Use Ansible to backup Cisco config files and upload to git cloud II

Here are some notes from troubleshooting Ansible when it connects to a host and updates the git cloud repository:

Error 1:
{“msg”: “paramiko: The authenticity of host ‘x.x.x.x’ can’t be established.\nThe ssh-rsa key fingerprint is bcdd81ef9ae960bc3c6d2c93d2f3eef5.”}

This error happens when the host is not listed in the server's known_hosts file for SSH connections. The Ansible server has never accessed this host before, so it has no record of that host's fingerprint.

This can be solved by manually connecting to that host with ssh and confirming the fingerprint, so that the host is added to the known_hosts file. Alternatively, we can use the ansible.cfg file to disable the fingerprint check.

ansible.cfg is not created by default if you install Ansible via pip, which is exactly what I did, so by default the ansible.cfg file does not exist:

$ ansible --version
ansible 2.8.6
config file = no
configured module search path = [u'/home/yinche/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python2.7/site-packages/ansible
executable location = /usr/bin/ansible
python version = 2.7.5 (default, Aug 7 2019, 00:51:29) [GCC 4.8.5 20150623 (Red Hat 4.8.5-39)]

But you can manually create the folder “ansible” and the file “ansible.cfg” under the path /etc. After that, the file will be listed as below:

$ ansible --version
ansible 2.8.6
config file = /etc/ansible/ansible.cfg
configured module search path = [u'/home/yinche/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python2.7/site-packages/ansible
executable location = /usr/bin/ansible
python version = 2.7.5 (default, Aug 7 2019, 00:51:29) [GCC 4.8.5 20150623 (Red Hat 4.8.5-39)]

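Here is an example of the file “ansible.cfg”. In particular, we may uncomment the following setting to disable SSH host key checking. With it disabled, Ansible accepts whatever key a host presents, so a changed or spoofed host key is no longer detected: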
#host_key_checking = False

Error 2:
fatal: [hostname]: FAILED! => {“changed”: false, “cmd”: [“/usr/bin/git”, “fetch”, “origin”],”msg”: “Failed to download remote objects and refs: Host key verification failed.\r\nfatal: Could not read from remote repository.\n\nPlease make sure you have the correct access rights

This is basically the same problem as the one above, only this time the message shows that the git server is not listed in known_hosts on the Ansible server. The solution could again be to:
manually log in to the git server with ssh and confirm the key fingerprint:

The authenticity of host 'domain.com (a.b.c.d)' can't be established.
RSA key fingerprint is XX:XX:...:XX.
Are you sure you want to continue connecting (yes/no)?

Or, append GitHub to the list of known hosts:

ssh-keyscan -H github.com >> ~/.ssh/known_hosts
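
Both shortcuts above (host_key_checking = False and a bare ssh-keyscan append) trust whatever key the network returns. The following is an added example, not code from the original post: it filters ssh-keyscan output so that only keys matching a fingerprint obtained out of band are kept for known_hosts, accepting both the plain MD5 hex form shown in Error 1 and the SHA256 form. It assumes ssh-keyscan was run without -H so entries can be matched by host; the function names, addresses and sample keys are constructed for illustration.

```python
import base64
import hashlib
import struct

def fingerprints(key_b64):
    """Return (md5_hex, sha256) fingerprints of a base64 SSH public key blob."""
    blob = base64.b64decode(key_b64, validate=True)
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return hashlib.md5(blob).hexdigest(), "SHA256:" + sha

def normalize(fp):
    """Reduce 'bc:dd:..', 'bcdd..', 'MD5:bc:dd..' or 'SHA256:..' to one form."""
    fp = fp.strip()
    if fp.startswith("SHA256:"):
        return fp.rstrip("=")
    if fp.upper().startswith("MD5:"):
        fp = fp[4:]
    return fp.replace(":", "").lower()

def vet_keyscan(scan_output, pinned):
    """Keep only 'host keytype key' lines whose key matches the pinned fingerprint."""
    accepted = []
    for line in scan_output.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        host, _keytype, key_b64 = fields[:3]
        try:
            candidates = fingerprints(key_b64)
        except ValueError:  # not valid base64, so not a key line
            continue
        if host in pinned and normalize(pinned[host]) in candidates:
            accepted.append(line)
    return accepted

def sample_key(modulus):
    """Constructed ssh-rsa blob for the demo; not a real host key."""
    def field(b):
        return struct.pack(">I", len(b)) + b
    return base64.b64encode(field(b"ssh-rsa") + field(b"\x01\x00\x01") + field(modulus)).decode()

GOOD, ROGUE = sample_key(b"\x00" + b"\xa5" * 256), sample_key(b"\x00" + b"\x5a" * 256)
SCAN = f"192.0.2.10 ssh-rsa {GOOD}\n192.0.2.11 ssh-rsa {ROGUE}\n# comment\n"
PINNED = {  # constructed here; in practice read from each device's console
    "192.0.2.10": ":".join(fingerprints(GOOD)[0][i:i + 2] for i in range(0, 32, 2)),
    "192.0.2.11": fingerprints(GOOD)[1],  # the scan returned a different key
}

print(*vet_keyscan(SCAN, PINNED), sep="\n")  # only the 192.0.2.10 line survives
```

Only the lines this returns should be appended to ~/.ssh/known_hosts; a host that is dropped needs its key investigated rather than accepted.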

Error 3:
fatal: [hostname]: FAILED! => {“changed”: false, “cmd”: [“/usr/bin/git”, “fetch”, “origin”], “msg”: “Failed to download remote objects and refs: error: cannot open .git/FETCH_HEAD: Permission denied\n\n”}

This permission denied error was caused by failed login authentication. In this case I am using an SSH public key to authenticate myself when trying to pull the repository from GitHub, but my public key is not stored on the GitHub server. This can be solved by using ssh-keygen to create a public/private key pair on the Ansible server and uploading the public key to GitHub for SSH authentication.

Vault encryption:
Here is a good introduction to vault encryption.
Some useful commands:

1, Encrypt a file:

$ ansible-vault encrypt group_vars/creds.yml
> New Vault password:
> Confirm New Vault password:
> Encryption successful

2, Save the vault password in a file: create a file and put the password in it

3, Run ansible-playbook and have it ask for the vault password:

$ ansible-playbook --ask-vault-pass -i hosts backup.yaml

It will prompt for the vault password.

4, Run ansible-playbook using a vault password file:

$ ansible-playbook --vault-password-file=vault_password -i inventory_file some_playbook.yml
