problem with ansible bastion hosts /playbook connectivity

Hello,

I was running an older version of ansible, and I couldn’t find a way to get it to connect through a bastion host to run scripts against a destination server, so I tried upgrading ansible. (yum upgrade to 1.6.2)

Now it appears that some things don't work the way they did, e.g. it doesn't seem to recognize the hosts list properly. It used to be that the first line in the .yml file was:

  - hosts: $Server_name

but, now that entry results in an error

[prod_deploy@srvtoolbox simontest]$ ansible-playbook fetch_mysql_config2.yml --extra-vars="Server_name=jruby01"
[WARNING]: The version of gmp you have installed has a known issue regarding
timing vulnerabilities when used with pycrypto. If possible, you should update
it (ie. yum update gmp).

PLAY [$Server_name] ***********************************************************
skipping: no hosts matched

So, I can no longer pass the host name at the command line? Or the syntax has changed. Fine, that's a new issue, I guess.

If I enter the host name in the playbook itself, it appears to work, if the host name is in the ansible list.

I’ve tried a number of methods to get it to recognize host names in ~/.ssh/config but all failed?

e.g.

[prod_deploy@srvtoolbox simontest]$ ansible-playbook -c ssh fetch_mysql_config2.yml
[WARNING]: The version of gmp you have installed has a known issue regarding
timing vulnerabilities when used with pycrypto. If possible, you should update
it (ie. yum update gmp).

PLAY [tmdb02] *****************************************************************
skipping: no hosts matched

PLAY RECAP ********************************************************************

my .ssh/config file:

[prod_deploy@srvtoolbox simontest]$ cat ~/.ssh/config
Host terremarkjump
HostName 208.39.105.26
User prod_deploy

Host solr4-dih
User prod_deploy
HostName 10.124.33.204
ProxyCommand ssh -q terremarkjump ncat %h 22

Host sprt_liferay_10
User prod_deploy
HostName ec2-54-202-175-96.us-west-2.compute.amazonaws.com

Host tmdb02
User prod_deploy
HostName 10.124.33.250
ProxyCommand ssh -q terremarkjump ncat %h 22

my test playbook:

  - hosts: tmdb02
    user: prod_deploy
    sudo: yes
    tasks:
    - name: get INVENTORY
      action: fetch src=/etc/my.cnf dest=~

I looked briefly at /usr/lib/python2.6/site-packages/ansible/runner/connection_plugins/ssh.py but, I don’t know enough python to be able to tell if this has anything to do with using the ~/.ssh/config file.

Is anyone aware if the current state of ansible/ssh (not paramiko) is documented in plain English, or is there a way to use jump servers via ssh with ansible 1.6.2?

It may well be that I’m doing something silly,

much obliged for any assist

Simon

The $ variables have been dropped from current ansible; they have been deprecated for a long time. The new way to do the host variables would be writing plays like this:

hosts: "{{server_name}}"

and pass it on the command line as before. There is some more advanced stuff you can do now, like using --limit or doing this:

hosts: "{{server_name|default('all')}}"

the ssh config should be picked up normally, I still use it for some bastion jump hosts w/o issues.

OK, I haven't used Ansible before. Are you saying I don't have to pass any switch to use SSH; it uses Paramiko and if it doesn't find a hostname, it tries ssh config? It just keeps giving me the error "No hosts matched".

Current versions of ansible use openssh as a library for connections by default. You can also ask ansible to use paramiko instead. If you’re using openssh, your ssh config will get picked up, if you’re using paramiko, it won’t.

"No hosts matched" is, I believe, unrelated; it means that there are no hosts in your inventory in the specified group.

OK, clearly I am doing something dumb.

I have an entry in ~/.ssh/config for destination host: tmdb02

Host tmdb02
User prod_deploy
HostName 10.124.33.250
ProxyCommand ssh -q terremarkjump ncat %h 22

I can ssh to it normally, e.g. ssh tmdb02

I've updated a test playbook to use the new server name syntax, e.g.

  - hosts: "{{server_name}}"
    user: prod_deploy
    sudo: yes
    tasks:
    # Store file into /tmp/fetched/host.example.com/tmp/somefile
    - name: get INVENTORY
      action: fetch src=/etc/my.cnf dest=~

I try to run it:

ansible-playbook /home/prod_deploy/simontest/fetch_mysql_config2.yml --extra-vars="server_name=jruby03"

and this works: jruby03 is listed in /etc/ansible/hosts

If I try a name that is listed in my ssh config, it fails as previously indicated. So, I need to add an entry or two to /etc/ansible/hosts. The server I'm trying to hit is on the other side of a jump server. How do I set this up in /etc/ansible/hosts?

Ansible only wants to talk to hosts in its inventory. If you want your inventory to be your ssh config file, there is a dynamic inventory script called ‘ssh_config.py’ that ships with ansible that will do that for you.

Also, remove "user: prod_deploy" from your playbook; using a 'user' will avoid using your .ssh/config file. Since you are already setting it there, it is redundant.

Hi Henry,

I am most definitely stupider than normal; I blame a recent pigeon infestation and the resulting lack of sleep.

I did not find that script on my system, so I downloaded it from here https://github.com/ansible/ansible/blob/release1.6.2/plugins/inventory/ssh_config.py. It appears to be throwing a python error:

[prod_deploy@srvtoolbox ansible]$ ./ssh_config.py --list
Traceback (most recent call last):
  File "./ssh_config.py", line 111, in <module>
    main(sys.argv[1:])
  File "./ssh_config.py", line 105, in main
    print_list()
  File "./ssh_config.py", line 72, in print_list
    cfg = get_config()
  File "./ssh_config.py", line 67, in get_config
    ret_dict[host] = _copy['config']
KeyError: 'config'

I think you wrote it? Perhaps it would be better if I went away and hunted some pigeons, and got some sleep, and then come back. I feel like I’m getting closer to a solution, even if I’m not getting any smarter.

Have you got a suggestion for next steps? Thank you for your patience,


I did, or at least the line in question. I may have relied too closely on my ability to read the paramiko source code and infer its API contract.

I wrote a stupid patch:
https://github.com/hfinucane/ansible/tree/feature/paramiko-safety

Let me know if that works out for you, or if more things are broken.

Hi Henry,

Thank you so much for such quick responses!

I have not used git much; here is what I did:

- browsed to https://github.com/hfinucane/ansible/blob/feature/paramiko-safety/plugins/inventory/ssh_config.py
- cut and pasted the script into /usr/lib/python2.6/site-packages/ansible/runner/connection_plugins/
- since all of the ansible files are owned by root, I put a copy of ssh_config.py in my user directory so I could run it directly, and made it executable

here are results of test

[prod_deploy@srvtoolbox simontest]$ ./ssh_config.py --list
{"ssh_config": , "_meta": {"hostvars": {}}}

and

[prod_deploy@srvtoolbox simontest]$ ansible tmdb02 -m ping
No hosts matched

I hope that I’ve gone about this in an acceptable way; thank you again for your patience,

Simon

I talked to Simon a little bit out of band; it looks like the problem is his version of Paramiko: it predates both the initial and the working ProxyCommand implementation. You need Paramiko >= 1.10 for parsing support, and if you want to use Paramiko as a transport you want >= 1.10.6.

Hello again, we have updated Paramiko but it appears I still have issues.

ssh_config.py works when I don’t have to hop through a bastion host. When I have to go through a bastion host, it appears to ignore the Proxy variable. I created an entry in ssh config file for jruby1. (The name in the ansible hosts file is jruby01):
[prod_deploy@srvtoolbox simontest]$ ansible-playbook -i /home/prod_deploy/simontest/ssh_config.py fetch_mysql_config2.yml --extra-vars="server_name=jruby1"

[prod_deploy@srvtoolbox simontest]$ ssh -V
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013

[prod_deploy@srvtoolbox log]$ ANSIBLE_SSH_ARGS="" ansible tmdb02 -i /home/prod_deploy/simontest/ssh_config.py -m ping -c ssh -vvvv
<10.124.33.250> ESTABLISH CONNECTION FOR USER: prod_deploy
<10.124.33.250> REMOTE_MODULE ping
<10.124.33.250> EXEC ['ssh', '-C', '-tt', '-vvv', '-o', 'Port=22', '-o', 'KbdInteractiveAuthentication=no', '-o', 'PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey', '-o', 'PasswordAuthentication=no', '-o', 'ConnectTimeout=10', u'10.124.xx.xxx', "/bin/sh -c 'mkdir -p $HOME/.ansible/tmp/ansible-tmp-1405085298.07-20022175021754 && chmod a+rx $HOME/.ansible/tmp/ansible-tmp-1405085298.07-20022175021754 && echo $HOME/.ansible/tmp/ansible-tmp-1405085298.07-20022175021754'"]
tmdb02 | FAILED => SSH encountered an unknown error. The output was:
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /home/prod_deploy/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to 10.124.xx.xxx [10.124.xx.xxx] port 22.
debug2: fd 4 setting O_NONBLOCK
debug1: connect to address 10.124.xx.xxx port 22: No route to host
ssh: connect to host 10.124.xx.xxx port 22: No route to host

[root@srvtoolbox tmp]# pip show pycrypto
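The dynamic-inventory route Henry suggests and the -vvvv trace in the last post fit together. The trace shows ansible handing ssh the raw address (EXEC ['ssh', ..., u'10.124.xx.xxx', ...]), and ssh's own debug output reports "Applying options for *" and nothing for tmdb02, so a ProxyCommand that lives under "Host tmdb02" is never applied and ssh dials an address the toolbox cannot route to. The script below is an added example, not Ansible's plugins/inventory/ssh_config.py: it parses ~/.ssh/config itself (no paramiko, so the installed paramiko version does not matter), exports User, Port and IdentityFile as the Ansible 1.x variables ansible_ssh_user, ansible_ssh_port and ansible_ssh_private_key_file, and on purpose does not export HostName as ansible_ssh_host, so that with -c ssh ansible runs "ssh <alias>" and ssh applies the matching Host stanza, ProxyCommand included. The SSH_CONFIG environment variable, the ssh_config group name and the embedded sample config (made-up addresses) are this example's own choices.

```python
#!/usr/bin/env python
"""Dynamic inventory built from an OpenSSH client config.

Added example, NOT Ansible's plugins/inventory/ssh_config.py.  Parses the
file directly (no paramiko) and never exports HostName as ansible_ssh_host,
so ansible's ssh plugin dials the alias and ssh applies the Host stanza.

Usage:
    ./ssh_inventory.py --list           # every alias + hostvars
    ./ssh_inventory.py --host tmdb02    # hostvars for one alias
    ansible -i ./ssh_inventory.py tmdb02 -m ping -c ssh
"""
import json
import os
import sys

GROUP = 'ssh_config'   # inventory group that receives every alias (our choice)

# ssh_config keyword (lower-cased) -> Ansible 1.x inventory variable
SSH_TO_ANSIBLE = {
    'user': 'ansible_ssh_user',
    'port': 'ansible_ssh_port',
    'identityfile': 'ansible_ssh_private_key_file',
}

# Constructed sample in the layout used in the thread; addresses are made up.
SAMPLE_CONFIG = """\
Host terremarkjump
    HostName 203.0.113.10
    User prod_deploy

Host tmdb02 tmdb02-alt
    User prod_deploy
    HostName 10.124.33.250
    ProxyCommand ssh -q terremarkjump ncat %h 22

Host *.internal
    User ops

Host *
    ServerAliveInterval 30
"""


def parse_ssh_config(text):
    """Return {alias: {keyword: value}} for every concrete Host stanza.

    Wildcard patterns (Host *, *.internal), negations and Match blocks are
    skipped: they are rules, not hosts.  A stanza naming several aliases
    registers each of them.  As in ssh, the first value seen for a keyword wins.
    """
    stanzas = {}
    current = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()      # drop comments and padding
        if not line:
            continue
        parts = line.split(None, 1)
        if '=' in parts[0]:                      # "Key=Value" spelling
            parts = line.split('=', 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].strip().lower(), parts[1].strip()
        if key == 'match':
            current = []
            continue
        if key == 'host':
            current = [a for a in value.split()
                       if '*' not in a and '?' not in a and not a.startswith('!')]
            for alias in current:
                stanzas.setdefault(alias, {})
            continue
        for alias in current:
            stanzas[alias].setdefault(key, value)
    return stanzas


def build_inventory(stanzas):
    """Turn parsed stanzas into the --list JSON ansible expects.

    Deliberately no ansible_ssh_host: ansible then runs "ssh <alias>", ssh
    matches the alias's Host stanza and honours its ProxyCommand.  Exporting
    HostName makes ansible dial the raw address, which only "Host *" matches,
    so a jump-host ProxyCommand is silently skipped and the connect fails.
    """
    hostvars = {}
    for alias, opts in stanzas.items():
        hostvars[alias] = {ans: opts[ssh] for ssh, ans in SSH_TO_ANSIBLE.items()
                           if ssh in opts}
    return {GROUP: sorted(hostvars), '_meta': {'hostvars': hostvars}}


def load_inventory(path=None):
    """Read the config file (default ~/.ssh/config, or $SSH_CONFIG)."""
    path = os.path.expanduser(path or os.environ.get('SSH_CONFIG', '~/.ssh/config'))
    if not os.path.isfile(path):
        return build_inventory({})
    with open(path) as fh:
        return build_inventory(parse_ssh_config(fh.read()))


def main(argv):
    inv = load_inventory()
    if len(argv) == 2 and argv[0] == '--host':
        print(json.dumps(inv['_meta']['hostvars'].get(argv[1], {})))
    else:
        print(json.dumps(inv))


if __name__ == '__main__':
    main(sys.argv[1:])
```

Check the premise outside ansible first: "ssh -v tmdb02" should print "Applying options for tmdb02" before it connects, while "ssh -v 10.124.33.250" applies only "*"; with this inventory, ansible behaves like the former. The script only helps the openssh transport (-c ssh); the paramiko transport does its own config parsing, which is the version problem Henry describes.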