Failed to connect to the host via ssh: Host key verification failed - jenkins

I am facing an issue while executing the ansible-playbook from Jenkins, like:
PLAY [centos-slave-02] *********************************************************
TASK [Gathering Facts] *********************************************************
fatal: [centos-slave-02]: UNREACHABLE! => {"changed": false, "msg": "Failed to connect to the host via ssh: Host key verification failed.", "unreachable": true}
PLAY RECAP *********************************************************************
centos-slave-02 : ok=0 changed=0 unreachable=1 failed=0 skipped=0 rescued=0 ignored=0
but I am able to get a ping-pong response, and each time it asks me to confirm the matching host key in /var/jenkins_home/.ssh/known_hosts:5:
jenkins@c11582cb5024:~/jenkins-ansible$ ansible -i hosts -m ping centos-slave-02
Warning: the ECDSA host key for 'centos-slave-02' differs from the key for the IP address '172.19.0.3'
Offending key for IP in /var/jenkins_home/.ssh/known_hosts:2
Matching host key in /var/jenkins_home/.ssh/known_hosts:5
Are you sure you want to continue connecting (yes/no)? yes
centos-slave-02 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"ping": "pong"
}
Could anyone please help fix this issue? Thanks in advance.

Your known_hosts file on the jenkins-ansible host already has an entry for the host centos-slave-02. Now that the centos-slave-02 host's identity has changed, a new entry needs to be added, but the existing entry in the file triggers this warning:
Warning: the ECDSA host key for 'centos-slave-02' differs from the key for the IP address '172.19.0.3'
Offending key for IP in /var/jenkins_home/.ssh/known_hosts:2
Matching host key in /var/jenkins_home/.ssh/known_hosts:5
You can either manually edit the /var/jenkins_home/.ssh/known_hosts file to remove the key for the centos-slave-02 host, or run the command below:
ssh-keygen -R centos-slave-02
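The same command accepts -f to target a non-default known_hosts file, which is useful here because the file lives under /var/jenkins_home rather than the current user's home. A reproducible sketch with a throwaway file (the generated host key is a stand-in for the real one):

```shell
tmp=$(mktemp -d)
# Create a stand-in host key and a known_hosts entry for the stale host:
ssh-keygen -q -t ed25519 -N "" -f "$tmp/hostkey"
awk '{print "centos-slave-02 " $1 " " $2}' "$tmp/hostkey.pub" > "$tmp/known_hosts"

# Remove every entry matching the stale host from that file:
ssh-keygen -R centos-slave-02 -f "$tmp/known_hosts" > /dev/null

grep -q centos-slave-02 "$tmp/known_hosts" || echo "stale entry removed"
```

ssh-keygen keeps a backup of the previous contents in known_hosts.old, so the removed key can still be inspected afterwards.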
The workaround with Ansible would be to add this line to ansible.cfg under the [defaults] section:
[defaults]
host_key_checking = False
This disables host key checking when making SSH connections.
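If editing ansible.cfg inside the Jenkins container is inconvenient, Ansible's documented environment variable achieves the same thing for a single shell session; the ansible command shown is the one from the question:

```shell
# Equivalent of host_key_checking = False, scoped to the current session:
export ANSIBLE_HOST_KEY_CHECKING=False
echo "$ANSIBLE_HOST_KEY_CHECKING"    # -> False

# then, for example:
# ansible -i hosts -m ping centos-slave-02
```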

Make sure you don't use sudo in your Jenkins build Exec command.


Jenkins ERROR: script returned exit code 4

I have a simple Groovy script to install agents on my servers using Ansible.
After I run the pipeline I get an error:
ERROR: script returned exit code 4
Finished: FAILURE
The error happens because I have two instances that are not running (I don't want them running), and I get a connection timeout from them.
Is there a way to get Jenkins to ignore such errors?
A not-so-ideal solution would be to just state ignore_unreachable: yes at the top of your playbook.
This is not ideal because you risk missing unreachable hosts you do care about.
A possibly better solution is to gracefully end the play for those unreachable hosts in a meta task, based on a list of host(s) you don't need up and running.
For example:
- hosts: localhost, ok-if-down
  gather_facts: no

  pre_tasks:
    - ping:
      ignore_unreachable: yes
      register: ping

    - meta: end_host
      when:
        - inventory_hostname in _possibly_unreachable_hosts
        - ping is unreachable
      vars:
        _possibly_unreachable_hosts:
          - ok-if-down
          ## add more host(s) name in this list, here

  tasks:
    ## here goes your current tasks
When run, the exit code of this playbook would be 0:
$ ansible-playbook play.yml; echo "Return code is $?"
PLAY [localhost, ok-if-down] **************************************************
TASK [ping] *******************************************************************
fatal: [ok-if-down]: UNREACHABLE! => changed=false
  msg: 'Failed to connect to the host via ssh: ssh: Could not resolve hostname ok-if-down: Name does not resolve'
  skip_reason: Host ok-if-down is unreachable
  unreachable: true
ok: [localhost]
TASK [meta] *******************************************************************
skipping: [localhost]
TASK [meta] *******************************************************************
PLAY RECAP ********************************************************************
localhost : ok=1 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
ok-if-down : ok=0 changed=0 unreachable=1 failed=0 skipped=1 rescued=0 ignored=0
Return code is 0

Ansible ping fails when I am not using root privileges

I get the following error when I try to ping another docker container I set up as a remote:
"changed": false,
"msg": "Failed to connect to the host via ssh: bind: File name too long\r\nunix_listener: cannot bind to path: /var/jenkins_home/.ansible/cp/jenkins_remote-22-remote_user.15sibyvAohxbTCvh",
"unreachable": true
}
However, when I run the same command as the root user, it works.
I have tried adding the following line to my ansible.cfg file, but it still fails:
control_path = %(directory)s/%%h-%%p-%%r
What could be the issue?
I had the same issue: it worked with the root user and printed the same error otherwise. What helped was to add the following:
[ssh_connection]
ssh_args = -C -o ControlMaster=auto -o ControlPersist=60s
control_path = /dev/shm/cp%%h-%%p-%%r
to the /etc/ansible/ansible.cfg file (create it if it doesn't exist).
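For background: Unix-domain socket paths have a small OS limit (commonly 104-108 bytes), so a ControlPath rooted in a deep home directory can overflow it once the host, port, and user are substituted in; /dev/shm keeps the expanded path short. A quick length comparison, using the socket path from the error message and a hypothetical expansion of the shorter pattern:

```shell
# Socket path from the error message vs. the /dev/shm pattern expanded
# with the same host/port/user (hypothetical expansion):
long="/var/jenkins_home/.ansible/cp/jenkins_remote-22-remote_user.15sibyvAohxbTCvh"
short="/dev/shm/cpjenkins_remote-22-remote_user"
printf '%d bytes: %s\n' "${#long}" "$long"
printf '%d bytes: %s\n' "${#short}" "$short"
```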

Trying to install but getting an error "Failed to connect to the host via ssh: Permission denied (publickey,password)"

I am able to connect to the other nodes with SSH without a password. I have followed the IBM KC instructions. Here is the command and results:
ubuntu@ipc1:/opt/ibm-cloud-private-ce-3.1.0/cluster$ sudo docker run --net=host -t -e LICENSE=accept -v "$(pwd)":/installer/cluster ibmcom/icp-inception:3.1.0 install
PLAY [Checking Python interpreter] *********************************************
TASK [Checking Python interpreter] *********************************************
fatal: [172.31.39.234]: UNREACHABLE! => changed=false
  msg: Failed to connect to the host via ssh: Permission denied (publickey,password).
  unreachable: true
fatal: [172.31.39.53]: UNREACHABLE! => changed=false
  msg: Failed to connect to the host via ssh: Permission denied (publickey,password).
  unreachable: true
fatal: [172.31.44.240]: UNREACHABLE! => changed=false
  msg: Failed to connect to the host via ssh: Permission denied (publickey,password).
  unreachable: true
NO MORE HOSTS LEFT *************************************************************
NO MORE HOSTS LEFT *************************************************************
PLAY RECAP *********************************************************************
172.31.39.234 : ok=0 changed=0 unreachable=1 failed=0
172.31.39.53 : ok=0 changed=0 unreachable=1 failed=0
172.31.44.240 : ok=0 changed=0 unreachable=1 failed=0
Playbook run took 0 days, 0 hours, 0 minutes, 0 seconds
Can you ssh between hosts without specifying any password?
And by using sudo, that means you are trying to ssh passwordless as root.
So I think you haven't copied the root ssh key between your hosts.
Good luck!
You are facing this issue because you have not set up passwordless authentication within the same server (self-ssh).
Follow these steps and you will be able to get rid of the issue specified above.
[root@localhost ~]# ssh-keygen
Then run the following commands:
[root@localhost ~]# touch ~/.ssh/authorized_keys
[root@localhost ~]# chmod 600 ~/.ssh/authorized_keys
[root@localhost ~]# cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
[root@localhost ~]# cd /opt/ibm-cloud-private-ce-3.1.0/cluster/
[root@localhost ~]# cp -rp ~/.ssh/id_rsa ./ssh_key
Also make sure that the hostname is mapped to the host's IP address in the local /etc/hosts file.
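The steps above can also be run non-interactively; a sketch in a throwaway directory (the real run uses ~/.ssh and the ICP cluster directory):

```shell
demo=$(mktemp -d)
# Generate a key pair without a passphrase (non-interactive equivalent of ssh-keygen):
ssh-keygen -q -t rsa -b 2048 -N "" -f "$demo/id_rsa"
# Authorize the public key and lock down permissions, as in the steps above:
touch "$demo/authorized_keys"
chmod 600 "$demo/authorized_keys"
cat "$demo/id_rsa.pub" >> "$demo/authorized_keys"
ls "$demo"    # lists: authorized_keys, id_rsa, id_rsa.pub
```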
Before you install an IBM Cloud Private cluster, you must configure authentication between cluster nodes. You can generate an SSH key pair on your boot node and share that key with the other cluster nodes. To share the key with the cluster nodes, you must have access to an account with root access for each node in your cluster.
Follow the ICP 3.1.0 Knowledge Center (KC) steps here:
https://www.ibm.com/support/knowledgecenter/SSBS6K_3.1.0/installing/ssh_keys.html

how to make ansible get access to an sshd container?

I use an Ansible script to load & start the https://hub.docker.com/r/rastasheep/ubuntu-sshd/ container.
It starts well, of course:
bash-4.4$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
8bedbd3b7d88 rastasheep/ubuntu-sshd "/usr/sbin/sshd -D" 37 minutes ago Up 36 minutes 0.0.0.0:49154->22/tcp test
bash-4.4$
After Ansible failed on SSH access to it, I tested manually from the shell; this is also OK:
bash-4.4$ ssh root@172.17.0.2
The authenticity of host '172.17.0.2 (172.17.0.2)' can't be established.
ECDSA key fingerprint is SHA256:YtTfuoRRR5qStSVA5UuznGamA/dvf+djbIT6Y48IYD0.
ECDSA key fingerprint is MD5:43:3f:41:e9:89:45:06:6f:f6:42:c4:6a:70:37:f8:1d.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.17.0.2' (ECDSA) to the list of known hosts.
root@172.17.0.2's password:
root@8bedbd3b7d88:~# logout
Connection to 172.17.0.2 closed.
bash-4.4$
So the step that failed is trying to get onto it from the Ansible script and set up access with ssh-copy-id.
The Ansible error message is:
fatal: [172.17.0.2]: UNREACHABLE! => {"changed": false, "msg": "Failed to connect to the host via ssh: Warning: Permanently added '172.17.0.2' (ECDSA) to the list of known hosts.\r\nPermission denied (publickey,password).\r\n", "unreachable": true}
---
- hosts: 127.0.0.1
  tasks:
    - name: start docker service
      service:
        name: docker
        state: started

    - name: load and start the container we wanna use
      docker_container:
        name: test
        image: rastasheep/ubuntu-sshd
        state: started
        ports:
          - "49154:22"

    - name: Wait maximum of 300 seconds for ports to be available
      wait_for:
        host: 0.0.0.0
        port: 49154
        state: started

- hosts: 172.17.0.2
  vars:
    passwordadmin: $6$pbE6yznA$AeFIdI.....K0
    passwordroot: $6$TMrxQUxT$I8.JIzR.....TV1
    ansible_ssh_extra_args: "-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null"
  tasks:
    - name: Build test container root user rsa ssh-key
      shell: docker exec test ssh-keygen -b 2048 -t rsa -f /root/.ssh/id_rsa -q -N ""
So I cannot even run the step needed to build the SSH key.
How should I do it then?
1st step (Ansible task): load the docker container.
2nd step (Ansible task, on 172.17.0.2 only): connect to it & set it up.
There will be a 3rd step to run the application on it after that.
The problem occurs only when starting the 2nd step.
OK, after many tries on a second container, my conclusion is that my procedure was bad.
What I have done to solve it:
- build a directory tree separating ./ ./inventory ./includes
- build 1 YAML file per host (local, docker, labo)
- build 1 main YAML file in ./
- build 1 new hosts file in ./inventory
- connect, forced by sshpass, to docker with the default password
- change it
- add the host key to authorized_keys for a dedicated login
- install Python (needed for the host to answer Ansible; otherwise it randomly produces module errors or refused connections depending on the current action)
- set up an SSH login user in sudoers
Then I can run the docker.yaml actions, and only after that can I run the labo.yaml actions.
Thanks for the help; now I'm able to build the missing tools.

How can I specify canonical server name in composer connection profile?

We need to run the "composer" command from outside the docker containers' network.
When I specify the orderer and peer host names (e.g. peer0.org1.example.com) in the /etc/hosts file, the "composer" command seems to work.
However, if I specify the server's IP address, it does not work. Here is a sample:
$ composer network list -p hlfv1 -n info-share-bc -i PeerAdmin -s secret
✖ List business network info-share-bc
Error trying to ping. Error: Error trying to query chaincode. Error: Connect Failed
Command succeeded
This is a command example when I specify the host name in /etc/hosts:
$ composer network list -p hlfv1 -n info-share-bc -i PeerAdmin -s secret
✔ List business network info-share-bc
name: info-share-bc
models:
- org.hyperledger.composer.system
- bc.share.info
<snip>
I believe that when the server name cannot be resolved, we should specify the option called "ssl-target-name-override" in the Hyperledger node.js SDK, as described here:
https://jimthematrix.github.io/Remote.html
- ssl-target-name-override {string} Used in test environment only,
when the server certificate's hostname (in the 'CN' field) does not
match the actual host endpoint that the server process runs at,
the application can work around the client TLS verify failure by
setting this property to the value of the server certificate's hostname
Is there any option to specify the host name in the connection profile (connection.json)?
Found a workaround: the hostnameOverride option in the connection profile resolved the connection issue:
"eventURL": "grpcs://<target-host>:17053",
"hostnameOverride": "peer0.org1.example.com",
