Ignoring connection errors

[EricDriussi]

I'm trying to migrate from Ansible and I can't figure out this part of the puzzle:

What I'm trying to achieve

Given a server with root ssh access, as a first step before provisioning, I want to set up a non-root sudo user.
This new user should be used to do the provisioning.

Subsequent runs should not produce errors when trying to do the first step (or the connection error should be ignored).

What seems to partially work

Simplified inventory.py:

servers = [
    ("sudo_user", {"ssh_user": "new_user", "ssh_hostname": "192.168.0.15"}),
    ("root_user", {"ssh_user": "root", "ssh_hostname": "192.168.0.15"}),
]

Simplified deploy.py:

user = host.get_fact(User)

if user == "root":
    logger.info("Set up new_user")
else:
    logger.info("Provision the server")

Issues

This setup produces a connection error on subsequent runs:

--> Connecting to hosts...
    [sudo_user] Connected
    [root_user] SSH error (No existing session)

---

Is there a way to maybe ignore that connection error?
Or maybe I'm approaching this the wrong way?

[anntnzrb]

Use FAIL_PERCENT to allow connection failures without stopping execution. In your deploy script: from pyinfra import config; config.FAIL_PERCENT = 50 or via CLI: pyinfra inventory.py deploy.py --fail-percent 50. This allows the deployment to continue on successfully connected hosts while tolerating failures from hosts where root login is no longer valid after user setup.

[EricDriussi]

Thanks for the pointer!
That seems to do the trick, but I noticed that it doesn't seem to work as I expected with the -y flag:

If I add the -y flag as suggested, the script just fails (due to the root_user connection).

Is this a bug or am I just not getting how it works?

Come to think about it, FAIL_PERCENT forces user interaction doesn't it? Is there a way to tell pyinfra "yes, I am aware some of the connections failed, please continue" without it prompting me?

[Dexmachi]

This seems like an issue on how the CLI was written, it assumes "if something can go wrong, it will." and stops the interaction before something terrible happens.

think about utilizing the API, it is great for managing the system programatically and is quite unique on the cfg mgmt world!

[EricDriussi]

Following @Dexmachi suggestion I ended up writing something like this in a run.py file:

root_ssh_check_cmd = [
    "ssh",
    "-o", "BatchMode=yes",
    "-o", "ConnectTimeout=5",
    f"root@{ip_address}",
    "echo ok",
]

with open("/dev/null", "wb") as devnull:
    root_ssh_available = subprocess.run(
        root_ssh_check_cmd,
        stdout=devnull,
        stderr=devnull,
    ).returncode == 0

if root_ssh_available:
    print("Root SSH connection is open, setting up sudo user...")

    inventory = Inventory((["root_user"], {"ssh_user": "root", "ssh_hostname": ip_address}))
    setup_user(inventory, username)

pyinfra_cmd = [
    "pyinfra",
    "-y",
    ip_address,
    "deploy.py",
    "--user",
    username,
]

subprocess.run(pyinfra_cmd, check=True)

where setup_user looks like

def setup_user(inventory, username):
    state = State(inventory=inventory)
    connect_all(state)

    sudo = "sudo"
    add_op(
        state,
        server.packages,

        name=f"Install {sudo}",
        packages=[sudo],
    )

    groups = [sudo, "docker", "crontab"]
    for group in groups:
        add_op(
            state,
            server.group,

            name=f"Create {group} group",
            group=group,
        )

    add_op(
        state,
        server.user,

        name="Create sudo user",
        user=username,
        groups=groups,
        system=True,
        create_home=True,
        home=f"/home/{username}",
    )

    run_ops(state)

What's missing here is the part where I disallow all root ssh connection to the server, but you get the point.

This way I always ensure a sudo user exists and that it is used to run the setup.
TBH this feels quite hacky but hey, it works!

[Dexmachi]

I tend to do a complete run_ops() (without the need of a subprocess)

like this I can just use the complete pyinfra stack without relying on anything other than a python3 run

this does work tho, congrats on getting it to run!