Need to automate task via bastion host


Monica
Apr 2, 2023, 11:35:06 AM
to Ansible Project
Hi All,

I have a requirement to automate some tasks via an ansible playbook; the problem is I cannot go to the servers directly, I need to go to the remote nodes via a bastion node. Could anyone please help with how I can write the same inside the inventory? Below is the example of how I am connecting to the remote host via the bastion host.

ssh user@<remote-host IP>@<bastion-host-IP> -p 8022

Will McDonald
Apr 2, 2023, 12:09:31 PM
to ansible...@googlegroups.com

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/19f0148f-01d4-4a4f-82e3-c1270fdbf8f1n%40googlegroups.com.

Todd Zullinger
Apr 2, 2023, 4:51:53 PM
to ansible...@googlegroups.com
Will McDonald wrote:
> https://www.jeffgeerling.com/blog/2022/
> using-ansible-playbook-ssh-bastion-jump-host

Odd that uses ProxyCommand in `ansible_ssh_common_args` and
not the far simpler ProxyJump, which it does mention in the
~/.ssh/config method. The `-J` shortcut for that is even
better.

Perhaps it does that to illustrate a more complex use case,
where the bastion runs on a different port, but if you're
not doing that, it's likely simpler to skip it and use the
`-J` argument.

I would expect (but have not tested) this works:

ansible_ssh_common_args='-J $your_bastion_hostname'

ProxyJump / -J was added in OpenSSH-7.3 -- so it's surely on
any host folks would be using as an ansible control host.

--
Todd

Monica
Apr 2, 2023, 11:37:03 PM
to Ansible Project
Hi Todd,

Thank you for sharing the same, however, I have already checked this article.

I have a requirement to connect Host-A then I can connect Host-B. I can't connect Host-B directly. So in this case how to execute the playbook task on Host-B from Control Machine? Because my control machine is centralized. Hence, my question is how to execute the playbook task on Host-B directly from the control machine via bastion host. Below is an example of how I am connecting to the remote host via bastion host using ssh:

ssh user@<remote-host IP>@<bastion-host-IP> -p 8022

In the playbook I have created the inventory, however, while running the same I am getting the below error:

cat lab.txt
[need_bastion]
bastion-host

[need_bastion:vars]
ansible_ssh_common_args='-o StrictHostKeyChecking=no -o ProxyJump="user@<remote-host>@<bastion-host>:8022"'

PLAY [copy file from jump to remote servers] ********************************************************************************************************

TASK [copy node exporter package] ************************************************************************************************************************
Password:
Password:
fatal: [IP]: UNREACHABLE! => {"changed": false, "msg": "Failed to connect to the host via ssh: Connection timed out during banner exchange", "unreachable": true}

PLAY RECAP ***********************************************************************************************************************************************
IP : ok=0 changed=0 unreachable=1 failed=0 skipped=0 rescued=0 ignored=0

Todd Zullinger
Apr 3, 2023, 12:37:21 AM
to ansible...@googlegroups.com
Hi,

Monica wrote:
> Thank you for sharing the same, however, I have already
> checked this article.

I was simply quoting the article which Will kindly shared to
mention that ProxyJump / -J might be a simpler method, even
within ansible_ssh_common_args.

[I reformatted some of the text you wrote as it arrived at
the list as one large block, which was rather hard to read.]

> I have a requirement to connect Host-A then I can connect
> Host-B. I can’t connect Host-B directly. So in this case
> how to execute the playbook task on Host-B from Control
> Machine? Because my control machine is centralized. Hence,
> my question is how to execute the playbook task on Host-B
> directly from the control machine via bastion host-: Below
> is an example of how I am connecting to the remote host
> via bastion host using ssh.
>
> ssh user@<remote-host IP>@<bastion-host-IP> -p 8022

Note that the ssh_config man page says of ProxyJump:

Specifies one or more jump proxies as either
[user@]host[:port] or an ssh URI.

It has further text regarding configuration applied to the
jump (aka bastion) host, which is worth reading.

Ansible uses the value from `ansible_ssh_common_args` to
create the full ssh command to connect to each host, so
`@<remote-host>` should not be included if you're using
ansible to connect to <remote-host> via <bastion-host>.

(If you've got multiple bastion hosts to pass through from
<control-host> to <remote-host>, you should probably get
things working with ssh directly and then map that to either
`ansible_ssh_common_args` or the `.ssh/config` of the user
running ansible on the control host.)

All that said, if you're going from <control-host> to
<remote-host> via <bastion-host> (on port 8022), I think
this would look like:

ansible_ssh_common_args='-J <bastion-user>@<bastion-host>:8022'

(I skipped the StrictHostKeyChecking option there simply for
brevity. I replaced -o ProxyJump with -J for the same
reason.)

That connects to the <remote-host> via the bastion host as
the given user and at the given port.

I find testing with the ansible ping module is helpful in
cases like this. It makes it easier to separate issues with
the playbook from issues with the ssh configuration. E.g.:

ansible <remote-host> -om ping

That should return:

<remote-host> | SUCCESS => {"changed": false,"ping": "pong"}

If not, adding -vvv to the command will show the ssh command
ansible used, which can be checked for sanity (and/or
compared to what works when you run ssh directly to get from
<control-host> to <remote-host> via <bastion-host>).

--
Todd
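Todd's point above, that `ansible_ssh_common_args` is spliced into the ssh command Ansible builds for each host and so the jump spec must hold only the bastion, can be checked before a play is run. The following is an added example written for this thread, not code from the Ansible project or from any poster: it pulls the ProxyJump value out of an `ansible_ssh_common_args` string, validates each hop against the `[user@]host[:port]` grammar from ssh_config(5), and assembles a simplified model of the per-host ssh command so the effect of the jump spec can be eyeballed. The names `bastion.example` and `10.0.0.5` are constructed placeholders, and `ssh_command` approximates Ansible's ssh connection plugin rather than reproducing it.

```python
"""Pre-flight lint for ProxyJump in ansible_ssh_common_args.

Added example for this thread; it is not code from Ansible or OpenSSH.
The assembled command is a simplified model of what Ansible's ssh
connection plugin runs per host (real Ansible adds ControlMaster and
other options), enough to see what the jump spec will do.
"""
import re
import shlex

# One ProxyJump hop as ssh_config(5) defines it: [user@]host[:port].
# ssh:// URIs are also accepted by OpenSSH but are out of scope here.
HOP_RE = re.compile(r"^(?:(?P<user>[^@:\s]+)@)?(?P<host>[^@:\s]+)(?::(?P<port>\d{1,5}))?$")


def parse_hops(spec):
    """Split a ProxyJump value into (user, host, port) hops.

    Returns (hops, problems); a hop that does not parse is reported and
    skipped, so an empty hop list with problems means the spec is unusable.
    """
    hops, problems = [], []
    for raw in spec.split(","):
        hop = raw.strip()
        m = HOP_RE.match(hop)
        if not m:
            if hop.count("@") > 1:
                # The mistake from the thread: user@<remote>@<bastion>:port.
                # The final target is supplied by Ansible (or by ssh's own
                # destination argument) and must not be embedded in the hop.
                problems.append(f"hop {hop!r}: more than one '@'; ProxyJump takes "
                                "[user@]host[:port] and the final target does not belong here")
            else:
                problems.append(f"hop {hop!r}: does not match [user@]host[:port]")
            continue
        port = int(m["port"]) if m["port"] else 22
        if not 1 <= port <= 65535:
            problems.append(f"hop {hop!r}: port {port} is out of range")
            continue
        hops.append((m["user"], m["host"], port))
    return hops, problems


def extract_proxyjump(common_args):
    """Return the ProxyJump spec given as -J or -o ProxyJump=..., else None."""
    argv = shlex.split(common_args)
    for i, arg in enumerate(argv):
        if arg == "-J" and i + 1 < len(argv):
            return argv[i + 1]
        if arg.startswith("-J") and len(arg) > 2:
            return arg[2:]
        opt = None
        if arg == "-o" and i + 1 < len(argv):
            opt = argv[i + 1]
        elif arg.startswith("-o") and len(arg) > 2:
            opt = arg[2:]
        if opt is not None:
            # ssh accepts both "Key=value" and "Key value" after -o.
            parts = re.split(r"[=\s]+", opt, maxsplit=1)
            if parts[0].lower() == "proxyjump" and len(parts) == 2:
                return parts[1]
    return None


def lint_common_args(common_args):
    """Collect the problems to fix before running the play; empty list = ok."""
    spec = extract_proxyjump(common_args)
    if spec is None:
        return ["no ProxyJump (-J / -o ProxyJump=) found"]
    _hops, problems = parse_hops(spec)
    if "-p" in shlex.split(common_args):
        # -p sets the port of the final destination, which Ansible already
        # supplies from ansible_port; the bastion's port belongs in the hop.
        problems.append("-p in common args applies to the remote host, not the bastion; "
                        "put the bastion port in the hop as host:port")
    return problems


def ssh_command(remote_user, remote_host, remote_port, common_args):
    """Simplified model of the per-host command: inventory supplies the
    destination, the common args are spliced in verbatim."""
    return ["ssh", *shlex.split(common_args), "-p", str(remote_port),
            f"{remote_user}@{remote_host}"]


if __name__ == "__main__":
    # Constructed values, not taken from any real inventory.
    broken = '-o StrictHostKeyChecking=no -o ProxyJump="user@10.0.0.5@bastion.example:8022"'
    fixed = "-J bastion-user@bastion.example:8022"
    for label, args in (("broken", broken), ("fixed", fixed)):
        print(label, lint_common_args(args) or "ok")
        print("  ", shlex.join(ssh_command("user", "10.0.0.5", 22, args)))
```

Run it on the value from an inventory line before the play; the "broken" case reproduces the spec from earlier in this thread and is reported, while the `-J` form Todd suggested passes. The `-p` check catches the other half of the original command, where `-p 8022` named the bastion's port: on the ssh command line that flag belongs to the final destination, so the port must move into the hop.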

dulh...@mailbox.org
Apr 3, 2023, 1:43:08 AM
to ansible...@googlegroups.com
I agree with Todd that setting up a proper ~/.ssh/config should be the way to do this. Something like ...

Host jumphost
    HostName jumphost.blub.com
    User username
    # the keyword is plural: PreferredAuthentications
    PreferredAuthentications publickey
    IdentityFile ~/.ssh/demo.ed25519

Host internal-target
    HostName target.blub.com
    # hop through the alias above; ssh applies that Host block to the jump as well
    ProxyJump jumphost
    User username
    PreferredAuthentications publickey
    IdentityFile ~/.ssh/demo.ed25519


... should do it I believe

---
gunnar wagner | fichtestr. 1, 19386 lübz | fon: 0176 7808 9090
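The config above works for Ansible because ssh resolves the `ProxyJump jumphost` entry through the same `Host jumphost` block, so the inventory only needs the alias `internal-target` and no ssh arguments at all. The following added example, written for this thread and not code from OpenSSH or any poster, implements the two ssh_config rules that make this work (the first value obtained for a keyword wins, and a ProxyJump hop that names another Host alias is itself resolved through the config) and prints the chain ssh would traverse for an alias. It handles only exact Host aliases and `*` (no wildcards, Match blocks or Include), and the embedded config is the one from the post with the `PreferredAuthentications` keyword spelled as OpenSSH expects.

```python
"""Resolve an ssh_config Host alias into its ProxyJump chain.

Added example for this thread, not code from OpenSSH or Ansible. Only
exact Host aliases and '*' are supported; wildcards, Match, and Include
are out of scope.
"""
import re

# The config from the thread, with the plural keyword OpenSSH expects.
SAMPLE_CONFIG = """\
Host jumphost
    HostName jumphost.blub.com
    User username
    PreferredAuthentications publickey
    IdentityFile ~/.ssh/demo.ed25519

Host internal-target
    HostName target.blub.com
    ProxyJump jumphost
    User username
    PreferredAuthentications publickey
    IdentityFile ~/.ssh/demo.ed25519
"""

# One hop as ssh_config(5) defines it: [user@]host[:port].
HOP_RE = re.compile(r"^(?:(?P<user>[^@:\s]+)@)?(?P<host>[^@:\s]+)(?::(?P<port>\d{1,5}))?$")


def parse_ssh_config(text):
    """Return an ordered list of (patterns, options) blocks.

    Options before the first Host line are global and match every host.
    """
    current = (["*"], {})
    blocks = [current]
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) == 2 else ""
        if key == "host":
            current = (value.split(), {})
            blocks.append(current)
        else:
            current[1].setdefault(key, value)  # first value within a block wins
    return blocks


def options_for(blocks, alias):
    """Apply ssh's first-obtained-value-wins rule across matching blocks."""
    opts = {}
    for patterns, block_opts in blocks:
        if alias in patterns or "*" in patterns:
            for key, value in block_opts.items():
                opts.setdefault(key, value)
    return opts


def resolve_chain(config_text, destination, _seen=None):
    """Return the hops ssh would traverse, outermost first, ending at destination.

    Each hop is a dict with host, user and port. A hop written as
    [user@]host[:port] is looked up as a Host alias; user and port given in
    the hop itself override the config, as on the ssh command line.
    """
    seen = _seen or set()
    if destination in seen:
        raise ValueError(f"ProxyJump loop through {destination!r}")
    seen = seen | {destination}

    m = HOP_RE.match(destination)
    if not m:
        raise ValueError(f"cannot parse hop {destination!r}")
    alias = m["host"]
    opts = options_for(parse_ssh_config(config_text), alias)
    target = {
        "host": opts.get("hostname", alias),
        "user": m["user"] or opts.get("user"),
        "port": int(m["port"] or opts.get("port", 22)),
    }
    chain = []
    proxy = opts.get("proxyjump")
    if proxy and proxy.lower() != "none":
        for hop in proxy.split(","):
            chain.extend(resolve_chain(config_text, hop.strip(), seen))
    chain.append(target)
    return chain


if __name__ == "__main__":
    for hop in resolve_chain(SAMPLE_CONFIG, "internal-target"):
        print(f"{hop['user']}@{hop['host']}:{hop['port']}")
```

For the config in this post the chain is `username@jumphost.blub.com:22` followed by `username@target.blub.com:22`, which is exactly what `ssh internal-target` does; an inventory containing just `internal-target` therefore needs no `ansible_ssh_common_args`, and a mistaken loop between two aliases is reported instead of hanging.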

Monica
Apr 3, 2023, 6:32:33 AM
to ansible...@googlegroups.com
Hi Todd,

Thank you for explaining the same, however I am still getting the same error:

--

Thanks and Regards,

Monika Dharmshaktu
EMail: monicaac...@gmail.com
Cell: +91 9654525106

Avinash Jadhav
Apr 3, 2023, 6:38:59 AM
to ansible...@googlegroups.com
Hi

Can you please try it this way:

[remote-nodes]
remote-node-1 ansible_host=<remote-node-1-IP> ansible_user=user ansible_ssh_common_args='-o ProxyCommand="ssh -W %h:%p -p 8022 user@<bastion-host-IP>"'
remote-node-2 ansible_host=<remote-node-2-IP> ansible_user=user ansible_ssh_common_args='-o ProxyCommand="ssh -W %h:%p -p 8022 user@<bastion-host-IP>"'


Monica
Apr 3, 2023, 9:32:02 AM
to Ansible Project

Hi Avinash,

Thank you for the update. I am still facing the issue.

Connection timed out during banner exchange", "unreachable": true

dulh...@mailbox.org
Apr 4, 2023, 5:47:43 AM
to ansible...@googlegroups.com
What I would try is:

1. create an ~/.ssh/config file as per the example I sent
2. use Ansible as if there was no jumphost involved at all

---------- Original Message ----------
From: Monica <monicaac...@gmail.com>
To: Gunnar Wagner <gunnar...@mailbox.org>
Date: 04/03/2023 6:11 PM CEST
Subject: Re: [ansible-project] Need to automate task via bastion host

hi Gunnar,

I tried this and the same didn't work out:

[remote-nodes]
remote-node-1 ansible_host=<remote-node-1-IP> ansible_user=user ansible_ssh_common_args='-o ProxyCommand="ssh -W %h:%p -p 8022 user@<bastion-host-IP>"'
remote-node-2 ansible_host=<remote-node-2-IP> ansible_user=user ansible_ssh_common_args='-o ProxyCommand="ssh -W %h:%p -p 8022 user@<bastion-host-IP>"'

On Mon, Apr 3, 2023 at 6:00 PM Gunnar Wagner <gunnar...@mailbox.org> wrote:
it is not quite clear what exactly you have tried & did not work

Monica
Apr 12, 2023, 1:30:45 AM
to Ansible Project
Hi,

Can anyone help me with this? I am still facing the issue.

Monica
Apr 16, 2023, 3:23:14 AM
to Ansible Project
Hi Vladimir Botka,

Looking for your support on this.

Vladimir Botka
Apr 16, 2023, 7:28:07 AM
to Monica, ansible...@googlegroups.com
Hi Monica,

On Sun, 16 Apr 2023 00:23:14 -0700 (PDT)
Monica <monicaac...@gmail.com> wrote:

> Hi Vladimir Botka,
> Looking for your support on this.

You said you can "connect to the remote host via bastion host
using ssh".

shell> ssh user@<remote-host IP>@<bastion-host-IP> -p 8022

Let me ask you first. Wouldn't an Ansible controller in the internal
network serve your use case better?

ext_net <-> bastion_host <-> ansible_controller <-> remote_host

You should store your projects in version control. Why don't you
clone the projects on the controller and run your playbooks from
there? This has many advantages:

* The configuration is simpler
* You can limit the external SSH access to a single host
* Playbooks in the local network run faster
* The execution of the projects doesn't depend on the throughput and
quality of the external network
* You can use *ansible-pull* on the controller to update the
projects automatically
* You can schedule the projects' updating to off-peak times

Why do you want to run Ansible via proxy?

--
Vladimir Botka