Using Ansible with bastion host
UPD Another article on the this topic, using variables instead of ssh config file: Using Ansible with bastion or jump host with variables.
Sometimes due to network configuration or security reasons you can’t access a host directly, but should use intermediate host, so-called bastion host.
I got this setup from this article by Scott Lowe, but
ssh.cfg is adjusted so that mentioning exact network mask is not necessary.
[ssh_connection] # -C enable compression ssh_args = -C -F ./ssh.cfg
# All hosts Host * # Security ForwardAgent no # Connection multiplexing ControlMaster auto ControlPersist 2m ControlPath ~/.ssh/ansible-%r@%h:%p # Connect through bastion hosts ProxyCommand ssh -W %h:%p bastion1 # Second bastion if first is down #ProxyCommand ssh -W %h:%p bastion2 # Bastion hosts Host bastion1 HostName 10.0.0.1 ProxyCommand none Host bastion2 HostName 10.0.0.2 ProxyCommand none
Somewhere in inventory, to avoid repeating bastion IP addresses twice:
[bastion] bastion1 ansible_ssh_host=bastion1 bastion2 ansible_ssh_host=bastion2
P.S. Starting from Ansible 2, you can also use
ansible_ssh_common_args inventory variable: Ansible FAQ.
UPD: stemid85 on Reddit pointed out the way to use a chain of bation hosts:
Host bastion1 HostName 192.168.1.1 ProxyCommand none Host bastion2 HostName 192.168.2.2 ProxyCommand ssh bastion1 -W %h:%p Host target ProxyCommand ssh bastion2 -W %h:%p