I want to set up my home server with a new OS (CentOS 7). I decided to use
Ansible to provision the server because I want to document the different steps, and to learn Ansible.
To be able to play with Ansible and to try out different steps, I had the idea to use a VirtualBox image with CentOS 7 as the target (simulating my new server) and a docker container with Ansible as the provisioner.
Both systems/boxes were set up in just a few minutes. Since I had already installed Vagrant, VirtualBox and Docker, I just needed to do the following
Afterwards I had the shown structure
Fine - I thought at least ...
Next I tried to ping "new host" from the ansible container.
$ docker run --rm -i -t -v $(pwd):/data -w /data thomo/ansible bash
[root@07091097c2ca data]# ping 10.0.2.15
PING 10.0.2.15 (10.0.2.15) 56(84) bytes of data.
64 bytes from 10.0.2.15: icmp_seq=1 ttl=64 time=0.055 ms
64 bytes from 10.0.2.15: icmp_seq=2 ttl=64 time=0.073 ms
64 bytes from 10.0.2.15: icmp_seq=3 ttl=64 time=0.103 ms
64 bytes from 10.0.2.15: icmp_seq=4 ttl=64 time=0.108 ms
^C
--- 10.0.2.15 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3000ms
rtt min/avg/max/mdev = 0.055/0.084/0.108/0.024 ms
[root@07091097c2ca data]#
Seems to work ...
Next: Log in with ssh
[root@07091097c2ca data]# ssh 10.0.2.15
The authenticity of host '10.0.2.15 (10.0.2.15)' can't be established.
ECDSA key fingerprint is d2:62:41:e4:a3:d2:40:cf:a0:02:eb:d0:16:ab:49:bc.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.2.15' (ECDSA) to the list of known hosts.
root@10.0.2.15's password:
Permission denied, please try again.
root@10.0.2.15's password:
Permission denied, please try again.
root@10.0.2.15's password:
Permission denied (publickey,password,keyboard-interactive).
[root@07091097c2ca data]#
Huh, what the heck ...?
After some investigation (mainly by comparing the host key fingerprints) I realized that I was not communicating with my "new host" box but with the docker host. In fact the "new host" box and the docker host both use the VirtualBox NAT interface, but the boxes cannot reach each other.
In VirtualBox this router [the NAT interface] is placed between each virtual machine and the host. This separation maximizes security since by default virtual machines cannot talk to each other. (source)
You wonder why the ping trial worked? The reason is that the docker host has the same IP address (10.0.2.15) as the "new host". So I pinged the docker host instead of the "new host".
I hope my documentation helps others to avoid similar errors or at least facilitates troubleshooting in a similar situation.
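The fingerprint comparison that exposed the mix-up can be scripted. This is an added example, not part of the original post. It assumes you have one public key line read on the VM itself (for example from /etc/ssh/ssh_host_ecdsa_key.pub) and one line as returned by ssh-keyscan from inside the container; the key material below is constructed sample data, not real keys.

```python
import base64
import hashlib
import struct

def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire string: uint32 length, then the data."""
    return struct.pack(">I", len(data)) + data

def make_sample_line(prefix: str, point: bytes) -> str:
    """Build a CONSTRUCTED ecdsa-sha2-nistp256 key line (not a real key)."""
    ktype = b"ecdsa-sha2-nistp256"
    blob = _ssh_string(ktype) + _ssh_string(b"nistp256") + _ssh_string(b"\x04" + point)
    return f"{prefix}{ktype.decode()} {base64.b64encode(blob).decode()}"

def parse_key_blob(line: str) -> bytes:
    """Return the raw key blob from a .pub line or an ssh-keyscan line."""
    fields = line.split()
    for ktype, b64 in zip(fields, fields[1:]):
        try:
            blob = base64.b64decode(b64, validate=True)
        except ValueError:
            continue
        # The blob starts with its own key type; this rejects a mis-split line.
        if blob.startswith(_ssh_string(ktype.encode())):
            return blob
    raise ValueError("no SSH public key found in line")

def fingerprints(blob: bytes) -> tuple:
    """MD5 colon-hex (the format in the ssh prompt above) and SHA256 form."""
    md5 = hashlib.md5(blob).hexdigest()
    md5 = ":".join(md5[i:i + 2] for i in range(0, 32, 2))
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return md5, "SHA256:" + sha

def same_host_key(expected_line: str, observed_line: str) -> bool:
    """True only if both lines carry the identical host key."""
    return parse_key_blob(expected_line) == parse_key_blob(observed_line)

# CONSTRUCTED sample data: the key read on the VM console, and what
# answered on 10.0.2.15 from inside the container.
VM_PUB = make_sample_line("", bytes(range(64))) + " root@newhost"
SCAN_OTHER = make_sample_line("10.0.2.15 ", bytes(range(64, 128)))
SCAN_VM = make_sample_line("10.0.2.15 ", bytes(range(64)))

if __name__ == "__main__":
    for label, line in (("expected", VM_PUB), ("observed", SCAN_OTHER)):
        print(label, *fingerprints(parse_key_blob(line)))
    print("same host:", same_host_key(VM_PUB, SCAN_OTHER))
```

A mismatch before the first login means the address is answered by a different machine than the one you intended to provision, which is the situation a successful ping cannot reveal.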