Packer: Ansible - Received disconnect from 127.0.0.1 port ****: too many authentication failures

Created on 26 Jun 2017 · 18Comments · Source: hashicorp/packer

packer version: v1.0.2
initiator OS: macos
guest image OS: ubuntu 16.04
ansible version: 2.3.1.0

Output:

==> amazon-ebs: Prevalidating AMI Name...
    amazon-ebs: Found Image ID: ami-6d48500b
==> amazon-ebs: Creating temporary keypair: packer_5950d4b4-6e84-c715-a9f9-19a16e60088c
==> amazon-ebs: Creating temporary security group for this instance: packer_5950d4b6-ac1e-08ce-d727-dc9ee2f75ae8
==> amazon-ebs: Authorizing access to port 22 on the temporary security group...
==> amazon-ebs: Launching a source AWS instance...
    amazon-ebs: Instance ID: i-00e4df72cd16a1fea
==> amazon-ebs: Waiting for instance (i-00e4df72cd16a1fea) to become ready...
==> amazon-ebs: Adding tags to source instance
    amazon-ebs: Adding tag: "Name": "Packer Builder"
==> amazon-ebs: Waiting for SSH to become available...
==> amazon-ebs: Connected to SSH!
==> amazon-ebs: Provisioning with Ansible...
==> amazon-ebs: Executing Ansible: ansible-playbook --extra-vars packer_build_name=amazon-ebs packer_builder_type=amazon-ebs -i /var/folders/bs/cb_r1q2n6gl79zq3r0_bcft80000gn/T/packer-provisioner-ansible037645181 /LOCATION/test1-playbook.yml --private-key /var/folders/bs/cb_r1q2n6gl79zq3r0_bcft80000gn/T/ansible-key805943062 -v
    amazon-ebs: Using /etc/ansible/ansible.cfg as config file
    amazon-ebs:
    amazon-ebs: PLAY [packer] ******************************************************************
    amazon-ebs:
    amazon-ebs: TASK [Gathering Facts] *********************************************************
==> amazon-ebs: failed to handshake
    amazon-ebs: fatal: [packer]: UNREACHABLE! => {"changed": false, "msg": "Failed to connect to the host via ssh: Warning: Permanently added '[127.0.0.1]:50428' (RSA) to the list of known hosts.\r\nReceived disconnect from 127.0.0.1 port 50428:2: too many authentication failures\r\nsetsockopt TCP_NODELAY: Invalid argument\r\nsetsockopt IP_TOS 8: Invalid argument:\r\nmuxclient: master hello exchange failed\r\nFailed to connect to new control master\r\n", "unreachable": true}
    amazon-ebs:     to retry, use: --limit @/LOCATION/test1-playbook.retry
    amazon-ebs:
    amazon-ebs: PLAY RECAP *********************************************************************
    amazon-ebs: packer                     : ok=0    changed=0    unreachable=1    failed=0
    amazon-ebs:
==> amazon-ebs: Terminating the source AWS instance...
==> amazon-ebs: Cleaning up any extra volumes...
==> amazon-ebs: No volumes to clean up, skipping
==> amazon-ebs: Deleting temporary security group...
==> amazon-ebs: Deleting temporary keypair...

Was constantly getting Received disconnect from 127.0.0.1 port 50428:2: too many authentication failures when Ansible wanted to connect to the host. As you can see, packer can connect fine the first time.

After lots of searching it turned out that I loaded too many keys with ssh-add. It would try all the keys until it came to the generated packer one. But then the setting 'MaxAuthTries' in sshd_config of the ubuntu AMI kicked in (default 6).

