semaphoreui / semaphore

Modern UI for Ansible, Terraform, OpenTofu, Bash, Pulumi.
https://semaphoreui.com
MIT License

new ssh agent can't be forwarded with ssh persistent connections #1513

Open hmoffatt opened 11 months ago

hmoffatt commented 11 months ago

I'm testing the new beta with SSH agent / private key support feature #1500. I have persistent ssh connections enabled in Ansible (using all the default settings), and I'm also trying to forward the ssh agent to the remote hosts as I need it there: I set

```
ansible_ssh_common_args="-o StrictHostKeyChecking=accept-new -o ForwardAgent=yes"
```

What I've found is that after a playbook runs, the internal ssh agent is stopped, but the ssh persistent connection lives on (default ansible setting is 60 seconds). If you run another playbook within that time, the persistent connection is re-used, but it is now forwarding a connection to the old agent, so the agent isn't usable. If you wait until the persistent connection is shut down, then run the playbook, it works again.

Example playbook is simply:

```yaml
---
- hosts: all

  tasks:
    - name: Ping
      ping:
    - name: List keys
      shell: ssh-add -l
```

When this is first run, it works. When it is run again within 60 seconds, the `ssh-add -l` shell command fails with the error `error fetching identities: communication with agent failed`.

Two solutions I can think of:

  1. Semaphore should keep a persistent agent rather than stopping it after the playbook runs, or
  2. Ansible is configured to use a new persistent connection directory (`PERSISTENT_CONTROL_PATH_DIR`) for each playbook run.

fiftin commented 11 months ago

@hmoffatt thanks a lot.

fiftin commented 11 months ago

> Two solutions I can think of:
>
> - Semaphore should keep a persistent agent rather than stopping it after the playbook runs, or
> - Ansible is configured to use a new persistent connection directory (`PERSISTENT_CONTROL_PATH_DIR`) for each playbook run.

@hmoffatt or we should add a config flag `use_ssh_agent` for backward compatibility. What do you think?

hmoffatt commented 11 months ago

Either solution would work. I prefer the persistent agent but I don't mind.

A `use_ssh_agent` flag would affect the UI too, as the passphrase functionality would be unavailable. Maybe the new internal agent will cause a problem for anyone who is already running Semaphore inside an agent context, because the internal agent would hide their existing agent? I don't know if anyone would do this though.

hmoffatt commented 10 months ago

I wonder if this is also an issue if you are running multiple tasks at once. The SSH connection may be shared (unless Ansible is already configured to use a unique persistent connection path per run?), but the SSH agent will be unique per task.

hmoffatt commented 1 month ago

This is still happening on the latest version. I may add `ansible.builtin.meta: reset_connection` to the start of all my playbooks as a workaround.
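The second solution from the opening post (a fresh control-socket directory per run) and the pre-flight check that would have caught the stale agent, as an added example that is not part of Semaphore or of any comment above. It assumes the `ansible-playbook` binary is on PATH and that the ssh connection plugin honours the `ANSIBLE_SSH_CONTROL_PATH_DIR` environment variable; `placeholder-host` is a dummy argument that `ssh -O exit` requires but never connects to.

```shell
#!/bin/sh
# Wrapper around ansible-playbook that (a) refuses to start when the agent in
# SSH_AUTH_SOCK cannot be reached, and (b) gives every run its own
# ControlMaster socket directory, so a run can never reuse a persistent
# connection whose forwarded agent socket points at an agent that has exited.

# Returns 0 if SSH_AUTH_SOCK names a socket that an agent answers on.
# ssh-add exits 2 when it cannot talk to the agent; 0 (keys listed) and
# 1 (agent has no keys) both mean the agent is alive.
agent_is_live() {
  [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "$SSH_AUTH_SOCK" ] || return 1
  ssh-add -l >/dev/null 2>&1
  [ "$?" -ne 2 ]
}

# Creates a private directory for this run's control sockets and prints it.
new_control_dir() {
  d=$(mktemp -d "${TMPDIR:-/tmp}/ansible-cp.XXXXXX") || return 1
  chmod 700 "$d"
  printf '%s\n' "$d"
}

# Runs a playbook with a per-run control path, then closes any master
# connections parked in that directory and removes it.
run_playbook() {
  playbook=$1; shift
  agent_is_live || { echo "ssh agent at SSH_AUTH_SOCK is not reachable" >&2; return 1; }
  cp_dir=$(new_control_dir) || return 1
  ANSIBLE_SSH_CONTROL_PATH_DIR="$cp_dir" ansible-playbook "$playbook" "$@"
  rc=$?
  for sock in "$cp_dir"/*; do
    # Ask each ControlMaster to exit; the host argument is only syntactic here.
    [ -S "$sock" ] && ssh -O exit -o ControlPath="$sock" placeholder-host >/dev/null 2>&1
  done
  rm -rf "$cp_dir"
  return $rc
}
```

With the agent stopped (or `SSH_AUTH_SOCK` stale) the wrapper fails fast instead of surfacing `communication with agent failed` from inside a task.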