Ansible Doesn't Use SSH Config File specified by ssh_args?

Ansible 1.6.1

I’m trying to set things up so that I can specify a bastion host as a gateway
to my other machines.

I’d like Ansible to use an SSH config file that I keep in git.

So, I have a file named “sshconfig” with:

    Host *
        ServerAliveInterval 60
        TCPKeepAlive yes
        ProxyCommand ssh 55.232.102.151 'nc %h %p'
        ControlMaster auto

Where 55.232.102.151 is the bastion IP address.

My ansible.cfg file looks like:

    [defaults]
    transport = ssh
    ssh_args = -F sshconfig -o ControlPersist=15m

If I run “ssh -F sshconfig me@44.55.66.77” it uses the bastion server as expected.

But Ansible doesn’t ever seem to use my “sshconfig” file (I don’t see anything about it in the verbose output, nor the bastion IP address).

Does ssh_args actually permit “-F sshconfig” or does it only allow “-o param=something” options?

J

Ansible will use your SSH config when using the ssh (not paramiko) transport, perhaps it’s not finding it for some reason.

paramiko would be the default if you were running from RHEL/CentOS 6 or before, where OpenSSH is not new enough to support ControlMaster, and paramiko is therefore still faster. (review for everyone: accelerate mode is the performance option there, since pipelining is OpenSSH only).

Let’s start with what OS you are running from as that may highlight that transport question. If not, we can ask other questions.

I’m running ansible 1.6.1 on MacOSX 10.9.3. The target systems are CentOS 6.

J

Hmm.

So that’s definitely OpenSSH by default.

Commands to ssh config are arbitrary and are handled here:

https://github.com/ansible/ansible/blob/devel/lib/ansible/runner/connection_plugins/ssh.py#L60

Can you try specifying a full path to your SSH config file? Might be a case of relative path.

That didn’t make a difference.
I know that ansible is using that ansible.cfg file because I can put a “remote_user = xxx” line at the end of it and ansible uses that.

It would be helpful if someone could simply add “ssh_args= -F sshconfig” to an ansible.cfg file and show some output that proves that Ansible is using it.

J

FWIW, I got this idea from you :slight_smile: - reference: https://groups.google.com/d/msg/ansible-project/AOt-5fgBzho/hEDnnOrJkC8J
However, I’ve never seen an implementation of it or a working example that’s been tested. I think someone posted an example where they had “-F ~/.ssh/config” but since that’s the default ssh config file (ssh will use ~/.ssh/config whether or not you specify it with the -F flag) it doesn’t really test whether it’s working or not. :slight_smile:

J

I think what Michael meant was to specify the full path to the sshconfig file, ie. “-F /path/to/mysshconfig” instead of a relative path.

Yes. I tried that. No difference. As I mentioned, it’s clear that Ansible is using my ansible.cfg file. For example, if I set the remote_user in my ansible.cfg to:

    [defaults]
    transport=ssh
    ssh_args= -F /work/sshconfig
    remote_user=dummyuser

Then everything fails because Ansible tries to use “dummyuser” to connect.

I’m still wondering if anyone has ever successfully used ssh_args with anything besides “-o param=value” directives.

What is ansible doing, for example, if you put “-v” or “-f” in ssh_args? They seem to have no effect.

J

ssh_args does not go under the [defaults] section. It belongs under a section titled [ssh_connection]
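The silent failure above comes from Ansible reading ssh_args only from [ssh_connection]. As an added example (not Ansible's own code, and not from this thread), a small checker that parses an ansible.cfg with configparser, flags ssh_args, control_path or pipelining sitting under [defaults], and rewrites them into [ssh_connection]; the sample config below is constructed to mirror the original poster's broken file:

```python
import configparser

# Options Ansible reads only from [ssh_connection]; under [defaults] they are
# silently ignored, which is what happened in the thread.
SSH_CONNECTION_KEYS = {"ssh_args", "control_path", "pipelining"}

# Constructed sample mirroring the original poster's broken ansible.cfg.
BROKEN_CFG = """\
[defaults]
transport = ssh
ssh_args = -F /work/sshconfig -o ControlPersist=15m
remote_user = dummyuser
"""


def find_misplaced(cfg_text):
    """Return {key: value} for ssh_connection options found under [defaults]."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(cfg_text)
    if not cp.has_section("defaults"):
        return {}
    return {k: v for k, v in cp.items("defaults") if k in SSH_CONNECTION_KEYS}


def relocate(cfg_text):
    """Move misplaced options into [ssh_connection] and return the fixed config text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(cfg_text)
    moved = find_misplaced(cfg_text)
    if moved:
        if not cp.has_section("ssh_connection"):
            cp.add_section("ssh_connection")
        for key, value in moved.items():
            cp.set("ssh_connection", key, value)
            cp.remove_option("defaults", key)
    out = []
    for section in cp.sections():
        out.append(f"[{section}]")
        out.extend(f"{k} = {v}" for k, v in cp.items(section))
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    print("misplaced:", find_misplaced(BROKEN_CFG))
    print(relocate(BROKEN_CFG))
```

Running it prints the misplaced ssh_args entry and a corrected file with an [ssh_connection] section, which is the layout the answer above describes.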

Thanks. That got things working. It would be nice if Ansible did some basic syntax checking on the cfg file. :slight_smile:

So if you have multiple bastion files, but no specific domain name you can wildcard off of (e.g. “Host *.mydomain.com”, “Host *.anotherdom.com”, etc), what is the Ansible best practice for handling multiple clusters with a bastion server for each cluster? Reference: https://groups.google.com/d/msg/ansible-project/bWdWJ4UtkFQ/fXHO3MDvF_kJ

J

“Ansible best practice for handling multiple clusters with a bastion server for each cluster?”

Per host settings in your SSH config file.

So, if a lot of your machines have IP addresses (or very different domain names) then you’d have
to create an ssh config file entry for each individual IP address, right? Because there’d be no way
to use wildcards. Am I missing something here?

Example:

    Host 33.44.55.66
        ServerAliveInterval 60
        TCPKeepAlive yes
        ProxyCommand ssh 55.232.102.151 'nc %h %p'
        ControlMaster auto

    Host 22.33.44.55
        ServerAliveInterval 60
        TCPKeepAlive yes
        ProxyCommand ssh 55.232.102.151 'nc %h %p'
        ControlMaster auto

…and so on…

J

if using the ssh connection plugin, it supports whatever ssh does, so wildcards should work.

To clarify further – I know that I can use wildcards in the ssh config file like:

    Host *.example.com

    Host 128.220.19.*

But what if I have a lot of different IP addresses or host names? Then I’d have to simply have a separate entry in my ssh config
file for each one?

J

“Then I’d have to simply have a separate entry in my ssh config
file for each one?”

Yes, because you just said you couldn’t use wildcards :slight_smile:

+1 to having private hostnames or conventions to make that easier.