Use Ansible with suSSHi

In this tutorial, you will learn how-to use Ansible with suSSHi.

Requirements

We assume that the Ansible user authenticates to the suSSHi Gateway and the Ansible clients using the public key method (SSH agent forwarding). We also expect an existing access rule that allows appropriate connections.

Below we describe two ways in which Ansible can be used with suSSHi. In the first example, we use a regular OpenSSH client, while in the second example, we use a patched OpenSSH client.

Both methods require that the SSH agent has been started beforehand, for example, by executing the following command:

root@ansible-master:/ansible# eval $(ssh-agent)
Agent pid 76

For better understanding, we summarize the components involved in the following table:

Description	Value
suSSHi User	wasabi
suSSHi Gateway	gateway.intra.susshi.io
Ansible User	root
Ansible Master	ansible-master.intra.susshi.io
Ansible Client 1	ansible-slave-1.extra.susshi.io
Ansible Client 2	ansible-slave-2.extra.susshi.io

1. SSH Client w/o suSSHi OpenSSH Patch

The OpenSSH client-side configuration file is named config and is organized into sections. Each section starting with the Host directive contains specific SSH options used when establishing a connection with the remote SSH server. Depending on your needs and setup, you may need to use such a configuration.

Below you will find one of many configuration variants based on the example setup:

~/.ssh/config

Host *
    IdentityFile      /root/.ssh/id_rsa
    AddKeysToAgent    yes
    ForwardAgent      yes

Host ansible-slave-1
    HostName          gateway.intra.susshi.io
    User              wasabi@root@ansible-slave-1.extra.susshi.io

Host ansible-slave-2
    HostName          gateway.intra.susshi.io
    User              wasabi@root@ansible-slave-2.extra.susshi.io

If non-standard ports are used in your setup, in the following example port 50022 for the suSSHi Gateway and port 60022 for the Ansible slave ansible-slave-1, you can specify them as follows:

Example ~/.ssh/config using non-standard ports

Host ansible-slave-1
    HostName          gateway.intra.susshi.io
    User              wasabi@root@ansible-slave-1.extra.susshi.io:60022
    Port              50022

Ansible uses an inventory file to keep track of which hosts are part of your infrastructure. For our tutorial, we use the following simple inventory file:

inventory.yaml

---
all:
  hosts:
    ansible-slave-1:
      ansible_host: ansible-slave-1
    ansible-slave-2:
      ansible_host: ansible-slave-2

If everything has been configured correctly, a basic connection test should produce some output like this:

root@ansible-master:/ansible# ansible -i inventory.yaml all -m ping
ansible-slave-2 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python3"
    },
    "changed": false,
    "ping": "pong"
}
ansible-slave-1 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python3"
    },
    "changed": false,
    "ping": "pong"
}

2. SSH Client with suSSHi OpenSSH Patch

In this case, the SSH client configuration simplifies as we can now move the user and host specific parts to the Ansible configuration.

~/.ssh/config

Host *
    IdentityFile      /root/.ssh/id_rsa
    AddKeysToAgent    yes
    ForwardAgent      yes

In order to use the configuration options introduced with the suSSHi OpenSSH patch, we specify them with the ssh_args key in the Ansible configuration:

/etc/ansible/ansible.cfg

[ssh_connection]
ssh_args = -o SusshiGateway=gateway.intra.susshi.io -o SusshiUser=wasabi -o ControlMaster=auto -o ControlPersist=60s

Note

The values for ControlMaster and ControlPersist are defaults for ssh_args and should be kept unless you have a good reason to change them.

Note

If your suSSHi Gateway operates on a non-standard port, for example 50022, you have to add -o Port=50022 to ssh_args.

inventory.yaml

---
all:
  hosts:
    ansible-slave-1:
      ansible_host: root@ansible-slave-1.extra.susshi.io
    ansible-slave-2:
      ansible_user: root
      ansible_host: ansible-slave-2.extra.susshi.io

Note

As shown in the example above, you can specify the Ansible user either dedicatedly with the ansible_user key or combined with the ansible_host key (<ansible_user>@<ansible_host>).

Note

If non-standard ports are used in your setup, you can specify the port number, in this example port 60022, using the ansible_host key, e. g. root@ansible-slave-1.extra.susshi.io:60022.

Finally, a successful basic connection test should produce some output like this:

root@ansible-master:/ansible# ansible -i inventory.yaml all -m ping
ansible-slave-2 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python3"
    },
    "changed": false,
    "ping": "pong"
}
ansible-slave-1 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python3"
    },
    "changed": false,
    "ping": "pong"
}