Bug 1605147 - [RFE] Add SSH key passphrase support to ansible feature
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Ansible - Configuration Management
Version: 6.4
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: 6.10.0
Assignee: Marek Hulan
QA Contact: Danny Synk
Duplicates: 1986422
Reported: 2018-07-20 09:50 UTC by Martin Korbel
Modified: 2024-03-25 15:06 UTC (History)

Fixed In Version: tfm-rubygem-foreman_ansible-6.3.3, tfm-rubygem-foreman_ansible_core-4.2.0
Last Closed: 2021-11-16 14:08:26 UTC

Attachments
tfm-rubygem-foreman_ansible_core-3.0.4.1-3.HFRHBZ1971395.1605147.el7sat.noarch.rpm (24.83 KB, application/x-rpm), 2021-08-06 16:00 UTC, Mike McCune


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Foreman Issue Tracker | 24367 | 0 | Normal | Closed | Add SSH key passphrase support to ansible feature | 2021-07-28 17:20:51 UTC
Red Hat Bugzilla | 1942782 | 1 | unspecified | CLOSED | Parameters specified in "Advanced Fields" are not passed to Ansible | 2024-03-25 18:14:21 UTC
Red Hat Product Errata | RHSA-2021:4702 | 0 | None | None | None | 2021-11-16 14:08:40 UTC

Description Martin Korbel 2018-07-20 09:50:55 UTC
Description of problem:
This bug is related to bz1437538.
If the remote execution feature can use "SSH key passphrase" then the ansible feature should have the same option.

Version-Release number of selected component (if applicable):
Sat6.4#11

How reproducible:
100%

Steps to Reproduce:
> hammer settings list | grep passphrase

Actual results:
remote_execution_ssh_key_passphrase                    | mySecret                                                                         | Default key passphrase to use for SSH. You may override per host by setting a...

Expected results:
ansible_ssh_key_passphrase                    | mySecret                                                                         | Default key passphrase to use for SSH. You may override per host by setting a...
remote_execution_ssh_key_passphrase                    | mySecret                                                                         | Default key passphrase to use for SSH. You may override per host by setting a...


Additional info:

Comment 1 Marek Hulan 2018-07-24 08:46:40 UTC
Created redmine issue https://projects.theforeman.org/issues/24367 from this bug

Comment 2 Marek Hulan 2018-07-24 08:47:42 UTC
Note that ansible core does not provide this, we could only work around it through ssh-agent, it would be possible though if we used ansible-runner as an engine

Comment 3 Bryan Kearney 2019-11-04 14:02:19 UTC
Thank you for your interest in Satellite 6. We have evaluated this request, and while we recognize that it is a valid request, we do not expect this to be implemented in the product in the foreseeable future. This is due to other priorities for the product, and not a reflection on the request itself. We are therefore closing this out as WONTFIX. If you have any concerns about this, please do not reopen. Instead, feel free to contact Red Hat Technical Support. Thank you.

Comment 4 Taft Sanders 2020-12-24 14:25:00 UTC
Reopening for consideration now that we have ansible-runner in Satellite 6.8 and a customer request for this feature.

Comment 5 Marek Hulan 2021-01-06 15:02:59 UTC
The runner has support for keys and passwords, it could be done in combination with an emitted password. This part is being improved right now, so we'd need to wait a little, but this is now possible to achieve.

https://ansible-runner.readthedocs.io/en/stable/intro.html#env-ssh-key
https://ansible-runner.readthedocs.io/en/stable/intro.html#env-passwords

Comment 6 Mike McCune 2021-03-11 18:51:03 UTC
Upon review of our valid but aging backlog the Satellite Team has concluded that this Bugzilla does not meet the criteria for a resolution in the near term, and are planning to close in one month's time. If you have any concerns about this, please contact your Red Hat Account team.  Thank you.

Comment 7 Ondřej Ezr 2021-04-06 11:49:35 UTC

*** This bug has been marked as a duplicate of bug 1942782 ***

Comment 8 Mike McCune 2021-04-13 17:39:47 UTC
Thank you for your interest in Satellite 6. We have evaluated this request, and while we recognize that it is a valid request, we do not expect this to be implemented in the product in the foreseeable future. This is due to other priorities for the product, and not a reflection on the request itself. We are therefore closing this out as WONTFIX. If you have any concerns about this, please do not reopen. Instead, feel free to contact your Red Hat Account Team. Thank you.

Comment 13 Bryan Kearney 2021-05-28 10:17:00 UTC
Upstream bug assigned to mhulan

Comment 14 Bryan Kearney 2021-05-28 10:17:03 UTC
Upstream bug assigned to mhulan

Comment 16 Bryan Kearney 2021-07-07 12:02:37 UTC
Moving this bug to POST for triage into Satellite since the upstream issue https://projects.theforeman.org/issues/24367 has been resolved.

Comment 17 Peter Ondrejka 2021-07-27 14:04:50 UTC
*** Bug 1986422 has been marked as a duplicate of this bug. ***

Comment 19 Mike McCune 2021-08-06 15:59:30 UTC
*** Satellite 6.8.6 Hotfix Available ***

Note that this includes the fix for 1605147 as well as an additional critical hotfix in this area of code, BZ 1971395.

1) Download tfm-rubygem-foreman_ansible_core-3.0.4.1-3.HFRHBZ1971395.1605147.el7sat.noarch.rpm from this bugzilla to your Satellite

2) stop services:

satellite-maintain service stop

3) Install:

rpm -Uvh tfm-rubygem-foreman_ansible_core-3.0.4.1-3.HFRHBZ1971395.1605147.el7sat.noarch.rpm

4) restart:

satellite-maintain service start

5) resume operations

Comment 20 Mike McCune 2021-08-06 16:00:51 UTC
Created attachment 1811561
tfm-rubygem-foreman_ansible_core-3.0.4.1-3.HFRHBZ1971395.1605147.el7sat.noarch.rpm

Comment 22 Adam Ruzicka 2021-08-09 06:56:58 UTC
To test:
0) Check that running an ansible job against a target host works before changing anything

1) Add a passphrase to the already-existing key
sudo -u foreman-proxy ssh-keygen -p -f ~foreman-proxy/.ssh/id_rsa_foreman_proxy -N "$password"

2) Restart capsule
systemctl restart foreman-proxy

3) Set the passphrase in Satellite
hammer setting set --name remote_execution_ssh_key_passphrase --value "$password"

4) Run an ansible job

Actual results:
The job fails since it cannot open the key

Expected results:
The job passes

Comment 28 Danny Synk 2021-09-23 18:52:54 UTC
Failed QA on Satellite 6.10, snap 20 (tfm-rubygem-foreman_ansible-6.3.4-1.el7sat.noarch).

Steps to Test:
1. Register a RHEL 7 host and a RHEL 8 host to Satellite 6.10 and configure the hosts for remote execution with the Global Registration Template.
2. Verify that a job of category 'Ansible Commands' and template 'Run Command - Ansible Default' is able to execute successfully on both hosts. I ran `touch test_ansible`, which succeeded on both hosts.
3. Add a passphrase to the foreman-proxy private key:

# sudo -u foreman-proxy ssh-keygen -p -f ~foreman-proxy/.ssh/id_rsa_foreman_proxy -N password

4. Restart the foreman-proxy service:

# systemctl restart foreman-proxy

5. Set the passphrase for the key in Satellite:

# hammer setting set --name remote_execution_ssh_key_passphrase --value password

6. Attempt to run another remote job on the hosts. The settings for this job were the same as in step 2, except that the command used was `touch test_ansible_with_passphrase`.

Actual Results:
The `Actions::RemoteExecution::RunHostsJob` task and its two `Actions::RemoteExecution::RunHostJob` subtasks stay in result 'Running' and state 'Pending' for fifteen minutes.

Expected Results:
The remote jobs finish successfully.

Notes:
- The results were the same when attempting the same job and entering the passphrase in the 'Private key passphrase' field on the job invocations page.
- The private key was able to authenticate successfully when attempting to log in from the Satellite to the hosts using `ssh -i ~foreman-proxy/.ssh/id_rsa_foreman_proxy root.com` and entering the passphrase interactively.
- I did not find any error messages in /var/log/foreman-proxy/proxy.log, /var/log/foreman/production.log, or /var/log/messages on the Satellite around the time the unsuccessful jobs were run.

Comment 29 Marek Hulan 2021-09-27 08:31:20 UTC
I think the fix actually landed in smart_proxy_ansible, it requires this specific commit https://github.com/theforeman/smart_proxy_ansible/commit/a169a9518b67b42088fdd2c45da6515a9c13367f, which doesn't seem to be present in any released version. I guess we'd need a cherrypick for 6.10.

Adam can you please double-check your Fixed in version information is correct?

Comment 30 Adam Ruzicka 2021-09-29 11:05:06 UTC
> I think the fix actually landed in smart_proxy_ansible

While that is true, 6.10 still has foreman_ansible before the core extraction happened, so the fix for 6.10 will be in foreman_ansible and foreman_ansible_core. Apparently the fix was never backported to foreman_ansible_core, if we don't count hotfixes.

foreman_ansible-6.3.3 has the fix for the behavior described in #24, the rest just went out in foreman_ansible_core-4.2.0.

Comment 31 Danny Synk 2021-10-05 13:22:14 UTC
Failed QA on Satellite 6.10, snap 21 (tfm-rubygem-foreman_ansible-6.3.4-1.el7sat.noarch, tfm-rubygem-foreman_ansible_core-4.2.0-1.el7sat.noarch).

I used the same steps to test as in comment #28. Now, though, `Ansible Command` jobs stay in result 'Running' and state 'Pending' indefinitely both when a passphrase is defined and when no passphrase is defined. 

For comparison, equivalent remote jobs (`touch ssh_test` and `touch ssh_test_with_passphrase`) run against two hosts using the `Run Command - SSH Default` job template finish in ten seconds both when a passphrase is defined and when no passphrase is defined.

Comment 32 Lukáš Hellebrandt 2021-10-05 14:08:34 UTC
See also bug 2010863

Comment 33 Marek Hulan 2021-10-05 14:40:45 UTC
I'd say that if ansible-runner hangs on no passphrase forever, it's primarily a bug in ansible-runner. There should be some timeout. From the Satellite process we can't tell whether the ansible-runner process still does something (e.g. configuring a system through ansible) after 10 minutes or it only waits for the input. We can't really even tell if the SSH key is passphrased prior to the actual run.

However based on the comment 31, it seems that even if the passphrase is specified, it hangs, correct? That would of course be an issue. How does it behave when the key is not passphrased at all? Does that still work?
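
Added example, not part of the original bug report or of Satellite's code: a preflight check, run on the host that holds the private key, that reads the key file's header to tell whether the key is passphrase-protected and compares that with whether a passphrase is configured, so a job that would otherwise sit waiting on a passphrase prompt can be flagged before it is dispatched. The function names, the status strings and the header-only sample key are assumptions made for this illustration.

```python
import base64
import struct
import sys

MAGIC = b"openssh-key-v1\x00"


def is_encrypted(key_text):
    """True if the private key needs a passphrase; ValueError if not a private key."""
    lines = [ln.strip() for ln in key_text.strip().splitlines()]
    if len(lines) < 3 or not lines[0].startswith("-----BEGIN "):
        raise ValueError("not a PEM-armoured private key")
    label = lines[0][len("-----BEGIN "):].rstrip("-")
    body = lines[1:-1]
    if label == "OPENSSH PRIVATE KEY":
        # New format: magic string, then the cipher name as uint32 length + bytes.
        blob, off = base64.b64decode("".join(body)), len(MAGIC)
        if not blob.startswith(MAGIC) or len(blob) < off + 4:
            raise ValueError("bad openssh-key-v1 blob")
        (n,) = struct.unpack(">I", blob[off:off + 4])
        cipher = blob[off + 4:off + 4 + n]
        if len(cipher) != n:
            raise ValueError("truncated openssh-key-v1 blob")
        return cipher != b"none"
    if label == "ENCRYPTED PRIVATE KEY":  # PKCS#8 encrypted container
        return True
    if label.endswith("PRIVATE KEY"):
        # Legacy PEM (RSA/DSA/EC): encryption is announced in a Proc-Type header.
        return any(ln.replace(" ", "") == "Proc-Type:4,ENCRYPTED" for ln in body)
    raise ValueError("unsupported PEM label: " + label)


def preflight(key_text, configured_passphrase):
    """Compare the key's state with the configured passphrase setting."""
    if is_encrypted(key_text):
        return "ok" if configured_passphrase else "passphrase-required"
    return "passphrase-unused" if configured_passphrase else "ok"


def sample_openssh_key(cipher):
    """Constructed header-only blob for demonstration; not a usable key."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    blob = MAGIC + s(cipher) + s(b"none" if cipher == b"none" else b"bcrypt") + s(b"")
    b64 = base64.b64encode(blob).decode()
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n%s\n-----END OPENSSH PRIVATE KEY-----\n" % b64


if __name__ == "__main__":
    # Usage: <script> <private key file> [yes|no]  (second argument: passphrase configured?)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else sample_openssh_key(b"aes256-ctr")
    print(preflight(text, len(sys.argv) > 2 and sys.argv[2] == "yes"))
```

The check only inspects the key's container format; it does not confirm that a configured passphrase actually unlocks the key.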

Comment 34 Danny Synk 2021-10-05 15:21:24 UTC
Yesterday, with no passphrase specified on the key, I left an `Ansible Commands` job running on snap 21 when I signed off for the day. This morning, it had been running for ~18 hours with no change. The behavior currently appears to be the same with Ansible Commands jobs regardless of whether a passphrase is set.

On Satellite 6.10, snap 20, though, Ansible Commands were working properly when no passphrase was set, so there seems to have been a regression between snap 20 and snap 21.

Non-Ansible remote jobs over SSH are working properly on snap 21 both with no passphrase set and with a passphrase set.

Comment 37 Danny Synk 2021-10-15 18:38:11 UTC
Verified on Satellite 6.10, snap 23 (tfm-rubygem-foreman_ansible-6.3.4-1.el7sat.noarch).

I re-ran the steps from comment 28, and Ansible Commands jobs are now completing successfully both with and without a passphrase assigned to the foreman-proxy private key.

Comment 40 errata-xmlrpc 2021-11-16 14:08:26 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: Satellite 6.10 Release), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:4702

