Bug #1986708 “Ansible ssh connection errors in opendev jobs” : Bugs : tripleo

Rafael Castillo (rafaelcastillo) on 2022-08-16

tags:

added: promotion-blocker

Revision history for this message

Douglas Viroel (dviroel) wrote on 2022-08-17:

#1

Related patch: https://review.opendev.org/c/openstack/project-config/+/853536

Revision history for this message

Sandeep Yadav (sandeepyadav93) wrote on 2022-08-18:

#2

Seen again today in Gate job:-

https://storage.bhs.cloud.ovh.net/v1/AUTH_dcaab5e32b234d56b626f72581e3644c/zuul_opendev_logs_649/852532/5/gate/tripleo-ci-centos-9-content-provider/649da27/job-output.txt
~~~
2022-08-18 01:14:06.982440 | primary | failed: [undercloud] (item=quay.io/prometheus/node-exporter:v1.3.1) => {"ansible_loop_var": "item", "item": "quay.io/prometheus/node-exporter:v1.3.1", "msg": "Failed to connect to the host via ssh: kex_exchange_identification: Connection closed by remote host\r\nConnection closed by 127.0.0.2 port 22", "unreachable": true}
~~~

Revision history for this message

Cédric Jeanneret (cjeanner) wrote on 2022-08-18:

#3

Download full text (7.9 KiB)

Seen today as well in this job:
https://review.opendev.org/c/openstack/tripleo-ansible/+/853252

https://zuul.opendev.org/t/openstack/build/c6e5b64b5a4940a08ca751b50ac9e6c9
fatal: [subnode-1]: UNREACHABLE! => {"changed": false, "msg": "Failed to connect to the host via ssh: kex_exchange_identification: read: Connection reset by peer\r\nConnection reset by 10.209.128.68 port 22", "unreachable": true}

If we compare to the time we see this error in the log (Thursday 18 August 2022 09:32:46 +0000) we can frame this in the journald:
Aug 18 09:32:45 centos-9-stream-rax-dfw-0030762605 sshd[135791]: Accepted publickey for zuul from 10.209.39.69 port 54484 ssh2: RSA SHA256:ZF9fnpKktgsD1qskSaOryoa9rBiFv0AhNYxlCxB1S/s
Aug 18 09:32:45 centos-9-stream-rax-dfw-0030762605 systemd-logind[704]: New session 128 of user zuul.
Aug 18 09:32:45 centos-9-stream-rax-dfw-0030762605 systemd[1]: Started Session 128 of User zuul.
Aug 18 09:32:45 centos-9-stream-rax-dfw-0030762605 sshd[135791]: pam_unix(sshd:session): session opened for user zuul(uid=1000) by (uid=0)
Aug 18 09:32:45 centos-9-stream-rax-dfw-0030762605 sudo[135828]: zuul : TTY=pts/0 ; PWD=/home/zuul ; USER=root ; COMMAND=/bin/sh -c echo BECOME-SUCCESS-igauwcvpqfxxcpaxhwapjcrsfscqvxhe ; /usr/libexec/platform-python /home/zuul/.ansible/tmp/ansible-tmp-1660815163.318697-128609-249815272917366/AnsiballZ_file.py
Aug 18 09:32:45 centos-9-stream-rax-dfw-0030762605 sudo[135828]: pam_unix(sudo:session): session opened for user root(uid=0) by zuul(uid=1000)
Aug 18 09:32:45 centos-9-stream-rax-dfw-0030762605 systemd[1]: Started /usr/bin/podman healthcheck run d1a62b77bec9a31ba7325592b4f2c8b70ce6f8120d079776e0d70dbf1521e88a.
Aug 18 09:32:45 centos-9-stream-rax-dfw-0030762605 systemd[1]: tmp-crun.FzxKF6.mount: Deactivated successfully.
Aug 18 09:32:45 centos-9-stream-rax-dfw-0030762605 podman[135830]: 2022-08-18 09:32:45.939338182 +0000 UTC m=+0.098918338 container exec d1a62b77bec9a31ba7325592b4f2c8b70ce6f8120d079776e0d70dbf1521e88a (image=192.168.24.1:8787/tripleomastercentos9/openstack-nova-compute:80afe6f3cedeea3f67fa00bebbd52e52, name=nova_migration_target, container_name=nova_migration_target, com.redhat.component=ubi9-container, version=9.0.0, config_id=tripleo_step4, release=1604, url=https://access.redhat.com/containers/#/registry.access.redhat.com/ubi9/images/9.0.0-1604, build-date=2022-08-02T22:00:29.261592, io.openshift.expose-services=, io.buildah.version=1.26.4, vendor=Red Hat, Inc., summary=Provides the latest release of Red Hat Universal Base Image 9., config_data={'environment': {'KOLLA_CONFIG_STRATEGY': 'COPY_ALWAYS', 'TRIPLEO_CONFIG_HASH': '26b74d0c5605283ac83ca9f732ef69b1'}, 'healthcheck': {'test': '/openstack/healthcheck'}, 'image': '192.168.24.1:8787/tripleomastercentos9/openstack-nova-compute:80afe6f3cedeea3f67fa00bebbd52e52', 'net': 'host', 'privileged': True, 'restart': 'always', 'user': 'root', 'volumes': ['/etc/hosts:/etc/hosts:ro', '/etc/localtime:/etc/localtime:ro', '/etc/pki/ca-trust/extracted:/etc/pki/ca-trust/extracted:ro', '/etc/pki/ca-trust/source/anchors:/etc/pki/ca-trust/source/anchors:ro', '/etc/pki/tls/certs/ca-bundle.crt:/etc/pki/tls/certs/ca-bundle.crt:ro', '/etc/pki/tls/ce...

