Re: [ansible-project] Changing ssh port with Ansible

[Michael DeHaan]

Nope (and also, do not want this), you'll have to update your
inventory file to reference the new ports.

On Mon, Nov 12, 2012 at 10:47 AM, Lee S. <lse...@gmail.com> wrote:
> I want to automate the changing of SSH ports from 22 to something else on my
> servers. I've done this by having Ansible upload a new sshd_config template
> and restart ssh. The problem is, now Ansible can no longer connect to the
> servers, unless I manually change my hosts file to reflect the new port, and
> if I do that, I can't use it to provision servers from scratch anymore.
>
> Is there a way to do this with Ansible - maybe specifying different ports to
> try in order?
>
> --
>
>

[Daniel Hokka Zakrisson]

Michael DeHaan wrote:
> Nope (and also, do not want this), you'll have to update your
> inventory file to reference the new ports.

You can do this on your own by creating an action_plugin that returns a
dict containing {'ansible_facts': {'ansible_ssh_port': int(module_args)}}
for instance.

Daniel

> On Mon, Nov 12, 2012 at 10:47 AM, Lee S. <lse...@gmail.com> wrote:
>> I want to automate the changing of SSH ports from 22 to something else
>> on my
>> servers. I've done this by having Ansible upload a new sshd_config
>> template
>> and restart ssh. The problem is, now Ansible can no longer connect to
>> the
>> servers, unless I manually change my hosts file to reflect the new port,
>> and
>> if I do that, I can't use it to provision servers from scratch anymore.
>>
>> Is there a way to do this with Ansible - maybe specifying different
>> ports to
>> try in order?
>>
>> --
>>
>>
>

> --
>
>

[Michael DeHaan]

Though why would you? Go write a plugin when you can edit a file?

-- Michael

> --
>
>

[Ahmad Khayyat]

Here are a few things that I have tried, which all failed:

1. Use the 'port' play attribute with a variable:

- hosts: all

  port: $ssh_port

The same approach works with hosts, e.g. hosts: $hosts, but not with port, which gives me:

ValueError: invalid literal for int() with base 10: '${ssh_port}'

This would have been nice, especially if it could be overridden using the --extra-vars CLI option.

2. Use the --remote-port CLI option. Found out the option was removed, although --user is available.

Like the OP, I want to set arbitrary ports for my hosts while still being able to bootstrap them when they are first deployed using the default ssh port. I want ssh tasks to still work using the new port so it can keep checking that everything is in place and sshd_config hasn't changed since initial deployment. After all, ansible's ability to bootstrap machines is one of its most attractive features. Inflexible ssh port setting is an annoyance.

Editing the inventory every time an initial deployment is done is just annoying.

I think a --port option would complement the --user option nicely and keep the playbooks intact. It should override any ports set in the inventory.

Any other solutions that do not involve editing the inventory?

[Dag Wieers]

On Tue, 20 Nov 2012, Ahmad Khayyat wrote:

> Here are a few things that I have tried, which all failed:
>
> 1. Use the 'port' play attribute with a variable:
>
> - hosts: all
> port: $ssh_port
>
> The same approach works with hosts, e.g. hosts: $hosts, but not with port,
> which gives me:
> ValueError: invalid literal for int() with base 10: '${ssh_port}'

It means the value was not templated, and because of that it was not an
integer. I'll look into creating two patches, one for templating and the
other for making sure the exception is properly handled as well.

--
-- dag wieers, d...@wieers.com, http://dag.wieers.com/
-- dagit linux solutions, in...@dagit.net, http://dagit.net/

[Any errors in spelling, tact or fact are transmission errors]

[Dag Wieers]

On Tue, 20 Nov 2012, Dag Wieers wrote:

> On Tue, 20 Nov 2012, Ahmad Khayyat wrote:
>
>> Here are a few things that I have tried, which all failed:
>>
>> 1. Use the 'port' play attribute with a variable:
>>
>> - hosts: all
>> port: $ssh_port
>>
>> The same approach works with hosts, e.g. hosts: $hosts, but not with port,
>> which gives me:
>> ValueError: invalid literal for int() with base 10: '${ssh_port}'
>
> It means the value was not templated, and because of that it was not an
> integer. I'll look into creating two patches, one for templating and the
> other for making sure the exception is properly handled as well.

Pull-requests:

- #1649 (https://github.com/ansible/ansible/pull/1649)
- #1650 (https://github.com/ansible/ansible/pull/1650)

Kind regards,

[Ahmad Khayyat]

On Tue, Nov 20, 2012 at 1:27 PM, Dag Wieers <d...@wieers.com> wrote:

 

Pull-requests:

 - #1649 (https://github.com/ansible/ansible/pull/1649)
 - #1650 (https://github.com/ansible/ansible/pull/1650)

Thanks Dag.
Will check it out.

[Ahmad Khayyat]

On Tuesday, November 20, 2012 1:27:38 PM UTC-5, Dag Wieers wrote:

 

I tried a fresh checkout which includes this patch:

  - #1649 (https://github.com/ansible/ansible/pull/1649)  

(Allow the remote port to be templated per play)

I still get the message:

site-packages/ansible/runner/__init__.py", line 384, in _executor_internal_inner

    actual_port = int(actual_port)

[Dag Wieers]

Right, at this point only variables defined in the playbook are taken into
account. I made a new patch moving the templating down to the runner.

https://github.com/ansible/ansible/pull/1651

And this time I tested it with host variables, not just playbook
variables.

