Ansible cascade


Oscar Segarra

Nov 22, 2017, 11:45:37 AM
to Ansible Project
Hi, 

I'm pretty new to Ansible and I apologize if my question has a very easy answer.

In my environment I have a KVM host (vdicnode01) where I run a CentOS 7 guest (vdicguest01) behind a KVM NAT network. From my laptop (vdicmanager01) I want to execute an Ansible playbook in order to execute commands in my guest (vdicguest01), which is not directly accessible from my machine (vdicmanager01). Of course I'd like to retrieve the complete output of the command.

I have installed the latest ansible version in my laptop and if necessary I can install the latest ansible version in my kvm host (vdicnode01).

Is there any trick to perform this?

Thanks a lot.
Óscar Segarra

Oscar Segarra

Nov 23, 2017, 4:20:08 PM
to Ansible Project
Hi everyone!

Has nobody had the same requirement? The same use case applies in the following scenario:

Laptop with Ansible --> FW --> Ansible server intermediate --> FW --> Destination host of my commands

Any help will be really welcome!

Thanks a lot.
Oscar 

Kai Stian Olstad

Nov 23, 2017, 4:31:34 PM
to ansible...@googlegroups.com
This topic has been covered on the list a few times, and the Internet is full of explanations of how to do this, since it's an SSH thing and not an Ansible thing.
Ansible uses SSH, so it supports what SSH can do.

It's called by many names, so search for jump host, jump server, proxycommand or bastion (or some other names I have forgotten).


--
Kai Stian Olstad

Oscar Segarra

Nov 23, 2017, 5:25:53 PM
to Ansible Project
Hi Kai, 

I have found some information on the internet (not so much), but I'm not able to make it work when my end server requires an ssh password to be entered.

Is there any known trick to make this work?

Thanks a lot.
Oscar

Oscar Segarra

Nov 23, 2017, 5:47:21 PM
to Ansible Project
I mean, 

I'm able to connect to my guest through my jump server by setting my .ssh/config file as:

Host vdicnode01
  HostName vdicnode01

### Host to jump to via jumphost1.example.org
Host vdicone01
  HostName vdicone01
  ProxyJump  vdicnode01

[root@vdicmanager01 ansible]# ssh vdicone01
root@vdicnode01's password:
root@vdicone01's password:
Last login: Thu Nov 23 23:41:45 2017 from vdicnode01
[root@vdicone01 ~]#

But from ansible, I'm not able to make it work:

[root@vdicmanager01 ansible]# ansible vdicone01 -m ping -vv
ansible 2.4.1.0
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.5 (default, Aug  4 2017, 00:39:18) [GCC 4.8.5 20150623 (Red Hat 4.8.5-16)]
Using /etc/ansible/ansible.cfg as config file
META: ran handlers
vdicone01 | UNREACHABLE! => {
    "changed": false,
    "msg": "Authentication failure.",
    "unreachable": true
}
[root@vdicmanager01 ansible]#

Thanks a lot and sorry for my previous misexplanation.

Óscar 

Kai Stian Olstad

Nov 24, 2017, 9:33:42 AM
to ansible...@googlegroups.com
On Thursday, 23 November 2017 23.47.21 CET Oscar Segarra wrote:
> I'm able to connect to my guest through my jump server by setting my
> .ssh/config file as:
>
> Host vdicnode01
> HostName vdicnode01
>
> ### Host to jump to via jumphost1.example.org
> Host vdicone01
> HostName vdicone01
> ProxyJump vdicnode01
>
> [root@vdicmanager01 ansible]# ssh vdicone01
> root@vdicnode01's password:
> root@vdicone01's password:

It seems like you need to provide your password twice; I'm not sure that Ansible supports that.


> Last login: Thu Nov 23 23:41:45 2017 from vdicnode01
> [root@vdicone01 ~]#
>
> But from ansible, I'm not able to make it work:
>
> [root@vdicmanager01 ansible]# ansible vdicone01 -m ping -vv
> ansible 2.4.1.0
> config file = /etc/ansible/ansible.cfg
> configured module search path = [u'/root/.ansible/plugins/modules',
> u'/usr/share/ansible/plugins/modules']
> ansible python module location = /usr/lib/python2.7/site-packages/ansible
> executable location = /usr/bin/ansible
> python version = 2.7.5 (default, Aug 4 2017, 00:39:18) [GCC 4.8.5
> 20150623 (Red Hat 4.8.5-16)]
> Using /etc/ansible/ansible.cfg as config file
> META: ran handlers
> *vdicone01 | UNREACHABLE! => {*
> * "changed": false,*
> * "msg": "Authentication failure.",*
> * "unreachable": true*
> }
> [root@vdicmanager01 ansible]#
>
> Thanks a lot and sorry for my previous misexplanation.

You need to tell Ansible to use a password; by default Ansible just connects and expects it to work.
If you add -k/--ask-pass to the command line, Ansible asks for the password.

If you'd like this to be the default, you can change ansible.cfg.

--
Kai Stian Olstad

Oscar Segarra

Nov 24, 2017, 9:40:32 AM
to ansible...@googlegroups.com
Hi,

I have tried with --ask-pass. In this case the system asks for the first password but not the second.

It raises the "Authentication failure" error. 

Thanks a lot 
Oscar 

Kai Stian Olstad

Nov 24, 2017, 11:09:19 AM
to ansible...@googlegroups.com
On Friday, 24 November 2017 15.40.11 CET Oscar Segarra wrote:
> I have tried with the --ask-pass. In this case system asks for the first
> password but not the second.
>
>
> It raises the "Authentication failure" error.

As I suspected, Ansible doesn't support that.
Your option is to set up passwordless ssh keys between the jump host and the remote node, or look up ssh agent forwarding on the ansible control machine.

--
Kai Stian Olstad
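
A key-based version of the ~/.ssh/config quoted earlier in the thread, as an added example that is not part of any poster's message. With ProxyJump, both logins are authenticated from the control machine (vdicmanager01) through the tunnelled connection, so one key pair kept there, with its public key in root's authorized_keys on vdicnode01 and vdicone01, removes both password prompts without forwarding an agent to the jump host. The key file name is an assumption; the root user is taken from the session output above.

```sshconfig
# ~/.ssh/config on the control machine (vdicmanager01)

# Jump host: reached directly, authenticated with a key instead of a password
Host vdicnode01
  HostName vdicnode01
  User root
  IdentityFile ~/.ssh/id_ed25519_ansible   # assumed file name
  IdentitiesOnly yes                       # offer only this key
  ForwardAgent no                          # the jump host never sees key material

# Target guest: tunnelled through the jump host, authenticated end to end
# from the control machine with the same local key
Host vdicone01
  HostName vdicone01
  User root
  ProxyJump vdicnode01
  IdentityFile ~/.ssh/id_ed25519_ansible   # assumed file name
  IdentitiesOnly yes
  ForwardAgent no
```

The IdentityFile lines belong in this file rather than in Ansible's private key setting because the ssh process that ProxyJump starts for the jump host reads the config file, not the options Ansible passes for the target connection.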

Oscar Segarra

Nov 24, 2017, 12:50:00 PM
to Ansible Project
Hi, 

Isn't there any option to send the second password as a variable? I have tried to add them as variables in the hosts file but it has not worked.

I cannot use a passwordless key because the process I'm trying to develop is exactly for synchronizing keys between all my hosts. The first time, I need to access with a password.

Or what do you think about using a kind of "script module" to send an Ansible playbook to the jump server and execute it from there?

Thanks a lot. 