wait_for using bastion host


Vincent Van der Kussen

Jun 22, 2016, 7:39:46 AM
to ansible...@googlegroups.com
Hi,

I'm currently testing Ansible for deploying instances on AWS. To reach hosts in private subnets, I'm using a bastion host. When deploying new instances I have a task that waits for the ssh port of the new instance to come up before proceeding.

During the creation of the instance I also update my local inventory file with the ip of the instance and the ansible_ssh_private_key_file (aws generated key-pair) like this:

x.x.x.x ansible_private_key_file=~/.ssh/instance.pem

However, the task that waits for the ssh port to come up gives a timeout. This is the wait_for task:

- name: Wait for SSH
  wait_for:
    host: "{{ item.private_ip }}"
    port: 22
    delay: 60
    timeout: 320
    state: started
  with_items: "{{ ec2.instances }}"

The host variable resolves to the correct ip of the new instance.

In my ssh config file I have configured the bastion host for each subnet. And ssh'ing into the new instance works without issues. I can also perfectly run ad-hoc commands against the new instance.

This is the ansible_cfg I'm using:

[defaults]
inventory=./hosts
ProxyCommand="ssh -W %h:%p -q centos@<ip bastion host>"
host_key_checking=False

[ssh_connection]
ssh_args=-o ForwardAgent=yes


I also tried delegating the wait task to the bastion host, but that results in the same error. Is there something I'm missing?


Vincent

Ansible Madness

May 24, 2017, 8:06:26 AM
to Ansible Project

Sadly I do not have an answer to your question, but as I am facing the same situation I was curious to know if you found a solution?

Rod

Matt Martz

May 24, 2017, 8:26:37 AM
to ansible...@googlegroups.com
You need to delegate the wait_for task to the bastion server:

delegate_to: bastion.host.com


--
Matt Martz
@sivel
sivel.net
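
Added example, not part of the original thread: wait_for opens a plain TCP connection from whichever host executes the task, so the ssh ProxyCommand is never involved, and this playbook runs the probe from the bastion instead of the control machine. The inventory alias `bastion`, its inventory line and the constructed `ec2` value are assumptions standing in for the poster's real data.

```yaml
# Assumed inventory entry (./hosts), using the address placeholder from the post:
#   bastion ansible_host=<ip bastion host> ansible_user=centos
#
# The bastion needs Python, because the wait_for module code executes there.

- hosts: localhost
  connection: local
  gather_facts: false

  vars:
    # Constructed sample standing in for the result registered by the
    # instance-creation task (not shown in the thread).
    ec2:
      instances:
        - private_ip: 10.0.1.10

  tasks:
    - name: Wait for SSH on the new instances, probing from the bastion
      wait_for:
        host: "{{ item.private_ip }}"
        port: 22
        # Succeed only once sshd sends its banner, not merely when the
        # port accepts connections.
        search_regex: OpenSSH
        delay: 60
        timeout: 320
        state: started
      # The TCP probe now originates inside the VPC, where the private
      # address is routable.
      delegate_to: bastion
      with_items: "{{ ec2.instances }}"
      register: ssh_wait

    - name: Show what each probe returned
      debug:
        var: ssh_wait.results
```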

Igor Cicimov

May 24, 2017, 7:12:43 PM
to Ansible Project
Try to connect manually with the same ssh command with the -vvv switch to find out what went wrong. Also use register in the ansible command and debug the returned value. My guess is a missing/mismatched key or a security group issue, i.e. the instance has TCP port 22 blocked.

Ansible Madness

May 25, 2017, 3:12:21 AM
to Ansible Project
Many thanks, this sorted out my issue!