Ceph client role fails when Ceph monitor listens on non-default SSH port
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack-Ansible | Fix Released | Wishlist | Chris Martin | 
Bug Description
Some organizations (including mine) have a security policy that hosts should listen on a non-default SSH port. This causes the ceph_client role to fail, because port 22 is hard-coded in /etc/ansible/
```
# look for 1 ceph monitor host that is up
- name: Verify Ceph monitors are up
  # using netcat instead of wait_for allows checking both the rc and the
  # output; rc is not available using wait_for + failed_when: false.
  # failed_when: false is needed so as not to lose any hosts, as this check
  # expects some to be down.
  # NB: the SSH port (22) is hard-coded here.
  local_action: command nc -w 1 {{ item }} 22
  with_items: "{{ ceph_mons }}"
  changed_when: false
  failed_when: false
  register: ceph_mon_upcheck
```
Instead of netcat we could use the Ansible ping module: http://
Not to be confused with ICMP ping, this checks for SSH connectivity and the existence of Python on the target. It connects using whatever SSH port is defined in ~/.ssh/config (or ansible_port if it's defined for the host in inventory). Then, the following task -- "Set ceph_mon_host to an online monitor host" -- could just set ceph_mon_host to whichever host's ping returned "pong".
If we really want to use netcat, we could variablize the SSH port as something like {{ ceph_mon_ssh_port }}, with default of 22 that the user can override, and document this option. I don't love this solution because I've already defined my SSH port in ~/.ssh/config.
Changed in openstack-ansible:
assignee: nobody → Chris Martin (6-chris-z)

Changed in openstack-ansible:
status: New → In Progress
importance: Undecided → Wishlist
After some testing, I don't actually think the ping module will help. If it can't reach a target via SSH then it aborts playbook execution with a "fatal"/"unreachable" error.
Instead, the following code seems to work for testing SSH reachability. It uses whatever SSH users and ports are defined in ~/.ssh/config, the same way that you override these defaults for OSA overall.
```
- name: Verify Ceph monitors are up
  # ssh honours ~/.ssh/config (and any -p/ansible_port Ansible passes), so no
  # port is hard-coded. BatchMode stops ssh from ever waiting on a prompt and
  # ConnectTimeout keeps a down monitor from blocking the play the way
  # "nc -w 1" bounded the original check.
  local_action: shell ssh -o BatchMode=yes -o ConnectTimeout=5 {{ item }} "echo pong"
  with_items: "{{ ceph_mons }}"
  changed_when: false
  failed_when: false
  register: ceph_mon_upcheck
  tags:
    - ceph-config-create
    - ceph-auth-client-keyrings
    - ceph-auth-nova-libvirt-secret

- name: Set ceph_mon_host to an online monitor host
  set_fact:
    ceph_mon_host: '{{ item.item }}'
  # only a monitor that actually answered over SSH echoes "pong"
  when: item.stdout == 'pong'
  with_items: "{{ ceph_mon_upcheck.results }}"
  tags:
    - ceph-config-create
    - ceph-auth-client-keyrings
    - ceph-auth-nova-libvirt-secret
```
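Added example, not part of this bug report or of the OpenStack-Ansible ceph_client role: a small stand-alone Python port of the "find one reachable monitor" logic that resolves the SSH endpoint the way the bug description asks for (inventory ansible_host/ansible_port first, then the first matching Host block in ~/.ssh/config, then the bare name and port 22) before probing it, instead of hard-coding 22 as the original nc task did. The ssh_config parser is a deliberately minimal one (Host/HostName/Port with first-match-wins and `!` negation), and the ssh_config text, inventory dict, monitor names and addresses are all constructed for the illustration.

```python
"""Port-aware "is a Ceph monitor up?" check (illustrative, not OSA code)."""
import fnmatch
import socket
from typing import Callable, Dict, List, Optional, Sequence, Tuple

Block = Tuple[List[str], Dict[str, str]]

# Constructed sample config for the example; not a real site's ~/.ssh/config.
SAMPLE_SSH_CONFIG = """\
Host mon1
    HostName 10.0.0.11
    Port 2222
Host mon*
    Port 2200
Host *
    User deploy
"""

# Constructed sample inventory host_vars; mon3 relies purely on ssh_config.
SAMPLE_INVENTORY = {
    "mon2": {"ansible_host": "10.0.0.12", "ansible_port": 2299},
    "mon3": {},
}


def parse_ssh_config(text: str) -> List[Block]:
    """Split an ssh_config into (host_patterns, options) blocks in file order.

    Options before any Host line apply to every host ("*"). Within a block the
    first occurrence of an option wins, as in ssh(1).
    """
    blocks: List[Block] = []
    patterns: List[str] = ["*"]
    opts: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            blocks.append((patterns, opts))
            patterns, opts = value.split(), {}
        else:
            opts.setdefault(key, value)
    blocks.append((patterns, opts))
    return blocks


def _host_matches(host: str, patterns: Sequence[str]) -> bool:
    """A pattern list matches if some positive pattern matches and no negated one does."""
    positive = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            positive = True
    return positive


def ssh_config_lookup(blocks: List[Block], host: str, option: str) -> Optional[str]:
    """Value of `option` for `host` under ssh(1)'s first-match-wins rule, or None."""
    for patterns, opts in blocks:
        if option in opts and _host_matches(host, patterns):
            return opts[option]
    return None


def resolve_endpoint(host: str, blocks: List[Block], hostvars: Dict[str, object]) -> Tuple[str, int]:
    """Address and port that `ssh <host>`, as Ansible would invoke it, really connects to.

    Ansible hands ansible_host to ssh as the target name (so Host blocks are
    matched against it) and passes ansible_port on the command line, which
    beats ssh_config. Everything else falls back to ssh_config, then port 22.
    """
    target = str(hostvars.get("ansible_host") or host)
    addr = ssh_config_lookup(blocks, target, "hostname") or target
    port = hostvars.get("ansible_port") or ssh_config_lookup(blocks, target, "port") or 22
    return addr, int(port)


def tcp_probe(addr: str, port: int, timeout: float = 1.0) -> bool:
    """Equivalent of `nc -w 1 addr port`: can a TCP connection be opened?"""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False


def first_online_monitor(
    ceph_mons: Sequence[str],
    blocks: List[Block],
    inventory: Dict[str, Dict[str, object]],
    probe: Callable[[str, int], bool] = tcp_probe,
) -> Optional[str]:
    """First monitor whose resolved SSH endpoint answers (the role's ceph_mon_host), else None."""
    for mon in ceph_mons:
        addr, port = resolve_endpoint(mon, blocks, inventory.get(mon, {}))
        if probe(addr, port):
            return mon
    return None


if __name__ == "__main__":
    cfg = parse_ssh_config(SAMPLE_SSH_CONFIG)
    for name in ("mon1", "mon2", "mon3"):
        print(name, "->", resolve_endpoint(name, cfg, SAMPLE_INVENTORY.get(name, {})))
    # With the constructed 10.0.0.x addresses this just times out and prints None.
    print("online:", first_online_monitor(["mon1", "mon2", "mon3"], cfg, SAMPLE_INVENTORY))
```

The `probe` parameter is injectable so the selection logic can be exercised without touching the network; in a playbook the same resolution would be done by letting ssh itself read the config, which is what the shell-based task above relies on.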