Bug #25481
Foreman fails to execute ansible commands when connected to ipa server
Description
Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1650103
Description of problem:
When Satellite 6.4 is connected to an IPA server, it fails to run Ansible commands on client systems.
Version-Release number of selected component (if applicable):
- Satellite 6.4.0
- ansible-2.7.0-1.el7ae.noarch
How reproducible:
Every time the Satellite is configured as an IPA client
Steps to Reproduce:
1. Install Satellite 6.4.0
2. Connect Satellite to IPA server
3. Try to run an Ansible command on a client
Actual results:
The run fails with:
fatal: [fluffy.example.com]: UNREACHABLE! => {"changed": false, "msg": "Failed to connect to the host via ssh: ssh_exchange_identification: Connection closed by remote host\r\n", "unreachable": true}
Expected results:
The run should work
Additional info:
The ipa client changes the file /etc/ssh/ssh_config when it is configured and adds the line
ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h
This was already reported for ovirt/RHV in these bugzillas:
- https://bugzilla.redhat.com/show_bug.cgi?id=1529851#c14
- https://bugzilla.redhat.com/show_bug.cgi?id=1531967#c5
Workaround:
Comment the line in /etc/ssh/ssh_config like this:
#ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h
and the Ansible jobs are working again.
Related issues
Associated revisions
History
#1
Updated by Tomer Brisker about 4 years ago
- Category set to Foreman modules
- Subject changed from Satellite fails to execute ansible commands when connected to ipa server to Satellite fails to execute ansible commands when connected to ipa server
- Project changed from Ansible to Installer
#2
Updated by Tomer Brisker about 4 years ago
- Pull request https://github.com/theforeman/puppet-foreman_proxy/pull/485 added
#3
Updated by Tomer Brisker about 4 years ago
- Status changed from New to Ready For Testing
#4
Updated by Ohad Levy about 4 years ago
- Subject changed from Satellite fails to execute ansible commands when connected to ipa server to Foreman fails to execute ansible commands when connected to ipa server
#5
Updated by The Foreman Bot almost 4 years ago
- Assignee set to Ewoud Kohl van Wijngaarden
- Pull request https://github.com/theforeman/puppet-foreman_proxy/pull/511 added
#6
Updated by The Foreman Bot over 3 years ago
- Fixed in Releases 1.23.0 added
#7
Updated by Ewoud Kohl van Wijngaarden over 3 years ago
- Status changed from Ready For Testing to Closed
Applied in changeset puppet-foreman_proxy|2e11f6810d8b4e7e8ce28f91bdf6a534c0f3e2f4.
#8
Updated by The Foreman Bot over 3 years ago
- Pull request https://github.com/theforeman/puppet-foreman_proxy/pull/534 added
#9
Updated by Ewoud Kohl van Wijngaarden over 3 years ago
- Triaged changed from No to Yes
- Fixed in Releases 1.22.1 added
#10
Updated by Marek Hulán over 3 years ago
This causes a problem on my Debian environment when the ansible setup module is run; for some reason `ssh_args=` (even empty) changes the behavior. Reproduced with ansible 2.8, when running under the foreman-proxy user only (root seems to work fine). It seems like sftp/scp/pipe (dd over ssh) does not work, therefore setup fails.
When I commented this line, it started working again, but I also had to change the owner of /var/lib/foreman-proxy/ansible/ to foreman-proxy on Debian (packaging issue?)
#11
Updated by Marek Hulán over 3 years ago
If I also specify the ansible defaults as per https://docs.ansible.com/ansible/latest/reference_appendices/config.html#ansible-ssh-args (-C -o ControlMaster=auto -o ControlPersist=60s) it works, so some of these options are probably necessary, and by hardcoding ssh_args to ProxyCommand=none we're breaking it.
#12
Updated by Ewoud Kohl van Wijngaarden 5 months ago
- Related to Bug #28559: Hardcoding Proxy Command breaks running Ansible on Debian added
Fixes #25481 - Set ProxyCommand=none for Ansible (#511)
In case of IPA there's a ProxyCommand set that handles known hosts, but
foreman_ansible has its own way of handling known hosts. This sets the
ssh args to force override this.
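
Added example, not part of the original issue or of the puppet-foreman_proxy code: a Python check over the two files discussed above. It reports whether the IPA ProxyCommand from ssh_config is still in effect for Ansible, and whether an ssh_args override has dropped the default options quoted in comment #11. The sample file contents, the finding names and the `-o ProxyCommand=none` spelling of the hardcoded value are assumptions made for the example.

```python
import configparser
import re
import shlex

# Ansible's default ssh_args, as quoted in comment #11 on this page.
DEFAULT_SSH_ARGS = "-C -o ControlMaster=auto -o ControlPersist=60s"

def active_proxy_command(ssh_config_text):
    """First uncommented ProxyCommand value; Host/Match scoping is ignored."""
    for raw in ssh_config_text.splitlines():
        m = re.match(r"(\w+)(?:\s*=\s*|\s+)(.*)", raw.strip())
        if m and m.group(1).lower() == "proxycommand":
            return m.group(2).strip()
    return None

def o_options(ssh_args):
    """Map of -o Key=Value options in an ssh argument string (keys lowercased)."""
    opts, tokens = {}, shlex.split(ssh_args)
    for i, tok in enumerate(tokens):
        if tok == "-o" and i + 1 < len(tokens):
            tok = "-o" + tokens[i + 1]
        if tok.startswith("-o") and "=" in tok:
            key, _, val = tok[2:].partition("=")
            opts.setdefault(key.lower(), val)  # ssh keeps the first value given
    return opts

def audit(ssh_config_text, ansible_cfg_text):
    """Return a list of findings (hypothetical names) for the two config files."""
    cfg = configparser.ConfigParser(interpolation=None)  # '%' is literal in ssh args
    cfg.read_string(ansible_cfg_text)
    ssh_args = cfg.get("ssh_connection", "ssh_args", fallback=None)
    opts = o_options(DEFAULT_SSH_ARGS if ssh_args is None else ssh_args)
    # A command-line -o ProxyCommand=... takes precedence over ssh_config.
    proxy = opts.get("proxycommand", active_proxy_command(ssh_config_text))
    findings = []
    if proxy and "sss_ssh_knownhostsproxy" in proxy:
        findings.append("ipa-proxycommand-active")
    if ssh_args is not None:  # any override, even an empty one, replaces the defaults
        missing = [k for k in o_options(DEFAULT_SSH_ARGS) if k not in opts]
        if missing:
            findings.append("defaults-dropped:" + ",".join(missing))
    return findings

# Constructed sample inputs.
SSH_CONFIG_IPA = "Host *\n    ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h\n"
SSH_CONFIG_WORKAROUND = "#ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h\n"
CFG_UNSET = "[defaults]\n"
CFG_HARDCODED = "[ssh_connection]\nssh_args = -o ProxyCommand=none\n"
CFG_WITH_DEFAULTS = ("[ssh_connection]\nssh_args = -o ProxyCommand=none "
                     "-C -o ControlMaster=auto -o ControlPersist=60s\n")
```

The check only compares `-o` options, so the `-C` flag from the defaults is not reported when it is missing.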