Bug 1650103
| Summary: | Satellite fails to execute ansible commands when connected to ipa server | ||
|---|---|---|---|
| Product: | Red Hat Satellite | Reporter: | Stefan Meyer <smeyer> |
| Component: | Ansible - Configuration Management | Assignee: | Ewoud Kohl van Wijngaarden <ekohlvan> |
| Status: | CLOSED ERRATA | QA Contact: | Lukas Pramuk <lpramuk> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 6.4 | CC: | aperotti, egolov, hyu, ktordeur, matthew.lesieur, mhulan, phess, pierre-yves.goubet, pondrejk, sjagtap |
| Target Milestone: | 6.6.0 | Keywords: | Triaged |
| Target Release: | Unused | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | foreman-installer-1.22.0.10 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-10-22 19:51:10 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Created redmine issue https://projects.theforeman.org/issues/25481 from this bug *** Bug 1656480 has been marked as a duplicate of this bug. *** Alternate *less intrusive* workaround that will allow Satellite to run Ansible playbooks successfully without messing with system-wide ssh_client settings: --- # cat ~foreman-proxy/.ssh/config Host * ProxyCommand none --- Since Ansible playbooks are being run by the foreman-proxy user, this will override the ProxyCommand option for this user only while the rest of the system can keep using sss_ssh_knownhostsproxy as intended by IPA. All, I also ran into the ProxyCommand problem, but I found two different errors in the Plays that I ran. Updating the foreman-proxy user's SSH configuration as per Pablo Hess (comment 5) resolved the problem. fatal: [satellite.example.com]: UNREACHABLE! => {"changed": false, "msg": "Failed to connect to the host via ssh: key_load_public: invalid format\r\nwrite: Broken pipe", "unreachable": true} fatal: [satellite.example.com]: UNREACHABLE! => {"changed": false, "msg": "Failed to connect to the host via ssh: key_load_public: invalid format\r\nssh_exchange_identification: Connection closed by remote host", "unreachable": true} Thanks Matthew LeSieur Upstream bug assigned to ekohlvan Upstream bug assigned to ekohlvan Moving this bug to POST for triage into Satellite 6 since the upstream issue https://projects.theforeman.org/issues/25481 has been resolved. VERIFIED.
@Satellite 6.6.0 Snap22
foreman-installer-1.22.0.16-1.el7sat.noarch
# tail -2 /etc/foreman-proxy/ansible.cfg
[ssh_connection]
ssh_args = -o ProxyCommand=none
>>> ansible ssh_args override any proxy commands to empty for ansible runs only
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2019:3172 |
Description of problem: Whne Satellite 6.4 is connected to an IPA server it fails to run Ansible commands on client systems Version-Release number of selected component (if applicable): - Satellite 6.4.0 - ansible-2.7.0-1.el7ae.noarch How reproducible: Everytime the Satellite is configured as an ipa client Steps to Reproduce: 1. Install Satellite 6.4.0 2. Connect Satellite to IPA server 3. Try to run an Ansible command on a command on a client Actual results: The run fails with: fatal: [fluffy.example.com]: UNREACHABLE! => {"changed": false, "msg": "Failed to connect to the host via ssh: ssh_exchange_identification: Connection closed by remote host\r\n", "unreachable": true} Expected results: The run should work Additional info: The ipa client changes the file /etc/ssh/ssh_config when it is configured and adds the line ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h This was already reported for ovirt/RHV in this bugzillas: - https://bugzilla.redhat.com/show_bug.cgi?id=1529851#c14 - https://bugzilla.redhat.com/show_bug.cgi?id=1531967#c5 Workaround: Comment the line in /etc/ssh/ssh_config like this: #ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h and the Ansible jobs are working again.