Hi Benno,

Et voila! That worked great.

A deep bow.

Chris

On Tuesday, June 2, 2015 at 8:21:19 PM UTC-7, [email protected] wrote:
> Hi,
>
> I am trying to figure out how to use wait_for to start to detect ssh on a
> VPC host that needs to use 2 tunnels to be reached. I cannot use the IP
> address as it collides with my local network. DNS also doesn't work but my
> tunnels work fine. I'm using SOCKs because I use a browser to access the
> VPC too.
>
> Here is my setup in pictograph:
>
> Dev -> bastion.Prod -> Bastion.AWS -> VPC/internal
>
> There is ONLY ssh available via Dev & bastion.Prod, hence SOCKs tunnel1
> for the rest of *.example.com hosts. Bastion.AWS can only be reached via
> Prod via SSH hence a 2nd SOCKS tunnel. Bastion.AWS can only reach VPC via
> ssh. 10.0.0.0/24 is the bastion subnet. 10.0.1.0/24 is the internal
> subnet. I'm launching instances into VPC/10.0.1.0
>
> I use Host namespaces in .ssh/config (which are generally NOT dns
> resolvable from Dev) to decide the tunnel to use.
>
> I can only reach bastion.example.com directly and by its resolvable dns
> name - the only dns resolvable name.
>
> My tunnel works as follows:
>
> Host *.example.com
>     ProxyCommand nc -x localhost:1080 %h %p
> Host ec2
>     ServerAliveInterval 50
>     DynamicForward localhost:1090
>     User ec2-user
>     ProxyCommand nc -x localhost:1080 54.165.xx.yy 22
>
> Host ip-10-0-1-*.ec2.internal
>     ProxyCommand nc -x localhost:1090 %h %p
>     User ubuntu
>     IdentityFile /home/me/.ssh/soc-proto-internal.pem
> # bastion
> Host ip-10-0-0-*.ec2.internal
>     ProxyCommand nc -x localhost:1090 %h %p
>     User ec2-user
>     IdentityFile /home/fortescu/.ssh/soc-proto-useast1.pem
>
> tunnel1:
>
> dev # ssh -vvv -D 1080 -N -q [email protected]
> OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
>
> tunnel2:
>
> dev # ssh ec2
> Amazon Linux version 2015.03 is available.
> [ec2-user@ip-10-0-0-188 ~]$
>
> Now, from Dev the following works fine:
>
> dev # ssh ip-10.0.1.32
> Last login: Tue Jun 2 19:15:07 2015 from ip-10-0-0-188.ec2.internal
> ubuntu@ip-10-0-1-32:~$
>
> So how can I get this to work with wait_for?! The 'private_dns_name'
> emits and is in the tmp wait_for python script so it's got the right form.
> I can even grab that same address while waiting on wait_for and ssh
> into it!
>
> Here's the relevant ansible play:
>
> - name: Launch Opscenter instances
>   ec2:
>     key_name: "{{ key_name }}"
>     group_id: "{{ security_group }}"
>     instance_type: "{{ instance_type }}"
>     image: "{{ image }}"
>     wait: true
>     region: "{{ region }}"
>     vpc_subnet_id: "{{ subnet_id }}"
>     assign_public_ip: no
>     ebs_optimized: no
>     instance_tags:
>       Name: "cassandra_opscenter"
>       dbtype: cassandra
>   register: ec2
>
> - name: Logging
>   debug: msg="{{ item }}"
>   with_items: ec2.instances
>
> - name: Add new instance to host group
>   add_host: hostname={{ item['private_dns_name'] }}
>             ansible_ssh_host={{ item['private_dns_name'] }}
>             groups=launched,opscenter_nodes
>   with_items: ec2.instances
>
> - name: Wait for SSH to come up
>   local_action: wait_for port=22 host="{{ item['private_dns_name'] }}"
>                 search_regex=OpenSSH delay=10
>   with_items: ec2.instances
>
> I know I must be missing something obvious but it seems like wait_for is
> stubbornly trying to use DNS (which will fail) instead of .ssh/config.
>
> Am I chasing a unicorn here? Can this be made to work?
>
> Any and all advice deeply appreciated.
>
> Chris
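The wait_for check from the play, redone the way the quoted .ssh/config reaches the host, as an added example that is not part of this thread and not Benno's fix: wait_for resolves host= with the local resolver, which cannot see the private_dns_name, whereas `nc -x` puts the hostname inside a SOCKS5 CONNECT so the proxy end (Bastion.AWS) resolves it. The proxy address, target name and banner regex are constructed values chosen to match the setup in the thread.

```python
import re
import socket
import struct

# Constructed values matching the setup in the thread (assumptions for this example).
SOCKS_PROXY = ("localhost", 1090)            # DynamicForward opened by "ssh ec2"
TARGET = ("ip-10-0-1-32.ec2.internal", 22)   # an instance's private_dns_name
BANNER_RE = re.compile(rb"OpenSSH")          # the play's search_regex


def socks5_connect_request(host: str, port: int) -> bytes:
    """SOCKS5 CONNECT (RFC 1928) with ATYP 0x03 DOMAINNAME: the proxy, not the
    local resolver, resolves the name, which is why 'nc -x' works and wait_for does not."""
    name = host.encode("idna")
    if not 1 <= len(name) <= 255:
        raise ValueError("hostname length must be 1..255 bytes for SOCKS5")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack("!H", port)


def banner_matches(data: bytes, pattern=BANNER_RE) -> bool:
    """The search_regex half of wait_for: does the first data the server sends match?"""
    return pattern.search(data) is not None


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection early")
        buf += chunk
    return buf


def ssh_banner_via_socks(proxy=SOCKS_PROXY, target=TARGET, timeout=10.0) -> bytes:
    """Connect through the SOCKS5 proxy and return the first bytes the target sends."""
    with socket.create_connection(proxy, timeout=timeout) as s:
        s.sendall(b"\x05\x01\x00")                    # greeting: one method, no auth
        if _recv_exact(s, 2) != b"\x05\x00":
            raise ConnectionError("proxy did not accept no-auth SOCKS5")
        s.sendall(socks5_connect_request(*target))
        ver, rep, _rsv, atyp = _recv_exact(s, 4)      # reply header
        if ver != 0x05 or rep != 0x00:
            raise ConnectionError("SOCKS5 CONNECT failed, REP=0x%02x" % rep)
        # skip BND.ADDR and BND.PORT; the address length depends on ATYP
        addr_len = {0x01: 4, 0x04: 16}.get(atyp) or _recv_exact(s, 1)[0]
        _recv_exact(s, addr_len + 2)
        return s.recv(256)                            # "SSH-2.0-OpenSSH_..." once port 22 is up
```

From Dev with both tunnels up, `banner_matches(ssh_banner_via_socks())` answers the same question the play's wait_for task asks, but over the tunnel that can actually reach the instance.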
