Re: [ansible-project] Need to automate task via bastion host

[Vladimir Botka]

Hi Monica,

On Sun, 16 Apr 2023 00:23:14 -0700 (PDT)
Monica  wrote:

> Hi  Vladimir Botka,
> Looking for your support on this.

You said you can "connect to the remote host via bastion host
using ssh".

shell> ssh user@@ -p 8022

Let me ask you first. Wouldn't an Ansible controller in the internal
network serve you use-case better?

 ext_net <-> bastion_host <-> ansible_controller <-> remote_host

You should store you projects in a version control. Why don't you
clone the projects on the controller and run your playbooks from
there? This has many advantages:

 * The configuration is simpler
 * You can limit the external SSH access to single host
 * Playbooks in the local network run faster
 * The execution of the projects don't depend on the throughput and
   quality of the external network
 * You can use *ansible-pull* on the controller to update the
   projects automatically
 * You can schedule the projects' updating to off-peak times

Why do you want to run Ansible via proxy?

-- 
Vladimir Botka

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ansible-project+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/20230416132743.16fb3f4a%40gmail.com.


pgpluFiJdA3XJ.pgp
Description: OpenPGP digital signature

Re: Re: [ansible-project] Need to automate task via bastion host

[Monica]

Hi  Vladimir Botka,

Looking for your support on this.

On Wednesday, April 12, 2023 at 11:00:45 AM UTC+5:30 Monica wrote:

> Hi,
>
> Can anyone help me on this, still I am facing the issue.
>
> On Tuesday, April 4, 2023 at 3:17:43 PM UTC+5:30 dulh...@mailbox.org 
> wrote:
>
> what I would try is 
>   
> 1. create an *~/.ssh/conf* file as per the example I sent 
> 2. use Ansible as if there was no jumphost involved at all 
>   
>   
>   
> -- Original Message -- 
> From: Monica  
> To: Gunnar Wagner  
> Date: 04/03/2023 6:11 PM CEST 
> Subject: Re: [ansible-project] Need to automate task via bastion host 
>   
>   
> hi Gunnar, 
>   
> I tried this and the same didn't work out-: 
>   
> [remote-nodes] 
> remote-node-1 ansible_host= ansible_user=user 
> ansible_ssh_common_args='-o ProxyCommand="ssh -W %h:%p -p 8022 
> user@"' 
> remote-node-2 ansible_host= ansible_user=user 
> ansible_ssh_common_args='-o ProxyCommand="ssh -W %h:%p -p 8022 
> user@"' 
>   
> On Mon, Apr 3, 2023 at 6:00 PM Gunnar Wagner  
> wrote: 
>
> it is not quite clear what exactly you have tried & did not work 
>
> On 04/03/2023 12:32 PM CEST Monica  wrote: 
>   
>   
> Hi Todd, 
>   
> Thank you for explaining the same, however I am still getting the same 
> error-: 
>   
>   
>
> On Mon, Apr 3, 2023 at 11:13 AM dulhaver via Ansible Project <
> ansible...@googlegroups.com> wrote: 
>
> I agree with Tood, that setting up a propper ~/.ssh/config should be the 
> way to do this. something like ... 
>
>Host jumphost 
>   HostName jumphost.blub.com 
>   User username 
>   PreferredAuthentication publickey 
>   IdentityFile ~/.ssh/demo.ed25519 
>
>Host internal-target 
>   Hostname target.blub.com 
>   ProxyJump jumphost 
>   User username 
>   PreferredAuthentication publickey 
>   IdentityFile ~/.ssh/demo.ed25519 
>
>
> ... should do it I believe 
>
>
> > On 04/02/2023 10:51 PM CEST Todd Zullinger  wrote: 
> > 
> >  
> > Will McDonald wrote: 
> > > https://www.jeffgeerling.com/blog/2022/ 
> > > using-ansible-playbook-ssh-bastion-jump-host 
> > 
> > Odd that uses ProxyCommand in `ansible_ssh_common_args` and 
> > not the far simpler ProxyJump, which it does mention in the 
> > ~/.ssh/config method.  The `-J` shortcut for that is even 
> > better. 
> > 
> > Perhaps it does that to illsutrate a more complex use case, 
> > where the bastion runs on a different port, but if you're 
> > not doing that, it's likely simpler to skip it and use the 
> > `-J` argument. 
> > 
> > I would expect (but have not tested) this works: 
> > 
> > ansible_ssh_common_args='-J $your_bastion_hostname' 
> > 
> > ProxyJump / -J was added in OpenSSH-7.3 -- so it's surely on 
> > any host folks would be using as an ansible control host. 
> > 
> > -- 
> > Todd 
> > 
> > -- 
> > You received this message because you are subscribed to the Google 
> Groups "Ansible Project" group. 
> > To unsubscribe from this group and stop receiving emails from it, send 
> an email to ansible-proje...@googlegroups.com. 
> > To view this discussion on the web visit 
> https://groups.google.com/d/msgid/ansible-project/ZCnqsTK-z1LKdm05%40pobox.com.
>  
>
>
> --- 
> gunnar wagner | fichtestr. 1, 19386 lübz | fon: 0176 7808 9090 
>
> -- 
> You received this message because you are subscribed to the Google Groups 
> "Ansible Project" group. 
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to ansible-proje...@googlegroups.com. 
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/ansible-project/404677238.549090.1680500565843%40office.mailbox.org.
>  
>
>
>
>   
>
>  
> -- 
>
> You received this message because you are subscribed to the Google Groups 
> "Ansible Project" group. 
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to ansible-proje...@googlegroups.com. 
>
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/ansible-project/CANi23%3Dy4qzVo6Ci9DReu%3DxvLHYx9Swokd_EaB8e1s_%3D_k5hDjQ%40mail.gmail.com
>  
> <https://groups.google.com/d/msgid/ansible-project/CANi23%3Dy4qzVo6Ci9DReu%3DxvLHYx9Swokd_EaB8e1s_%3D_k5hDjQ%40mail.gmail.com?utm_medium=email_source=footer>.
>  
>
>
>   
>
>  
>
>
>  
>   
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ansible-project+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/048feeb7-21e6-43c1-88f9-63949834e3c0n%40googlegroups.com.

