Currently on Foreman Ansible, we are facing an issue when running Ansible for the first time against a host.
The host could have been created by Foreman or it could be an already existing host we have imported.
Since it’s the first time the foreman-proxy users try to SSH to the host, the first run will fail with a familiar error like “Host key verification failed”. In order to work around it, you may try to just open an SSH connection between foreman-proxy and the host on a console, then ‘accept’ the key to be added to
This is most likely a problem shared with Foreman Remote Execution too. Here are some possible solutions. Any more ideas? Preferences?
- If the host has been created by Foreman, add it to ./ssh/known_hosts. This can be problematic for proxies and error-prone (what if the proxy is down?)
- Disable this feature as http://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html#host-key-checking indicates - an attack vector for man-in-the-middle.
- Disabling key verification on the first Ansible run we make by passing the variable ANSIBLE_HOST_KEY_CHECKING=False. The second time onwards we will get a warning if the host key has changed.
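
As an added illustration of the first option above (this is not code from the post or from Foreman), the sketch below pins a host's public key into known_hosts text and reports a conflict instead of overwriting when a different key is already recorded. It assumes the public host key arrives over a trusted channel at provisioning time and that entries use plain, unhashed host names; the function names and the sample keys are hypothetical and constructed.

```python
import base64, hashlib, struct

def parse_pubkey(line):
    """Split 'type base64 [comment]' and check the blob names the same key type."""
    keytype, b64 = line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode("ascii", "replace") != keytype:
        raise ValueError("key type does not match key blob")
    return keytype, blob

def fingerprint(blob):
    """OpenSSH-style SHA256 fingerprint (unpadded base64), for comparison and logs."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def pin_host_key(known_hosts, host, pubkey_line):
    """Return (new_known_hosts_text, status); status is added/present/conflict."""
    keytype, blob = parse_pubkey(pubkey_line)
    for entry in known_hosts.splitlines():
        fields = entry.split()
        if len(fields) < 3 or entry.startswith(("#", "@", "|")):
            continue  # comments, markers and hashed entries are out of scope here
        if host in fields[0].split(",") and fields[1] == keytype:
            same = base64.b64decode(fields[2]) == blob
            return known_hosts, "present" if same else "conflict"
    entry = f"{host} {keytype} {base64.b64encode(blob).decode()}\n"
    if known_hosts and not known_hosts.endswith("\n"):
        known_hosts += "\n"
    return known_hosts + entry, "added"

def sample_key(seed):
    """Constructed ed25519-shaped public key line (not a real host's key)."""
    name = b"ssh-ed25519"
    raw = bytes((seed + i) % 256 for i in range(32))
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", 32) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed"

if __name__ == "__main__":
    kh, status = pin_host_key("", "web01.example.com", sample_key(1))
    print(status, fingerprint(parse_pubkey(sample_key(1))[1]))
    print(pin_host_key(kh, "web01.example.com", sample_key(1))[1])  # same key again
    print(pin_host_key(kh, "web01.example.com", sample_key(2))[1])  # different key
```

A "conflict" result is the case to surface to an operator rather than resolve automatically, since it is the same condition SSH reports as a changed host key.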