Seen today as well in this job:
https://review.opendev.org/c/openstack/tripleo-ansible/+/853252

https://zuul.opendev.org/t/openstack/build/c6e5b64b5a4940a08ca751b50ac9e6c9
fatal: [subnode-1]: UNREACHABLE! => {"changed": false, "msg": "Failed to connect to the host via ssh: kex_exchange_identification: read: Connection reset by peer\r\nConnection reset by 10.209.128.68 port 22", "unreachable": true}

If we compare to the time we see this error in the log (Thursday 18 August 2022  09:32:46 +0000) we can frame this in the journald:
Aug 18 09:32:45 centos-9-stream-rax-dfw-0030762605 sshd[135791]: Accepted publickey for zuul from 10.209.39.69 port 54484 ssh2: RSA SHA256:ZF9fnpKktgsD1qskSaOryoa9rBiFv0AhNYxlCxB1S/s
Aug 18 09:32:45 centos-9-stream-rax-dfw-0030762605 systemd-logind[704]: New session 128 of user zuul.
Aug 18 09:32:45 centos-9-stream-rax-dfw-0030762605 systemd[1]: Started Session 128 of User zuul.
Aug 18 09:32:45 centos-9-stream-rax-dfw-0030762605 sshd[135791]: pam_unix(sshd:session): session opened for user zuul(uid=1000) by (uid=0)
Aug 18 09:32:45 centos-9-stream-rax-dfw-0030762605 sudo[135828]:     zuul : TTY=pts/0 ; PWD=/home/zuul ; USER=root ; COMMAND=/bin/sh -c echo BECOME-SUCCESS-igauwcvpqfxxcpaxhwapjcrsfscqvxhe ; /usr/libexec/platform-python /home/zuul/.ansible/tmp/ansible-tmp-1660815163.318697-128609-249815272917366/AnsiballZ_file.py
Aug 18 09:32:45 centos-9-stream-rax-dfw-0030762605 sudo[135828]: pam_unix(sudo:session): session opened for user root(uid=0) by zuul(uid=1000)
Aug 18 09:32:45 centos-9-stream-rax-dfw-0030762605 systemd[1]: Started /usr/bin/podman healthcheck run d1a62b77bec9a31ba7325592b4f2c8b70ce6f8120d079776e0d70dbf1521e88a.
Aug 18 09:32:45 centos-9-stream-rax-dfw-0030762605 systemd[1]: tmp-crun.FzxKF6.mount: Deactivated successfully.
Aug 18 09:32:45 centos-9-stream-rax-dfw-0030762605 podman[135830]: 2022-08-18 09:32:45.939338182 +0000 UTC m=+0.098918338 container exec d1a62b77bec9a31ba7325592b4f2c8b70ce6f8120d079776e0d70dbf1521e88a (image=192.168.24.1:8787/tripleomastercentos9/openstack-nova-compute:80afe6f3cedeea3f67fa00bebbd52e52, name=nova_migration_target, container_name=nova_migration_target, com.redhat.component=ubi9-container, version=9.0.0, config_id=tripleo_step4, release=1604, url=https://access.redhat.com/containers/#/registry.access.redhat.com/ubi9/images/9.0.0-1604, build-date=2022-08-02T22:00:29.261592, io.openshift.expose-services=, io.buildah.version=1.26.4, vendor=Red Hat, Inc., summary=Provides the latest release of Red Hat Universal Base Image 9., config_data={'environment': {'KOLLA_CONFIG_STRATEGY': 'COPY_ALWAYS', 'TRIPLEO_CONFIG_HASH': '26b74d0c5605283ac83ca9f732ef69b1'}, 'healthcheck': {'test': '/openstack/healthcheck'}, 'image': '192.168.24.1:8787/tripleomastercentos9/openstack-nova-compute:80afe6f3cedeea3f67fa00bebbd52e52', 'net': 'host', 'privileged': True, 'restart': 'always', 'user': 'root', 'volumes': ['/etc/hosts:/etc/hosts:ro', '/etc/localtime:/etc/localtime:ro', '/etc/pki/ca-trust/extracted:/etc/pki/ca-trust/extracted:ro', '/etc/pki/ca-trust/source/anchors:/etc/pki/ca-trust/source/anchors:ro', '/etc/pki/tls/certs/ca-bundle.crt:/etc/pki/tls/certs/ca-bundle.crt:ro', '/etc/pki/tls/certs/ca-bundle.trust.crt:/etc/pki/tls/certs/ca-bundle.trust.crt:ro', '/etc/pki/tls/cert.pem:/etc/pki/tls/cert.pem:ro', '/dev/log:/dev/log', '/etc/puppet:/etc/puppet:ro', '/var/lib/kolla/config_files/nova-migration-target.json:/var/lib/kolla/config_files/config.json:ro', '/var/lib/config-data/puppet-generated/nova_libvirt:/var/lib/kolla/config_files/src:ro', '/etc/ssh:/host-ssh:ro', '/run/libvirt:/run/libvirt:shared,z', '/var/lib/nova:/var/lib/nova:shared']}, description=The Universal Base Image is designed and engineered to be the base layer for all of your containerized