Np, Matt, Ok. That makes sense.
Thanks,
-T

On Mon, Nov 24, 2014 at 2:05 PM, Matt Davis <[email protected]> wrote:

> Sorry for going dark on this thread- I had my notification settings for
> both GG and Github pointing at a dead work email.
>
> I'm sure ping wouldn't work on a private host out of the box, though I
> suspect you can probably get it working with delegate_to (or easily enhance
> it to work).
>
> On Thursday, November 6, 2014 1:06:45 PM UTC-8, Tennis Smith wrote:
>>
>> Damn. I just thought of something.
>>
>> How will "ansible -m ping <somewhere_behind_a_bastion_host>" work?
>>
>> Hope I've overlooked something, but that could be a snag.
>>
>> -T
>>
>> On Monday, November 3, 2014 6:15:37 PM UTC-6, Matt Davis wrote:
>>>
>>> OK, PR 9477 <https://github.com/ansible/ansible/pull/9477> implements
>>> bastion host/port/user/key and ssh_args as inventory vars...
>>>
>>> On Thursday, October 30, 2014 2:01:03 PM UTC-7, Michael DeHaan wrote:
>>>>
>>>> i.e. let's have both, if we want.
>>>>
>>>> On Thu, Oct 30, 2014 at 4:59 PM, Michael DeHaan <[email protected]>
>>>> wrote:
>>>>
>>>>> Commented on Matt's PR, but I think this is a good start.
>>>>>
>>>>> I have also mentioned recently (today) that adding ansible_ssh_args as
>>>>> an inventory variable is also fine with me, to override what might be
>>>>> set in ansible.cfg.
>>>>>
>>>>> On Thu, Oct 30, 2014 at 3:31 PM, Matt Martz <[email protected]> wrote:
>>>>>
>>>>>> I submitted a PR a month or so ago as a possible solution to
>>>>>> specifying bastion hosts via an inventory variable:
>>>>>>
>>>>>> https://github.com/ansible/ansible/pull/9122
>>>>>>
>>>>>> On Thursday, October 30, 2014, Tennis Smith <[email protected]>
>>>>>> wrote:
>>>>>>
>>>>>>> Here is a possible compromise. Another way
>>>>>>> <http://en.wikibooks.org/wiki/OpenSSH/Cookbook/Proxies_and_Jump_Hosts>
>>>>>>> to use a proxy is via this kind of ssh construct:
>>>>>>>
>>>>>>> ssh -o "ForwardAgent=yes" -tt [email protected] ssh -tt [email protected]
>>>>>>>
>>>>>>> It accomplishes the same thing. Could that be passed somehow in
>>>>>>> Ansible in its current code?
>>>>>>>
>>>>>>> -T
>>>>>>>
>>>>>>> On Wednesday, October 29, 2014 1:04:01 PM UTC-5, Matt Davis wrote:
>>>>>>>>
>>>>>>>> I suppose I could do both. I personally prefer the explicit vars- I
>>>>>>>> find it makes the playbooks more readable and maintainable than
>>>>>>>> deciphering ssh_args line noise. I can see where it'd be nice to
>>>>>>>> have the "escape hatch" to do unsupported things, though, too. The
>>>>>>>> trick is getting everything to behave if things get set with the
>>>>>>>> explicit vars and also in ssh_args- there's a bit of code in ssh.py
>>>>>>>> to deal with that already (ssh_args takes precedence IIRC), but
>>>>>>>> there would probably need to be a lot more to make it really robust.
>>>>>>>>
>>>>>>>> On Wednesday, October 29, 2014 10:26:26 AM UTC-7, erewh0n wrote:
>>>>>>>>>
>>>>>>>>> If there was a more generic "ansible_ssh_args" parameter, it could
>>>>>>>>> be used however the user sees fit. It's a more flexible approach
>>>>>>>>> because it assumes less about how the parameter might be used or
>>>>>>>>> implemented in SSH. It just means a little more overhead for the
>>>>>>>>> user to know how to construct that string correctly.
>>>>>>>>>
>>>>>>>>> On Wednesday, October 29, 2014 1:04:45 PM UTC-4, Michael Peters
>>>>>>>>> wrote:
>>>>>>>>>>
>>>>>>>>>> I think that would be my preference. I know in the past there's
>>>>>>>>>> been some pushback against implementing more ansible_ssh_*
>>>>>>>>>> parameters because that's a long rabbit hole considering the
>>>>>>>>>> number of ssh configuration parameters that exist. I agree with
>>>>>>>>>> this point, so if adding one more (ansible_ssh_proxy) is too much,
>>>>>>>>>> then maybe a last and final ansible_ssh_config to point to a
>>>>>>>>>> config file on a per-host/play/task level. Then anything you want
>>>>>>>>>> can be put into that config file and ansible itself wouldn't have
>>>>>>>>>> to ever add any other ansible_ssh_* parameters.
>>>>>>>>>>
>>>>>>>>>> Either way would solve the problem, although the latter is more
>>>>>>>>>> complicated to implement for users (would probably need to have
>>>>>>>>>> the dynamic inventory dynamically generate ssh config files too).
>>>>>>>>>>
>>>>>>>>>> On Wed, Oct 29, 2014 at 12:45 PM, Tennis Smith
>>>>>>>>>> <[email protected]> wrote:
>>>>>>>>>> >
>>>>>>>>>> > How about implementing "ansible_ssh_proxy" to match
>>>>>>>>>> > "ansible_ssh_user" and "ansible_ssh_host"?
>>>>>>>>>> > -T
>>>>>>>>>> >
>>>>>>>>>> > On Wednesday, October 29, 2014 11:36:42 AM UTC-5, erewh0n wrote:
>>>>>>>>>> >>
>>>>>>>>>> >> Good point -- so configuration per play might be inflexible. I
>>>>>>>>>> >> guess the better choice is a variable that can be modified per
>>>>>>>>>> >> host/group/play. Call it "ssh_args" and give it the same
>>>>>>>>>> >> meaning as ANSIBLE_SSH_ARGS. Assign it per host, group or play
>>>>>>>>>> >> where required and use the "-o" option to pass in ProxyCommand
>>>>>>>>>> >> parameters.
>>>>>>>>>> >>
>>>>>>>>>> >> This seems pretty clean, although I'm not sure what the
>>>>>>>>>> >> convention is for exposing new "global" variable state in
>>>>>>>>>> >> Ansible. :)
>>>>>>>>>> >>
>>>>>>>>>> >> On Wednesday, October 29, 2014 12:19:41 PM UTC-4, Michael
>>>>>>>>>> >> Peters wrote:
>>>>>>>>>> >>>
>>>>>>>>>> >>> Another use case to consider (that I myself have come up
>>>>>>>>>> >>> against) is configuring the bastion per-host from a dynamic
>>>>>>>>>> >>> inventory. The servers need to use a different bastion
>>>>>>>>>> >>> depending on their role and location.
>>>>>>>>>> >>>
>>>>>>>>>> >>> On Wed, Oct 29, 2014 at 12:17 PM, erewh0n <[email protected]>
>>>>>>>>>> >>> wrote:
>>>>>>>>>> >>> > Thinking on this a bit more ... it seems there are two use
>>>>>>>>>> >>> > cases here: how to dynamically change your SSH control
>>>>>>>>>> >>> > connection during playbook execution and how to
>>>>>>>>>> >>> > subsequently refer to the new bastion host on subsequent
>>>>>>>>>> >>> > calls to ansible-playbook. If you could set SSH arguments
>>>>>>>>>> >>> > per play, then I think both of these cases are addressed:
>>>>>>>>>> >>> >
>>>>>>>>>> >>> > - hosts: all
>>>>>>>>>> >>> >   connection: ssh
>>>>>>>>>> >>> >   connection_args:
>>>>>>>>>> >>> >     proxy_host: "{{ groups.bastion[0] }}"
>>>>>>>>>> >>> >     proxy_port: 22
>>>>>>>>>> >>> >     user: johndoe
>>>>>>>>>> >>> >
>>>>>>>>>> >>> > The 'connection_args' feature implies you no longer require
>>>>>>>>>> >>> > SSH config files (but could optionally use them if
>>>>>>>>>> >>> > preferred). It could be used dynamically within a playbook
>>>>>>>>>> >>> > to override your defaults that come from
>>>>>>>>>> >>> > "ANSIBLE_SSH_ARGS", for example.
>>>>>>>>>> >>> >
>>>>>>>>>> >>> > I can see an argument for just specifying raw SSH command
>>>>>>>>>> >>> > line arguments as well, something like:
>>>>>>>>>> >>> >
>>>>>>>>>> >>> > - hosts: all
>>>>>>>>>> >>> >   connection: ssh
>>>>>>>>>> >>> >   connection_args:
>>>>>>>>>> >>> >     command_line: "-o ProxyCommand ssh -W %h:%p -l johndoe johndoe@{{ groups.bastion[0] }}"
>>>>>>
>>>>>> --
>>>>>> Matt Martz
>>>>>> @sivel
>>>>>> sivel.net
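
The per-host bastion case raised in the thread (a dynamic inventory where each server's bastion depends on its role and location), as an added example that is not part of the original messages or of either PR. It uses `ansible_host` and `ansible_ssh_common_args`, the variable names in current Ansible releases rather than the ones proposed in the thread; the host names, addresses and the `ops` user are constructed.

```python
#!/usr/bin/env python3
"""Dynamic inventory sketch: choose a bastion per host by role and location."""
import json
import re
import shlex

# Constructed sample data; a real script would query a CMDB or cloud API.
BASTIONS = {
    ("web", "us-east"): "bastion-use1.example.com",
    ("db", "eu-west"): "bastion-euw1.example.com",
}
HOSTS = [
    {"name": "web01", "role": "web", "location": "us-east", "ip": "10.0.1.10"},
    {"name": "db01", "role": "db", "location": "eu-west", "ip": "10.8.2.20"},
]

# ssh hands ProxyCommand to the local shell, so inventory-sourced names must
# not carry shell metacharacters or start with "-" (option injection).
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")


def proxy_args(bastion, user, port=22):
    """Return ssh arguments that tunnel the connection through `bastion`."""
    for value in (bastion, user):
        if not _SAFE_NAME.fullmatch(value):
            raise ValueError("unsafe value for ProxyCommand: %r" % (value,))
    if not isinstance(port, int) or not 1 <= port <= 65535:
        raise ValueError("invalid port: %r" % (port,))
    proxy = "ssh -W %h:%p -q -p {} -l {} {}".format(port, user, bastion)
    # Quote so the ProxyCommand stays one argument when the string is split.
    return "-o ProxyCommand=" + shlex.quote(proxy)


def build_inventory(hosts, bastions, user="ops"):
    """Build the JSON structure Ansible expects from `--list`."""
    inv = {"all": {"hosts": []}, "_meta": {"hostvars": {}}}
    for host in hosts:
        bastion = bastions[(host["role"], host["location"])]
        inv["all"]["hosts"].append(host["name"])
        inv["_meta"]["hostvars"][host["name"]] = {
            "ansible_host": host["ip"],
            "ansible_ssh_common_args": proxy_args(bastion, user),
        }
    return inv


if __name__ == "__main__":
    print(json.dumps(build_inventory(HOSTS, BASTIONS), indent=2))
```

Unlike the `ForwardAgent=yes` construct quoted in the thread, `ssh -W` only forwards the TCP stream, so the bastion never gets access to the caller's agent.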
