Key permissions are ok. I can manually sudo to that host, but cannot clone
the repo manually, either. I don't think there's any SSH misconfig. I ran
the ansible playbook in verbose mode (-vvv) to look at the execution
statement where it breaks and here it is:
TASK [Clone cots_lfs repo]
*******************************************************************************************************************************************************************************************************************************
...
<ip.addr> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o
KbdInteractiveAuthentication=no -o
PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey
-o PasswordAuthenticateion=no -o ConnectTimeout=1$
<ip.addr> (l, b'\r\n{"exception": "WARNING: The below traceback may *not*
be related to the actual failure.\\n File
\\"/tmp/ansible_git_payload_E2Aium/ansible_git_payload.zip/ansible/modules/source_control/git.py\\",
line 461, in $
<ip.addr> Failed to connect to the host via SSH: FIPS mode initialized
Shared connection to <ip.addr> closed.
<ip.addr> ESTABLISH CONNECTION FOR USER: None
<ip.addr> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o
KbdInteractiveAuthentication=no -o
PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey
-o PasswordAuthenticateion=no -o ConnectTimeout=1$
<ip.addr> (0, b' ', b'FIPS mode initialized\r\n')
The full traceback is:
WARNING: The below traceback may *not* be realated to the actual failure.
File
"/tmp/ansible_git_payload_E2Aium/ansible_git_payload.zip/ansible/modules/source_control/git.py\\",
line 461, in clone
File "/usr/lib64/python2.7/os.py", line 157, in mkdirs
mkdir(name, mode)
fatal: [Host]: FAILED! => {
"changed": false,
"cmd": "/usr/bin/git clone --origin 'ssh://<url> /local_path",
"invocation": {
"module_args": {
"accept_hostkey": false,
"archive": null,
"bare": false,
"clone": true,
"depth": null,
"dest": "/local_path",
"executable": null,
"archive": null,
...
}
},
"msg": "FIPS mode initialized\r\nDisabling GSSAPIKeyExchange.
Not usable in FIPS mode\r\nPermissions denied (publickey).\r\nfatal: Could
not read from remote repository.\n\nPlease make sure you have the correct
access rights\nand the $
"rc": 128,
"stderr": "FIPS mode initialized\r\nDisabling
GSSAPIKeyExchange. Not usable in FIPS mode\r\nPermissions denied
(publickey).\r\nfatal: Could not read from remote repository.\n\nPlease
make sure you have the correct access rights\nand the $
"stderr_lines": [
"FIPS mode initialized",
"Disabling GSSAPIKeyExchange. Not usable in FIPS mode
"Permissions denied (publickey).",
"fatal: Could not read from remote repository.",
"",
"Please make sure you have the correct access rights"'
"and the repository exists."
],
"stdout": "Cloning into '/local_path'...\n",
"stdout_lines: [
"Cloning into '/local_path'...",
]
}
Thanks,
Erick
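
Added example, not part of the thread and not Ansible's own code: since the same play worked on 13 hosts and the replies ask about the user and an SSH misconfiguration, one check is to run `ssh -G <git-host>` as the play's user on a working host and on the failing host, then compare the options that decide which user and key are presented. The two sample outputs below are constructed; the user, host name and key paths in them are assumptions.

```python
from collections import defaultdict

# Client options that decide which user and key ssh presents to the Git server.
AUTH_KEYS = {"user", "hostname", "port", "identityfile", "identitiesonly",
             "identityagent", "pubkeyauthentication", "pubkeyacceptedkeytypes",
             "preferredauthentications", "proxycommand"}

# Constructed `ssh -G` output from a host where the clone works.
GOOD = """\
user svc_deploy
hostname git.example.internal
port 22
identitiesonly no
identityfile ~/.ssh/id_rsa
identityfile ~/.ssh/id_ecdsa
pubkeyauthentication yes
"""

# Constructed `ssh -G` output from the host where the clone fails.
BAD = """\
user root
hostname git.example.internal
port 22
identitiesonly yes
identityfile /etc/ssh/deploy_key
pubkeyauthentication yes
"""

def parse_ssh_g(text):
    """Parse `ssh -G` output ("keyword value" per line) into {keyword: [values]}."""
    cfg = defaultdict(list)
    for line in text.splitlines():
        key, _, value = line.strip().partition(" ")
        if key:
            # identityfile can repeat; keep every value in the order ssh tries them
            cfg[key.lower()].append(value.strip())
    return cfg

def auth_drift(good_text, bad_text, keys=AUTH_KEYS):
    """Return {keyword: (good_values, bad_values)} for auth options that differ."""
    good, bad = parse_ssh_g(good_text), parse_ssh_g(bad_text)
    return {k: (good.get(k, []), bad.get(k, []))
            for k in sorted(keys) if good.get(k, []) != bad.get(k, [])}

if __name__ == "__main__":
    for option, (ok, failing) in auth_drift(GOOD, BAD).items():
        print(f"{option}: working={ok} failing={failing}")
```

Any option it reports is a difference between the two hosts in what the SSH client sends; an empty result means the client configuration matches and the difference lies elsewhere, such as the key files themselves or the server side.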
On Wednesday, September 2, 2020 at 9:50:14 PM UTC-7 [email protected]
wrote:
> Or: key is ok but it's not being used because of an ssh misconfig
>
> On Thu, 3 Sep 2020 at 06:44, Dick Visser <[email protected]> wrote:
>
>> Sounds like a permission issue somewhere.
>> Can you manually sudo to whatever user your playbook is using and clone
>> the repo?
>> Key permissions ok?
>> Correct user?
>>
>>
>>
>> On Wed, 2 Sep 2020 at 23:34, Erick Sun <[email protected]> wrote:
>>
>>> Hello, thanks for taking a look! I am trying to install needed software
>>> on hosts running RHEL 7.x (Docker, Python, Intel Parallel Studio). During
>>> play to download Intel, the play is designed to ssh into and clone from
>>> remote Git repo. It has been verified that the local host' ssh key is
>>> known by remote server and also the server's ssh key is known to local
>>> host, although local host is not able to read from remote. Without going
>>> into too much detail, here is the set of plays being run in playbook.yml,
>>> as well as the inventory in hosts.yml. The playbook breaks at the "Clone
>>> cots_lfs repo" play:
>>>
>>>
>>> ######playbook.yml
>>> ---
>>> - hosts: all
>>> gather_facts: yes
>>> tasks:
>>>
>>> ###Set of plays that checks the host OS, RAM, and scratch Disk Space
>>> #Grab the Distribution and Version and check it is between 7.x and 8.0
>>> - name: Distribution
>>> ...
>>>
>>> - name: Distribution version
>>> ...
>>>
>>> - name: Check that the Red Hat Version >= 7.x and < 8
>>> ...
>>>
>>> #Check the Ram and that there's at least xxx MB
>>> - name: RAM
>>> ...
>>>
>>> - name: Check that the System Ram is > xxx MB
>>> ...
>>>
>>> #Check HD space of /local_path and that there's at least xxx MB.
>>> - name: Disk Space
>>> ...
>>>
>>> - name: Check that Disk Space is > xxx MB.
>>> ...
>>>
>>> ###Set of plays that checks the host RPMs and Services for Docker
>>> #Get RPM and Service Facts
>>> - name: Populate Host RPM Package Facts
>>> ...
>>>
>>> - name: Populate Host Service Facts
>>> ...
>>>
>>> #Docker Plays
>>> - name: Check if Docker is installed
>>> ...
>>>
>>> - name: Install Docker Dependencies if needed
>>> ...
>>>
>>> - name: Add the Public Docker Repo if needed
>>> ...
>>>
>>> - name: Install Docker Dependencies if needed
>>> ...
>>>
>>> - name: Install Docker service 18.x
>>> ...
>>>
>>> - name: Set the Docker http proxy file
>>> ...
>>>
>>> - name: Set the Docker daemon file
>>> ...
>>>
>>> - name: Ensure Docker group is created on host
>>> ...
>>>
>>> - name: Add users to Docker group
>>> ...
>>>
>>> - name: Initial Start of Docker Service
>>> ...
>>>
>>> - name: Set permissions on /var/run/docker.sock to 0666
>>> ...
>>>
>>> - name: Stop Docker Service
>>> ...
>>>
>>> - name: Reload Docker Service
>>> ...
>>>
>>> - name: Enable and Start Docker Service
>>> ...
>>>
>>> - name: Print Docker Service Info
>>> ...
>>>
>>> ###Set of plays that checks the host RPMs and Services for Python3
>>> #Check Python plays
>>> - name: Check for Python3
>>> ...
>>>
>>> - name: Install Python3 if needed
>>> ...
>>>
>>> - name: Check for Python3-Pip
>>> ...
>>>
>>> - name: Install Python3-Pip if needed
>>> ...
>>>
>>> - name: Check for Python-Virtualenv
>>> ...
>>>
>>> - name: Install Python-Virtualenv if needed
>>> ...
>>>
>>> - name: Run script to create Python Virtual environment
>>> ...
>>>
>>> ###Set of plays that checks the host's git lfs installation
>>> - name: Install git-lfs if needed
>>> ...
>>>
>>> ###Set of plays that installs Intel
>>> - name: Check if Intel is installed in /opt/
>>> ...
>>>
>>> - name: Clone cots_lfs repo
>>>   git:
>>>     repo: 'ssh://<url/cots_lfs.git>'
>>>     dest: /local_path/cots_lfs
>>>     version: intel_parallel_studio_full
>>>     update: yes
>>>     clone: yes
>>>     force: yes
>>>   when: not intel_exists.stat.exists
>>>
>>> - name: Install Intel
>>> ...
>>>
>>> ###Set of plays that modifies the hosts /etc/ files
>>> - name: Run modify system files script
>>> ...
>>>
>>> - name: Restart host if system files have been modified
>>> ...
>>>
>>> - name: Restart Docker service if host was rebooted
>>> ...
>>>
>>>
>>> ######hosts.yml
>>> ---
>>> all:
>>>   hosts:
>>>     localhost:
>>>   children:
>>>     watermarked:
>>>       vars:
>>>         proxy: <url>
>>>       hosts:
>>>         Workstation1:
>>>           ansible_host: <ip_addr>
>>>         Workstation2:
>>>           ansible_host: <ip_addr>
>>>         ...
>>>
>>>     nonwatermarked:
>>>       hosts:
>>>         Workstation1:
>>>           ansible_host: <ip_addr>
>>>         Workstation2:
>>>           ansible_host: <ip_addr>
>>>         ...
>>>
>>>     offline:
>>>       hosts:
>>>         <ip_addr>:
>>>
>>>
>>>
>>> Thanks,
>>> Erick
>>>
>>>
>>>
>>> On Wednesday, September 2, 2020 at 1:37:01 AM UTC-7 [email protected]
>>> wrote:
>>>
>>>> You need to give more info. Playbooks, inventory, what are you trying
>>>> to achieve, etc.
>>>>
>>>> On Tue, 1 Sep 2020 at 23:48, Erick Sun <[email protected]> wrote:
>>>>
>>>> > Host SSH key not recognized when trying to SSH into remote repository
>>>> > using Ansible playbook. Remote repository was verified to have the correct
>>>> > SSH key from host, but still wouldn't recognize host when trying to clone
>>>> > from the repository. Ran Ansible on 15 hosts, 13 were successful, 1 failed
>>>> > to clone from remote repo even though they were configured the same. Here
>>>> > is the actual error received. Can anyone help, please? Thx
>>>> >
>>>> > fatal: [Host]: FAILED! => {"changed": false, "cmd": "/usr/bin/git
>>>> > clone --origin origin 'ssh:<path_to_repo>' /local_path", "msg": "FIPS mode
>>>> > initialized\r\nDisabling GSSAPIKeyExchange. Not usable in FIPS
>>>> > mode\r\nPermission denied (publickey).\r\nfatal: Could not read from
>>>> > remote repository.\n\nPlease make sure you have the correct access
>>>> > rights\nand the repository exists.", "rc": 128, "stderr": "FIPS mode
>>>> > initialized\r\nDisabling GSSAPIKeyExchange. Not usable in FIPS
>>>> > mode\r\nPermission denied (public key).\r\nfatal: Could not read from
>>>> > remote repository.\n\nPlease make sure you have the correct access
>>>> > rights\nand the repository exists.\n", "stderr_lines": ["FIPS mode
>>>> > initialized", "Disabling GSSAPIKeyExchange. Not usable in FIPS mode",
>>>> > "Permission denied (publickey).", "fatal: Could not read from remote
>>>> > repository.", "", "Please make sure you have the correct access rights",
>>>> > "and the repository exists."], "stdout": "Cloning into
>>>> > '/local_path'...\n",
>>>> > "stdout_lines": ["Cloning into '/local_path'..."]}
>>>> >
>>>> > --
>>>>
>>>>
>>>> > You received this message because you are subscribed to the Google
>>>> Groups "Ansible Project" group.
>>>>
>>>>
>>>> > To unsubscribe from this group and stop receiving emails from it,
>>>> send an email to [email protected].
>>>>
>>>>
>>>> > To view this discussion on the web visit
>>>> https://groups.google.com/d/msgid/ansible-project/e84682be-85ac-47b8-8c80-661de0f5dbc6n%40googlegroups.com
>>>> .
>>>>
>>>> --
>>>> Dick Visser
>>>> Trust & Identity Service Operations Manager
>>>> GÉANT
>>>>
>>> --
>> Sent from a mobile device - please excuse the brevity, spelling and
>> punctuation.
>>
>>
>> --
> Sent from a mobile device - please excuse the brevity, spelling and
> punctuation.
>