applications, middleware and utilities. This base image is freely redistributable, but Red Hat only supports Red Hat technologies through subscriptions for Red Hat products. This image is maintained by Red Hat and updated regularly., vcs-ref=feeb37c0babd21fde366517b0e3d245d1f9c9b44, com.redhat.license_terms=https://www.redhat.com/en/about/red-hat-end-user-license-agreements#UBI, architecture=x86_64, io.openshift.tags=base rhel9, maintainer=OpenStack TripleO team, distribution-scope=public, io.k8s.description=The Universal Base Image is designed and engineered to be the base layer for all of your containerized applications, middleware and utilities. This base image is freely redistributable, but Red Hat only supports Red Hat technologies through subscriptions for Red Hat products. This image is maintained by Red Hat and updated regularly., io.k8s.display-name=Red Hat Universal Base Image 9, managed_by=tripleo_ansible, tcib_managed=true, vcs-type=git, com.redhat.build-host=cpt-1005.osbs.prod.upshift.rdu2.redhat.com, name=ubi9)
Aug 18 09:32:46 centos-9-stream-rax-dfw-0030762605 ansible-file[135831]: Invoked with path=/var/log/extra state=directory mode=511 recurse=False force=False follow=True modification_time_format=%Y%m%d%H%M.%S access_time_format=%Y%m%d%H%M.%S unsafe_writes=False _original_basename=None _diff_peek=None src=None modification_time=None access_time=None owner=None group=None seuser=None serole=None selevel=None setype=None attributes=None
Aug 18 09:32:46 centos-9-stream-rax-dfw-0030762605 sudo[135828]: pam_unix(sudo:session): session closed for user root
Aug 18 09:32:46 centos-9-stream-rax-dfw-0030762605 sshd[135794]: Received disconnect from 10.209.39.69 port 54484:11: disconnected by user
Aug 18 09:32:46 centos-9-stream-rax-dfw-0030762605 sshd[135794]: Disconnected from user zuul 10.209.39.69 port 54484
Aug 18 09:32:46 centos-9-stream-rax-dfw-0030762605 sshd[135791]: pam_unix(sshd:session): session closed for user zuul
Aug 18 09:32:46 centos-9-stream-rax-dfw-0030762605 systemd[1]: session-128.scope: Deactivated successfully.
Aug 18 09:32:46 centos-9-stream-rax-dfw-0030762605 systemd-logind[704]: Session 128 logged out. Waiting for processes to exit.
Aug 18 09:32:46 centos-9-stream-rax-dfw-0030762605 systemd-logind[704]: Removed session 128.
Aug 18 09:32:46 centos-9-stream-rax-dfw-0030762605 kernel: IN=enX1 OUT= MAC=bc:76:4e:04:39:71:18:8b:45:d9:71:41:08:00 SRC=10.209.39.69 DST=10.209.128.68 LEN=60 TOS=0x08 PREC=0x40 TTL=61 ID=8666 DF PROTO=TCP SPT=54486 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0 
Aug 18 09:32:46 centos-9-stream-rax-dfw-0030762605 sshd[135854]: Accepted publickey for zuul from 10.209.39.69 port 54502 ssh2: RSA SHA256:ZF9fnpKktgsD1qskSaOryoa9rBiFv0AhNYxlCxB1S/s
Aug 18 09:32:46 centos-9-stream-rax-dfw-0030762605 systemd-logind[704]: New session 129 of user zuul.
Aug 18 09:32:46 centos-9-stream-rax-dfw-0030762605 systemd[1]: Started Session 129 of User zuul.
Aug 18 09:32:46 centos-9-stream-rax-dfw-0030762605 sshd[135854]: pam_unix(sshd:session): session opened for user zuul(uid=1000) by (uid=0)
Aug 18 09:32:46 centos-9-stream-rax-dfw-0030762605 sshd[135857]: Received disconnect from 10.209.39.69 port 54502:11: disconnected by user
Aug 18 09:32:46 centos-9-stream-rax-dfw-0030762605 sshd[135857]: Disconnected from user zuul 10.209.39.69 port 54502
Aug 18 09:32:46 centos-9-stream-rax-dfw-0030762605 sshd[135854]: pam_unix(sshd:session): session closed for user zuul
Aug 18 09:32:46 centos-9-stream-rax-dfw-0030762605 systemd[1]: session-129.scope: Deactivated successfully.
Aug 18 09:32:46 centos-9-stream-rax-dfw-0030762605 systemd-logind[704]: Session 129 logged out. Waiting for processes to exit.
Aug 18 09:32:46 centos-9-stream-rax-dfw-0030762605 systemd-logind[704]: Removed session 129.

