Ansible with a bastion host / jump box?

Question:

I’m fairly certain I’ve seen a feature in the ansible documentation where you can tell it that to connect to certain hosts it first needs to tunnel through a DMZ host. I can’t however seem to find any documentation outside of some debates on the mailing lists.

I’m aware of hacking this in with an ssh config however that’s an overcomplicated kludge for an extremely common requirement in any kind of mildly regulated environment.

Is there a way to do this without using custom ssh config includes and voodoo netcat sorcery?

Answer:

With Ansible 2, this is a built-in option:

How do I configure a jump host to access servers that I have no direct access to?

With Ansible 2, you can set a ProxyCommand in the ansible_ssh_common_args inventory variable. Any arguments specified in this variable are added to the sftp/scp/ssh command line when connecting to the relevant host(s). Consider the following inventory group:

You can create group_vars/gatewayed.yml with the following contents:

Ansible will append these arguments to the command line when trying to connect to any hosts in the group gatewayed. (These arguments are used in addition to any ssh_args from ansible.cfg, so you do not need to repeat global ControlPersist settings in ansible_ssh_common_args.)

Note that ssh -W is available only with OpenSSH 5.4 or later. With older versions, it’s necessary to execute nc %h:%p or some equivalent command on the bastion host.

Leave a Reply