Re: Re: [ansible-project] Need to automate task via bastion host

[Monica]

Hi,

Can anyone help me on this, still I am facing the issue.

On Tuesday, April 4, 2023 at 3:17:43 PM UTC+5:30 dulh...@mailbox.org wrote:

what I would try is 
  
1. create an *~/.ssh/conf* file as per the example I sent 
2. use Ansible as if there was no jumphost involved at all 
  
  
  
-- Original Message -- 
From: Monica  
To: Gunnar Wagner  
Date: 04/03/2023 6:11 PM CEST 
Subject: Re: [ansible-project] Need to automate task via bastion host 
  
  
hi Gunnar, 
  
I tried this and the same didn't work out-: 
  
[remote-nodes] 
remote-node-1 ansible_host= ansible_user=user 
ansible_ssh_common_args='-o ProxyCommand="ssh -W %h:%p -p 8022 
user@"' 
remote-node-2 ansible_host= ansible_user=user 
ansible_ssh_common_args='-o ProxyCommand="ssh -W %h:%p -p 8022 
user@"' 
  
On Mon, Apr 3, 2023 at 6:00 PM Gunnar Wagner  wrote: 

it is not quite clear what exactly you have tried & did not work 

On 04/03/2023 12:32 PM CEST Monica  wrote: 
  
  
Hi Todd, 
  
Thank you for explaining the same, however I am still getting the same 
error-: 
  
  

On Mon, Apr 3, 2023 at 11:13 AM dulhaver via Ansible Project <
ansible...@googlegroups.com> wrote: 

I agree with Tood, that setting up a propper ~/.ssh/config should be the 
way to do this. something like ... 

   Host jumphost 
  HostName jumphost.blub.com 
  User username 
  PreferredAuthentication publickey 
  IdentityFile ~/.ssh/demo.ed25519 

   Host internal-target 
  Hostname target.blub.com 
  ProxyJump jumphost 
  User username 
  PreferredAuthentication publickey 
  IdentityFile ~/.ssh/demo.ed25519 


... should do it I believe 


> On 04/02/2023 10:51 PM CEST Todd Zullinger  wrote: 
> 
>  
> Will McDonald wrote: 
> > https://www.jeffgeerling.com/blog/2022/ 
> > using-ansible-playbook-ssh-bastion-jump-host 
> 
> Odd that uses ProxyCommand in `ansible_ssh_common_args` and 
> not the far simpler ProxyJump, which it does mention in the 
> ~/.ssh/config method.  The `-J` shortcut for that is even 
> better. 
> 
> Perhaps it does that to illsutrate a more complex use case, 
> where the bastion runs on a different port, but if you're 
> not doing that, it's likely simpler to skip it and use the 
> `-J` argument. 
> 
> I would expect (but have not tested) this works: 
> 
> ansible_ssh_common_args='-J $your_bastion_hostname' 
> 
> ProxyJump / -J was added in OpenSSH-7.3 -- so it's surely on 
> any host folks would be using as an ansible control host. 
> 
> -- 
> Todd 
> 
> -- 
> You received this message because you are subscribed to the Google Groups 
"Ansible Project" group. 
> To unsubscribe from this group and stop receiving emails from it, send an 
email to ansible-proje...@googlegroups.com. 
> To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/ZCnqsTK-z1LKdm05%40pobox.com. 


