Failure to establish connection when provisioning via ansible-playbook server.yml

I’m using Root.io‘s Trellis workflow.

I’ve encountered an error wherein I couldn’t establish a connection via ansible-playbook.

  1. When I run ansible-playbook server.yml -e env=staging it throws an error that the ssh connection cannot be established, so I checked my users.yml file and saw a problem under the keys section:

    - name: "{{ admin_user }}"
      groups:
        - sudo
      keys:
        - "{{ lookup('file', '~/.ssh/id_rsa.pub') }}"
        - https://github.com/dummyuser.keys
    

    I realised I have an existing id_rsa.pub key but I didn’t have it authorized on my server; I was using https://github.com/dummyuser.keys instead. So I removed this line:

    - "{{ lookup('file', '~/.ssh/id_rsa.pub') }}"
    

    However the problem still persists. The response was:

    fatal: [10.10.2.5]: UNREACHABLE! => {
        "changed": false, 
        "msg": "Failed to connect to the host via ssh.", 
        "unreachable": true
    }
    

    Also, why does the config point to the public key when we need the private key to log in via ssh? I usually do

    ssh -i ~/.ssh/private_key [email protected]
    

    whenever I login to the server via ssh.

  2. So I used another approach. I specified the key on the CLI this time:

    ansible-playbook server.yml -e env=staging -vvvv --key-file=~/.ssh/dummy_rsa
    

    and the result was that I was able to establish a connection:

    <10.10.2.5> ESTABLISH SSH CONNECTION FOR USER: dummy_admin
    

    But there was another error: it says a password is required. Here’s the full message:

    fatal: [10.10.2.5]: FAILED! => {
        "changed": false, 
        "failed": true, 
        "invocation": {"module_name": "setup"}, 
        "module_stderr": "OpenSSH_6.9p1, LibreSSL 2.1.8\r\ndebug1: Reading configuration data /etc/ssh/ssh_config\r\ndebug1: /etc/ssh/ssh_config line 21: Applying options for *\r\ndebug1: auto-mux: Trying existing master\r\ndebug2: fd 3 setting O_NONBLOCK\r\ndebug2: mux_client_hello_exchange: master version 4\r\ndebug3: mux_client_forwards: request forwardings: 0 local, 0 remote\r\ndebug3: mux_client_request_session: entering\r\ndebug3: mux_client_request_alive: entering\r\ndebug3: mux_client_request_alive: done pid = 85702\r\ndebug3: mux_client_request_session: session request sent\r\ndebug1: mux_client_request_session: master session id: 2\r\ndebug3: mux_client_read_packet: read header failed: Broken pipe\r\ndebug2: Received exit status from master 1\r\nShared connection to 10.10.2.5 closed.\r\n", 
        "module_stdout": "sudo: a password is required\r\n", 
        "msg": "MODULE FAILURE", 
        "parsed": false
    }
    

    I’m not sure why it is asking for a password. I’ve already set it in my group_vars/staging/vault.yml; here’s the content of that:

    vault_mysql_root_password: stagingpw
    vault_sudoer_passwords:
      dummy_admin: $6$rounds=656000$8DWzDN3KQkM9SjlF$DhxLkYaayplFmtj9q.EqzMDWmvlLNKsLU0GPL9E0P2EvkFQBsbjcMCXgWkug4a5E66PfwL4eZQXzMLkhXcPBk0
    
  3. So I finally got logged in using the command below:

    ansible-playbook server.yml -e env=staging -vvvv --key-file=~/.ssh/dummy_rsa --ask-become-pass
    

    after asking me for a password it works and provisions my server without problem.

Can anyone shed light on this? Am I missing something? Let me know if you need more details.

2 Answers

I’ve also posted this question on discourse and @fullyint has answered it in detail. So I’m just posting a link to the answer and some excerpts.

Helping Ansible and ssh to find the necessary private key

This means that you are manually specifying the private key with each ssh command, and yes, the corollary of manually specifying the private key with every ansible-playbook command is to add the --private-key= or --key-file= option. However, you could save yourself some hassle by enabling ssh and ansible-playbook commands to automatically find and use your desired private key file. One approach would be to add an entry to your ssh config file, specifying the IdentityFile to be used with Host 10.10.2.5. I’d recommend the alternative of loading the ~/.ssh/dummy_rsa into your ssh-agent, which can handle keys for you, trying multiple private keys when attempting a connection.

  1. Make sure your ssh-agent is running: ssh-agent bash
  2. Add your key: ssh-add ~/.ssh/dummy_rsa
  3. If you’re on Mac, add the key to your Keychain: ssh-add -K ~/.ssh/dummy_rsa

Now you should be able to run ssh commands without the -i option, and ansible-playbook commands without the --key-file= option because your ssh-agent will inform those commands of the various available private keys to try in making the ssh connections.

Reasons for the error “sudo: a password is required”

Of the tasks Trellis runs via the server.yml playbook, some require sudo. This is a non-issue when the playbook connects as root, but sometimes the playbook doesn’t connect as root. If this initial connection attempt as root fails, it will fall back to connecting as the admin_user. This user must specify its sudo password via the option --ask-become-pass, as you discovered.

Maybe you already know why your connection as root failed, but here are some possibilities:

  1. Maybe your remote is on AWS, where root is disabled by default, and your admin_user: ubuntu.
  2. Maybe you’ve already successfully run server.yml with sshd_permit_root_login: false in group_vars/all/security.yml, so root is no longer allowed to log in via ssh (good security).
  3. Maybe the private key you are trying to use is not loaded on the remote in the root user’s authorized_keys.
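An added pre-flight script (example code, not part of Trellis or of the answer above) that ties the two excerpts together: it checks the ssh-agent state the answer describes, probes non-interactively whether root can still log in, and prints the server.yml command with --ask-become-pass only when Ansible will fall back to the sudo-using admin user. It assumes the host 10.10.2.5 and admin user dummy_admin from the question; the ssh-add exit codes are OpenSSH's documented ones.

```shell
#!/bin/sh
# Pre-flight helper for Trellis' "ansible-playbook server.yml" (added example,
# not Trellis' own code). Checks the agent holds a key, probes whether root
# still logs in, and prints the playbook command that fits. Host and admin
# user are the values from the question (assumptions, override via env).
TRELLIS_HOST="${TRELLIS_HOST:-10.10.2.5}"
ADMIN_USER="${ADMIN_USER:-dummy_admin}"

# ssh-add -l exits 0 with keys loaded, 1 with an empty agent, 2 with no agent.
agent_state() {
  rc=0
  ssh-add -l >/dev/null 2>&1 || rc=$?
  case $rc in
    0) echo loaded ;;
    1) echo empty ;;
    *) echo no-agent ;;
  esac
}

# BatchMode refuses password prompts, so failure means key auth did not work
# for that user (key not in authorized_keys, wrong key, or root login disabled).
can_login() {   # $1 = user
  ssh -o BatchMode=yes -o ConnectTimeout=5 "$1@$TRELLIS_HOST" true 2>/dev/null
}

# Pure decision logic (root_ok admin_ok env -> command) so it is testable offline.
playbook_cmd() {
  if [ "$1" = yes ]; then
    echo "ansible-playbook server.yml -e env=$3"
  elif [ "$2" = yes ]; then
    # admin_user must sudo, so its vault_sudoer_passwords entry is prompted for
    echo "ansible-playbook server.yml -e env=$3 --ask-become-pass"
  else
    echo "no key-based login for root or $ADMIN_USER on $TRELLIS_HOST" >&2
    return 1
  fi
}

main() {
  case "$(agent_state)" in
    empty)    echo 'run: ssh-add ~/.ssh/dummy_rsa' >&2; return 1 ;;
    no-agent) echo 'run: eval "$(ssh-agent -s)"; ssh-add ~/.ssh/dummy_rsa' >&2; return 1 ;;
  esac
  root_ok=no; admin_ok=no
  can_login root && root_ok=yes
  [ "$root_ok" = yes ] || { can_login "$ADMIN_USER" && admin_ok=yes; }
  playbook_cmd "$root_ok" "$admin_ok" "${1:-staging}"
}

# Probe the network only when invoked as: sh preflight.sh run [env]
if [ "${1:-}" = run ]; then main "${2:-staging}"; fi
```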
