Getting warnings about scp and sftp when running with the wrapper

Krenodeno commented 1 year ago

Hi, I get the following warnings for each task when running an ansible provisioning with the wrapper:

[WARNING]: sftp transfer mechanism failed on [vm1.localhost.dev]. Use ANSIBLE_DEBUG=1 to see detailed information
[WARNING]: scp transfer mechanism failed on [vm1.localhost.dev]. Use ANSIBLE_DEBUG=1 to see detailed information

I don't know if it will impact my deployments, it looks like on my test vm, it run just fine, but still don't like seeing a warning like this. At first I thought it was because of #20, but even after modifying it myself, it didn't change the output.

jriouovh commented 1 year ago

Hello,

Ansible tries to transfer files via The Bastion but fails with multiple warnings.

It means there are multiple transfer_method available to Ansible (see documentation). By default, it's smart and Ansible will try methods one by one: sftp, scp then piped.

The sftp method is not implemented yet (see #23) so the warning is normal.

The scp method fails.

Is The Bastion reachable via SSH? Is your user on The Bastion allowed to scpup on the remote host? Did you configured SCP where Ansible is executed?

[ssh_connection]
transfer_method = scp
scp_if_ssh = True       # Ansible < 2.17
scp_extra_args = -O     # OpenSSH >= 9.0
scp_executable = ./path/to/scpbastion.sh

Could you run your playbook with -vvv and post the output please? Don't forget to strip sensitive data.

Example:

ansible-playbook -vvv play.hml

Have a nice day,

Krenodeno commented 1 year ago

Hi,

There was an error from myself, when I tried to fix #20 I forgot to declare the default_configuration_file variable.

After updating scp script, and adding sftp script, I still get the warnings for the twos:

<myhostbehindbastion.example.org> PUT /home/tfromont/.ansible/tmp/ansible-local-161279mt3dlljj/tmph1nlf13j TO /root/.ansible/tmp/ansible-tmp-1680254611.5013845-161951-50064555706425/AnsiballZ_stat.py
<myhostbehindbastion.example.org> SSH: EXEC extra/bastion/sftpbastion.sh -b - -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="root"' -o ConnectTimeout=10 -o 'ControlPath="/home/tfromont/.ansible/cp/cef20c313b"' '[myhostbehindbastion.example.org]'
[WARNING]: sftp transfer mechanism failed on [myhostbehindbastion.example.org]. Use ANSIBLE_DEBUG=1 to see detailed information
<myhostbehindbastion.example.org> SSH: EXEC extra/bastion/scpbastion.sh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="root"' -o ConnectTimeout=10 -o 'ControlPath="/home/tfromont/.ansible/cp/cef20c313b"' /home/tfromont/.ansible/tmp/ansible-local-161279mt3dlljj/tmph1nlf13j '[myhostbehindbastion.example.org]:/root/.ansible/tmp/ansible-tmp-1680254611.5013845-161951-50064555706425/AnsiballZ_stat.py'
[WARNING]: scp transfer mechanism failed on [myhostbehindbastion.example.org]. Use ANSIBLE_DEBUG=1 to see detailed information
<myhostbehindbastion.example.org> ESTABLISH SSH CONNECTION FOR USER: root
<myhostbehindbastion.example.org> SSH: EXEC extra/bastion/sshwrapper.py -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="root"' -o ConnectTimeout=10 -o 'ControlPath="/home/tfromont/.ansible/cp/cef20c313b"' myhostbehindbastion.example.org 'dd of=/root/.ansible/tmp/ansible-tmp-1680254611.5013845-161951-50064555706425/AnsiballZ_stat.py bs=65536'
<myhostbehindbastion.example.org> (0, b'', b'2+1 records in\n2+1 records out\n132977 bytes (133 kB, 130 KiB) copied, 0.000414307 s, 321 MB/s\n')
<myhostbehindbastion.example.org> (0, b'', b'2+1 records in\n2+1 records out\n132977 bytes (133 kB, 130 KiB) copied, 0.000414307 s, 321 MB/s\n')

Note that I have not activated pipelining as it can conflict with some of our roles using the become option in a task.

I tried also with the ANSIBLE_DEBUG=1 anv var, and I can see the help output of the bastion:

162281 1680254927.51801: Sending initial data
162281 1680254927.51815: Sent initial data (165 bytes)
162281 1680254928.21564: stderr chunk (state=3):
>>>
The Bastion v3.10.00 quick usage examples:

    Connect to a server:              bastion admin@srv1.example.org
    Run a command on a server:        bastion admin@srv1.example.org -- uname -a

    List the osh commands:            bastion --osh help
    Help on a specific osh command:   bastion --osh OSH_COMMAND --help
    Enter interactive mode for osh:   bastion -i

