Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
Red Hat Satellite engineering is moving the tracking of its product development work on Satellite to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "Satellite project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs will be migrated starting at the end of May. If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "Satellite project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/SAT-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1650103

Summary: Satellite fails to execute ansible commands when connected to ipa server
Product: Red Hat Satellite Reporter: Stefan Meyer <smeyer>
Component: Ansible - Configuration ManagementAssignee: Ewoud Kohl van Wijngaarden <ekohlvan>
Status: CLOSED ERRATA QA Contact: Lukas Pramuk <lpramuk>
Severity: medium Docs Contact:
Priority: medium    
Version: 6.4CC: aperotti, egolov, hyu, ktordeur, matthew.lesieur, mhulan, phess, pierre-yves.goubet, pondrejk, sjagtap
Target Milestone: 6.6.0Keywords: Triaged
Target Release: Unused   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: foreman-installer-1.22.0.10 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-10-22 19:51:10 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Stefan Meyer 2018-11-15 11:15:41 UTC 
Description of problem:
Whne Satellite 6.4 is connected to an IPA server it fails to run Ansible commands on client systems

Version-Release number of selected component (if applicable):
- Satellite 6.4.0
- ansible-2.7.0-1.el7ae.noarch

How reproducible:
Everytime the Satellite is configured as an ipa client

Steps to Reproduce:
1. Install Satellite 6.4.0
2. Connect Satellite to IPA server
3. Try to run an Ansible command on a command on a client

Actual results:
The run fails with:
fatal: [fluffy.example.com]: UNREACHABLE! => {"changed": false, "msg": "Failed to connect to the host via ssh: ssh_exchange_identification: Connection closed by remote host\r\n", "unreachable": true} 

Expected results:
The run should work

Additional info:
The ipa client changes the  file /etc/ssh/ssh_config when it is configured and adds the line

  ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h

This was already reported for ovirt/RHV in this bugzillas:
- https://bugzilla.redhat.com/show_bug.cgi?id=1529851#c14
- https://bugzilla.redhat.com/show_bug.cgi?id=1531967#c5

Workaround:
Comment the line in /etc/ssh/ssh_config like this:

  #ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h

and the Ansible jobs are working again.
Comment 1 Marek Hulan 2018-11-16 12:50:05 UTC 
Created redmine issue https://projects.theforeman.org/issues/25481 from this bug
Comment 4 Marek Hulan 2018-12-07 13:40:13 UTC 
*** Bug 1656480 has been marked as a duplicate of this bug. ***
Comment 5 Pablo Hess 2018-12-07 14:35:28 UTC 
Alternate *less intrusive* workaround that will allow Satellite to run Ansible playbooks successfully without messing with system-wide ssh_client settings:

---
# cat ~foreman-proxy/.ssh/config
Host *
  ProxyCommand none
---

Since Ansible playbooks are being run by the foreman-proxy user, this will override the ProxyCommand option for this user only while the rest of the system can keep using sss_ssh_knownhostsproxy as intended by IPA.
Comment 6 Matthew LeSieur 2019-04-12 15:10:03 UTC 
All,
  I also ran into the ProxyCommand problem, but I found two different errors in the Plays that I ran.  Updating the foreman-proxy user's SSH configuration as per Pablo Hess (comment 5) resolved the problem.

fatal: [satellite.example.com]: UNREACHABLE! => {"changed": false, "msg": "Failed to connect to the host via ssh: key_load_public: invalid format\r\nwrite: Broken pipe", "unreachable": true}

fatal: [satellite.example.com]: UNREACHABLE! => {"changed": false, "msg": "Failed to connect to the host via ssh: key_load_public: invalid format\r\nssh_exchange_identification: Connection closed by remote host", "unreachable": true}

Thanks
Matthew LeSieur
Comment 8 Bryan Kearney 2019-06-06 14:01:21 UTC 
Upstream bug assigned to ekohlvan
Comment 9 Bryan Kearney 2019-06-06 14:01:23 UTC 
Upstream bug assigned to ekohlvan
Comment 11 Bryan Kearney 2019-07-22 18:01:18 UTC 
Moving this bug to POST for triage into Satellite 6 since the upstream issue https://projects.theforeman.org/issues/25481 has been resolved.
Comment 12 Lukas Pramuk 2019-10-13 22:20:55 UTC 
VERIFIED.

@Satellite 6.6.0 Snap22
foreman-installer-1.22.0.16-1.el7sat.noarch

# tail -2 /etc/foreman-proxy/ansible.cfg
[ssh_connection]
ssh_args = -o ProxyCommand=none

>>> ansible ssh_args override any proxy commands to empty for ansible runs only
Comment 13 Bryan Kearney 2019-10-22 19:51:10 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:3172