If we take the audit.log.1[1] in parallel, and pass it through `ausearch -if audit.log.1 | grep -A1 ":32:46" | grep -v success' :
time->Thu Aug 18 11:32:46 2022
type=LOGIN msg=audit(1660815166.265:21068): pid=135854 uid=0 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 old-auid=4294967295 auid=1000 tty=(none) old-ses=4294967295 ses=129 res=1

apparently, there's a tiny issue here. No idea where to look deeper, but that may have something to do with the amount/speed of ssh connection spawing.. ?

Revision history for this message

Rabi Mishra (rabi) wrote on 2022-08-22:

#5

The fact that we've started to see it lately, is it related to some iptables/nftables related changes? It can't ssh to localhost (loopback address).

Revision history for this message

Cédric Jeanneret (cjeanner) wrote on 2022-08-24:

#6

Nope, not that I know at least - not for nftables (still not used as default). As for iptables, I didn't see any DROPPED logs in the journald content (this is the location with that one).

Apparently, it's more due to scans and other things taking resources. We may be able to play with limit/burst on the firewall to limit the impact of bots - though it's of course far from perfect...

But with current master (and other branches), it's still iptables, still the old way.

Douglas Viroel (dviroel) on 2022-08-26

Changed in tripleo:
status:	Triaged → Fix Released

tripleo

Ansible ssh connection errors in opendev jobs

Bug Description

Other bug subscribers

Remote bug watches