# Failure to establish connection when provisioning via ansible-playbook server.yml

**URL:** https://discourse.roots.io/t/failure-to-establish-connection-when-provisioning-via-ansible-playbook-server-yml/6518
**Category:** trellis
**Created:** 2016-04-21T14:21:08Z
**Posts:** 31
**Showing post:** 24 of 31

## Post 24 by @fullyint — 2016-08-25T20:09:13Z

> [@jajouka](#):
>
> I also tried pinging again:
> 
> `sbeasley➜S/l/trellis(master✗)» ansible -m ping -u vagrant all `

The `-u vagrant` will probably always fail. A default DO Ubuntu droplet will only have the user `root`, not `vagrant`, so even if you have the correct ssh key, an attempt to connect as `vagrant` user will fail. I think the command below is better for testing:

```
ansible staging -m raw -a whoami -u root
```

You’ll notice that this is [the command](https://github.com/roots/trellis/blob/5b50d799b34ed5f6bda72bb86a4927d9b44ca9c2/roles/remote-user/tasks/main.yml#L10) Trellis uses to test whether it can connect as `root` or whether it must fall back to the admin\_user. If the connection as `root` succeeds, Trellis will use `root`. That’s why I don’t see any reason to change the `admin_user` to `root`. Trellis won’t even try the `admin_user` unless `root` has already failed. In addition, the purpose of the `admin_user` is to have a non-root user who can connect in case you’ve heightened security by disabling root login (see [security docs](https://roots.io/trellis/docs/security/)).

* * *

I’m not perfectly familiar with all the ssh possibilities, so some of this may be unnecessary, but…  
I’m guessing you’re using zsh instead of bash, so, sorry to make you repeat, could you try this:

```
ssh-agent zsh
ssh-add /home/sbeasley/.ssh/digital_ocean

# Connection Test 1: basic connection
ansible staging -m raw -a whoami -u root

# Connection Test 2: force choice of private ssh key
ansible staging -m raw -a whoami -u root --private-key=/home/sbeasley/.ssh/digital_ocean
```

If Connection Test 1 succeeds, then I guess that finally adds your key to the ssh-agent and I bet the `ansible-playbook` command will succeed. If it fails, but Test 2 succeeds, then apparently Ansible is having trouble finding the right ssh key on its own. You could try to figure out why, or just add the `--private-key=/home/sbeasley/.ssh/digital_ocean` to the end of your `ansible-playbook` commands. Or, set up your Trellis `hosts/staging` like this:

```
# hosts/staging
lc-dev1.co.uk ansible_host=178.62.35.88 ansible_ssh_private_key_file='/home/sbeasley/.ssh/digital_ocean'

[staging]
lc-dev1.co.uk

[web]
lc-dev1.co.uk
```

(ref for [`ansible_ssh_private_key_file`](http://docs.ansible.com/ansible/intro_inventory.html#list-of-behavioral-inventory-parameters))

If Connection Tests 1 and 2 both fail, then I’m not sure what to explore next.

- Have you had a successful Trellis project before or is this project the first attempt? (helps isolate problem to your dev environment vs. your current project configuration)
- Are you making any modifications to the default bare Ubuntu box from DO before running Trellis commands?
- Any relevant configs in `/home/sbeasley/.ssh/config` or `/etc/ssh/ssh_config` (e.g., on line 19 for `Host *`)?
- In case this is a duplicate of an obscure problem, you could try adding `control_path = %(directory)s/%%h-%%r` to your `ansible.cfg` under `[ssh_connection]` ([details](https://discourse.roots.io/t/rote-install-busted-on-mac-el-capitan/7466/13))

* * *

> [@jajouka](#):
>
> I … rebuilt DO server droplet (ubuntu 14.04 64)

Given that you did all the work to update Trellis, I’d suggest rebuilding your droplet with ubuntu 16.04.

> [Your thoughts on rebuilding droplets with 16.04](https://discourse.roots.io/t/your-thoughts-on-rebuilding-droplets-with-16-04/7480/2):
>
> you should ideally use Ubuntu 16.04 because it’s required to get HTTP2 working.

* * *

> [@jajouka](#):
>
> I … destroyed vagrant box, created vagrant box

Again, I don’t see this as being necessary, because I don’t see that Vagrant has anything to do with your connection to a DO staging server. But I want to be sure I’m not missing something that could be the key to resolving the connection issue. Do you have Vagrant involved in some way? What is your understanding of how Vagrant is related to your Ubuntu machine’s connection to your DO staging server?

* * *

> [@jajouka](#):
>
> Also I can’t see how to obtain the password for the admin user. I can see the hashed version in users.yml, but is there some way I can get it so I can ssh-copy-id -i ~/.ssh/digital\_ocean admin@\*\*\*\*\*?

In the latest version of Trellis, you simply define the admin\_user’s raw password in [`group_vars/<environment>/vault.yml`](https://github.com/roots/trellis/blob/5b50d799b34ed5f6bda72bb86a4927d9b44ca9c2/group_vars/staging/vault.yml#L7). The admin\_user does not exist on the DO bare Ubuntu box. Trellis _creates_ the admin user (and any other users in [`group_vars/all/users.yml`](https://github.com/roots/trellis/blob/5b50d799b34ed5f6bda72bb86a4927d9b44ca9c2/group_vars/all/users.yml#L5-L17)) as part of the [`server.yml`](https://github.com/roots/trellis/blob/5b50d799b34ed5f6bda72bb86a4927d9b44ca9c2/server.yml#L29) playbook in the users role. The [SSH-keys docs](https://roots.io/trellis/docs/ssh-keys/) describe these users and their purposes.

Current Trellis does not have a hashed version of passwords. Any chance you’re still seeing the old version of [`vault_sudoer_passwords` removed in roots/trellis#614](https://github.com/roots/trellis/pull/614/files#diff-baddfe1923c254518d42b44bcd9392d4L4)?

Trellis will assign the `admin_user` [the password](https://github.com/roots/trellis/blob/5b50d799b34ed5f6bda72bb86a4927d9b44ca9c2/roles/users/tasks/main.yml#L35) when it creates the admin\_user, so you will not need to `ssh-copy-id -i ~/.ssh/digital_ocean admin@*****`.

---

_[View the full topic](https://discourse.roots.io/t/failure-to-establish-connection-when-provisioning-via-ansible-playbook-server-yml/6518)._
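
The two connection tests from the post above and the way their results are read, as an added example that is not part of the original post or of Trellis. It assumes `ansible` is on the PATH and the script is run from the Trellis directory; `probe`, `diagnose_ssh`, the message labels and the return codes are illustrative names.

```shell
#!/usr/bin/env bash
# Added example: automates Connection Tests 1 and 2 from the post.
# probe / diagnose_ssh are hypothetical helper names, not Trellis code.

# Run the probe used in the post; extra arguments
# (e.g. --private-key=...) are passed through to ansible.
probe() {
  local host_group="$1"
  shift
  ansible "$host_group" -m raw -a whoami -u root "$@" >/dev/null 2>&1
}

# Prints one diagnosis line. Return codes (chosen for this example):
#   0 = Test 1 succeeded, 1 = only Test 2 succeeded,
#   2 = both failed,      3 = key file is not readable.
diagnose_ssh() {
  local host_group="$1"
  local key="$2"

  # Connection Test 1: let Ansible/ssh-agent pick the key.
  if probe "$host_group"; then
    echo "test1-ok: root login works with the agent or default key"
    return 0
  fi

  # No point forcing a key that cannot be read.
  if [ ! -r "$key" ]; then
    echo "key-missing: cannot read $key"
    return 3
  fi

  # Connection Test 2: force the private key.
  if probe "$host_group" --private-key="$key"; then
    echo "test2-ok: Ansible is not finding the key on its own;" \
         "use --private-key or ansible_ssh_private_key_file"
    return 1
  fi

  echo "both-failed: review ssh_config files and control_path in ansible.cfg"
  return 2
}

# Usage: ./diagnose.sh staging /home/sbeasley/.ssh/digital_ocean
if [ "$#" -eq 2 ]; then
  diagnose_ssh "$1" "$2"
fi
```
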
