Fixes #37803 - Remove hardcoded ProxyCommand #845
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
adamlazik1
force-pushed
the
refs-36456-remove-hardcoded-proxycommand
branch
from
546abc9 to
9239feb
Compare
Previously, we added a hardcoded `ProxyCommand=none` because ipa-client-install added `ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h` into `/etc/ssh/ssh_config`, which caused failure to execute ansible commands on systems without the `/sbin/nologin` shell [1]. However; this also prevents users from using their own jump host in the ssh configuration since the hardcoded command line arguments always take precedence. Since this issue was fixed in the ipa tooling 3 years ago (they now use the `Match exec true` rule [2]), I propose we remove the hardcoded ProxyCommand to allow users to specify their own jump hosts. The same is being done for remote execution [3]. Some users who have configured the ipa client before the fix landed in ipa might still report that they are getting errors when trying to run ansible commands because the ProxyCommand specified in `etc/ssh/ssh_config` is failing to execute. We should suggest these users to remove the ProxyCommand from ssh config, which should fix all of their issues originating from this. This is more of a problem of the old ipa tooling rather than a problem of foreman. [1] https://projects.theforeman.org/issues/25481 [2] https://pagure.io/freeipa/issue/7676 [3] theforeman/smart_proxy_remote_execution_ssh#117
adamlazik1
force-pushed
the
refs-36456-remove-hardcoded-proxycommand
branch
from
9239feb to
a6eb9e2
Compare
ekohl
approved these changes
Oct 28, 2024
|
@adamlazik1 can you take a look at an installer migration? I can provide pointers if needed. |
|
@ekohl I can take a look but it will probably take some time. |
|
We have a helper to create the migration files in the right places. https://github.com/theforeman/foreman-installer/blob/develop/config/foreman.migrations/20201224125100_ansible_ssh_args.rb is probably a good place to start from. You can decide how you want to handle it. One way is to see if @adamruzicka probably also has some thoughts on what we want for our upgrading users. |
adamlazik1
added a commit
to adamlazik1/foreman-installer
that referenced
this pull request
Nov 6, 2024
adamlazik1
added a commit
to adamlazik1/foreman-installer
that referenced
this pull request
Nov 15, 2024
ekohl
pushed a commit
to theforeman/foreman-installer
that referenced
this pull request
Nov 21, 2024
ekohl
pushed a commit
to ekohl/foreman-installer
that referenced
this pull request
Nov 21, 2024
Relates to theforeman/puppet-foreman_proxy#845 (cherry picked from commit 349e482)
ekohl
pushed a commit
to theforeman/foreman-installer
that referenced
this pull request
Nov 21, 2024
Relates to theforeman/puppet-foreman_proxy#845 (cherry picked from commit 349e482)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Previously, we added a hardcoded
ProxyCommand=nonebecause ipa-client-install addedProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %hinto/etc/ssh/ssh_config, which caused failure to execute ansible commands on systems without the/sbin/nologinshell. 1 However; this also prevents users from using their own jump host in the ssh configuration since the hardcoded command line arguments always take precedence.Since this issue was fixed in the ipa tooling 3 years ago (they now use the
Match exec truerule)2, I propose we remove the hardcoded ProxyCommand to allow users to specify their own jump hosts. The same is being done for remote execution. 3Some users who have configured the ipa client before the fix landed in ipa might still report that they are getting errors when trying to run ansible commands because the ProxyCommand specified in
etc/ssh/ssh_configis failing to execute. We should suggest these users to remove the ProxyCommand from ssh config, which should fix all of their issues originating from this. This is more of a problem of the old ipa tooling rather than a problem of foreman.Footnotes
https://projects.theforeman.org/issues/25481 ↩
https://pagure.io/freeipa/issue/7676 ↩
https://github.com/theforeman/smart_proxy_remote_execution_ssh/pull/117 ↩