How to use jump/gateway hosts

3,824 views
Skip to first unread message

Baron Schwartz

unread,
Oct 3, 2013, 3:31:04 PM10/3/13
to ansible...@googlegroups.com
Hi! I cannot find anywhere in the documentation how to use a gateway host (jump host, bastion host, etc). All of our hosts are inside an unreachable network with only one host reachable. We SSH to that host and then on to others.

I searched this mailing list, but I mostly found people talking about using ~/.ssh/config. That's obviously not the Right Way To Do It -- we should be sharing our configuration in the configuration management repository, not setting it in user-specific files. In some places people said they were using ansible's SSH options to set a ProxyCommand or other way to accomplish a hop-through. but that also smells, because that's a global setting as far as I can see. If you have more than one isolated network you're going to use different gateway hosts.

This is a really common requirement -- surely I'm missing something?

- Baron

Michael DeHaan

unread,
Oct 3, 2013, 7:56:04 PM10/3/13
to ansible...@googlegroups.com
It's fine to edit ~/.ssh/config and most people who need jumphosts are ok with that.

However it's probably better to just log into your bastion host and run SSH from there.





--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.



--
Michael DeHaan <mic...@ansibleworks.com>
CTO, AnsibleWorks, Inc.
http://www.ansibleworks.com/

Mark Maas

unread,
Oct 4, 2013, 8:37:01 AM10/4/13
to ansible...@googlegroups.com
Is it not possible to put the configuration in /etc/ssh/ ? (Just for the one domain)

ssh/config
Host *
ControlMaster auto
#ControlPersist yes
Host domain.net
ProxyCommand none
Host *.domain.net
ProxyCommand ssh domain.net -W %h:%p

Thanks,
Mark

Brian Coca

unread,
Oct 4, 2013, 11:50:26 AM10/4/13
to ansible...@googlegroups.com
this is what /etc/ssh/ssh_config file is for. As for specific domains:

Michael DeHaan

unread,
Oct 4, 2013, 1:16:57 PM10/4/13
to ansible...@googlegroups.com
Yep, it's totally possible in Ansible.

If you were asking Baron, yep :)




--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

Baron Schwartz

unread,
Oct 4, 2013, 1:49:58 PM10/4/13
to ansible...@googlegroups.com
Hi!

Thanks for responding, everyone. And now that I've done some more searching, I've found this topic that already discusses the same thing, in the context of a pull request that was rejected.

With respect, I disagree with the Ansible project's stance on this topic. Based on previous discussions such as the one I linked, I don't expect this to change anything, but just to state my position succinctly and then let it be:
  1. The fact that machines must be accessed through a gateway is a vital part of the system's configuration.
  2. Configuration should be contained entirely within the configuration management repository.
  3. The use case is demonstrated by broad existence of this functionality in a convenient form in other tools.
  4. It's fine to say "there's no true solution but here's a workaround." But if the response invalidates/rejects the use case, that's discouraging.
Regards,
Baron

Javier Candeira

unread,
Oct 4, 2013, 2:05:52 PM10/4/13
to ansible...@googlegroups.com
You can use ansible to configure ~/.ssh/config in the localhost
machine, that is, in the machine that's doing the management of the
nodes. By doing it that way, maybe via lineinfile, you can ensure that
the configuration is contained entirely within the configuration
management repo as per your point 2.

J

Michael DeHaan

unread,
Oct 4, 2013, 2:12:20 PM10/4/13
to ansible...@googlegroups.com
Thanks for helping me understand.

I don't think "in a convient form in other tools" really applies.   The reason here is that none of these tools are decentralized, and this behavior in those tools *also* has to be configured.  

In our case, the most *flexible* place to configure that if you wanted to is currently the SSH configuration file.

Now, that all being said, you wish to keep your configuration in version control.  That's fine.  Now in most of those other tools, it's usual to say, keep the configuration file for the tool itself along with the project.  However, in this case, yes, it's decentralized.

Should you choose to keep this in your configuration file, easily solve this problem.

A)  set a "-f" in your ansible_ssh_options to point to the configuration file
B)  check this file in alongside your playbooks as ansible.cfg

This will result in that SSH config being used every time.

I don't believe we have ever invalidated the idea that it should be possible, and each time we've suggested how it can be done.

The crux of it is as follows -- it doesn't make sense to expose in Ansible an option for every option in OpenSSH.   This bloats the system unneccessarily where it's meant to be a minimal system -- let OpenSSH do what it does best and support feeding arbitrary options to it.

Now, all being said, I recognize that it may not *always* be strategic to do this even by jump hosts.   If running inside EC2, it is much nicer to run *ansible* inside of EC2, rather than funneling everything through the jump host.

