Ansible with a bastion host / jump box?
Question
I'm fairly certain I've seen a feature in the ansible documentation where you can tell it that, to connect to certain hosts, it first needs to tunnel through a DMZ host. I can't, however, seem to find any documentation outside of some debates on the mailing lists.
I'm aware of hacking this in with an ssh config like on this page http://alexbilbie.com/2014/07/using-ansible-with-a-bastion-host/; however, that's an overcomplicated kludge for an extremely common requirement in any kind of mildly regulated environment.
Is there a way to do this without using custom ssh config includes and voodoo netcat sorcery?
Recommended answer
With Ansible 2, this is a built-in option:
How do I configure a jump host to access servers that I have no direct access to?
With Ansible 2, you can set a ProxyCommand in the ansible_ssh_common_args inventory variable. Any arguments specified in this variable are added to the sftp/scp/ssh command line when connecting to the relevant host(s). Consider the following inventory group:
[gatewayed]
foo ansible_host=192.0.2.1
bar ansible_host=192.0.2.2
You can create group_vars/gatewayed.yml with the following contents:
ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q user@gateway.example.com"'
Ansible will append these arguments to the command line when trying to connect to any hosts in the group gatewayed. (These arguments are used in addition to any ssh_args from ansible.cfg, so you do not need to repeat global ControlPersist settings in ansible_ssh_common_args.)
Note that ssh -W is available only with OpenSSH 5.4 or later. With older versions, it's necessary to execute nc %h:%p or some equivalent command on the bastion host.
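A script that generates the group_vars/gatewayed.yml file from the answer above, choosing between the ssh -W form and the netcat fallback based on the control node's OpenSSH version. This is an added example, not code from the question, the answer or the Ansible project; the function names and the deploy@gateway.example.com bastion are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the question, the answer or the Ansible docs:
# derive the ansible_ssh_common_args value for the 'gatewayed' group from
# the control node's OpenSSH version. 'ssh -W' is an option of the local
# ssh client that Ansible launches as ProxyCommand and exists only in
# OpenSSH 5.4+; older clients fall back to running netcat on the bastion.
# Function names and the deploy@gateway.example.com bastion are assumed.
set -eu

# Extract "major.minor" from an 'ssh -V' banner such as
# "OpenSSH_7.9p1 Debian-10+deb10u2, OpenSSL 1.1.1d  10 Sep 2019".
openssh_version() {
  local banner="$1" v
  v="${banner#*OpenSSH_}"     # drop everything up to the version number
  v="${v%%[!0-9.]*}"          # keep only the leading digits and dots: 7.9
  printf '%s\n' "$v"
}

# Succeed when version "$1" is at least 5.4, the release that added -W.
supports_w_flag() {
  local major="${1%%.*}" minor=0
  case "$1" in *.*) minor="${1#*.}"; minor="${minor%%.*}" ;; esac
  [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 4 ]; }
}

# Build the inventory variable value for bastion "$1" (user@host), version "$2".
bastion_common_args() {
  local bastion="$1" version="$2"
  if supports_w_flag "$version"; then
    # -W has the bastion forward the TCP stream; no shell or nc is run there.
    printf '%s\n' "-o ProxyCommand=\"ssh -W %h:%p -q ${bastion}\""
  else
    # Pre-5.4 client: netcat on the bastion relays to the target host and port.
    printf '%s\n' "-o ProxyCommand=\"ssh -q ${bastion} nc %h %p\""
  fi
}

# Write group_vars/gatewayed.yml under inventory directory "$1" for bastion "$2",
# in the same single-quoted form the answer shows.
write_group_vars() {
  local dir="$1" bastion="$2" version
  version="$(openssh_version "$(ssh -V 2>&1)")"
  mkdir -p "$dir/group_vars"
  printf "ansible_ssh_common_args: '%s'\n" \
    "$(bastion_common_args "$bastion" "$version")" > "$dir/group_vars/gatewayed.yml"
}

# Usage: ./bastion_vars.sh ./inventory deploy@gateway.example.com
if [ "$#" -eq 2 ]; then
  write_group_vars "$1" "$2"
fi
```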