Connect via NOT a bastion jump host


Anton Kirichenko

Feb 27, 2017, 8:10:24 AM2/27/17
to Ansible Project
Hello,

Sorry for a lame question, but I'm trying to enable Ansible to manage Cisco routers which are reachable only from a single management host. That host is an HP NA server, where users could connect by ssh and then manually build a connection (ssh/telnet) to the final destination (i.e. routers).
I've already read about known ways to establish an SSH session via jump/bastion hosts using "proxycommand" and "ssh -W", but my case is a little bit different. The HPNA jump host has its own CLI, where users call the command "connect ROUTER_NAME" to connect to routers.
In other words it looks like  "laptop -> ssh -> HPNA -> HPNA CLI command "connect router Bla" -> ssh/telnet(rare case) -> router"

I wonder if Ansible has any modules which would wrap that command "connect router Bla" into the ssh session established from my laptop to the jump host?

Thank you
Anton

jo...@adicora.net

Apr 10, 2018, 8:04:01 AM4/10/18
to Ansible Project
Hello Anton, did you manage to get this working, I am trying to do the same exact thing but I do not see how it could be done?

Cordially
Jose

vladan.milos...@gmail.com

Nov 27, 2018, 11:58:37 AM11/27/18
to Ansible Project
As far as I have seen, it is not trivial - looks like although the plugin for network_cli is selected, the paramiko_ssh plugin is used to handle the actual ssh session. Considering it is easy to send an additional command, it is not easy to keep all that without significantly touching classes defined in Ansible. And I wanted something like 5 lines of code ...
I almost gave up on this effort...

Mark Zhitomirski

Nov 28, 2018, 4:45:35 AM11/28/18
to ansible...@googlegroups.com
can you kindly present your case? It's not easy to see what you are trying and where it fails.
Regards,
Mark




--
MZ

vladan.milos...@gmail.com

Nov 28, 2018, 5:43:17 AM11/28/18
to Ansible Project
Of course, thanks for asking;
My company has HP Network Automation (HP NA) host which provides universal access to all network devices. It behaves like a jump host, but, not SSH jump host. We ssh to it, authenticate and then get onto local CLI - which is specialised for managing the database of devices on the HP NA and to connect to them (allowing for logging of the session, different setups and so on).
Here is the problem:
HP NA is not SSH bastion so no SSH forwarding (-J, -W, -tt options) works. It has to be a two stage connection to a device if HP NA was to be used (in our case, it has to be).
First of all, I do not have a way to tell Ansible to connect to a device by ssh-ing to HP NA server, then to start a new session to a device using connect 'device_name' command to get the actual device prompt.
What I wanted to achieve:
I wanted to modify network_cli plugin to add a fixed server and a couple of additional steps, so it looks like this - very high level:
ansible -i inventory.ans playbook.yml
(inventory.ans contains real IP addresses and/or device names known to HP NA, playbook.yml contains the modified network_cli_HPNA connector to be used and an arbitrary task)
I thought that ansible-playbook will call network_cli_HPNA at some point to establish a session and I would intercept it there, connect first to the HP NA server, then, after verifying sanity, issue connect device, where device is the information in the playbook and supplied by ansible-playbook when it calls network_cli.
Now, that does not happen early enough (or I did not understand this well).
What I saw was that after I start ansible-playbook and ingest modules and parse playbook, I call paramiko_ssh to establish a permanent connection (which times out, as I can not access devices directly), but, network_cli is never visited...
I saw that connection is brought up in paramiko_ssh and we could possibly change it there, but, that would ruin any upgrade down the road - I wanted to fork this later, when I will not put anyone else in jeopardy (those who use paramiko_ssh as a regular connector plugin).
I hope that this helps.
Thanks,
Vladan
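An added example (not code from this thread or from Ansible) of the two-stage session Vladan describes: the driver is written against the recv_ready/recv/send interface of a paramiko shell channel, but is exercised here against a constructed fake of the HP NA CLI so it runs offline; the "HPNA> " prompt, the "connect <device>" syntax and the error text are assumptions.

```python
import re
import time
from collections import deque

# Constructed stand-in for the HP NA CLI so the driver runs offline; with
# paramiko the driver would wrap client.invoke_shell() in exactly the same way.
class FakeHpnaShell:
    def __init__(self, known_devices):
        self.known, self.device = set(known_devices), None
        self.out = deque(["Welcome to HP NA\r\nHPNA> "])
    def recv_ready(self):
        return bool(self.out)
    def recv(self, _n):
        return self.out.popleft().encode()
    def send(self, data):
        line = data.decode().strip()
        if self.device is not None:            # already on a router
            self.out.append(f"{line}\r\n<output of {line}>\r\n{self.device}#")
        elif line.startswith("connect ") and line.split()[1] in self.known:
            self.device = line.split()[1]
            self.out.append(f"Connecting to {self.device}...\r\n{self.device}#")
        else:
            self.out.append("Error: unknown device\r\nHPNA> ")

HPNA_PROMPT = re.compile(r"HPNA> $")        # HP NA's own CLI prompt (assumed)
DEVICE_PROMPT = re.compile(r"\S+#$")        # Cisco privileged-exec prompt

def expect(chan, prompt, timeout=5.0):
    """Read until the buffered output ends with `prompt`, else raise."""
    buf, deadline = "", time.monotonic() + timeout
    while time.monotonic() < deadline:
        if chan.recv_ready():
            buf += chan.recv(65535).decode(errors="replace")
            if prompt.search(buf):
                return buf
        else:
            time.sleep(0.05)
    raise TimeoutError(f"prompt {prompt.pattern!r} not seen, got {buf!r}")

def open_device_session(chan, device):
    expect(chan, HPNA_PROMPT)                  # sanity check before 'connect'
    chan.send(f"connect {device}\n".encode())
    banner = expect(chan, re.compile(r"HPNA> $|\S+#$"))
    if HPNA_PROMPT.search(banner):             # HP NA bounced us back to its CLI
        raise ConnectionError(f"connect {device} failed: {banner.strip()}")
    return banner

def run_command(chan, cmd):
    chan.send(f"{cmd}\n".encode())             # drop the echo and trailing prompt
    return "\n".join(expect(chan, DEVICE_PROMPT).splitlines()[1:-1])
```

A connection plugin would call open_device_session once in its connect step and run_command from exec_command; a refused "connect" surfaces as ConnectionError rather than as the paramiko timeout Vladan hit.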

Mark Zhitomirski

Nov 28, 2018, 11:55:03 AM11/28/18
to ansible...@googlegroups.com
On Wed, Nov 28, 2018 at 1:43 PM <vladan.milos...@gmail.com> wrote:
> Of course, thanks for asking;
> My company has HP Network Automation (HP NA) host which provides universal access to all network devices. It behaves like a jump host, but, not SSH jump host. We ssh to it, authenticate and then get onto local CLI - which is specialised for managing the database of devices on the HP NA and to connect to them (allowing for logging of the session, different setups and so on).
> Here is the problem:
> HP NA is not SSH bastion so no SSH forwarding (-J, -W, -tt options) works.
I see your problem and feel your pain.

> It has to be a two stage connection
to my understanding this is not how Ansible works

> to a device if HP NA was to be used (in our case, it has to be).
> First of all, I do not have a way to tell Ansible to connect to a device by ssh-ing to HP NA server, then to start a new session to a device using connect 'device_name' command to get the actual device prompt.
> What I wanted to achieve:
> I wanted to modify network_cli plugin
that's way above my Ansible knowledge. I suppose network_cli
is not a transport for Ansible and it cannot be used as such.
Firing a single CLI command on the host and returning output is what it is used for I guess.
Regards,
Mark




--
MZ