Bug 1650103 - Satellite fails to execute ansible commands when connected to ipa server
Summary: Satellite fails to execute ansible commands when connected to ipa server
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite 6
Classification: Red Hat
Component: Ansible
Version: 6.4
Hardware: All
OS: Linux
medium
medium vote
Target Milestone: 6.6.0
Assignee: Ewoud Kohl van Wijngaarden
QA Contact: Lukas Pramuk
URL:
Whiteboard:
: 1656480 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-11-15 11:15 UTC by Stefan Meyer
Modified: 2019-10-22 19:51 UTC (History)
10 users (show)

Fixed In Version: foreman-installer-1.22.0.10
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-10-22 19:51:10 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Foreman Issue Tracker 25481 'Normal' 'Closed' 'Foreman fails to execute ansible commands when connected to ipa server' 2019-12-04 14:06:01 UTC
Red Hat Knowledge Base (Solution) 3703171 None None None 2018-12-05 20:00:02 UTC

Description Stefan Meyer 2018-11-15 11:15:41 UTC
Description of problem:
Whne Satellite 6.4 is connected to an IPA server it fails to run Ansible commands on client systems

Version-Release number of selected component (if applicable):
- Satellite 6.4.0
- ansible-2.7.0-1.el7ae.noarch

How reproducible:
Everytime the Satellite is configured as an ipa client

Steps to Reproduce:
1. Install Satellite 6.4.0
2. Connect Satellite to IPA server
3. Try to run an Ansible command on a command on a client

Actual results:
The run fails with:
fatal: [fluffy.example.com]: UNREACHABLE! => {"changed": false, "msg": "Failed to connect to the host via ssh: ssh_exchange_identification: Connection closed by remote host\r\n", "unreachable": true} 

Expected results:
The run should work

Additional info:
The ipa client changes the  file /etc/ssh/ssh_config when it is configured and adds the line

  ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h

This was already reported for ovirt/RHV in this bugzillas:
- https://bugzilla.redhat.com/show_bug.cgi?id=1529851#c14
- https://bugzilla.redhat.com/show_bug.cgi?id=1531967#c5

Workaround:
Comment the line in /etc/ssh/ssh_config like this:

  #ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h

and the Ansible jobs are working again.

Comment 1 Marek Hulan 2018-11-16 12:50:05 UTC
Created redmine issue https://projects.theforeman.org/issues/25481 from this bug

Comment 4 Marek Hulan 2018-12-07 13:40:13 UTC
*** Bug 1656480 has been marked as a duplicate of this bug. ***

Comment 5 Pablo Hess 2018-12-07 14:35:28 UTC
Alternate *less intrusive* workaround that will allow Satellite to run Ansible playbooks successfully without messing with system-wide ssh_client settings:

---
# cat ~foreman-proxy/.ssh/config
Host *
  ProxyCommand none
---

Since Ansible playbooks are being run by the foreman-proxy user, this will override the ProxyCommand option for this user only while the rest of the system can keep using sss_ssh_knownhostsproxy as intended by IPA.

Comment 6 Matthew LeSieur 2019-04-12 15:10:03 UTC
All,
  I also ran into the ProxyCommand problem, but I found two different errors in the Plays that I ran.  Updating the foreman-proxy user's SSH configuration as per Pablo Hess (comment 5) resolved the problem.

fatal: [satellite.example.com]: UNREACHABLE! => {"changed": false, "msg": "Failed to connect to the host via ssh: key_load_public: invalid format\r\nwrite: Broken pipe", "unreachable": true}

fatal: [satellite.example.com]: UNREACHABLE! => {"changed": false, "msg": "Failed to connect to the host via ssh: key_load_public: invalid format\r\nssh_exchange_identification: Connection closed by remote host", "unreachable": true}

Thanks
Matthew LeSieur

Comment 8 Bryan Kearney 2019-06-06 14:01:21 UTC
Upstream bug assigned to ekohlvan@redhat.com

Comment 9 Bryan Kearney 2019-06-06 14:01:23 UTC
Upstream bug assigned to ekohlvan@redhat.com

Comment 11 Bryan Kearney 2019-07-22 18:01:18 UTC
Moving this bug to POST for triage into Satellite 6 since the upstream issue https://projects.theforeman.org/issues/25481 has been resolved.

Comment 12 Lukas Pramuk 2019-10-13 22:20:55 UTC
VERIFIED.

@Satellite 6.6.0 Snap22
foreman-installer-1.22.0.16-1.el7sat.noarch

# tail -2 /etc/foreman-proxy/ansible.cfg
[ssh_connection]
ssh_args = -o ProxyCommand=none

>>> ansible ssh_args override any proxy commands to empty for ansible runs only

Comment 13 Bryan Kearney 2019-10-22 19:51:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:3172


Note You need to log in before you can comment on or make changes to this bug.