It is for this reason that Ansible and/or AWX may likely support multiple workers at some point in the future, as we initially did way back when creating Func.  But right now, most people will run their EC2 playbooks from a management node inside EC2, etc.







--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

Baron Schwartz

unread,
Oct 4, 2013, 3:49:52 PM10/4/13
to ansible...@googlegroups.com
Michael,

Thanks for your response. Just a couple of things to add to previous points:

I don't think "in a convient form in other tools" really applies.   The reason here is that none of these tools are decentralized, and this behavior in those tools *also* has to be configured.

I've actually enjoyed how Capistrano does this. It is a common configuration setting that "just works" -- you just set :gateway, "gateway.mydomain.com" and you're done. Using the multistage approach that's pretty much universal in Capistrano, you set this variable in each stage file, so it extends nicely, too. Now this is self-contained and magically works on every developer's machine without needing to change any systemwide configuration.

In our case, the most *flexible* place to configure that if you wanted to is currently the SSH configuration file.

Now, that all being said, you wish to keep your configuration in version control.  That's fine.  Now in most of those other tools, it's usual to say, keep the configuration file for the tool itself along with the project.  However, in this case, yes, it's decentralized.

Should you choose to keep this in your configuration file, easily solve this problem.

A)  set a "-f" in your ansible_ssh_options to point to the configuration file
B)  check this file in alongside your playbooks as ansible.cfg

This will result in that SSH config being used every time.

Thanks, this is *very* helpful. I had not thought of checking the SSH config into my git repo and reference it in my playbooks. This sounds workable - I'll let you know. Sounds like a much better option than the others I'd considered or been suggested, although I won't know for sure until I try it for a while.

I'd suggest a FAQ or other documentation entry on this. It seems important to list out the options and their pros and cons, because the docs don't seem to address it directly yet. Digging through the mailing list archives has turned up a lot more information than I found on the docs. I don't feel competent to contribute such docs yet because I'm an absolute newcomer to Ansible (haven't been able to really get started due to this very issue).

By the way, if I may bring up a related topic -- the Ansible config itself. In my Git repo, I've created etc/ansible/hosts and etc/ansible/ansible.cfg. I've symlinked the directory to /etc/ansible. This is not ideal, again because it's system-wide (the only reason I do it is to get the benefits of checking my config into version control). Ideally, Ansible would look for a local config file in the current working directory, and if that doesn't exist, go up to parent directories, and if all else fails look system-wide. I'm firmly in the "vendor things into my repo" camp. I think this should be an article of religious faith for a tool like Ansible: assume that sysadmins and developers are working on lots of things, and need to switch between many entirely self-contained, independent bits of work without side effects. Assume that getting-started instructions should be 1) install Ansible 2) git clone && cd && run.  This means that it's extremely important to have ZERO cross-pollution or systemwide anything. Everything needs to be in the CWD and under version control.

Regards,
Baron 

Brian Coca

unread,
Oct 4, 2013, 3:52:25 PM10/4/13
to ansible...@googlegroups.com
in my devops repo i have an ansible.cfg which points to the dir in same repot inventory. I just run my ansible commands from that repo and it picks up the config and inventory.



--
Brian Coca
Stultorum infinitus est numerus
0110000101110010011001010110111000100111011101000010000001111001011011110111010100100000011100110110110101100001011100100111010000100001
Pedo mellon a minno

Michael DeHaan

unread,
Oct 4, 2013, 4:34:50 PM10/4/13
to ansible...@googlegroups.com
" Ideally, Ansible would look for a local config file in the current working directory, and if that doesn't exist, go up to parent directories, and if all else fails look system-wide"

Actually it does something very much like this already

ansible.cfg is looked for alongside your playbook, then ~/.ansible.cfg, then /etc/ansible/ansible.cfg

I'm about to push out a docs update today that gives the config file it's own chapter.



--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

Baron Schwartz

unread,
Oct 5, 2013, 12:11:49 AM10/5/13
to ansible...@googlegroups.com
On Fri, Oct 4, 2013 at 12:34 PM, Michael DeHaan <mic...@ansibleworks.com> wrote:
" Ideally, Ansible would look for a local config file in the current working directory, and if that doesn't exist, go up to parent directories, and if all else fails look system-wide"

Actually it does something very much like this already

ansible.cfg is looked for alongside your playbook, then ~/.ansible.cfg, then /etc/ansible/ansible.cfg

Perfect, thanks. I did not realize that. What about the host inventory file? I was under the impression that had to be in /etc/ansible/hosts, or mentioned explicitly in an env var or config setting. If that's discovered in the CWD and parents too, then that's great.

Thanks,
Baron

Michael DeHaan

unread,
Oct 5, 2013, 12:20:21 AM10/5/13
to ansible...@googlegroups.com
You can specify it with -i or change the default inventory path in your config file.




--
Reply all
Reply to author
Forward
0 new messages