Good morning,
I have one Jenkins instance from which I need to issue ansible commands & playbooks, ansible master being on another dedicated machine.
In my Jenkins builds I execute Ansible playbooks using the "Send files or execute commands over ssh" build step.
I know that the “Send files or execute commands over ssh” doesn’t use a TTY by default.
For now, all playbooks that don't need an SSH connection to remote hosts are working properly.
1 ] Commands in Jenkins build step (OK)
See below a Jenkins job build step dedicated to VMware VM creation (Exec command), for example (one command per line for clarity):

```sh
# Make vault password available in remote context for vault file decryption
export MY_VAULT_PASS=${LINUX_VAULT_PASS}
# Execute Ansible playbook
ansible-playbook -vvvv --vault-id vmware@/etc/ansible/vmware_vault_pass.py vm_deploy.yml -e "fqdn=myvm.domain.tld ip=10.0.0.2"
```

The step above works just fine: the vault file is properly decrypted and I can use the deciphered vars in my playbook. Note that this playbook DOESN'T NEED an SSH connection to the target host (vmware_guest and win_shell modules only, meaning VMware API & WinRM only).
2 ] Commands in Jenkins build step (NOT OK)
The issue occurs with my additional build steps, where I want to issue other Ansible commands on this newly created Linux VM, meaning that Ansible will then need to connect to this VM using SSH.

```sh
# Make vault password available in remote context for vault file decryption
export MY_VAULT_PASS=${LINUX_VAULT_PASS}
# Make sure ssh-agent is available
. /home/jenkins/.bash_profile
# Execute Ansible command
ansible -vvvv -m ping myvm.domain.tld --vault-id linux@/etc/ansible/linux_vault_pass.py vm_config.yml -e "ansible_ssh_private_key_file=/home/jenkins/.ssh/my_sshkey"
```

The vault file is properly decrypted, but Jenkins can't decrypt the SSH key on the Ansible host to connect to the newly created VM, because it is passphrase protected. Even worse, it doesn't seem to detect the SSH agent which has been configured to store the SSH key passphrase (see below).
Ansible output in Jenkins console:

```
Omitted output here
read_passphrase: can't open /dev/tty: No such device or address
Omitted output here
no passphrase given, try next key
Omitted output here
```
3 ] Ansible host setup
I have previously configured ssh-agent on Ansible host within a user session of the user used by Jenkins to connect to Ansible:
3.1 ) ssh-agent setup

```sh
ssh-agent bash
ssh-add /path/to/.ssh/my_private_key
# Passphrase filled in at the prompt
```

3.2 ) .bash_profile setup
The output of "ssh-agent" has been added to the .bash_profile file of the user used by Jenkins to connect to Ansible:

/home/jenkins/.bash_profile (on Ansible host):

```sh
SSH_AUTH_SOCK=/tmp/ssh-xxxxxxxxx/agent.yyyy
export SSH_AUTH_SOCK
SSH_AGENT_PID=yyyy
```
I wonder what setup/design I should consider to issue Ansible commands from a remote host that need an SSH key decryption (Jenkins or raw SSH) to connect to Ansible nodes…
Thanks for your help
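One way to approach the setup asked about above, as an added example that is not part of the original post and not the poster's own script. The `read_passphrase: can't open /dev/tty` line is what ssh prints when no agent answers on `SSH_AUTH_SOCK` and it falls back to prompting for the passphrase; the socket path copied into `.bash_profile` only matches the agent started in that one interactive session, so a non-interactive Jenkins step usually finds nothing behind it. The script below binds the agent to a fixed socket path instead, checks whether that agent is reachable using the exit status of `ssh-add -l`, and loads the key without a tty through `SSH_ASKPASS`. The names `AGENT_SOCK`, `KEY_FILE`, `MY_KEY_PASS` and the file name `ensure_agent.sh` are assumptions chosen for this example; `MY_KEY_PASS` is meant to be injected by Jenkins the same way `LINUX_VAULT_PASS` already is.

```shell
#!/bin/sh
# Added example, not from the original post: give a Jenkins "Exec command"
# step a reachable ssh-agent and a loaded key even though there is no /dev/tty.
#
# Assumptions (hypothetical names chosen for this example):
#   AGENT_SOCK   fixed socket path, so every non-interactive session finds the
#                same agent instead of the stale /tmp/ssh-xxxx path in .bash_profile
#   KEY_FILE     the key Ansible uses (ansible_ssh_private_key_file)
#   MY_KEY_PASS  the key passphrase, exported into the step by a Jenkins credential
AGENT_SOCK="${AGENT_SOCK:-/home/jenkins/.ssh/agent.sock}"
KEY_FILE="${KEY_FILE:-/home/jenkins/.ssh/my_sshkey}"

# Translate the exit status of `ssh-add -l` into a word (see ssh-add(1)):
#   0 = agent reachable and holds identities
#   1 = agent reachable but holds no identities
#   2 = agent cannot be contacted (stale socket, agent died after a reboot)
agent_state() {
    case "$1" in
        0) echo loaded ;;
        1) echo empty ;;
        *) echo unreachable ;;
    esac
}

# Probe whatever SSH_AUTH_SOCK currently points at, without printing the key list.
probe_agent() {
    ssh-add -l >/dev/null 2>&1
    agent_state "$?"
}

# True only for a path that is a live UNIX socket; a leftover regular file is not.
socket_exists() {
    [ -S "$1" ]
}

# Start an agent bound to AGENT_SOCK unless a reachable one is already there.
ensure_agent() {
    export SSH_AUTH_SOCK="$AGENT_SOCK"
    if [ "$(probe_agent)" = unreachable ]; then
        rm -f "$AGENT_SOCK"
        # -a binds the agent to a known socket; -s prints sh-style exports
        eval "$(ssh-agent -a "$AGENT_SOCK" -s)" >/dev/null
    fi
}

# Load the key without a tty: ssh-add runs the program named by SSH_ASKPASS
# when stdin is not a terminal and DISPLAY is set (OpenSSH 8.4+ also honours
# SSH_ASKPASS_REQUIRE=force). The helper only echoes the injected passphrase.
load_key() {
    if [ "$(probe_agent)" = loaded ]; then
        return 0
    fi
    askpass="$(mktemp)"
    printf '#!/bin/sh\nprintf %%s "$MY_KEY_PASS"\n' > "$askpass"
    chmod 0700 "$askpass"
    SSH_ASKPASS="$askpass" SSH_ASKPASS_REQUIRE=force DISPLAY=:0 \
        ssh-add "$KEY_FILE" < /dev/null
    rc=$?
    rm -f "$askpass"
    return "$rc"
}

# Usage from the Jenkins "Exec command" step (hypothetical file name):
#   . /home/jenkins/ensure_agent.sh && ensure_agent && load_key
#   ansible -m ping myvm.domain.tld
```

Because the socket path is fixed, the `.bash_profile` snippet can be reduced to `export SSH_AUTH_SOCK=/home/jenkins/.ssh/agent.sock` and will stay valid across reboots; `probe_agent` distinguishes "no agent" from "agent but no key", so the step only starts an agent or loads the key when that is actually needed. If the passphrase should never reach the Jenkins host at all, the same script still works with `load_key` dropped: load the key once from an interactive session on the Ansible host with the agent bound to `AGENT_SOCK`, and let the build step only export the socket path.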