I have written a task for the ansible-xml module.
- name: Learning xml module
  xml:
    file: /var/lib/tomcat7/webapps/sme/WEB-INF/sme-servlet.xml
    xpath: //ref/[@abcd="test"]
I am getting the following error:
failed: [xxxx] => {"failed": true, "parsed": false}
BECOME-SUCCESS-ezlukfdsowbhzcovltxcovwmgbziywxu
OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 3: Applying options for *
debug1: auto-mux: Trying existing master
debug1: mux_client_request_session: master session id: 2
Shared connection to xxxx closed.
By default, ansible adds some options which override ssh_config options. Specifically, it adds:
-o ControlMaster=auto -o ControlPersist=60s -o ControlPath="/home/user/.ansible/cp/ansible-ssh-%h-%p-%r"
Figured that out by using -vvv with ansible-playbook.
How to fix:
You can override those options by specifying ssh_args in the [ssh_connection] section of your .ansible.cfg as specified here. Changing ssh_args doesn't actually change all of the args because Ansible also passes -C -tt -v -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o ConnectTimeout=10 and other options (e.g. -o PasswordAuthentication=no -o User=root), some of which are simply immutable defaults, and some of which depend on variables you've specified in the playbook.
Related
My Ansible task hangs. I use -vvvv, but nevertheless I can't see any useful information.
<coffee-and-sugar.club> ESTABLISH SSH CONNECTION FOR USER: root
<coffee-and-sugar.club> SSH: EXEC ssh -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="root"' -o ConnectTimeout=10 -o ControlPath=/home/guettli/.ansible/cp/544631aae4 -tt coffee-and-sugar.club '/bin/sh -c '"'"'/usr/bin/python3 /root/.ansible/tmp/ansible-tmp-1608394831.3465264-205483640933119/AnsiballZ_pip.py && sleep 0'"'"''
What can I do to see what is going on?
Is there a way to enable tracing (like set -x in a shell script)?
You can execute the python script on the remote server by hand. In my case this revealed the root-cause.
Example:
ssh root@remote
# /usr/bin/python3 /root/.ansible/tmp/ansible-tmp-1608394831.3465264-205483640933119/AnsiballZ_pip.py
The authenticity of host 'github.com (140.82.121.3)' can't be established.
RSA key fingerprint is SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8.
Are you sure you want to continue connecting (yes/no/[fingerprint])?
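The prompt above is what the module was blocked on: the remote host had no known_hosts entry for github.com. As an added example (not part of the original answer), the sketch below appends a host key to known_hosts only when its SHA256 fingerprint equals a pinned value. The function names and the sample key line are constructed for illustration, and the pinned value is the fingerprint from the prompt above, which in practice must be compared against the value the provider publishes.

```python
import base64
import hashlib
from pathlib import Path


def fingerprint(known_hosts_line):
    """OpenSSH-style SHA256 fingerprint of a 'host keytype base64' line."""
    _host, _keytype, blob_b64 = known_hosts_line.split()[:3]
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    # OpenSSH prints the digest as unpadded base64 after a "SHA256:" prefix.
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def pin_host_key(known_hosts_line, expected_fp, known_hosts_path):
    """Append the key to known_hosts only if it matches the pinned fingerprint."""
    if fingerprint(known_hosts_line) != expected_fp:
        return False  # mismatch: leave known_hosts untouched
    path = Path(known_hosts_path)
    existing = path.read_text().splitlines() if path.exists() else []
    if known_hosts_line not in existing:
        with path.open("a") as fh:
            fh.write(known_hosts_line + "\n")
    return True


# Fingerprint shown in the prompt quoted above, used here as the pinned value.
PINNED_FP = "SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8"

# Constructed sample line (not a real key), in the format ssh-keyscan prints.
SAMPLE_LINE = "github.com ssh-rsa " + base64.b64encode(
    b"\x00\x00\x00\x07ssh-rsa" + b"constructed-demo-key"
).decode()

if __name__ == "__main__":
    # The constructed key does not hash to the pinned value, so it is refused.
    print(fingerprint(SAMPLE_LINE))
    print(pin_host_key(SAMPLE_LINE, PINNED_FP, "known_hosts.demo"))
```

Seeding known_hosts this way before the play runs removes the interactive prompt without turning off StrictHostKeyChecking.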
I am trying to bootstrap my private IP instance with its NAT Gateway using the command below, but I am unable to bootstrap it.
$ knife bootstrap x.x.x.x --ssh-gateway x.x.x.x --ssh-user ec2-user --sudo --ssh-identity-file mypemfile.pem -N <nodename>
...
ERROR: Train::Transports::SSHFailed: SSH command failed (command timed out: ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o IdentitiesOnly=yes -o BatchMode=yes -o LogLevel=ERROR -o ForwardAgent=no -i mypemfile.pem root@x.x.x.x -p 22 -W x.x.x.x:22)
I am trying to run an Ansible job on a remote host. But for that to happen, I need to go through a proxy.
Proxy server is: 142.133.134.161
Proxy port is: 1088
My playbook is simple for now:
---
- hosts: LAB1
  tasks:
    - name: Copy file
      template: src=/tmp/file1 dest=/tmp/file1
My environment file is:
[LAB1]
10.169.99.189
10.169.99.190
My ansible.cfg file is:
Host 10.169.99.*
ProxyCommand nc -x 142.133.134.161:1088 %h %p
But when I run a job, it says "Connection timed out":
[root@vm1 ANSIBLE]# ansible -i /root/ANSIBLE/env/target LAB1 -m ping
10.169.99.190 | FAILED => SSH Error: ssh: connect to host 10.169.99.190 port 22: Connection timed out
while connecting to 10.169.99.190:22
It is sometimes useful to re-run the command using -vvvv, which prints SSH debug output to help diagnose the issue.
10.169.99.189 | FAILED => SSH Error: ssh: connect to host 10.169.99.189 port 22: Connection timed out
while connecting to 10.169.99.189:22
It is sometimes useful to re-run the command using -vvvv, which prints SSH debug output to help diagnose the issue.
When I run this in debug mode:
[root@vm1 ANSIBLE]# ansible -i /root/ANSIBLE/env/target LAB1 -m ping -vvvvv
<10.169.99.190> ESTABLISH CONNECTION FOR USER: msdp
<10.169.99.190> REMOTE_MODULE ping
<10.169.99.189> ESTABLISH CONNECTION FOR USER: msdp
<10.169.99.189> REMOTE_MODULE ping
<10.169.99.190> EXEC sshpass -d8 ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=60s -o ControlPath="/root/.ansible/cp/ansible-ssh-%h-%p-%r" -o StrictHostKeyChecking=no -o GSSAPIAuthentication=no -o PubkeyAuthentication=no -o User=msdp -o ConnectTimeout=10 10.169.99.190 /bin/sh -c 'mkdir -p $HOME/.ansible/tmp/ansible-tmp-1473612082.62-116308097993503 && echo $HOME/.ansible/tmp/ansible-tmp-1473612082.62-116308097993503'
<10.169.99.189> EXEC sshpass -d9 ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=60s -o ControlPath="/root/.ansible/cp/ansible-ssh-%h-%p-%r" -o StrictHostKeyChecking=no -o GSSAPIAuthentication=no -o PubkeyAuthentication=no -o User=msdp -o ConnectTimeout=10 10.169.99.189 /bin/sh -c 'mkdir -p $HOME/.ansible/tmp/ansible-tmp-1473612082.63-269107268980760 && echo $HOME/.ansible/tmp/ansible-tmp-1473612082.63-269107268980760'
10.169.99.189 | FAILED => SSH Error: ssh: connect to host 10.169.99.189 port 22: Connection timed out
while connecting to 10.169.99.189:22
It is sometimes useful to re-run the command using -vvvv, which prints SSH debug output to help diagnose the issue.
10.169.99.190 | FAILED => SSH Error: ssh: connect to host 10.169.99.190 port 22: Connection timed out
while connecting to 10.169.99.190:22
It is sometimes useful to re-run the command using -vvvv, which prints SSH debug output to help diagnose the issue.
This does not indicate that it is using the Proxy. Is that the issue here?
Given your ProxyCommand syntax is correct and you want to include it in the ansible.cfg, the correct syntax would be to add an argument to the ssh_args in the [ssh_connection] section of the file:
[ssh_connection]
ssh_args = -o ForwardAgent=yes -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o IdentitiesOnly=yes -o ControlMaster=auto -o ControlPersist=60s -o ProxyCommand="nc -x 142.133.134.161:1088 %h %p"
When running the playbook given in this answer with -vvv, I get the following log:
<192.168.1.109> SSH: EXEC ssh -C -q -o PasswordAuthentication=yes
-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null
-o ControlMaster=auto -o ControlPersist=60s
-o StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no
-o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey
-o PasswordAuthentication=no -o ConnectTimeout=120
-o ControlPath=/Users/techraf/.ansible/cp/ansible-ssh-%h-%p-%r 192.168.1.109
'/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo $HOME/.ansible/tmp/ansible-tmp-1469485176.18-28678795304310 `" && echo ansible-tmp-1469485176.18-28678795304310="` echo $HOME/.ansible/tmp/ansible-tmp-1469485176.18-28678795304310 `" ) && sleep 0'"'"''
The first part of SSH arguments is taken from ansible.cfg present in the current directory (which is what I intended):
[ssh_connection]
ssh_args = -o PasswordAuthentication=yes -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ControlMaster=auto -o ControlPersist=60s
Where does the second part:
-o StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no
-o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey
-o PasswordAuthentication=no -o ConnectTimeout=120
come from?
My objective is to run this playbook using password authentication, yet the latter group of arguments prevents it.
I have checked the following are cleared/non-existent:
/usr/local/etc/ansible/ansible.cfg (I am running Homebrew-installed Ansible on OS X)
$ANSIBLE_CONFIG environment variable
.ansible.cfg (in the home directory)
I am running Ansible 2.1.0.0.
By the time the connection's getting set up, it doesn't think you have a password set, so it's trying to remove that from the valid negotiation options. See the source for more detail, or ensure ansible_password is set on the host in question.
My objective is to run this playbook using password authentication, yet the latter group of arguments prevents it.
You need to add an additional parameter for Ansible to use password authentication:
-k, --ask-pass ask for connection password
Ansible will then prompt for your password once, then use that password for connecting to all servers in that run.
You generally should avoid using password auth for ssh. Not only is it annoying (you have to type the password in all the time), but it opens up your server to brute-force attacks; even if you block those using other means (e.g. fail2ban), it's still not a great idea. If you don't like having keys authenticate without any password, you can put a password on the keys and decrypt them on boot using an ssh agent.
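An added example (not part of the original posts and not Ansible's own code): it reads the `-o` options from an ssh command line as Ansible logs it, applies OpenSSH's rule that the first value obtained for an option is the one used, and reports whether the password method can still be offered and which risky settings are in effect. The function names are hypothetical; the two inputs are copied from the -vvv log in the question above (trimmed) and from the ssh_args line in the earlier ProxyCommand answer.

```python
import shlex

# Settings that weaken host authentication or expose credentials.
RISKY = {
    ("stricthostkeychecking", "no"): "unknown or changed host keys are accepted",
    ("userknownhostsfile", "/dev/null"): "verified host keys are never stored",
    ("forwardagent", "yes"): "the SSH agent is usable from the remote host",
}

def effective_options(command):
    """Map each -o option to its effective value (first occurrence wins)."""
    argv = shlex.split(command)
    opts = {}
    for flag, spec in zip(argv, argv[1:]):
        if flag == "-o":
            key, _, value = spec.partition("=")
            opts.setdefault(key.lower(), value.strip('"'))
    return opts

def password_auth_possible(opts):
    """True if the client would still offer the 'password' method."""
    if opts.get("passwordauthentication", "yes") == "no":
        return False
    preferred = opts.get("preferredauthentications")
    return preferred is None or "password" in preferred.split(",")

def risky_settings(opts):
    """Return a reason for every risky setting that is actually in effect."""
    return [f"{k}={v}: {why}" for (k, v), why in RISKY.items() if opts.get(k) == v]

# Copied from the -vvv log in the question above (ControlPath and remote command omitted).
LOGGED_COMMAND = (
    "ssh -C -q -o PasswordAuthentication=yes -o StrictHostKeyChecking=no "
    "-o UserKnownHostsFile=/dev/null -o ControlMaster=auto -o ControlPersist=60s "
    "-o StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no "
    "-o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey "
    "-o PasswordAuthentication=no -o ConnectTimeout=120 192.168.1.109"
)
# ssh_args copied from the earlier ProxyCommand answer on this page.
PROXY_ARGS = (
    "ssh -o ForwardAgent=yes -o StrictHostKeyChecking=no "
    "-o UserKnownHostsFile=/dev/null -o IdentitiesOnly=yes -o ControlMaster=auto "
    '-o ControlPersist=60s -o ProxyCommand="nc -x 142.133.134.161:1088 %h %p"'
)

if __name__ == "__main__":
    for cmd in (LOGGED_COMMAND, PROXY_ARGS):
        opts = effective_options(cmd)
        print(password_auth_possible(opts), risky_settings(opts))
```

For the logged command, PasswordAuthentication resolves to yes because the ssh_args value comes first, so what keeps the password method from being tried is the PreferredAuthentications list that follows it.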
I noticed Ansible removes the temporary script using a semi-colon to separate the bash commands.
Here is an example command:
EXEC ssh -C -tt -v -o ControlMaster=auto -o ControlPersist=60s -o
ControlPath="/Users/devuser/.ansible/cp/ansible-ssh-%h-%p-%r" -o
KbdInteractiveAuthentication=no -o
PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey
-o PasswordAuthentication=no -o ConnectTimeout=10 build /bin/sh -c
'LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python
/home/ec2-user/.ansible/tmp/ansible-tmp-1430847489.81-75617096172775/docker;
rm -rf
/home/ec2-user/.ansible/tmp/ansible-tmp-1430847489.81-75617096172775/
>/dev/null 2>&1'
Is there a way to tell ansible to replace the semi-colon with a double ampersand or to tell it to save the script or output the contents when running ansible-playbook?
I'm trying to debug an error in this script and right now the only thing that appears is this:
failed: [build] => {"changed": false, "failed": true}
msg: ConnectionError(ProtocolError('Connection aborted.', error(2, 'No such file or directory')),)
I found the environment variable -
export ANSIBLE_KEEP_REMOTE_FILES=1
Set this, then re-run ansible-playbook, and then ssh and cd over to ~/.ansible/tmp/ to find the files.