--- 
gunnar wagner | fichtestr. 1, 19386 lübz | fon: 0176 7808 9090 

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group. 
To unsubscribe from this group and stop receiving emails from it, send an 
email to ansible-proje...@googlegroups.com. 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/404677238.549090.1680500565843%40office.mailbox.org.
 



  

 
-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group. 
To unsubscribe from this group and stop receiving emails from it, send an 
email to ansible-proje...@googlegroups.com. 

To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/CANi23%3Dy4qzVo6Ci9DReu%3DxvLHYx9Swokd_EaB8e1s_%3D_k5hDjQ%40mail.gmail.com
 
<https://groups.google.com/d/msgid/ansible-project/CANi23%3Dy4qzVo6Ci9DReu%3DxvLHYx9Swokd_EaB8e1s_%3D_k5hDjQ%40mail.gmail.com?utm_medium=email_source=footer>.
 


  

 


 
  

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ansible-project+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/49ee55b4-4f6f-4935-b3c4-e14ffe892c92n%40googlegroups.com.

Fwd: Re: [ansible-project] Need to automate task via bastion host

[dulhaver via Ansible Project]

what I would try is
 
1. create an ~/.ssh/conf file as per the example I sent
2. use Ansible as if there was no jumphost involved at all
 
 
 
-- Original Message --
From: Monica 
To: Gunnar Wagner 
Date: 04/03/2023 6:11 PM CEST
Subject: Re: [ansible-project] Need to automate task via bastion host
 
 
hi Gunnar,
 
I tried this and the same didn't work out-:
 
[remote-nodes]
remote-node-1 ansible_host= ansible_user=user 
ansible_ssh_common_args='-o ProxyCommand="ssh -W %h:%p -p 8022 
user@"'
remote-node-2 ansible_host= ansible_user=user 
ansible_ssh_common_args='-o ProxyCommand="ssh -W %h:%p -p 8022 
user@"'
 
On Mon, Apr 3, 2023 at 6:00 PM Gunnar Wagner mailto:gunnar.wag...@mailbox.org> wrote:

> it is not quite clear what exactly you have tried & did not work
> 
> > On 04/03/2023 12:32 PM CEST Monica  > mailto:monicaacision1...@gmail.com> wrote:
> >  
> >  
> > Hi Todd,
> >  
> > Thank you for explaining the same, however I am still getting the same 
> > error-:
> >  
> >  
> > 
> > On Mon, Apr 3, 2023 at 11:13 AM dulhaver via Ansible Project 
> > mailto:ansible-project@googlegroups.com> 
> > wrote:
> > 
> > > I agree with Tood, that setting up a propper ~/.ssh/config should be the 
> > > way to do this. something like ...
> > > 
> > >Host jumphost
> > >   HostNamehttp://jumphost.blub.com
> > >   User username
> > >   PreferredAuthentication publickey
> > >   IdentityFile ~/.ssh/demo.ed25519
> > > 
> > >Host internal-target
> > >   Hostnamehttp://target.blub.com
> > >   ProxyJump jumphost
> > >   User username
> > >   PreferredAuthentication publickey
> > >   IdentityFile ~/.ssh/demo.ed25519
> > > 
> > > 
> > > ... should do it I believe
> > > 
> > > 
> > > > On 04/02/2023 10:51 PM CEST Todd Zullinger  > > > mailto:t...@pobox.com> wrote:
> > > >
> > > > 
> > > > Will McDonald wrote:
> > > > > https://www.jeffgeerling.com/blog/2022/
> > > > > using-ansible-playbook-ssh-bastion-jump-host
> > > >
> > > > Odd that uses ProxyCommand in `ansible_ssh_common_args` and
> > > > not the far simpler ProxyJump, which it does mention in the
> > > > ~/.ssh/config method.  The `-J` shortcut for that is even
> > > > better.
> > > >
> > > > Perhaps it does that to illsutrate a more complex use case,
> > > > where the bastion runs on a different port, but if you're
> > > > not doing that, it's likely simpler to skip it and use the
> > > > `-J` argument.
> > > >
> > > > I would expect (but have not tested) this works:
> > > >
> > > > ansible_ssh_common_args='-J $your_bastion_hostname'
> > > >
> > > > ProxyJump / -J was added in OpenSSH-7.3 -- so it's surely on
> > > > any host folks would be using as an ansible control host.
> > > >
> > > > --
> > > > Todd
> > > >
> > > > --
> > > > You received this message because you are subscribed to the Google 
> > > > Groups "Ansible Project" group.
> > > > To unsubscribe from this group and stop receiving emails from it, send 
> > > > an email to ansible-project+unsubscr...@googlegroups.com 
> > > > mailto:ansible-project%2bunsubscr...@googlegroups.com.
> > > > To view this discussion on the web visit 
> > > > https://groups.google.com/d/msgid/ansible-project/ZCnqsTK-z1LKdm05%40pobox.com.
> > > 
> > > ---
> > > gunnar wagner | fichtestr. 1, 19386 lübz | fon: 0176 7808 9090
> > > 
> > > --
> > > You received this message because you are subscribed to the Google Groups 
> > > "Ansible Project" group.
> > > To unsubscribe from this group and stop receiving emails from it, send an 
> > > email to ansible-project+unsubscr...@googlegroups.com 
> > > mailto:ansible-project%2bunsubscr...@googlegroups.com.
> > > To view this discussion on the web visit 
> > > https://groups.google.com/d/msgid/ansible-project/404677238.549090.1680500565843%40office.mailbox.org.
> > > 
> > 
> >  
> > --
> > 
> >  
> > 
> >  
> > 
> > Thanks and Regards,
> > 
> >  
> > 
> >  
> > 
> > Monika Dharmshaktu
> > 
> > 
> >  EMail: monicaacision1...@gmail.com mailto:monicaacision1...@g

Re: [ansible-project] Need to automate task via bastion host

[Monica]

Hi Avinash.

Thanks you for the update. I am still facing the issue.

Connection timed out during banner exchange", "unreachable": true
On Monday, April 3, 2023 at 4:08:59 PM UTC+5:30 Avinash Jadhav wrote:

> Hi
>
> Can you please try to this way 
>
>
> [remote-nodes]
> remote-node-1 ansible_host= ansible_user=user 
> ansible_ssh_common_args='-o ProxyCommand="ssh -W %h:%p -p 8022 
> user@"'
> remote-node-2 ansible_host= ansible_user=user 
> ansible_ssh_common_args='-o ProxyCommand="ssh -W %h:%p -p 8022 
> user@"'
>
>
> On Mon, Apr 3, 2023, 4:02 PM Monica  wrote:
>
>> Hi Todd,
>>
>> Thank you for explaining the same, however I am still getting the same 
>> error-:
>>
>>
>>
>> On Mon, Apr 3, 2023 at 11:13 AM dulhaver via Ansible Project <
>> ansible...@googlegroups.com> wrote:
>>
>>> I agree with Tood, that setting up a propper ~/.ssh/config should be the 
>>> way to do this. something like ...
>>>
>>>Host jumphost
>>>   HostName jumphost.blub.com
>>>   User username
>>>   PreferredAuthentication publickey
>>>   IdentityFile ~/.ssh/demo.ed25519
>>>
>>>Host internal-target
>>>   Hostname target.blub.com
>>>   ProxyJump jumphost
>>>   User username
>>>   PreferredAuthentication publickey
>>>   IdentityFile ~/.ssh/demo.ed25519
>>>
>>>
>>> ... should do it I believe
>>>
>>>
>>> > On 04/02/2023 10:51 PM CEST Todd Zullinger  wrote:
>>> > 
>>> >  
>>> > Will McDonald wrote:
>>> > > https://www.jeffgeerling.com/blog/2022/
>>> > > using-ansible-playbook-ssh-bastion-jump-host
>>> > 
>>> > Odd that uses ProxyCommand in `ansible_ssh_common_args` and
>>> > not the far simpler ProxyJump, which it does mention in the
>>> > ~/.ssh/config method.  The `-J` shortcut for that is even
>>> > better.
>>> > 
>>> > Perhaps it does that to illsutrate a more complex use case,
>>> > where the bastion runs on a different port, but if you're
>>> > not doing that, it's likely simpler to skip it and use the
>>> > `-J` argument.
>>> > 
>>> > I would expect (but have not tested) this works:
>>> > 
>>> > ansible_ssh_common_args='-J $your_bastion_hostname'
>>> > 
>>> > ProxyJump / -J was added in OpenSSH-7.3 -- so it's surely on
>>> > any host folks would be using as an ansible control host.
>>> > 
>>> > -- 
>>> > Todd
>>> > 
>>> > -- 
>>> > You received this message because you are subscribed to the Google 
>>> Groups "Ansible Project" group.
>>> > To unsubscribe from this group and stop receiving emails from it, send 
>>> an email to ansible-proje...@googlegroups.com.
>>> > To view this discussion on the web visit 
>>> https://groups.google.com/d/msgid/ansible-project/ZCnqsTK-z1LKdm05%40pobox.com
>>> .
>>>
>>> ---
>>> gunnar wagner | fichtestr. 1, 19386 lübz | fon: 0176 7808 9090
>>>
>>> -- 
>>> You received this message because you are subscribed to the Google 
>>> Groups "Ansible Project" group.
>>> To unsubscribe from this group and stop receiving emails from it, send 
>>> an email to ansible-proje...@googlegroups.com.
>>> To view this discussion on the web visit 
>>> https://groups.google.com/d/msgid/ansible-project/404677238.549090.1680500565843%40office.mailbox.org
>>> .
>>>
>>
>>
>> -- 
>>
>> *Thanks and Regards,*
>>
>>  
>>
>>  
>>
>> *Monika Dharmshaktu*
>>
>>
>>  EMail: monicaac...@gmail.com
>>
>> Cell: +91 9654525106 <+91%2096545%2025106>
>>
>>  
>>
>> -- 
>> You received this message because you are subscribed to the Google Groups 
>> "Ansible Project" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to ansible-proje...@googlegroups.com.
>>
> To view this discussion on the web visit 
>> https://groups.google.com/d/msgid/ansible-project/CANi23%3Dy4qzVo6Ci9DReu%3DxvLHYx9Swokd_EaB8e1s_%3D_k5hDjQ%40mail.gmail.com
>>  
>> 
>> .
>>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ansible-project+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/c79faafe-10b8-408f-9b60-b7bbd05e6104n%40googlegroups.com.

Re: [ansible-project] Need to automate task via bastion host

[Avinash Jadhav]

Hi

Can you please try to this way


[remote-nodes]
remote-node-1 ansible_host= ansible_user=user
ansible_ssh_common_args='-o ProxyCommand="ssh -W %h:%p -p 8022 user@
"'
remote-node-2 ansible_host= ansible_user=user
ansible_ssh_common_args='-o ProxyCommand="ssh -W %h:%p -p 8022 user@
"'


On Mon, Apr 3, 2023, 4:02 PM Monica  wrote:

> Hi Todd,
>
> Thank you for explaining the same, however I am still getting the same
> error-:
>
>
>
> On Mon, Apr 3, 2023 at 11:13 AM dulhaver via Ansible Project <
> ansible-project@googlegroups.com> wrote:
>
>> I agree with Tood, that setting up a propper ~/.ssh/config should be the
>> way to do this. something like ...
>>
>>Host jumphost
>>   HostName jumphost.blub.com
>>   User username
>>   PreferredAuthentication publickey
>>   IdentityFile ~/.ssh/demo.ed25519
>>
>>Host internal-target
>>   Hostname target.blub.com
>>   ProxyJump jumphost
>>   User username
>>   PreferredAuthentication publickey
>>   IdentityFile ~/.ssh/demo.ed25519
>>
>>
>> ... should do it I believe
>>
>>
>> > On 04/02/2023 10:51 PM CEST Todd Zullinger  wrote:
>> >
>> >
>> > Will McDonald wrote:
>> > > https://www.jeffgeerling.com/blog/2022/
>> > > using-ansible-playbook-ssh-bastion-jump-host
>> >
>> > Odd that uses ProxyCommand in `ansible_ssh_common_args` and
>> > not the far simpler ProxyJump, which it does mention in the
>> > ~/.ssh/config method.  The `-J` shortcut for that is even
>> > better.
>> >
>> > Perhaps it does that to illsutrate a more complex use case,
>> > where the bastion runs on a different port, but if you're
>> > not doing that, it's likely simpler to skip it and use the
>> > `-J` argument.
>> >
>> > I would expect (but have not tested) this works:
>> >
>> > ansible_ssh_common_args='-J $your_bastion_hostname'
>> >
>> > ProxyJump / -J was added in OpenSSH-7.3 -- so it's surely on
>> > any host folks would be using as an ansible control host.
>> >
>> > --
>> > Todd
>> >
>> > --
>> > You received this message because you are subscribed to the Google
>> Groups "Ansible Project" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> an email to ansible-project+unsubscr...@googlegroups.com.
>> > To view this discussion on the web visit
>> https://groups.google.com/d/msgid/ansible-project/ZCnqsTK-z1LKdm05%40pobox.com
>> .
>>
>> ---
>> gunnar wagner | fichtestr. 1, 19386 lübz | fon: 0176 7808 9090
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Ansible Project" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to ansible-project+unsubscr...@googlegroups.com.
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/ansible-project/404677238.549090.1680500565843%40office.mailbox.org
>> .
>>
>
>
> --
>
> *Thanks and Regards,*
>
>
>
>
>
> *Monika Dharmshaktu*
>
>
>  EMail: monicaacision1...@gmail.com
>
> Cell: +91 9654525106
>
>
>
> --
> You received this message because you are subscribed to the Google Groups
> "Ansible Project" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ansible-project+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/ansible-project/CANi23%3Dy4qzVo6Ci9DReu%3DxvLHYx9Swokd_EaB8e1s_%3D_k5hDjQ%40mail.gmail.com
> 
> .
>

