Need to automate task via bastion host

Hi All,

I have a requirement to automate some tasks via an Ansible playbook. The problem is I cannot go to the servers directly; I need to go to the remote nodes via a bastion node. Could anyone please help with how I can write the same inside the inventory? Below is an example of how I am connecting to the remote host via the bastion host.

    ssh user@<remote-host IP>@<bastion-host-IP> -p 8022

https://www.jeffgeerling.com/blog/2022/using-ansible-playbook-ssh-bastion-jump-host

Will McDonald wrote:

https://www.jeffgeerling.com/blog/2022/using-ansible-playbook-ssh-bastion-jump-host

Odd that it uses ProxyCommand in `ansible_ssh_common_args` and
not the far simpler ProxyJump, which it does mention in the
~/.ssh/config method. The `-J` shortcut for that is even
better.

Perhaps it does that to illustrate a more complex use case,
where the bastion runs on a different port, but if you're
not doing that, it's likely simpler to skip it and use the
`-J` argument.

I would expect (but have not tested) this works:

    ansible_ssh_common_args='-J $your_bastion_hostname'

ProxyJump / -J was added in OpenSSH-7.3 -- so it's surely on
any host folks would be using as an ansible control host.

Hi Todd,

Thank you for sharing the same; however, I have already checked this article.

I have a requirement to connect Host-A, then I can connect Host-B. I can't connect Host-B directly. So in this case how do I execute the playbook task on Host-B from the Control Machine? Because my control machine is centralized. Hence, my question is how to execute the playbook task on Host-B directly from the control machine via the bastion host. Below is an example of how I am connecting to the remote host via the bastion host using ssh.

    ssh user@<remote-host IP>@<bastion-host-IP> -p 8022

In the playbook I have created the inventory; however, while running the same I am getting the below error:

    cat lab.txt
    [need_bastion]
    bastion-host

    [need_bastion:vars]
    ansible_ssh_common_args='-o StrictHostKeyChecking=no -o ProxyJump="user@<remote-host IP>@<bastion-host-IP>:8022"'

    PLAY [copy file from jump to remote servers] ***************************

    TASK [copy node exporter package] **************************************
    Password:
    Password:
    fatal: [IP]: UNREACHABLE! => {"changed": false, "msg": "Failed to connect to the host via ssh: Connection timed out during banner exchange", "unreachable": true}

    PLAY RECAP *************************************************************
    IP : ok=0 changed=0 unreachable=1 failed=0 skipped=0 rescued=0 ignored=0

Hi,

Monica wrote:

Thank you for sharing the same, however, I have already
checked this article.

I was simply quoting the article which Will kindly shared to
mention that ProxyJump / -J might be a simpler method, even
within ansible_ssh_common_args.

[I reformatted some of the text you wrote as it arrived at
the list as one large block, which was rather hard to read.]

I have a requirement to connect Host-A then I can connect
Host-B. I can’t connect Host-B directly. So in this case
how to execute the playbook task on Host-B from Control
Machine? Because my control machine is centralized. Hence,
my question is how to execute the playbook task on Host-B
directly from the control machine via bastion host-: Below
is an example of how I am connecting to the remote host
via bastion host using ssh.

  ssh user@<remote-host IP>@<bastion-host-IP> -p 8022

Note that the ssh_config man page says of ProxyJump:

    Specifies one or more jump proxies as either
    [user@]host[:port] or an ssh URI.

It has further text regarding configuration applied to the
jump (aka bastion) host, which is worth reading.

Ansible uses the value from `ansible_ssh_common_args` to
create the full ssh command to connect to each host, so
`@<remote-host>` should not be included if you're using
ansible to connect to <remote-host> via <bastion-host>.

(If you've got multiple bastion hosts to pass through from
<control-host> to <remote-host>, you should probably get
things working with ssh directly and then map that to either
`ansible_ssh_common_args` or the `.ssh/config` of the user
running ansible on the control host.)

All that said, if you're going from <control-host> to
<remote-host> via <bastion-host> (on port 8022), I think
this would look like:

    ansible_ssh_common_args='-J <bastion-user>@<bastion-host>:8022'

(I skipped the StrictHostKeyChecking option there simply for
brevity. I replaced -o ProxyJump with -J for the same
reason.)

That connects to the <remote-host> via the bastion host as
the given user and at the given port.

I find testing with the ansible ping module is helpful in
cases like this. It makes it easier to separate issues with
the playbook from issues with the ssh configuration. E.g.:

    ansible <remote-host> -om ping

That should return:

    <remote-host> | SUCCESS => {"changed": false,"ping": "pong"}

If not, adding -vvv to the command will show the ssh command
ansible used, which can be checked for sanity (and/or
compared to what works when you run ssh directly to get from
<control-host> to <remote-host> via <bastion-host>).
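Todd's advice above comes down to three points: only the bastion belongs in the jump spec (Ansible supplies the target host itself), a non-default bastion port goes after a colon, and host-key checking should stay on rather than be switched off for brevity. The following is an added example, not code from the thread or from Ansible, that builds the `ansible_ssh_common_args` value, renders the inventory, and lints a value for the two mistakes discussed: an extra `@<remote-host>` inside the jump spec, and `StrictHostKeyChecking=no`. The host names, user names and the known_hosts path are placeholders chosen for illustration. Ansible splits `ansible_ssh_common_args` the way a shell would, which is why `shlex` is used both to quote and to parse it.

```python
"""Build and sanity-check ansible_ssh_common_args for a ProxyJump bastion.

Added example, not from the mailing-list thread or from Ansible. Host names,
users and paths below are placeholders.
"""
import shlex


def jump_args(bastion_user, bastion_host, port=22, known_hosts=None):
    """Return the ssh arguments Ansible should add for a single-hop bastion.

    Only the bastion goes into -J; Ansible appends the target host itself, so
    the 'user@<target>@<bastion>' form used interactively must not appear here.
    Options given this way apply to the target hop; the bastion hop reads the
    control user's ~/.ssh/config, so bastion-specific settings belong there.
    When known_hosts is given, host-key checking for the target stays on and
    is pinned to that file instead of being disabled.
    """
    jump = f"{bastion_user}@{bastion_host}"
    if port != 22:
        jump += f":{port}"
    args = ["-J", jump]
    if known_hosts is not None:
        args += ["-o", f"UserKnownHostsFile={known_hosts}",
                 "-o", "StrictHostKeyChecking=yes"]
    return shlex.join(args)


def inventory_ini(group, hosts, common_args):
    """Render an INI inventory whose group-level vars carry common_args."""
    lines = [f"[{group}]", *hosts, "", f"[{group}:vars]",
             f"ansible_ssh_common_args='{common_args}'"]
    return "\n".join(lines) + "\n"


def _options(tokens):
    """Yield (flag, value) pairs for -J and -o, accepting '-o X' and '-oX'."""
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        for flag in ("-J", "-o"):
            if tok == flag and i + 1 < len(tokens):
                yield flag, tokens[i + 1]
                i += 2
                break
            if tok.startswith(flag) and len(tok) > 2:
                yield flag, tok[2:]
                i += 1
                break
        else:
            i += 1


def lint_common_args(value):
    """Return a list of problems found in an ansible_ssh_common_args string."""
    problems = []
    jumps = []
    for flag, val in _options(shlex.split(value)):
        if flag == "-J":
            jumps.append(val)
            continue
        key, _, opt_val = val.partition("=")
        if key.lower() == "proxyjump":
            jumps.append(opt_val)
        elif key.lower() == "stricthostkeychecking" and opt_val.lower() in ("no", "off"):
            problems.append(
                "StrictHostKeyChecking=no turns off host-key verification for the "
                "target host, so a host impersonating it behind the bastion is not "
                "detected")
    for spec in jumps:
        for hop in spec.split(","):
            if hop.count("@") > 1:
                problems.append(
                    f"jump spec {hop!r} has more than one '@'; ProxyJump takes "
                    "[user@]host[:port] and Ansible supplies the target host itself")
    return problems


if __name__ == "__main__":
    # Placeholder names; the second value mirrors the inventory posted in the thread.
    good = jump_args("bastion-user", "bastion.example", 8022,
                     known_hosts="/etc/ssh/ssh_known_hosts")
    print(inventory_ini("need_bastion", ["target.internal"], good))
    bad = '-o StrictHostKeyChecking=no -o ProxyJump="user@target.internal@bastion.example:8022"'
    for problem in lint_common_args(bad):
        print("problem:", problem)
```

The `known_hosts` pin is optional but is the cheap alternative to `StrictHostKeyChecking=no`: seed the file once (for example from the bastion side, where the target's key can be read over a trusted path) and Ansible then refuses a target whose key changes. Because `-J` builds its own inner `ssh` for the bastion hop, the bastion's key and identity still come from the control user's `~/.ssh/config` and `~/.ssh/known_hosts`, as the ssh_config man page notes.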

I agree with Todd that setting up a proper ~/.ssh/config should be the way to do this. Something like ...

    # The bastion: reached directly from the control host.
    Host jumphost
        HostName jumphost.blub.com
        User username
        PreferredAuthentications publickey
        IdentityFile ~/.ssh/demo.ed25519

    # The internal target: ssh opens it through jumphost, so Ansible only
    # needs to know the alias "internal-target".
    Host internal-target
        HostName target.blub.com
        ProxyJump jumphost
        User username
        PreferredAuthentications publickey
        IdentityFile ~/.ssh/demo.ed25519

... should do it I believe.

Hi Todd,

Thank you for explaining the same; however, I am still getting the same error:

Hi

Can you please try this way:

    [remote-nodes]
    remote-node-1 ansible_host= ansible_user=user ansible_ssh_common_args='-o ProxyCommand="ssh -W %h:%p -p 8022 user@"'
    remote-node-2 ansible_host= ansible_user=user ansible_ssh_common_args='-o ProxyCommand="ssh -W %h:%p -p 8022 user@"'

Hi Avinash,

Thank you for the update. I am still facing the issue.

    Connection timed out during banner exchange", "unreachable": true

what I would try is

  1. create an ~/.ssh/config file as per the example I sent
  2. use Ansible as if there was no jumphost involved at all

Hi,

Can anyone help me on this? I am still facing the issue.

Hi Vladimir Botka,

Looking for your support on this.

Hi Monica,

Hi Vladimir Botka,
Looking for your support on this.

You said you can "connect to the remote host via bastion host
using ssh".

ssh user@<remote-host IP>@<bastion-host-IP> -p 8022

Let me ask you first. Wouldn't an Ansible controller in the internal
network serve your use case better?

ext_net <-> bastion_host <-> ansible_controller <-> remote_host

You should store your projects in version control. Why don't you
clone the projects on the controller and run your playbooks from
there? This has many advantages:

* The configuration is simpler
* You can limit the external SSH access to single host
* Playbooks in the local network run faster
* The execution of the projects doesn't depend on the throughput and
   quality of the external network
* You can use *ansible-pull* on the controller to update the
   projects automatically
* You can schedule the projects' updating to off-peak times

Why do you want to run Ansible via proxy?