
Comments (6)

jriouovh commented on September 7, 2024

Hello,

Ansible tries to transfer files via The Bastion but fails with multiple warnings.

It means there are multiple transfer_method available to Ansible (see documentation). By default, it's smart and Ansible will try methods one by one: sftp, scp then piped.

The sftp method is not implemented yet (see #23) so the warning is normal.

The scp method fails.

Is The Bastion reachable via SSH?
Is your user on The Bastion allowed to scpup on the remote host?
Did you configure SCP where Ansible is executed?

[ssh_connection]
transfer_method = scp
scp_if_ssh = True       # Ansible < 2.17
scp_extra_args = -O     # OpenSSH >= 9.0
scp_executable = ./path/to/scpbastion.sh

Could you run your playbook with -vvv and post the output please? Don't forget to strip sensitive data.

Example:

ansible-playbook -vvv play.yml

Have a nice day,

from the-bastion-ansible-wrapper.

Krenodeno commented on September 7, 2024

Hi,

There was an error on my part: when I tried to fix #20, I forgot to declare the default_configuration_file variable.

After updating the scp script and adding the sftp script, I still get the warnings for both:

<myhostbehindbastion.example.org> PUT /home/tfromont/.ansible/tmp/ansible-local-161279mt3dlljj/tmph1nlf13j TO /root/.ansible/tmp/ansible-tmp-1680254611.5013845-161951-50064555706425/AnsiballZ_stat.py
<myhostbehindbastion.example.org> SSH: EXEC extra/bastion/sftpbastion.sh -b - -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="root"' -o ConnectTimeout=10 -o 'ControlPath="/home/tfromont/.ansible/cp/cef20c313b"' '[myhostbehindbastion.example.org]'
[WARNING]: sftp transfer mechanism failed on [myhostbehindbastion.example.org]. Use ANSIBLE_DEBUG=1 to see detailed information
<myhostbehindbastion.example.org> SSH: EXEC extra/bastion/scpbastion.sh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="root"' -o ConnectTimeout=10 -o 'ControlPath="/home/tfromont/.ansible/cp/cef20c313b"' /home/tfromont/.ansible/tmp/ansible-local-161279mt3dlljj/tmph1nlf13j '[myhostbehindbastion.example.org]:/root/.ansible/tmp/ansible-tmp-1680254611.5013845-161951-50064555706425/AnsiballZ_stat.py'
[WARNING]: scp transfer mechanism failed on [myhostbehindbastion.example.org]. Use ANSIBLE_DEBUG=1 to see detailed information
<myhostbehindbastion.example.org> ESTABLISH SSH CONNECTION FOR USER: root
<myhostbehindbastion.example.org> SSH: EXEC extra/bastion/sshwrapper.py -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="root"' -o ConnectTimeout=10 -o 'ControlPath="/home/tfromont/.ansible/cp/cef20c313b"' myhostbehindbastion.example.org 'dd of=/root/.ansible/tmp/ansible-tmp-1680254611.5013845-161951-50064555706425/AnsiballZ_stat.py bs=65536'
<myhostbehindbastion.example.org> (0, b'', b'2+1 records in\n2+1 records out\n132977 bytes (133 kB, 130 KiB) copied, 0.000414307 s, 321 MB/s\n')
<myhostbehindbastion.example.org> (0, b'', b'2+1 records in\n2+1 records out\n132977 bytes (133 kB, 130 KiB) copied, 0.000414307 s, 321 MB/s\n')

Note that I have not activated pipelining as it can conflict with some of our roles using the become option in a task.

I also tried with the ANSIBLE_DEBUG=1 env var, and I can see the help output of the bastion:

162281 1680254927.51801: Sending initial data
162281 1680254927.51815: Sent initial data (165 bytes)
162281 1680254928.21564: stderr chunk (state=3):
>>>
The Bastion v3.10.00 quick usage examples:

    Connect to a server:              bastion [email protected]
    Run a command on a server:        bastion [email protected] -- uname -a

    List the osh commands:            bastion --osh help
    Help on a specific osh command:   bastion --osh OSH_COMMAND --help
    Enter interactive mode for osh:   bastion -i

    Get more complete help:           bastion --long-help

Received message too long 458961713
Ensure the remote shell produces no output for non-interactive sessions.
<<<
162281 1680254928.21632: stdout chunk (state=3):
>>><<<
162281 1680254928.22278: stderr chunk (state=3):
>>><<<
[WARNING]: sftp transfer mechanism failed on [myhostbehindbastion.example.org]. Use ANSIBLE_DEBUG=1 to see detailed information
162281 1680254928.22385: 
162281 1680254928.22392: 
The Bastion v3.10.00 quick usage examples:

    Connect to a server:              bastion [email protected]
    Run a command on a server:        bastion [email protected] -- uname -a

    List the osh commands:            bastion --osh help
    Help on a specific osh command:   bastion --osh OSH_COMMAND --help
    Enter interactive mode for osh:   bastion -i

    Get more complete help:           bastion --long-help

Received message too long 458961713
Ensure the remote shell produces no output for non-interactive sessions.
162281 1680254928.36863: stderr chunk (state=2):
>>>scp: Connection closed
<<<
162281 1680254928.36894: stderr chunk (state=3):
>>><<<
162281 1680254928.36898: stdout chunk (state=3):
>>><<<
[WARNING]: scp transfer mechanism failed on [myhostbehindbastion.example.org]. Use ANSIBLE_DEBUG=1 to see detailed information
162281 1680254928.36938: 
162281 1680254928.36941: scp: Connection closed

It looks like the command sent to the bastion is not the right one.

from the-bastion-ansible-wrapper.

Krenodeno commented on September 7, 2024

I may have a source of the bug:

In scpwrapper.py, line 29:
elif e == "-o" and argv[i + 1].startswith("User="):
In the ansible output, I see -o 'User="root"'

This condition might be skipped, because it doesn't match the " with '.

from the-bastion-ansible-wrapper.

Krenodeno commented on September 7, 2024

mmh, no, forget it, totally okay there

from the-bastion-ansible-wrapper.
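
The quoting question raised in the two comments above, as an added example (not code from scpwrapper.py or from the thread): splitting the logged `SSH: EXEC` line the way a shell would removes the single quotes, leaving the argument `User="root"`, which `startswith("User=")` matches. `extract_user`, `split_target` and `parse_logged_command` are hypothetical helpers, and the sample command is condensed from the log above with shortened paths.

```python
import shlex

# Constructed sample: the scp EXEC line from the -vvv output above, reduced to
# a few options (paths shortened).
LOGGED = (
    "extra/bastion/scpbastion.sh -C -o ControlMaster=auto "
    "-o 'User=\"root\"' -o ConnectTimeout=10 /tmp/src "
    "'[myhostbehindbastion.example.org]:/tmp/dst'"
)


def extract_user(argv):
    """Hypothetical helper: value of `-o User=...`, or None if absent."""
    for i, arg in enumerate(argv[:-1]):
        # Same test as the quoted line 29 of scpwrapper.py.
        if arg == "-o" and argv[i + 1].startswith("User="):
            # The double quotes are part of the argument itself; drop them.
            return argv[i + 1][len("User="):].strip('"')
    return None


def split_target(arg):
    """Hypothetical helper: split scp's '[host]:path' or 'host:path'."""
    if arg.startswith("["):
        host, _, rest = arg[1:].partition("]")
        return (host, rest[1:]) if rest.startswith(":") else None
    host, sep, path = arg.partition(":")
    return (host, path) if sep and "/" not in host else None


def parse_logged_command(line):
    """Return (user, host, remote_path) from a logged scp command line."""
    argv = shlex.split(line)  # removes the single quotes shown in the log
    user = extract_user(argv)
    targets = [t for t in map(split_target, argv[1:]) if t]
    host, path = targets[-1] if targets else (None, None)
    return user, host, path


if __name__ == "__main__":
    print(parse_logged_command(LOGGED))
```

If the single quotes were literally part of the argument, the `startswith("User=")` test would not match and the user would be missed.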

Krenodeno commented on September 7, 2024

@jriouovh Hi, if I can assist you with anything with regard to this issue, let me know, I'll help as much as I can.

from the-bastion-ansible-wrapper.

Krenodeno commented on September 7, 2024

Update:

  • We upgraded The Bastion from 3.10 to 3.12
  • I launched an ansible deployment with ANSIBLE_DEBUG=1 and saw this:
 18015 1688648460.81423: Sending initial data
 18015 1688648460.81465: Sent initial data (162 bytes)
 18015 1688648460.82377: stderr chunk (state=3):
>>>exec: extra/bastion/sftpwrapper.py: Permission denied
<<<
 18015 1688648460.82403: stderr chunk (state=3):
>>>Connection closed
<<<
 18015 1688648460.82413: stderr chunk (state=3):
>>><<<
 18015 1688648460.82417: stdout chunk (state=3):
>>><<<
[WARNING]: sftp transfer mechanism failed on [myserver.example.com]. Use ANSIBLE_DEBUG=1 to see detailed information
 18015 1688648460.82463:
 18015 1688648460.82465: exec: extra/bastion/sftpwrapper.py: Permission denied
Connection closed
 18015 1688648460.95284: stderr chunk (state=2):
>>>scp: Connection closed
<<<
 18015 1688648460.95314: stderr chunk (state=3):
>>><<<
 18015 1688648460.95330: stdout chunk (state=3):
>>><<<
[WARNING]: scp transfer mechanism failed on [myserver.example.com]. Use ANSIBLE_DEBUG=1 to see detailed information
 18015 1688648460.95369:
 18015 1688648460.95370: scp: Connection closed
  • So I ran chmod +x extra/bastion/sftpwrapper.py and reran ansible again:
 18944 1688648937.75379: Sending initial data
 18944 1688648937.75385: Sent initial data (161 bytes)
 18944 1688648938.80904: stderr chunk (state=3):
>>>
Sorry, but even if you have ssh access to [email protected]:22, you still need to be granted specifically for sftp
<<<
 18944 1688648938.81316: stderr chunk (state=3):
>>>Connection closed
<<<
 18944 1688648938.81368: stderr chunk (state=3):
>>><<<
 18944 1688648938.81407: stdout chunk (state=3):
>>><<<
[WARNING]: sftp transfer mechanism failed on [myserver.example.com]. Use ANSIBLE_DEBUG=1 to see detailed information
 18944 1688648938.81517:
 18944 1688648938.81521:
Sorry, but even if you have ssh access to [email protected]:22, you still need to be granted specifically for sftp
Connection closed
 18944 1688648938.97396: stderr chunk (state=2):
>>>scp: Connection closed
<<<
 18944 1688648938.97414: stderr chunk (state=3):
>>><<<
 18944 1688648938.97424: stdout chunk (state=3):
>>><<<
[WARNING]: scp transfer mechanism failed on [myserver.example.com]. Use ANSIBLE_DEBUG=1 to see detailed information
 18944 1688648938.97444:
 18944 1688648938.97445: scp: Connection closed

Note the exact same error message from SFTP and SCP methods.

Both errors go away when I grant SFTP permission in our bastion, but both errors still show when a host only has SCP (up & down) granted.

from the-bastion-ansible-wrapper.
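
A triage sketch for the ANSIBLE_DEBUG output quoted in this thread, added here as an example and not part of the original comments or the project's code: it maps the stderr messages seen above to a cause, decodes the bogus sftp "length" back into the bytes the peer actually sent, and flags scp `EXEC` lines that lack `-O`, the option listed for OpenSSH >= 9.0 in the first comment's configuration. The sample log is constructed from the quoted output; host and account names are placeholders.

```python
import re
import shlex

# Constructed sample, condensed from the ANSIBLE_DEBUG output in this thread
# (host name and account are placeholders).
SAMPLE = """\
<host.example> SSH: EXEC extra/bastion/scpbastion.sh -C -o ConnectTimeout=10 /tmp/src '[host.example]:/tmp/dst'
>>>exec: extra/bastion/sftpwrapper.py: Permission denied
Received message too long 458961713
Sorry, but even if you have ssh access to root@host.example:22, you still need to be granted specifically for sftp
>>>scp: Connection closed
"""

PATTERNS = [
    (re.compile(r"exec: (\S+): Permission denied"), "wrapper not executable: {}"),
    (re.compile(r"need to be granted specifically for (\w+)"), "bastion grant missing: {}"),
]


def decode_length(n):
    """The 'length' sftp complains about is the first 4 bytes the peer sent."""
    return n.to_bytes(4, "big")


def triage(log):
    """Return a list of findings, in the order the lines appear."""
    findings = []
    for line in log.splitlines():
        for rx, msg in PATTERNS:
            m = rx.search(line)
            if m:
                findings.append(msg.format(m.group(1)))
        m = re.search(r"Received message too long (\d+)", line)
        if m:
            raw = decode_length(int(m.group(1)))
            findings.append(f"peer sent text, not SFTP; first bytes {raw!r}")
        if "SSH: EXEC" in line:
            argv = shlex.split(line.split("SSH: EXEC", 1)[1])
            # Assumption: the scp wrapper's name contains "scp", as in the thread.
            if "scp" in argv[0] and "-O" not in argv:
                findings.append("scp invoked without -O (SFTP protocol on OpenSSH >= 9.0)")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

458961713 is 0x1B5B3331, the bytes ESC `[31`, which is the start of an ANSI colour sequence and consistent with the bastion help text arriving on the channel. Since OpenSSH 9.0, `scp` without `-O` uses the SFTP protocol.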
