ansible does not see hosts (unreachable) - ansible

I have recently installed ansible
demaunt@demaunt-pc:~$ ansible --version
ansible 2.3.1.0
config file = /etc/ansible/ansible.cfg
configured module search path = Default w/o overrides
python version = 2.7.12 (default, Nov 19 2016, 06:48:10) [GCC 5.4.0 20160609]
I have added 2 lines into: /etc/ansible/hosts
[local]
192.168.1.102
and uncommented 1 line in ansible.cfg:
# uncomment this to disable SSH key host checking
host_key_checking = False
Still when I do:
ansible all -m ping
192.168.1.102 | UNREACHABLE! => {
"changed": false,
"msg": "Failed to connect to the host via ssh: Warning: Permanently added '192.168.1.102' (ECDSA) to the list of known hosts.\r\nPermission denied (publickey,password).\r\n",
"unreachable": true
}
1) Why is my localhost unreachable?
2) Why is this program so smart that it tries to connect via ssh even when this option was disabled?

To define localhost and use local connection instead of ssh, define hosts as follows:
[local]
localhost ansible_connection=local
This way we define local group with localhost host with local connection.

The option host_key_checking = False does not mean Ansible will not connect to hosts. It's an option related to the ssh option StrictHostKeyChecking (see the ssh_config man page).
Ansible needs to log into the host to perform the ping. Your local host at IP 192.168.1.102 is probably not running the sshd daemon, or some other issue is preventing the ssh login.
Suggest you review the documentation at http://docs.ansible.com/ansible/intro_configuration.html.
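Added example, not part of the original posts: the `msg` field of an UNREACHABLE result already shows how far the SSH session got, and in the question above it shows that a server answered on 192.168.1.102, that its host key was stored without verification, and that the failure was authentication. The sketch below (the names `triage`, `STAGES` and `SAMPLES` are illustrative) classifies that message and, going slightly beyond this thread, two other UNREACHABLE messages quoted further down the page.

```python
import re

# Ordered by how far the SSH session got before it stopped; the first
# pattern that matches names the stage.
STAGES = [
    ("tcp-connect", r"Connection (?:timed out|refused)|No route to host"),
    ("connection-dropped", r"Connection (?:reset|closed) by"),
    ("key-exchange", r"no matching (?:key exchange method|cipher|host key type) found"),
    ("host-key", r"Host key verification failed"),
    ("authentication", r"Permission denied \(([^)]*)\)"),
]
# ssh prints this when it stores a host key it had never seen before; with
# host_key_checking = False that happens without anyone verifying the key.
AUTO_ADDED = re.compile(r"Permanently added '([^']+)' \((\w+)\)")


def triage(msg):
    """Classify the 'msg' field of an Ansible UNREACHABLE result."""
    report = {"stage": "unknown", "server_offers": [], "unverified_host_key": None}
    added = AUTO_ADDED.search(msg)
    if added:
        report["unverified_host_key"] = (added.group(1), added.group(2))
    for stage, pattern in STAGES:
        hit = re.search(pattern, msg)
        if hit:
            report["stage"] = stage
            if stage == "authentication":
                # sshd answered and listed the methods it still accepts.
                report["server_offers"] = hit.group(1).split(",")
            break
    return report


# 'msg' strings quoted on this page.
SAMPLES = {
    "192.168.1.102": "Failed to connect to the host via ssh: Warning: Permanently "
                     "added '192.168.1.102' (ECDSA) to the list of known hosts.\r\n"
                     "Permission denied (publickey,password).\r\n",
    "172.31.24.10": "Failed to connect to the host via ssh: ssh: connect to host "
                    "172.31.24.10 port 22: Connection timed out",
    "<remote-server-ip>": "Failed to connect to the host via ssh: Couldn't read "
                          "packet: Connection reset by peer\r\n",
}

if __name__ == "__main__":
    for host, msg in SAMPLES.items():
        print(host, triage(msg))
```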

Related

Ansible SSH and Playbook

The current version of Ubuntu I have is 20.10, and the version of Ansible is 2.9.9.
I have Eve NG with Cisco VIRL Routers on IOS 15.6
First I found that Ubuntu was unable to SSH to the Cisco router, due to "no matching key exchange method found. Their offer: diffie-hellman-group1-sha1". I found a workaround using the ~/.ssh/config file, using the following link
~/.ssh/config file:
Host 192.168.100.2
    KexAlgorithms=+diffie-hellman-group1-sha1
Host 192.168.100.3
    KexAlgorithms=+diffie-hellman-group1-sha1
Now I am trying to deploy my first playbook.
When I try to run the playbook I get the following error:
fatal: [CSR-1]: FAILED! => {"changed": false, "msg": "Connection type ssh is not valid for this module"}
fatal: [CSR-2]: FAILED! => {"changed": false, "msg": "Connection type ssh is not valid for this module"}
I can SSH from Ubuntu to each router as I used ~/.ssh/config, but I don't know how to make sure Ansible uses the ~/.ssh/config file.
I tried ssh_args = -F /home/a/.ssh/config (the location of the SSH file) in the ansible.cfg file, but cannot seem to get it working.
I have spent several hours Googling around, but cannot find a fix.
ansible.cfg
[defaults]
inventory =./host
host_key_checking = False
retry_files_enabled = False
gathering = explicit
Interpreter_python = /usr/bin/python3
ssh_args = -F /home/n/etc/ssh/ssh_config.d/*.conf
Playbook:
- hosts: CSR_Routers
  tasks:
    - name: Show Version
      ios_command:
        commands: show version
all.yml:
ansible_user: "cisco"
ansible_ssh_pass: "cisco"
ansible_connection: "ssh"
ansible_network_os: "iso"
ansbile_connection: "network_cli"
If you look into the documentation, you'll see that you don't use SSH as the connection type, but network_cli. So you don't talk to the device via default ssh, but via network_cli. Put that as a host-specific var into your inventory.
all:
  hosts:
    CSR_01:
      ansible_host: 192.168.100.2
      ansible_connection: "network_cli"
      ansible_network_os: "ios"
      ansible_user: "cisco"
      ansible_password: "cisco"
      ansible_become: yes
      ansible_become_method: enable
      ansible_become_password: "cisco"
  children:
    CSR_Routers:
      hosts:
        CSR_01:
Based on your playbook, this inventory contains a group "CSR_Routers" and the only device on it is CSR_01 with IP 192.168.100.2. The connection type of that device is not ssh but network_cli.
Remove the ssh_args from your ansible.cfg.
Remove ansible_ssh_pass, ansible_connection, ansible_user, ansible_network_os, ansbile_connection from your all.yml. This should be host specific (be aware of other devices in your inventory that are not an IOS device).
So you call your playbook with:
ansible-playbook -i inventory.yaml playbook.yml
Also - have a look at the IOS specific documentation in Ansible
SSH FIX - after posted in Reddit
nano /etc/ssh/ssh_config
KexAlgorithms +diffie-hellman-group1-sha1
Ciphers +aes256-cbc,aes192-cbc,aes128-cbc,3des-cbc
systemctl restart ssh
nano /etc/ansible/ansible.cfg
[defaults]
host_key_checking=False
timeout = 30
Video with details
https://www.youtube.com/playlist?app=desktop&list=PLov64niDpWBId50D_wuraYWuQ-d02PiR1
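Added example, not part of the original posts: the two SSH workarounds in this thread differ in scope. The ~/.ssh/config version re-enables diffie-hellman-group1-sha1 only for the two routers, while the /etc/ssh/ssh_config lines re-enable it and the CBC ciphers for every host the control machine connects to. The sketch below (function names and the two sample strings are constructed from the snippets above) parses OpenSSH client configuration and reports the Host scope under which each of those legacy algorithms is enabled.

```python
# Algorithms named in this thread that current OpenSSH no longer offers by default.
LEGACY = {
    "kexalgorithms": {"diffie-hellman-group1-sha1"},
    "ciphers": {"aes256-cbc", "aes192-cbc", "aes128-cbc", "3des-cbc"},
}


def legacy_scope(config_text):
    """Map each Host scope to the legacy algorithms it enables."""
    scope = "*"  # options before the first Host line apply to every host
    findings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # ssh_config accepts both "Keyword value" and "Keyword=value".
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key in ("host", "match"):
            scope = value if key == "host" else "match " + value.lower()
        elif key in LEGACY and not value.startswith("-"):
            # "+list" appends to the defaults, "^list" prepends,
            # a bare list replaces them; "-list" only removes.
            names = {n.strip() for n in value.lstrip("+^").split(",")}
            hits = sorted(LEGACY[key] & names)
            if hits:
                findings.setdefault(scope, []).extend(hits)
    return findings


def global_findings(config_text):
    """Keep only the findings that apply to every destination."""
    return {s: a for s, a in legacy_scope(config_text).items()
            if "*" in s.split() or s == "match all"}


# Constructed from the two snippets in this thread.
PER_HOST = """Host 192.168.100.2
    KexAlgorithms=+diffie-hellman-group1-sha1
Host 192.168.100.3
    KexAlgorithms=+diffie-hellman-group1-sha1
"""
SYSTEM_WIDE = """KexAlgorithms +diffie-hellman-group1-sha1
Ciphers +aes256-cbc,aes192-cbc,aes128-cbc,3des-cbc
"""

if __name__ == "__main__":
    print("per-host file, global findings:", global_findings(PER_HOST))
    print("system-wide file, global findings:", global_findings(SYSTEM_WIDE))
```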

Launching Ansible playbook to communicate with Windows host fails without sudo rights

I'm setting up an Ansible server running on CentOS 7 (with AWX as User Interface) and I want to communicate with a few windows hosts to perform basic package manipulation.
As a first approach, I'm using NTLM to communicate with my hosts (Basic Auth is disabled by the sysadmin).
However, I noticed that my playbooks fail to run when I launch ansible-playbook without sudo privileges.
I've already checked the TCP stream in both cases. And it seems that when it fails (i.e. without sudo rights) the server doesn't even start to communicate with the host. As if it failed without even trying (despite telling otherwise).
It's not a matter of firewall, since I am able to access the wsman endpoint with curl.
I've also checked the Windows account's rights (as was suggested for a similar problem), but everything that's needed was already there.
My playbook is this very simple taskless file:
- hosts: win
  vars:
    ansible_user: ansible_admin
    ansible_connection: winrm
    ansible_winrm_server_cert_validation: ignore
    ansible_port: 5985
    ansible_winrm_transport: ntlm
I've checked with and without tasks (like win_ping) and the ansible_winrm_server_cert_validation variable.
My /etc/ansible/hosts file is this one:
[win]
192.168.0.42
[localhost]
127.0.0.1
Here's what I get when I run the playbook without sudo rights:
$ ansible-playbook helloworld.yml --ask-pass -vvvvv
ansible-playbook 2.7.9
config file = /etc/ansible/ansible.cfg
configured module search path = [u'/var/lib/awx/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python2.7/site-packages/ansible
executable location = /usr/bin/ansible-playbook
python version = 3.6.7 (default, Dec 5 2018, 15:02:05) [GCC 4.8.5 20150623 (Red Hat 4.8.5-36)]
Using /etc/ansible/ansible.cfg as config file
SSH password:
setting up inventory plugins
/etc/ansible/hosts did not meet host_list requirements, check plugin documentation if this is unexpected
Set default localhost to 127.0.0.1
Parsed /etc/ansible/hosts inventory source with ini plugin
Loading callback plugin default of type stdout, v2.0 from /usr/lib/python3.6/site-packages/ansible/callback/default.py
PLAYBOOK: hello_world.yml ******************************************************
1 plays in hello_world.yml
PLAY [win] ******************************************************
TASK [Gathering Facts] *********************************************************
task path: /home/ansible/playbooks/hello_world.yml:1
Using module file /usr/lib/python3.6/site-packages/ansible/modules/windows/setup.ps1
<192.168.0.42> ESTABLISH WINRM CONNECTION FOR USER: ansible_admin on PORT 5985 TO 192.168.0.42
checking if winrm_host 192.168.0.42 is an IPv6 address
<192.168.0.42> WINRM CONNECT: transport=ntlm endpoint=http://192.168.0.42:5985/wsman
<192.168.0.42> WINRM CONNECTION ERROR: the specified credentials were rejected by the server
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/ansible/plugins/connection/winrm.py", line 402, in _winrm_connect
    self.shell_id = protocol.open_shell(codepage=65001) # UTF-8
  File "/usr/lib/python3.6/site-packages/winrm/protocol.py", line 157, in open_shell
    res = self.send_message(xmltodict.unparse(req))
  File "/usr/lib/python3.6/site-packages/winrm/protocol.py", line 234, in send_message
    resp = self.transport.send_message(message)
  File "/usr/lib/python3.6/site-packages/winrm/transport.py", line 243, in send_message
    self.build_session()
  File "/usr/lib/python3.6/site-packages/winrm/transport.py", line 232, in build_session
    self.setup_encryption()
  File "/usr/lib/python3.6/site-packages/winrm/transport.py", line 238, in setup_encryption
    self._send_message_request(prepared_request, '')
  File "/usr/lib/python3.6/site-packages/winrm/transport.py", line 266, in _send_message_request
    raise InvalidCredentialError("the specified credentials were rejected by the server")
winrm.exceptions.invalidCredentialError: the specified credentials were rejected by the server
fatal: [192.168.0.42]: UNREACHABLE! => {
"changed": false,
"msg": "ntlm: the specified credentials were rejected by the server",
"unreachable": true
}
to retry, use: --limit @/home/ansible/playbooks/hello_world.retry
PLAY RECAP *********************************************************************
192.168.0.42 : ok=0 changed=0 unreachable=1 failed=0
But when I run the playbook with sudo rights, this works just fine
$ sudo ansible-playbook helloworld.yml --ask-pass -vvvvv
ansible-playbook 2.7.9
config file = /etc/ansible/ansible.cfg
configured module search path = [u'/var/lib/awx/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python2.7/site-packages/ansible
executable location = /usr/bin/ansible-playbook
python version = 3.6.7 (default, Dec 5 2018, 15:02:05) [GCC 4.8.5 20150623 (Red Hat 4.8.5-36)]
Using /etc/ansible/ansible.cfg as config file
SSH password:
setting up inventory plugins
/etc/ansible/hosts did not meet host_list requirements, check plugin documentation if this is unexpected
Set default localhost to 127.0.0.1
Parsed /etc/ansible/hosts inventory source with ini plugin
Loading callback plugin default of type stdout, v2.0 from /usr/lib/python3.6/site-packages/ansible/callback/default.py
PLAYBOOK: hello_world.yml ******************************************************
1 plays in hello_world.yml
PLAY [win] ******************************************************
TASK [Gathering Facts] *********************************************************
task path: /home/ansible/playbooks/hello_world.yml:1
Using module file /usr/lib/python3.6/site-packages/ansible/modules/windows/setup.ps1
<192.168.0.42> ESTABLISH WINRM CONNECTION FOR USER: ansible_admin on PORT 5985 TO 192.168.0.42
checking if winrm_host 192.168.0.42 is an IPv6 address
<192.168.0.42> WINRM CONNECT: transport=ntlm endpoint=http://192.168.0.42:5985/wsman
<192.168.0.42> WINRM OPEN SHELL: E04DA2D8-15E4-4B28-A079-A5C795B612C5
EXEC (via pipeline wrapper)
<192.168.0.42> WINRM EXEC 'Powershell' ['-NoProfile', '-NonInteractive', '-ExecutionPolicy', 'Unrestricted', '-EncodedCommand', '<-- Very long string here -->']
<192.168.0.42> WINRM RESULT '<Response code 1, out "{"changed":false,"an", err "#< CLIXML\r\n<Objs Ver">'
<192.168.0.42> WINRM CLOSE SHELL: E04DA2D8-15E4-4B28-A079-A5C795B612C5
ok: [192.168.0.42]
PLAY RECAP *********************************************************************
192.168.0.42 : ok=1 changed=0 unreachable=0 failed=0
Does someone have an explanation for this?
Or, as a workaround, is it possible to run a playbook on AWX with sudo privileges?
Edit: Added output with extra verbosity
If you're using AWX, you need to check your credentials correctly, especially on Privilege Escalation Method, if you want to specify the type of escalation privilege to assign to specific users.

How to add remote hosts in Ansible AWX/Tower?

I'm setting up Ansible AWX and so far it's been working nicely.
Although when I'm trying to add remote hosts (e.g. hosts that are NOT localhost) the playbook fails, even though it's possible to ssh from the machine running AWX to the nodes.
The node to be configured was added to an inventory, and under the inventory I added it as a host. I used the IP address as the hostname:
Then run the job:
If I try to run ansible -m ping all from the CLI:
root@node1:/home/ubuntu# ansible -m ping all
...
10.212.137.189 | SUCCESS => {
"changed": false,
"ping": "pong"
}
...
It seems a problem related to ssh credentials.
Have you correctly configured credentials on AWX/Tower?
You need to configure a credential of type "Machine"; follow the documentation here: Ansible Tower User Guide - Credentials
From ansible command line you can ping hosts because probably you have already copied ssh-keys on remote hosts, but AWX/Tower settings are independent from it.

How to fix "Could not match supplied host pattern, ignoring: bigip" errors, works in Ansible, NOT Tower

I am running Ansible Tower v3.4.1 with Ansible v2.7.6 on an ubuntu 16.04 VM running on VirtualBox. I run a playbook that works when I run it from the command line using "ansible-playbook" but fails when I try to run it from Ansible Tower. I know I must have something misconfigured in ansible tower but I can't find it.
I get this warning no matter what changes I make to the inventory (hosts) file.
$ ansible-playbook 2.7.6
config file = /etc/ansible/ansible.cfg
configured module search path = [u'/var/lib/awx/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python2.7/dist-packages/ansible
executable location = /usr/bin/ansible-playbook
python version = 2.7.12 (default, Nov 12 2018, 14:36:49) [GCC 5.4.0 20160609]
Using /etc/ansible/ansible.cfg as config file
SSH password:
**/tmp/awx_74_z6yJB4/tmpVlXGCX did not meet host_list requirements**, check plugin documentation if this is unexpected
Parsed /tmp/awx_74_z6yJB4/tmpVlXGCX inventory source with script plugin
PLAYBOOK: addpool.yaml *********************************************************
1 plays in addpool.yaml
[WARNING]: **Could not match supplied host pattern, ignoring: bigip**
PLAY [Sample pool playbook] ****************************************************
17:05:43
skipping: no hosts matched
I have enabled inventory plugins for YAML, and made my hosts file into a hosts.yml file.
Here's my hosts file:
192.168.68.253
192.168.68.254
192.168.1.165
[centos]
dad2 ansible_ssh_host=192.168.1.165
[bigip]
bigip1 ansible_host=192.168.68.254
bigip2 ansible_host=192.168.68.253
Here's my playbook:
---
- name: Sample pool playbook
  hosts: bigip
  connection: local
  tasks:
    - name: create web servers pool
      bigip_pool:
        name: web-servers2
        lb_method: ratio-member
        password: admin
        user: admin
        server: '{{inventory_hostname}}'
        validate_certs: no
I replaced hosts: bigip with hosts: all and specified the inventory in Tower as bigip which contains only the two hosts I want to change. This seems to provide the output I am looking for.
For the ansible-playbook command line, I added --limit bigip and this seems to provide the output I am looking for.
So things appear to be working, I just don't know whether this is best practice use.
If you get the error below while running a playbook with the command
ansible-playbook -i test-project/inventory.txt playbook.yml
{"changed": false, "msg": "Failed to connect to the host via ssh: ssh: connect to host 172.31.24.10 port 22: Connection timed out", "unreachable": true}
The solution is to add, in the file ansible.cfg:
[defaults]
inventory=/etc/ansible/hosts
I think you need to remove the connection: local.
You have specified in hosts: bigip that you want these tasks to only run on hosts in the bigip group. You then specify connection: local which causes the task to run on the controller node (i.e. localhost), rather than the nodes in the bigip group. Localhost is not a member of the bigip group, and so none of the tasks in the play will trigger.
Check for special characters in the absolute path of the hosts file or playbook. In case you directly copied the path from PuTTY, try to copy and paste it from Notepad or any editor.
For me the issue was the format of the /etc/ansible/hosts file. You should use the :children suffix in order to use groups of groups like this:
[dev1]
dev_1 ansible_ssh_host=192.168.1.55 ansible_connection=ssh ansible_ssh_user={{username}} ansible_ssh_pass={{password}}
[dev2]
dev_2 ansible_ssh_host=192.168.1.68 ansible_connection=ssh ansible_ssh_user={{username}} ansible_ssh_pass={{password}}
[devs:children]
dev1
dev2
Reference: here

Ansible test hosts fails

Just starting out with Ansible. I configured the hosts file like this:
[webserver]
<remote-server-ip> ansible_user=<user> ansible_private_key_file=<full-path-to-private-ssh-key>
When I run:
ansible all -m ping
I get:
<remote-server-ip> | UNREACHABLE! => {
"changed": false,
"msg": "Failed to connect to the host via ssh: Couldn't read packet: Connection reset by peer\r\n",
"unreachable": true
I can connect with no issues if I run:
ssh -i <full-path-to-private-ssh-key> <user>@<remote-server-ip>
Notes:
There is no password on the SSH key.
The project is located at ~/my_project_name.
I also tried using ansible_connection=local, and while ansible all -m ping appeared to work, in reality all it does is allow me to execute tasks that modify the host machine Ansible is running on.
The ansible.cfg file has not been modified, though it is in a different directory: /etc/ansible/ansible.cfg.
Ansible by default tries to connect to localhost through ssh. For localhost, set the ansible_connection to local in your hosts file, as shown below.
<remote-server-ip> ansible_connection=local ansible_user=<user> ansible_private_key_file=<full-path-to-private-ssh-key>
Refer to this documentation for more details.
Hope this helps!
I think I saw this earlier, can you try adding below in the hosts file and see if that works
ansible_connection=ssh ansible_port=22
I figured out that this is an issue with the version of Ansible I was using (2.3.1). Using version 2.2.0.0 works with no problems.
