git_retrieve with empty known_hosts file in EE runs into timeout on AAP #221

@theChrO

SUMMARY

I am trying to use ansible.scm in an AAP Execution Environment to retrieve a git repository via SSH. When calling git_retrieve the execution stops, asking what to do about the new unknown hostkey. Afterwards the execution is aborted due to a timeout waiting for a console input.
I tried adding 'host_key_checking: "no"' to the task, but this did not change anything. I guess git_publish will have the same problem.

ISSUE TYPE
  • Bug Report
COMPONENT NAME
ANSIBLE VERSION
# ansible --version
ansible [core 2.14.5]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/runner/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.9/site-packages/ansible
  ansible collection location = /home/runner/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.9.16 (main, May 31 2023, 12:21:58) [GCC 8.5.0 20210514 (Red Hat 8.5.0-18)] (/usr/bin/python3.9)
  jinja version = 3.1.2
  libyaml = True
COLLECTION VERSION
Collection  Version
----------- -------
ansible.scm 1.1.0
CONFIGURATION
CONFIG_FILE() = /etc/ansible/ansible.cfg
OS / ENVIRONMENT

Ansible Automation Platform Controller 4.3.8
The execution environment uses "Red Hat Enterprise Linux release 8.8 (Ootpa)"

STEPS TO REPRODUCE

Launch a Job Template in an execution environment which does not have any SSH known_hosts file.

---
- name: "ansible.scm tests"
  hosts: localhost
  gather_facts: false
  collections:
    - ansible.scm
  tasks:
    - name: "Retrieve Task"
      ansible.scm.git_retrieve:
        host_key_checking: "no"
        origin:
          url: ssh://git@gitithost/projectname/reponame.git
      register: repository
EXPECTED RESULTS

The expectation is that the given git repo is checked out into a temporary directory inside the execution environment, accepting/ignoring the unknown host key, the same way the "accept_hostkey: true" option of ansible.builtin.git works.

ACTUAL RESULTS

The execution got stuck at the ssh prompt asking whether to accept the unknown host key, finally running into a timeout as no answer is given.
Although not tested, I assume git_publish will have the same problem.

Enter passphrase for /runner/artifacts/707585/ssh_key_data: 
Identity added: /runner/artifacts/707585/ssh_key_data (/runner/artifacts/707585/ssh_key_data)

PLAY [ansible.scm tests] *******************************************************

TASK [Retrieve Task] **************************************************************
The authenticity of host '[githost]:PORT ([IP ADDRESSE]:PORT)' can't be established.
RSA key fingerprint is SHA256:FINGERPRINT_REMOVED.
Are you sure you want to continue connecting (yes/no/[fingerprint])? 
fatal: [localhost]: FAILED! => {"branch_name": "", "branches": [], "changed": true, "msg": "Timeout: Failed to clone repository: ssh://git@githost:PORT/projectname/reponame.git", "name": "", "output": [{"command": "git -C /tmp/tmpunfrecz9 clone --depth=1 --progress --no-single-branch ssh://git@githost:PORT/projectname/reponame.git", "env": "", "return_code": 62, "stderr_lines": ["Cloning into 'reponame'..."], "stdout_lines": []}], "path": ""}

PLAY RECAP *********************************************************************
localhost                  : ok=0    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0   

The main reason I am trying to use ansible.scm is the git_publish functionality.

As a workaround I could use a dummy ansible.builtin.git with the "accept_hostkey: true" option, to add the git server's fingerprint to the ~/.ssh/known_hosts file in the EE, and afterwards use ansible.scm.*
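
An added example, not part of the original issue and not code from ansible.scm: instead of accepting an unknown host key unseen, the scanned key can be checked against a fingerprint obtained out of band (the `SHA256:` value the prompt above prints) and the resulting line pre-seeded into the execution environment's known_hosts. The port 2222, the key bytes and the function names are constructed for illustration.

```python
# Added example: verify a scanned SSH host key against a pinned fingerprint,
# then emit the known_hosts line to pre-seed in the execution environment.
import base64
import hashlib
import hmac
import struct


def fingerprint_sha256(key_b64: str) -> str:
    """Return the fingerprint as OpenSSH prints it: SHA256:<base64, no padding>."""
    blob = base64.b64decode(key_b64, validate=True)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def pinned_known_hosts_line(host: str, port: int, scanned_line: str,
                            expected_fp: str) -> str:
    """Check one 'hostspec keytype base64key' line (ssh-keyscan style) and
    return the known_hosts entry; raise ValueError if it is not the pinned key."""
    fields = scanned_line.split()
    if len(fields) < 3:
        raise ValueError("malformed host key line")
    key_type, key_b64 = fields[1], fields[2]
    blob = base64.b64decode(key_b64, validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    # The blob starts with a length-prefixed algorithm name that must match
    # the key type given in the text field.
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != key_type.encode("ascii"):
        raise ValueError("key type does not match key blob")
    actual_fp = fingerprint_sha256(key_b64)
    if not hmac.compare_digest(actual_fp, expected_fp):
        raise ValueError(f"host key mismatch: got {actual_fp}")
    # OpenSSH writes non-default ports as [host]:port in known_hosts.
    hostspec = host if port == 22 else f"[{host}]:{port}"
    return f"{hostspec} {key_type} {key_b64}"


# Constructed sample: a syntactically valid ed25519 blob with dummy key bytes.
_blob = (struct.pack(">I", 11) + b"ssh-ed25519"
         + struct.pack(">I", 32) + bytes(range(32)))
SAMPLE_KEY_B64 = base64.b64encode(_blob).decode("ascii")
SAMPLE_SCAN = f"[githost]:2222 ssh-ed25519 {SAMPLE_KEY_B64}"
# Stands in for the fingerprint received out of band from the server's admin.
SAMPLE_FP = fingerprint_sha256(SAMPLE_KEY_B64)

if __name__ == "__main__":
    print(pinned_known_hosts_line("githost", 2222, SAMPLE_SCAN, SAMPLE_FP))
```

The returned line can be written to the known_hosts file when the execution environment image is built, so the clone never reaches the interactive prompt.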
