wait_for, ssh config, & SOCKs


fort...@gmail.com, Jun 2, 2015, 11:21:19 PM, to ansible...@googlegroups.com
Hi,

I am trying to figure out how to use wait_for to start to detect ssh on a VPC host that needs to use 2 tunnels to be reached.  I cannot use the IP address as it collides with my local network.  DNS also doesn't work but my tunnels work fine.  I'm using SOCKS because I use a browser to access the VPC too.

Here is my setup in pictograph:

Dev -> bastion.Prod -> Bastion.AWS -> VPC/internal

There is ONLY ssh available via Dev & bastion.Prod, hence SOCKS tunnel1 for the rest of *.example.com hosts.  Bastion.AWS can only be reached via Prod via SSH, hence a 2nd SOCKS tunnel.  Bastion.AWS can only reach VPC via ssh.  10.0.0.0/24 is the bastion subnet. 10.0.1.0/24 is the internal subnet.  I'm launching instances into VPC/10.0.1.0

I use Host namespaces in .ssh/config (which are generally NOT dns resolvable from Dev) to decide the tunnel to use.
 
I can only reach bastion.example.com directly and by its resolvable dns name - the only dns resolvable name.

My tunnel works as follows:

Host *.example.com
    ProxyCommand nc -x localhost:1080 %h %p
Host ec2
    ServerAliveInterval 50
    DynamicForward localhost:1090
    User ec2-user
    ProxyCommand nc -x localhost:1080 54.165.xx.yy 22

Host ip-10-0-1-*.ec2.internal
    ProxyCommand nc -x localhost:1090 %h %p
    User ubuntu
    IdentityFile /home/me/.ssh/soc-proto-internal.pem
# bastion
Host ip-10-0-0-*.ec2.internal
    ProxyCommand nc -x localhost:1090 %h %p
    User ec2-user
    IdentityFile /home/fortescu/.ssh/soc-proto-useast1.pem

tunnel1:

dev # ssh -vvv -D 1080 -N -q  m...@bastion.example.com
OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011

tunnel2:

dev # ssh ec2
Amazon Linux version 2015.03 is available.
[ec2-user@ip-10-0-0-188 ~]$

Now, from Dev the following works fine:

dev # ssh ip-10.0.1.32
Last login: Tue Jun  2 19:15:07 2015 from ip-10-0-0-188.ec2.internal
ubuntu@ip-10-0-1-32:~$


So how can I get this to work with wait_for?!  The 'private_dns_name' emits and is in the tmp wait_for python script so it's got the right form.  I can even grab that same address while waiting on wait_for and ssh into it!
Here's the relevant ansible play:


    - name: Launch Opscenter instances
      ec2:
        key_name: "{{ key_name }}"
        group_id: "{{ security_group }}"
        instance_type: "{{ instance_type }}"
        image: "{{ image }}"
        wait: true
        region: "{{ region }}"
        vpc_subnet_id: "{{ subnet_id }}"
        assign_public_ip: no
        ebs_optimized: no
        instance_tags:
          Name: "cassandra_opscenter"
          dbtype: cassandra
      register: ec2

    - name: Logging
      debug: msg="{{ item }}"
      with_items: ec2.instances

    - name: Add new instance to host group
      add_host: hostname={{ item['private_dns_name'] }} ansible_ssh_host={{ item['private_dns_name'] }} groups=launched,opscenter_nodes
      with_items: ec2.instances

    - name: Wait for SSH to come up
      local_action: wait_for port=22 host="{{ item['private_dns_name'] }}" search_regex=OpenSSH delay=10
      with_items: ec2.instances

I know I must be missing something obvious but it seems like wait_for is stubbornly trying to use DNS (which will fail) instead of .ssh/config.

Am I chasing a unicorn here?  Can this be made to work?

Any and all advice deeply appreciated.

Chris

benno joy, Jun 3, 2015, 12:51:08 AM, to ansible...@googlegroups.com
Hi Chris,

wait_for doesn't use ssh/config files; it uses a tcp connection to test if port 22 is open for connection and hence tries to look up the ip via dns. Maybe you could try the below to test if ssh has come up or not.

    - name: Wait for SSH to come up
      local_action: shell ssh "{{ item['private_dns_name'] }}" echo hello
      register: foo
      retries: 5
      delay: 5
      until: foo.stdout.find('hello') != -1
      # loop over the registered instances, as in the original play
      with_items: ec2.instances




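The readiness probe Benno's reply describes, written out as an added example in the shell the tunnel setup in the first post is typed into (this is not code from the thread). The point it demonstrates: going through the ssh client means the Host stanzas and ProxyCommand chain in ~/.ssh/config apply, whereas wait_for does a DNS lookup followed by a raw TCP connect and never sees that config. The function names probe_ssh and wait_for_ssh, the retry counts and the host name in the usage line are assumptions.

```shell
# Added example, not from the thread. Wait for SSH on a host that is only
# reachable through the ProxyCommand chain in ~/.ssh/config. The ssh client
# honours Host stanzas, so this probe succeeds exactly when a real login would.

# probe_ssh HOST: one attempt. BatchMode=yes prevents a hang on a password or
# passphrase prompt; ConnectTimeout bounds the time spent inside the proxy chain.
# Host-key policy (StrictHostKeyChecking, UserKnownHostsFile) is deliberately
# left to ssh config rather than disabled here.
probe_ssh() {
    ssh -o BatchMode=yes -o ConnectTimeout=5 "$1" echo hello 2>/dev/null
}

# wait_for_ssh HOST [RETRIES] [DELAY]: retry probe_ssh until its output contains
# "hello" (the same check as the until: expression in the reply).
# Returns 0 once the host answers, 1 when the retries are exhausted.
wait_for_ssh() {
    host=$1
    retries=${2:-5}
    delay=${3:-5}
    attempt=1
    while [ "$attempt" -le "$retries" ]; do
        out=$(probe_ssh "$host") || true
        case "$out" in
            *hello*)
                echo "ssh ready on $host after $attempt attempt(s)" >&2
                return 0
                ;;
        esac
        echo "attempt $attempt/$retries: no ssh on $host yet" >&2
        attempt=$((attempt + 1))
        if [ "$attempt" -le "$retries" ]; then
            sleep "$delay"
        fi
    done
    echo "giving up on $host after $retries attempts" >&2
    return 1
}

# Usage (hypothetical host name, in the form the add_host task produces):
# wait_for_ssh ip-10-0-1-32.ec2.internal 12 10
```

One caveat worth knowing before wiring this into a play: with BatchMode=yes, an unknown host key makes the probe fail rather than prompt, so a freshly launched instance needs a host-key policy in the matching Host stanza (for example a per-environment UserKnownHostsFile seeded from the instance console output) or the loop will run out of retries without ever succeeding. Turning StrictHostKeyChecking off to get past this removes the only check that the tunnel endpoint is the instance you launched.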

fort...@gmail.com, Jun 5, 2015, 2:32:31 AM, to ansible...@googlegroups.com
Hi Benno,

Et voila!  That worked great.  

A deep bow.

Chris