There are many reasons for using bastion hosts:
The latter case is quite boring as Ansible doesn't support Windows as a client platform.
A standard approach is:
We'll do this via two configuration files:
This approach allows us:
In [ ]:
cd /notebooks/exercise-06/
Instead of repeatedly passing options to ssh, we can use -F ssh_config and put the configuration there.
In [ ]:
!cat ssh_config
# If we don't use it, we can turn off GSSAPIAuthentication,
# whose attempts may slow down the connection.
#
# Skipping PKI (key) authentication in favour of sshpass is insecure by design:
# the password is sent to the bastion via a
# cleartext file.
Match Host 172.25.0.*
    # the inner ssh must read the same ssh_config, otherwise the "bastion" alias is unknown
    ProxyCommand sshpass -f cleartext-bastion-password ssh -F ssh_config jump@bastion -W %h:%p
Test connectivity to the bastion. Check your host IPs and modify ssh_config accordingly.
Replace ALL bastion occurrences, including the one below the BEWARE note.
In [ ]:
fmt=r'{{.NetworkSettings.IPAddress}}'
!docker -H tcp://172.17.0.1:2375 inspect ansible101_bastion_1 --format {fmt} # pass variables *before* commands ;)
Write the ssh-copy-id.yml playbook to install an ssh key to the bastion.
Bastion credentials are:
- user: root
- password: root
Try to do it without watching the previous exercises:
- ansible.cfg with [ssh_connection] arguments to avoid ssh key mismatches
- vault.yml
- inventory file
You can reuse the old id_ansible key or:
- ssh_config
Hint: bastion node;
In [ ]:
# Use this cell to create the pin file and then encrypt the vault
In [ ]:
# Use this cell to test/run the playbook. You can --limit the execution to the bastion host only.
In [ ]:
!ssh -Fssh_config bastion hostname
Uncomment the last lines of ssh_config and try to use the bastion for connecting to the other hosts.
In [ ]:
fmt=r'{{.NetworkSettings.IPAddress}}'
!docker -H tcp://172.17.0.1:2375 inspect ansible101_web_1 --format {fmt} # pass variables *before* commands ;)
In [ ]:
!ssh -F ssh_config root@172.17.0.4 ip -4 -o a # get host ip
Configure your ansible.cfg so that every web host is accessed via the bastion.
Run ps -ef | grep ssh on your docker host to check all the ProxyCommand processes.
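Added here as a worked example that is not part of the exercise's own files or code: a small Python resolver that mimics how ssh picks options for a destination from ssh_config (first value wins, Host vs. Match host semantics), expands the ProxyCommand's %h and %p tokens, reads the -F file out of ansible.cfg's [ssh_connection] ssh_args, and flags the cleartext password file the sshpass -f form relies on. It covers both the ssh_config section above and the ansible.cfg step here. The ssh_config and ansible.cfg contents, the 172.17.0.3 bastion address and the 172.25.0.x web hosts are constructed sample values; only Host and Match all/host are implemented.

```python
import configparser
import fnmatch
import shlex

# Constructed sample files (not the exercise's own ssh_config/ansible.cfg):
# a bastion alias plus a Match block routing the 172.25.0.* web hosts
# through it with the same sshpass ProxyCommand shape as in the exercise.
SSH_CONFIG = """\
Host bastion
    Hostname 172.17.0.3
    User root
    IdentityFile id_ansible
    GSSAPIAuthentication no

Match host 172.25.0.*
    ProxyCommand sshpass -f cleartext-bastion-password ssh -F ssh_config jump@bastion -W %h:%p
"""

ANSIBLE_CFG = """\
[defaults]
inventory = inventory

[ssh_connection]
ssh_args = -F ssh_config
"""


def _matches(patterns, name):
    """ssh-style pattern list: '*' and '?' wildcards, a leading '!' negates."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(name, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(name, pat):
            matched = True
    return matched


def resolve(config_text, target):
    """Mimic ssh's lookup: a keyword applies when its Host/Match block matches,
    and the first value obtained wins. Only 'Host' and 'Match all|host <pats>'
    are handled (enough here); other Match criteria count as no match."""
    opts = {}
    active = True  # lines before any Host/Match block apply to every host
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # ssh only treats leading '#' as comment
            continue
        key, value = (line.split(None, 1) + [""])[:2]
        key = key.lower()
        if key == "host":  # matched against the name given on the command line
            active = _matches(value.split(), target)
        elif key == "match":
            crit = value.split()
            if crit and crit[0].lower() == "all":
                active = True
            elif len(crit) > 1 and crit[0].lower() == "host":
                # 'Match host' sees the name after any Hostname substitution
                active = _matches(crit[1].split(","), opts.get("hostname", target))
            else:
                active = False
        elif active:
            opts.setdefault(key, value.strip())
    return opts


def proxy_command(config_text, target, port=22):
    """Expanded ProxyCommand ssh would run for target, or None if direct."""
    opts = resolve(config_text, target)
    cmd = opts.get("proxycommand")
    if cmd is None:
        return None
    return cmd.replace("%h", opts.get("hostname", target)).replace("%p", str(port))


def cleartext_password_files(config_text):
    """Password files fed to 'sshpass -f' in ProxyCommands: anyone who can read
    such a file can log in to the bastion, so they need restrictive modes."""
    files = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.lower().startswith("proxycommand"):
            argv = shlex.split(line.split(None, 1)[1])
            for i, tok in enumerate(argv[:-1]):
                if tok == "-f" and "sshpass" in argv[:i]:
                    files.append(argv[i + 1])
    return files


def ansible_ssh_config_file(cfg_text):
    """File named by -F in ansible.cfg's [ssh_connection] ssh_args, or None."""
    cp = configparser.ConfigParser(interpolation=None)  # ansible.cfg may hold '%'
    cp.read_string(cfg_text)
    args = shlex.split(cp.get("ssh_connection", "ssh_args", fallback=""))
    for i, arg in enumerate(args):
        if arg == "-F" and i + 1 < len(args):
            return args[i + 1]
        if arg.startswith("-F") and len(arg) > 2:  # joined form: -Fssh_config
            return arg[2:]
    return None


def routed_via_bastion(cfg_text, ssh_config_text, hosts):
    """Per inventory host: will ansible's ssh go through the ProxyCommand?
    Needs ansible.cfg to point ssh at ssh_config AND a matching Match block."""
    if ansible_ssh_config_file(cfg_text) != "ssh_config":
        return {h: False for h in hosts}
    return {h: proxy_command(ssh_config_text, h) is not None for h in hosts}


if __name__ == "__main__":
    print(proxy_command(SSH_CONFIG, "172.25.0.5"))
    print("cleartext password files:", cleartext_password_files(SSH_CONFIG))
    print(routed_via_bastion(ANSIBLE_CFG, SSH_CONFIG, ["172.25.0.5", "172.17.0.3"]))
```

The resolver mirrors two details that matter when debugging this exercise: Host patterns are matched against the alias typed on the command line, while Match host sees the address after Hostname substitution, so the bastion alias itself never picks up its own ProxyCommand. Running ssh -G -F ssh_config <host> on the docker host shows the real client's resolution for comparison.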