Re: [ansible-project] hostkey enhancements to the git module

[Michael Small]

root@app01:~# nslookup  intro.repositoryhosting.com
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
intro.repositoryhosting.com     canonical name = 
na-va-app-1.repositoryhosting.com.
Name:   na-va-app-1.repositoryhosting.com
Address: 174.129.252.219

root@app01:~# host intro.repositoryhosting.com
intro.repositoryhosting.com is an alias for na-va-app-1.repositoryhosting.com.
na-va-app-1.repositoryhosting.com has address 174.129.252.219

root@app01:~# ssh-keyscan intro.repositoryhosting.com
# intro.repositoryhosting.com SSH-2.0-OpenSSH_5.1p1 Debian-5
intro.repositoryhosting.com ssh-rsa 
AAAAB3NzaC1yc2EAAAABIwAAAQEAtC70z+dO6++V+qMRE37WUMiGkuNVPdYG8mB/EsJ010YCbc/VeotkPTqinE+gX1EGvdBmZn3DYSK5Cqt4Mh/waBQHfiCK4Lm8BJyQ6vJQf+l8u1bL59pGuAk6XEpoa9nE1eWpXSr7UpENcV/iDi/8Xc5qYrTJgmlK8z8H0XWigwkIEP2DtgysU2swwsa7rcyNnrNzdKstezf7Gd7qEqb8yKnIirkxcV2Q9Kt2ERvl1h+j0miZlWPPiLSBPJi38VZdWPSp3qOBCqqDy4GuUNahXl7H3IvIa0CV0AFPzcoes+1VHmoZmaC1wzV7jmrxRFS7c80BDbwSQ625v9Wb75IWTQ==

Looks fine. Here's the vvvv if I hop onto the box and clone the repo and accept 
the key manually. Then re-run the playbook.

TASK: [webservers | checkout the site] **************************************** 
<app01> ESTABLISH CONNECTION FOR USER: root
<app01> REMOTE_MODULE git 
repo=ssh:********@intro.repositoryhosting.com/intro/onsite.git 
dest=/var/www/onsite accept_hostkey=true
<app01> EXEC ['ssh', '-C', '-tt', '-vvv', '-o', 'ControlMaster=auto', '-o', 
'ControlPersist=60s', '-o', 
'ControlPath=/root/.ansible/cp/ansible-ssh-%h-%p-%r', '-o', 'Port=22', '-o', 
'KbdInteractiveAuthentication=no', '-o', 
'PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey', 
'-o', 'PasswordAuthentication=no', '-o', 'ConnectTimeout=10', 'app01', "/bin/sh 
-c 'mkdir -p $HOME/.ansible/tmp/ansible-tmp-1395786695.84-167115969213287 && 
echo $HOME/.ansible/tmp/ansible-tmp-1395786695.84-167115969213287'"]
<app01> PUT /tmp/tmpyHkG3V TO 
/root/.ansible/tmp/ansible-tmp-1395786695.84-167115969213287/git
<app01> EXEC ['ssh', '-C', '-tt', '-vvv', '-o', 'ControlMaster=auto', '-o', 
'ControlPersist=60s', '-o', 
'ControlPath=/root/.ansible/cp/ansible-ssh-%h-%p-%r', '-o', 'Port=22', '-o', 
'KbdInteractiveAuthentication=no', '-o', 
'PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey', 
'-o', 'PasswordAuthentication=no', '-o', 'ConnectTimeout=10', 'app01', "/bin/sh 
-c '/usr/bin/python 
/root/.ansible/tmp/ansible-tmp-1395786695.84-167115969213287/git; rm -rf 
/root/.ansible/tmp/ansible-tmp-1395786695.84-167115969213287/ >/dev/null 2>&1'"]
ok: [app01] => {"after": "41ce80a70ab048c46c306bf4a34f66fd61ebb979", "before": 
"41ce80a70ab048c46c306bf4a34f66fd61ebb979", "changed": false, "item": ""}

On 25 Mar 2014, at 22:22, James Tanner <tanner...@gmail.com> wrote:

Can the host resolve the fqdn?

- shell: nslookup intro.repositoryhosting.com
- shell: host intro.repositoryhosting.com
- shell: sshkeyscan intro.repositoryhost.com

On Mar 25, 2014, at 6:14 PM, m...@introlabs.net wrote:

