在Gitlab CI中使用Ansible通过JumpServer进行连接

Question

我想配置可通过堡垒主机访问的私有虚拟机。所以我使用ubuntu 20.04镜像，然后我安装了python和所有相关的库，然后我创建了虚拟环境并安装了Ansible。

stages:
  - configure

configure:
  image: ubuntu:20.04
  stage: configure
  before_script:
    - apt-get -y update
    - addgroup deploy
    - mkdir /opt/.env
    - chgrp -R deploy /opt/.env    
    - chmod -R 770 /opt/.env
    - apt install -y build-essential libssl-dev libffi-dev python3-dev
    - apt install -y python3-pip
    - apt install -y python3-venv
    - apt install git -y
    - python3.8 -m venv /opt/.env/basic --system-site-packages
    - source /opt/.env/basic/bin/activate
    - pip install wheel
    - pip install ansible
  script:
    - source /opt/.env/basic/bin/activate
    - echo $my_ssh_key >> .ssh/my_ssh_key.pem
    - chmod 400 .ssh/my_ssh_key.pem
    - mv .ssh /root/.ssh,
    - mv .ansible.cfg /root/.ansible.cfg
    - echo $(ansible --version)
    - ansible-playbook ansible/playbooks/start.yml

我的回购结构如下：

.ssh
   |_ ansible.cfg

ansible
   |_ playbooks

.ansible.cfg

.gitlab-ci.yml

.ansible.cfg的内容：

[ssh_connection]
ssh_args = -F /root/.ssh/ansible.cfg -o ControlMaster=auto -o ControlPersist=60m
control_path = /root/.ssh/ansible-%%r@%%h:%%p

.ssh/.ansible.cfg的内容：

Host BASTION
    HostName x.x.xx.x
    User ec2-user
    IdentityFile /root/.ssh/my_ssh_key.pem
    ControlMaster auto
    ControlPath /root/.ssh/ansible-%r@%h:%p
    ControlPersist 5m
    StrictHostKeyChecking=no
    UserKnownHostsFile=/dev/null


Host 10.*
    User ec2-user
    IdentityFile /root/.ssh/my_ssh_key.pem
    stricthostkeychecking=no
    ProxyJump BASTION

然而，当ansible脚本执行时，我收到以下错误：

 fatal: [10.1.8.58]: UNREACHABLE! => {
     "changed": false,
     "msg": "Failed to connect to the host via ssh: kex_exchange_identification: Connection closed by remote host",
     "unreachable": true
 }

将用户添加到ansible run命令不会更改任何内容(ansible-playbook ansible/playbooks/start.yml -u ec2-user)

有没有人遇到过类似的问题？我现在没有主意，如果有任何想法我将不胜感激。

Answer 1

根据文档，您应该在变量文件中的某个位置设置ansible_ssh_common_args变量：

ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q user@bastion_host"'

以下是文档中常见问题解答的链接：https://docs.ansible.com/ansible/latest/reference_appendices/faq.html#how-do-i-configure-a-jump-host-to-access-servers-that-i-have-no-direct-access-to