SSH-keys forwarding to Execution Environment for promptless runs with ansible-navigator

I assume you have your environment set up and have built your custom EE or use one of the community EEs. If not, first read the Getting started with EE guide.

You also have your SSH keys generated and the public key copied to your target host via ssh-copy-id.

1. Create a test_remote.yml playbook to test SSH-keys forwarding.

```bash
cat > test_remote.yml<<EOF
- name: Gather and print facts
  hosts: YOUR_INVENTORY_HOST
  remote_user: YOUR_REMOTE_USER
  gather_facts: true
  tasks:

  - name: Print facts
    ansible.builtin.debug:
      var: ansible_facts
EOF
```

2. Add your private key to ssh-agent.

```bash
eval $(ssh-agent)
ssh-add </path/to/your/private/key>
```

3. Test it:

```bash
ansible-navigator run test_remote.yml -i inventory --execution-environment-image YOUR_EE --mode stdout --pull-policy missing
```

Thanks for reading, any feedback is welcome:)

Good write-up, thank you. And quite timely, as I was just experimenting with this for ansible-runner this morning.

In Runner this doesn’t work for me. With a similar configuration as yours, I have:

```
$ echo YOUR_INVENTORY_HOST > inventory/hosts
$ cat env/settings
---
process_isolation: true
process_isolation_executable: podman
container_image: <my EE>

$ mkdir project
$ cat > project/test_remote.yml<<EOF
- name: Gather and print facts
  hosts: YOUR_INVENTORY_HOST
  remote_user: YOUR_REMOTE_USER
  gather_facts: true
  tasks:

  - name: Print facts
    ansible.builtin.debug:
      var: ansible_facts
EOF

$ ansible-runner run . -p test_remote.yml
TASK [Gathering Facts] *********************************************************
fatal: [YOUR_INVENTORY_HOST]: UNREACHABLE! => {"changed": false, "msg": "Failed to connect to the host via ssh:
```

Only after ensuring the SSH agent directory is in ~/.ssh, additionally adding an environment variable to Runner, and bind-mounting the host’s .ssh directory do I succeed:

```
$ eval $(ssh-agent -a ~/.ssh/auth-sock)

$ ssh-add my.key
Identity added: my.id_rsa (Ansible user)

$ echo 'SSH_AUTH_SOCK: "/root/.ssh/auth-sock"' > env/envvars  # the EE will get this

$ ansible-runner run . --container-volume-mount $HOME/.ssh/:/root/.ssh/ -p test_remote.yml

PLAY [Gather and print facts] **************************************************

TASK [Gathering Facts] *********************************************************
ok: [YOUR_INVENTORY_HOST]
...
```

I don’t know what this is due to, as the documentation clearly says the SSH directory will be bind-mounted, but this doesn’t occur here, which may be due to all sorts of reasons. :blush:

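
The Runner setup that worked above has the agent socket inside the bind-mounted directory and `SSH_AUTH_SOCK` in `env/envvars` set to the socket's path as seen inside the container. The following is an added example, not code from any poster or from the Ansible project, that checks both before a run; `container_sock_path` and `agent_preflight` are hypothetical helper names and `preflight.sh` is a constructed file name.

```bash
# Added example: pre-run checks for forwarding an ssh-agent socket into an EE.

# Translate a host-side socket path into its container-side path, given a
# "SRC:DST" bind-mount spec (the form passed to --container-volume-mount).
# Prints the container path; returns 1 if the socket is not under SRC.
container_sock_path() {
    local sock="$1" spec="$2" src dst
    src="${spec%%:*}"; dst="${spec#*:}"
    dst="${dst%%:*}"                # ignore anything after a second colon
    src="${src%/}"; dst="${dst%/}"  # normalise trailing slashes
    case "$sock" in
        "$src"/*) printf '%s/%s\n' "$dst" "${sock#"$src"/}" ;;
        *) return 1 ;;
    esac
}

# Returns 0 if the agent is usable, 1 if SSH_AUTH_SOCK is unset, 2 if it is
# not a socket, 3 if the agent is unreachable, 4 if it holds no identities.
agent_preflight() {
    local rc=0
    [ -n "${SSH_AUTH_SOCK:-}" ] || return 1
    [ -S "$SSH_AUTH_SOCK" ] || return 2
    ssh-add -l >/dev/null 2>&1 || rc=$?
    case "$rc" in
        0) return 0 ;;
        1) return 4 ;;  # ssh-add -l exits 1 when no identities are loaded
        *) return 3 ;;  # exit 2 (or ssh-add missing): agent not reachable
    esac
}

# Usage: sh preflight.sh "$HOME/.ssh/:/root/.ssh/"   (mount spec as in the post)
if [ -n "${1:-}" ]; then
    agent_preflight || { echo "agent check failed (code $?)" >&2; exit 1; }
    path=$(container_sock_path "$SSH_AUTH_SOCK" "$1") || {
        echo "socket $SSH_AUTH_SOCK is outside the mounted directory" >&2; exit 1; }
    # Line to put in env/envvars so the EE sees the socket at its mounted path.
    printf 'SSH_AUTH_SOCK: "%s"\n' "$path"
fi
```

A socket at the default location chosen by a plain `ssh-agent` start is reported as outside the mounted directory, while one created with `ssh-agent -a ~/.ssh/auth-sock` maps to `/root/.ssh/auth-sock`.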

@jpmens thank you for the feedback!
I did it for ansible-navigator. Sorry for not specifying this, which could cause some confusion; I have now mentioned it explicitly in the title.
Didn’t play with runner yet. I think they would appreciate any docfixes with things you discovered.

Did you try the guide with Navigator?

Your instructions for Navigator work well.

@jpmens thanks a lot for the feedback!