On 02/05/2014 02:31 PM, Matt Martz wrote:
I use bastions for nearly all of my communication with servers.  It is
all done via my ~/.ssh/config file.  Something like:

Host bastion
     User                   myuser
     HostName               bastion.example.org
     ProxyCommand           none
     IdentityFile           ~/.ssh/id_rsa
     BatchMode              yes
     PasswordAuthentication no

Host *
     ServerAliveInterval    60
     TCPKeepAlive           yes
     ProxyCommand           ssh -qaY bastion 'nc -w 14400 %h %p'
     ControlMaster          auto
     ControlPath            ~/.ssh/mux-%r@%h:%p
     ControlPersist         8h

In ~/.ansible.cfg I then have

[ssh_connection]
ssh_args = -o ControlPersist=15m -F ~/.ssh/config
scp_if_ssh = True
control_path = ~/.ssh/mux-%%r@%%h:%%p

Nothing else required.  I execute ansible and all my connections go
through the bastion.  Your "Host *" might benefit from being more
targeted.  In any case, I also have to use these same configs for normal
SSH access, so for me it makes sense to just have them in my ssh config.

I really don't see a need to modify anything within Ansible to do this.

When Ansible is configured to auto-create a cluster of brand new virtual machines, all connected to a brand new auto-generated vlan, and all behind a single front-end router (again, also a virtual machine), then a series of test cases are run on this isolated universe of machines, then the entire virtualized cluster is thrown away. The machines in the isolated cluster will have the exact same address as *real* internet servers, so it's not possible at all to connect to them directly.

You'd have to auto-generate the config file for ssh in this case.

PS: Someone kick me later to publish my OpenNebula dynamic inventory script, and OpenNebula task (support for template instantiate, vm delete). I'd need to rewrite the former from Perl to Python, and the latter from shell to Python.

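What auto-generating the ssh config for one throwaway cluster could look like, as an added example that is not part of either message. The function names, the alias scheme, the per-cluster known_hosts file and the sample addresses are assumptions; the ProxyCommand form is the one from the quoted config.

```python
import ipaddress
import re

# Names end up in a file whose ProxyCommand line is run by a shell, so allow
# only characters that cannot start a new directive or a shell construct.
_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]*")
_PATH = re.compile(r"[A-Za-z0-9_./~-]+")


def _block(cluster, alias, address, user, proxy):
    return "\n".join([
        f"Host {alias}",
        f"     User                   {user}",
        # ip_address() raises ValueError on anything that is not a bare address
        f"     HostName               {ipaddress.ip_address(address)}",
        # Key host keys by alias, in a per-cluster file, so a throwaway VM
        # never overwrites or matches the entry of the real server it shadows
        f"     HostKeyAlias           {alias}",
        f"     UserKnownHostsFile     ~/.ssh/known_hosts-{cluster}",
        "     ControlMaster          auto",
        # %h is the (colliding) address, so the cluster name keeps sockets apart
        f"     ControlPath            ~/.ssh/mux-{cluster}-%r@%h:%p",
        f"     ProxyCommand           {proxy}",
    ])


def render_cluster_ssh_config(cluster, router_ip, hosts, config_path, user):
    """hosts maps short name -> address inside the isolated vlan."""
    for name in (cluster, user, *hosts):
        if not _NAME.fullmatch(name):
            raise ValueError(f"unsafe name: {name!r}")
    if not _PATH.fullmatch(config_path):
        raise ValueError(f"unsafe config path: {config_path!r}")
    router = f"{cluster}-router"
    # The inner ssh needs -F too, or it would not know the router alias
    via = f"ssh -F {config_path} -qaY {router} 'nc -w 14400 %h %p'"
    blocks = [_block(cluster, router, router_ip, user, "none")]
    blocks += [_block(cluster, f"{cluster}-{name}", addr, user, via)
               for name, addr in sorted(hosts.items())]
    return "\n\n".join(blocks) + "\n"


if __name__ == "__main__":
    # Constructed sample values (documentation address ranges)
    print(render_cluster_ssh_config(
        "test42", "192.0.2.10", {"web1": "203.0.113.5", "db1": "203.0.113.6"},
        "~/.ssh/config-test42", "myuser"))
```

Write the result to the path given as `config_path` and point `ssh_args` at it with `-F`, as in the quoted ansible.cfg; delete the config and the per-cluster known_hosts file when the cluster is destroyed.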