Ansible with a bastion host / jump box?


Problem description

I'm fairly certain I've seen a feature in the ansible documentation where you can tell it that to connect to certain hosts it first needs to tunnel through a DMZ host. I can't however seem to find any documentation outside of some debates on the mailing lists.

I'm aware of hacking this in with an ssh config like on this page http://alexbilbie.com/2014/07/using-ansible-with-a-bastion-host/ however that's an overcomplicated kludge for an extremely common requirement in any kind of mildly regulated environment.

Is there a way to do this without using custom ssh config includes and voodoo netcat sorcery?

Recommended answer

With Ansible 2, this is a built-in option:

How do I configure a jump host to access servers that I have no direct access to?

With Ansible 2, you can set a ProxyCommand in the ansible_ssh_common_args inventory variable. Any arguments specified in this variable are added to the sftp/scp/ssh command line when connecting to the relevant host(s). Consider the following inventory group:

[gatewayed]
foo ansible_host=192.0.2.1
bar ansible_host=192.0.2.2

You can create group_vars/gatewayed.yml with the following contents:

ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q user@gateway.example.com"'

Ansible will append these arguments to the command line when trying to connect to any hosts in the group gatewayed. (These arguments are used in addition to any ssh_args from ansible.cfg, so you do not need to repeat global ControlPersist settings in ansible_ssh_common_args.)

Note that ssh -W is available only with OpenSSH 5.4 or later. With older versions, it’s necessary to execute nc %h:%p or some equivalent command on the bastion host.
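As an added example (not part of the original answer and not Ansible's own code), the script below derives the group_vars entry the answer describes from the controller's OpenSSH version: it parses the `ssh -V` banner, picks `ssh -W %h:%p` when the local OpenSSH is 5.4 or newer and the netcat fallback otherwise, and shows what Ansible's shlex split of `ansible_ssh_common_args` turns into on the ssh command line. The user name, `gateway.example.com` and the `/etc/ansible/bastion_known_hosts` path are constructed placeholders. The fallback is written `nc %h %p` because netcat takes host and port as two separate arguments; the optional `known_hosts` parameter pins the bastion's host key for the first hop so that a spoofed bastion cannot silently relay the whole session.

```python
"""Derive the ansible_ssh_common_args entry for a group reached via a bastion.

Added example for this answer; it is not Ansible's own code. Hostnames, user
names and the known_hosts path are constructed placeholders.
"""
import re
import shlex
import subprocess
from typing import List, Optional, Tuple

Version = Tuple[int, int]


def openssh_version(ssh_v_output: str) -> Optional[Version]:
    """Extract (major, minor) from an `ssh -V` banner such as
    'OpenSSH_8.9p1 Ubuntu-3ubuntu0.1, OpenSSL 3.0.2 15 Mar 2022'.
    Returns None when the banner is not from OpenSSH."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)", ssh_v_output)
    return (int(m.group(1)), int(m.group(2))) if m else None


def supports_stdio_forward(version: Optional[Version]) -> bool:
    """`ssh -W host:port` (stdio forwarding) needs OpenSSH 5.4 or later."""
    return version is not None and version >= (5, 4)


def proxy_command(bastion_user: str, bastion_host: str,
                  version: Optional[Version],
                  known_hosts: Optional[str] = None) -> str:
    """Build the command ssh runs to reach the target through the bastion.

    %h and %p are expanded by the outer ssh (the one Ansible starts) to the
    target's host and port, so they must survive into this string literally.
    When known_hosts is given, the hop to the bastion checks the bastion's
    key against that file only instead of the controller's defaults.
    """
    argv = ["ssh", "-q"]
    if known_hosts:
        argv += ["-o", f"UserKnownHostsFile={known_hosts}",
                 "-o", "StrictHostKeyChecking=yes"]
    if supports_stdio_forward(version):
        argv += ["-W", "%h:%p", f"{bastion_user}@{bastion_host}"]
    else:
        # Pre-5.4 fallback from the answer: run netcat on the bastion.
        # netcat takes host and port as two arguments, hence "%h" "%p".
        argv += [f"{bastion_user}@{bastion_host}", "nc", "%h", "%p"]
    return " ".join(argv)


def ssh_common_args(proxy: str) -> str:
    """Wrap the ProxyCommand the way the answer's group_vars line does.
    Ansible splits this string with shlex, so the whole command has to be
    one double-quoted word after -o."""
    return f'-o ProxyCommand="{proxy}"'


def ansible_tokens(common_args: str) -> List[str]:
    """What Ansible actually appends to the ssh/scp/sftp argv (shlex split)."""
    return shlex.split(common_args)


def group_vars_yaml(common_args: str) -> str:
    """Render group_vars/<group>.yml; single quotes keep the inner double
    quotes intact in YAML."""
    return f"ansible_ssh_common_args: '{common_args}'\n"


if __name__ == "__main__":
    # Real run on the controller: ssh -V prints its banner on stderr.
    try:
        banner = subprocess.run(["ssh", "-V"], capture_output=True,
                                text=True).stderr
    except FileNotFoundError:
        banner = ""
    ver = openssh_version(banner)
    pc = proxy_command("user", "gateway.example.com", ver,
                       known_hosts="/etc/ansible/bastion_known_hosts")
    print(group_vars_yaml(ssh_common_args(pc)), end="")
```

Run it on the controller and paste the printed line into `group_vars/gatewayed.yml`; the known_hosts file it names should contain only the bastion's key, collected out of band, so that `StrictHostKeyChecking=yes` on the first hop fails closed rather than prompting.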