> TASK: [webservers | checkout the site] 
> **************************************** 
> <app01> ESTABLISH CONNECTION FOR USER: root
> <app01> REMOTE_MODULE git 
> repo=ssh:********@intro.repositoryhosting.com/intro/onsite.git 
> dest=/var/www/onsite accept_hostkey=true
> <app01> EXEC ['ssh', '-C', '-tt', '-vvv', '-o', 'ControlMaster=auto', '-o', 
> 'ControlPersist=60s', '-o', 
> 'ControlPath=/root/.ansible/cp/ansible-ssh-%h-%p-%r', '-o', 'Port=22', '-o', 
> 'KbdInteractiveAuthentication=no', '-o', 
> 'PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey', 
> '-o', 'PasswordAuthentication=no', '-o', 'ConnectTimeout=10', 'app01', 
> "/bin/sh -c 'mkdir -p 
> $HOME/.ansible/tmp/ansible-tmp-1395785319.12-187266324329683 && echo 
> $HOME/.ansible/tmp/ansible-tmp-1395785319.12-187266324329683'"]
> <app01> PUT /tmp/tmptO5e80 TO 
> /root/.ansible/tmp/ansible-tmp-1395785319.12-187266324329683/git
> <app01> EXEC ['ssh', '-C', '-tt', '-vvv', '-o', 'ControlMaster=auto', '-o', 
> 'ControlPersist=60s', '-o', 
> 'ControlPath=/root/.ansible/cp/ansible-ssh-%h-%p-%r', '-o', 'Port=22', '-o', 
> 'KbdInteractiveAuthentication=no', '-o', 
> 'PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey', 
> '-o', 'PasswordAuthentication=no', '-o', 'ConnectTimeout=10', 'app01', 
> "/bin/sh -c '/usr/bin/python 
> /root/.ansible/tmp/ansible-tmp-1395785319.12-187266324329683/git; rm -rf 
> /root/.ansible/tmp/ansible-tmp-1395785319.12-187266324329683/ >/dev/null 
> 2>&1'"]
> failed: [app01] => {"failed": true, "item": ""}
> msg: failed to add intro.repositoryhosting.com hostkey: getaddrinfo >>: Name 
> or service not known
> 
> 
> FATAL: all hosts have already failed -- aborting
> 
> PLAY RECAP 
> ******************************************************************** 
>            to retry, use: --limit @/root/webservers.retry
> 
> app01                      : ok=7    changed=0    unreachable=0    failed=1
> 
> yaml code is:
> 
> - name: checkout the site
>   git: repo=ssh://g...@intro.repositoryhosting.com/intro/onsite.git dest={{ 
> nginx_webroot }}/{{ app_name }} accept_hostkey=true
> 
> Just checked again... if I clone this repo on the host and accept the key 
> then run the playbook it's fine. remove the known_hosts and it bails out.
> 
> In the ansible.cfg the HostKeyChecking=False is commented out which I assume 
> means it's on and the git accept_hostkey setting will be parsed.
> 
> On Tuesday, March 25, 2014 9:17:37 PM UTC, James Tanner wrote:
> Can we see the yaml syntax and the -vvvv output for the failed task?
> 
> On Mar 25, 2014, at 1:44 PM, mi...@introlabs.net wrote:
> 
>> Is anyone else having issues with this feature. If the host key is on the 
>> machine my Ansible git checkout works perfectly.
>> 
>> If the host key isn't on the box and even with accept_hostkey=yes the 
>> checkout fails. I'm on Ansible 1.5.2
>> 
>> Error is also ambiguous as it says set accept_hostkey to True!!
>> 
>> TASK: [webservers | checkout the site] 
>> **************************************** 
>> failed: [app01] => {"failed": true, "item": ""}
>> msg: intro.repositoryhosting.com has an unknown hostkey. Set accept_hostkey 
>> to True or manually add the hostkey prior to running the git module
>> 
>> FATAL: all hosts have already failed -- aborting
>> 
>> 
>> 
>> On Saturday, January 11, 2014 4:34:12 PM UTC, James Tanner wrote:
>> I created a new feature in the git module to help with hostkey 
>> management and prevent task hangs with unknown keys: 
>> 
>> https://github.com/ansible/ansible/commit/8665b0638a1d3a70f985126b0f007a26c81273cb
>>  
>> https://github.com/ansible/ansible/commit/eeee1e1c5aa9dd4f84175966e0f9e467fd7fc600
>>  
>> 
>> The module should fail early on if the hostkey is unknown instead of 
>> hanging indefinitely. 
>> 
>> If the user adds "accept_hostkey=yes" to the git parameters, the key 
>> will be automatically 
>> added to the known_hosts file. 
>> 
>> Hopefully this makes the git module easier for our new users. 
>> 
>> -- 
>> You received this message because you are subscribed to the Google Groups 
>> "Ansible Project" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to ansible-proje...@googlegroups.com.
>> To post to this group, send email to ansible...@googlegroups.com.
>> To view this discussion on the web visit 
>> https://groups.google.com/d/msgid/ansible-project/6bb95a06-bc62-4745-9466-8ea5778698ae%40googlegroups.com.
>> For more options, visit https://groups.google.com/d/optout.
> 
> 
> -- 
> You received this message because you are subscribed to the Google Groups 
> "Ansible Project" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to ansible-project+unsubscr...@googlegroups.com.
> To post to this group, send email to ansible-project@googlegroups.com.
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/ansible-project/e48e9e39-579c-425c-b5c4-caad6c365f43%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.


-- 
You received this message because you are subscribed to a topic in the Google 
Groups "Ansible Project" group.
To unsubscribe from this topic, visit 
https://groups.google.com/d/topic/ansible-project/d5OVhIWQ8AI/unsubscribe.
To unsubscribe from this group and all its topics, send an email to 
ansible-project+unsubscr...@googlegroups.com.
To post to this group, send email to ansible-project@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/9AA31C99-8A00-4D5A-AE23-F22FFEF7D26C%40gmail.com.
For more options, visit https://groups.google.com/d/optout.

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ansible-project+unsubscr...@googlegroups.com.
To post to this group, send email to ansible-project@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/66C25FF0-E613-4C09-8939-740C2200CFF4%40introlabs.net.
For more options, visit https://groups.google.com/d/optout.