#biff
2024-03-13
kpassapk 17:03:39

I deployed an application with a private dependency in deps.edn yesterday. When the systemd service ran clj -M:prod , it failed to download the dependency because it had no access to my forwarded SSH agent / auth socket. I solved it by sshing into the server as the app user and running the command, then restarting the service. Might it make sense to have the deploy command download dependencies, even if it takes a while?

Jacob O'Bryant 18:03:23

I'm not too familiar with private dependencies. Is this a dependency in a private git repo that your ssh key has access to? or a private maven repo/something else? What was the command you ran as the app user that fixed it?

kpassapk 18:03:56

yes, a private git repo which my SSH key can access. I ran clj -M:prod, then Ctrl+C'd out of it - there must be a better way but I'm only a couple of months into Clojure.

Jacob O'Bryant 19:03:30

got it--I think the best approach here would be to create a read-only ssh key for the repo (github calls them https://docs.github.com/en/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys) and then install the private key in /home/app/.ssh/ . Then clj -M:prod should work fine, and no need to download dependencies to your local machine first + upload from there to the server. The latter approach would be like building an uberjar (`clj -M:dev uberjar`) and then uploading that, which you could also do. The deploy process would just be slower than Biff's default deploy process. e.g. you could make a custom deploy task that runs the uberjar task, uploads it to the server, then restarts the server. And then you'd just need to edit the systemd file to have it run java -jar ... instead of clj -M:prod (see the systemd section in server-setup.sh). But yeah, setting up the read-only ssh key would definitely be my first recommendation.

👍 1
kpassapk 20:03:55

I like that recommendation, thanks! I'll do that in the future. Small point to clarify: I ran the command on the server, so the dependencies were not installed on my machine + then uploaded. I still like your solution better, though, because 1. it's one less step, doesn't slow down deployment 2. it's more granular (allowing access to a single repo) 3. it doesn't assume any special SSH configuration on the development machine.

👍 1
👌 1
kpassapk 00:03:00

nb (in case it's useful to anyone): the ~/.ssh/config on my local machine has

Host 
     ForwardAgent yes

which is why the deps can be downloaded when I ssh in myself as , but not by the service - even though they both run as the app user. (http://www.unixwiz.net/techtips/ssh-agent-forwarding.html)

Jacob O'Bryant 00:03:47

ah, got it--I was surprised it worked that way at first.