Re: [Fab-user] Key-based authentication

[Sergey Kirillov]

Wow, thanks a lot.

Here is my fabfile.py

---
set(
   fab_user = 'wishes',
   fab_password = None,
   fab_mode = 'rolling',
   project = 'wishes',
   deploy_to = '/home/wishes',
   manage_py = '$(deploy_to)/wishes/src/wl/manage',
   fab_debug = True,
)

import logging
logging.basicConfig()


def production():
 "Configures Fabric for production environment."
 set(env='production')
 set(fab_hosts=['production host'])

def staging():
 "Configures Fabric for Staging environment."
 set(env='staging')
 set(fab_hosts=['192.168.1.60'])
#  set(fab_key_filename='/home/serg/projects/wishlist/staging_key.pri')

def build():
 local('hg archive -t tgz /tmp/$(project).tgz')

def upload():
 require('env', provided_by=['production','staging'])
 put('/tmp/$(project).tgz', '/tmp/$(project).tgz')

def cleanup():
 require('env', provided_by=['production','staging'])
 run('rm /tmp/$(project).tgz', fail='warn')
 local('rm /tmp/$(project).tgz', fail='warn')

def patch_database():
 require('env', provided_by=['production','staging'])
 run('$(manage_py) migrate', fail='abort')
  
def restart():
 require('env', provided_by=['production','staging'])
 run('sudo /etc/init.d/wishes-fcgi restart', fail='abort')
#  sudo('invoke-rc.d wishes-fcgi restart', fail='abort')

def deploy():
 "Build the project and deploy it to a specified environment."
 require('env', provided_by=['production','staging'])

 build()
 upload()

 run('tar -C $(deploy_to) -xzf /tmp/$(project).tgz', fail='abort')
 #run('sudo -u $(sudo_user) cp $(deploy_to)/wishes/conf/settings.py 
$(deploy_to)/wishes/src/wl/', fail='abort')
 patch_database()
 restart()

 cleanup()
---



Christian Vest Hansen wrote:
> I edited the _connect code so you shouldn't have to
> set(fab_password=None) in order to please _connect(). Also, sudo() now
> only uses a password if one is defined.
>
> It's in both git repos. Hopefully this will make it look a little less
> sketchy whenever someone want to do key-based authentication.
>
>
> On 6/12/08, Christian Vest Hansen <address@hidden> wrote:
>   
> > Can you post a working fabfile configured to use SSH keys?
> >
> >  I'de like to document this in the tutorial.
> >
> >
> >  On 6/12/08, Christian Vest Hansen <address@hidden> wrote:
> >  > Alright, I'm glad you figured it out - this is good stuff to know as
> >  >  there's a high likelyhood that others will run into the same problems.
> >  >
> >  >
> >  >
> >  >  On 6/12/08, Sergey Kirillov <address@hidden> wrote:
> >  >  > Hi Christian,
> >  >  >
> >  >  >  Yes, I saw that.
> >  >  >
> >  >  >  It works now. I had to set 'fab_password': None in order to bypass 'if
> >  >  > 'fab_password' not in ENV:' check in _connect(). But now sudo() does not
> >  >  > work because it tries to do
> >  >  > 'stdin.write(env['fab_password'])' and fails there with
> >  >  > exception.
> >  >  >
> >  >  >  To solve this I've updated /etc/sudoers and have listed all commands that
> >  >  > need to be executed as passwordless.  So  instead of sudo() I'm using
> >  >  > run('sudo dosomething'), and it works like a charm.
> >  >  >
> >  >  >  Deployment user does not have password at all, and I can give people 
> > access
> >  >  > to deployment just by adding their SSH public keys into
> >  >  > ~/.ssh/authorized_keys of deployment user.
> >  >  >
> >  >  >
> >  >  >
> >  >  >
> >  >  >  Christian Vest Hansen wrote:
> >  >  >
> >  >  > > I haven't tried key-based authentication myself, but Fabric will relay
> >  >  > > any fab_pkey and fab_key_filename to the SSHClient.connect method in
> >  >  > > paramiko:
> >  >  > >
> >  >  > >
> >  >  > http://www.lag.net/paramiko/docs/paramiko.SSHClient-class.html#connect
> >  >  > >
> >  >  > > Hope that helps.
> >  >  > >
> >  >  > >
> >  >  >
> >  >  >
> >  >
> >  >
> >  >
> >  > --
> >  >  Venlig hilsen / Kind regards,
> >  >  Christian Vest Hansen.
> >  >
> >
> >
> >  --
> >  Venlig hilsen / Kind regards,
> >  Christian Vest Hansen.
> >
> >     
>
>
>