I’m using Root.io
‘s Trellis
workflow.
I’ve encountered an error wherein I couldn’t establish a connection via ansible-playbook
.
-
When I run
ansible-playbook server.yml -e env=staging
it throws me an error that the ssh connection cannot be established so I checked myusers.yml
file and saw a problem under thekeys
section:- name: "{{ admin_user }}" groups: - sudo keys: - "{{ lookup('file', '~/.ssh/id_rsa.pub') }}" - https://github.com/dummyuser.keys
I realised I have an existing
id_rsa.pub
key but I didn’t have it authorized on my server, I was usinghttps://github.com/dummyuser.keys
instead. So I removed that line- "{{ lookup('file', '~/.ssh/id_rsa.pub') }}"
However the problem still persists. The response was:
fatal: [10.10.2.5]: UNREACHABLE! => { "changed": false, "msg": "Failed to connect to the host via ssh.", "unreachable": true }
Also why does the config point to the
public key
when we need theprivate key
to login via ssh. I usually dossh -i ~/.ssh/private_key [email protected]
whenever I login to the server via ssh.
-
I So I used another approach. specified the key on the cli this time
ansible-playbook server.yml -e env=staging -vvvv --key-file=~/.ssh/dummy_rsa
and the result was I was able to establish a connection:
<10.10.2.5> ESTABLISH SSH CONNECTION FOR USER: dummy_admin
But there was another error: it says
a password is required
here’s the full message:fatal: [10.10.2.5]: FAILED! => { "changed": false, "failed": true, "invocation": {"module_name": "setup"}, "module_stderr": "OpenSSH_6.9p1, LibreSSL 2.1.8\r\ndebug1: Reading configuration data /etc/ssh/ssh_config\r\ndebug1: /etc/ssh/ssh_config line 21: Applying options for *\r\ndebug1: auto-mux: Trying existing master\r\ndebug2: fd 3 setting O_NONBLOCK\r\ndebug2: mux_client_hello_exchange: master version 4\r\ndebug3: mux_client_forwards: request forwardings: 0 local, 0 remote\r\ndebug3: mux_client_request_session: entering\r\ndebug3: mux_client_request_alive: entering\r\ndebug3: mux_client_request_alive: done pid = 85702\r\ndebug3: mux_client_request_session: session request sent\r\ndebug1: mux_client_request_session: master session id: 2\r\ndebug3: mux_client_read_packet: read header failed: Broken pipe\r\ndebug2: Received exit status from master 1\r\nShared connection to 10.10.2.5 closed.\r\n", "module_stdout": "sudo: a password is required\r\n", "msg": "MODULE FAILURE", "parsed": false }
I’m not sure why it is asking for a password I’ve already set it in my
group_vars/staging/vault.yml
here’s the content of that:vault_mysql_root_password: stagingpw vault_sudoer_passwords: dummy_admin: $6$rounds=656000$8DWzDN3KQkM9SjlF$DhxLkYaayplFmtj9q.EqzMDWmvlLNKsLU0GPL9E0P2EvkFQBsbjcMCXgWkug4a5E66PfwL4eZQXzMLkhXcPBk0
-
So I finally got logged in using the command below:
ansible-playbook server.yml -e env=staging -vvvv --key-file=~/.ssh/dummy_rsa --ask-become-pass
after asking me for a password it works and provisions my server without problem.
Can anyone give light to this? Am I missing something? Let me know if you need more details.
2 Answers
I’ve also posted this question on discourse and @fullyint has answered it in detail. So I’m just posting a link for the answer and some excerpt
Helping Ansible and ssh to find the necessary private key
This means that you are manually specifying the private key with each ssh command, and yes, the corollary of manually specifying the private key with every ansible-playbook command is to add the –private-key= or key-file= option. However, you could save yourself some hassle by enabling ssh and ansible-playbook commands to automatically find and use your desired private key file. One approach would be to add an entry to your ssh config file, specifying the IdentityFile to be used with Host 10.10.2.5. I’d recommend the alternative of loading the ~/.ssh/dummy_rsa into your ssh-agent, which can handle keys for you, trying multiple private keys when attempting a connection.
Make sure your ssh-agent is running: ssh-agent bash
Add your key: ssh-add ~/.ssh/dummy_rsa
If you’re on mac, add the key to your Keychain: ssh-add -K ~/.ssh/dummy_rsa
Now you should be able to run ssh commands without the -i option, and ansible-playbook commands without the –key-file= option because your ssh-agent will inform those commands of the various available private keys to try in making the ssh connections.Reasons for the error “sudo: a password is required”
Of the tasks Trellis runs via the server.yml playbook, some require sudo. This is a non-issue when the playbook connects as root, but sometimes the playbook doesn’t connect as root. If this initial connection attempt as root fails, it will fall back to connecting as the admin_user. This user must specify its sudo password via the option –ask-become-pass, as you discovered.
Maybe you already know why your connection as root failed, but here are some possibilities:
Maybe your remote is on AWS, where root is disabled by default, and your admin_user: ubuntu.
Maybe you’ve already successfully run server.yml with sshd_permit_root_login: false in group_vars/all/security.yml, so root is no longer allowed to log in via ssh (good security).
Maybe the private key you are trying to use is not loaded on the remote in the root user’s authorized_keys