Different ssh behavior on Linux and MacOSX

Hi all
We use Ansible version 2.0.1.0 on MacOS X 10.11.3 (El Capitan) and Ubuntu 14.04

Ansible on MacOS is installed via # brew install ansible
Today I've got a strange behavior on my project.
In our role we change the root password and then continue with our tasks.
All is OK in a Linux session: the playbook doesn't stop and succeeds, but if we run this playbook on Mac OS X we get an auth error.

TASK [init_server : Change root password] **************************************

changed: [LEASEWEB_NL_PGGN005] => {"append": false, "changed": true, "comment": "root", "group": 0, "home": "/root", "invocation": {"module_args": {"append": false, "comment": null, "createhome": true, "expires": null, "force": false, "generate_ssh_key": null, "group": null, "groups": null, "home": null, "login_class": null, "move_home": false, "name": "root", "non_unique": false, "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER", "remove": false, "shell": null, "skeleton": null, "ssh_key_bits": "2048", "ssh_key_comment": "ansible-generated on PGGN005", "ssh_key_file": null, "ssh_key_passphrase": null, "ssh_key_type": "rsa", "state": "present", "system": false, "uid": null, "update_password": "always"}, "module_name": "user"}, "move_home": false, "name": "root", "password": "NOT_LOGGING_PASSWORD", "shell": "/bin/bash", "state": "present", "uid": 0}

TASK [init_server : Add public-keys users "XXX"] ************************
task path: /Users/ZZZ/workspace/devops/SGSansible/roles/init_server/tasks/main.yml:27
File lookup using /Users/ZZZ/…roles/init_server/files/id_rsa16_XXX.pub as file
File lookup using /Users/ZZZ/…/roles/init_server/files/id_rsa16_YYY.pub as file
<5.79.100.137> ESTABLISH CONNECTION FOR USER: root on PORT 22 TO 5.79.100.137
<5.79.100.137> ESTABLISH CONNECTION FOR USER: root on PORT 22 TO 5.79.100.137
fatal: [LEASEWEB_NL_PGGN005]: UNREACHABLE! => {"changed": false, "msg": "All items completed", "results": [{"item": "ssh-rsa …, "msg": "Authentication failed.", "unreachable": true}]}
to retry, use: --limit @init.retry

My question is: why does Ansible on MacOS X create an ssh connection on every playbook step, but doesn't do this under Linux?

ansible.cfg

# config file for ansible -- http://ansible.com/
# ==============================================

[defaults]

inventory = inventory

remote_port = 65321
roles_path = roles

host_key_checking = False

remote_user = sgsansible

log_path = log/ansible.log

private_key_file = keys/id_rsa16_ansible

[ssh_connection]

ssh_args = -o ControlMaster=auto -o ControlPersist=60s
accelerate_multi_key = yes

WBR - Stanislav

Default transport is ‘smart’ which uses paramiko instead of openssh on OS X due to an issue with sshpass crashing the OS X kernel.

If you are NOT using ssh passwords (you are using keys) it should be OK to change the default to ‘ssh’ and it will work just like under Linux.

Brian, thanks for the answer!

Unfortunately, we are using passwords in the initial deployment phase; keys are used later.
To avoid the problem in this case we use a simple trick in our playbooks:

  - name: Finish prepare (restart)
    vars:
      ansible_ssh_pass: "{{ new_generated_pass_stored_in_host_vars }}"

WBR - Stanislav

Change the default transport to ssh and set connection: paramiko for the tasks that use the password and push the keys. That should minimize the issue; for brownie points, set the connection conditionally to paramiko when localhost is OS X.
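
The layout suggested in the last reply, written out as a two-play bootstrap. This is an added example, not code from the thread or from the Ansible project. It assumes "transport = ssh" is set under [defaults] in ansible.cfg; the variable names initial_root_pass and new_root_pass_hash and the ping task are hypothetical, while sgsansible, the key file name and new_generated_pass_stored_in_host_vars are taken from the posts above.

```yaml
# bootstrap.yml (added example; assumes ansible.cfg has "transport = ssh")

# Play 1: password phase. Only this play may fall back to paramiko,
# and only when the control machine itself is OS X.
- hosts: all
  remote_user: root
  gather_facts: no
  vars:
    # 'uname -s' runs on the control machine and prints "Darwin" on OS X.
    control_os: "{{ lookup('pipe', 'uname -s') }}"
    ansible_connection: "{{ 'paramiko' if control_os == 'Darwin' else 'ssh' }}"
    # Hypothetical variable: the password the host was delivered with.
    ansible_ssh_pass: "{{ initial_root_pass }}"
  tasks:
    - name: Change root password
      user:
        name: root
        # Hypothetical variable: crypt(3) hash of the new password.
        password: "{{ new_root_pass_hash }}"
        update_password: always
      no_log: true

    # paramiko opens a fresh connection for each task, so every task after
    # the password change must authenticate with the new password.
    - name: Add public keys
      authorized_key:
        user: root
        key: "{{ lookup('file', item) }}"
      with_items:
        - id_rsa16_XXX.pub
      vars:
        ansible_ssh_pass: "{{ new_generated_pass_stored_in_host_vars }}"

# Play 2: key phase. No connection override, so the ssh transport from
# ansible.cfg is used with private_key_file and ControlPersist on both
# Linux and OS X control machines.
- hosts: all
  remote_user: sgsansible
  tasks:
    - name: Verify key-based login
      ping:
```

Task-level vars take precedence over play-level vars, which is why the second task authenticates with the new password while the first still uses the initial one.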