Have you ever run some ansible playbook and you get a message similar to: image But you know the host is “reachable” , because you can ssh into it , it just happens that the ansible’s host ssh key isn’t on the node .

The word “UNREACHABLE” means (at least to me) that you can’t connect to port 22 (in this case) either because there’s no routing or there’s no application(ssh in this case) binding port 22.

So i took a little dive on the ansible code to identify why this behaviour which is very confusing , having said that the log message says “Permission denied” suggesting that the host was REACHABLE but ansible wasn’t able to authenticate.

But here it goes:

Ansible uses the subprocess python module to shell out and run ssh or sshpass:

ansible/ansible

image This isn’t bad or anything but what it means that you’re left to either “expect” different strings out of stdout/stderr for diagnosing the possible error OR return codes.

The problem with return codes is that sometimes external applications that ansible might rely on are not super granular about them, For example:

image

So you see how i got the same responsecode (255) even tho the failures where completely different :

Failure 1: no way i can ssh into Google dns servers (Connection Timed out)

Failure 2: I can connect to port 22 in this case , but my password is wrong.

If you look at this part of the ssh plugin code:

ansible/ansible

image You can see that we get the error “Failed to connect” because we get error code 255 .

So one trashy but possible solution, would be go to the callback function that renders the message and check for a string or something on the stdout/stderr.

https://github.com/ansible/ansible/blob/devel/lib/ansible/plugins/callback/default.py#L118

This is the function that returns that message , which isn’t accurate so a solution would be something like:

image

This is a very simple solution , just “expecting” Permission on stdout , if it’s not there we can return the UNREACHABLE message , but if it is there return something more meaningful:

So in case of a real unreachable we print out something like: image But if we can REACH the box but authentication fails , then something different is returned: image It might be worth to do a PR with a more elaborated solution , but hey it’s good for now.

Have a great weekend!