Unable to use Ansible `copy` operation to EC2 host via bastion

I am trying to set up EC2 instance VMs on AWS behind a bastion. Ansible performance is very slow, but tolerable for most operations; the file copy operation, however, just hangs and I really cannot see what the problem is. The roles and playbook work fine when connecting to a public-facing EC2 instance. The copy stanza is:

- name: Copy all files from local dir to remote dir
  copy:
    src: files/files_to_host/
    dest: /home/ec2-user
    owner: ec2-user
    group: ec2-user
    mode: 0644

The src location has 22 files totalling 22 MB plus some subdirectories. I have tried the following ansible.cfg, based on Jeff Geerling's post and this Stack Overflow post, but it did not help (tried various lines commented/uncommented):

[ssh_connection]
scp_if_ssh = true
; ssh_args = -o ServerAliveInterval=30

ansible_ssh_common_args='-o ProxyCommand="ssh -W %h:%p -q myuser@bastion"'

When I run

ansible-playbook -vvvv -i 10.0.129.157, -u ec2-user my-playbook.yml

I get the following error (formatted for readability):

TASK [Gathering Facts] *********************************************************************************************************************************************************
task path: /Users/myuser/ansible/my-playbook.yml:5
<10.0.129.157> ESTABLISH SSH CONNECTION FOR USER: ec2-user
<10.0.129.157> SSH: EXEC ssh -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="ec2-user"' -o ConnectTimeout=10 -o 'ControlPath="/Users/myuser/.ansible/cp/0cdf5a0bfd"' 10.0.129.157 '/bin/sh -c '"'"'echo ~ec2-user && sleep 0'"'"''
<10.0.129.157> (255, b'', b'OpenSSH_8.6p1, LibreSSL 3.3.5
debug1: Reading configuration data /Users/myuser/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 21: include /etc/ssh/ssh_config.d/* matched no files
debug1: /etc/ssh/ssh_config line 54: Applying options for *
debug2: resolve_canonicalize: hostname 10.0.129.157 is address
debug3: expanded UserKnownHostsFile \'~/.ssh/known_hosts\' -> \'/Users/myuser/.ssh/known_hosts\'
debug3: expanded UserKnownHostsFile \'~/.ssh/known_hosts2\' -> \'/Users/myuser/.ssh/known_hosts2\'
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug1: auto-mux: Trying existing master
debug1: Control socket "/Users/myuser/.ansible/cp/0cdf5a0bfd" does not exist
debug3: ssh_connect_direct: entering
debug1: Connecting to 10.0.129.157 [10.0.129.157] port 22.
debug3: set_sock_tos: set socket 3 IP_TOS 0x48
debug2: fd 3 setting O_NONBLOCK
debug1: connect to address 10.0.129.157 port 22: Operation timed out
ssh: connect to host 10.0.129.157 port 22: Operation timed out
')
fatal: [10.0.129.157]: UNREACHABLE! => {
    "changed": false,
    "msg": "Failed to connect to the host via ssh: OpenSSH_8.6p1, LibreSSL 3.3.5
debug1: Reading configuration data /Users/myuser/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 21: include /etc/ssh/ssh_config.d/* matched no files
debug1: /etc/ssh/ssh_config line 54: Applying options for *
debug2: resolve_canonicalize: hostname 10.0.129.157 is address
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/Users/myuser/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/Users/myuser/.ssh/known_hosts2'
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug1: auto-mux: Trying existing master
debug1: Control socket \"/Users/myuser/.ansible/cp/0cdf5a0bfd\" does not exist
debug3: ssh_connect_direct: entering
debug1: Connecting to 10.0.129.157 [10.0.129.157] port 22.
debug3: set_sock_tos: set socket 3 IP_TOS 0x48
debug2: fd 3 setting O_NONBLOCK
debug1: connect to address 10.0.129.157 port 22: Operation timed out
ssh: connect to host 10.0.129.157 port 22: Operation timed out",
    "unreachable": true
}

If I open a tunnel to the bastion with sshuttle, as suggested at https://blog.keyboardinterrupt.com/ansible-jumphost/, I can perform remote operations, but copying files from local to remote fails with an error like:

<10.0.129.157> (0, b'/home/ec2-user\n', b"OpenSSH_8.6p1, LibreSSL 3.3.5
debug1: Reading configuration data /Users/myuser/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 21: include /etc/ssh/ssh_config.d/* matched no files
debug1: /etc/ssh/ssh_config line 54: Applying options for *
debug2: resolve_canonicalize: hostname 10.0.129.157 is address
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/Users/myuser/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/Users/myuser/.ssh/known_hosts2'
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug1: auto-mux: Trying existing master
debug2: fd 3 setting O_NONBLOCK
debug2: mux_client_hello_exchange: master version 4
debug3: mux_client_forwards: request forwardings: 0 local, 0 remote
debug3: mux_client_request_session: entering
debug3: mux_client_request_alive: entering
debug3: mux_client_request_alive: done pid = 17624
debug3: mux_client_request_session: session request sent
debug1: mux_client_request_session: master session id: 2
debug3: mux_client_read_packet: read header failed: Broken pipe
debug2: Received exit status from master 0
")

I am able to use ssh -J and sftp -J successfully and quickly, and I can reach the remote host with ssh over sshuttle. I have added these two lines to the bastion's /etc/ssh/sshd_config:

MaxStartups 50:30:80
MaxSessions 50

What do I need to do to get Ansible working properly through the bastion?

Although I still do not really know why my earlier attempts partly worked rather than failing or succeeding completely, I found a solution I am happy with, which needs no central static config file (i.e. no ansible.cfg ini file) and no other utility:

ansible-playbook -i 10.0.130.90, -u ec2-user myplaybook.yml --ssh-common-args "-J myuser@bastion"

This assumes the ssh keys for both hosts have been added to ssh, e.g. with ssh-add.
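The same ProxyJump setting can live in the inventory instead of on the command line, so every ssh, scp and sftp call Ansible makes (including the copy module's transfer) goes through the bastion. This is an added example, not from the original post; the group name, the 10.0.130.90 host, ec2-user and myuser@bastion are assumed from the question.

```yaml
# Constructed inventory (inventory.yml); run with:
#   ansible-playbook -i inventory.yml -u ec2-user myplaybook.yml
all:
  children:
    private_ec2:            # assumed group name for hosts behind the bastion
      hosts:
        10.0.130.90:        # private EC2 address from the question
      vars:
        ansible_user: ec2-user
        # Equivalent of --ssh-common-args "-J myuser@bastion".
        # ansible_ssh_common_args is an inventory/host variable, NOT an
        # ansible.cfg key; the ansible.cfg equivalent is `ssh_common_args`
        # under [ssh_connection]. Because it is "common", Ansible appends it
        # to ssh, scp and sftp alike, which is why the copy module works
        # through the jump host without sshuttle or a ProxyCommand.
        #
        # -o options given here apply to the destination host only; per
        # ssh_config(5), settings for the jump host itself (host key policy,
        # identity file) belong in ~/.ssh/config under a `Host bastion` entry.
        ansible_ssh_common_args: >-
          -J myuser@bastion
          -o StrictHostKeyChecking=yes
          -o ForwardAgent=no
```

With ForwardAgent=no the private keys stay in the local ssh-agent: ProxyJump only relays the TCP stream through the bastion, so neither host needs access to the agent socket.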