Open Krenodeno opened 1 year ago
Hello,
Ansible tries to transfer files via The Bastion but fails with multiple warnings.
It means there are multiple transfer_method available to Ansible (see documentation). By default, it's smart and Ansible will try methods one by one: sftp, scp then piped.
The sftp method is not implemented yet (see #23) so the warning is normal.
The scp method fails.
Is The Bastion reachable via SSH?
Is your user on The Bastion allowed to scpup on the remote host?
Did you configure SCP where Ansible is executed?
[ssh_connection]
transfer_method = scp
# Ansible < 2.17
scp_if_ssh = True
# OpenSSH >= 9.0
scp_extra_args = -O
scp_executable = ./path/to/scpbastion.sh
Could you run your playbook with -vvv and post the output please? Don't forget to strip sensitive data.
Example:
ansible-playbook -vvv play.hml
Have a nice day,
Hi,
There was an error from myself: when I tried to fix #20, I forgot to declare the default_configuration_file variable.
After updating the scp script and adding the sftp script, I still get the warnings for both:
<myhostbehindbastion.example.org> PUT /home/tfromont/.ansible/tmp/ansible-local-161279mt3dlljj/tmph1nlf13j TO /root/.ansible/tmp/ansible-tmp-1680254611.5013845-161951-50064555706425/AnsiballZ_stat.py
<myhostbehindbastion.example.org> SSH: EXEC extra/bastion/sftpbastion.sh -b - -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="root"' -o ConnectTimeout=10 -o 'ControlPath="/home/tfromont/.ansible/cp/cef20c313b"' '[myhostbehindbastion.example.org]'
[WARNING]: sftp transfer mechanism failed on [myhostbehindbastion.example.org]. Use ANSIBLE_DEBUG=1 to see detailed information
<myhostbehindbastion.example.org> SSH: EXEC extra/bastion/scpbastion.sh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="root"' -o ConnectTimeout=10 -o 'ControlPath="/home/tfromont/.ansible/cp/cef20c313b"' /home/tfromont/.ansible/tmp/ansible-local-161279mt3dlljj/tmph1nlf13j '[myhostbehindbastion.example.org]:/root/.ansible/tmp/ansible-tmp-1680254611.5013845-161951-50064555706425/AnsiballZ_stat.py'
[WARNING]: scp transfer mechanism failed on [myhostbehindbastion.example.org]. Use ANSIBLE_DEBUG=1 to see detailed information
<myhostbehindbastion.example.org> ESTABLISH SSH CONNECTION FOR USER: root
<myhostbehindbastion.example.org> SSH: EXEC extra/bastion/sshwrapper.py -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="root"' -o ConnectTimeout=10 -o 'ControlPath="/home/tfromont/.ansible/cp/cef20c313b"' myhostbehindbastion.example.org 'dd of=/root/.ansible/tmp/ansible-tmp-1680254611.5013845-161951-50064555706425/AnsiballZ_stat.py bs=65536'
<myhostbehindbastion.example.org> (0, b'', b'2+1 records in\n2+1 records out\n132977 bytes (133 kB, 130 KiB) copied, 0.000414307 s, 321 MB/s\n')
<myhostbehindbastion.example.org> (0, b'', b'2+1 records in\n2+1 records out\n132977 bytes (133 kB, 130 KiB) copied, 0.000414307 s, 321 MB/s\n')
Note that I have not activated pipelining as it can conflict with some of our roles using the become option in a task.
I also tried with the ANSIBLE_DEBUG=1 env var, and I can see the help output of the bastion:
162281 1680254927.51801: Sending initial data
162281 1680254927.51815: Sent initial data (165 bytes)
162281 1680254928.21564: stderr chunk (state=3):
>>>
The Bastion v3.10.00 quick usage examples:
Connect to a server: bastion admin@srv1.example.org
Run a command on a server: bastion admin@srv1.example.org -- uname -a
List the osh commands: bastion --osh help
Help on a specific osh command: bastion --osh OSH_COMMAND --help
Enter interactive mode for osh: bastion -i
Get more complete help: bastion --long-help
Received message too long 458961713
Ensure the remote shell produces no output for non-interactive sessions.
<<<
162281 1680254928.21632: stdout chunk (state=3):
>>><<<
162281 1680254928.22278: stderr chunk (state=3):
>>><<<
[WARNING]: sftp transfer mechanism failed on [myhostbehindbastion.example.org]. Use ANSIBLE_DEBUG=1 to see detailed information
162281 1680254928.22385:
162281 1680254928.22392:
The Bastion v3.10.00 quick usage examples:
Connect to a server: bastion admin@srv1.example.org
Run a command on a server: bastion admin@srv1.example.org -- uname -a
List the osh commands: bastion --osh help
Help on a specific osh command: bastion --osh OSH_COMMAND --help
Enter interactive mode for osh: bastion -i
Get more complete help: bastion --long-help
Received message too long 458961713
Ensure the remote shell produces no output for non-interactive sessions.
162281 1680254928.36863: stderr chunk (state=2):
>>>scp: Connection closed
<<<
162281 1680254928.36894: stderr chunk (state=3):
>>><<<
162281 1680254928.36898: stdout chunk (state=3):
>>><<<
[WARNING]: scp transfer mechanism failed on [myhostbehindbastion.example.org]. Use ANSIBLE_DEBUG=1 to see detailed information
162281 1680254928.36938:
162281 1680254928.36941: scp: Connection closed
It looks like the command sent to the bastion is not the right one.
I may have a source of bug:
In scpwrapper.py, line 29:
elif e == "-o" and argv[i + 1].startswith("User="):
In the ansible output, I see -o 'User="root"'; this condition might be skipped, because it doesn't match the " with '.
mmh, no, forget it, totally okay there
@jriouovh Hi, if I can assist you with anything with regard to this issue, let me know, I'll help as much as I can.
Update:
ANSIBLE_DEBUG=1
and saw this:
18015 1688648460.81423: Sending initial data
18015 1688648460.81465: Sent initial data (162 bytes)
18015 1688648460.82377: stderr chunk (state=3):
>>>exec: extra/bastion/sftpwrapper.py: Permission denied
<<<
18015 1688648460.82403: stderr chunk (state=3):
>>>Connection closed
<<<
18015 1688648460.82413: stderr chunk (state=3):
>>><<<
18015 1688648460.82417: stdout chunk (state=3):
>>><<<
[WARNING]: sftp transfer mechanism failed on [myserver.example.com]. Use ANSIBLE_DEBUG=1 to see detailed information
18015 1688648460.82463:
18015 1688648460.82465: exec: extra/bastion/sftpwrapper.py: Permission denied
Connection closed
18015 1688648460.95284: stderr chunk (state=2):
>>>scp: Connection closed
<<<
18015 1688648460.95314: stderr chunk (state=3):
>>><<<
18015 1688648460.95330: stdout chunk (state=3):
>>><<<
[WARNING]: scp transfer mechanism failed on [myserver.example.com]. Use ANSIBLE_DEBUG=1 to see detailed information
18015 1688648460.95369:
18015 1688648460.95370: scp: Connection closed
chmod +x extra/bastion/sftpwrapper.py
and reran ansible again:
18944 1688648937.75379: Sending initial data
18944 1688648937.75385: Sent initial data (161 bytes)
18944 1688648938.80904: stderr chunk (state=3):
>>>
Sorry, but even if you have ssh access to root@10.42.42.42:22, you still need to be granted specifically for sftp
<<<
18944 1688648938.81316: stderr chunk (state=3):
>>>Connection closed
<<<
18944 1688648938.81368: stderr chunk (state=3):
>>><<<
18944 1688648938.81407: stdout chunk (state=3):
>>><<<
[WARNING]: sftp transfer mechanism failed on [myserver.example.com]. Use ANSIBLE_DEBUG=1 to see detailed information
18944 1688648938.81517:
18944 1688648938.81521:
Sorry, but even if you have ssh access to root@10.42.42.42:22, you still need to be granted specifically for sftp
Connection closed
18944 1688648938.97396: stderr chunk (state=2):
>>>scp: Connection closed
<<<
18944 1688648938.97414: stderr chunk (state=3):
>>><<<
18944 1688648938.97424: stdout chunk (state=3):
>>><<<
[WARNING]: scp transfer mechanism failed on [myserver.example.com]. Use ANSIBLE_DEBUG=1 to see detailed information
18944 1688648938.97444:
18944 1688648938.97445: scp: Connection closed
Note the exact same error message from SFTP and SCP methods.
Both errors go away when I grant SFTP permission in our bastion, but both errors still show when a host only has SCP (up & down) granted.
Hi, I get the following warnings for each task when running an ansible provisioning with the wrapper:
I don't know if it will impact my deployments; on my test VM it looks like it runs just fine, but I still don't like seeing a warning like this. At first I thought it was because of #20, but even after modifying it myself, it didn't change the output.
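The three failure causes that surface in the ANSIBLE_DEBUG=1 stderr chunks quoted in this thread can be told apart mechanically. The following is an added example, not code from the thread or from the wrapper project; the sample text is condensed from the quoted output and the cause labels are hypothetical names.

```python
import re
import struct

# Constructed input: stderr text condensed from the ANSIBLE_DEBUG=1 chunks quoted in this thread.
SAMPLES = {
    "help_banner": (
        "The Bastion v3.10.00 quick usage examples:\n"
        "Received message too long 458961713\n"
        "Ensure the remote shell produces no output for non-interactive sessions.\n"
    ),
    "wrapper_mode": "exec: extra/bastion/sftpwrapper.py: Permission denied\nConnection closed\n",
    "missing_grant": (
        "Sorry, but even if you have ssh access to root@10.42.42.42:22, "
        "you still need to be granted specifically for sftp\nConnection closed\n"
    ),
}

TOO_LONG = re.compile(r"Received message too long (\d+)")
NOT_EXECUTABLE = re.compile(r"exec: (\S+): Permission denied")
NOT_GRANTED = re.compile(r"need to be granted specifically for (\w+)")


def diagnose(stderr):
    """Map one stderr chunk to (cause, detail); the cause names are hypothetical labels."""
    m = NOT_EXECUTABLE.search(stderr)
    if m:
        return ("wrapper_not_executable", m.group(1))
    m = NOT_GRANTED.search(stderr)
    if m:
        return ("bastion_grant_missing", m.group(1))
    m = TOO_LONG.search(stderr)
    if m:
        # The SFTP client reads the first 4 bytes of the reply as a big-endian
        # packet length, so the reported number is those 4 bytes of whatever
        # text arrived instead of an SFTP packet.
        first4 = struct.pack(">I", int(m.group(1)))
        return ("non_sftp_output_on_channel", first4)
    return ("unknown", stderr.strip())


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, diagnose(text))
```

For the length 458961713 the recovered bytes are 1b 5b 33 31, that is ESC [ 3 1, the opening of an ANSI terminal escape sequence: the client received terminal text where it expected an SFTP packet.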