Struggling with "skipping: no hosts matched"

[Nizla]

Hi there,

I started using Rundeck and Ansible for a few days from today, and, i've run into a lot of problem, but this one i'm not passing through. I'm just trying to launch 2 simple playbook into a Cisco Switch who create an ACL Test, and destroy it. Just to test if playbook can work normally.

Playbooks work fine when:

• Launch them from command line as root ansible-playbook /etc/ansible/playbooks/ios/ios-test-acl.yml
• Launch them from command line as rundeck su rundeck -s /bin/bash -c "ansible-playbook /etc/ansible/playbooks/ios/ios-test-acl.yml
• Launch them from Rundeck without the plugin (as Command Line)

But they won't work when i launch them from Rundeck with the option coming from the plugin (to launch playbook)

I'm pretty sure i'm missing something but i can't find what it is and it's pretty frustrating. Here what i've done at the moment.

Project configuration following the readme:

#Project Project_Ansible_Plugin configuration, generated
#Tue Jun 21 10:17:13 CEST 2016
project.name=Project_Ansible_Plugin
project.ssh-authentication=privateKey
service.NodeExecutor.default.provider=com.batix.rundeck.AnsibleNodeExecutor
resources.source.1.config.gatherFacts=false
resources.source.1.config.extraArgs=-u root
project.nodeCache.enabled=true
project.ssh-keypath=/var/lib/rundeck/.ssh/id_rsa
project.nodeCache.delay=30
project.description=Project using functionalities from the ansible plugin for rundeck
service.FileCopier.default.provider=com.batix.rundeck.AnsibleFileCopier
executable=/bin/bash
resources.source.1.type=com.batix.rundeck.AnsibleResourceModelSourceFactory

ownership from rundeck to /var/lib/rundeck: drwxr-xr-x 12 rundeck root 4.0K Jun 20 16:59 rundeck

The test command is good:

ansible config file:

[defaults]
log_path        = /var/log/ansible.log
inventory       = /etc/ansible/hosts
local_tmp       = $HOME/.ansible/tmp
#host_key_checking  = false

node rundeck can see:

And the host file (with the password which is visible and not crypted for the ssh pass missing here):

[localhost]
rundeck ansible_connection=local ansible_host=127.0.0.1 ansible_user=root ansible_ssh_pass=<>
[nxos]
sdc9-n6k-01 ansible_connection=local
[ios]
172.30.253.30 ansible_connection=local

Tanks in advance !

Server: Debian 8.4 Rundeck 2.6.7-1 Ansible 2.1.0.0 Plugin 1.2.4 Java 1.7.0_101 Python 2.7.9 Client: Cisco IOS - C2960X - 15.0(2)EX5

[frozenice]

Wow, thanks for the detailed report! That's a developer's dream. ;)

It seems your playbook targets "172.30.253.30" with its hosts entry. But the job screenshot shows Rundeck is trying to run it on node "rundeck".

How did you configure your job? Can you post your job definition as YAML?

[Nizla]

That's the behaviour i expect from the playbook. What the playbook try to do is to connect, from the rundeck server, to the switch (172.30.253.30) using SSH. So the playbook must be run locally.

Here the job definition from the job using the plugin:

- description: test job which create acl, and destro them afterward
  executionEnabled: true
  id: b80b0aa3-bd1a-48b2-8efe-6842980b6986
  loglevel: INFO
  name: test_acl
  scheduleEnabled: true
  sequence:
    commands:
    - configuration:
        extraArgs: -u root
        playbook: /etc/ansible/playbooks/ios/ios-test-acl.yml
      description: test the creation of the acl
      nodeStep: true
      type: com.batix.rundeck.AnsiblePlaybookNodeStep
    - configuration:
        extraArgs: -u root
        playbook: /etc/ansible/playbooks/ios/ios-delete-test-acl.yml
      description: test the destruction of the freshly created acl
      nodeStep: true
      type: com.batix.rundeck.AnsiblePlaybookNodeStep
    keepgoing: false
    strategy: node-first
  uuid: b80b0aa3-bd1a-48b2-8efe-6842980b6986

