jump through two bastion hosts?

Eric Hymowitz

Feb 19, 2020, 3:06:22 PM
to Ansible Project
So I've got a host that I need to jump through two bastion hosts to get to:

Ansible ----->  bastion_1 -----> bastion_2 -----> target

I can use ansible to get to bastion_2 by setting up a hostvar:

ansible_ssh_common_args: -o "ProxyCommand=ssh -q -W %h:%p {{local_user_account}}@bastion_1"

...and that works correctly.

I tried setting up a similar hostvar for target:

ansible_ssh_common_args: -o "ProxyCommand=ssh -q -W %h:%p {{local_user_account}}@bastion_2"

...but that doesn't work, because ansible is trying to ssh directly to bastion_2 and not caring about the hostvar set up to access bastion_2.

I have a workaround.  I can set up an entry in my ~/.ssh/config file

Host bastion_2
       ProxyCommand ssh -q -W %h:%p bastion_1

... and then ansible works, because ansible tells ssh to go through bastion_2, and ssh figures its own way there.

But is there a way to do this just within ansible, without using .ssh/config ?

--EbH

PS -- my ssh is too old for the -J / ProxyJump option, which I think would solve my problem.

Kai Stian Olstad

Feb 21, 2020, 6:32:10 PM
to 'Eric Hymowitz' via Ansible Project
On Wed, Feb 19, 2020 at 12:06:21PM -0800, 'Eric Hymowitz' via Ansible Project wrote:
> So I've got a host that I need to jump through two bastion hosts to get to:
>
> Ansible -----> bastion_1 -----> bastion_2 -----> target
>
> I can use ansible to get to bastion_2 by setting up a hostvar:
>
> ansible_ssh_common_args: -o "ProxyCommand=ssh -q -W %h:%p
> {{local_user_account}}@bastion_1"
>
> ...and that works correctly.
>
> I tried setting up a similar hostvar for target:
>
> ansible_ssh_common_args: -o "ProxyCommand=ssh -q -W %h:%p
> {{local_user_account}}@bastion_2"
>
> ...but that doesn't work, because ansible is trying to ssh directly to
> bastion_2 and not caring about the hostvar set up to access bastion_2.

There is nothing stopping you from adding -o ProxyCommand in the ssh inside
the ProxyCommand.

So something like this might work

ansible_ssh_common_args: -o "ProxyCommand=ssh -o 'ProxyCommand=ssh -q -W %h:%p user@bastion_1' -q -W %h:%p user@bastion_2"

You may need to play around with the single and double quotes and escaping some of them.


--
Kai Stian Olstad
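
Added example, not part of either post: a Python sketch that builds the nested `ansible_ssh_common_args` value discussed in this thread for any number of bastions, then checks which host each hop forwards to. ssh expands `%h` and `%p` across the whole ProxyCommand string, so tokens meant for an inner ssh are written `%%h:%%p`, doubled once per nesting level. The function names, the `user@` accounts and the `trace` simulation (which uses one port for every hop) are assumptions made for illustration.

```python
import re
import shlex


def proxy_command(bastions):
    """ProxyCommand string for a chain of bastions, nearest first."""
    cmd = ""
    for hop in bastions:
        inner = ""
        if cmd:
            # The enclosing ssh expands % tokens in the whole string, so the
            # already-built inner command gets every '%' doubled and is then
            # shell-quoted as a single -o argument.
            inner = "-o " + shlex.quote("ProxyCommand=" + cmd.replace("%", "%%")) + " "
        cmd = f"ssh {inner}-q -W %h:%p {shlex.quote(hop)}"
    return cmd


def ansible_ssh_common_args(bastions):
    """Value for the ansible_ssh_common_args hostvar of the final target."""
    return "-o " + shlex.quote("ProxyCommand=" + proxy_command(bastions))


def expand(template, host, port):
    """Simplified model of ssh token expansion: only %%, %h and %p."""
    table = {"%": "%", "h": host, "p": str(port)}
    return re.sub(r"%([%hp])", lambda m: table[m.group(1)], template)


def trace(ssh_args, host, port=22):
    """Simulate each ssh in the chain; return (login, forward_target) pairs."""
    hops = []
    argv = shlex.split(ssh_args)
    while True:
        proxy = next((a[len("ProxyCommand="):] for a in argv
                      if a.startswith("ProxyCommand=")), None)
        if proxy is None:
            return hops
        # ssh expands the tokens, then the shell splits the command line.
        argv = shlex.split(expand(proxy, host, port))
        via = argv[-1]
        hops.append((via, argv[argv.index("-W") + 1]))
        host = via.split("@")[-1]


if __name__ == "__main__":
    # Constructed sample chain matching the thread's host names.
    args = ansible_ssh_common_args(["user@bastion_1", "user@bastion_2"])
    print("ansible_ssh_common_args:", args)
    for via, forward in trace(args, "target"):
        print(f"  ssh {via} forwards to {forward}")
```

When pasting the printed value into a YAML inventory, use a block scalar (`>-`) or quote it so the embedded single and double quotes survive YAML parsing.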