Ansible Jump thru Bastion host


rajeev

Mar 10, 2017, 8:03:37 PM
to Ansible Project
Hello All,

In my environment, the Ansible server (A) does not have trust access to its clients.
I have another host (B), which allows trust access (using keys) to all hosts in the environment.

Host B has root trusted for the entire environment. I can access any other host by running SUDO from my ID (e.g. sudo ssh hostx works from host B from my ID).

I have set up trust keys between the Ansible account on host A and my account on host B, which works. I want Ansible to use that trust to jump to host A and then run "SUDO ssh hostx". Here hostx would be any host which is part of my inventory when I call my playbook.

I am not getting any success so far jumping to any client from Ansible (A) via host B.

A command line ssh from A via jump (B) to destination hostx works fine:
A prompt > ssh -t dane@B  "sudo ssh hostx hostname"

Please let me know if I am not clear or need to elaborate further.

Appreciate any help or any ideas.

Thanks much!
Rajeev

Simon Wydooghe

Mar 11, 2017, 2:23:22 PM
to Ansible Project

rajeev

Mar 12, 2017, 1:03:55 AM
to Ansible Project
Thanks for input, but it still does not work for me.

Here are my configs/errors. ssh -F .ssh/config works fine; it just fails thru Ansible.

ansible.cfg:

ssh_args = -F /opt/ansible/.ssh/config

/opt/ansible/.ssh/config:
Host 10.116.10.114
  Hostname 10.116.10.114
  User duttr
  IdentityFile /opt/ansible/.ssh/id_dsa
  PasswordAuthentication no
  ForwardAgent yes
  ServerAliveInterval 60
  TCPKeepAlive yes
  ControlMaster auto
  ControlPath /opt/ansible/.ssh/ansible-%r@%h:%p
  ControlPersist 15m
  ProxyCommand none
  LogLevel QUIET

Host *
  User duttr
  IdentityFile /opt/ansible/.ssh/id_dsa
  ServerAliveInterval 60
  TCPKeepAlive yes
  ProxyCommand ssh -W %h:%p -q du...@10.116.10.114
  LogLevel QUIET
  StrictHostKeyChecking no


ssh -F .ssh/config 51.16.67.33 df -h /
Password:
Filesystem      Size  Used Avail Use% Mounted on
/dev/sda3        28G   22G  4.6G  83% /

Thru Ansible:

Using /etc/ansible/ansible.cfg as config file
Loading callback plugin default of type stdout, v2.0 from /opt/ansible/ansible/lib/ansible/plugins/callback/__init__.pyc
Loading callback plugin unnamed of type old, v1.0 from /opt/ansible/ansible/lib/ansible/plugins/callback/__init__.pyc
Loading callback plugin unnamed of type old, v1.0 from /opt/ansible/ansible/lib/ansible/plugins/callback/__init__.pyc

PLAYBOOK: helloworld_ver2.yml ************************************************************************************************************************************
1 plays in playbks/helloworld_ver2.yml

PLAY [Test ping on localhost] ************************************************************************************************************************************

TASK [Gathering Facts] *******************************************************************************************************************************************
Using module file /opt/ansible/ansible/lib/ansible/modules/system/setup.py
<51.16.67.33> ESTABLISH SSH CONNECTION FOR USER: None
<51.16.67.33> SSH: ansible.cfg set ssh_args: (-F)(/opt/ansible/.ssh/config)
<51.16.67.33> SSH: ansible_password/ansible_ssh_pass not set: (-o)(KbdInteractiveAuthentication=no)(-o)(PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey)(-o)(PasswordAuthentication=no)
<51.16.67.33> SSH: ANSIBLE_TIMEOUT/timeout set: (-o)(ConnectTimeout=10)
<51.16.67.33> SSH: PlayContext set ssh_common_args: ()
<51.16.67.33> SSH: PlayContext set ssh_extra_args: ()
<51.16.67.33> SSH: EXEC ssh -vvv -F /opt/ansible/.ssh/config -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 51.16.67.33 '/bin/sh -c '"'"'/usr/bin/python && sleep 0'"'"''
fatal: [51.16.67.33]: UNREACHABLE! => {
    "changed": false,
    "msg": "SSH Error: data could not be sent to remote host \"51.16.67.33\". Make sure this host can be reached over ssh",
    "unreachable": true
}

msg: SSH Error: data could not be sent to remote host "51.16.67.33". Make sure this host can be reached over ssh

msg: SSH Error: data could not be sent to remote host "51.16.67.33". Make sure this host can be reached over ssh
        to retry, use: --limit @/opt/ansible/playbks/helloworld_ver2.retry

PLAY RECAP *******************************************************************************************************************************************************
51.16.67.33                : ok=0    changed=0    unreachable=1    failed=0



Rajeev
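
Added example, not part of the thread and not Ansible's own code: a short Python audit of an ssh_config like the one posted above, flagging the settings that hide the underlying ssh error from Ansible (`LogLevel QUIET`, `-q` on the proxy hop) or weaken the bastion path (`StrictHostKeyChecking no`, `ForwardAgent yes`, a DSA identity file). The sample config is constructed from the post with a placeholder `bastion_user`; the rule list and function names are this example's own assumptions.

```python
import re

# Constructed sample modelled on the posted config; bastion_user is a placeholder.
SAMPLE_CONFIG = """\
Host 10.116.10.114
  IdentityFile /opt/ansible/.ssh/id_dsa
  ForwardAgent yes
  ProxyCommand none
  LogLevel QUIET

Host *
  ProxyCommand ssh -W %h:%p -q bastion_user@10.116.10.114
  LogLevel QUIET
  StrictHostKeyChecking no
"""

# (option, test on the lowercased value, finding): this example's own rule list.
RULES = [
    ("loglevel", lambda v: v == "quiet", "ssh error text is suppressed"),
    ("stricthostkeychecking", lambda v: v in ("no", "off"), "host keys are not verified"),
    ("forwardagent", lambda v: v == "yes", "agent socket exposed to the remote host"),
    ("identityfile", lambda v: v.endswith("id_dsa"), "DSA is disabled by default in OpenSSH 7.0+"),
    ("proxycommand", lambda v: "-q" in v.split(), "-q silences the bastion hop's diagnostics"),
]

def parse_ssh_config(text):
    """Return [(host_pattern, {option: value})] in file order."""
    blocks = []
    for raw in text.splitlines():
        # ssh_config separates keyword and value by whitespace or a single '='
        parts = re.split(r"\s*=\s*|\s+", raw.strip(), maxsplit=1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            blocks.append((value, {}))
        elif blocks:
            blocks[-1][1].setdefault(key, value)  # ssh keeps the first value it obtains
    return blocks

def audit(text):
    """Return [(host_pattern, option, finding)] for every rule that matches."""
    return [(host, option, finding)
            for host, opts in parse_ssh_config(text)
            for option, is_risky, finding in RULES
            if option in opts and is_risky(opts[option].lower())]

if __name__ == "__main__":
    for host, option, finding in audit(SAMPLE_CONFIG):
        print(f"Host {host}: {option}: {finding}")
```

Setting `LogLevel` back to its default and dropping `-q` before re-running the playbook with `-vvv` lets the real ssh failure reach Ansible's output.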