Matt, doesn't this prevent you from using ec2 dynamic inventory? For me, 
being unable to dynamically discover instances as they come and go in the 
VPC is a huge limitation.

On Thursday, February 6, 2014 7:31:20 AM UTC+11, Matt Martz wrote:
>
> I use bastions for nearly all of my communication with servers.  It is all 
> done via my ~/.ssh/config file.  Something like:
>
> Host bastion
>     User                   myuser
>     HostName               bastion.example.org
>     ProxyCommand           none
>     IdentityFile           ~/.ssh/id_rsa
>     BatchMode              yes
>     PasswordAuthentication no
>
> Host *
>     ServerAliveInterval    60
>     TCPKeepAlive           yes
>     ProxyCommand           ssh -qaY bastion 'nc -w 14400 %h %p'
>     ControlMaster          auto
>     ControlPath            ~/.ssh/mux-%r@%h:%p
>     ControlPersist         8h
>
> In ~/.ansible.cfg I then have
>
> [ssh_connection]
> ssh_args = -o ControlPersist=15m -F ~/.ssh/config
> scp_if_ssh = True
> control_path = ~/.ssh/mux-%%r@%%h:%%p
>
> Nothing else required.  I execute ansible and all my connections go 
> through the bastion.  Your "Host *" might benefit from being more targeted. 
>  In any case, I also have to use these same configs for normal SSH access, 
> so for me it makes sense to just have them in my ssh config.
>
> I really don't see a need to modify anything within Ansible to do this.
> -- 
> Matt Martz
> [email protected]
>
> On February 5, 2014 at 2:09:24 PM, Adam Heath ([email protected]) wrote:
>
> I just looked over ssh.py and ssh_old.py; if I were to actually want to 
> sit down and do this, I would factor those 2 classes into a common base 
> class, then introduce a third version that supported ProxyCommand. 
>
> ps: I notice something odd in the two files above: 
>
> == 
> - def exec_command(self, cmd, tmp_path, sudo_user=None, 
> sudoable=False, executable='/bin/sh', in_data=None, su=False, 
> su_user=None): 
> + def exec_command(self, cmd, tmp_path, sudo_user=None, 
> sudoable=False, executable='/bin/sh', in_data=None, su_user=None, 
> su=False): 
> == 
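Review bot: the last two parameters of exec_command are declared as su=False, su_user=None in one file and su_user=None, su=False in the other, so a caller that passes them positionally binds a user name to the boolean su flag (or the reverse) depending on which connection class is loaded. Declare them in the same order in both ssh.py and ssh_old.py, or pass su and su_user by keyword at every call site.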
>
> Why is the order of the last 2 args reversed for those two files? Seems 
> like it might cause some confusion. 
>
> On 02/05/2014 01:51 PM, Adam Heath wrote: 
> > I've had musings on that too. Currently, I think you'd have to manually 
> > configure $HOME/.ssh/config, with ProxyCommand. 
> > 
> > However, I just had a thought. What if there was an 
> > ansible_ssh_proxy=$other_inventory_host feature? When set, ansible 
> > would auto-add the -o ProxyCommand="$something". 
> > 
> > This is just some random brainstorm ramblings. 
> > 
> > On 02/05/2014 12:59 PM, Jeff Lord wrote: 
> >> Hello, 
> >> 
> >> I am building out an env in AWS using ansible and would like to 
> >> configure all of my hosts by running through a single bastion host which 
> >> has port 22 open. 
> >> Laptop -> AWS Bastion -> AWS private network instances 
> >> 
> >> Is there a good example of how to configure the proxy around? 
> >> 
> >> Thank You in advance, 
> > 
>

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/41fc268e-ebc7-4b69-a75b-c694ab6dc46a%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
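
Added example (not from the thread and not Ansible's code): a small resolver for the first-match-wins rule of ssh_config, which is what makes `ProxyCommand none` on the bastion block take effect before `Host *`, and which shows what narrowing `Host *` changes. The `10.0.*` pattern and the sample addresses are assumptions constructed for illustration.

```python
import fnmatch

# Constructed sample: the layout quoted in the thread, reduced to the
# keywords that matter here. 10.0.* is an assumed VPC range, not from the thread.
BROAD = """\
Host bastion
    HostName     bastion.example.org
    ProxyCommand none

Host *
    ProxyCommand ssh -qaY bastion 'nc -w 14400 %h %p'
"""
TARGETED = BROAD.replace("Host *", "Host 10.0.*")

def parse(text):
    """Return [(patterns, {keyword: value})] in file order."""
    blocks = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "host":
            blocks.append((value.split(), {}))
        elif blocks:
            # Inside a block the first value for a keyword is kept too.
            blocks[-1][1].setdefault(key, value)
    return blocks

def host_matches(host, patterns):
    """Any positive pattern must match and no negated ('!') pattern may.
    Simplification: fnmatch also accepts [..] classes, ssh_config does not."""
    if any(p.startswith("!") and fnmatch.fnmatchcase(host, p[1:]) for p in patterns):
        return False
    return any(not p.startswith("!") and fnmatch.fnmatchcase(host, p) for p in patterns)

def effective(text, host, keyword):
    """Value from the first matching block that sets the keyword, else None."""
    for patterns, opts in parse(text):
        if host_matches(host, patterns) and keyword in opts:
            return opts[keyword]
    return None

def via_bastion(text, host):
    """True when connections to host would be tunnelled by a ProxyCommand."""
    cmd = effective(text, host, "proxycommand")
    return cmd is not None and cmd != "none"
```

With the broad pattern every destination, including unrelated external hosts, is tunnelled through the bastion; with the narrowed pattern only names or addresses matching it are.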