    Get more complete help:           bastion --long-help

Received message too long 458961713
Ensure the remote shell produces no output for non-interactive sessions.
<<<
162281 1680254928.21632: stdout chunk (state=3):
>>><<<
162281 1680254928.22278: stderr chunk (state=3):
>>><<<
[WARNING]: sftp transfer mechanism failed on [myhostbehindbastion.example.org]. Use ANSIBLE_DEBUG=1 to see detailed information
162281 1680254928.22385: 
162281 1680254928.22392: 
The Bastion v3.10.00 quick usage examples:

    Connect to a server:              bastion admin@srv1.example.org
    Run a command on a server:        bastion admin@srv1.example.org -- uname -a

    List the osh commands:            bastion --osh help
    Help on a specific osh command:   bastion --osh OSH_COMMAND --help
    Enter interactive mode for osh:   bastion -i

    Get more complete help:           bastion --long-help

Received message too long 458961713
Ensure the remote shell produces no output for non-interactive sessions.
162281 1680254928.36863: stderr chunk (state=2):
>>>scp: Connection closed
<<<
162281 1680254928.36894: stderr chunk (state=3):
>>><<<
162281 1680254928.36898: stdout chunk (state=3):
>>><<<
[WARNING]: scp transfer mechanism failed on [myhostbehindbastion.example.org]. Use ANSIBLE_DEBUG=1 to see detailed information
162281 1680254928.36938: 
162281 1680254928.36941: scp: Connection closed

It looks like the command sended to the bastion is not the right one.

Krenodeno commented 1 year ago

I may have a source of bug:

In scpwrapper.py, line 29: elif e == "-o" and argv[i + 1].startswith("User="): In the ansible output, I see -o 'User="root"'

this condition might be skipped, because it doesn't match the " with '.

Krenodeno commented 1 year ago

mmh, no, forget it, totally okay there

Krenodeno commented 1 year ago

@jriouovh Hi, If I can assist you with anything in regard of this issue, let me know, I'll help as much as I can.

Krenodeno commented 1 year ago

Update:

We upgraded theBastion from 3.10 to 3.12

I launched an ansible deployment with ANSIBLE_DEBUG=1 and saw this:

18015 1688648460.81423: Sending initial data
18015 1688648460.81465: Sent initial data (162 bytes)
18015 1688648460.82377: stderr chunk (state=3):
>>>exec: extra/bastion/sftpwrapper.py: Permission denied
<<<
18015 1688648460.82403: stderr chunk (state=3):
>>>Connection closed
<<<
18015 1688648460.82413: stderr chunk (state=3):
>>><<<
18015 1688648460.82417: stdout chunk (state=3):
>>><<<
[WARNING]: sftp transfer mechanism failed on [myserver.example.com]. Use ANSIBLE_DEBUG=1 to see detailed information
18015 1688648460.82463:
18015 1688648460.82465: exec: extra/bastion/sftpwrapper.py: Permission denied
Connection closed
18015 1688648460.95284: stderr chunk (state=2):
>>>scp: Connection closed
<<<
18015 1688648460.95314: stderr chunk (state=3):
>>><<<
18015 1688648460.95330: stdout chunk (state=3):
>>><<<
[WARNING]: scp transfer mechanism failed on [myserver.example.com]. Use ANSIBLE_DEBUG=1 to see detailed information
18015 1688648460.95369:
18015 1688648460.95370: scp: Connection closed

So I ran chmod +x extra/bastion/sftpwrapper.py and reran ansible again:

18944 1688648937.75379: Sending initial data
18944 1688648937.75385: Sent initial data (161 bytes)
18944 1688648938.80904: stderr chunk (state=3):
>>>
Sorry, but even if you have ssh access to root@10.42.42.42:22, you still need to be granted specifically for sftp
<<<
18944 1688648938.81316: stderr chunk (state=3):
>>>Connection closed
<<<
18944 1688648938.81368: stderr chunk (state=3):
>>><<<
18944 1688648938.81407: stdout chunk (state=3):
>>><<<
[WARNING]: sftp transfer mechanism failed on [myserver.example.com]. Use ANSIBLE_DEBUG=1 to see detailed information
18944 1688648938.81517:
18944 1688648938.81521:
Sorry, but even if you have ssh access to root@10.42.42.42:22, you still need to be granted specifically for sftp
Connection closed
18944 1688648938.97396: stderr chunk (state=2):
>>>scp: Connection closed
<<<
18944 1688648938.97414: stderr chunk (state=3):
>>><<<
18944 1688648938.97424: stdout chunk (state=3):
>>><<<
[WARNING]: scp transfer mechanism failed on [myserver.example.com]. Use ANSIBLE_DEBUG=1 to see detailed information
18944 1688648938.97444:
18944 1688648938.97445: scp: Connection closed

Note the exact same error message from SFTP and SCP methods.

Both errors get away when I grant SFTP permission in our bastion, but both errors still shows when a hosts only have SCP (up & down) granted.

ovh / the-bastion-ansible-wrapper

Getting warnings about scp and sftp when running with the wrapper #21