How/where to configure SSH ProxyJump (bastion host) in AWX >= 18.0.0?


Jan-Piet Mens

Mar 29, 2021, 9:34:07 AM3/29/21
to AWX Project
Up until version 15.0.1 it was sufficient to install a config file with a required SSH identity file in /root/.ssh/ on the awx-task machine.

This no longer works.

I've spent an inordinate time [1] trying to get this working for the root and awx users, and even tried runner on awx-ee, but as far as I can tell, neither ansible(1) nor ansible-playbook(1) is invoking ssh(1) in such a way that the configuration is used.

I've also noticed that ansible isn't using a pre-configured ansible.cfg file (into which I could place an [ssh_configuration] section). If I create a file it's used, but as I don't know how the runner EE is created I'm almost completely lost.

Can somebody help me, please?

  -JP

Stefan Coussens

Mar 30, 2021, 3:22:48 AM3/30/21
to Jan-Piet Mens, AWX Project
Hi,

I've spent the last month learning the K-word for the awx 18 release and I am planning to do the following approach:

Problem: The proxyjump ssh config asks for a fingerprint/host verification when connecting. In previous versions you could log in to the container and acknowledge the prompt, or change the ssh configuration so that it disables host checking (not recommended).

Possible solution:

Create a custom Execution Environment

In the execution-environment.yml you can add additional_build_steps where you insert your ssh config / keys ...

Problem is that it is built into the image, so best not publish it to public registries.

I haven't tested it yet but it should work.

Personally I hope project receptor is integrated fast, since this would make this obsolete.

kind regards,


David Safanyuk

Mar 31, 2021, 10:14:04 AM3/31/21
to AWX Project
We've used the `ANSIBLE_SSH_ARGS` parameter in the settings/jobs page successfully:
`"ANSIBLE_SSH_ARGS": "-C -o ServerAliveInterval=300 -o ControlMaster=auto -o ControlPersist=60s -o 'ProxyCommand ssh -qx user@jumphost -W %h:%p -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null'"`

Jan-Piet Mens

Mar 31, 2021, 10:20:42 AM3/31/21
to AWX Project
That doesn't account for the needed IdentityFile to connect to the jump host. :)

  -JP
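Added example (my own code, not from any poster in this thread): a small Python lint for an ANSIBLE_SSH_ARGS value. Run on the string David posted above, it flags the two options that disable host-key verification on the jump hop and the missing identity for the bastion that Jan-Piet points out, because an outer `-i` never reaches the separate ssh process a ProxyCommand spawns. The hardened variant's paths `/path/to/bastion_key` and `/path/to/bastion_known_hosts` are placeholders, not paths from the thread.

```python
"""Lint an ANSIBLE_SSH_ARGS value for a bastion (ProxyCommand) hop: host-key
verification must stay on, and the inner ssh needs its own identity file."""
import re
import shlex

# Option settings that disable host-key verification entirely.
WEAK_OPTS = {("stricthostkeychecking", "no"), ("userknownhostsfile", "/dev/null")}
# ssh accepts both "Key=value" and "Key value" inside a single -o argument.
_OPT_RE = re.compile(r"\s*([A-Za-z]+)\s*[=\s]\s*(.*)$")

# The string from this thread, and a hardened variant (paths are placeholders).
WEAK_ARGS = ("-C -o ServerAliveInterval=300 -o ControlMaster=auto -o ControlPersist=60s "
             "-o 'ProxyCommand ssh -qx user@jumphost -W %h:%p "
             "-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null'")
HARDENED_ARGS = ("-C -o ServerAliveInterval=300 -o ControlMaster=auto -o ControlPersist=60s "
                 "-o 'ProxyCommand ssh -qx -i /path/to/bastion_key "
                 "-o UserKnownHostsFile=/path/to/bastion_known_hosts "
                 "-o StrictHostKeyChecking=yes -W %h:%p user@jumphost'")

def parse_ssh_opts(argstr):
    """Return ([(key, value), ...] from -o options, [identity files from -i])."""
    toks = shlex.split(argstr)
    opts, idents = [], []
    i = 0
    while i < len(toks):
        if toks[i] == "-o" and i + 1 < len(toks):
            m = _OPT_RE.match(toks[i + 1])
            if m:
                opts.append((m.group(1), m.group(2).strip()))
            i += 2
        elif toks[i] == "-i" and i + 1 < len(toks):
            idents.append(toks[i + 1])
            i += 2
        else:
            i += 1
    return opts, idents

def lint_ssh_args(argstr, hop="target"):
    """Return findings; a ProxyCommand that is itself ssh is linted as the jump hop."""
    opts, idents = parse_ssh_opts(argstr)
    findings = []
    # The outer -i is not inherited: the ProxyCommand ssh is a separate process.
    if hop == "jump" and not idents and not any(k.lower() == "identityfile" for k, _ in opts):
        findings.append("jump: no -i/IdentityFile for the bastion hop")
    for key, val in opts:
        if (key.lower(), val.lower()) in WEAK_OPTS:
            findings.append(f"{hop}: {key}={val} disables host-key verification")
        elif key.lower() == "proxycommand" and shlex.split(val)[:1] == ["ssh"]:
            findings.extend(lint_ssh_args(val, hop="jump"))
    return findings
```

`lint_ssh_args(WEAK_ARGS)` returns three findings and `lint_ssh_args(HARDENED_ARGS)` returns none.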

Klaas Demter

Mar 31, 2021, 10:29:37 AM3/31/21
to awx-p...@googlegroups.com

Isn't this whole idea of using bastion hosts covered by https://docs.ansible.com/ansible-tower/latest/html/administration/external_execution_envs.html#isolated-instance-groups ?

"Tower has the ability to optionally define isolated groups inside security-restricted networking zones from which to run jobs and ad hoc commands. Instances in these groups will not have a full installation of Tower, but will have a minimal set of utilities used to run jobs."


https://www.insentragroup.com/gb/insights/geek-speak/cloud-and-modern-data-center/ansible-awx-with-isolated-nodes/ was the first hit on google for awx :)


Greetings

Klaas

Jan-Piet Mens

Mar 31, 2021, 11:10:28 AM3/31/21
to AWX Project
> It has been tested in several environments with AWX 14.1.

You probably missed the version number in the subject; just about EVERYTHING I knew about tower/awx has changed.

Stefan Coussens

Mar 31, 2021, 11:39:06 AM3/31/21
to Jan-Piet Mens, AWX Project
Don't know if this would help, but I have had a similar issue with ansible for windows hosts with certificates. AWX has no way to use or configure this. So I made this very hacky thing.

I encrypt my certificate with ansible vault and put it in my project folder (git based).
In the first task I run, I copy the file from the project to the container with the copy module.

- name: Get certificate
  hosts: all
  gather_facts: no
  become: true
  become_method: sudo
  vars:
    # Decrypted key and public cert are written to the container root
    ansible_winrm_cert_key_pem: /key.pem
    ansible_winrm_cert_pem: /pub.pem
    ansible_winrm_transport: certificate

  tasks:
    # The vault-encrypted key lives in the project (git); copy decrypts it
    # onto the execution node before any WinRM connection is attempted
    - name: Decrypt certificate key
      local_action:
        module: ansible.builtin.copy
        src: certificates/key_encrypted.pem
        dest: /key.pem
        decrypt: yes
      run_once: True
      connection: local
      changed_when: False

    # do the tasks you want
    - name: Gather facts
      setup:
      connection: winrm

In theory this could also work for ssh identity files. It's pretty fugly and you need to adapt playbooks, but it kinda works.

kind regards,

