hostkey enhancements to the git module


James Tanner

Jan 11, 2014, 11:34:12 AM
to ansible...@googlegroups.com
I created a new feature in the git module to help with hostkey
management and prevent task hangs with unknown keys:

https://github.com/ansible/ansible/commit/8665b0638a1d3a70f985126b0f007a26c81273cb
https://github.com/ansible/ansible/commit/eeee1e1c5aa9dd4f84175966e0f9e467fd7fc600

The module should fail early on if the hostkey is unknown instead of
hanging indefinitely.

If the user adds "accept_hostkey=yes" to the git parameters, the key
will be automatically added to the known_hosts file.

Hopefully this makes the git module easier for our new users.
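
The "is this hostkey already known?" decision described in the post above can be sketched as follows. This is an added example, not code from the Ansible git module or from the original post; the function names, host names, salt and key blobs are constructed for illustration. It covers plain, hashed (HashKnownHosts) and [host]:port entries in a known_hosts file.

```python
import base64
import hashlib
import hmac


def hash_name(name, salt):
    """Build the first field of a hashed entry: |1|b64(salt)|b64(HMAC-SHA1(key=salt, msg=name))."""
    mac = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def field_matches(field, name):
    """Compare one known_hosts host field against the name ssh would look up."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|")
        expected = hmac.new(base64.b64decode(salt_b64), name.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(mac_b64))
    # Plain entry: comma-separated names (wildcard and negated patterns are not handled here).
    return name in field.split(",")


def host_is_known(known_hosts_text, host, port=22):
    # OpenSSH records a non-default port as [host]:port.
    name = host if port == 22 else "[%s]:%d" % (host, port)
    for line in known_hosts_text.splitlines():
        fields = line.split()
        # Skip blanks, comments and @cert-authority/@revoked marker lines.
        if len(fields) < 3 or fields[0].startswith(("#", "@")):
            continue
        if field_matches(fields[0], name):
            return True
    return False


# Constructed sample file; the key blobs are placeholders and are never parsed.
SAMPLE = "\n".join([
    "# constructed known_hosts",
    "git.example.com,192.0.2.10 ssh-rsa AAAAB3CONSTRUCTED",
    hash_name("hashed.example.com", b"constructed-salt-20b") + " ssh-ed25519 AAAAC3CONSTRUCTED",
    "[alt.example.com]:2222 ssh-rsa AAAAB3CONSTRUCTED",
])

if __name__ == "__main__":
    for h, p in [("git.example.com", 22), ("hashed.example.com", 22),
                 ("alt.example.com", 2222), ("unknown.example.com", 22)]:
        print(h, p, "known" if host_is_known(SAMPLE, h, p) else "UNKNOWN: fail early")
```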

Peter Gehres

Jan 11, 2014, 4:11:39 PM
to ansible...@googlegroups.com
> Hopefully this makes the git module easier for our new users.

It also makes it easier for us non-new users. Thanks!

--
Peter Gehres
Site Reliability Engineer | AppDynamics, Inc.

mi...@introlabs.net

Mar 25, 2014, 1:44:14 PM
to ansible...@googlegroups.com
Is anyone else having issues with this feature? If the host key is on the machine, my Ansible git checkout works perfectly.

If the host key isn't on the box, and even with accept_hostkey=yes, the checkout fails. I'm on Ansible 1.5.2.

Error is also ambiguous as it says set accept_hostkey to True!!

TASK: [webservers | checkout the site] **************************************** 

failed: [app01] => {"failed": true, "item": ""}

msg: intro.repositoryhosting.com has an unknown hostkey. Set accept_hostkey to True or manually add the hostkey prior to running the git module


FATAL: all hosts have already failed -- aborting

James Tanner

Mar 25, 2014, 5:17:37 PM
to ansible...@googlegroups.com
Can we see the yaml syntax and the -vvvv output for the failed task?


mi...@introlabs.net

Mar 25, 2014, 6:14:23 PM
to ansible...@googlegroups.com

TASK: [webservers | checkout the site] **************************************** 

<app01> ESTABLISH CONNECTION FOR USER: root

<app01> REMOTE_MODULE git repo=ssh:********@intro.repositoryhosting.com/intro/onsite.git dest=/var/www/onsite accept_hostkey=true

<app01> EXEC ['ssh', '-C', '-tt', '-vvv', '-o', 'ControlMaster=auto', '-o', 'ControlPersist=60s', '-o', 'ControlPath=/root/.ansible/cp/ansible-ssh-%h-%p-%r', '-o', 'Port=22', '-o', 'KbdInteractiveAuthentication=no', '-o', 'PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey', '-o', 'PasswordAuthentication=no', '-o', 'ConnectTimeout=10', 'app01', "/bin/sh -c 'mkdir -p $HOME/.ansible/tmp/ansible-tmp-1395785319.12-187266324329683 && echo $HOME/.ansible/tmp/ansible-tmp-1395785319.12-187266324329683'"]

<app01> PUT /tmp/tmptO5e80 TO /root/.ansible/tmp/ansible-tmp-1395785319.12-187266324329683/git

<app01> EXEC ['ssh', '-C', '-tt', '-vvv', '-o', 'ControlMaster=auto', '-o', 'ControlPersist=60s', '-o', 'ControlPath=/root/.ansible/cp/ansible-ssh-%h-%p-%r', '-o', 'Port=22', '-o', 'KbdInteractiveAuthentication=no', '-o', 'PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey', '-o', 'PasswordAuthentication=no', '-o', 'ConnectTimeout=10', 'app01', "/bin/sh -c '/usr/bin/python /root/.ansible/tmp/ansible-tmp-1395785319.12-187266324329683/git; rm -rf /root/.ansible/tmp/ansible-tmp-1395785319.12-187266324329683/ >/dev/null 2>&1'"]

failed: [app01] => {"failed": true, "item": ""}

msg: failed to add intro.repositoryhosting.com hostkey: getaddrinfo >>: Name or service not known



FATAL: all hosts have already failed -- aborting


PLAY RECAP ******************************************************************** 

           to retry, use: --limit @/root/webservers.retry


app01                      : ok=7    changed=0    unreachable=0    failed=1


yaml code is:

- name: checkout the site

  git: repo=ssh://g...@intro.repositoryhosting.com/intro/onsite.git dest={{ nginx_webroot }}/{{ app_name }} accept_hostkey=true


Just checked again... if I clone this repo on the host and accept the key, then run the playbook, it's fine. Remove the known_hosts and it bails out.

In the ansible.cfg the HostKeyChecking=False is commented out which I assume means it's on and the git accept_hostkey setting will be parsed.

James Tanner

Mar 25, 2014, 6:22:33 PM
to ansible...@googlegroups.com
Can the host resolve the fqdn?

- shell: nslookup intro.repositoryhosting.com
- shell: ssh-keyscan intro.repositoryhosting.com

Michael DeHaan

Mar 25, 2014, 6:26:00 PM
to ansible...@googlegroups.com
"I'm on Ansible 1.5.2"

Please definitely test on 1.5.3 if you can. 1.5.2 was released to fix one specific problem in the 1.5.1 line, but 1.5.3 fixes quite a bit more.

Nobody -- pretty much nobody -- should be running 1.5.2. It will yield unhappy things.

(Also, if you have issues on 1.5.3, I'd be interested in results on devel).




Michael Small

Mar 25, 2014, 6:37:50 PM
to ansible...@googlegroups.com
root@app01:~# nslookup  intro.repositoryhosting.com
Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
Address: 174.129.252.219
root@app01:~# ssh-keyscan intro.repositoryhosting.com
# intro.repositoryhosting.com SSH-2.0-OpenSSH_5.1p1 Debian-5
intro.repositoryhosting.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAtC70z+dO6++V+qMRE37WUMiGkuNVPdYG8mB/EsJ010YCbc/VeotkPTqinE+gX1EGvdBmZn3DYSK5Cqt4Mh/waBQHfiCK4Lm8BJyQ6vJQf+l8u1bL59pGuAk6XEpoa9nE1eWpXSr7UpENcV/iDi/8Xc5qYrTJgmlK8z8H0XWigwkIEP2DtgysU2swwsa7rcyNnrNzdKstezf7Gd7qEqb8yKnIirkxcV2Q9Kt2ERvl1h+j0miZlWPPiLSBPJi38VZdWPSp3qOBCqqDy4GuUNahXl7H3IvIa0CV0AFPzcoes+1VHmoZmaC1wzV7jmrxRFS7c80BDbwSQ625v9Wb75IWTQ==

Looks fine. Here’s the vvvv if I hop onto the box and clone the repo and accept the key manually. Then re-run the playbook.

TASK: [webservers | checkout the site] **************************************** 
<app01> ESTABLISH CONNECTION FOR USER: root
<app01> REMOTE_MODULE git repo=ssh:********@intro.repositoryhosting.com/intro/onsite.git dest=/var/www/onsite accept_hostkey=true
<app01> EXEC ['ssh', '-C', '-tt', '-vvv', '-o', 'ControlMaster=auto', '-o', 'ControlPersist=60s', '-o', 'ControlPath=/root/.ansible/cp/ansible-ssh-%h-%p-%r', '-o', 'Port=22', '-o', 'KbdInteractiveAuthentication=no', '-o', 'PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey', '-o', 'PasswordAuthentication=no', '-o', 'ConnectTimeout=10', 'app01', "/bin/sh -c 'mkdir -p $HOME/.ansible/tmp/ansible-tmp-1395786695.84-167115969213287 && echo $HOME/.ansible/tmp/ansible-tmp-1395786695.84-167115969213287'"]
<app01> PUT /tmp/tmpyHkG3V TO /root/.ansible/tmp/ansible-tmp-1395786695.84-167115969213287/git
<app01> EXEC ['ssh', '-C', '-tt', '-vvv', '-o', 'ControlMaster=auto', '-o', 'ControlPersist=60s', '-o', 'ControlPath=/root/.ansible/cp/ansible-ssh-%h-%p-%r', '-o', 'Port=22', '-o', 'KbdInteractiveAuthentication=no', '-o', 'PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey', '-o', 'PasswordAuthentication=no', '-o', 'ConnectTimeout=10', 'app01', "/bin/sh -c '/usr/bin/python /root/.ansible/tmp/ansible-tmp-1395786695.84-167115969213287/git; rm -rf /root/.ansible/tmp/ansible-tmp-1395786695.84-167115969213287/ >/dev/null 2>&1'"]
ok: [app01] => {"after": "41ce80a70ab048c46c306bf4a34f66fd61ebb979", "before": "41ce80a70ab048c46c306bf4a34f66fd61ebb979", "changed": false, "item": ""}
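
ssh-keyscan output such as the line pasted in the message above is not authenticated by itself, so a key collected this way is trusted on first use. The added example below (not from the thread or from Ansible; the host name, key blobs and function names are constructed) accepts a scanned line for known_hosts only when its fingerprint, in the SHA256 format printed by current `ssh-keygen -l`, matches a value obtained out of band.

```python
import base64
import hashlib


def fingerprint(keyscan_line):
    """Return the SHA256 fingerprint of one 'host keytype base64blob' line."""
    _host, _keytype, blob_b64 = keyscan_line.split()[:3]
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def verified_entries(keyscan_output, host, pinned_fingerprints):
    """Return the scanned lines for `host`, refusing any key that was not pinned."""
    accepted = []
    for line in keyscan_output.splitlines():
        # ssh-keyscan prints the server banner as a '#' comment line.
        if not line.strip() or line.startswith("#"):
            continue
        if line.split()[0] != host:
            continue
        if fingerprint(line) not in pinned_fingerprints:
            raise ValueError("host key for %s does not match a pinned fingerprint" % host)
        accepted.append(line)
    if not accepted:
        raise ValueError("no key returned for %s" % host)
    return accepted


# Constructed data: these blobs are not real SSH keys.
HOST = "git.example.com"
GOOD_BLOB = base64.b64encode(b"constructed key blob, not a real SSH key").decode()
OTHER_BLOB = base64.b64encode(b"constructed substitute blob").decode()
SCAN_OK = "# %s SSH-2.0-constructed\n%s ssh-rsa %s\n" % (HOST, HOST, GOOD_BLOB)
SCAN_SUBSTITUTED = "# %s SSH-2.0-constructed\n%s ssh-rsa %s\n" % (HOST, HOST, OTHER_BLOB)
# In practice this is a literal published by the hosting provider, not a computed value.
PINNED = {fingerprint("%s ssh-rsa %s" % (HOST, GOOD_BLOB))}

if __name__ == "__main__":
    print("append to known_hosts:", verified_entries(SCAN_OK, HOST, PINNED))
    try:
        verified_entries(SCAN_SUBSTITUTED, HOST, PINNED)
    except ValueError as err:
        print("refused:", err)
```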

Michael Small

Mar 25, 2014, 6:51:36 PM
to ansible...@googlegroups.com
OK this is no issue on 1.5.3. I was previously installed through apt-get and 1.5.2 seems to be the latest there. 1.5.3 via pip is all good.

