Sorry for a lame question, but I’m trying to enable Ansible to manage Cisco routers which are reachable only from a single management host. That host is an HP NA server, where users can connect by ssh and then manually build a connection (ssh/telnet) to the final destination (i.e. routers).
I’ve already read about known ways to establish an SSH session via jump/bastion hosts using “proxycommand” and “ssh -W”, but my case is a little bit different. The HPNA jump host has its own CLI, where users call the command “connect ROUTER_NAME” to connect to routers.
In other words it looks like “laptop → ssh → HPNA → HPNA CLI command “connect router Bla” → ssh/telnet (rare case) → router”
I wonder if Ansible has any modules which would wrap that command “connect router Bla” into the ssh session established from my laptop to the jump host?
As far as I have seen, it is not trivial - it looks like although the network_cli plugin is selected, the paramiko_ssh plugin is used to handle the actual ssh session. Considering it is easy to send an additional command, it is not easy to keep all that without significantly touching classes defined in Ansible. And I wanted something like 5 lines of code …
I almost gave up on this effort…
Of course, thanks for asking;
My company has HP Network Automation (HP NA) host which provides universal access to all network devices. It behaves like a jump host, but, not SSH jump host. We ssh to it, authenticate and then get onto local CLI - which is specialised for managing the database of devices on the HP NA and to connect to them (allowing for logging of the session, different setups and so on).
Here is the problem:
HP NA is not SSH bastion so no SSH forwarding (-J, -W, -tt options) works. It has to be a two stage connection to a device if HP NA was to be used (in our case, it has to be).
First of all, I do not have a way to tell Ansible to connect to a device by ssh-ing to HP NA server, then to start a new session to a device using connect ‘device_name’ command to get the actual device prompt.
What I wanted to achieve:
I wanted to modify network_cli plugin to add a fixed server and a couple of additional steps, so it looks like this - very high level:
ansible -i inventory.ans playbook.yml
(inventory.ans contains real IP addresses and/or device names known to HP NA, playbook.yml contains the network_cli_HPNA modified connector to be used and an arbitrary task)
I thought that ansible-playbook would call network_cli_HPNA at some point to establish a session and I would intercept it there, connect first to the HP NA server, then, after verifying sanity, issue connect device, where device is the information in the playbook and supplied by ansible-playbook when it calls network_cli.
Now, that does not happen early enough (or I did not understand this well).
What I saw was that after I start ansible-playbook and ingest modules and parse playbook, I call paramiko_ssh to establish a permanent connection (which times out, as I can not access devices directly), but, network_cli is never visited…
I saw that connection is brought up in paramiko_ssh and we could possibly change it there, but, that would ruin any upgrade down the road - I wanted to fork this later, when I will not put anyone else in jeopardy (those who use paramiko_ssh as a regular connector plugin).
I hope that this helps.
Thanks,
Vladan
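The two-stage login described in the original question and in the post above (ssh to the HP NA host, wait for its CLI prompt, send “connect DEVICE”, then wait for the device prompt) is essentially an “expect” loop, and that loop is what a custom connection plugin would have to carry. The following is an added example written for this thread; it is not code from Ansible, paramiko or HP NA, and the prompt strings (`HPNA> `, `router1#`), the error text and the `FakeHpnaChannel` simulator are all assumptions so that it runs offline. The transport is reduced to `recv()`/`send()` so the same driver could be pointed at a real interactive shell channel, but that is not shown here.

```python
"""
Added example (not from the thread, not Ansible/paramiko/HP NA code): the
minimal prompt-driven logic for a two-stage login through a jump host that
has its own CLI. Step 1: read until the jump host prompt. Step 2: send
"connect <device>" and read until either the device prompt or an error
banner followed by the jump host prompt appears.
"""
import re
import time


class DeviceConnectError(Exception):
    """Raised when the jump host CLI refuses or fails the 'connect' step."""


class FakeHpnaChannel:
    """Constructed stand-in for an interactive shell on the HP NA host.

    Knows an assumed set of device names; answers 'connect X' with a device
    prompt, or with an error line followed by its own prompt again.
    """
    JUMP_PROMPT = "HPNA> "

    def __init__(self, known_devices):
        self.known = set(known_devices)
        self._out = "Welcome to HP NA\r\n" + self.JUMP_PROMPT
        self.sent = []  # record of what the driver sent, for inspection

    def recv(self, nbytes):
        chunk, self._out = self._out[:nbytes], self._out[nbytes:]
        return chunk.encode()

    def send(self, data):
        line = data.decode().rstrip("\r\n")
        self.sent.append(line)
        m = re.match(r"connect\s+(\S+)$", line)
        if m and m.group(1) in self.known:
            self._out += f"\r\nConnecting to {m.group(1)} ...\r\n{m.group(1)}#"
        elif m:
            self._out += f"\r\nError: device {m.group(1)} not found\r\n{self.JUMP_PROMPT}"
        else:
            self._out += "\r\n% Unknown command\r\n" + self.JUMP_PROMPT


class TwoStageSession:
    """Drive 'ssh -> jump host CLI -> connect DEVICE -> device prompt'."""

    def __init__(self, channel, jump_prompt=r"HPNA> $", timeout=5.0):
        self.chan = channel
        self.jump_prompt = re.compile(jump_prompt)
        self.timeout = timeout
        self.buffer = ""

    def read_until(self, patterns):
        """Accumulate output until one of the regexes matches; return (pattern, text)."""
        deadline = time.monotonic() + self.timeout
        compiled = [re.compile(p) if isinstance(p, str) else p for p in patterns]
        while time.monotonic() < deadline:
            data = self.chan.recv(4096)
            if data:
                self.buffer += data.decode(errors="replace")
            for pat in compiled:
                if pat.search(self.buffer):
                    out, self.buffer = self.buffer, ""
                    return pat, out
            if not data:
                time.sleep(0.01)  # nothing arrived; poll again until the deadline
        raise TimeoutError(f"no prompt within {self.timeout}s: {self.buffer!r}")

    def login(self):
        """Stage 1: wait for the jump host's own CLI prompt."""
        self.read_until([self.jump_prompt])

    def connect_device(self, name):
        """Stage 2: send 'connect <name>'; return the device prompt or raise."""
        # Only pass through plain device names, so nothing else reaches the jump CLI.
        if not re.fullmatch(r"[A-Za-z0-9._-]+", name):
            raise ValueError(f"refusing to send unsanitised device name {name!r}")
        self.chan.send(f"connect {name}\n".encode())
        device_prompt = re.compile(re.escape(name) + r"[#>]\s*$")
        # An error banner followed by the jump prompt means we never left the jump host.
        error = re.compile(r"(?i)error[^\n]*\n.*" + self.jump_prompt.pattern, re.S)
        pat, out = self.read_until([device_prompt, error])
        lines = out.strip().splitlines()
        if pat is error:
            raise DeviceConnectError(lines[0])
        return lines[-1]


def demo(device, known=("router1", "core-sw2")):
    """Run both stages against the simulator; returns the device prompt text."""
    sess = TwoStageSession(FakeHpnaChannel(known))
    sess.login()
    return sess.connect_device(device)


if __name__ == "__main__":
    print(demo("router1"))  # router1#
```

The `read_until` helper is the whole trick: every step is “send one line, then block until a prompt you can name shows up”, and the second stage must also recognise the failure case (error plus the jump host prompt coming back), otherwise a bad device name just turns into a silent timeout.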
> Of course, thanks for asking;
> My company has HP Network Automation (HP NA) host which provides universal access to all network devices. It behaves like a jump host, but, not SSH jump host. We ssh to it, authenticate and then get onto local CLI - which is specialised for managing the database of devices on the HP NA and to connect to them (allowing for logging of the session, different setups and so on).
> Here is the problem:
> HP NA is not SSH bastion so no SSH forwarding (-J, -W, -tt options) works.
I see your problem and feel your pain.
> It has to be a two stage connection
To my understanding this is not how Ansible works.
> to a device if HP NA was to be used (in our case, it has to be).
> First of all, I do not have a way to tell Ansible to connect to a device by ssh-ing to HP NA server, then to start a new session to a device using connect ‘device_name’ command to get the actual device prompt.
> What I wanted to achieve:
> I wanted to modify network_cli plugin
That’s way above my Ansible knowledge. I suppose network_cli
(https://docs.ansible.com/ansible/2.7/plugins/connection/network_cli.html)
is not a transport for Ansible and it cannot be used as such.
Firing a single CLI command on the host and returning the output is what it is used for, I guess.
Regards,
Mark