Here the job definition from the job who don't:

- description: |-
    Test acl creation with ansible module (ios_config)
    and delete them afterward (with ios_config too)
  executionEnabled: true
  id: a97c4e76-ca7c-428a-991d-3f8f5e98b3a5
  loglevel: INFO
  name: test_ansible_acl
  scheduleEnabled: true
  sequence:
    commands:
    - description: create the acl
      exec: ansible-playbook /etc/ansible/playbooks/ios/ios-test-acl.yml
    - description: delete them
      exec: ansible-playbook /etc/ansible/playbooks/ios/ios-delete-test-acl.yml
    keepgoing: false
    strategy: node-first
  uuid: a97c4e76-ca7c-428a-991d-3f8f5e98b3a5

And the playbooks i'm using in the job are like these (the module i used are nxos_command and nxos_config).

- hosts: ios
  gather_facts: no
  connection: local

  tasks:
  - name: OBTAIN LOGIN CREDENTIALS
    include_vars: secrets.yml

  - name: DEFINE PROVIDER
    set_fact:
      provider:
        host: "{{ inventory_hostname }}"
        username: "{{ creds['username'] }}"
        password: "{{ creds['password'] }}"
        auth_pass: "{{ creds['auth_pass'] }}"

- name: CREATE 'TEST' ACCESS-LIST
    ios_config:
      provider: "{{ provider }}"
      authorize: yes
      lines:
        - 10 permit ip host 1.1.1.1 any
        - 20 deny ip any any
      parents: ['ip access-list extended TEST']
      #before: ['no ip access-list extended TEST']
      match: exact

Only put the one for the creation of acl list, the destruction is just the same with 'no ip access-list extended TEST' in lines:

[yassineazzouz]

Hi @Nizla ,

Can you please try to post the content of the rundeck limit file, it is a temp so you should find it only while the job is running and should be named /tmp/ansible-runner*targets or if you are limiting to only one host the execution will use -l HOST_NAME instead of the file. you can find the full command executed by rundeck if you do : ps -eaf | grep -i "ansible-playbook" while the job is running.

[frozenice]

The plugin passes the selected nodes of the job to the playbook via the -l parameter. So if you select the local Rundeck server node for the job, but your Ansible playbook targets "ios" it won't find a matching host.

It makes more sense if you imagine a playbook that targets "all" or "webservers" but you want to limit the job only to nodes "webserver1" and "webserver5" or something like that. You would then create a job, add a step for the playbook and only select those two nodes for the job.

If you think about it, the nodes you select for a job are the nodes where something should happen, as it is with other steps (Command, Script, Copy File). That's what I initially came up with, happy to discuss improvements (an option to not pass the limits maybe?).

[Nizla]

It seems like more of a problem of philosophy and way of using Rundeck and Ansible, but the mistake was on my side. When i choose the "Dispatch to nodes" option and give him the good node or all the nodes, the playbook run perfectly well.

I didn't understand what the "dispatch to nodes" and "execute locally" options were trying to do. But it's just using the --limit parameter. It was misleading in my case because of the option "run locally". Because everything must be run locally in my job, and that's made by the "connection: local" at the beginning of my playbooks. But i must give him a list of distant host too, as it is used as a parameter by the module i used to connect with SSH, and the local server isn't on the list of hosts.

The way you're using Ansible (with the limit parameter each time) is cool, I didn't thought about it before :+1: But sometimes your playbook is already made with the exact hosts you want it to run, so an option to not use the limit parameter could be very cool, as even ansible made it optional when using the command line. You can pass around by putting ".*" in the node filter, but it will try to launch the job with ALL the nodes referenced in rundeck (with failure of course). And so it's a big waste of time and ressources.