Hi,
I am trying to figure out how to use wait_for to start to detect ssh on a VPC host that needs to use 2 tunnels to be reached. I cannot use the IP address as it collides with my local network. DNS also doesn’t work but my tunnels work fine. I’m using SOCKs because I use a browser to access the VPC too.
Here is my setup in pictograph:
Dev → bastion.Prod → Bastion.AWS → VPC/internal
There is ONLY ssh available via Dev & bastion.Prod, hence SOCKs tunnel1 for the rest of *.example.com hosts. Bastion.AWS can only be reached via Prod via SSH hence a 2nd SOCKS tunnel. Bastion.AWS can only reach VPC via ssh. 10.0.0.0/24 is the bastion subnet. 10.0.1.0/24 is the internal subnet. I’m launching instances into VPC/10.0.1.0
I use Host namespaces in .ssh/config (which are generally NOT dns resolvable from Dev) to decide the tunnel to use.
I can only reach bastion.example.com directly and by its resolvable dns name - the only dns resolvable name.
My tunnel works as follows:
```
Host *.example.com
    ProxyCommand nc -x localhost:1080 %h %p
Host ec2
    ServerAliveInterval 50
    DynamicForward localhost:1090
    User ec2-user
    ProxyCommand nc -x localhost:1080 54.165.xx.yy 22
Host ip-10-0-1-*.ec2.internal
    ProxyCommand nc -x localhost:1090 %h %p
    User ubuntu
    IdentityFile /home/me/.ssh/soc-proto-internal.pem
# bastion
Host ip-10-0-0-*.ec2.internal
    ProxyCommand nc -x localhost:1090 %h %p
    User ec2-user
    IdentityFile /home/fortescu/.ssh/soc-proto-useast1.pem
```
tunnel1:
```
dev # ssh -vvv -D 1080 -N -q me@bastion.example.com
OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
```
tunnel2:
```
dev # ssh ec2
Amazon Linux version 2015.03 is available.
[ec2-user@ip-10-0-0-188 ~]$
```
Now, from Dev the following works fine:
```
dev # ssh ip-10.0.1.32
Last login: Tue Jun 2 19:15:07 2015 from ip-10-0-0-188.ec2.internal
ubuntu@ip-10-0-1-32:~$
```
So how can I get this to work with wait_for?! The ‘private_dns_name’ emits and is in the tmp wait_for python script so it’s got the right form. I can even grab that same address while waiting on wait_for and ssh into it!
Here’s the relevant ansible play:
```
- name: Launch Opscenter instances
  ec2:
    key_name: "{{ key_name }}"
    group_id: "{{ security_group }}"
    instance_type: "{{ instance_type }}"
    image: "{{ image }}"
    wait: true
    region: "{{ region }}"
    vpc_subnet_id: "{{ subnet_id }}"
    assign_public_ip: no
    ebs_optimized: no
    instance_tags:
      Name: "cassandra_opscenter"
      dbtype: cassandra
  register: ec2

- name: Logging
  debug: msg="{{ item }}"
  with_items: ec2.instances

- name: Add new instance to host group
  add_host: hostname={{ item['private_dns_name'] }} ansible_ssh_host={{ item['private_dns_name'] }} groups=launched,opscenter_nodes
  with_items: ec2.instances

- name: Wait for SSH to come up
  local_action: wait_for port=22 host="{{ item['private_dns_name'] }}" search_regex=OpenSSH delay=10
  with_items: ec2.instances
```
I know I must be missing something obvious but it seems like wait_for is stubbornly trying to use DNS (which will fail) instead of .ssh/config.
Am I chasing a unicorn here? Can this be made to work?
Any and all advice deeply appreciated.
Chris
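Added example, not part of Chris's post or of Ansible: wait_for runs on the control host and does a plain TCP connect there, so it resolves the name locally and never sees the ProxyCommand in .ssh/config. The script below reproduces wait_for's port-22 / search_regex check but dials through the second SOCKS tunnel using a SOCKS5 DOMAINNAME request, so the name is resolved at the far end exactly as `nc -x` does. The proxy address (localhost:1090, taken from the config above), the retry interval and the timeout are assumptions.

```python
import re, socket, struct, time
SOCKS5, ATYP_DOMAIN = 5, 3

def socks5_connect_request(host, port):
    """CONNECT request using DOMAINNAME addressing: the proxy end (behind ssh -D) resolves the name."""
    name = host.encode("idna")
    if not 0 < len(name) < 256:
        raise ValueError("SOCKS5 hostname must be 1..255 bytes")
    return bytes([SOCKS5, 1, 0, ATYP_DOMAIN, len(name)]) + name + struct.pack("!H", port)

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection")
        buf += chunk
    return buf

def socks5_open(proxy, host, port, timeout=10):
    """Return a socket to host:port established through the SOCKS5 proxy at (addr, port)."""
    sock = socket.create_connection(proxy, timeout=timeout)
    sock.sendall(bytes([SOCKS5, 1, 0]))                 # greeting: offer only "no auth"
    if _recv_exact(sock, 2) != bytes([SOCKS5, 0]):
        raise ConnectionError("proxy rejected the no-auth method")
    sock.sendall(socks5_connect_request(host, port))
    ver, rep, _rsv, atyp = _recv_exact(sock, 4)
    if ver != SOCKS5 or rep != 0:
        raise ConnectionError("SOCKS5 CONNECT failed, reply code %d" % rep)
    addr_len = {1: 4, 4: 16}.get(atyp) or _recv_exact(sock, 1)[0]  # IPv4 / IPv6 / domain
    _recv_exact(sock, addr_len + 2)                     # drain bound address + port
    return sock

def banner_matches(banner, search_regex):
    """The check wait_for makes: does the first read from the port match search_regex?"""
    return re.search(search_regex, banner.decode("ascii", "replace")) is not None

def wait_for_ssh(host, proxy=("localhost", 1090), port=22, search_regex="OpenSSH", delay=10, timeout=300):
    """wait_for equivalent that dials through the SOCKS tunnel instead of connecting locally."""
    time.sleep(delay)
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        try:
            with socks5_open(proxy, host, port) as sock:
                if banner_matches(sock.recv(256), search_regex):
                    return True
        except OSError:        # refused, reset or proxy error: instance not ready yet
            pass
        time.sleep(5)
    return False
```

Run it from the play as a `local_action: command` (or `script`) per instance, passing `item['private_dns_name']` as `host`, while the `ssh ec2` session that provides the 1090 listener stays up.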