Hello,
My question is half Ansible, half sysop, so I hope it is OK on the list.
My ‘ansibler’ user needs to git clone a repo on behalf of user ‘app’.
‘ansibler’ is the only user with SSH access to the machine.
The git repo is a protected repo, only available via SSH keys.
Important: I want the cloned repo to have the same ownership/permissions it would have had if the ‘app’ user had executed the git clone.
Up until now, my plan was to execute the Ansible task with sudo_user=app. I managed to have agent forwarding forward the keys up to the ‘app’ user, and added the host to the known_hosts of user ‘app’.
It works, but it's a bit of a hack to have Ansible forward the keys; cf. ticket https://github.com/ansible/ansible/pull/4100
So I am looking for best practices that people are using to solve this.
I understand that if ‘ansibler’ has ACLs/permissions to write in ‘app’'s home, ‘ansibler’ could git clone directly inside ‘app’'s home, but how do you handle the ownership/permission aspect of things so that you end up with app:app ownership and the correct permissions? Permissions could be handled via ACL defaults when ACLs are available, but for the ownership, do you chown recursively?
Can you share a pointer to a playbook demonstrating this?
I have read here and there on the ML that it is best to prepare packages on the control machine and then install those packages on the remotes after a copy is done. Is that the best practice / preferred way to deploy an application? Can you share a playbook for this approach (creating a package on the control machine, packaging an app out of a git repo)?
Thank you!
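The ownership question raised in the message above (clone as ‘ansibler’, end up with app:app) has a caveat worth making concrete: a recursive chown over content that came from a remote repository must not follow symlinks, otherwise a link inside the repo can redirect the chown to a file outside the tree. The Python below is an added example, not code from the original post or from Ansible. It hands a cloned tree over to a target uid/gid with lchown and then audits owner, mode bits and symlink targets; the uid/gid and the 0750/0640 modes (umask 027) are assumptions chosen for illustration, and the tree it operates on is constructed sample data, not a real clone.

```python
"""Added example (not from the mailing-list post or from Ansible): hand a cloned
tree over to another owner without following symlinks, then audit the result.
Assumptions not stated in the post: the owner is a numeric uid/gid and the
expected modes (0750 dirs/executables, 0640 files) are illustrative defaults."""
import os
import stat
import tempfile
from dataclasses import dataclass
from typing import Dict, Iterator, List


@dataclass(frozen=True)
class Violation:
    path: str
    problem: str


def _walk_nofollow(root: str) -> Iterator[str]:
    """Yield `root` and every entry below it without descending into symlinked
    directories: os.walk(followlinks=False) lists a symlink to a directory but
    does not recurse through it, so nothing outside the tree is visited."""
    yield root
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            yield os.path.join(dirpath, name)


def chown_tree_nofollow(root: str, uid: int, gid: int) -> int:
    """Recursively chown `root` to uid:gid with lchown; return the entry count.

    lchown changes a symlink itself rather than its target. A clone is
    remote-controlled content: a symlink in it pointing at /etc/shadow must not
    turn a recursive chown into a chown of /etc/shadow."""
    changed = 0
    for path in _walk_nofollow(root):
        os.lchown(path, uid, gid)
        changed += 1
    return changed


def audit_tree(root: str, uid: int, gid: int, dir_mode: int = 0o750,
               file_mode: int = 0o640, exec_mode: int = 0o750) -> List[Violation]:
    """Return every entry whose owner or permission bits differ from the
    expectation, plus any symlink whose target resolves outside `root`."""
    violations: List[Violation] = []
    real_root = os.path.realpath(root)
    for path in _walk_nofollow(root):
        st = os.lstat(path)  # lstat: examine the link, not what it points to
        if (st.st_uid, st.st_gid) != (uid, gid):
            violations.append(Violation(
                path, f"owner {st.st_uid}:{st.st_gid}, expected {uid}:{gid}"))
        if stat.S_ISLNK(st.st_mode):
            target = os.path.realpath(path)
            if os.path.commonpath([real_root, target]) != real_root:
                violations.append(Violation(path, f"symlink escapes tree -> {target}"))
            continue  # permission bits on a symlink are not meaningful
        mode = stat.S_IMODE(st.st_mode)
        if stat.S_ISDIR(st.st_mode):
            expected = dir_mode
        elif mode & 0o111:
            expected = exec_mode  # git preserves the executable bit (mode 100755)
        else:
            expected = file_mode
        if mode != expected:
            violations.append(Violation(path, f"mode {mode:04o}, expected {expected:04o}"))
    return violations


def build_sample_clone(root: str) -> None:
    """Constructed sample data standing in for a fresh clone (not a real repo)."""
    os.makedirs(os.path.join(root, "bin"))
    with open(os.path.join(root, "README"), "w") as fh:
        fh.write("sample\n")
    script = os.path.join(root, "bin", "run.sh")
    with open(script, "w") as fh:
        fh.write("#!/bin/sh\necho hi\n")
    for p, m in ((root, 0o750), (os.path.join(root, "bin"), 0o750),
                 (os.path.join(root, "README"), 0o640), (script, 0o750)):
        os.chmod(p, m)
    # What a hostile or careless repo may contain: a symlink out of the tree.
    os.symlink(os.path.join(os.sep, "etc", "hostname"), os.path.join(root, "escape"))


def demo() -> Dict[str, object]:
    """Build the sample tree, hand it over and audit it. An unprivileged process
    may only chown to its own uid/gid, so that is what is used here; as root you
    would pass pwd.getpwnam("app").pw_uid and pw_gid instead."""
    root = os.path.join(tempfile.mkdtemp(prefix="clone-"), "app-repo")
    build_sample_clone(root)
    uid, gid = os.getuid(), os.getgid()
    changed = chown_tree_nofollow(root, uid, gid)
    clean = [v.problem for v in audit_tree(root, uid, gid)]
    os.chmod(os.path.join(root, "README"), 0o644)  # simulate a file cloned with umask 022
    dirty = [v.problem for v in audit_tree(root, uid, gid)]
    return {"changed": changed, "clean": clean, "dirty": dirty}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run as root with the real ‘app’ uid/gid, the same two calls can follow an Ansible git task that cloned as ‘ansibler’: chown_tree_nofollow() gives the tree to app:app, and a non-empty audit_tree() result (wrong mode from the cloning user's umask, or a symlink that leaves the tree) is what to fail the play on before ‘app’ ever runs anything from it.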