.1-xml)
changed: [default] => (item=php8.1-xmlrpc)
changed: [default] => (item=php8.1-zip)

TASK [php : Ensure correct PHP version selected] *******************************
ok: [default]

TASK [php : Find existing php fpm services] ************************************
ok: [default]

TASK [php : Stop old php-fpm services] *****************************************
skipping: [default]

TASK [php : Start php fpm service] *********************************************
ok: [default]

TASK [php : Copy PHP-FPM configuration file] ***********************************
changed: [default]

TASK [php : Copy PHP CLI configuration file] ***********************************
changed: [default]

TASK [php : Change ImageMagick policy.xml to allow for PDFs] *******************
changed: [default]

TASK [xdebug : Include php8.1 related vars] ************************************
ok: [default]

TASK [xdebug : Install Xdebug] *************************************************
changed: [default]

TASK [xdebug : Template the Xdebug configuration file] *************************
changed: [default]

TASK [xdebug : Ensure 20-xdebug.ini is present] ********************************
ok: [default]

TASK [xdebug : Disable Xdebug CLI] *********************************************
changed: [default]

TASK [memcached : Install memcached] *******************************************
changed: [default] => (item=memcached)
changed: [default] => (item=php8.1-memcached)

TASK [memcached : Copy the client configuration file] **************************
changed: [default]

TASK [memcached : Set the max open file descriptors] ***************************
changed: [default]

TASK [memcached : Start the memcached service] *********************************
ok: [default]

TASK [nginx : Add Nginx APT key] ***********************************************
changed: [default]

TASK [nginx : Add Nginx PPA] ***************************************************
changed: [default]

TASK [nginx : Install Nginx] ***************************************************
changed: [default]

TASK [nginx : Ensure site directories exist] ***********************************
changed: [default] => (item=sites-available)
changed: [default] => (item=sites-enabled)

TASK [nginx : Create SSL directory] ********************************************
changed: [default]

TASK [nginx : Copy h5bp configs] ***********************************************
changed: [default]

TASK [nginx : Create nginx.conf] ***********************************************
changed: [default]

TASK [nginx : Disable default server] ******************************************
ok: [default]

TASK [nginx : Enable Nginx to start on boot] ***********************************
changed: [default]

TASK [logrotate : nickhammond.logrotate | Install logrotate] *******************
ok: [default]

TASK [logrotate : nickhammond.logrotate | Setup logrotate.d scripts] ***********
changed: [default] => (item={'name': 'wordpress-sites', 'path': '/srv/www/**/logs/*.log', 'options': ['weekly', 'maxsize 50M', 'missingok', 'rotate 8', 'compress', 'delaycompress', 'notifempty', 'create 0640 john www-data', 'sharedscripts'], 'scripts': {'prerotate': 'if [ -d /etc/logrotate.d/httpd-prerotate ]; then \\\n      run-parts /etc/logrotate.d/httpd-prerotate; \\\n    fi \\\n', 'postrotate': 'service nginx reload >/dev/null 2>&1'}})

TASK [composer : Set php_executable variable to a default if not defined.] *****
ok: [default]

TASK [composer : Check if Composer is installed.] ******************************
ok: [default]

TASK [composer : Get Composer installer signature.] ****************************
ok: [default]

TASK [composer : Download Composer installer.] *********************************
changed: [default]

TASK [composer : Run Composer installer.] **************************************
changed: [default]

TASK [composer : Move Composer into globally-accessible location.] *************
changed: [default]

TASK [composer : Update Composer to latest version (if configured).] ***********
ok: [default]

TASK [composer : Ensure composer directory exists.] ****************************
changed: [default]

TASK [composer : Add GitHub OAuth token for Composer (if configured).] *********
skipping: [default]

TASK [composer : include_tasks] ************************************************
skipping: [default]

TASK [composer : include_tasks] ************************************************
skipping: [default]

TASK [wp-cli : Ensure gpg2 is installed] ***************************************
changed: [default]

TASK [wp-cli : Download WP-CLI Phar] *******************************************
changed: [default]

TASK [wp-cli : Download WP-CLI Phar Signature] *********************************
changed: [default]

TASK [wp-cli : Copy WP-CLI release team public key] ****************************
changed: [default]

TASK [wp-cli : Check GPG signature] ********************************************
ok: [default]

TASK [wp-cli : Install WP-CLI] *************************************************
changed: [default]

TASK [wp-cli : Retrieve WP-CLI tab completions] ********************************
changed: [default]

TASK [wp-cli : Install WP-CLI tab completions] *********************************
changed: [default]

TASK [wp-cli : Install WP-CLI packages] ****************************************
skipping: [default]

TASK [wordpress-setup : Create databases for sites] ****************************
changed: [default] => (item=None)
changed: [default]

TASK [wordpress-setup : Create/assign database user to db and grant permissions] ***
changed: [default] => (item=None)
changed: [default]

TASK [wordpress-setup : Ensure openssl configs directory are present] **********
changed: [default]

TASK [wordpress-setup : Template openssl configs] ******************************
skipping: [default] => (item=example.com) 
skipping: [default]

TASK [wordpress-setup : Generate self-signed certificates] *********************
skipping: [default] => (item=example.com) 
skipping: [default]

TASK [wordpress-setup : Clean up openssl configs directory] ********************
changed: [default]

TASK [wordpress-setup : Download client cert] **********************************
skipping: [default] => (item=example.com) 
skipping: [default]

TASK [wordpress-setup : Create web root] ***************************************
changed: [default]

TASK [wordpress-setup : Create logs folder of sites] ***************************
changed: [default] => (item=example.com)

TASK [wordpress-setup : Create WordPress php-fpm configuration file] ***********
changed: [default]

TASK [wordpress-setup : Disable default PHP-FPM pool] **************************
changed: [default]

TASK [wordpress-setup : stat] **************************************************
ok: [default -> localhost]

TASK [wordpress-setup : Build list of Nginx includes templates] ****************
skipping: [default]

TASK [wordpress-setup : Create includes.d directories] *************************
skipping: [default]

TASK [wordpress-setup : Template files out to includes.d] **********************
skipping: [default]

TASK [wordpress-setup : stat] **************************************************
ok: [default]

TASK [wordpress-setup : Retrieve list of existing files in includes.d] *********
skipping: [default]

TASK [wordpress-setup : Remove unmanaged files from includes.d] ****************
skipping: [default]

TASK [wordpress-setup : Copy SSL cert] *****************************************
skipping: [default] => (item=example.com) 
skipping: [default]

TASK [wordpress-setup : Copy SSL key] ******************************************
skipping: [default] => (item=example.com) 
skipping: [default]

TASK [wordpress-setup : disable temporary challenge sites] *********************
ok: [default] => (item=example.com)

TASK [wordpress-setup : Create Nginx available sites] **************************
changed: [default] => (item={'src': 'no-default.conf.j2'})
skipping: [default] => (item={'src': 'ssl.no-default.conf.j2', 'enabled': False}) 

TASK [wordpress-setup : Disable Nginx sites] ***********************************
skipping: [default] => (item={'src': 'no-default.conf.j2'}) 
ok: [default] => (item={'src': 'ssl.no-default.conf.j2', 'enabled': False})

TASK [wordpress-setup : Enable Nginx sites] ************************************
changed: [default] => (item={'src': 'no-default.conf.j2'})
skipping: [default] => (item={'src': 'ssl.no-default.conf.j2', 'enabled': False}) 

TASK [wordpress-setup : Create Nginx conf for challenges location] *************
changed: [default]

TASK [wordpress-setup : Create WordPress configuration for Nginx] **************
changed: [default] => (item=example.com)

TASK [wordpress-setup : Enable WordPress site] *********************************
changed: [default] => (item=example.com)

TASK [wordpress-setup : Setup WP system cron] **********************************
changed: [default] => (item=example.com)

TASK [wordpress-setup : Setup WP Multisite system cron] ************************
ok: [default] => (item=example.com)

TASK [wordpress-install : Create web root of sites] ****************************
changed: [default] => (item=example.com)

TASK [wordpress-install : Create shared folder of sites] ***********************
changed: [default] => (item=example.com)

TASK [wordpress-install : Change site owner to user] ***************************
skipping: [default] => (item=example.com) 
skipping: [default]

TASK [wordpress-install : Create .env file] ************************************
changed: [default] => (item=example.com)

TASK [wordpress-install : Copy .env file into web root] ************************
changed: [default] => (item=example.com)

TASK [wordpress-install : Add known_hosts] *************************************
changed: [default] => (item=github.com)
changed: [default] => (item=github.com)
changed: [default] => (item=bitbucket.org)
changed: [default] => (item=gitlab.com)
changed: [default] => (item=gitlab.com)

TASK [wordpress-install : include_tasks] ***************************************
[WARNING]: TASK: wordpress-install : include_tasks: The loop variable 'site' is
already in use. You should set the `loop_var` value in the `loop_control`
option for the task to something else to avoid variable collisions and
unexpected behavior.
included: /Users/john/LocalSites/example.com/trellis/roles/wordpress-install/tasks/composer-authentications.yml for default => (item=(censored due to no_log))

TASK [wordpress-install : Setup composer authentications (HTTP Basic) - {'key': 'example.com', 'value': {'site_hosts': [{'canonical': 'example.test', 'redirects': ['www.example.test']}], 'local_path': '../site', 'admin_email': 'admin@example.test', 'multisite': {'enabled': False}, 'ssl': {'enabled': False, 'provider': 'self-signed'}, 'cache': {'enabled': False}}}] ***
skipping: [default]

TASK [wordpress-install : Setup composer authentications (BitBucket OAuth) - {'key': 'example.com', 'value': {'site_hosts': [{'canonical': 'example.test', 'redirects': ['www.example.test']}], 'local_path': '../site', 'admin_email': 'admin@example.test', 'multisite': {'enabled': False}, 'ssl': {'enabled': False, 'provider': 'self-signed'}, 'cache': {'enabled': False}}}] ***
skipping: [default]

TASK [wordpress-install : Setup composer authentications (Other Tokens) - {'key': 'example.com', 'value': {'site_hosts': [{'canonical': 'example.test', 'redirects': ['www.example.test']}], 'local_path': '../site', 'admin_email': 'admin@example.test', 'multisite': {'enabled': False}, 'ssl': {'enabled': False, 'provider': 'self-signed'}, 'cache': {'enabled': False}}}] ***
skipping: [default]

TASK [wordpress-install : Install Dependencies with Composer] ******************
changed: [default] => (item=example.com)

TASK [wordpress-install : Install WP] ******************************************
changed: [default] => (item=example.com)

TASK [wordpress-install : Setup Permalink Structure] ***************************
changed: [default] => (item={'changed': True, 'stdout': 'Success: WordPress installed successfully.', 'stderr': '', 'rc': 0, 'cmd': ['wp', 'core', 'install', '--allow-root', '--url=http://example.test', '--title=example.com', '--admin_user=admin', '--admin_password=JvHflFh2tTd6oMIuZid4JlhxVZGqbVYh6i0d320titcd1jn993GSvvDnX8SB14eg', '--admin_email=admin@example.test'], 'start': '2023-07-12 20:40:32.624694', 'end': '2023-07-12 20:40:35.395600', 'delta': '0:00:02.770906', 'msg': '', 'invocation': {'module_args': {'chdir': '/srv/www/example.com/current/', '_raw_params': 'wp core install --allow-root --url="http://example.test"  --title="example.com" --admin_user="admin" --admin_password="JvHflFh2tTd6oMIuZid4JlhxVZGqbVYh6i0d320titcd1jn993GSvvDnX8SB14eg" --admin_email="admin@example.test"', '_uses_shell': False, 'stdin_add_newline': True, 'strip_empty_ends': True, 'argv': None, 'executable': None, 'creates': None, 'removes': None, 'stdin': None}}, 'stdout_lines': ['Success: WordPress installed successfully.'], 'stderr_lines': [], 'failed': False, 'item': {'key': 'example.com', 'value': {'site_hosts': [{'canonical': 'example.test', 'redirects': ['www.example.test']}], 'local_path': '../site', 'admin_email': 'admin@example.test', 'multisite': {'enabled': False}, 'ssl': {'enabled': False, 'provider': 'self-signed'}, 'cache': {'enabled': False}}}, 'ansible_loop_var': 'item'})

TASK [wordpress-install : Update WP Multisite Home URL] ************************
skipping: [default] => (item=example.com) 
skipping: [default]

RUNNING HANDLER [common : restart memcached] ***********************************
changed: [default]

RUNNING HANDLER [common : reload php-fpm] **************************************
changed: [default]

RUNNING HANDLER [common : restart journald] ************************************
changed: [default]

RUNNING HANDLER [common : reload nginx] ****************************************
changed: [default]

RUNNING HANDLER [fail2ban : restart fail2ban] **********************************
changed: [default]

RUNNING HANDLER [ferm : restart ferm] ******************************************
skipping: [default]

RUNNING HANDLER [ntp : restart ntp] ********************************************
changed: [default]

RUNNING HANDLER [sshd : restart ssh] *******************************************
changed: [default]

RUNNING HANDLER [mariadb : restart mysql server] *******************************
changed: [default]

RUNNING HANDLER [common : perform nginx reload] ********************************
changed: [default]

PLAY RECAP *********************************************************************
default                    : ok=132  changed=89   unreachable=0    failed=0    skipped=35   rescued=0    ignored=0   

Your Trellis VM is ready to use!

* Composer and WP-CLI commands need to be run on the virtual machine for any post-provision modifications.
* You can SSH into the machine with 'trellis vm shell'
* Then navigate to your WordPress sites at '/srv/www'

john@John-MBP trellis % trellis vm shell
Running command => limactl shell --workdir /srv/www/example.com/current example.com
john@lima-example:/srv/www/example.com/current$ echo "$SSH_AUTH_SOCK"

john@lima-example:/srv/www/example.com/current$ exit
logout

Please confirm this isn't a support request.

Yes
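The workaround described in the issue, as an added example that is not part of the original post or of trellis-cli: it rewrites the host entry that `limactl show-ssh -f config <vm>` prints (dropping ControlMaster, ControlPath and ControlPersist, adding ForwardAgent yes) and installs it as a dedicated file that ~/.ssh/config Includes, rather than overwriting ~/.ssh/config with a redirect. The `~/.ssh/config.d/lima-<vm>` layout and the `install_lima_config` helper are assumptions; ForwardAgent is added only to the lima host entry, since forwarding exposes the host agent to whatever runs as your user inside the guest.

```shell
#!/bin/sh
# Added example, not code from the issue or from trellis-cli.
# Transforms the ssh config that `limactl show-ssh -f config <vm>` prints so that
# the host's ssh-agent is forwarded into the Lima VM, as the issue describes.

# forward_agent_config: read a limactl ssh config on stdin, write the edited
# config on stdout. Removes the three Control* directives the issue removes and
# inserts "ForwardAgent yes" directly under each Host line.
forward_agent_config() {
    awk '
        /^[[:space:]]*(ControlMaster|ControlPath|ControlPersist)[[:space:]]/ { next }
        /^Host / { print; print "  ForwardAgent yes"; next }
        { print }
    '
}

# count_control_lines: number of Control* directives in a config on stdin
# (0 after forward_agent_config has run). grep -c exits 1 on zero matches,
# hence the "|| true" so the count is still printed under "set -e".
count_control_lines() {
    grep -c -E '^[[:space:]]*Control(Master|Path|Persist)' || true
}

# Constructed sample, trimmed from the config quoted in the issue.
SAMPLE_CONFIG='Host lima-example.com
  IdentityFile "/Users/john/.lima/_config/user"
  IdentitiesOnly yes
  ControlMaster auto
  ControlPath "/Users/john/.lima/example.com/ssh.sock"
  ControlPersist 5m
  Hostname 127.0.0.1
  Port 52058'

# install_lima_config VM: hypothetical helper that writes the edited config for
# VM to ~/.ssh/config.d/lima-VM (mode 600) and prepends an Include to
# ~/.ssh/config if it is not there yet. The Include goes at the top because an
# Include placed after a Host block only applies inside that block.
install_lima_config() {
    vm="$1"
    cfg="$HOME/.ssh/config"
    dir="$HOME/.ssh/config.d"
    mkdir -p "$dir"
    chmod 700 "$HOME/.ssh" "$dir"
    limactl show-ssh -f config "$vm" | forward_agent_config > "$dir/lima-$vm"
    chmod 600 "$dir/lima-$vm"
    touch "$cfg"
    if ! grep -q "^Include config.d/lima-$vm\$" "$cfg"; then
        { printf 'Include config.d/lima-%s\n' "$vm"; cat "$cfg"; } > "$cfg.tmp" \
            && mv "$cfg.tmp" "$cfg"
    fi
}

# Usage (not run here): install_lima_config example.com
# then: ssh-add <your key>; ssh lima-example.com 'echo "$SSH_AUTH_SOCK"'
```

After installing, `ssh -G lima-example.com | grep -i forwardagent` should print `forwardagent yes`, and the Control* lines should be gone from the effective config.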

swalkinshaw commented 1 year ago

Thanks for the detailed issue.

I can't think how this would be a trellis-cli issue though since it's just running limactl shell.

The only thing we could (maybe should?) do is set forwardAgent: true by default. But you said that didn't work for you?

https://github.com/lima-vm/lima/blob/d9f0c51db0e84576692da4dde242ea150e3c16ee/examples/default.yaml#L123-L128

johnkraczek commented 1 year ago

Thanks for the comment on this.

I updated that one line in the lima config file.

https://github.com/lima-vm/lima/blob/d9f0c51db0e84576692da4dde242ea150e3c16ee/examples/default.yaml#L123-L128

pkg/lima/files/config.yml

And added the following:

ssh:
    forwardAgent: true

Then I recompiled trellis-cli and that fixed my issue. I can now forward the ssh-agent and authenticate to ssh services with my host key.

Would you consider adding that as a default for trellis-cli?

I made a pull request for this: https://github.com/roots/trellis-cli/pull/403

How difficult would it be to add a configuration option, or command line flag to enable or disable forwarding the agent? I know for myself I will use it 100% of the time, but I'd like to know how often other people require authenticating to ssh services inside their environments.