Description of problem:
SSIA
Version-Release number of selected component (if applicable):
ovirt-engine-metrics-1.1.3.2-1.el7ev.noarch
How reproducible:
100%
Steps to Reproduce:
1. remove ssh key for metrics store from .known_hosts
2. /usr/share/ovirt-engine-metrics/configure_ovirt_machines_for_metrics.sh
WA (thus low severity)
3. Log in to the machine via ssh -> (yes) on accepting the known host
4. rerun playbook
Actual results:
TASK [Gathering Facts] ********************************************************************************************************************************************************************************************
fatal: [es.example.com]: UNREACHABLE! => {"changed": false, "msg": "Failed to connect to the host via ssh: Warning: Permanently added 'es.example.com' (ECDSA) to the list of known hosts.\r\nWarning: the ECDSA host key for 'es.example.com' differs from the key for the IP address '10.10.10.10'\nOffending key for IP in /root/.ssh/known_hosts:1\r\nPermission denied (publickey,password).\r\n", "unreachable": true}
Expected results:
Should automatically add the key
It seems the problem is that Ansible is unable to WA connection through different hostname es.hostname.com hostname.com ip-address..
In case I connected from engine to metrics store via IP address, ansible is unable to later connect in metrics playbook via es.hostname.com
[root@ ovirt-engine-metrics]# ssh root.com
Warning: the ECDSA host key for 'es.hostname.com' differs from the key for the IP address '10.10.10.10'
Offending key for IP in /root/.ssh/known_hosts:1
Matching host key in /root/.ssh/known_hosts:4
Are you sure you want to continue connecting (yes/no)? yes
WA: remove both from /root/.ssh/.known_hosts and add it after sshing through es.hostname.com
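Added example, not part of the comments in this bug report: a shell check that finds the situation in the warning above, where a hostname and its IP address are pinned to different keys of the same type in known_hosts, so it can be caught before the playbook is run. The function names and the sample file are constructed for illustration, and the check assumes unhashed known_hosts entries.

```shell
#!/bin/sh
# known_hosts_conflicts FILE NAME_A NAME_B
# Prints one line per key type for which NAME_A and NAME_B are pinned to
# different keys, with the known_hosts line number of each entry.
# Returns 1 if a conflict was found, 0 otherwise.
known_hosts_conflicts() {
    awk -v a="$2" -v b="$3" '
        NF == 0                 { next }   # blank line
        substr($1, 1, 1) == "#" { next }   # comment
        substr($1, 1, 1) == "@" { next }   # @cert-authority / @revoked marker
        substr($1, 1, 1) == "|" { next }   # hashed entry, cannot match by name
        {
            # Field 1 is a comma-separated host list, field 2 the key type,
            # field 3 the base64 key.
            n = split($1, names, ",")
            for (i = 1; i <= n; i++) {
                if (names[i] == a) { ka[$2] = $3; la[$2] = NR }
                if (names[i] == b) { kb[$2] = $3; lb[$2] = NR }
            }
        }
        END {
            for (t in ka)
                if ((t in kb) && ka[t] != kb[t]) {
                    printf "CONFLICT %s %s:%d %s:%d\n", t, a, la[t], b, lb[t]
                    bad = 1
                }
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample (placeholder key material, not real keys). The line
# numbers mirror the warning above: IP entry on line 1, hostname on line 4.
sample_known_hosts() {
    cat <<'EOF'
10.10.10.10 ecdsa-sha2-nistp256 AAAA-constructed-old-key
# constructed sample for the added example
engine.example.com ssh-ed25519 AAAA-constructed-engine-key
es.example.com ecdsa-sha2-nistp256 AAAA-constructed-new-key
EOF
}

tmp=$(mktemp)
sample_known_hosts > "$tmp"
known_hosts_conflicts "$tmp" es.example.com 10.10.10.10 ||
    echo "conflicting entries found: verify the host fingerprint before editing known_hosts"
rm -f "$tmp"
```

A reported conflict means one of the two entries is stale; confirm the metrics store's current host key fingerprint out of band and remove the stale entry with `ssh-keygen -R` instead of answering yes at the prompt.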
I dug a bit deeper... Problem is in configure metrics script:
Last line:
ansible-playbook \
    playbooks/"${PLAYBOOK}" \
    -e pg_db_name="${ENGINE_DB_DATABASE}" \
    -e ansible_ssh_private_key_file="${ENGINE_PKI}/keys/engine_id_rsa" \
    -l "${SCOPE}" \
    "${extra_opts[@]}"
we are using private id_rsa of engine, however metrics store does not have authorized public key of engine:
to WA, get public key of engine:
1. ssh-keygen -y -f /etc/pki/ovirt-engine/keys/engine_id_rsa
2. copy output to metrics-store authorized keys
Raising priority as this is blocking metrics store deployment, however we have WA
This will be added as a documentation step at this point.
I agree documentation will be preferred as this may cause a security issue of passing the pub key to other machines, however, we need this in 4.2, as without the proper documentation the admin is not able to run the playbook since we introduced the modification of metrics store (in 4.2.2). If it's just a documentation change, we should be able to make it to 4.2.2 or in the worst case 4.2.3. Yaniv, can we reschedule?
Moving this to VERIFIED as test steps work, and we are waiting just for Docs https://bugzilla.redhat.com/show_bug.cgi?id=1546540
This bugzilla is included in oVirt 4.2.7 release, published on November 2nd 2018. Since the problem described in this bug report should be resolved in oVirt 4.2.7 release, it has been closed with a resolution of CURRENT RELEASE. If the solution does not work for you, please open a new bug report.
Closed by mistake, moving back to qa -> verified
This bugzilla is included in oVirt 4.3.0 release, published on February 4th 2019. Since the problem described in this bug report should be resolved in oVirt 4.3.0 release, it has been closed with a resolution of CURRENT RELEASE. If the solution does not work for you, please open a new bug report.