Ansible: Proxy using ProxyCommand

https://stackoverflow.com/questions/28553307/ansible-using-custom-ssh-config-file

and https://stackoverflow.com/questions/38651791/is-it-possible-to-add-ansible-ssh-common-args-in-inventory-file

https://www.cyberciti.biz/faq/linux-unix-ssh-proxycommand-passing-through-one-host-gateway-server/

Ansible: running through a bastion host

E.g. in inventory create:

ssh-config.yml

with:

ansible_ssh_common_args: "-o ProxyCommand='ssh -W %h:%p {{ AWS_IAM_ID }}@hostname' -o ControlMaster=auto -o ControlPersist=30m -o StrictHostKeyChecking=no"

Then make sure you’ve got both your private keys (bastion and destination) added via ssh-add.

E.g. ssh-add ~/.ssh/id_rsa

etc…

Debugging

  1. use ansible -vvvv to get the ssh command Ansible runs and its output
  2. run that ssh command by hand
  3. I was getting

ec2-user@<ip>: Permission denied (publickey).

  4. ssh to the bastion and check you can access the destination host from there
  5. on the bastion check the sshd logs

tail -f /var/log/auth.log

which revealed nothing.

i.e. the first line shows the successful ssh connection to the jumpbox. The second shows the disconnect.

Note: setting sshd logging to verbose did not help. e.g.

  6. check the destination box

Note this had a different sshd log at:

/var/log/secure

A successful connection (i.e. directly from the bastion host) would show:

Accepted publickey for ec2-user

but via the proxy command I’d get:

Connection closed by <bastion> [preauth]


Ansible: Dynamic Inventory (using the AWS EC2 External Inventory Script)

Where hosts can appear and disappear (e.g. with AWS ASGs), the EC2 external inventory script (ec2.py) comes in useful.

All you need to do is export your AWS access keys as environment variables and ec2.py works.

ec2.ini options

The EC2 inventory output can become very large. To manage its size, you can configure which groups should be created using ec2.ini options. E.g.

Note on how these are created:

  • format is tag_KEY_VALUE
  • special characters are changed to an underscore

E.g. with a NAME tag whose value is my instance name we would get a group named tag_NAME_my_instance_name.
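As an added illustration (not code from ec2.py itself, though it mirrors its tag_KEY_VALUE naming rule), the Python below builds the tag_* groups for a constructed set of instance tags and honours the ec2.ini toggles group_by_tag_keys and replace_dash_in_groups:

```python
import re

# Constructed sample data, not real AWS output: instance id -> its tags.
SAMPLE_INSTANCES = {
    "i-0aaa111": {"Name": "web server-1", "Role": "web", "Env": "prod"},
    "i-0bbb222": {"Name": "db/primary", "Role": "db", "Env": "prod"},
}


def to_safe(word, replace_dash_in_groups=True):
    """Turn a string into a valid Ansible group name the way ec2.py does:
    spaces become underscores and any character outside [A-Za-z0-9_]
    (plus '-' when replace_dash_in_groups=False) becomes an underscore."""
    allowed = r"A-Za-z0-9_"
    if not replace_dash_in_groups:
        allowed += r"\-"
    return re.sub(r"[^" + allowed + r"]", "_", word.replace(" ", "_"))


def tag_groups(tags, group_by_tag_keys=True, replace_dash_in_groups=True):
    """Group names for one instance: tag_KEY_VALUE, or tag_KEY for an empty value.
    Returns an empty set when group_by_tag_keys is switched off in ec2.ini."""
    groups = set()
    if not group_by_tag_keys:
        return groups
    for key, value in tags.items():
        raw = f"tag_{key}={value}" if value else f"tag_{key}"
        groups.add(to_safe(raw, replace_dash_in_groups))
    return groups


def build_inventory(instances, group_by_tag_keys=True, replace_dash_in_groups=True):
    """Map each tag_* group to the sorted list of instance ids it contains."""
    inventory = {}
    for instance_id, tags in instances.items():
        for group in tag_groups(tags, group_by_tag_keys, replace_dash_in_groups):
            inventory.setdefault(group, []).append(instance_id)
    return {group: sorted(ids) for group, ids in inventory.items()}


if __name__ == "__main__":
    for group, ids in sorted(build_inventory(SAMPLE_INSTANCES).items()):
        print(f"{group}: {', '.join(ids)}")
```

Note how "web server-1" and "db/primary" both collapse to underscore-only names, so two tag values that differ only in punctuation end up in the same group.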


These ini keys are read in ec2.py. E.g.

See also:

https://github.com/ansible/ansible/blob/devel/contrib/inventory/ec2.py#L482

and

https://docs.ansible.com/ansible/2.6/user_guide/intro_dynamic_inventory.html#example-aws-ec2-external-inventory-script