Ansible with a bastion host / jump box?


Question

I'm fairly certain I've seen a feature in the ansible documentation where you can tell it that to connect to certain hosts it first needs to tunnel through a DMZ host. I can't however seem to find any documentation outside of some debates on the mailing lists.

I'm aware of hacking this in with an ssh config like on this page http://alexbilbie.com/2014/07/using-ansible-with-a-bastion-host/ however that's an overcomplicated kludge for an extremely common requirement in any kind of mildly regulated environment.

Is there a way to do this without using custom ssh config includes and voodoo netcat sorcery?

Recommended answer

With Ansible 2, this is a built-in option:

How do I configure a jump host to access servers that I have no direct access to?

With Ansible 2, you can set a ProxyCommand in the ansible_ssh_common_args inventory variable. Any arguments specified in this variable are added to the sftp/scp/ssh command line when connecting to the relevant host(s). Consider the following inventory group:

[gatewayed]
foo ansible_host=192.0.2.1
bar ansible_host=192.0.2.2

You can create group_vars/gatewayed.yml with the following contents:

ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q user@gateway.example.com"'

Ansible will append these arguments to the command line when trying to connect to any hosts in the group gatewayed. (These arguments are used in addition to any ssh_args from ansible.cfg, so you do not need to repeat global ControlPersist settings in ansible_ssh_common_args.)

Note that ssh -W is available only with OpenSSH 5.4 or later. With older versions, it’s necessary to execute nc %h:%p or some equivalent command on the bastion host.
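
A small lint for the ansible_ssh_common_args value shown in the answer, as an added example that is not part of the original answer or of Ansible: it splits the string the way a shell would, descends into the ProxyCommand, and reports options that weaken host key checking or forward the agent on either hop. The names audit, ssh_options and RISKY are hypothetical, and WEAK_VALUE is a constructed sample.

```python
import re
import shlex

# Option values that weaken host verification or expose the SSH agent.
RISKY = {
    ("stricthostkeychecking", "no"): "host key checking disabled",
    ("userknownhostsfile", "/dev/null"): "known_hosts discarded",
    ("forwardagent", "yes"): "agent forwarded",
}

def ssh_options(argv):
    """Yield (key, value) for each '-o Key=Value' / '-o "Key Value"' in argv."""
    for i, arg in enumerate(argv):
        if arg == "-o" and i + 1 < len(argv):
            opt = argv[i + 1]
        elif arg.startswith("-o") and len(arg) > 2:
            opt = arg[2:]
        else:
            continue
        m = re.match(r"\s*(\w+)\s*=?\s*(.*)", opt)
        if m:
            yield m.group(1).lower(), m.group(2).strip()

def audit(common_args, hop="target hop"):
    """Return findings for an ansible_ssh_common_args value (hypothetical helper)."""
    findings = []
    argv = shlex.split(common_args)
    if "-A" in argv:  # only the stand-alone flag, not bundles like -qA
        findings.append(f"{hop}: agent forwarded (-A)")
    for key, value in ssh_options(argv):
        if (key, value.lower()) in RISKY:
            findings.append(f"{hop}: {RISKY[(key, value.lower())]}")
        if key == "proxycommand" and hop == "target hop":
            inner = shlex.split(value)
            if inner[:1] == ["ssh"] and "-W" not in inner:
                findings.append("proxy hop: no -W, needs nc or similar on the bastion")
            findings += audit(value, hop="proxy hop")
    return findings

# The value from group_vars/gatewayed.yml above.
PAGE_VALUE = '-o ProxyCommand="ssh -W %h:%p -q user@gateway.example.com"'
# Constructed weak value, for contrast.
WEAK_VALUE = ('-o StrictHostKeyChecking=no -o ProxyCommand="ssh -A '
              '-o UserKnownHostsFile=/dev/null user@gateway.example.com nc %h %p"')

if __name__ == "__main__":
    for name, value in (("page", PAGE_VALUE), ("weak", WEAK_VALUE)):
        print(name, audit(value) or "no findings")
```
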
