Re: [ansible-project] Re: Connect via NOT a bastion jump host

2018-11-28 Thread Mark Zhitomirski
On Wed, Nov 28, 2018 at 1:43 PM  wrote:

> Of course, thanks for asking;
> My company has HP Network Automation (HP NA) host which provides universal
> access to all network devices. It behaves like a jump host, but, not SSH
> jump host. We ssh to it, authenticate and then get onto local CLI - which
> is specialised for managing the database of devices on the HP NA and to
> connect to them (allowing for logging of the session, different setups and
> so on).
> Here is the problem:
> HP NA is not SSH bastion so no SSH forwarding (-J, -W, -tt options) works.
>
I see your problem and feel your pain.

> It has to be a two stage connection

to my understanding this is not how Ansible works

> to a device if HP NA was to be used (in our case, it has to be).
> First of all, I do not have a way to tell Ansible to connect to a device
> by ssh-ing to HP NA server, then to start a new session to a device using 
> *connect
> 'device_name'* command to get the actual device prompt.
> What I wanted to achieve:
> I wanted to modify network_cli plugin
>
that's way above my Ansible knowledge. I suppose network_cli
(https://docs.ansible.com/ansible/2.7/plugins/connection/network_cli.html)
is not a transport for Ansible and it cannot be used as such.
Firing a single CLI command on the host and returning output is what it is
used for I guess.
Regards,
Mark

> to add a fixed server and a couple of additional steps, so it looks like
> this - very high level:
> ansible -i inventory.ans playbook.yml
> (inventory.ans contains real IP addresses and/or device names known to HP
> NA, playbook.yml contains network_cli_HPNA modified connector to be used
> and arbitrary task)
> I thought that ansible-playbook will call network_cli_HPNA at some point
> to establish a session and I would intercept it there, connect first to HP
> NA server, then, after verifying sanity, issue connect device, where device
> is the information in the playbook and supplied by ansible-playbook when
> it calls network_cli.
> Now, that does not happen early enough (or I did not understand this well).
> What I saw was that after I start ansible-playbook and ingest modules and
> parse playbook, I call paramiko_ssh to establish a permanent connection
> (which times out, as I can not access devices directly), but, network_cli
> is never visited...
> I saw that connection is brought up in paramiko_ssh and we could possibly
> change it there, but, that would ruin any upgrade down the road - I wanted
> to fork this later, when I will not put anyone else in jeopardy (those who
> use paramiko_ssh as a regular connector plugin).
> I hope that this helps.
> Thanks,
> Vladan
>
> On Wednesday, 28 November 2018 09:45:35 UTC, Mark Zhitomirski wrote:
>>
>> can you kindly present your case? It's not easy to see what you are
>> trying and where it fails.
>> Regards,
>> Mark
>>
>>
>> On Tue, Nov 27, 2018 at 7:58 PM  wrote:
>>
>>> As far as I have seen, it is not trivial - looks like although plugin
>>> for network_cli is selected, the paramiko_ssh plugin is used to handle
>>> actual ssh session. Considering it is easy to send additional command, it
>>> is not easy to keep all that without significantly touching classes defined
>>> in Ansible. And I wanted something like 5 lines of code ...
>>> I almost gave up on this effort...
>>>
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "Ansible Project" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to ansible-proje...@googlegroups.com.
>>> To post to this group, send email to ansible...@googlegroups.com.
>>> To view this discussion on the web visit
>>> https://groups.google.com/d/msgid/ansible-project/821650d7-1495-49be-9535-b05fa16b4ced%40googlegroups.com
>>> 
>>> .
>>> For more options, visit https://groups.google.com/d/optout.
>>>
>>
>>
>> --
>> MZ
>>


-- 
MZ


Re: [ansible-project] Re: Connect via NOT a bastion jump host

2018-11-28 Thread vladan . milosevic . private
Of course, thanks for asking;
My company has HP Network Automation (HP NA) host which provides universal 
access to all network devices. It behaves like a jump host, but, not SSH 
jump host. We ssh to it, authenticate and then get onto local CLI - which 
is specialised for managing the database of devices on the HP NA and to 
connect to them (allowing for logging of the session, different setups and 
so on).
Here is the problem:
HP NA is not SSH bastion so no SSH forwarding (-J, -W, -tt options) works. 
It has to be a two stage connection to a device if HP NA was to be used (in 
our case, it has to be).
First of all, I do not have a way to tell Ansible to connect to a device by 
ssh-ing to HP NA server, then to start a new session to a device using *connect 
'device_name'* command to get the actual device prompt.
What I wanted to achieve:
I wanted to modify network_cli plugin to add a fixed server and a couple of 
additional steps, so it looks like this - very high level:
ansible -i inventory.ans playbook.yml
(inventory.ans contains real IP addresses and/or device names known to HP 
NA, playbook.yml contains network_cli_HPNA modified connector to be used 
and arbitrary task)
I thought that ansible-playbook will call network_cli_HPNA at some point to 
establish a session and I would intercept it there, connect first to HP NA 
server, then, after verifying sanity, issue connect device, where device is 
the information in the playbook and supplied by ansible-playbook when it 
calls network_cli.
Now, that does not happen early enough (or I did not understand this well).
What I saw was that after I start ansible-playbook and ingest modules and 
parse playbook, I call paramiko_ssh to establish a permanent connection 
(which times out, as I can not access devices directly), but, network_cli 
is never visited...
I saw that connection is brought up in paramiko_ssh and we could possibly 
change it there, but, that would ruin any upgrade down the road - I wanted 
to fork this later, when I will not put anyone else in jeopardy (those who 
use paramiko_ssh as a regular connector plugin).
I hope that this helps.
Thanks,
Vladan

On Wednesday, 28 November 2018 09:45:35 UTC, Mark Zhitomirski wrote:
>
> can you kindly present your case? It's not easy to see what you are trying 
> and where it fails.
> Regards,
> Mark
>
>
> On Tue, Nov 27, 2018 at 7:58 PM wrote:
>
>> As far as I have seen, it is not trivial - looks like although plugin for 
>> network_cli is selected, the paramiko_ssh plugin is used to handle actual 
>> ssh session. Considering it is easy to send additional command, it is not 
>> easy to keep all that without significantly touching classes defined in 
>> Ansible. And I wanted something like 5 lines of code ...
>> I almost gave up on this effort...
>>
>
>
> -- 
> MZ
>

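The two-stage login described in this thread (ssh to HP NA, then `connect <device>` from its CLI), as an added example that is not code from the thread or from Ansible: a small expect-style driver over any channel with send()/recv(), such as the one paramiko's invoke_shell() returns. The `NA>` prompt, the device prompt shape, the device-name allowlist and the FakeChannel test double are assumptions.

```python
import re

# Assumed prompt of the HP NA CLI; the thread does not show it, adjust to yours.
HPNA_PROMPT = re.compile(r"(?:^|\n)NA>\s*\Z")
# Only plain hostnames/IPs may be placed on the HP NA command line.
SAFE_DEVICE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,62}")

def read_until(chan, prompt, max_reads=50):
    """Collect chan.recv() output until the prompt regex matches the buffer."""
    buf = ""
    for _ in range(max_reads):
        chunk = chan.recv(4096)
        if not chunk:  # channel closed or nothing more to read
            break
        buf += chunk.decode("utf-8", "replace").replace("\r", "")
        if prompt.search(buf):
            return buf
    raise TimeoutError("expected prompt not seen, last output: %r" % buf[-80:])

def run_via_hpna(chan, device, command):
    """Stage 1: HP NA CLI. Stage 2: 'connect <device>', then run one command."""
    if not SAFE_DEVICE.fullmatch(device):  # fullmatch also rejects "name\n"
        raise ValueError("refusing unsafe device name: %r" % device)
    # Assumption: the device prompt starts with the name given to 'connect'.
    dev_prompt = re.compile(r"(?:^|\n)" + re.escape(device) + r"\S*[>#]\s*\Z")
    read_until(chan, HPNA_PROMPT)
    chan.send(("connect %s\n" % device).encode())
    read_until(chan, dev_prompt)  # raises if we are still on HP NA
    chan.send((command + "\n").encode())
    out = read_until(chan, dev_prompt)
    return "\n".join(out.split("\n")[1:-1])  # drop echo line and prompt line

class FakeChannel:
    """Constructed stand-in for the channel paramiko's invoke_shell() returns."""
    def __init__(self, known=("rtr1",)):
        self.known, self.sent, self.queue = known, [], [b"Welcome\r\nNA> "]

    def send(self, data):
        self.sent.append(data)
        line = data.decode().strip()
        if not line.startswith("connect "):
            self.queue.append(line.encode() + b"\r\nIOS 15.2\r\nrtr1#")
        elif line[8:] in self.known:
            self.queue.append(line.encode() + b"\r\n" + line[8:].encode() + b"#")
        else:
            self.queue.append(line.encode() + b"\r\nNo such device\r\nNA> ")

    def recv(self, nbytes):
        return self.queue.pop(0) if self.queue else b""
```

With a real session, pass the channel from `invoke_shell()` on a connected `paramiko.SSHClient`, with a receive timeout set and the HP NA host key verified rather than auto-accepted.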


Re: [ansible-project] Re: Connect via NOT a bastion jump host

2018-11-28 Thread Mark Zhitomirski
can you kindly present your case? It's not easy to see what you are trying
and where it fails.
Regards,
Mark


On Tue, Nov 27, 2018 at 7:58 PM  wrote:

> As far as I have seen, it is not trivial - looks like although plugin for
> network_cli is selected, the paramiko_ssh plugin is used to handle actual
> ssh session. Considering it is easy to send additional command, it is not
> easy to keep all that without significantly touching classes defined in
> Ansible. And I wanted something like 5 lines of code ...
> I almost gave up on this effort...
>


-- 
MZ



[ansible-project] Re: Connect via NOT a bastion jump host

2018-11-27 Thread vladan . milosevic . private
As far as I have seen, it is not trivial - looks like although plugin for 
network_cli is selected, the paramiko_ssh plugin is used to handle actual 
ssh session. Considering it is easy to send additional command, it is not 
easy to keep all that without significantly touching classes defined in 
Ansible. And I wanted something like 5 lines of code ...
I almost gave up on this effort...



[ansible-project] Re: Connect via NOT a bastion jump host

2018-04-10 Thread jose
Hello Anton, did you manage to get this working, I am trying to do the same 
exact thing but I do not see how it could be done?

Cordially
Jose

On Monday, February 27, 2017 at 2:10:24 PM UTC+1, Anton Kirichenko wrote:

> Hello,
>
> Sorry for a lame question, but I'm trying to enable Ansible to manage 
> Cisco routers which are reachable only from a single management host. That 
> host is  HP NA server, where users could connect by ssh and then manually 
> build  connection (ssh/telnet)  to the final destination (i.e. routers).
> I've already read about known ways to establish SSH session via 
> jump/bastion hosts  using "proxycommand" and "ssh -W", but my case is a 
> little bit different.  HPNA jump host has its own CLI, where users call 
> command "connect ROUTER_NAME"  to connect to routers.
> In other words it looks like  "laptop -> ssh -> HPNA -> HPNA CLI command 
> "connect router Bla" -> ssh/telnet(rare case) -> router"
>
> I wonder if Ansible has any modules which would wrap that  command "connect 
> router Bla" to ssh session established from my laptop to the jump host ?
>
> Thank you
> Anton
>
