LifeSaver
ansible/ansible

Solvedansible Anisble does not allow handling of "host unreachable" errors

ansible
hacktoberfest
python
dpedu2 posts at
ansible/ansible
dpedu2
91
ISSUE TYPE
  • Bug Report
COMPONENT NAME

Anible core (?)

ANSIBLE VERSION
ansible 2.1.0.0
  config file = /home/ubuntu/my/ansible/ansible.cfg
  configured module search path = ['/home/ubuntu/my/anisble/library/']

I updated to 2.2.0.0 and the behavior is identical.

CONFIGURATION
[defaults]
forks = 100
nocows = 1

[ssh_connection]
ssh_args = -o ConnectTimeout=20 -o ConnectionAttempts=2 -o ForwardAgent=yes -o ServerAliveInterval=10 -o ServerAliveCountMax=300 -o StrictHostKeyChecking=no -F /home/ubuntu/my/ansible/ssh.config

ssh.config contains:

Host *
ServerAliveInterval 10
ServerAliveCountMax 300
TCPKeepAlive yes
StrictHostKeyChecking no
ControlMaster auto
ControlPath ~/.ssh/mux-%r_%h:%p
ControlPersist 1h
ForwardAgent yes
User ubuntu
OS / ENVIRONMENT

N/A

SUMMARY

Ansible does not allow handling of "host unreachable" errors. The following methods of handling errors do not catch "host unreachable" errors and do not allow playbook logic to detect and act upon such situations:

STEPS TO REPRODUCE
  • Use any technique mentioned in ansible's Error Handling doc
  • Hit a temporary 'host unreachable' error on the play
  • The error is not caught or error-handling logic is not triggered.

Attempts to catch the error:

Retries:

    - name: Example step
      shell: whoami
      retries: 10
      register: task_result
      until: task_result|success

Try/catch block:

  - block:
    - name: Example step
      shell: whoami
    rescue:
    - local_action: shell echo do nothing
EXPECTED RESULTS

Host Unreachable errors are handled by the error-handling logic in the playbook

ACTUAL RESULTS

Ansible behaves as if the error-handling logic does not exist.

23 Answers
Share
Original

✔️Accepted Answer

paxsonsa
88

Does anyone else agree we need to revisit how we are handling unreachable errors?

We have a use case where we are using a play to secure our servers. While securing our servers we disable ssh logins with root. If the setup is run again on secured node it will obvious fail because the root user is not permitted for ssh logins.

Our inventory is dynamic meaning we could have 1000 nodes all secured or 1000 nodes and 'n' unsecured.

The problem we encounter is the secure role runs as root initially and by the end of play, root login is disabled. For the nodes that are unsecured the play runs not problem but for the nodes that are secured the get an unreachable error. We want to be able to handle that and pass it. The method mention above does not seem to work when all nodes are secured. The play is stopped.

I agree with the idea that rescue should be able to catch unreachable errors and decide what to due next.

For now we have made sure that our infrastructure code runs the setup play when the node is initialized but I think being able to have the option to handle unreachable errors would be very helpful

Other Answers:

cazorla19
69

Let's get up this issue. Please, reopen this. It's really painful when you work with autoscaling group on the cloud.
What's the issue exactly? Let's start with, for example, 20 nodes gathering info from EC2 dynamic inventory. A couple of them might be terminated by EC2 API to scale down. If they will, Ansible marks these hosts as unreachable, finish all tasks on helathy nodes. But! It returns "exit code 4" which means error.
The issue is that it sometimes doesn't seem to be error at all. But the target CI system (Jenkins, Bamboo, whatever) marks this operation as an error and breaks the full operational cycle. Meta task doesnt work on multiple nodes. Even if it will, it's going to try to connect to hosts again which seems unreasonable at this situation.
It treats by a shell-wrapper which handles "4 exit code", but, surely, this is a nasty workaround. So, please, include the meta or any other engine which helps to signal Ansible that unreachable is OK and we don't need to return error if some nodes (for example, by percentage) will be unreachable&

mstuder95376
36

I will not use Ansible because of the lack of error handling for unreachable hosts

dpedu2
29

After testing, it seems - meta: clear_host_errors (and refresh_inventory) does not clear unreachable host errors.

bcoca
29

#43857

Related Issues:

