'Gitlab CI with Ansible

I am creating a pipeline which is automatically triggered when I push my code on gitlab.com. The project is about the provisioning of a machine.

Here my .gitlab-ci.yml file

ansible_build:
image: debian:10
script:
  - apt-get update -q -y
  - apt-get install -y ansible git openssh-server keychain
  - service ssh stop
  - service ssh start
  - cp files/<ad-hoc-created-key> key.pem && chmod 600 key.pem
  - eval `keychain --eval` > /dev/null 2>&1
  - ssh-add key.pem
  - ansible-galaxy install -r requirements.yml
  - ansible-playbook provision.yml --inventory hosts --limit local

When I push my code, the gitlab environment starts running all commands, but then it exits with the following error

$ ansible-playbook provision.yml --inventory hosts --limit local
 PLAY [Provision step] **********************************************************
 TASK [Gathering Facts] *********************************************************
 fatal: [127.0.0.1]: UNREACHABLE! => {"changed": false, "msg": "Failed to connect to the host via ssh: Host key verification failed.", "unreachable": true}
 NO MORE HOSTS LEFT *************************************************************
    to retry, use: --limit @/builds/team/ansible/provision.retry
 PLAY RECAP *********************************************************************
 127.0.0.1                  : ok=0    changed=0    unreachable=1    failed=0   

In my local PC, I solved it using the ssh-copy-id <path-to-the-key> <localhost> command, but I don't know how to solve it for gitlab-ci, given that it's not an environment which I can control.

I tried also to replace the 127.0.0.1 IP address with localhost.

ansible-playbook provision.yml --inventory hosts --limit localhost

Then it fails:

ansible-playbook provision.yml --inventory hosts --limit localhost
  [WARNING] Ansible is being run in a world writable directory (/builds/teamiguana/minerva-ansible), ignoring it as an ansible.cfg source. For more information see https://docs.ansible.com/ansible/devel/reference_appendices/config.html#cfg-in-world-writable-dir
  [WARNING]: Found both group and host with same name: localhost
 PLAY [Provision step] **********************************************************
 TASK [Gathering Facts] *********************************************************
 fatal: [localhost]: UNREACHABLE! => {"changed": false, "msg": "Failed to connect to the host via ssh: Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.\r\nroot@localhost: Permission denied (publickey,password).", "unreachable": true}
 NO MORE HOSTS LEFT *************************************************************
    to retry, use: --limit @/builds/teamiguana/minerva-ansible/provision.retry
 PLAY RECAP *********************************************************************
 localhost                  : ok=0    changed=0    unreachable=1    failed=0   


Solution 1:[1]

I don't have experience setting up similar - but my first thought would be to check

  1. What system user is Gitlab trying to SSH as?
  2. What system user has the corresponding public keys on the remote hosts?

You can override which user Ansible connects with either in the playbooks, or via --user <user> command-line flag, see https://docs.ansible.com/ansible/latest/cli/ansible-playbook.html#cmdoption-ansible-playbook-u.

Though maybe I'm misunderstanding, because I just noticed that you've set --limit local in your command?

Solution 2:[2]

You may try to add env variable ANSIBLE_TRANSPORT with value "local" to your ansible-playbook command, like this: ANSIBLE_TRANSPORT=local ansible-playbook provision.yml --inventory hosts --limit local

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 n7s
Solution 2 Rabban Keyak