I am trying to set up an EC2 instance on AWS behind a bastion host. Ansible performance is very slow, but tolerable for most operations; the file copy operation, however, just hangs, and I really cannot see what the problem is. The roles and playbooks work fine when connecting to a public-facing EC2 instance. The copy task is:

    - name: Copy all files from local dir to remote dir
      copy:
        src: files/files_to_host/
        dest: /home/ec2-user
        owner: ec2-user
        group: ec2-user
        mode: '0644'
In the src location there are 22 files plus a few subdirectories, 22 MB in total. I tried the following ansible.cfg, based on Jeff Geerling's post and this Stack Overflow post, but it did not help (I tried various lines commented and uncommented):

    [ssh_connection]
    scp_if_ssh = true
    ; ssh_args = -o ServerAliveInterval=30
    ansible_ssh_common_args='-o ProxyCommand="ssh -W %h:%p -q myuser@bastion"'

When I run

    ansible-playbook -vvvv -i 10.0.129.157, -u ec2-user my-playbook.yml

I get the following error (formatted for readability):
TASK [Gathering Facts] *********************************************************************************************************************************************************
task path: /Users/myuser/ansible/my-playbook.yml:5
<10.0.129.157> ESTABLISH SSH CONNECTION FOR USER: ec2-user
<10.0.129.157> SSH: EXEC ssh -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="ec2-user"' -o ConnectTimeout=10 -o 'ControlPath="/Users/myuser/.ansible/cp/0cdf5a0bfd"' 10.0.129.157 '/bin/sh -c '"'"'echo ~ec2-user && sleep 0'"'"''
<10.0.129.157> (255, b'', b'OpenSSH_8.6p1, LibreSSL 3.3.5
debug1: Reading configuration data /Users/myuser/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 21: include /etc/ssh/ssh_config.d/* matched no files
debug1: /etc/ssh/ssh_config line 54: Applying options for *
debug2: resolve_canonicalize: hostname 10.0.129.157 is address
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/Users/myuser/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/Users/myuser/.ssh/known_hosts2'
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug1: auto-mux: Trying existing master
debug1: Control socket "/Users/myuser/.ansible/cp/0cdf5a0bfd" does not exist
debug3: ssh_connect_direct: entering
debug1: Connecting to 10.0.129.157 [10.0.129.157] port 22.
debug3: set_sock_tos: set socket 3 IP_TOS 0x48
debug2: fd 3 setting O_NONBLOCK
debug1: connect to address 10.0.129.157 port 22: Operation timed out
ssh: connect to host 10.0.129.157 port 22: Operation timed out
')
fatal: [10.0.129.157]: UNREACHABLE! => {
"changed": false,
"msg": "Failed to connect to the host via ssh: OpenSSH_8.6p1, LibreSSL 3.3.5
debug1: Reading configuration data /Users/myuser/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 21: include /etc/ssh/ssh_config.d/* matched no files
debug1: /etc/ssh/ssh_config line 54: Applying options for *
debug2: resolve_canonicalize: hostname 10.0.129.157 is address
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/Users/myuser/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/Users/myuser/.ssh/known_hosts2'
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug1: auto-mux: Trying existing master
debug1: Control socket "/Users/myuser/.ansible/cp/0cdf5a0bfd" does not exist
debug3: ssh_connect_direct: entering
debug1: Connecting to 10.0.129.157 [10.0.129.157] port 22.
debug3: set_sock_tos: set socket 3 IP_TOS 0x48
debug2: fd 3 setting O_NONBLOCK
debug1: connect to address 10.0.129.157 port 22: Operation timed out
ssh: connect to host 10.0.129.157 port 22: Operation timed out",
"unreachable": true
}
If I open a tunnel to the bastion with sshuttle as suggested at https://blog.keyboardinterrupt.com/ansible-jumphost/, I can run remote operations, but copying files from local to remote fails with an error like this:

<10.0.129.157> (0, b'/home/ec2-user\n', b"OpenSSH_8.6p1, LibreSSL 3.3.5
debug1: Reading configuration data /Users/myuser/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 21: include /etc/ssh/ssh_config.d/* matched no files
debug1: /etc/ssh/ssh_config line 54: Applying options for *
debug2: resolve_canonicalize: hostname 10.0.129.157 is address
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/Users/myuser/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/Users/myuser/.ssh/known_hosts2'
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug1: auto-mux: Trying existing master
debug2: fd 3 setting O_NONBLOCK
debug2: mux_client_hello_exchange: master version 4
debug3: mux_client_forwards: request forwardings: 0 local, 0 remote
debug3: mux_client_request_session: entering
debug3: mux_client_request_alive: entering
debug3: mux_client_request_alive: done pid = 17624
debug3: mux_client_request_session: session request sent
debug1: mux_client_request_session: master session id: 2
debug3: mux_client_read_packet: read header failed: Broken pipe
debug2: Received exit status from master 0
")
I can use ssh -J and sftp -J successfully and quickly, and I can reach the remote host over ssh through sshuttle. I have added these two lines to the bastion's /etc/ssh/sshd_config:

    MaxStartups 50:30:80
    MaxSessions 50

What do I need to do to get Ansible working correctly through the bastion?
Although I still do not know why my earlier attempts partially worked instead of failing or succeeding completely, I have found a solution I am happy with that needs no central static configuration file (i.e. no ansible.cfg or ini file at all) and no extra utilities:

    ansible-playbook -i 10.0.130.90, -u ec2-user myplaybook.yml --ssh-common-args "-J myuser@bastion"

This assumes the ssh keys for both hosts have been added to ssh, e.g. with ssh-add.
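The same ProxyJump setup expressed as an inventory variable, so the jump applies only to the hosts behind the bastion and does not have to be repeated on every command line. This is an added example, not code from the question or the answer; the group name private_ec2 and the bastion alias are assumed.

```yaml
# Added example (assumed inventory layout), not part of the original question or answer.
# ansible_ssh_common_args is passed to ssh, sftp and scp alike, so the copy module's
# file transfer uses the same jump as the command channel.
all:
  children:
    private_ec2:
      hosts:
        10.0.130.90:          # private instance reachable only through the bastion
      vars:
        ansible_user: ec2-user
        # Equivalent of --ssh-common-args "-J myuser@bastion", scoped to this group.
        ansible_ssh_common_args: '-o ProxyJump=myuser@bastion'
```

Because the jump is performed by the controller's own ssh client, the host keys of both the bastion and the private instance are still checked against the controller's known_hosts, unlike a tunnel that terminates on the bastion.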