zhaofengli / colmena

A simple, stateless NixOS deployment tool
https://colmena.cli.rs
MIT License

SSH ForwardAgent not working with colmena #154

Open septem9er opened 1 year ago

septem9er commented 1 year ago

Summary

I would like to use SSH ForwardAgent with colmena, so that I can use a non-root user for deployment without having to disable authentication for sudo completely.

Nixops does have an option for specifying ssh Options, maybe this could be added to colmena as well?

However, as I understand it, this should still be doable by setting the "SSH_CONFIG_FILE" option and enabling ForwardAgent there. Somehow this doesn't work. I still get the following error:

colmena apply --show-trace switch -v
[INFO ] Using configuration: /home/septem9er/Projekte/nix-infra/hive.nix
[INFO ] Enumerating nodes...
[INFO ] Selected all 1 nodes.
nixos-template | Evaluating nixos-template
nixos-template | trace: warning: system.stateVersion is not set, defaulting to 22.11. Read why this matters on https://nixos.org/manual/nixos/stable/options.html#opt-system.stateVersion.
nixos-template | Evaluated nixos-template
nixos-template | Building nixos-template
nixos-template | /nix/store/64yhwyk4jnfja5ifm7jbr7gmfc6nlliw-nixos-system-nixos-template-22.11.3408.a575c243c23
nixos-template | Built "/nix/store/64yhwyk4jnfja5ifm7jbr7gmfc6nlliw-nixos-system-nixos-template-22.11.3408.a575c243c23"
nixos-template | Pushing system closure
nixos-template | copying 2 paths...
nixos-template | copying path '/nix/store/yy81p2v4xjmahmcclv6k04zwqmsh8i2s-etc' to 'ssh://septem9er@10.2.2.200'...
nixos-template | copying path '/nix/store/64yhwyk4jnfja5ifm7jbr7gmfc6nlliw-nixos-system-nixos-template-22.11.3408.a575c243c23' to 'ssh://septem9er@10.2.2.200'...
nixos-template | Pushed system closure
nixos-template | No pre-activation keys to upload
nixos-template | Activating system profile
nixos-template | sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper
nixos-template | sudo: a password is required
nixos-template | Activation failed: Child process exited with error code: 1
               | Failed: Child process exited with error code: 1
[ERROR] Failed to deploy to nixos-template - Last 5 lines of logs:
[ERROR]  created)
[ERROR]    state) Running
[ERROR]   stderr) sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper
[ERROR]   stderr) sudo: a password is required
[ERROR]  failure) Child process exited with error code: 1
[ERROR] Failed to complete requested operation - Last 1 lines of logs:
[ERROR]  failure) Child process exited with error code: 1
[ERROR] -----
[ERROR] Operation failed with error: Child process exited with error code: 1

When I connect manually to the host using ssh -T septem9er@10.2.2.200 and try to use sudo, it does work. I don't have to supply the password.

The environment variable does point to the right config file for sure. If I delete the config file, colmena complains that it cannot find it.

I did set ForwardAgent to yes in the ssh config for the * Host; I also tried setting this in the system-wide ssh config. It doesn't change the behaviour; ForwardAgent still does not work with colmena.

dminuoso commented 1 year ago

Which revision of colmena are you using?

septem9er commented 1 year ago

Currently version 0.3.2