Unable to reuse ssh connections in Ansible despite PIPELINING = True

My corporate firewall policy allows only 20 connections per minute 60 seconds between the same source and destinations.

Owing to this the ansible play hangs after a while.

I would like multiple tasks to use the same ssh session rather than creating new sessions. For this purpose I set the below pipelining = True in the local folder ansible.cfg as well as in the command line.

cat /opt/automation/startservices/ansible.cfg

[defaults]
host_key_checking = False
gathering = smart
[ssh_connection]
ssh_args = -o ControlMaster=auto -o ControlPersist=600s
control_path = %(directory)s/%%h-%%r
pipelining = True

ANSIBLE_SSH_PIPELINING=0 ansible-playbook -i /opt/automation/startservices/finalallmw.hosts /opt/automation/startservices/va_action.yml -e '{ dest_host: myremotehost7 }' -e dest_user=oracle

The playbook is too big to be shared here but it is this task which loops and this is where it hangs due to more than 20 ssh connections in 60 seconds.

- name: Copying from "{{ inventory_hostname }}" to this ansible server.
  synchronize:
    src: "{{ item.path }}"
    dest: "{{ playbook_dir }}/homedirbackup/{{ inventory_hostname }}/{{ dtime }}/"
    mode: pull
    copy_links: yes
  with_items:
    - "{{ to_copy.files }}"

With the pipelining settings set, my play still hangs after 20 connections.

Below are the playbook settings:

hosts: "{{ groups['dest_nodes'] | default(groups['all']) }}"
user: "{{ USER | default(dest_user) }}"
any_errors_fatal: True
gather_facts: false
tags: always

vars:
  ansible_host_key_checking: false
  ansible_ssh_extra_args: -o StrictHostKeyChecking=no -o ConnectionAttempts=5

Can you please suggest any solution to the issue on the ansible side where all tasks use the same ssh session and is pipelining not working here?

My corporate firewall policy allows only 20 connections per minute 60 seconds between the same source and destinations.

Sounds to me like a ridiculous policy. Ask for an exception instead of trying to throttle Ansible.

Regards
Racke

I agree. This would cause problems just for a large number of standard
websites, unless your IT networking people are relying on browsers using
persistent connections, and even then, static content, images, and dynamic
content are often going to be supplied by different parts of a CDN.

Antony.

Hi,

Did you find a solution for this?

I don’t think pipelining will actually result in reusing the same SSH session across the play. It will reduce the number of SSH sessions per task, but I think it will still result in many new SSH sessions.

I can’t figure out how to reuse sessions for a non-SSH connector.

Regards,
Matt

A few things:
- pipelining is not about connection reuse but about writing to disk
- for ssh connection plugin, the control persist settings are what
reuse connections/authentication, but not sessions
- the synchronize action does its own connection handling

Consider you might have conflicting settings in your ssh config (~/.ssh/config and/or /etc/ssh/ssh_config)?

Here’s what I have…
Host *
  ControlMaster auto
  ControlPath ~/.ansible/cp/%h-%r
  ControlPersist 10m

control_path probably needs to match ControlPath. Not sure about the others.

  • for ssh connection plugin, the control persist settings are what reuse connections/authentication, but not sessions

Is there a mechanism to re-use sessions? Or a mechanism to re-use connections for non-ssh connection plugins?

Thanks,
Matt

Kind of, there is ansible-connection but it can be complicated. I've
been toying around with the idea of a 'persistent: no|yes' keyword to
allow for the use/reuse of persistent sessions. This would first look
at the connection plugin for support and fallback to a connection
manager+ansible-connection on controller otherwise.

Why would you need to check whether the connection plugin supports such a new feature? ConnectionBase already has methods for _connect, connected, reset and close, separate from exec_command, put_file and fetch_file.
So wouldn’t this work for all connection plugins if Ansible just starts calling exec_command and put_file multiple times per connection?

Ansible already does this per task, this still just uses 'shared
auth' in the case of ssh, not full session (unlike winrm/psrp). In any
case this feature would be 'across tasks' or block of tasks.
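
One way to check from the remote host whether a play stays under the 20-connections-per-60-seconds limit discussed in this thread, added here as an example and not posted by anyone in the thread: it counts sshd "Accepted" lines per source in a sliding window, since sessions multiplexed over a ControlPersist master share one authenticated connection and do not add new lines. The ISO-timestamp log layout (as from `journalctl -o short-iso`), the addresses and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# sshd logs one "Accepted ..." line per authenticated TCP connection.
ACCEPT = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Accepted \S+ for \S+ from (?P<src>\S+) port \d+"
)

def peak_connections(log_text, window_s=60):
    """Return {source: most connections accepted inside any window_s-second span}.

    Assumes each source's lines appear in chronological order with ISO timestamps."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)  # source -> accept times still inside the window
    peak = defaultdict(int)
    for line in log_text.splitlines():
        m = ACCEPT.match(line)
        if not m:
            continue  # disconnects, failures and other daemons are ignored
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S%z")
        q = recent[m["src"]]
        q.append(ts)
        while ts - q[0] >= window:  # drop accepts that are 60 s old or older
            q.popleft()
        peak[m["src"]] = max(peak[m["src"]], len(q))
    return dict(peak)

def over_limit(log_text, limit=20, window_s=60):
    """Sources that opened more than `limit` connections in one window."""
    peaks = peak_connections(log_text, window_s)
    return {src: n for src, n in peaks.items() if n > limit}

def sample_log(src, count, gap_s):
    """Constructed sshd lines: `count` new connections from `src`, gap_s apart."""
    start = datetime(2024, 5, 6, 10, 0, 0, tzinfo=timezone.utc)
    return "\n".join(
        f"{start + timedelta(seconds=i * gap_s):%Y-%m-%dT%H:%M:%S%z} myremotehost7 "
        f"sshd[{2100 + i}]: Accepted publickey for oracle from {src} port {40000 + i} ssh2"
        for i in range(count)
    )

if __name__ == "__main__":
    # Constructed input: a loop opening a connection every 2 s vs. one reused master.
    log = sample_log("192.0.2.10", 25, 2) + "\n" + sample_log("192.0.2.20", 1, 0)
    print(peak_connections(log))
    print(over_limit(log))
```

Running it against the real sshd log while the looped synchronize task executes shows whether each item opens its own connection.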