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ansible-project+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/CABAvFDNCqVkZNqBVY7LvsV1crEzVVbDrDZNHVc04nOoXs5x%2BtA%40mail.gmail.com.

Re: [ansible-project] Need to automate task via bastion host

[Monica]

Hi Todd,

Thank you for explaining the same, however I am still getting the same
error-:



On Mon, Apr 3, 2023 at 11:13 AM dulhaver via Ansible Project <
ansible-project@googlegroups.com> wrote:

> I agree with Tood, that setting up a propper ~/.ssh/config should be the
> way to do this. something like ...
>
>Host jumphost
>   HostName jumphost.blub.com
>   User username
>   PreferredAuthentication publickey
>   IdentityFile ~/.ssh/demo.ed25519
>
>Host internal-target
>   Hostname target.blub.com
>   ProxyJump jumphost
>   User username
>   PreferredAuthentication publickey
>   IdentityFile ~/.ssh/demo.ed25519
>
>
> ... should do it I believe
>
>
> > On 04/02/2023 10:51 PM CEST Todd Zullinger  wrote:
> >
> >
> > Will McDonald wrote:
> > > https://www.jeffgeerling.com/blog/2022/
> > > using-ansible-playbook-ssh-bastion-jump-host
> >
> > Odd that uses ProxyCommand in `ansible_ssh_common_args` and
> > not the far simpler ProxyJump, which it does mention in the
> > ~/.ssh/config method.  The `-J` shortcut for that is even
> > better.
> >
> > Perhaps it does that to illsutrate a more complex use case,
> > where the bastion runs on a different port, but if you're
> > not doing that, it's likely simpler to skip it and use the
> > `-J` argument.
> >
> > I would expect (but have not tested) this works:
> >
> > ansible_ssh_common_args='-J $your_bastion_hostname'
> >
> > ProxyJump / -J was added in OpenSSH-7.3 -- so it's surely on
> > any host folks would be using as an ansible control host.
> >
> > --
> > Todd
> >
> > --
> > You received this message because you are subscribed to the Google
> Groups "Ansible Project" group.
> > To unsubscribe from this group and stop receiving emails from it, send
> an email to ansible-project+unsubscr...@googlegroups.com.
> > To view this discussion on the web visit
> https://groups.google.com/d/msgid/ansible-project/ZCnqsTK-z1LKdm05%40pobox.com
> .
>
> ---
> gunnar wagner | fichtestr. 1, 19386 lübz | fon: 0176 7808 9090
>
> --
> You received this message because you are subscribed to the Google Groups
> "Ansible Project" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ansible-project+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/ansible-project/404677238.549090.1680500565843%40office.mailbox.org
> .
>


-- 

*Thanks and Regards,*





*Monika Dharmshaktu*


 EMail: monicaacision1...@gmail.com

Cell: +91 9654525106

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ansible-project+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/CANi23%3Dy4qzVo6Ci9DReu%3DxvLHYx9Swokd_EaB8e1s_%3D_k5hDjQ%40mail.gmail.com.

