
Ansible Remote Execution Is Not Honoring SSH User From Advanced Fields in Job Template

    • Bug Fix
      .Ansible jobs use the *SSH User* field from *Advanced fields*

      Previously, the Ansible provider for remote execution ignored the *SSH User* field of the *Advanced fields* inputs from the job wizard.
      The `foreman_ansible` component has been fixed to use the value of *SSH User* as the Ansible user.
      As a result, the Ansible provider uses this value correctly.
    • Done
    • None
    • No

      Description of problem:

      When using Ansible based Remote Execution, the option to change the "SSH user" from the "Advanced fields" section of a job template is not being honored.

      This works as expected with regular ssh remote execution.

      Version-Release number of selected component (if applicable):
      Red Hat Satellite 6.14

      How reproducible:
      always

      Steps to Reproduce:
      1. Set ssh_user and effective_user to root from the "Administer => Settings", "Remote Execution" tab
      2. On the Hosts page, select a host, and run "Schedule Remote Job"
      3. Select job category "Ansible Playbook" and Job Template "Ansible Roles - Ansible Default"
      4. From the Advanced Fields, select "SSH User" to a non-root user (a user that exists on the client, and the foreman-proxy public key has been shared with)

      Actual results:

      From the /var/log/secure logs on the client, we see the ssh connection to the client is using the root user, and not the non-root user we selected in the Advanced Fields for "SSH User"

      Expected results:

      The "SSH user" selected in the Advanced Fields of the Job Template should be used.

      Additional info:

      WORKAROUND:

      If we set the "remote_execution_ssh_user" parameter on the host, it will be honored for Ansible REX. Or if we set the "remote_execution_ssh_user" on a hostgroup and assign it to the host, the parameter will be honored for Ansible REX.

      NOTE:

      The "Effective user" IS being honored from the "Advanced fields" in the job template. It is only the "SSH user" that is not being honored.

            [SAT-23947] Ansible Remote Execution Is Not Honoring SSH User From Advanced Fields in Job Template

            Errata Tool added a comment -

            Since the problem described in this issue should be resolved in a recent advisory, it has been closed.

            For information on the advisory (Critical: Satellite 6.16.0 release), and where to find the updated files, follow the link below.

            If the solution does not work for you, open a new bug report.
            https://access.redhat.com/errata/RHSA-2024:8906


            Eric Helms added a comment -

            This BZ has been automatically migrated to the issues.redhat.com Red Hat Issue Tracker. All future work related to this report will be managed there.

            Due to differences in account names between systems, some fields were not replicated. Be sure to add yourself to Jira issue's "Watchers" field to continue receiving updates and add others to the "Need Info From" field to continue requesting information.

            To find the migrated issue, look in the "Links" section for a direct link to the new issue location. The issue key will have an icon of 2 footprints next to it, and begin with "SAT-" followed by an integer. You can also find this issue by visiting https://issues.redhat.com/issues/?jql= and searching the "Bugzilla Bug" field for this BZ's number, e.g. a search like:

            "Bugzilla Bug" = 1234567

            In the event you have trouble locating or viewing this issue, you can file an issue by sending mail to rh-issues@redhat.com. You can also visit https://access.redhat.com/articles/7032570 for general account information.


            Nofar Alfassi added a comment -

            I can verify that configuring the "SSH user" and the "Effective user" within the Advanced Fields of the Job Template functions correctly. However, the provided values for the "SSH password" and the "Effective user password" in the Advanced Fields of the Job Template do not work as expected.

            Please note that with the recent updates, if the `remote_execution_ssh_user` is defined as a host parameter, it will only be utilized if the "SSH user" is not specified in the Advanced Fields of the Job Template.

            Gaurav Talreja added a comment -

            Verified.

            Tested on Satellite Stream Snap 56.0
            Version: rubygem-foreman_ansible-14.0.0-1.el9sat.noarch

            Steps:
            1. Ensure ssh_user and effective_user are set to root from the "Administer => Settings", "Remote Execution" tab
            2. Register a host, and on the Hosts page, select a host, and run "Schedule Remote Job"
            3. Select job category "Ansible Playbook" and Job Template "Ansible Roles - Ansible Default"
            4. From the Advanced Fields, select "SSH User" to a non-root user (a user that exists on the client, and the foreman-proxy public key has been shared with)
            5. Verify /var/log/secure on the client to check which user the SSH connection is using

            OR
            3. Use the "Ansible Playbook - Ansible Run Playbook" job with the playbook below to validate ansible_user:

            - name: Verify Ansible user
              hosts: all
              gather_facts: false
              tasks:
                # Print the user Ansible connects as
                - name: Display Ansible user
                  debug:
                    msg: "Ansible is running as user {{ ansible_user }}"

            4. From the Advanced Fields, select "SSH User" to a non-root user, check stdout for the executed job and verify /var/log/secure on the client.

            Observation:
            The "SSH user" selected in the Advanced Fields of the Job Template is used correctly
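            The /var/log/secure check used in the reproduction and verification steps, as an added example that is not part of the issue or of any Red Hat code. The address 192.0.2.10 (standing in for the Satellite or Capsule that runs foreman-proxy), the user rexuser and the log lines are constructed.

```shell
#!/bin/sh
# Added example: which accounts accepted SSH logins from the remote execution
# proxy? Run on the client against /var/log/secure after the job finishes.

# Constructed sshd lines: one job that connected as root (the reported bug),
# one that connected as the non-root "SSH User", plus unrelated noise.
sample_log() {
cat <<'EOF'
Jun 10 12:00:01 client01 sshd[2101]: Accepted publickey for root from 192.0.2.10 port 51234 ssh2: RSA SHA256:CONSTRUCTED
Jun 10 12:05:44 client01 sshd[2140]: Accepted publickey for rexuser from 192.0.2.10 port 51302 ssh2: RSA SHA256:CONSTRUCTED
Jun 10 12:05:50 client01 sshd[2155]: Accepted password for admin from 198.51.100.7 port 40022 ssh2
Jun 10 12:06:02 client01 sshd[2140]: pam_unix(sshd:session): session closed for user rexuser
EOF
}

# accepted_users LOGFILE SOURCE_IP
# Prints "count user method" for every accepted login from SOURCE_IP.
accepted_users() {
    awk -v src="$2" '
        # sshd format: "Accepted <method> for <user> from <ip> port <n> ..."
        / sshd\[[0-9]+\]: Accepted / {
            for (i = 1; i <= NF; i++)
                if ($i == "Accepted" && $(i+2) == "for" &&
                    $(i+4) == "from" && $(i+5) == src)
                    seen[$(i+3) " " $(i+1)]++
        }
        END { for (k in seen) print seen[k], k }
    ' "$1" | sort -k2
}

# rex_used_only LOGFILE SOURCE_IP EXPECTED_USER
# Succeeds only if there was at least one login from SOURCE_IP and every
# such login used EXPECTED_USER (i.e. the job never fell back to root).
rex_used_only() {
    users=$(accepted_users "$1" "$2" | awk '{print $2}' | sort -u)
    [ -n "$users" ] && [ "$users" = "$3" ]
}

# Demo on the constructed sample.
demo_log=$(mktemp)
sample_log > "$demo_log"
accepted_users "$demo_log" 192.0.2.10
rm -f "$demo_log"
```

            On a real client, pass /var/log/secure and the proxy's address; a root entry from that address after selecting a non-root "SSH User" is the behavior this issue describes.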

            Takae Harrington added a comment - - edited

            Customer in 03757734 also reported that the override value for the ssh_user password (password field in the "Advanced fields" section) will not work when he uses "remote_execution_ssh_user" parameter on the host. I confirmed this also with my satellite.

            This seems to leave the only workable solution for Ansible REX with the override value for non-ssh user is to:

            1) "remote_execution_ssh_user" parameter on the host
            2) deploy the ssh key to the non-root user (passwordless ssh)

            Unless there is a different workaround like "remote_execution_ssh_user_password" parameter on the host which I tested and did not work.


              jira-bugzilla-migration RH Bugzilla Integration
              rhn-support-myoder Michael Yoder
              Gaurav Talreja Gaurav Talreja
              Lena Ansorgová Lena Ansorgová