Isolated nodes workaround using jump hosts

Hi all

As an alternative to the isolated nodes feature, not available yet, I am trying to implement this with jump hosts, reading this https://docs.ansible.com/ansible-tower/latest/html/administration/tipsandtricks.html#setting-up-a-jump-host-to-use-with-tower.

My idea is to have all the SSH keys in Tower, and set for each host that needs a jump host a variable that sets the way to connect to it using the jump host (ssh -W %h:%p jumphost1). Then, I would configure .ssh/config in the task nodes (is this right?) defining the jump host, and the way to connect to that, but I don’t want to have their SSH keys locally (as I already have them in AWX).

How can I access SSH keys from the CLI? For example:

Host jumphost1
IdentityFile >(tower-cli credential get …)
User xxxx

But “tower-cli credential get” only gives me the information about the credential, not the credential itself. Is there any command to achieve this? Would this redirect work in the ssh config?

We specifically do not allow reading credential values out of the system. Tower isn’t designed to be a standalone credential management system.

Thanks Matthew for the answer, I understand the limitation. Does anyone have any approach or suggestions about this procedure? Some other ideas?

With this workaround, if jump host credentials can’t be fetched from Tower, they could be stored locally in the Tower task nodes, and “main” node credentials can be fetched from Tower; indeed, the “jump hosts” don’t have anything, they are just bastion hosts, with limited-access users.

Kind regards.

We added something like this to the hosts variables for any hosts that need to be isolated (this is done via our dynamic inventory script):

ansible_ssh_common_args: >-
  -o ProxyCommand="ssh -W %h:%p -q -o UserKnownHostsFile=/dev/null -o
  StrictHostKeyChecking=no username-with-credentials-in-AWX@jump-host-name.dc"

Be sure to increase your MaxStartups and MaxSessions in the sshd config of the jumphost. We have 100 for MaxSessions and 100:30:100 for MaxStartups (your mileage may vary).

We didn’t add any special ssh config for the “username-with-credentials-in-AWX” on the jump host. We did, however, limit access via firewall so that only the AWX hosts can ssh to the jump hosts.
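The reply above generates ansible_ssh_common_args from a dynamic inventory script. The following is an added example of such a script, not the script from this thread or from the AWX project: it emits the JSON shape Ansible expects, attaches a ProxyCommand only to hosts marked isolated, and keeps host-key verification on by pointing UserKnownHostsFile at a pinned file instead of /dev/null. The host list, the jump account awx-jump, the jump host name and the known_hosts path are all constructed assumptions.

```python
#!/usr/bin/env python3
"""Minimal Ansible dynamic inventory that routes selected hosts through a jump host.

Added example, not the thread's own script. Hosts flagged "isolated" get an
ansible_ssh_common_args value with a ProxyCommand, as described in the thread;
host-key checking stays enabled against a pinned known_hosts file.
"""
import json
import shlex
import sys

# Constructed sample data; a real script would query a CMDB or cloud API.
HOSTS = {
    "web01.dc": {"isolated": False},
    "db01.dc": {"isolated": True},
    "db02.dc": {"isolated": True},
}
JUMP_USER = "awx-jump"                          # assumed limited account on the jump host
JUMP_HOST = "jump-host-name.dc"                 # assumed jump host name
KNOWN_HOSTS = "/etc/ansible/jump_known_hosts"   # assumed file holding the jump host's pinned key


def proxy_common_args(jump_user, jump_host, known_hosts):
    """Build the ssh option string Ansible prepends for hosts behind the bastion."""
    proxy = (
        f"ssh -W %h:%p -q -o UserKnownHostsFile={known_hosts} "
        f"-o StrictHostKeyChecking=yes {jump_user}@{jump_host}"
    )
    # shlex.quote keeps the whole ProxyCommand one argument when Ansible splits the string
    return f"-o ProxyCommand={shlex.quote(proxy)}"


def build_inventory(hosts, jump_user=JUMP_USER, jump_host=JUMP_HOST, known_hosts=KNOWN_HOSTS):
    """Return the inventory dict: all hosts, an 'isolated' group, and per-host vars in _meta."""
    inv = {
        "all": {"hosts": sorted(hosts)},
        "isolated": {"hosts": []},
        "_meta": {"hostvars": {}},
    }
    for name, attrs in hosts.items():
        if attrs.get("isolated"):
            inv["isolated"]["hosts"].append(name)
            inv["_meta"]["hostvars"][name] = {
                "ansible_ssh_common_args": proxy_common_args(jump_user, jump_host, known_hosts)
            }
    inv["isolated"]["hosts"].sort()
    return inv


def main(argv):
    # Ansible calls --list for the full inventory; --host is answered from _meta, so it is empty.
    if "--host" in argv:
        print(json.dumps({}))
    else:
        print(json.dumps(build_inventory(HOSTS), indent=2))


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it with `ansible-inventory -i ./jump_inventory.py --list` to see the generated vars. The pinned known_hosts file replaces the `/dev/null` plus `StrictHostKeyChecking=no` pair from the reply: the playbook still runs non-interactively, but a changed jump host key fails the connection instead of being silently accepted, which is what you want on the one host every isolated connection passes through.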

Thanks! This is very similar to what I want to do… But the issue here is to have the keys in two places, in AWX and in the task nodes, as there is no API to get host credentials, as Matthew said.

Glad to see that more people have this issue, with similar workarounds.

Regards!

I’m not sure how other people handle it, but we have internal playbooks we use to configure the AWX hosts. One of the things those do is clone the AWX repo and prepare the AWX installer playbooks (playbooks configuring playbooks… what could go wrong?).

In those first playbooks, we can handle things such as putting ssh keys (stored in Ansible Vault) on the jump hosts. It only needs to be done when you provision new jump hosts (or change the keys).