Up until version 15.0.1 it was sufficient to install a config file with a required SSH identity file in /root/.ssh/ on the awx-task machine.
This no longer works.
I’ve spent an inordinate amount of time [1] trying to get this working for root and the awx user, and even tried runner on awx-ee, but as far as I can tell, neither ansible(1) nor ansible-playbook(1) are invoking ssh(1) in such a way that the configuration is used.
I’ve also noticed that ansible isn’t using a pre-configured ansible.cfg file (into which I could place an [ssh_configuration] section). If I create a file it’s used, but as I don’t know how the runner EE is created I’m almost completely lost.
Can somebody help me, please?
-JP
[1] https://jpmens.net/2021/03/25/configure-ssh-proxycommand-for-awx-on-kubernetes/
Hi,
I’ve spent the last month learning the K-word for the awx 18 release and I am planning to do the following approach:
Problem: The proxyjump ssh config asks for a fingerprint / host verification when connecting. In previous versions you could log into the container and acknowledge the prompt, or change the ssh configuration so that it disables host checking (not recommended).
Possible solution:
Create a custom Execution Environment
https://www.ansible.com/blog/introduction-to-ansible-builder
In the execution-environment.yml you can add additional_build_steps where you insert your ssh config / keys …
Problem is that it is built into the image, so best not to publish it to public registries.
I haven’t tested it yet but it should work.
Personally I hope project receptor is integrated fast since this would make this obsolete.
kind regards,
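A worked version of the approach sketched in this post, added here as an example and not taken from the post or from ansible-builder's own docs: an execution-environment.yml (ansible-builder v1 format) whose additional_build_steps append a ProxyJump stanza to the system-wide /etc/ssh/ssh_config, so it applies whichever user ansible-runner executes as, and pin the bastion's host key instead of disabling host key checking. The jump host name, the 10.20.* address range, the jumpuser login and the known_hosts key line are placeholders; the private key itself is assumed to be supplied at run time (for instance by the AWX machine credential) rather than baked into the image, which is the publishing caveat raised above.

```yaml
# execution-environment.yml (ansible-builder v1 layout). Added example; the
# host names, address range and the host-key line are placeholders.
version: 1

build_arg_defaults:
  EE_BASE_IMAGE: 'quay.io/ansible/ansible-runner:latest'

additional_build_steps:
  # Lines below are emitted verbatim into the generated Containerfile after the
  # dependency steps, so they are plain RUN instructions.
  append: |
    # System-wide ssh config is read regardless of the executing user, which
    # avoids relying on /root/.ssh or ~awx/.ssh being present in the container.
    RUN printf '%s\n' \
          'Host 10.20.*' \
          '    ProxyJump jump.example.internal' \
          'Host jump.example.internal' \
          '    User jumpuser' \
          '    StrictHostKeyChecking yes' \
          >> /etc/ssh/ssh_config
    # Pin the bastion host key (replace the placeholder with the real key
    # obtained out of band) so the inner hop never prompts and never trusts
    # an unknown key; no private key material is written into the image.
    RUN printf '%s\n' \
          'jump.example.internal ssh-ed25519 AAAA-PLACEHOLDER-REPLACE-ME' \
          >> /etc/ssh/ssh_known_hosts
```

Build with `ansible-builder build -t my-awx-ee:1 -f execution-environment.yml` and reference the resulting image as the job's execution environment; target hosts outside 10.20.* are unaffected by the stanza.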
We’ve used the ANSIBLE_SSH_ARGS parameter in the settings/jobs page successfully:
    "ANSIBLE_SSH_ARGS": "-C -o ServerAliveInterval=300 -o ControlMaster=auto -o ControlPersist=60s -o 'ProxyCommand ssh -qx user@jumphost -W %h:%p -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null'"
That doesn’t account for the needed IdentityFile to connect to the jump host.
-JP
Isn’t this whole idea of using bastion hosts covered by https://docs.ansible.com/ansible-tower/latest/html/administration/external_execution_envs.html#isolated-instance-groups ?
“Tower has the ability to optionally define isolated groups inside security-restricted networking zones from which to run jobs and ad hoc commands. Instances in these groups will not have a full installation of Tower, but will have a minimal set of utilities used to run jobs.”
https://www.insentragroup.com/gb/insights/geek-speak/cloud-and-modern-data-center/ansible-awx-with-isolated-nodes/ was the first hit on google for awx
Greetings
Klaas
It has been tested in several environments with AWX 14.1.
You probably missed the version number in the subject; just about EVERYTHING I knew about tower/awx has changed.
Don’t know if this would help but I have had a similar issue with ansible for windows hosts with certificates. AWX has no way to use or configure this. So I made this very hacky thing.
I encrypt my certificate with ansible vault and put it in my project folder. (git based)
In the first task I run, I copy the file from the project to the container with the copy module.
    - name: Get certificate
      become: true
      become_method: sudo
      gather_facts: no
      hosts: "all"
      vars:
        # Paths the winrm connection plugin reads once the key has been copied
        ansible_winrm_cert_key_pem: /key.pem
        ansible_winrm_cert_pem: /pub.pem
        ansible_winrm_transport: certificate
      tasks:
        # Copy the vault-encrypted key from the project checkout into the
        # container; decrypt: yes writes the plaintext to dest
        - name: Decrypt certificate key
          local_action:
            module: ansible.builtin.copy
            src: certificates/key_encrypted.pem
            dest: /key.pem
            decrypt: yes
          run_once: True
          connection: local
          changed_when: False

        # do the tasks you want

        - name: Gather facts
          setup:
          connection: winrm
In theory this could also work for ssh identity files. It’s pretty fugly and you need to adapt playbooks but it kinda works.
kind regards,