Using an Ansible playbook with an SSH bastion / jump host
source link: https://www.jeffgeerling.com/blog/2022/using-ansible-playbook-ssh-bastion-jump-host
January 27, 2022
Since I've set this up a number of times, but I just realized I've never documented it on my blog, I thought I'd finally do that.
I have a set of servers that are running on a private network. That network is connected to the Internet through a single reverse proxy / 'bastion' host.
But I still want to be able to manage the servers on the private network behind the bastion from outside.
The way to do that with Ansible is to describe how to connect through the proxy server in Ansible's inventory.
In my case, I had an inventory file like the following:
[proxy]
bastion.example.com
[nodes]
private-server-1.example.com
private-server-2.example.com
private-server-3.example.com
If I am connected to the private network directly, I can just run ansible commands and playbooks, and Ansible can see all the servers and connect to them (assuming my SSH config is otherwise correct).
From the outside, though, I need to modify my inventory to look like the following:
[proxy]
bastion.example.com
[nodes]
private-server-1.example.com
private-server-2.example.com
private-server-3.example.com
[nodes:vars]
ansible_ssh_common_args='-o ProxyCommand="ssh -p 2222 -W %h:%p -q user@bastion.example.com"'
This sets up an SSH proxy through bastion.example.com on port 2222, logging in as user (substitute your own account on the bastion; if the bastion uses the default port, 22, you can drop the -p argument). The -W argument tells SSH to forward its standard input and output to the given host and port via the bastion (%h and %p are expanded to the target node's hostname and port), effectively allowing Ansible to manage the node behind the bastion/jump server.
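As an added example (my own code, not from the post and not part of Ansible), the following Python script builds the bastion inventory described above, shows why the nested quoting around ProxyCommand is needed, and reads the file back to check the groups and variables without Ansible installed. The bastion login name user is a placeholder, the node names are the constructed sample names from the post, and the ProxyJump variant is an alternative I added that the post does not mention.

```python
"""Build and sanity-check an Ansible INI inventory that reaches hosts behind an SSH bastion.

Added example, not code from the original post. The bastion login name "user"
is a placeholder; the host names are the constructed sample names from the post.
"""
import configparser
import shlex

BASTION = "bastion.example.com"
BASTION_USER = "user"          # placeholder: your login account on the bastion
BASTION_PORT = 2222
NODES = [                      # constructed sample hosts on the private network
    "private-server-1.example.com",
    "private-server-2.example.com",
    "private-server-3.example.com",
]


def proxy_command(bastion, user, port=22):
    """Inner ssh command that the outer ssh runs to reach the node.

    -W %h:%p asks the bastion's sshd to forward stdin/stdout to the node;
    %h and %p are expanded by the outer ssh to the node's host and port,
    so they must stay literal here. -p is only needed for a non-default port.
    """
    cmd = ["ssh"]
    if port != 22:
        cmd += ["-p", str(port)]
    cmd += ["-W", "%h:%p", "-q", f"{user}@{bastion}"]
    return " ".join(cmd)


def ssh_common_args(bastion, user, port=22):
    """Value for ansible_ssh_common_args using ProxyCommand (as in the post).

    Ansible shell-splits this string, so the ProxyCommand must be wrapped in
    double quotes to survive as a single -o argument.
    """
    return f'-o ProxyCommand="{proxy_command(bastion, user, port)}"'


def ssh_common_args_proxyjump(bastion, user, port=22):
    """Equivalent using ProxyJump (OpenSSH 7.3+), which needs no nested quoting."""
    target = f"{user}@{bastion}"
    if port != 22:
        target += f":{port}"
    return f"-o ProxyJump={target}"


def render_inventory(bastion, nodes, common_args):
    """Render the INI inventory: a [proxy] group, a [nodes] group and [nodes:vars]."""
    lines = ["[proxy]", bastion, "", "[nodes]", *nodes, "", "[nodes:vars]",
             f"ansible_ssh_common_args='{common_args}'"]
    return "\n".join(lines) + "\n"


def unquote_ini_value(value):
    """Ansible's INI plugin strips one matching pair of surrounding quotes."""
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        return value[1:-1]
    return value


def parse_inventory(text):
    """Read the inventory back: host groups and per-group variables.

    Uses configparser rather than Ansible so this runs without Ansible installed;
    interpolation is off because the ProxyCommand contains %h and %p.
    """
    cp = configparser.ConfigParser(allow_no_value=True, delimiters=("=",),
                                   interpolation=None)
    cp.optionxform = str  # keep variable names case-sensitive, as Ansible does
    cp.read_string(text)
    groups, group_vars = {}, {}
    for section in cp.sections():
        if section.endswith(":vars"):
            group_vars[section[:-len(":vars")]] = {
                k: unquote_ini_value(v) for k, v in cp.items(section)}
        else:
            # host lines have no "=" and therefore no value
            groups[section] = [k for k, v in cp.items(section) if v is None]
    return groups, group_vars


def manual_ssh_argv(node, common_args, node_port=22):
    """argv of a hand-typed ssh command equivalent to what Ansible runs for one node.

    Useful for testing the path outside Ansible; shlex.split mirrors Ansible's
    splitting of ansible_ssh_common_args into separate arguments.
    """
    return ["ssh", *shlex.split(common_args), "-p", str(node_port), node]


if __name__ == "__main__":
    args = ssh_common_args(BASTION, BASTION_USER, BASTION_PORT)
    inventory = render_inventory(BASTION, NODES, args)
    print(inventory)
    groups, group_vars = parse_inventory(inventory)
    print(groups, group_vars)
    argv = manual_ssh_argv(NODES[0], group_vars["nodes"]["ansible_ssh_common_args"])
    print(" ".join(shlex.quote(a) for a in argv))
```

If the connection fails, test the printed manual ssh command first and drop -q from the inner ssh while doing so: quiet mode hides the bastion-side messages (host-key mismatch, refused forwarding) that explain most failures. The -W forwarding also requires the bastion's sshd to permit TCP forwarding (AllowTcpForwarding), which hardened bastions sometimes disable.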