Ansible cascade

Hi,

I'm pretty new with Ansible and I apologize if my question has a very easy answer.

In my environment I have a KVM host (vdicnode01) where I run a CentOS 7 guest (vdicguest01) behind a KVM NAT network. From my laptop (vdicmanager01) I want to execute an Ansible playbook in order to execute commands in my guest (vdicguest01), which is not directly accessible from my machine (vdicmanager01). Of course I'd like to retrieve the complete output of the command.

I have installed the latest Ansible version on my laptop and if necessary I can install the latest Ansible version on my KVM host (vdicnode01).

Is there any trick to perform this?

Thanks a lot.
Óscar Segarra

Hi everyone!

Has nobody had the same requirement? The same use case applies in the following scenario:

Laptop with Ansible → FW → Ansible server intermediate → FW → Destination host of my commands

Any help will be really welcome!

Thanks a lot.
Oscar

This topic has been covered on the list a few times, and the Internet is full of explanations of how to do this since it's an SSH thing and not an Ansible thing.
Ansible is using SSH, so it supports what SSH can do.

It's called by many names, so search for jump host, jump server, proxycommand or bastion (or some other names I have forgotten).

Hi Kai,

I have found some information on the internet (not so much) but I'm not able to make it work when my end server requires an ssh password to be entered.

Is there any known trick to make this work?

Thanks a lot.
Oscar

I mean,

I'm able to connect to my guest through my jump server by setting my .ssh/config file as:

Host vdicnode01
  HostName vdicnode01

# Host to jump to via jumphost1.example.org
Host vdicone01
  HostName vdicone01
  ProxyJump vdicnode01

[root@vdicmanager01 ansible]# ssh vdicone01
root@vdicnode01's password:
root@vdicone01's password:
Last login: Thu Nov 23 23:41:45 2017 from vdicnode01
[root@vdicone01 ~]#

But from Ansible, I'm not able to make it work:

[root@vdicmanager01 ansible]# ansible vdicone01 -m ping -vv
ansible 2.4.1.0
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.5 (default, Aug 4 2017, 00:39:18) [GCC 4.8.5 20150623 (Red Hat 4.8.5-16)]
Using /etc/ansible/ansible.cfg as config file
META: ran handlers
vdicone01 | UNREACHABLE! => {
    "changed": false,
    "msg": "Authentication failure.",
    "unreachable": true
}
[root@vdicmanager01 ansible]#

Thanks a lot and sorry for my previous misexplanation.

Óscar

I'm able to connect to my guest through my jump server by setting my
.ssh/config file as:

Host vdicnode01
  HostName vdicnode01

### Host to jump to via jumphost1.example.org
Host vdicone01
  HostName vdicone01
  ProxyJump vdicnode01

[root@vdicmanager01 ansible]# ssh vdicone01
root@vdicnode01's password:
root@vdicone01's password:

It seems like you need to provide your password twice; I'm not sure that Ansible supports that.

Last login: Thu Nov 23 23:41:45 2017 from vdicnode01
[root@vdicone01 ~]#

But from Ansible, I'm not able to make it work:

[root@vdicmanager01 ansible]# ansible vdicone01 -m ping -vv
ansible 2.4.1.0
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.5 (default, Aug 4 2017, 00:39:18) [GCC 4.8.5 20150623 (Red Hat 4.8.5-16)]
Using /etc/ansible/ansible.cfg as config file
META: ran handlers
vdicone01 | UNREACHABLE! => {
    "changed": false,
    "msg": "Authentication failure.",
    "unreachable": true
}
[root@vdicmanager01 ansible]#

Thanks a lot and sorry for my previous misexplanation.

You need to tell Ansible to use a password; by default Ansible just connects and expects it to work.
If you add -k/--ask-pass to the command line, Ansible asks for the password.

If you would like this to be the default, you can change ansible.cfg.

Hi,

I have tried with --ask-pass. In this case the system asks for the first password but not the second.

It raises the "Authentication failure" error.

Thanks a lot
Oscar

As I suspected, Ansible doesn't support that.
Your option is to set up passwordless ssh keys between the jump host and the remote node, or look up ssh agent forwarding on the Ansible control machine.
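The inventory-side form of what Kai describes, as an added example that is not from the thread: the ProxyJump hop is handed to Ansible through ansible_ssh_common_args instead of ~/.ssh/config, and the hop to the jump host is assumed to be key- or agent-authenticated, so that -k has only the final host's password prompt to answer (the group names and users below are constructed).

```ini
# Constructed example inventory (hosts, users and group names are assumptions).
# Ansible runs OpenSSH, so the jump is expressed as an ssh option. The hop to
# vdicnode01 must not prompt for a password: -k/--ask-pass can answer only one
# prompt, and it has to be the one from the final host (vdicone01).

[kvm_hosts]
vdicnode01 ansible_user=root

[kvm_guests]
vdicone01 ansible_host=vdicone01 ansible_user=root

[kvm_guests:vars]
# -o ProxyJump needs OpenSSH 7.3 or newer on the control machine and the jump
# host; on older clients use: -o ProxyCommand="ssh -W %h:%p root@vdicnode01"
# Keep StrictHostKeyChecking at its default so the jump host and guest keys
# are still verified on the control machine.
ansible_ssh_common_args='-o ProxyJump=root@vdicnode01'
```

With this inventory, `ansible -i hosts vdicone01 -m ping -k` prompts once, for the vdicone01 password, which is the first-contact case in the thread; once keys are distributed, drop -k and the same inventory works unchanged.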

Hi,

Isn't there any option to send the second password as a variable? I have tried to add them as variables in the hosts file but it has not worked.

I cannot use a passwordless key because the process I'm trying to develop is exactly for synchronizing keys between all my hosts. For the first time, I need to access with a password.

Or what do you think about using a kind of "script module" to send an Ansible playbook to the jump server and execute it from there?

Thanks a lot.