Description of problem:
When Satellite 6.4 is connected to an IPA server it fails to run Ansible commands on client systems

Version-Release number of selected component (if applicable):
- Satellite 6.4.0
- ansible-2.7.0-1.el7ae.noarch

How reproducible:
Every time the Satellite is configured as an ipa client

Steps to Reproduce:
1. Install Satellite 6.4.0
2. Connect Satellite to IPA server
3. Try to run an Ansible command on a client

Actual results:
The run fails with:

    fatal: [fluffy.example.com]: UNREACHABLE! => {"changed": false, "msg": "Failed to connect to the host via ssh: ssh_exchange_identification: Connection closed by remote host\r\n", "unreachable": true}

Expected results:
The run should work

Additional info:
The ipa client changes the file /etc/ssh/ssh_config when it is configured and adds the line

    ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h

This was already reported for ovirt/RHV in these bugzillas:
- https://bugzilla.redhat.com/show_bug.cgi?id=1529851#c14
- https://bugzilla.redhat.com/show_bug.cgi?id=1531967#c5

Workaround:
Comment the line in /etc/ssh/ssh_config like this:

    #ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h

and the Ansible jobs are working again.
Created redmine issue https://projects.theforeman.org/issues/25481 from this bug
*** Bug 1656480 has been marked as a duplicate of this bug. ***
Alternate *less intrusive* workaround that will allow Satellite to run Ansible playbooks successfully without messing with system-wide ssh_client settings:

---
# cat ~foreman-proxy/.ssh/config
Host *
    ProxyCommand none
---

Since Ansible playbooks are being run by the foreman-proxy user, this will override the ProxyCommand option for this user only while the rest of the system can keep using sss_ssh_knownhostsproxy as intended by IPA.
All,

I also ran into the ProxyCommand problem, but I found two different errors in the Plays that I ran. Updating the foreman-proxy user's SSH configuration as per Pablo Hess (comment 5) resolved the problem.

    fatal: [satellite.example.com]: UNREACHABLE! => {"changed": false, "msg": "Failed to connect to the host via ssh: key_load_public: invalid format\r\nwrite: Broken pipe", "unreachable": true}

    fatal: [satellite.example.com]: UNREACHABLE! => {"changed": false, "msg": "Failed to connect to the host via ssh: key_load_public: invalid format\r\nssh_exchange_identification: Connection closed by remote host", "unreachable": true}

Thanks
Matthew LeSieur
Upstream bug assigned to ekohlvan
Moving this bug to POST for triage into Satellite 6 since the upstream issue https://projects.theforeman.org/issues/25481 has been resolved.
VERIFIED.

@Satellite 6.6.0 Snap22
foreman-installer-1.22.0.16-1.el7sat.noarch

# tail -2 /etc/foreman-proxy/ansible.cfg
[ssh_connection]
ssh_args = -o ProxyCommand=none

>>> ansible ssh_args override any proxy commands to empty for ansible runs only
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2019:3172
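The per-user workaround and the shipped ssh_args fix both rely on OpenSSH keeping the first value it obtains for an option. The script below is an added example, not code from Satellite or from any commenter on this bug: it reports which layer decides ProxyCommand for an Ansible run. The function names and the simplified config parsing are assumptions.

```shell
#!/bin/sh
# Added example (not Satellite code). OpenSSH keeps the first value it obtains for
# an option: command line (Ansible's ssh_args), then user config, then ssh_config.
# Assumptions: only global lines and "Host *" blocks are evaluated (no Match,
# Include or other Host patterns), and the ssh_args value is unquoted.

# Print the first ProxyCommand in FILE that applies to every host.
first_proxycommand() {
    [ -r "$1" ] || return 0
    awk '
        BEGIN { applies = 1 }                # lines before any Host block are global
        { sub(/^[ \t]+/, "") }               # drop indentation
        /^#/ || $0 == "" { next }            # skip comments and blank lines
        { key = tolower($1) }
        key == "host"  { applies = 0
                         for (i = 2; i <= NF; i++) if ($i == "*") applies = 1
                         next }
        key == "match" { applies = 0; next }
        key == "proxycommand" && applies { sub(/^[^ \t]+[ \t]+/, ""); print; exit }
    ' "$1"
}

# Print the ProxyCommand passed through ssh_args in an ansible.cfg, if any.
ansible_proxycommand() {
    [ -r "$1" ] || return 0
    sed -n 's/^[[:space:]]*ssh_args[[:space:]]*=.*-o[[:space:]]*ProxyCommand=\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# effective_proxycommand ANSIBLE_CFG USER_CONFIG SYSTEM_CONFIG -> "<source>: <value>"
effective_proxycommand() {
    v=$(ansible_proxycommand "$1"); [ -n "$v" ] && { printf 'ansible.cfg ssh_args: %s\n' "$v"; return; }
    v=$(first_proxycommand "$2");   [ -n "$v" ] && { printf 'user config: %s\n' "$v"; return; }
    v=$(first_proxycommand "$3");   [ -n "$v" ] && { printf 'system config: %s\n' "$v"; return; }
    echo "unset: direct connection"
}

# Demo on constructed files that mirror the settings quoted in this report.
d=$(mktemp -d); trap 'rm -rf "$d"' EXIT
printf 'ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %%p %%h\n' > "$d/ssh_config"
printf 'Host *\n    ProxyCommand none\n' > "$d/user_config"
printf '[ssh_connection]\nssh_args = -o ProxyCommand=none\n' > "$d/ansible.cfg"
effective_proxycommand "$d/none" "$d/none" "$d/ssh_config"          # IPA client default
effective_proxycommand "$d/none" "$d/user_config" "$d/ssh_config"   # per-user workaround
effective_proxycommand "$d/ansible.cfg" "$d/none" "$d/ssh_config"   # ssh_args fix
```

On a real host, `ssh -G <hostname>` run as the foreman-proxy user prints the configuration OpenSSH actually resolves, including Match and Include handling that this sketch skips.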