ansible-ssh
Various improvements
Before #2 This one works, but it's ugly.
I don't know if the project is still alive, but I added the possibility to use a jumphost and different usernames, as in my setup, ansible runs in a pipeline with a non personal account (NPA), but I can connect to the hosts with my own username. If you want, I can create a PR to merge it back.
@cselaru Alive, not actively developed because now I prefer a script that generates ssh config from ansible inventory, leaving custom entries untouched. Someday I will find time to make it less ugly and put it on GitHub.
I also use a jumphost, I set it up using ansible variables magic, so ansible-ssh should work with that without modifications: https://selivan.github.io/2020/10/30/ansible-ssh-bastion-host-with-variables.html
I would be happy to see both features (jump host and NPA) in separate PRs, I will look if I can merge them.
I cannot use ansible variables in my setup to configure a jumphost, because playbooks run in Ansible Tower and there they don't need a jumphost. I only need the jumphost when I try to connect from my local laptop, so I would prefer to keep these settings separate from ansible. Your reply gave me some improvement ideas so, first, I will work on that and then do the PRs. Thanks!
We maintain many repositories with customer specific playbooks and host data, so ansible-ssh really helps us log in on the right customer system if needed, but we also have multiple cases where ssh.config has been configured for bastions / jump hosts. So I for one would be very interested in a solution to use that info from ssh.config
@GamerGun Could you show your ansible configuration so that I understand how you use the jump host? There are several ways to do that.
I am not much using ansible-ssh now, I switched to generating .ssh/config from ansible inventory using project-specific prefixes. But I can look into that option.
Sure!
ansible.cfg
[defaults]
retry_files_enabled = False
roles_path=./roles
[ssh_connection]
ssh_args = -F ssh.config -vv
ssh.config
Host staging_bastion
User gamergun
HostName 6.7.8.9.0
ControlMaster auto
ControlPath ~/.ssh/ansible-%r@%h:%p
ControlPersist 5m
StrictHostKeyChecking no
Host production_bastion
User gamergun
HostName 1.2.3.4.5
ControlMaster auto
ControlPath ~/.ssh/ansible-%r@%h:%p
StrictHostKeyChecking no
ControlPersist 5m
Host 172.17.*
ProxyCommand ssh -W %h:%p staging_bastion -F ./ssh.config
StrictHostKeyChecking no
User gamergun
Host 172.16.*
ProxyCommand ssh -W %h:%p production_bastion -F ./ssh.config
StrictHostKeyChecking no
User gamergun
So manually we do for example;
ssh -F ssh.config 172.16.50.105
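Added example, not part of the original thread or of ansible-ssh: a small Python resolver that applies ssh_config's first-value-wins rule to an abridged copy of the ssh.config above, reporting which bastion a target is routed through and whether host key checking is disabled for it. The function names are hypothetical; it assumes whitespace-separated keywords, `*`/`?` Host patterns and a `ssh -W %h:%p <alias>` style ProxyCommand.

```python
import fnmatch
import shlex

# Constructed sample: the ssh.config from the comment above, abridged.
SSH_CONFIG = """\
Host staging_bastion
  HostName 6.7.8.9.0
  StrictHostKeyChecking no
Host production_bastion
  HostName 1.2.3.4.5
  StrictHostKeyChecking no
Host 172.17.*
  ProxyCommand ssh -W %h:%p staging_bastion -F ./ssh.config
  StrictHostKeyChecking no
  User gamergun
Host 172.16.*
  ProxyCommand ssh -W %h:%p production_bastion -F ./ssh.config
  StrictHostKeyChecking no
  User gamergun
"""

def host_matches(patterns, target):
    """A negated (!) pattern that matches vetoes the block; else one positive match is needed."""
    if any(fnmatch.fnmatchcase(target, p[1:]) for p in patterns if p.startswith("!")):
        return False
    return any(fnmatch.fnmatchcase(target, p) for p in patterns if not p.startswith("!"))

def effective_options(config_text, target):
    """Options ssh would apply to target: the first value seen for a keyword wins."""
    options, active = {}, True  # lines before the first Host block apply to every host
    for raw in config_text.splitlines():
        parts = raw.split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        keyword, value = parts[0].lower(), parts[1].strip()
        if keyword == "host":
            active = host_matches(value.split(), target)
        elif active:
            options.setdefault(keyword, value)
    return options

def jump_host(options):
    """Bastion alias from a 'ssh -W %h:%p <alias> ...' ProxyCommand, or None (assumed form)."""
    argv = shlex.split(options.get("proxycommand", ""))
    if "-W" in argv and argv.index("-W") + 2 < len(argv):
        return argv[argv.index("-W") + 2]
    return None
```

On a machine with OpenSSH installed, `ssh -G -F ssh.config 172.16.50.105` prints the options the real client resolves, which is the authoritative check.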
@GamerGun
Could you please also post output of ansible --version and ansible-config dump | grep -i ssh (excluding private parts)?
I can not get ssh_args from [ssh_connection] in ansible-config dump with my ansible 2.10
@selivan Sure thing. Ansible is installed locally with brew (Mac)
ansible 2.10.6
config file = /Users/tomextel/git/ansible-playbooks-uniface/ansible.cfg
configured module search path = ['/Users/tomextel/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/local/Cellar/ansible/3.0.0/libexec/lib/python3.9/site-packages/ansible
executable location = /usr/local/bin/ansible
python version = 3.9.2 (default, Feb 24 2021, 13:26:09) [Clang 12.0.0 (clang-1200.0.32.29)]
The config dump
ANSIBLE_SSH_ARGS(/Users/gamergun/git/ansible-playbooks-customer/ansible.cfg) = -F ssh.config
ANSIBLE_SSH_CONTROL_PATH(default) = None
ANSIBLE_SSH_CONTROL_PATH_DIR(default) = ~/.ansible/cp
ANSIBLE_SSH_EXECUTABLE(default) = ssh
ANSIBLE_SSH_RETRIES(default) = 0
DEFAULT_SCP_IF_SSH(default) = smart
DEFAULT_SSH_TRANSFER_METHOD(default) = None
NETCONF_SSH_CONFIG(default) = None
Although I'm a bit confused, just tried ansible-ssh on this customer and that seemed to work with a jumphost?
./ansible-ssh stg-jira
ssh_args: -F ssh.config
ssh_executable: ssh
ansible_host: 1.2.3.4
ansible_user: gamergun
ansible_port:
ansible_ssh_private_key_file:
ansible_ssh_common_args:
ansible_ssh_extra_args:
result command: ssh [email protected] -F ssh.config
Last login: Fri Mar 5 10:00:27 2021 from xxx.eu-west-1.compute.internal
__| __|_ )
_| ( / Amazon Linux 2 AMI
___|\___|___|
https://aws.amazon.com/amazon-linux-2/
[gamergun@ip-1-2-3-4 ~]$
There is no way to connect to that IP directly (1.2.3.4 is a 10. ip) - can't ping or ssh to it - so this must have gone through the jumphost. The "result command" confirms that.
So I wonder in which case it did fail for me recently ...
@GamerGun
ANSIBLE_SSH_ARGS(/Users/gamergun/git/ansible-playbooks-customer/ansible.cfg) = -F ssh.config
Looks like it works in your case, because ansible-ssh utilizes ANSIBLE_SSH_ARGS.
@cselaru Check out the new version, now it can render jinja templates inside variables if present. Maybe that will resolve your issue with using a jumphost.