hostkey enhancements to the git module

I created a new feature in the git module to help with hostkey management and prevent task hangs with unknown keys:

https://github.com/ansible/ansible/commit/8665b0638a1d3a70f985126b0f007a26c81273cb
https://github.com/ansible/ansible/commit/eeee1e1c5aa9dd4f84175966e0f9e467fd7fc600

The module should fail early on if the hostkey is unknown instead of hanging indefinitely.

If the user adds "accept_hostkey=yes" to the git parameters, the key will be automatically
added to the known_hosts file.

Hopefully this makes the git module easier for our new users.

It also makes it easier for us non-new users. Thanks!

Is anyone else having issues with this feature? If the host key is on the machine my Ansible git checkout works perfectly.

If the host key isn’t on the box, the checkout fails even with accept_hostkey=yes. I’m on Ansible 1.5.2.

Error is also ambiguous as it says set accept_hostkey to True!!

TASK: [webservers | checkout the site] ****************************************
failed: [app01] => {"failed": true, "item": ""}
msg: intro.repositoryhosting.com has an unknown hostkey. Set accept_hostkey to True or manually add the hostkey prior to running the git module

FATAL: all hosts have already failed -- aborting

Can we see the yaml syntax and the -vvvv output for the failed task?

TASK: [webservers | checkout the site] ****************************************
ESTABLISH CONNECTION FOR USER: root
REMOTE_MODULE git repo=ssh:********@intro.repositoryhosting.com/intro/onsite.git dest=/var/www/onsite accept_hostkey=true
EXEC ['ssh', '-C', '-tt', '-vvv', '-o', 'ControlMaster=auto', '-o', 'ControlPersist=60s', '-o', 'ControlPath=/root/.ansible/cp/ansible-ssh-%h-%p-%r', '-o', 'Port=22', '-o', 'KbdInteractiveAuthentication=no', '-o', 'PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey', '-o', 'PasswordAuthentication=no', '-o', 'ConnectTimeout=10', 'app01', "/bin/sh -c 'mkdir -p $HOME/.ansible/tmp/ansible-tmp-1395785319.12-187266324329683 && echo $HOME/.ansible/tmp/ansible-tmp-1395785319.12-187266324329683'"]
PUT /tmp/tmptO5e80 TO /root/.ansible/tmp/ansible-tmp-1395785319.12-187266324329683/git
EXEC ['ssh', '-C', '-tt', '-vvv', '-o', 'ControlMaster=auto', '-o', 'ControlPersist=60s', '-o', 'ControlPath=/root/.ansible/cp/ansible-ssh-%h-%p-%r', '-o', 'Port=22', '-o', 'KbdInteractiveAuthentication=no', '-o', 'PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey', '-o', 'PasswordAuthentication=no', '-o', 'ConnectTimeout=10', 'app01', "/bin/sh -c '/usr/bin/python /root/.ansible/tmp/ansible-tmp-1395785319.12-187266324329683/git; rm -rf /root/.ansible/tmp/ansible-tmp-1395785319.12-187266324329683/ >/dev/null 2>&1'"]
failed: [app01] => {"failed": true, "item": ""}
msg: failed to add intro.repositoryhosting.com hostkey: getaddrinfo >>: Name or service not known

FATAL: all hosts have already failed -- aborting

PLAY RECAP ********************************************************************
to retry, use: --limit @/root/webservers.retry

app01 : ok=7 changed=0 unreachable=0 failed=1

yaml code is:

  - name: checkout the site
    git: repo=ssh://git@intro.repositoryhosting.com/intro/onsite.git dest={{ nginx_webroot }}/{{ app_name }} accept_hostkey=true

Just checked again… if I clone this repo on the host and accept the key then run the playbook it’s fine. Remove the known_hosts and it bails out.

In the ansible.cfg the HostKeyChecking=False is commented out which I assume means it’s on and the git accept_hostkey setting will be parsed.

Can the host resolve the fqdn?

“I’m on Ansible 1.5.2”

Please definitely test on 1.5.3 if you can. 1.5.2 was released to fix one specific problem in the 1.5.1 line, but 1.5.3 fixes quite a bit more.

Nobody – pretty much nobody – should be running 1.5.2. It will yield unhappy things.

(Also, if you have issues on 1.5.3, I’d be interested in results on devel).

root@app01:~# nslookup intro.repositoryhosting.com
Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
intro.repositoryhosting.com canonical name = na-va-app-1.repositoryhosting.com.
Name: na-va-app-1.repositoryhosting.com
Address: 174.129.252.219

root@app01:~# host intro.repositoryhosting.com
intro.repositoryhosting.com is an alias for na-va-app-1.repositoryhosting.com.
na-va-app-1.repositoryhosting.com has address 174.129.252.219

root@app01:~# ssh-keyscan intro.repositoryhosting.com

intro.repositoryhosting.com SSH-2.0-OpenSSH_5.1p1 Debian-5

intro.repositoryhosting.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAtC70z+dO6++V+qMRE37WUMiGkuNVPdYG8mB/EsJ010YCbc/VeotkPTqinE+gX1EGvdBmZn3DYSK5Cqt4Mh/waBQHfiCK4Lm8BJyQ6vJQf+l8u1bL59pGuAk6XEpoa9nE1eWpXSr7UpENcV/iDi/8Xc5qYrTJgmlK8z8H0XWigwkIEP2DtgysU2swwsa7rcyNnrNzdKstezf7Gd7qEqb8yKnIirkxcV2Q9Kt2ERvl1h+j0miZlWPPiLSBPJi38VZdWPSp3qOBCqqDy4GuUNahXl7H3IvIa0CV0AFPzcoes+1VHmoZmaC1wzV7jmrxRFS7c80BDbwSQ625v9Wb75IWTQ==

Looks fine. Here’s the vvvv if I hop onto the box and clone the repo and accept the key manually. Then re-run the playbook.

TASK: [webservers | checkout the site] ****************************************
ESTABLISH CONNECTION FOR USER: root
REMOTE_MODULE git repo=ssh:********@intro.repositoryhosting.com/intro/onsite.git dest=/var/www/onsite accept_hostkey=true
EXEC ['ssh', '-C', '-tt', '-vvv', '-o', 'ControlMaster=auto', '-o', 'ControlPersist=60s', '-o', 'ControlPath=/root/.ansible/cp/ansible-ssh-%h-%p-%r', '-o', 'Port=22', '-o', 'KbdInteractiveAuthentication=no', '-o', 'PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey', '-o', 'PasswordAuthentication=no', '-o', 'ConnectTimeout=10', 'app01', "/bin/sh -c 'mkdir -p $HOME/.ansible/tmp/ansible-tmp-1395786695.84-167115969213287 && echo $HOME/.ansible/tmp/ansible-tmp-1395786695.84-167115969213287'"]
PUT /tmp/tmpyHkG3V TO /root/.ansible/tmp/ansible-tmp-1395786695.84-167115969213287/git
EXEC ['ssh', '-C', '-tt', '-vvv', '-o', 'ControlMaster=auto', '-o', 'ControlPersist=60s', '-o', 'ControlPath=/root/.ansible/cp/ansible-ssh-%h-%p-%r', '-o', 'Port=22', '-o', 'KbdInteractiveAuthentication=no', '-o', 'PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey', '-o', 'PasswordAuthentication=no', '-o', 'ConnectTimeout=10', 'app01', "/bin/sh -c '/usr/bin/python /root/.ansible/tmp/ansible-tmp-1395786695.84-167115969213287/git; rm -rf /root/.ansible/tmp/ansible-tmp-1395786695.84-167115969213287/ >/dev/null 2>&1'"]
ok: [app01] => {"after": "41ce80a70ab048c46c306bf4a34f66fd61ebb979", "before": "41ce80a70ab048c46c306bf4a34f66fd61ebb979", "changed": false, "item": ""}

OK this is no issue on 1.5.3. I had previously installed through apt-get and 1.5.2 seems to be the latest there. 1.5.3 via pip is all good.
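
Added example, not part of the thread and not the git module's own code: the decision the first post describes, whether the host in a repo URL already has an entry in known_hosts, sketched in Python for both plain and hashed (HashKnownHosts) entries. The function names and the sample known_hosts content are constructed for this illustration; wildcard host patterns are not handled.

```python
import base64
import hashlib
import hmac
import re
from urllib.parse import urlparse

def repo_host(repo):
    """Return (host, port) for an SSH repo URL, or None if no SSH host is involved."""
    if "://" in repo:
        url = urlparse(repo)
        if url.scheme not in ("ssh", "git+ssh", "ssh+git"):
            return None
        return url.hostname, url.port or 22
    m = re.match(r"(?:[^@/]+@)?([^:/]+):", repo)  # scp-like form: git@host:path
    return (m.group(1).lower(), 22) if m else None

def hashed_field(name, salt):
    """Build a hashed host field: |1|base64(salt)|base64(HMAC-SHA1(salt, name))."""
    mac = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def field_matches(field, name):
    """Compare one known_hosts host field (plain list or hashed) with a name."""
    if field.startswith("|1|"):
        salt = base64.b64decode(field.split("|")[2])
        return hmac.compare_digest(field, hashed_field(name, salt))
    return name in field.split(",")  # wildcard patterns are not handled here

def hostkey_status(repo, known_hosts_text):
    """Return 'not-ssh', 'known' or 'unknown' for the repo's host."""
    target = repo_host(repo)
    if target is None:
        return "not-ssh"
    host, port = target
    # Non-default ports are stored as [host]:port in known_hosts.
    name = host if port == 22 else "[%s]:%d" % (host, port)
    for line in known_hosts_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0][0] in "#@":  # skip comments and marker lines
            continue
        if field_matches(fields[0], name):
            return "known"
    return "unknown"

# Constructed sample: placeholder key material, one plain and one hashed entry.
SAMPLE = "\n".join([
    "# constructed known_hosts",
    "git.example.com ssh-ed25519 AAAAC3PLACEHOLDER",
    hashed_field("[hashed.example.com]:2222", b"constructed-salt-20b")
    + " ssh-ed25519 AAAAC3PLACEHOLDER",
])
```

A host reported as unknown can be pinned ahead of time by adding a key verified out of band to known_hosts, which avoids accepting whatever key is presented on first connection with accept_hostkey=yes.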