143
ansible module_stdout: "/bin/sh: 1: /usr/bin/python: not found\r\n",
Just use ansible_python_interpreter=/usr/bin/python3 in ur inventory file ansible -m ping -u ubuntu ...
88
ansible error in cryptography setup command: Invalid environment marker: python_version < '3'
I had the same problem in Debian Jessie This is what I did to get it working for me: After this I wa...
88
ansible OSX crash complaining of operation in progress in another thread when fork() was called
This is apparently due to some new security changes made in High Sierra that are breaking lots of Py...
72
ansible Failed to connect to the host via ssh: Permission denied (publickey,password)
Good It's a bit hard to debug when you specify all in your command I have this error I use Debian St...
71
ansible Describe how to use "postgresql_user" properly with ansible >= 2.1.0.0
I managed to get this temporarily working with pipelining per task and becoming postgres user: Hopef...
54
ansible ansible unable to find boto: boto required for this module
@stevenscg still working me with this in my inventory file: Let me know if that does anything for yo...
43
ansible why is ansible's default output not more human readable... stilll?
Ansible 2.4+ has built-in support for human-readable results: Temporarily by setting ANSIBLE_STDOUT_...
37
ansible Reboot and Wait for
An update of the docs and/or the support article to use the preferred full YAML format for tasks wou...
37
ansible ERROR! Timeout (12s) waiting for privilege escalation prompt:
Just as a note I switched the connection over to paramiko and the issue went away and the playbook r...
33
ansible Failed to import docker-py for docker_container module
docker-py is just the name of the project It installs a python package named docker ...
32
ansible json_query filter fails when using the functions "contains", "starts_with", others
The problem is related to the fact that Ansible uses own types for strings: AnsibleUnicode and Ansib...
31
ansible feature: controlling ignore-errors output
From a UX perspective it seems reasonable to give visual distinction between explicitly ignored erro...
30
ansible Support specifying collections in git repositories in requirements.yml
This has become much more frustrating lately SUMMARY When I develop collections I like to store them...
29
ansible SSH works, but ansible throws unreachable error
This happende all of a sudden when I upgraded Ansible ISSUE TYPE Bug Report ANSIBLE VERSION CONFIGUR...
29
ansible Ansible evaluates with_items for tasks in blocks skipped by the block when condition
For anyone who finds this in future the way to have this work without the warning is to use with_ite...
29
ansible "template error while templating string: Missing end of comment tag" error
EDIT: When unsafe characters are defined in vars follow @inossidabile's recommendation to use !unsaf...
24
ansible ansible-galaxy should download dependencies in meta/main.yml
I heavily work with dependencies and meta/main.yml and it would be great to spare the necessity to m...
24
ansible Add an option lock_wait to the apt module
This should integrate with systemd ISSUE TYPE Feature Idea This is a copy of the issue on the old re...
23
ansible Windows 10/WSL: Ansible cannot read ansible.cfg from NTFS mounts
I think I found a solution for 2.6.1 and so on.. SUMMARY Ansible 2.6.1 added #42070 which makes Ansi...
20
ansible Anisble does not allow handling of "host unreachable" errors
Does anyone else agree we need to revisit how we are handling unreachable errors? We have a use case...
20
ansible delegate_to not propagated to include_role
I would say this is a huge issue If Ansible would have raised an error for combination of delegate_t...
18
ansible shared connection closed
Same for me on macOS: ISSUE TYPE Bug Report COMPONENT NAME Script module ANSIBLE VERSION CONFIGURATI...
16
ansible Handle omit value in task attributes (like environment or become_user)
I too am interested in something similar to this In my use case we use the same playbook for multipl...
15
ansible FAILED! => {"msg": "Timeout (12s) waiting for privilege escalation prompt: "}
This happened to me after my internet connect dropped while running a playbook I fixed it by running...
14
ansible apt_key module ignores the proxy environment
I'm using this as a workaround: ISSUE TYPE Bug Report COMPONENT NAME apt_key ANSIBLE VERSION SUMMARY...
13
ansible Failure in apt. "Please install python-apt", but it is installed