Re: [ansible-project] Need to automate task via bastion host

[dulhaver via Ansible Project]

I agree with Tood, that setting up a propper ~/.ssh/config should be the way to 
do this. something like ...

   Host jumphost
  HostName jumphost.blub.com
  User username
  PreferredAuthentication publickey
  IdentityFile ~/.ssh/demo.ed25519
   
   Host internal-target
  Hostname target.blub.com
  ProxyJump jumphost
  User username
  PreferredAuthentication publickey
  IdentityFile ~/.ssh/demo.ed25519


... should do it I believe


> On 04/02/2023 10:51 PM CEST Todd Zullinger  wrote:
> 
>  
> Will McDonald wrote:
> > https://www.jeffgeerling.com/blog/2022/
> > using-ansible-playbook-ssh-bastion-jump-host
> 
> Odd that uses ProxyCommand in `ansible_ssh_common_args` and
> not the far simpler ProxyJump, which it does mention in the
> ~/.ssh/config method.  The `-J` shortcut for that is even
> better.
> 
> Perhaps it does that to illsutrate a more complex use case,
> where the bastion runs on a different port, but if you're
> not doing that, it's likely simpler to skip it and use the
> `-J` argument.
> 
> I would expect (but have not tested) this works:
> 
> ansible_ssh_common_args='-J $your_bastion_hostname'
> 
> ProxyJump / -J was added in OpenSSH-7.3 -- so it's surely on
> any host folks would be using as an ansible control host.
> 
> -- 
> Todd
> 
> -- 
> You received this message because you are subscribed to the Google Groups 
> "Ansible Project" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to ansible-project+unsubscr...@googlegroups.com.
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/ansible-project/ZCnqsTK-z1LKdm05%40pobox.com.

---
gunnar wagner | fichtestr. 1, 19386 lübz | fon: 0176 7808 9090

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ansible-project+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/404677238.549090.1680500565843%40office.mailbox.org.

Re: [ansible-project] Need to automate task via bastion host

[Todd Zullinger]

Hi,

Monica wrote:
> Thank you for sharing the same, however, I have already
> checked this article.

I was simply quoting the article which Will kindly shared to
mention that ProxyJump / -J might be a simpler method, even
within ansible_ssh_common_args.

[I reformatted some of the text you wrote as it arrived at
the list as one large block, which was rather hard to read.]

> I have a requirement to connect Host-A then I can connect
> Host-B. I can’t connect Host-B directly. So in this case
> how to execute the playbook task on Host-B from Control
> Machine? Because my control machine is centralized. Hence,
> my question is how to execute the playbook task on Host-B
> directly from the control machine via bastion host-: Below
> is an example of how I am connecting to the remote host
> via bastion host using ssh.
>
>   ssh user@@ -p 8022

Note that the ssh_config man page says of ProxyJump:

Specifies one or more jump proxies as either
[user@]host[:port] or an ssh URI.

It has further text regarding configuration applied to the
jump (aka bastion) host, which is worth reading.

Ansible uses the value from `ansible_ssh_common_args` to
create the full ssh command to connect to each host, so
`@` should not be included if you're using
ansible to connect to  via .

(If you've got multiple bastion hosts to pass through from
 to , you should probably get
things working with ssh directly and then map that to either
`ansible_ssh_common_args` or the `.ssh/config` of the user
running ansible on the control host.)

All that said, if you're going from  to
 via  (on port 8022), I think
this would look like:

ansible_ssh_common_args='-J @:8022'

(I skipped the StrictHostKeyChecking option there simply for
brevity.  I replaced -o ProxyJump with -J for the same
reason.)

That connects to the  via the bastion host as
the given user and at the given port.

I find testing with the ansible ping module is helpful in
cases like this.  It makes it easier to separate issues with
the playbook from issues with the ssh configuration.  E.g.:

ansible  -om ping

That should return:

 | SUCCESS => {"changed": false,"ping": "pong"}

If not, adding -vvv to the command will show the ssh command
ansible used, which can be checked for sanity (and/or
compared to what works when you run ssh directly to get from
 to  via ).

-- 
Todd

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ansible-project+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/ZCpX8kenPz6HVuPL%40pobox.com.

Re: [ansible-project] Need to automate task via bastion host

[Monica]

Hi  Todd,

Thank you for sharing the same, however, I have already checked this 
article.

