Project

General

Profile

Bug #25481

Foreman fails to execute ansible commands when connected to ipa server

Added by Marek Hulán over 4 years ago. Updated over 3 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Ewoud Kohl van Wijngaarden
Category:
Foreman modules
Target version:
-
Difficulty:
Triaged:
Yes
Bugzilla link:
1650103
Pull request:
https://github.com/theforeman/puppet-foreman_proxy/pull/511, https://github.com/theforeman/puppet-foreman_proxy/pull/534, https://github.com/theforeman/puppet-foreman_proxy/pull/485
Fixed in Releases:
Foreman - 1.22.1, Foreman - 1.23.0
Found in Releases:
Red Hat JIRA:

Description

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1650103

Description of problem:
Whne Satellite 6.4 is connected to an IPA server it fails to run Ansible commands on client systems

Version-Release number of selected component (if applicable):
- Satellite 6.4.0
- ansible-2.7.0-1.el7ae.noarch

How reproducible:
Everytime the Satellite is configured as an ipa client

Steps to Reproduce:
1. Install Satellite 6.4.0
2. Connect Satellite to IPA server
3. Try to run an Ansible command on a command on a client

Actual results:
The run fails with:
fatal: [fluffy.example.com]: UNREACHABLE! => {"changed": false, "msg": "Failed to connect to the host via ssh: ssh_exchange_identification: Connection closed by remote host\r\n", "unreachable": true}

Expected results:
The run should work

Additional info:
The ipa client changes the file /etc/ssh/ssh_config when it is configured and adds the line

ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h

This was already reported for ovirt/RHV in this bugzillas:
- https://bugzilla.redhat.com/show_bug.cgi?id=1529851#c14
- https://bugzilla.redhat.com/show_bug.cgi?id=1531967#c5

Workaround:
Comment the line in /etc/ssh/ssh_config like this:

#ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h

and the Ansible jobs are working again.

Related issues

Related to Installer - Bug #28559: Hardcoding Proxy Command breaks running Ansible on DebianClosed

Associated revisions

Revision 2e11f681 (diff)
Added by Ewoud Kohl van Wijngaarden over 3 years ago

Fixes #25481 - Set ProxyCommand=none for Ansible (#511)

In case of IPA there's a ProxyCommand set that handles known hosts, but
foreman_ansible has its own way of handling known hosts. This sets the
ssh args to force override this.

History

#1 Updated by Tomer Brisker about 4 years ago

  • Category set to Foreman modules
  • Subject changed from Satellite fails to execute ansible commands when connected to ipa server to Satellite fails to execute ansible commands when connected to ipa server
  • Project changed from Ansible to Installer

#2 Updated by Tomer Brisker about 4 years ago

  • Pull request https://github.com/theforeman/puppet-foreman_proxy/pull/485 added

#3 Updated by Tomer Brisker about 4 years ago

  • Status changed from New to Ready For Testing

#4 Updated by Ohad Levy about 4 years ago

  • Subject changed from Satellite fails to execute ansible commands when connected to ipa server to Foreman fails to execute ansible commands when connected to ipa server

#5 Updated by The Foreman Bot almost 4 years ago

  • Assignee set to Ewoud Kohl van Wijngaarden
  • Pull request https://github.com/theforeman/puppet-foreman_proxy/pull/511 added

#6 Updated by The Foreman Bot over 3 years ago

  • Fixed in Releases 1.23.0 added

#7 Updated by Ewoud Kohl van Wijngaarden over 3 years ago

  • Status changed from Ready For Testing to Closed

#8 Updated by The Foreman Bot over 3 years ago

  • Pull request https://github.com/theforeman/puppet-foreman_proxy/pull/534 added

#9 Updated by Ewoud Kohl van Wijngaarden over 3 years ago

  • Triaged changed from No to Yes
  • Fixed in Releases 1.22.1 added

#10 Updated by Marek Hulán over 3 years ago

This causes a problem on my debian environment when ansible setup module is ran, for some reasons `ssh_args=` (even empty) changes the behavior. Reproduced with ansible 2.8, when running under foreman-proxy user only (root seems to work fine), it seems like sftp/scp/pipe (dd over ssh) does not work, therefore setup fails.

When I commented this line, it started working again but I had to also change owner of /var/lib/foreman-proxy/ansible/ to foreman-proxy on debian (packaging issue?)

#11 Updated by Marek Hulán over 3 years ago

If I specify also ansible defaults as per https://docs.ansible.com/ansible/latest/reference_appendices/config.html#ansible-ssh-args (-C -o ControlMaster=auto -o ControlPersist=60s) it works, so some of these options are probably necessary and by hardcoding ssh_args to ProxyCommand=none we're breaking it

#12 Updated by Ewoud Kohl van Wijngaarden 5 months ago

  • Related to Bug #28559: Hardcoding Proxy Command breaks running Ansible on Debian added

Also available in: Atom PDF