Thanks for the feedback,

[Dag Wieers]

On Wed, 21 Nov 2012, Dag Wieers wrote:

> On Wed, 21 Nov 2012, Ahmad Khayyat wrote:
>
>> I still get the message:
>>
>> site-packages/ansible/runner/__init__.py", line 384, in
>> _executor_internal_inner
>> actual_port = int(actual_port)
>> ValueError: invalid literal for int() with base 10: '${ssh_port}'
>
> Right, at this point only variables defined in the playbook are taken into
> account. I made a new patch moving the templating down to the runner.
>
> https://github.com/ansible/ansible/pull/1651
>
> And this time I tested it with host variables, not just playbook variables.

Ok, the official word is that using #1649 you can now do -e 'ssh_port=22',
or you can use ansible_ssh_port variable. The change in #1651 will not be
merged. (Plenty of options, no need to create another one)

[Ahmad Khayyat]

Thanks Dag..

I commented on the pull request, explaining my use case. Here it is again for people following this thread:

The use case that I still cannot implement with current options is: by default use a non-standard ssh port, but allow resetting it back to port 22 from the command line.

Can I do this without this patch?

I was hoping I can use every host's or group's ssh_port as set in their host_vars or group_vars, then override them from the command line using -e ssh_port=22.

[Ahmad Khayyat]

For future reference, I'd just like to point it that there is a way around this now.

You can set your default ports in the inventory, and override them from the command line using the --extra-vars option:
ansible-playbook [...] -e ansible_ssh_port=22

This used not to affect GATHERING FACTS (which may appear as though it did not affect anything since the failure would abort execution), but not it does, thanks to daniel_hozac.

[Ahmad Khayyat]

Thanks Dag..

I commented on the pull request, explaining my use case. Here it is again for people following this thread:

The use case that I still cannot implement with current options is: by default use a non-standard ssh port, but allow resetting it back to port 22 from the command line.

Can I do this without this patch?

I was hoping I can use every host's or group's ssh_port as set in their host_vars or group_vars, then override them from the command line using -e ssh_port=22.

[Michael DeHaan]

FYI -- It's ansible_ssh_port, not ssh_port

> --
>
>

[Ahmad Khayyat]

On Fri, Nov 23, 2012 at 10:51 AM, Michael DeHaan <michael...@gmail.com> wrote:

FYI -- It's ansible_ssh_port, not ssh_port

Well, ssh_port is defined in my group_vars, and I was trying to use it, but 'port: $ssh_port' in the playbook doesn't work.

I now do not have 'port:' in the playbook. Instead, I set my non-standard default port in the inventory and override it using -e ansible_ssh_port, which used not to work (GATHERING FACTS ignored it) but now it does work.

[Michael DeHaan]

Banana_tree_firetruck as a variable also does not work.  

-- Michael

--
 
 

[Ahmad Khayyat]

On Fri, Nov 23, 2012 at 1:26 PM, Michael DeHaan <michael...@gmail.com> wrote:

Banana_tree_firetruck as a variable also does not work.  

It's ansible_ssh_port, not Banana_tree_firetruck.

What are you getting at?

[Michael DeHaan]

You left off the ansible_ which matters

-- Michael

--
 
 

[Ahmad Khayyat]

On Fri, Nov 23, 2012 at 2:38 PM, Michael DeHaan <michael...@gmail.com> wrote:

You left off the ansible_ which matters

I left it off initially because I was trying to use my own variable, ssh_port, which I define in the group_vars file tree, and use in the sshd_config template. I was hoping I could reuse the same variable to specify the ssh connection port.

I am not trying to do that anymore, and am satisfied with ansible_ssh_port, although my attempts uncovered an issue with ansible_ssh_port, where it is not used for the GATHERING FACTS task, which happens to be the first task, so when it fails, execution aborts, and it *looks* like ansible_ssh_port is not being recognized at all. With that issue fixed (ansible_ssh_port is used for GATHERING FACTS now), ansible_ssh_port does what I want, and ssh_port (my own variable) is only used for templating.

I also realize now that using the same template variable for connections will not work: if a remote machine is initially using a different port, trying to change it by setting my template variable to a different port will cause the connection to fail (if it uses the same variable to connect).

I hope I clarified things. Again, I was not expecting ssh_port to do what ansible_ssh_port does. I was trying to over-use my own variable for things it shouldn't be doing.

[Lee S.]

I've found I can't override ansible_ssh_port at all.  My hosts file defines ansible_ssh_port at the top, set to my custom port.

I've tried overriding it to set it 22 for new hosts on the new host's line in the hosts file, and also on the command line using -e ansible_ssh_port=22, and neither of these changes seem to have an effect.  It always connects to the ansible_ssh_port defined at the top of the hosts file.

[Michael DeHaan]

It depends on what version you are using where the extra_vars priority is.

However, the only intent of this variable is set in the inventory
file, you shouldn't need or want to override it elsewhere.

> --
>
>

[Ahmad Khayyat]

On Thu, Nov 29, 2012 at 3:41 PM, Lee S. <lse...@gmail.com> wrote:

I've found I can't override ansible_ssh_port at all.  My hosts file defines ansible_ssh_port at the top, set to my custom port.

Here is how it is working for me, using a recent ansible checkout:

I set every host's default ssh port in the inventory on the host line as follows:

server1:2222 

Then, I override it on the command line using '-e ansible_ssh_port=22'