AWX through bastion/jump hosts


Simon Weald

Oct 2, 2017, 7:11:13 PM
to AWX Project

I'm looking to manage some nodes which are in a separate subnet behind a jump host. Previously I set up a few SSH config options for my Ansible user and then configured the jump host to respect these (keys, user, ports etc) - doing the same with AWX seems a little out of my reach at the moment. On the IRC channel it was suggested that I could do the same in /var/lib/awx in the awx_task container, so I did this, but to no avail.

I can see AWX attempting to connect in auth.log on the jump host:

Connection closed by 78.x.x.x port 33062 [preauth]

And the full output from AWX is here (suitably sanitised):

https://gist.github.com/analbeard/a950f1e577468a28c02eeb4dbd27338f

Obviously manually adding config files to a container isn't a maintainable way of doing this in future, but I'd like to get it working so I can experiment more. Can anyone suggest where I might be going wrong?

Matthew Jones

Oct 2, 2017, 8:19:47 PM
to Simon Weald, AWX Project
In this case it looks like I might have given you some incorrect information. Currently in the standalone docker container we run as the root user. I'm going to be changing this in the near future to execute as the awx user (which is our intention)... so for the moment it looks like root is who you'll need to be. Can you try putting that configuration under that user instead? We'll see if we can come up with a more tenable solution in the future.

--
You received this message because you are subscribed to the Google Groups "AWX Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to awx-project+unsubscribe@googlegroups.com.
To post to this group, send email to awx-p...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/awx-project/4eabcc40-834f-4116-b2e1-70123ad7b354%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--
Matt Jones
Principal Software Engineer
Ansible Tower

Simon Weald

Oct 3, 2017, 5:00:00 AM
to AWX Project
Not a problem Matt, all input/help is much appreciated!

I have now got this working with your revised advice above - would you like me to open an issue?

Thanks!




Matthew Jones

Oct 3, 2017, 7:47:59 AM
to Simon Weald, AWX Project
I know it's weird and probably doesn't seem like it, but this will be the issue where this gets fixed: https://github.com/ansible/awx/issues/89