So, it is basically an issue of initiator OS (where packer is run) together with a default value of sshd_config of the guest vm. So no idea if packer can mitigate this.

communicatossh question

Source

filip-vt

👍1

Most helpful comment

danielcompton on 29 Sep 2017

👍4 ❤1

All 18 comments

Just add "ssh_agent_auth": false since you only use a temporary keypair.

rickard-von-essen on 26 Jun 2017

👎2

Packer uses the generated priv key and can connect fine. It's the Ansible module that goes over the complete ssh key list.

filip-vt on 26 Jun 2017

👍1

After some more tests, it looks like it's an Ansible bug. It's doesn't look like a Packer bug.

filip-vt on 26 Jun 2017

I've the same problem:

    virtualbox-iso:
    virtualbox-iso: PLAY [all] *********************************************************************
    virtualbox-iso:
    virtualbox-iso: TASK [Gathering Facts] *********************************************************
    virtualbox-iso: fatal: [default]: FAILED! => {"changed": false, "failed": true, "module_stderr": "Warning: Permanently added '[127.0.0.1]:64069' (RSA) to the list of known hosts.\r\n/bin/sh: 1: /usr/bin/python: not found\n", "module_stdout": "", "msg": "MODULE FAILURE", "rc": 127}
    virtualbox-iso:     to retry, use: --limit @/Users/rbu0374/Development/octoschool/tools/ansible/octoschool-web.retry
    virtualbox-iso:
    virtualbox-iso: PLAY RECAP *********************************************************************
    virtualbox-iso: default                    : ok=0    changed=0    unreachable=0    failed=1
    virtualbox-iso:

I couldn't find a solution so far. Any ideas?

openscript on 11 Jul 2017

That's a different issue. Ansible cannot find your python bin. Probably because you are on a system that defaults with python 3. Either install python 2 on it, or override the ansible_python_interpreter var.

filip-vt on 11 Jul 2017

👍2

Yes this was the problem indeed. Sorry for polluting this issue.

openscript on 11 Jul 2017

@filip-vt is there a bug in Ansible we can follow?

danielcompton on 11 Sep 2017

👍

KFoxder on 29 Sep 2017

danielcompton on 29 Sep 2017

👍4 ❤1

I also encountered the same problem, but I was able to work around the problem with the settings below.

"provisioners": [
  {
    "type":             "ansible",
    "playbook_file":    "test.yml",
    "ansible_env_vars": [
      "ANSIBLE_SSH_ARGS='-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o AddKeysToAgent=no'"
    ]
  }
]

ephemeralsnow on 3 Oct 2017

I have also encountered the same problem, but the workaround pasted above did not work for me. It has started to work after adding one more SSH option, which is IdentitiesOnly=yes.
My provisioners section then looks like below:

"provisioners": [
  {
    "type":             "ansible",
    "playbook_file":    "test.yml",
    "ansible_env_vars": [
      "ANSIBLE_SSH_ARGS='-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o AddKeysToAgent=no -o IdentitiesOnly=yes'"
    ]
  }
]

UPDATE: It happened as I was using an old version of packer. New version with #5329 merged should not suffer from this issue.

GoodMirek on 6 Mar 2019

👍4

UPDATE: It happened as I was using an old version of packer. New version with #5329 merged should not suffer from this issue.

Still happens with packer 1.3.5

tarvip on 3 Apr 2019

This is still happening surprisingly

imranismail on 10 Apr 2019

Ran into this with Packer 1.3.5, building on a Debian 9 host running Ansible 2.2.1.0-2+deb9u1, fwiw. Adding -o IdentitiesOnly=yes to the ANSIBLE_SSH_ARGS worked for me.

ctbfourone on 11 Apr 2019

👍2

Similar to @ctbfourone this is still an issue with latest packer (1.4.0) - especially when running locally with many ssh-keys. Setting "ANSIBLE_SSH_ARGS="-o IdentitiesOnly=yes"" solves the issue.

lifeofguenter on 4 May 2019

👍1

Same for me using packer version 1.4.1.

setting ANSIBLE_SSH_ARGS="-o IdentitiesOnly=yes" did it.

antoniosb on 4 Jul 2019

👍1

I had same issue as above , using packer version 1.4.2.

Also, setting "ANSIBLE_SSH_ARGS=-o IdentitiesOnly=yes" worked for me.

rahmanya on 26 Nov 2019

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.