Hi
Is ssh tunneling possible in ansible? Could I get ansible to use my .ssh/config settings?
Regards
Not presently. It’s technically possible but not something I am going to work on. Tools that offer other transports
than SSH don’t have built-in support for SSH tunneling, so that doesn’t seem to be necessary.
You can easily tunnel to somewhere and run ansible from there after you tunnel.
It does seem technically possible:
http://stackoverflow.com/questions/2323471/problem-originating-ssh-tunnels-from-python
However I’m not sure we want to incur the cost of keeping it up. Part of Ansible’s goals are to remain
small and tight, so that means saying no to features that can be easily solved in other ways.
In this case, ssh tunneling to run ansible on the tunneled-to-host seems fair to me.
Thoughts?
–Michael
Hi
I support the notion of a tool doing one thing and doing it well, otherwise it becomes fat and unwieldy very quickly…
In our infrastructure we access all servers via bastions, which would mean that if I wanted to use ansible it would have to live on the bastion server. I would then need to log in to the bastion server with the -A (ssh) flag at least and everything should work. It's inconvenient but not impossible. I have a similar setup for my lab environment. All servers in the lab have two interfaces, a private and a public. The public gets an IP from the router or local DHCP server, which enables me to easily access the server from my desktop. The private network is for running all other services… that way I can keep it separate from production stuff and the lab environment could easily work at home and at work. I have a “bastion” server that I use to connect to my lab environment which is similar to the above. Why am I typing all this, a use case I guess. There is one more advantage of having my lab setup in this way… I can call it any domain… I thus have the following entry in my .ssh/config file:
Host *.example.com
    ProxyCommand ssh -q -A root@192.168.12.15 nc %h %p
    user root
so even if example.com is not resolvable from my desktop it will be from the bastion host. I thus don’t have to mix lab and prod dns and I can replicate/duplicate without breaking stuff…
I do think other people will have legitimate use cases for ssh forwarding but I also agree that it should not really be ansible’s responsibility. Maybe ansible could “surface” the settings that would allow you to do it, but take no further responsibility?
I have become somewhat of an OpenSSH power user, so being limited to the python ssh library feels a bit restrained. One of the things I do is to re-use connections. This makes connecting to a server via a bastion extremely quick if you are already connected to that bastion and could be useful/interesting when you start doing lots of connections in ansible…
Regards
nod.
If someone gives me a clean patch for this we can consider it. I am not sure how often the problem of multiple bastion hosts comes into play.
I don’t see a way for ansible to make this any easier without implementing ssh forwarding directly and also representing the mappings in the host file.
I’d suggest we table this for now until we can get more of the core functionality covered.
The SSH backend is technically pluggable already so there’s not much stopping you from attempting a paramiko-less version using scp and SSH commands. That would cut a dependency. Check out connection.py and see what you can do.
–Michael
nod.
If someone gives me a clean patch for this we can consider it. I am not sure how often the problem of multiple bastion hosts comes into play.
It’s a late reply as a victim of multiple bastion hosts… I found the latest Ansible already recognizes ProxyCommand in ~/.ssh/config, which Gerhardus claimed not?
Precisely, it is the ssh transport provided by ssh.py, while paramiko_ssh.py does not recognize the configure file yet. Another problem is EL5 paramiko is 1.7.7.1, which does not include the ProxyCommand plugin, although the current paramiko github repo (release 1.11.0) does.
I am wondering whether paramiko is just an interim means for one to get started? Although ControlPersist is an OpenSSH 5.5 feature, ControlMaster has been a shipped feature for a long time. With ControlMaster enabled, ssh is significantly faster than paramiko; in my case it is 0.3s vs. 1s. As a result, I guess paramiko is not a recommended transport for production use. If my guess stands, I feel a little hesitant to contribute a patch to add ProxyCommand to the paramiko transport.
I don’t see a way for ansible to make this any easier without implementing ssh forwarding directly and also representing the mappings in the host file.
As stated above, ssh.py already supports ProxyCommand in ~/.ssh/config. It is not an easy job to add support for paramiko (it needs many ansible command line options to configure the proxy), to say nothing of the ProxyCommand plugin missing from the EL repo. I prefer ~/.ssh/config understood by the ssh transport as a workaround, instead of additional vars in the ansible inventory.
I’d suggest we table this for now until we can get more of the core functionality covered.
The SSH backend is technically pluggable already so there’s not much stopping you from attempting a paramiko-less version using scp and SSH commands.
That might be the now-called ssh.py …
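The bastion hop and the connection reuse discussed in this thread, combined in one `~/.ssh/config` fragment as an added example (not taken from any poster or from Ansible). The address and host pattern are the ones from the post above; the `bastion` alias, the `~/.ssh/cm` socket directory and the 10-minute persist time are assumptions. As the thread notes, only the OpenSSH-based transport (ssh.py) reads this file.

```sshconfig
# Constructed example. Assumes ~/.ssh/cm already exists with mode 0700;
# ssh does not create the ControlPath directory itself.

Host bastion
    HostName 192.168.12.15
    User root
    # One authenticated master connection, reused by every later hop
    # through the bastion (the speed-up described in the thread).
    ControlMaster auto
    ControlPath ~/.ssh/cm/%r@%h:%p
    # Keep the master open in the background after the first session exits
    # (needs an OpenSSH release that supports ControlPersist).
    ControlPersist 10m
    # The bastion only relays bytes; it never needs the local agent.
    ForwardAgent no

Host *.example.com
    User root
    # The outer ssh runs nc on the bastion and pipes the inner session
    # through it. The inner session is authenticated end to end from the
    # workstation, so the -A flag from the original entry is not required
    # and the agent socket is never exposed to users on the bastion.
    ProxyCommand ssh -q bastion nc %h %p
    ForwardAgent no
    # Names under example.com are resolved by nc on the bastion, so they
    # do not have to resolve on the workstation.
    ControlMaster auto
    ControlPath ~/.ssh/cm/%r@%h:%p
    ControlPersist 10m
```

The control sockets grant a ready-authenticated session to anyone who can open them, which is why the directory that holds them should be readable by its owner only.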