I ran into this issue using the local connection mode -c local using ansible from a virtualenv ...
12
ansible [mac os x] ansible-galaxy: "unexpected Exception: name must be a byte string" when installing from requirements file
Upgrading urllib3 solved this problem for me: sudo pip install --upgrade urllib3 ...
12
ansible Support apt-mark hold
Full working example for reference from Ubuntu 16.04 and docker: From @scottnonnenberg on September ...
12
ansible Single Vault Encrypted value not decrypted in jinja2 pipeline
It still not work for password_hash It need to add string before using password_hash ...
12
ansible file touch always 'changed' - [was: need a separate touch module]
FYI: In Ansible 2.7 was added access_time and modification_time so you can use that to avoid change ...
12
ansible podman support (podman_container)
I am working on the following modules for inclusion in TripleO: podman_image podman_container I also...
11
ansible Inventory script does not work with assumed roles from the command line
For me the fix was to set AWS_SECURITY_TOKEN to the same value as AWS_SESSION_TOKEN ...
11
ansible failed to transfer file to ~/.ansible/tmp/ansible-tmp-xxx/setup.py: [Errno 2] No such file or directory
Same issue here with 2.2.1 (ok with 2.2.0) ISSUE TYPE Bug Report COMPONENT NAME ansible-playbook set...
11
ansible mysql_user broken in 2.7.1 when using /root/.my.cnf
Ok I found it It was a discussion on #ansible-devel on October 2nd SUMMARY When upgrading from 2.7.0...
8
ansible k8s module throwing 'This module requires the OpenShift Python client. Try pip install openshift'
So in my case it was an annoying Requests-related exception (actually just a RequestsDependencyWarni...
6
ansible synchronize: rsync_opts broken/changed in ansible 2.3.0
rsync cmd: BAD (ansible 2.3.0) GOOD (ansible 2.2.2.0) ISSUE TYPE Bug Report COMPONENT NAME synchroni...
5
ansible Issues in template module
Maybe you can add -K option for ansible-playbook command I fixed this problem in my case. ...
4
ansible (P1) nxos* modules timeout sending long running command for transport == cli
@mikewiebe One possible way is: provider: {{ connection | combine({'timeout': 400}) }} ...
3
ansible windows 8.1 .net 3.5 installation: raw, win_chocolatey, win_webpicmd
I ran into this on Server 2012 The easiest solution I found was this: Per this MSDN page Edited for ...
3
ansible pywinrm fails to authenticate from centos 7 host to windows 2012 R2 client
Had the same issue Fixed by uninstalling pyOpenSSL completely (cleaning folders like @darioems sugge...
3
ansible HaProxy drain mode 'bool' object is not callable error
@alikins I looked into the issue today ISSUE TYPE Bug Report COMPONENT NAME HaProxy Module ANSIBLE V...
3
ansible Add possibility to set up several ips for hostname in module ipa_dnsrecord
Are you thinking a format something like: ISSUE TYPE Feature Idea COMPONENT NAME ipa_dnsrecord ANSIB...
82
drupal vm Composer install fails without proper swap
or you can create a swap file sudo fallocate -l 2G /swapfile sudo chmod 600 /swapfile sudo mkswap /s...
77
kubespray After the certificate expires how use kubespray to renew certificate
@kerOssinas you are right the upgrade-cluster.yml of Kubespray will also rotate the certificates ...
32
kubespray Current install documentation is incorrect and does not work due to inventory script changes
@elfiii good luck. The install/usage documentation here: https://github.com/kubernetes-sigs/kubespra...
31
ansible elasticsearch Permissions on elasticsearch.keystore prevent Elasticsearch from starting
This entire problem is being caused by an incorrect mixing of static read-only configuration (elasti...
29
drupal vm Failing to install Drupal on macOS High Sierra - NFS filesystem issues
@ajhoddinott OMG That works thank you! For explicit instructions on Mac OS High Sierra open the app ...
28
kubespray etcd cluster is unavailable or misconfigured: connection refused
Run on master nodes: Run no all nodes: btw SELinux is working fine i did not had to do any adjustmen...
22
kubespray Unable to add new master/etcd node to cluster
You should be able to In the past we managed to replace all nodes in the cluster: master etcd and wo...
21
ansible lint Re-evaluate E0010 - Package installs should not use latest
The official Ansible yum module docs prominently recommend using state=latest with name=* to update ...
LifeSaver
Privacy PolicyDisclaimer