AWX credential to access jumphost used in proxycommand directive


Rod Oliver

Sep 27, 2018, 4:36:13 AM
to AWX Project
I have added an SSH config file and key to the awx_task container to authenticate against a jumphost that is referred to in an inventory file with the variable "ansible_ssh_common_args". With this I'm able to run jobs which use this inventory via the jumphost. My reading of the Tower docs is that a Tower/AWX credential cannot be used to connect to a jumphost.

Pushing the SSH config file and key manually to the awx_task container doesn't seem to be a good way of working with a jumphost. Is there an automated way of doing this, that would enable me to add/remove entries from SSH config and add/remove SSH keys from the AWX container?

Cesar Sanchez

Sep 27, 2018, 11:44:29 AM
to AWX Project
What we do is set our dynamic inventories to have the whole ProxyCommand indicating the jumphost, so for example:

[server1]
server1.domain ansible_ssh_common_args='-i <path-to-your-ssh-key> -o IdentitiesOnly=yes -o ProxyCommand="ssh -A -W %h:%p -p 22 -o User=<user> -o IdentitiesOnly=yes -i <path-to-your-key> <bastion-host-ip>"'

You can create a volume for the docker container to load your shared ssh keys, for example. 

-Cesar

cre...@groupon.com

Sep 28, 2018, 10:46:20 AM
to AWX Project
+1 we take the same approach, it works well.

Frank Dias

Oct 12, 2018, 10:08:27 PM
to AWX Project
Where do you set the variable? Can you set it in the inventory variable? Can one of you share a screenshot?

Frank Dias

Oct 13, 2018, 2:19:06 PM
to AWX Project
I have tried adding the following to the variables section of an inventory:
ansible_user: centos
ansible_connection: ssh
ansible_ssh_common_args: '-o ProxyCommand="ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -A -W %h:%p -q cen...@x.x.x.x -i /var/lib/awx/projects/keys/jump.pem"'


When I run the job it is failing:

<172.19.50.51> (255, '', 'OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017\r\ndebug1: Reading configuration data /etc/ssh/ssh_config\r\ndebug1: /etc/ssh/ssh_config line 58: Applying options for *\r\ndebug1: auto-mux: Trying existing master\r\ndebug1: Control socket "/tmp/awx_31_PZyy3K/cp/52961c7d86" does not exist\r\ndebug1: Executing proxy command: exec ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -A -W 172.19.50.51:22 -q cen...@x.x.x.x -i /var/lib/awx/projects/keys/jump.pem\r\ndebug3: timeout: 10000 ms remain after connect\r\ndebug1: permanently_set_uid: 0/0\r\ndebug1: key_load_public: No such file or directory\r\ndebug1: identity file /root/.ssh/id_rsa type -1\r\ndebug1: key_load_public: No such file or directory\r\ndebug1: identity file /root/.ssh/id_rsa-cert type -1\r\ndebug1: key_load_public: No such file or directory\r\ndebug1: identity file /root/.ssh/id_dsa type -1\r\ndebug1: key_load_public: No such file or directory\r\ndebug1: permanently_drop_suid: 0\r\ndebug…
fatal: [172.19.50.51]: UNREACHABLE! => {
"changed": false,
"msg": "Failed to connect to the host via ssh: OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017\r\ndebug1: Reading configuration data /etc/ssh/ssh_config\r\ndebug1: /etc/ssh/ssh_config line 58: Applying options for *\r\ndebug1: auto-mux: Trying existing master\r\ndebug1: Control socket \"/tmp/awx_31_PZyy3K/cp/52961c7d86\" does not exist\r\ndebug1: Executing proxy command: exec ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -A -W 172.19.50.51:22 -q cen...@x.x.x.x -i /var/lib/awx/projects/keys/jump.pem\r\ndebug3: timeout: 10000 ms remain after connect\r\ndebug1: permanently_set_uid: 0/0\r\ndebug1: key_load_public: No such file or directory\r\ndebug1: identity file /root/.ssh/id_rsa type -1\r\ndebug1: key_load_public: No such file or directory\r\ndebug1: identity file /root/.ssh/id_rsa-cert type -1\r\ndebug1: key_load_public: No such file or directory\r\ndebug1: identity file /root/.ss…

What am I doing wrong here?
/var/lib/awx/projects/keys/ is visible in the awx-tasks docker container.

Frank Dias

Oct 13, 2018, 4:10:13 PM
to AWX Project
After working on this for a few hours I now have it working.

Here is my var setting:
---
ansible_user: centos
ansible_connection: ssh
ansible_ssh_common_args: '-o ProxyCommand="ssh -o StrictHostKeyChecking=no -i /var/lib/awx/projects/keys/jump.pem -W %h:%p -q cen...@x.x.x.x"'

I had to also make changes to the jumphost sshd_config to allow forwarding.

rakesh boinapally

Dec 2, 2022, 2:23:14 PM
to AWX Project
Just curious, where did you change the sshd_config setting? I mean, is it on the target host or the AWX host itself?

Manolis Kartsonakis

Dec 5, 2022, 7:30:37 AM
to AWX Project
We have our ssh config copied in the Execution environment image so it is applying the ProxyCommand for all target hosts. Strangely, awx@jumphost ... is working without specifying or copying somewhere in the container the private key file.
So we assumed that somehow the key part is successfully loaded and used from the credential from AWX in our job templates (which is using the same username).