如何配置Ansible跳过两个堡垒主机?

时间:2018-12-29 04:48:34

标签: ssh ansible devops ansible-2.x

我想写一本Ansible剧本(使用Ansible 2.7.5),它将在到达目标服务器之前跳过两台主机以完成诸如安装docker和python等操作。

通过将Ansible添加到我的server1文件中,我可以使Ansible通过一台主机跳入hosts

[server1:vars]
ansible_ssh_common_args='-o ProxyCommand="ssh -W %h:%p -q bastion"'

我还更新了~/.ssh/config文件:

Host bastion
  Hostname YY.YY.YY.YY
  User user
  IdentityFile ~/.ssh/bastion_private_key

Host server1
  Hostname XX.XX.XX.XX
  User user
  IdentityFile ~/.ssh/private_key
  ProxyJump bastion

但是,我现在还需要通过两个主机来执行此操作。我已将以下内容添加到~/.ssh/config

Host server2
  Hostname ZZ.ZZ.ZZ.ZZ
  User user
  IdentityFile ~/.ssh/private_key_3
  ProxyJump server1

这使我可以键入ssh server2并在server2中打开一个外壳。这样似乎行得通。

但是,我不知道如何更改hosts文件以跳过这两个主机。我尝试过:

ansible_ssh_common_args='-o ProxyCommand="ssh -J bastion,server1"'

ansible_ssh_common_args='-o ProxyCommand="ssh -W %h:%p -q bastion ssh -W %h:%p -q server1"'

两者都不起作用,并且都导致超时。我应该怎么做才能使Ansible从bastion跳到server1,然后才能到达server2

这是我运行-vvvv(混淆了某些路径和名称)后的结果:

ansible-playbook 2.7.5
  config file = /path/to/dir/ansible.cfg
  configured module search path = [u'/home/user/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/dist-packages/ansible
  executable location = /usr/bin/ansible-playbook
  python version = 2.7.15rc1 (default, Nov 12 2018, 14:31:15) [GCC 7.3.0]
Using /path/to/dir/ansible.cfg as config file
setting up inventory plugins
/path/to/dir/hosts did not meet host_list requirements, check plugin documentation if this is unexpected
/path/to/dir/hosts did not meet script requirements, check plugin documentation if this is unexpected
/path/to/dir/hosts inventory source with ini plugin
 [WARNING]: Found both group and host with same name: server2

statically imported: /path/to/dir/tasks/ansible.yml
Loading callback plugin default of type stdout, v2.0 from /usr/lib/python2.7/dist-packages/ansible/plugins/callback/default.pyc

PLAYBOOK: enable-ansible.yml *********************************************************************************************************************************
1 plays in enable-ansible.yml

PLAY [server2] ****************************************************************************************************************************************

TASK [Gathering Facts] ***************************************************************************************************************************************
task path: /path/to/dir/enable-ansible.yml:2
<server2> ESTABLISH SSH CONNECTION FOR USER: ubuntu
<server2> SSH: EXEC ssh -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ubuntu -o ConnectTimeout=10 -o 'ProxyCommand=ssh -W %h:%p -q bastion ssh -W %h:%p -q server1' -o ControlPath=/home/user/.ansible/cp/460e3f86d3 server2 '/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo /tmp/ansible-tmp-1546192323.33-48994637286535 `" && echo ansible-tmp-1546192323.33-48994637286535="` echo /tmp/ansible-tmp-1546192323.33-48994637286535 `" ) && sleep 0'"'"''
<server2> (255, '', 'OpenSSH_7.6p1 Ubuntu-4ubuntu0.1, OpenSSL 1.0.2n  7 Dec 2017\r\ndebug1: Reading configuration data /home/user/.ssh/config\r\ndebug1: /home/user/.ssh/config line 70: Applying options for server2\r\ndebug1: Reading configuration data /etc/ssh/ssh_config\r\ndebug1: /etc/ssh/ssh_config line 19: Applying options for *\r\ndebug1: auto-mux: Trying existing master\r\ndebug1: Control socket "/home/user/.ansible/cp/460e3f86d3" does not exist\r\ndebug1: Executing proxy command: exec ssh -W SERVER2_IP_ADDRESS:22 -q bastion ssh -W SERVER2_IP_ADDRESS:22 -q server1\r\ndebug3: timeout: 10000 ms remain after connect\r\ndebug1: key_load_public: No such file or directory\r\ndebug1: identity file /home/user/.ssh/bastion type -1\r\ndebug1: key_load_public: No such file or directory\r\ndebug1: identity file /home/user/.ssh/bastion-cert type -1\r\ndebug1: Local version string SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.1\r\ndebug1: permanently_drop_suid: 1000\r\nConnection timed out during banner exchange\r\n')
fatal: [server2]: UNREACHABLE! => {
    "changed": false, 
    "msg": "Failed to connect to the host via ssh: OpenSSH_7.6p1 Ubuntu-4ubuntu0.1, OpenSSL 1.0.2n  7 Dec 2017\r\ndebug1: Reading configuration data /home/user/.ssh/config\r\ndebug1: /home/user/.ssh/config line 70: Applying options for server2\r\ndebug1: Reading configuration data /etc/ssh/ssh_config\r\ndebug1: /etc/ssh/ssh_config line 19: Applying options for *\r\ndebug1: auto-mux: Trying existing master\r\ndebug1: Control socket \"/home/user/.ansible/cp/460e3f86d3\" does not exist\r\ndebug1: Executing proxy command: exec ssh -W SERVER2_IP_ADDRESS:22 -q bastion ssh -W SERVER2_IP_ADDRESS:22 -q server1\r\ndebug3: timeout: 10000 ms remain after connect\r\ndebug1: key_load_public: No such file or directory\r\ndebug1: identity file /home/user/.ssh/bastion type -1\r\ndebug1: key_load_public: No such file or directory\r\ndebug1: identity file /home/user/.ssh/bastion-cert type -1\r\ndebug1: Local version string SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.1\r\ndebug1: permanently_drop_suid: 1000\r\nConnection timed out during banner exchange\r\n", 
    "unreachable": true
}
    to retry, use: --limit @/home/user/Documents/repos/cloud-devops/enable-ansible.retry

PLAY RECAP ***************************************************************************************************************************************************
server2                  : ok=0    changed=0    unreachable=1    failed=0 

对于某些添加的上下文,此剧本将以非root帐户身份登录到远程服务器并在其中创建ansible用户。重申一下,当我只跳过一个主机时,此剧本就可以使用。

1 个答案:

答案 0 :(得分:0)

只需使用

ansible_ssh_common_args='-J bastion,server1'