Ansible Doesn't Use SSH Config File specified by ssh_args?


Slim Slam

May 22, 2014, 6:12:00 PM
to ansible...@googlegroups.com
Ansible 1.6.1 

I'm trying to set things up so that I can specify a bastion host as a gateway to my other machines.

I'd like Ansible to use an SSH config file that I keep in git.

So, I have a file named "sshconfig" with:

Host *
     ServerAliveInterval    60
     TCPKeepAlive           yes
     ProxyCommand           ssh 55.232.102.151 'nc %h %p'
     ControlMaster          auto


Where 55.232.102.151 is the bastion IP address.


My ansible.cfg file looks like:


[defaults]
transport = ssh
ssh_args = -F sshconfig -o ControlPersist=15m


If I run "ssh -F sshconfig m...@44.55.66.77" it uses the bastion server as expected.

But Ansible doesn't ever seem to use my "sshconfig" file (I don't see anything about it in the verbose output, nor the bastion IP address).


Does ssh_args actually permit "-F sshconfig" or does it only allow "-o param=something" options?


J


Michael DeHaan

May 23, 2014, 8:31:58 AM
to ansible...@googlegroups.com
Ansible will use your SSH config when using the ssh (not paramiko) transport, perhaps it's not finding it for some reason.

paramiko would be the default if you were running from RHEL/CentOS 6 or before, where OpenSSH is not new enough to support ControlMaster, and paramiko is therefore still faster. (review for everyone: accelerate mode is the performance option there, since pipelining is OpenSSH only).

Let's start with what OS you are running from as that may highlight that transport question. If not, we can ask other questions.




Slim Slam

May 23, 2014, 9:00:28 AM
to ansible...@googlegroups.com
I'm running ansible 1.6.1 on MacOSX 10.9.3. The target systems are CentOS 6.

J

Michael DeHaan

May 23, 2014, 11:09:32 AM
to ansible...@googlegroups.com
Hmm.

So that's definitely OpenSSH by default.

Commands to ssh config are arbitrary and are handled here:


Can you try specifying a full path to your SSH config file?  Might be a case of relative path.




Slim Slam

May 23, 2014, 11:39:52 AM
to ansible...@googlegroups.com
That didn't make a difference. 
I know that ansible is using that ansible.cfg file because I can put a "remote_user = xxx" line
at the end of it and ansible uses that. 

It would be helpful if someone could simply add "ssh_args= -F sshconfig" to an ansible.cfg
file and show some output that proves that Ansible is using it.

J

Slim Slam

May 23, 2014, 12:30:59 PM
to ansible...@googlegroups.com
FWIW, I got this idea from you :-) - reference: https://groups.google.com/d/msg/ansible-project/AOt-5fgBzho/hEDnnOrJkC8J
However, I've never seen an implementation of it or a working example that's been tested. I think someone posted an
example where they had "-F ~/.ssh/config" but since that's the default ssh config file (ssh will use ~/.ssh/config whether or not
you specify it with the -F flag) it doesn't really test whether it's working or not. :-)

J

James Cammarata

May 23, 2014, 4:04:33 PM
to ansible...@googlegroups.com
I think what Michael meant was to specify the full path to the sshconfig file, i.e. "-F /path/to/mysshconfig" instead of a relative path.


Slim Slam

May 23, 2014, 5:53:19 PM
to ansible...@googlegroups.com
Yes. I tried that. No difference. As I mentioned, it's clear that Ansible is using my ansible.cfg file. For example, if I set the remote_user in my ansible.cfg to:

[defaults]
transport=ssh
ssh_args= -F /work/sshconfig
remote_user=dummyuser


Then everything fails because Ansible tries to use "dummyuser" to connect. 


I'm still wondering if anyone has ever successfully used ssh_args with anything besides "-o param=value" directives.

What is ansible doing, for example, if you put "-v" or "-f" in ssh_args? They seem to have no effect.

J

Matt Martz

May 23, 2014, 6:10:32 PM
to Slim Slam, ansible...@googlegroups.com
ssh_args does not go under the [defaults] section.  It belongs under a section titled [ssh_connection]
-- 
Matt Martz
ma...@sivel.net
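
A small lint for the misplacement identified above, run over the config as first posted and the corrected layout. This is an added example, not code from the thread or from Ansible; the key list beyond ssh_args and the function name are assumptions made for illustration.

```python
import configparser
import os
import shlex

# Options expected under [ssh_connection]; ssh_args is the one from this
# thread, the other names are assumed here for illustration.
SSH_CONNECTION_KEYS = {"ssh_args", "control_path", "pipelining", "scp_if_ssh"}

# Sample inputs: the config as posted in the thread, and a corrected layout
# (constructed) using the absolute path mentioned later in the thread.
AS_POSTED = """\
[defaults]
transport = ssh
ssh_args = -F sshconfig -o ControlPersist=15m
"""
CORRECTED = """\
[defaults]
transport = ssh

[ssh_connection]
ssh_args = -F /work/sshconfig -o ControlPersist=15m
"""


def lint_ansible_cfg(text):
    """Return warnings about SSH connection options in an ansible.cfg body."""
    cfg = configparser.ConfigParser(interpolation=None)  # values may contain %
    cfg.read_string(text)
    warnings = []
    for section in cfg.sections():
        if section == "ssh_connection":
            continue
        for key in cfg[section]:
            if key in SSH_CONNECTION_KEYS:
                warnings.append(
                    f"[{section}] {key} is not read from this section; "
                    "move it under [ssh_connection]")
    tokens = shlex.split(cfg.get("ssh_connection", "ssh_args", fallback=""))
    for flag, value in zip(tokens, tokens[1:]):
        if flag == "-F" and not os.path.isabs(os.path.expanduser(value)):
            warnings.append(
                f"-F {value} is a relative path; ssh resolves it against "
                "its working directory")
    return warnings


if __name__ == "__main__":
    for name, body in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(name, "->", lint_ansible_cfg(body) or "ok")
```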

Slim Slam

May 24, 2014, 8:04:58 AM
to ansible...@googlegroups.com, Slim Slam
Thanks. That got things working. It would be nice if Ansible did some basic syntax checking on the cfg file. :-)

So if you have multiple bastion files, but no specific domain name you can wildcard off of (e.g. "Host *.mydomain.com", "Host *.anotherdom.com", etc), what is the Ansible best practice for handling multiple clusters with a bastion server for each 

J

Michael DeHaan

May 25, 2014, 4:54:15 PM
to ansible...@googlegroups.com, Slim Slam
"Ansible best practice for handling multiple clusters with a bastion server for each 
cluster?"

Per host settings in your SSH config file.


Slim Slam

May 25, 2014, 8:49:17 PM
to ansible...@googlegroups.com, Slim Slam
So, if a lot of your machines have IP addresses (or very different domain names) then you'd have
to create an ssh config file entry for each individual IP address, right?  Because there'd be no way
to use wildcards.  Am I missing something here?

Example:

Host 33.44.55.66
     ServerAliveInterval    60
     TCPKeepAlive           yes
     ProxyCommand           ssh 55.232.102.151 'nc %h %p'
     ControlMaster          auto

Host 22.33.44.55
     ServerAliveInterval    60
     TCPKeepAlive           yes
     ProxyCommand           ssh 55.232.102.151 'nc %h %p'
     ControlMaster          auto

...and so on.....

J

Brian Coca

May 25, 2014, 10:06:12 PM
to ansible...@googlegroups.com
If using the ssh connection plugin, it supports whatever ssh does, so wildcards should work.

Slim Slam

May 25, 2014, 11:51:24 PM
to ansible...@googlegroups.com, Slim Slam
To clarify further -- I know that I can use wildcards in the ssh config file like:

Host 128.220.19.*

But what if I have a lot of different IP addresses or host names?  Then I'd have to simply have a separate entry in my ssh config
file for each one?

J

Michael DeHaan

May 27, 2014, 4:09:43 PM
to ansible...@googlegroups.com, Slim Slam
"Then I'd have to simply have a separate entry in my ssh config
file for each one?"

Yes, because you just said you couldn't use wildcards :)

+1 to having private hostnames or conventions to make that easier.
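
For the multi-bastion case discussed above, the per-host entries can be generated from a bastion-to-hosts map instead of maintained by hand. This is an added example, not from the thread; it relies on the ssh_config Host keyword accepting several whitespace-separated patterns, and the second bastion, its hosts and all function names are constructed.

```python
import re

# Constructed map of bastion -> hosts behind it. The first bastion and its
# two hosts are the addresses quoted in the thread; the second entry is made up.
CLUSTERS = {
    "55.232.102.151": ["33.44.55.66", "22.33.44.55"],
    "198.51.100.10": ["db1.example.net", "10.20.*"],
}

# Allow only hostname/pattern characters so a value cannot smuggle in
# whitespace, quotes or newlines that would add directives or shell syntax.
SAFE = re.compile(r"[A-Za-z0-9.*?:_-]+")

OPTIONS = """\
     ServerAliveInterval    60
     TCPKeepAlive           yes
     ProxyCommand           ssh {bastion} 'nc %h %p'
     ControlMaster          auto
"""


def render_ssh_config(clusters):
    """Render one Host block per bastion, listing every host behind it."""
    owner = {}
    blocks = []
    for bastion, hosts in clusters.items():
        if not SAFE.fullmatch(bastion) or "*" in bastion or "?" in bastion:
            raise ValueError(f"unsafe bastion address: {bastion!r}")
        for host in hosts:
            if not SAFE.fullmatch(host):
                raise ValueError(f"unsafe host pattern: {host!r}")
            # ssh keeps the first value it finds for an option, so a host
            # listed under two bastions would silently use the earlier one.
            if host in owner:
                raise ValueError(f"{host} is listed under {owner[host]} and {bastion}")
            owner[host] = bastion
        blocks.append(f"Host {' '.join(hosts)}\n" + OPTIONS.format(bastion=bastion))
    return "\n".join(blocks)


if __name__ == "__main__":
    print(render_ssh_config(CLUSTERS))
```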




