Is Jump host advisable ?

[rajthecomputerguy]

Hi Team,

Which is one is followed as best practice in Ansible?

Using jump server to connect devices ? or having direct access to devices.

thanks

[Tran Khang]

You need to practice somes to familiar with Ansible first. Then set some small targets using ansible to manage. So far I know switch, router devices don't have python inside which must have to manage by ansible.

I suggest you use model : Ansible control --> Jump server --> cisco devices. (I use this model to do backup task all devices in my environment labs)

Ansible control: ansible installed, use playbook variable to manage quantity/type of devices, use templates to send scripts to Jump server to execute.

Jum server: Python installed, expect installed. Only use for executing scripts to manage devices (upgrade, backup, etc..)

### playbook.yml sample

---

- hosts: jumpserver
  become: yes
  become_method: su
  gather_facts: no
  ignore_errors: yes
  roles:
    - upgrade_cisco_router
    - backup_router

####upgrade_cisco_router roles sample:

## roles/tasks/main.yml

---

- name: Prepare upgrade scripts
  template: src=upgrade_cisco_router.exp.j2 dest=/root/upgrade_cisco_router_{{ item }}.exp mode=0774
  with_items:

    - {{ cisco_router }}

- name: Start upgrade
  raw: /root/upgrade_cisco_router_{{ item }}.exp
  with_items:

    - {{ cisco_router }}

## roles/vars/main.yml

---

cisco_router: ["10.10.10.5", "10.10.10.6"]

## roles/templates/upgrade_cisco_router.exp.j2

<contain script to upgrade cisco router>

[Jonathan Lozada De La Matta]

This isn't necessary best practices but, more security policies.

Jonathan Lozada De La Matta on mobile

 

---

From: ansible...@googlegroups.com on behalf of rajthecomputerguy <rajtheco...@gmail.com>
Sent: Thursday, May 16, 2019 2:57 AM
To: Ansible Project
Subject: [ansible-project] Is Jump host advisable ?

 

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
To post to this group, send email to ansible...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/43b3995d-cad4-4eca-9153-1378fd136481%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[rajthecomputerguy]

Hi Tran,

thanks for your response!

Do you see any connection drops when we ask ansible to go thru jump servers? or else we can provide acess to ansible to connect directly to access all devices?

[rajthecomputerguy]

Hi Jon,

You mean Jump is not necessary ? 

thanks,

On Thursday, May 16, 2019 at 2:43:04 PM UTC+5:30, Jonathan Lozada De La Matta wrote:

This isn't necessary best practices but, more security policies.

Jonathan Lozada De La Matta on mobile

 

---

From: ansible...@googlegroups.com on behalf of rajthecomputerguy <rajtheco...@gmail.com>
Sent: Thursday, May 16, 2019 2:57 AM
To: Ansible Project
Subject: [ansible-project] Is Jump host advisable ?

 

Hi Team,

Which is one is followed as best practice in Ansible?

Using jump server to connect devices ? or having direct access to devices.

thanks

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.

To unsubscribe from this group and stop receiving emails from it, send an email to ansible...@googlegroups.com.

[Jonathan Lozada De La Matta]

No, is not. Usually is required by organizations but, is not required with ansible.

Jonathan Lozada De La Matta on mobile

From: ansible...@googlegroups.com on behalf of rajthecomputerguy <rajtheco...@gmail.com>

Sent: Thursday, May 16, 2019 5:24 AM
To: Ansible Project
Subject: Re: [ansible-project] Is Jump host advisable ?

 

To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.

To post to this group, send email to ansible...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/f728a391-ef04-4c26-88ef-6d6de95082fc%40googlegroups.com.

[Tran Khang]

good policies is needed but using jump server is a better choice. Imagine:

1. You can use local network server to build all ansible scripts, playbooks and only allow this server can access jump server.

    All ansible playbook, scripts protected by ansible vault.

    Playbook send scripts to jump server to execute wanted tasks then make 1 more task to remove all run scripts, clearing logs on jump server after process done.

2. Jump server contain nothing after running scripts --> more safety

@Raj: why does packet drop? It belong to your network is stable or not.

[Mounika Bonam]

Hi Tran,

  you have suggested a model Ansible control --> Jump server --> cisco devices to execute playbooks on jumpserver using expect installed on jumpserver.
Can you please explain clearly how hostfile configuration needs to be done. And also iam not familier with the j2 templates used in the above example. can you share sample template file for executing "show version" command on network devices.

Thanks in Advance.