I have a requirement to connect Host-A then I can connect Host-B. I can’t 
connect Host-B directly. So in this case how to execute the playbook task 
on Host-B from Control Machine? Because my control machine is centralized. 
Hence, my question is how to execute the playbook task on Host-B directly 
from the control machine via bastion host-: Below is an example of how I am 
connecting to the remote host via bastion host using ssh. ssh 
user@@ -p 8022 In the playbook I have 
created the inventory, however, while running the same I am getting the 
below error-: cat lab.txt [need_bastion] bastion-host [need_bastion:vars] 
ansible_ssh_common_args='-o StrictHostKeyChecking=no -o 
ProxyJump="user@@:8022"' PLAY [copy file from 
jump to remote servers] 

 
TASK [copy node exporter package] 

 
Password: Password: fatal: [IP]: UNREACHABLE! => {"changed": false, "msg": 
"Failed to connect to the host via ssh: Connection timed out during banner 
exchange", "unreachable": true} PLAY RECAP 
***
 
IP : ok=0 changed=0 unreachable=1 failed=0 skipped=0 rescued=0 ignored=0 

On Monday, April 3, 2023 at 2:21:53 AM UTC+5:30 Todd Zullinger wrote:

Will McDonald wrote: 
> https://www.jeffgeerling.com/blog/2022/ 
> using-ansible-playbook-ssh-bastion-jump-host 

Odd that uses ProxyCommand in `ansible_ssh_common_args` and 
not the far simpler ProxyJump, which it does mention in the 
~/.ssh/config method. The `-J` shortcut for that is even 
better. 

Perhaps it does that to illsutrate a more complex use case, 
where the bastion runs on a different port, but if you're 
not doing that, it's likely simpler to skip it and use the 
`-J` argument. 

I would expect (but have not tested) this works: 

ansible_ssh_common_args='-J $your_bastion_hostname' 

ProxyJump / -J was added in OpenSSH-7.3 -- so it's surely on 
any host folks would be using as an ansible control host. 

-- 
Todd 

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ansible-project+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/4765020f-4259-472a-af7c-a47af04b70e8n%40googlegroups.com.

Re: [ansible-project] Need to automate task via bastion host

[Todd Zullinger]

Will McDonald wrote:
> https://www.jeffgeerling.com/blog/2022/
> using-ansible-playbook-ssh-bastion-jump-host

Odd that uses ProxyCommand in `ansible_ssh_common_args` and
not the far simpler ProxyJump, which it does mention in the
~/.ssh/config method.  The `-J` shortcut for that is even
better.

Perhaps it does that to illsutrate a more complex use case,
where the bastion runs on a different port, but if you're
not doing that, it's likely simpler to skip it and use the
`-J` argument.

I would expect (but have not tested) this works:

ansible_ssh_common_args='-J $your_bastion_hostname'

ProxyJump / -J was added in OpenSSH-7.3 -- so it's surely on
any host folks would be using as an ansible control host.

-- 
Todd

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ansible-project+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/ZCnqsTK-z1LKdm05%40pobox.com.

Re: [ansible-project] Need to automate task via bastion host

[Will McDonald]

https://www.jeffgeerling.com/blog/2022/using-ansible-playbook-ssh-bastion-jump-host


On Sun, 2 Apr 2023 at 16:35, Monica  wrote:

> Hi All,
>
> I have requirement to automate some tasks via ansible playbook, the
> problem is I cannot go to the serves directly I need to go to remote nodes
> via bastion node. Could anyone pls help how can I write the same inside
> inventory. Below is the example how I am connecting to the remote host via
> bastion host.
>
> ssh user@@ -p 8022
>
> --
> You received this message because you are subscribed to the Google Groups
> "Ansible Project" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ansible-project+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/ansible-project/19f0148f-01d4-4a4f-82e3-c1270fdbf8f1n%40googlegroups.com
> 
> .
>

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ansible-project+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/CAKtKohRQex33d8xUaBKu1%3DhELWE%3D19vZ%2BzehfxmDfeH_GyAMtA%40mail.gmail.com.

[ansible-project] Need to automate task via bastion host

[Monica]

Hi All,

I have requirement to automate some tasks via ansible playbook, the problem 
is I cannot go to the serves directly I need to go to remote nodes via 
bastion node. Could anyone pls help how can I write the same inside 
inventory. Below is the example how I am connecting to the remote host via 
bastion host.

ssh user@@ -p 8022

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ansible-project+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/19f0148f-01d4-4a4f-82e3-c1270fdbf8f1n%40googlegroups.com.