SSH host key prompts trample over each other #13318

Closed
amenonsen opened this Issue Nov 26, 2015 · 5 comments

Contributor

amenonsen commented Nov 26, 2015

This is a known problem, for which I had submitted a patch with #12276. Although that PR was merged, the actual locking part was rejected because it (unavoidably) waited too long if ssh timed out trying to connect to unreachable hosts.

@bcoca said on IRC that he may be prepared to reconsider this for v2, because otherwise it's painful to deal with any number of newly-provisioned hosts.

I'm creating this just to keep track of the decision. If the feature is definitely wanted for v2.0, then I'll go back and rebase [the patch that I had originally submitted](https://gist.github.com/amenonsen/a2ecbea86b468e780608) (which worked fine, but by now needs rebasing, and can also be slightly improved upon).

Contributor

amenonsen commented Nov 26, 2015

P.S. For anyone who isn't already familiar with the problem: http://toroid.org/ansible-ssh-locking explains it.

@bcoca bcoca added the feature_idea label Nov 27, 2015

@bcoca bcoca added this to the v2 milestone Nov 27, 2015

Member

bcoca commented Nov 27, 2015

I attempted to recreate the locking but you can probably do it faster as you rewrote most of it and I have not caught up with the new code yet.

Contributor

amenonsen commented Nov 28, 2015

I pushed another commit to add the requested locking in the existing PR #13297 (which fixes a real problem, and should be merged).

amenonsen added a commit to amenonsen/ansible that referenced this issue Nov 28, 2015

Use connection locking to protect against competing host key prompts
We acquire the connection lock before executing ssh, and release it as
soon as the unknown host key prompt is negotiated, or we can be sure it
won't be issued at all. This fixes the problem where many prompts pile
up and compete for input.

Unfortunately, we can only lock against other connections: there's no
output_lockfile that can prevent output from other subsystems. See the
FIXME note.

This problem was the original motivation for PR #12276, but although
the bulk of that PR was merged, the locking changes were not.

Fixes #13318
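
The locking scheme this commit message describes, as an added example that is not part of the thread or of the referenced patch: Python code that takes an exclusive `flock` before reading ssh output and drops it once the host key prompt is answered or ruled out. The lock path, the marker strings taken to mean "no prompt will follow", and the sample ssh output are assumptions constructed for illustration.

```python
import fcntl
import os
import tempfile
import threading
import time

PROMPT = "Are you sure you want to continue connecting"
# Assumption: either marker in `ssh -v` output means the prompt will not be issued.
PAST_HOST_KEY = ("is known and matches", "Authentications that can continue")

def run_session(lock_path, ssh_output, answer_prompt):
    """Return True if the lock was released early, False if held to the end."""
    fd = os.open(lock_path, os.O_CREAT | os.O_RDWR, 0o600)
    fcntl.flock(fd, fcntl.LOCK_EX)       # blocks while another connection holds it
    locked = True
    try:
        for line in ssh_output:
            if not locked:
                continue                 # past the prompt stage: just drain output
            if PROMPT in line:
                answer_prompt(line)      # only one prompt owns the terminal now
            if PROMPT in line or any(m in line for m in PAST_HOST_KEY):
                fcntl.flock(fd, fcntl.LOCK_UN)
                locked = False
    finally:
        os.close(fd)                     # a timed-out ssh held the lock until here
    return not locked

def demo(hosts=("192.0.2.1", "192.0.2.2", "192.0.2.3")):
    """Constructed run: new hosts connect in parallel; returns (max concurrent prompts, answered)."""
    lock_path = os.path.join(tempfile.mkdtemp(), "connection.lock")
    state = {"active": 0, "max": 0, "answered": 0}
    def answer(line):
        state["active"] += 1
        state["max"] = max(state["max"], state["active"])
        time.sleep(0.05)                 # stands in for the user checking the fingerprint
        state["answered"] += 1
        state["active"] -= 1
    def worker(host):
        run_session(lock_path, [
            f"The authenticity of host '{host}' can't be established.",
            PROMPT + " (yes/no)?",
            "debug1: Authentications that can continue: publickey",
        ], answer)
    threads = [threading.Thread(target=worker, args=(h,)) for h in hosts]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return state["max"], state["answered"]
```

When the output ends without a prompt or a marker, as with an unreachable host, the lock is held until the session closes, which is the waiting behaviour the first comment gives as the reason the original locking was rejected.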
Contributor

amenonsen commented Feb 11, 2016

I'm closing this because the associated PR was rejected and an alternative solution adopted for v2.

@amenonsen amenonsen closed this Feb 11, 2016

matjam commented Feb 27, 2018

Clearly the solution doesn't work because this is still a problem.

@ansibot ansibot added feature and removed feature_idea labels Mar 2, 2018
