How to use bastion in Semaphore
I installed the latest version of Semaphore via Snap on an Ubuntu VM. It works well when I run tasks against nodes with public IPs. However, when remote nodes only have private IPs and need to be reached via a bastion server, tasks always fail saying the remote node is unreachable. My inventory file looks like this:

all:
  hosts:
    vm01:
      ansible_host: <private_ip>
  vars:
    bastion: <bastion_public_ip>
    ansible_ssh_private_key_file: /var/snap/semaphore/current/my_private_key.pem
    ansible_ssh_common_args: "-o ProxyCommand='ssh -q ubuntu@{{bastion}} -o IdentityFile=/var/snap/semaphore/current/my_private_key.pem -W %h:%p'"
    ansible_user: administrator
    ansible_shell_type: cmd
This works well if I run Ansible directly from the VM, but running it from Semaphore fails.
Does anyone know how to resolve this problem?
Meanwhile, is there a way to change the ssh config file (~/.ssh/config on Ubuntu, but I don't know where the counterpart file is in snap) within the Semaphore snap?
I have been looking at this as it would be amazing, but we too have a need to use a ProxyJump setting to get to some hosts.
Will try some things and report back if I can get things to work.
This is how I use a bastion server and setup with Semaphore.
ssh-bastion.cfg:

StrictHostKeyChecking no

Host bastion
    ProxyJump none
    Hostname [host]
    User [user]
    IdentityFile [identity-file]

Host *
    ProxyJump bastion

Then in the environment section under "Extra variables" set "ansible_ssh_common_args" to -F [path-to-cfg], e.g.:

{
  "ansible_ssh_common_args": "-F ./ssh-bastion.cfg"
}
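An added example, not code from this thread or from Semaphore: a small Python model of ssh_config's first-match rule, run over the ssh-bastion.cfg above with its [host], [user] and [identity-file] placeholders filled in with made-up values. It shows why the `Host bastion` stanza with `ProxyJump none` has to come before `Host *`: with the order reversed, the bastion itself inherits `ProxyJump bastion` and ssh would try to reach the jump host through itself.

```python
import fnmatch

# Constructed sample: the thread's ssh-bastion.cfg with [host]/[user]/[identity-file] filled in with made-up values.
SSH_BASTION_CFG = """\
StrictHostKeyChecking no
Host bastion
    ProxyJump none
    Hostname bastion.example.invalid
    User ubuntu
    IdentityFile /var/snap/semaphore/current/my_private_key.pem
Host *
    ProxyJump bastion
"""

def parse_ssh_config(text):
    """Split ssh_config text into (patterns, options) stanzas in file order;
    options before the first Host line form a leading 'Host *' stanza.
    Simplified: no 'key=value' syntax, no '!' negation, no Match blocks."""
    stanzas = [(["*"], {})]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key.lower() == "host":
            stanzas.append((value.split(), {}))
        else:
            stanzas[-1][1].setdefault(key.lower(), value.strip())
    return stanzas

def resolve(stanzas, alias):
    """Effective options for alias under ssh_config's first-match rule: the
    first matching stanza that sets an option wins; later ones cannot override."""
    effective = {}
    for patterns, options in stanzas:
        if any(fnmatch.fnmatchcase(alias, p) for p in patterns):
            for key, value in options.items():
                effective.setdefault(key, value)
    return effective

def jump_chain(stanzas, alias):
    """Hosts ssh passes through to reach alias (target first). Raises on a loop,
    which is what 'Host *' placed before 'Host bastion' would produce."""
    chain, seen = [], set()
    while alias not in seen:
        seen.add(alias)
        chain.append(alias)
        alias = resolve(stanzas, alias).get("proxyjump", "none")
        if alias == "none":
            return chain
    raise ValueError("ProxyJump loop: " + " -> ".join(chain + [alias]))
```

The sample keeps the global `StrictHostKeyChecking no` only to mirror the thread; it disables host-key verification for every host the runner connects to, so on a production Semaphore runner `accept-new` or a pinned `UserKnownHostsFile` is the safer choice.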
Nice, will have a look at that. The docs could do with a lot of updates for things like this.
Thanks for this. Helped me somewhat but I am still having issues. In my case (docker install) I am able to connect to the bastion host, but it seems there is no ssh-agent running in the container and so key forwarding isn't possible AFAIK.
Is your setup working with ssh-key forwarding (the -A option in the ssh client)? Or did you get this working by making sure each host accepts the bastion server's own ssh key?
I am using Semaphore with Docker.
If I debug my ssh session I can see a private key is used, for example: -o 'IdentityFile="/tmp/semaphore/access_key_455212606"'
This is the ssh key in "User Credentials" from my inventory in Semaphore.
I would like to use that key also for my bastion connection.
If I could somehow consume the path /tmp/semaphore/access_key_455212606 from the current run in a variable like "current_access_key_path", I should be able to connect by only setting ansible_ssh_common_args.
Like this: ansible_ssh_common_args: '-o ProxyCommand="ssh -i {{ current_access_key_path }} -W %h:%p -q {{ bastion_user }}@{{ bastion_host }}"'
In this variant we don't need (to deploy) an extra ssh client config (ssh-bastion.cfg) and we can use the "User Credentials" ssh key from the inventory (instead of an extra ssh key that is accessible for all projects?).
like this: ansible_ssh_common_args: '-o ProxyCommand="ssh -i {{ current_access_key_path }} -W %h:%p -q {{ bastion_user }}@{{ bastion_host }}"'
Either like this, or using an ssh-agent with the key loaded into it, which would then be used for the proxy command. This approach works outside of Semaphore, without the need to specify the key in the proxy command in Ansible or to specify an ssh config file.
This would not stop anyone from configuring another key, through a file or config, either, but it would make the setup simpler.