#4650 Adjust fetch-ssh-keys for corner cases.
Closed: Fixed. Opened 9 years ago by kevin.

There are two corner cases in fetch-ssh-keys:

  1. fed-cloud02 - This is the 'master' node for our private OpenStack cloud. The way OpenStack works (at least that version) is that it has the external floating IPs on the master node and routes everything to the instances (on whichever compute node). However, fetch-ssh-keys just gathers all those IPs and adds them to the ssh entry.

  2. serverbeach - Sadly, networking is wacky at serverbeach. On the hosts there we have VM guests; we have an external IP on the host and it routes everything into the guest via iptables. So, in this case fetch-ssh-keys also puts those external IPs on the host line instead of the guest line.

Example:

{{{
+fed-cloud02.cloud.fedoraproject.org,fed-cloud02,169.254.169.254,172.16.0.1,172.16.1.1,172.16.2.1,172.16.3.1,172.16.4.1,172.16.5.1,172.16.6.1,172.16.7.1,172.16.8.1,172.23.0.2,192.168.122.1,209.132.184.100,209.132.184.102,209.132.184.103,209.132.184.107,209.132.184.108,209.132.184.109,209.132.184.111,209.132.184.112,209.132.184.113,209.132.184.114,209.132.184.115,209.132.184.116,209.132.184.117,209.132.184.118,209.132.184.119,209.132.184.120,209.132.184.121,209.132.184.122,209.132.184.123,209.132.184.124,209.132.184.125,209.132.184.126,209.132.184.127,209.132.184.128,209.132.184.129,209.132.184.130,209.132.184.131,209.132.184.132,209.132.184.133,209.132.184.134,209.132.184.135,209.132.184.136,209.132.184.137,209.132.184.138,209.132.184.139,209.132.184.141,209.132.184.142,209.132.184.143,209.132.184.144,209.132.184.145,209.132.184.146,209.132.184.147,209.132.184.148,209.132.184.149,209.132.184.150,209.132.184.151,209.132.184.152,209.132.184.153,209.132.184.154,209.132.184.155,209.132.184.156,209.132.184.157,209.132.184.158,209.132.184.159,209.132.184.160,209.132.184.161,209.132.184.162,209.132.184.163,209.132.184.164,209.132.184.165,209.132.184.166,209.132.184.167,209.132.184.168,209.132.184.169,209.132.184.170,209.132.184.171,209.132.184.172,209.132.184.173,209.132.184.174,209.132.184.175,209.132.184.176,209.132.184.177,209.132.184.178,209.132.184.179,209.132.184.180,209.132.184.181,209.132.184.182,209.132.184.183,209.132.184.184,209.132.184.186,209.132.184.187,209.132.184.188,209.132.184.189,209.132.184.190,209.132.184.191,209.132.184.192,209.132.184.193,209.132.184.194,209.132.184.195,209.132.184.196,209.132.184.197,209.132.184.198,209.132.184.199,209.132.184.2,209.132.184.200,209.132.184.201,209.132.184.202,209.132.184.203,209.132.184.204,209.132.184.205,209.132.184.206,209.132.184.207,209.132.184.208,209.132.184.209,209.132.184.210,209.132.184.211,209.132.184.213,209.132.184.214,209.132.184.215,209.132.184.216,209.132.184.217,209.132.184.218,209.132.184.219,209.1
32.184.220,209.132.184.221,209.132.184.222,209.132.184.223,209.132.184.225,209.132.184.226,209.132.184.227,209.132.184.228,209.132.184.230,209.132.184.231,209.132.184.232,209.132.184.233,209.132.184.234,209.132.184.235,209.132.184.237,209.132.184.238,209.132.184.239,209.132.184.240,209.132.184.241,209.132.184.242,209.132.184.243,209.132.184.244,209.132.184.245,209.132.184.246,209.132.184.247,209.132.184.249,209.132.184.250,209.132.184.251,209.132.184.252,209.132.184.253,209.132.184.91,209.132.184.92,209.132.184.93,209.132.184.94,209.132.184.95,209.132.184.96,209.132.184.97,209.132.184.98,209.132.184.99 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAmqbGgqTvN/dzhRU5kmWuTPiG2nfQXSXwzUxsTn32pmV9zOOWYzuRd3Q5gLQ4fpixlLu/xVkj4BlqpfBYY/v2MmeLvXCJ79mblAXXEi4KYVKXMmkZPAW8pb+3ft8Fm9Jo4q4XmRkCIw2jtNrQ+2x8yA8Q4q843G8XhpeMau+aOkIISVymbpmAv4X/NPqvuNZ0K1G8vLuajomkD0bn5nWL5xGKYePg1LmzIoenR1Hu0N2rwr/VP0gvlnbBCnMXg6EaZpTKYDLlhmhS+1PRnGnQUrozhTC6Z1qldH857m0LQtOsY+jvACoz5UAHhGZxH1SPSkZYVVHZO8N24lUyc+N6mw== fed-cloud02.cloud.fedoraproject.org
-proxy09.fedoraproject.org,hosted01.fedoraproject.org,proxy09,192.168.1.15,192.168.122.2 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAzHebvOulO6ZvyW/bRQIuvRl2g2SGuV+cGhhqeZwtM5q3A5/qNjW6VVPtd1WJ8tJW1w+B9NisuiYpQK3HflgbKgaAsghQM4Z8h6HiAuINzSLwBhC3imMwpBvaLXF1iFSrXVB+6pGJoSt2pPaMXPV+XUsKcbZSnixgz3g6sgiFk7wBXxawPO0FwqwPxogXHeodqdHTv63qDQUPfz2DuTK6zK4fgqtRmRPVv5EyFL785ITobBs2518aAQP2Y4REbS5LV6EAb6BeTdC1zwBT2xtDeSmPnFcWUAfDcHDrWepB4FcJ+Teb4Q99erop31YPVZZth6pKOc6kiPaE92xcHrfIkw== proxy09.fedoraproject.org
+proxy09.fedoraproject.org,proxy09,192.168.1.15,192.168.122.2 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAzHebvOulO6ZvyW/bRQIuvRl2g2SGuV+cGhhqeZwtM5q3A5/qNjW6VVPtd1WJ8tJW1w+B9NisuiYpQK3HflgbKgaAsghQM4Z8h6HiAuINzSLwBhC3imMwpBvaLXF1iFSrXVB+6pGJoSt2pPaMXPV+XUsKcbZSnixgz3g6sgiFk7wBXxawPO0FwqwPxogXHeodqdHTv63qDQUPfz2DuTK6zK4fgqtRmRPVv5EyFL785ITobBs2518aAQP2Y4REbS5LV6EAb6BeTdC1zwBT2xtDeSmPnFcWUAfDcHDrWepB4FcJ+Teb4Q99erop31YPVZZth6pKOc6kiPaE92xcHrfIkw== proxy09.fedoraproject.org
-serverbeach09.fedoraproject.org,serverbeach09,192.168.1.35,192.168.122.1,66.135.39.232,66.135.39.232,66.135.62.189 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAwkGS6in7SepTZVtlSEkwITyUDCn8qxXBpyU9GKvhz4bxwQ5rzI4W0w5tCv5oRhxChCoDrSrFBdVQfTxTcfRs5YeCrVa6GUqQqKg0RqcSM/DpZdyLrbt3jvtJ3rnHlPS/5yFi7Xcb+pbv3JNw8fppgULrGXD53eAIurk2uC2iqazAo4kbeK9tQrysvxIpt3ASxy2yEmflXcBixOOgJkWYbr9oYt8DzuZIzLjQlCIXOJwqYsuHplvmbtt3iUVbpFLsayzzldDfpUSYRWTU0mlIt/wQbrE+zWRtQBSQSdFOlTNPF7dcQc24vTFjDHPSldTgKa8mY/3nsxvenb3+3EzYTw== serverbeach09.fedoraproject.org
+serverbeach09.fedoraproject.org,serverbeach09,192.168.1.35,192.168.122.1,66.135.39.232,66.135.39.232,66.135.62.189,69.174.247.243 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAwkGS6in7SepTZVtlSEkwITyUDCn8qxXBpyU9GKvhz4bxwQ5rzI4W0w5tCv5oRhxChCoDrSrFBdVQfTxTcfRs5YeCrVa6GUqQqKg0RqcSM/DpZdyLrbt3jvtJ3rnHlPS/5yFi7Xcb+pbv3JNw8fppgULrGXD53eAIurk2uC2iqazAo4kbeK9tQrysvxIpt3ASxy2yEmflXcBixOOgJkWYbr9oYt8DzuZIzLjQlCIXOJwqYsuHplvmbtt3iUVbpFLsayzzldDfpUSYRWTU0mlIt/wQbrE+zWRtQBSQSdFOlTNPF7dcQc24vTFjDHPSldTgKa8mY/3nsxvenb3+3EzYTw== serverbeach09.fedoraproject.org
}}}
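Review bot: the serverbeach09 hunk lists 66.135.39.232 twice on both the - and + lines, and the fed-cloud02 line carries 169.254.169.254, the link-local metadata address; the script should deduplicate the address list and drop 169.254.0.0/16 before joining it into the line. The larger problem is what the pinned entries assert: every floating IP on the fed-cloud02 line and the external addresses on the serverbeach09 line are bound to the host's key, although (per the description above) traffic to those addresses is forwarded on to instances or guests, so an ssh to one of them meets a different key and fails with a changed-host-key warning rather than a first-contact prompt, which trains people to override the warning. Note too that the proxy09 hunk drops the hosted01.fedoraproject.org alias; anything still connecting by that name loses its pinned key.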

As a further enhancement, it might be nice for fetch-ssh-keys to set the ANSIBLE_HOST_KEY_CHECKING env variable when running so the user doesn't need to accept new host keys, then unset it after running.


If these two machines run Linux bridges for the "extra" IPs reported, then we can filter out interfaces of type bridge, along with their IPs, in the fetch-ssh-keys script.

Kindly run ansible setup on both machines and attach the output to the ticket so I can have a look.

One way I can think about this: to build the known_hosts file that is distributed to the servers, one needs the primary IP of the machine, the one it uses to access the outside world. Accordingly, we could replace the {{ansible_all_ipv4_addresses}} fact with {{ansible_default_ipv4}}.address.

Further investigation reveals that tunnel IPs might be needed as well; for example, cron scripts ssh to the tunnel IP itself.

The latter can be dealt with as an exception, by looking for an interface-with-type-tunnel fact and adding its corresponding address.

To get rid of the exception case, one needs to inventory the use of tunnel end-point IPs, and possibly point that to the main IP of the machine.

Here is my attempt at the script.

Kindly test and give feedback.

I seem to be getting a traceback in testing:

{{{
Traceback (most recent call last):
  File "./fetch-ssh-keys", line 73, in <module>
    names.append(non_link_local["address"])
TypeError: list indices must be integers, not str
}}}

Replying to [comment:6 kevin]:

I seem to be getting a traceback in testing:

{{{
Traceback (most recent call last):
  File "./fetch-ssh-keys", line 73, in <module>
    names.append(non_link_local["address"])
TypeError: list indices must be integers, not str
}}}

Fixed. Kindly run and give feedback.

Looking better. ;)

It seems to be picking up eth1 IPs on some hosts, however. Some phx2 hosts have a 10.5.127.x IP on eth1 to use for storage. We likely don't need this in known_hosts at all. I can't think of any reason we would ssh over the storage network.

for example:

{{{
wiki01.phx2.fedoraproject.org,wiki01,10.5.127.43,192.168.1.129 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA0c5WAVH4jrNNnMvK4Cyj+NH5NQa+s5pwois0W05dl/38kRHpwmLM7YshO5pUyL3H290zCkB27alBAtS4IYduoKNZ+v5z0KFFux2T/qY1YLpw/FbdfviF/GdXqS/uUHTNQp9kISZUkKcbmnu1qQfZq+GAVEdbQH/7H/TrWxqCV0NsUzRlCzj4VMM7NWdG/RqLkdK+ielq5F5Qry8BRWV+m+qUkTYLr+7wVsQvQ50CsIQ5pYePqzLEaIrWH7jzTIv1AgixhmfgRfQtmOpI1xlBmiBkgUCIYS8KYwZCxQks7L2XmjaXsEficzNBtxHmOx1UjfPK00sVb9FPoH+z/NbrIw== wiki01.phx2.fedoraproject.org
}}}

So, I guess we either need to filter eth1 out, or 10.5.127.x IPs, or something...

Replying to [comment:8 kevin]:

Looking better. ;)

It seems to be picking up eth1 IPs on some hosts, however. Some phx2 hosts have a 10.5.127.x IP on eth1 to use for storage. We likely don't need this in known_hosts at all. I can't think of any reason we would ssh over the storage network.

for example:

{{{
wiki01.phx2.fedoraproject.org,wiki01,10.5.127.43,192.168.1.129 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA0c5WAVH4jrNNnMvK4Cyj+NH5NQa+s5pwois0W05dl/38kRHpwmLM7YshO5pUyL3H290zCkB27alBAtS4IYduoKNZ+v5z0KFFux2T/qY1YLpw/FbdfviF/GdXqS/uUHTNQp9kISZUkKcbmnu1qQfZq+GAVEdbQH/7H/TrWxqCV0NsUzRlCzj4VMM7NWdG/RqLkdK+ielq5F5Qry8BRWV+m+qUkTYLr+7wVsQvQ50CsIQ5pYePqzLEaIrWH7jzTIv1AgixhmfgRfQtmOpI1xlBmiBkgUCIYS8KYwZCxQks7L2XmjaXsEficzNBtxHmOx1UjfPK00sVb9FPoH+z/NbrIw== wiki01.phx2.fedoraproject.org
}}}

So, I guess we either need to filter eth1 out, or 10.5.127.x IPs, or something...

Makes sense, although I asked around and found that this machine has a specific net config that might differ from others.

wiki01 has its net set up as inbound via iface eth0 (126 net) and default outbound through eth1 (127 net), which, as you mentioned, is also used for storage. I was not able to find out the reason behind this, though, and would be interested to know why.

So, here we have two alternatives:
1. Take the machine's net config as is, and deal with it and others with similar config as corner cases. Then I need the list of machines you encountered this behavior on.

2. If there is no harm, change the default interface to be eth0 (126) and assign it a gateway (same for others with a similar case), and the script will do its job without dealing with corner cases.

Awaiting feedback.

Thanks,

OK, we fixed wiki* (and virthost10), which had default 10.5.127 routes when they shouldn't have.

One last issue I now see with the output...

We are adding in the 'short' name of a host also, which is great, but in the case of stg hosts it will cause overlap. For example we get:

{{{
wiki01.phx2.fedoraproject.org,wiki01,10.5.126.63,192.168.1.129 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA0c5WAVH4jrNNnMvK4Cyj+NH5NQa+s5pwois0W05dl/38kRHpwmLM7YshO5pUyL3H290zCkB27alBAtS4IYduoKNZ+v5z0KFFux2T/qY1YLpw/FbdfviF/GdXqS/uUHTNQp9kISZUkKcbmnu1qQfZq+GAVEdbQH/7H/TrWxqCV0NsUzRlCzj4VMM7NWdG/RqLkdK+ielq5F5Qry8BRWV+m+qUkTYLr+7wVsQvQ50CsIQ5pYePqzLEaIrWH7jzTIv1AgixhmfgRfQtmOpI1xlBmiBkgUCIYS8KYwZCxQks7L2XmjaXsEficzNBtxHmOx1UjfPK00sVb9FPoH+z/NbrIw== wiki01.phx2.fedoraproject.org
wiki01.stg.phx2.fedoraproject.org,wiki01,10.5.126.60 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA5XlcxpCOQiq7WT/RA3OWDBdw7LUXDhdq5vIRUH9vtvX+i72vS+DSc/l0VI9Y7JgiEoyGTWN2ncFMuxp6SeW7WGxBs9mDflutLqZWrbTBR2KBPA16kAaE1GjkvlxTy4ubvmHpqL4Iyxh0N3jcFZbak9LHCAH3iycuFX1KLe7YT7wlrE0Ng3GVV1AVwWbINq2tmotsRmiiqiiU4+y/R2eLy2FhJfoAUXqh2Cn5jqWRsAZWj7WNzLWz/sT+T4v6Y1hlna7K6o4hWxJlI9BJ/s6RwNMPBFVPYOlceXiNCC33CXLD13xKkiHs/nPbkS8RMjY5LnYicABjUykBnVh/X9yoVQ== wiki01.stg.phx2.fedoraproject.org
}}}

So both end up with 'wiki01'. I guess we need a case for stg and always add its short name with a .stg after it? This would allow 'ssh wiki01.stg' to work, for example.

Replying to [comment:10 kevin]:

OK, we fixed wiki* (and virthost10), which had default 10.5.127 routes when they shouldn't have.

One last issue I now see with the output...

We are adding in the 'short' name of a host also, which is great, but in the case of stg hosts it will cause overlap. For example we get:

{{{
wiki01.phx2.fedoraproject.org,wiki01,10.5.126.63,192.168.1.129 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA0c5WAVH4jrNNnMvK4Cyj+NH5NQa+s5pwois0W05dl/38kRHpwmLM7YshO5pUyL3H290zCkB27alBAtS4IYduoKNZ+v5z0KFFux2T/qY1YLpw/FbdfviF/GdXqS/uUHTNQp9kISZUkKcbmnu1qQfZq+GAVEdbQH/7H/TrWxqCV0NsUzRlCzj4VMM7NWdG/RqLkdK+ielq5F5Qry8BRWV+m+qUkTYLr+7wVsQvQ50CsIQ5pYePqzLEaIrWH7jzTIv1AgixhmfgRfQtmOpI1xlBmiBkgUCIYS8KYwZCxQks7L2XmjaXsEficzNBtxHmOx1UjfPK00sVb9FPoH+z/NbrIw== wiki01.phx2.fedoraproject.org
wiki01.stg.phx2.fedoraproject.org,wiki01,10.5.126.60 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA5XlcxpCOQiq7WT/RA3OWDBdw7LUXDhdq5vIRUH9vtvX+i72vS+DSc/l0VI9Y7JgiEoyGTWN2ncFMuxp6SeW7WGxBs9mDflutLqZWrbTBR2KBPA16kAaE1GjkvlxTy4ubvmHpqL4Iyxh0N3jcFZbak9LHCAH3iycuFX1KLe7YT7wlrE0Ng3GVV1AVwWbINq2tmotsRmiiqiiU4+y/R2eLy2FhJfoAUXqh2Cn5jqWRsAZWj7WNzLWz/sT+T4v6Y1hlna7K6o4hWxJlI9BJ/s6RwNMPBFVPYOlceXiNCC33CXLD13xKkiHs/nPbkS8RMjY5LnYicABjUykBnVh/X9yoVQ== wiki01.stg.phx2.fedoraproject.org
}}}

So both end up with 'wiki01'. I guess we need a case for stg and always add its short name with a .stg after it? This would allow 'ssh wiki01.stg' to work, for example.

Added the exception to deal with stg.

Kindly test and give feedback.

Sadly, now it's including .stg on all hosts. ;(

{{{
+wiki01.phx2.fedoraproject.org,wiki01.stg,10.5.126.63,192.168.1.129 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA0c5WAVH4jrNNnMvK4Cyj+NH5NQa+s5pwois0W05dl/38kRHpwmLM7YshO5pUyL3H290zCkB27alBAtS4IYduoKNZ+v5z0KFFux2T/qY1YLpw/FbdfviF/GdXqS/uUHTNQp9kISZUkKcbmnu1qQfZq+GAVEdbQH/7H/TrWxqCV0NsUzRlCzj4VMM7NWdG/RqLkdK+ielq5F5Qry8BRWV+m+qUkTYLr+7wVsQvQ50CsIQ5pYePqzLEaIrWH7jzTIv1AgixhmfgRfQtmOpI1xlBmiBkgUCIYS8KYwZCxQks7L2XmjaXsEficzNBtxHmOx1UjfPK00sVb9FPoH+z/NbrIw== wiki01.phx2.fedoraproject.org
+wiki01.stg.phx2.fedoraproject.org,wiki01.stg,10.5.126.60 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA5XlcxpCOQiq7WT/RA3OWDBdw7LUXDhdq5vIRUH9vtvX+i72vS+DSc/l0VI9Y7JgiEoyGTWN2ncFMuxp6SeW7WGxBs9mDflutLqZWrbTBR2KBPA16kAaE1GjkvlxTy4ubvmHpqL4Iyxh0N3jcFZbak9LHCAH3iycuFX1KLe7YT7wlrE0Ng3GVV1AVwWbINq2tmotsRmiiqiiU4+y/R2eLy2FhJfoAUXqh2Cn5jqWRsAZWj7WNzLWz/sT+T4v6Y1hlna7K6o4hWxJlI9BJ/s6RwNMPBFVPYOlceXiNCC33CXLD13xKkiHs/nPbkS8RMjY5LnYicABjUykBnVh/X9yoVQ== wiki01.stg.phx2.fedoraproject.org
}}}

Replying to [comment:12 kevin]:

Sadly, now it's including .stg on all hosts. ;(

{{{
+wiki01.phx2.fedoraproject.org,wiki01.stg,10.5.126.63,192.168.1.129 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA0c5WAVH4jrNNnMvK4Cyj+NH5NQa+s5pwois0W05dl/38kRHpwmLM7YshO5pUyL3H290zCkB27alBAtS4IYduoKNZ+v5z0KFFux2T/qY1YLpw/FbdfviF/GdXqS/uUHTNQp9kISZUkKcbmnu1qQfZq+GAVEdbQH/7H/TrWxqCV0NsUzRlCzj4VMM7NWdG/RqLkdK+ielq5F5Qry8BRWV+m+qUkTYLr+7wVsQvQ50CsIQ5pYePqzLEaIrWH7jzTIv1AgixhmfgRfQtmOpI1xlBmiBkgUCIYS8KYwZCxQks7L2XmjaXsEficzNBtxHmOx1UjfPK00sVb9FPoH+z/NbrIw== wiki01.phx2.fedoraproject.org
+wiki01.stg.phx2.fedoraproject.org,wiki01.stg,10.5.126.60 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA5XlcxpCOQiq7WT/RA3OWDBdw7LUXDhdq5vIRUH9vtvX+i72vS+DSc/l0VI9Y7JgiEoyGTWN2ncFMuxp6SeW7WGxBs9mDflutLqZWrbTBR2KBPA16kAaE1GjkvlxTy4ubvmHpqL4Iyxh0N3jcFZbak9LHCAH3iycuFX1KLe7YT7wlrE0Ng3GVV1AVwWbINq2tmotsRmiiqiiU4+y/R2eLy2FhJfoAUXqh2Cn5jqWRsAZWj7WNzLWz/sT+T4v6Y1hlna7K6o4hWxJlI9BJ/s6RwNMPBFVPYOlceXiNCC33CXLD13xKkiHs/nPbkS8RMjY5LnYicABjUykBnVh/X9yoVQ== wiki01.stg.phx2.fedoraproject.org
}}}

Sorry. Please test now and give feedback.

OK, looks like we have a winner. ;)

I've committed this and pushed out an ssh_known_hosts using it. Please look it over and let me know if you see anything else to change.
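The rules worked out in this ticket, as an added example that is not the fetch-ssh-keys script committed above (the ticket does not show that script): take the address from ansible_default_ipv4, fall back to plain ether interfaces when that address is missing or sits in an excluded network such as the 10.5.127.0/24 storage net, add tunnel endpoints, drop link-local and duplicate addresses, and append .stg to the short name only for staging hosts. It also checks a batch of lines for the short-name overlap from comment 10. Host names, addresses and keys are constructed; the fact names (ansible_default_ipv4, ansible_interfaces, ansible_fqdn, ansible_<iface> with type, ipv4 and ipv4_secondaries) are the shape Ansible's setup module returns, while STORAGE_NETS, iface_fact, candidate_addresses and name_collisions are names introduced here.

```python
"""Build ssh_known_hosts lines from 'ansible setup' facts.

Added example for this ticket, not the fetch-ssh-keys script itself. Rules as
the thread converged on them: the ansible_default_ipv4 address (falling back
to plain ether interfaces when it is missing or excluded) plus tunnel
endpoints, link-local and duplicate addresses dropped, '.stg' appended to the
short name only for staging hosts. Hosts, addresses and keys are constructed.
"""
import ipaddress

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
STORAGE_NETS = ("10.5.127.0/24",)   # the phx2 storage net from comment 8


def iface_fact(facts, iface):
    # Per-interface facts are keyed ansible_<iface>; '-' and ':' become '_'.
    fact = facts.get("ansible_" + iface.replace("-", "_").replace(":", "_"))
    return fact if isinstance(fact, dict) else {}


def iface_addresses(facts, iface):
    """All IPv4 addresses on one interface. 'ipv4' is a single dict while
    'ipv4_secondaries' is a list of dicts; indexing that list with "address"
    is the TypeError from comment 6, so both shapes are flattened here."""
    fact = iface_fact(facts, iface)
    items = [fact.get("ipv4")] + list(fact.get("ipv4_secondaries") or [])
    return [i["address"] for i in items if isinstance(i, dict) and i.get("address")]


def candidate_addresses(facts, exclude_nets=()):
    """Addresses worth pinning for this host, deduplicated in order."""
    exclude = [ipaddress.ip_network(n) for n in exclude_nets]

    def allowed(addr):
        ip = ipaddress.ip_address(addr)
        return ip not in LINK_LOCAL and not any(ip in net for net in exclude)

    ifaces = facts.get("ansible_interfaces") or []
    primary = (facts.get("ansible_default_ipv4") or {}).get("address")
    if primary and allowed(primary):
        addrs = [primary]
    else:
        # No usable default (e.g. default route via the storage net, the wiki01
        # case): sweep ether interfaces, which skips bridges, lo and tunnels.
        addrs = [a for iface in ifaces
                 if iface_fact(facts, iface).get("type") == "ether"
                 for a in iface_addresses(facts, iface) if allowed(a)]
    for iface in ifaces:   # tunnel endpoints are ssh'd to directly (cron jobs)
        if iface_fact(facts, iface).get("type") == "tunnel":
            addrs.extend(a for a in iface_addresses(facts, iface) if allowed(a))
    return list(dict.fromkeys(addrs))   # serverbeach09 listed one IP twice


def short_name(fqdn):
    """'wiki01' for wiki01.phx2..., 'wiki01.stg' only when label 2 is 'stg'."""
    labels = fqdn.split(".")
    return labels[0] + (".stg" if len(labels) > 1 and labels[1] == "stg" else "")


def known_hosts_line(facts, pubkey, exclude_nets=()):
    """names,addresses keytype keydata fqdn, the format shown in the ticket."""
    fqdn = facts["ansible_fqdn"]
    names = [fqdn, short_name(fqdn)] + candidate_addresses(facts, exclude_nets)
    keytype, keydata = pubkey.split()[:2]
    return "%s %s %s %s" % (",".join(names), keytype, keydata, fqdn)


def name_collisions(lines):
    """Names listed under more than one key: ssh accepts either key for such
    a name, so the pin is ambiguous (the wiki01 vs wiki01.stg overlap)."""
    seen, clashes = {}, set()
    for line in lines:
        names, _, keydata = line.split()[:3]
        for name in names.split(","):
            if seen.setdefault(name, keydata) != keydata:
                clashes.add(name)
    return sorted(clashes)


# Constructed facts and keys for the example (not real hosts or keys).
KEY_A = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDexampleKeyA= root@a"
KEY_B = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDexampleKeyB= root@b"
WIKI01_STG = {
    "ansible_fqdn": "wiki01.stg.phx2.example.org",
    "ansible_interfaces": ["eth0"],
    "ansible_default_ipv4": {"interface": "eth0", "address": "10.5.126.60"},
    "ansible_eth0": {"type": "ether", "ipv4": {"address": "10.5.126.60"}},
}
WIKI01_PROD = {   # pre-fix wiki01: default route via the storage net on eth1
    "ansible_fqdn": "wiki01.phx2.example.org",
    "ansible_interfaces": ["eth0", "eth1", "tun0"],
    "ansible_default_ipv4": {"interface": "eth1", "address": "10.5.127.43"},
    "ansible_eth0": {"type": "ether", "ipv4": {"address": "10.5.126.63"}},
    "ansible_eth1": {"type": "ether", "ipv4": {"address": "10.5.127.43"}},
    "ansible_tun0": {"type": "tunnel", "ipv4": {"address": "192.168.1.129"},
                     "ipv4_secondaries": [{"address": "192.168.1.129"},
                                          {"address": "169.254.169.254"}]},
}

if __name__ == "__main__":
    lines = [known_hosts_line(WIKI01_PROD, KEY_A, STORAGE_NETS),
             known_hosts_line(WIKI01_STG, KEY_B)]
    print("\n".join(lines), "\ncollisions:", name_collisions(lines))
```

Run as a script it prints the two constructed entries (wiki01 with 10.5.126.63 and its tunnel address, wiki01.stg with the .stg short name) and an empty collision list. The collision check is the part worth keeping on real output before it is pushed: if the facts are gathered with ANSIBLE_HOST_KEY_CHECKING switched off, as suggested earlier in the ticket, that gather step takes each host's key on trust, and the pushed ssh_known_hosts is what every other host then enforces.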
