I am trying to connect to a GCP compute instance through IAP. I have a service account with the permissions.
I have tried the following:
ansible -vvvv GCP -m ping
, and the error is that the hostname cannot be found, because I have no external IP. ssh_executable=wrapper.sh
like here #2 almost works, but the regex commands are a hassle.
Is there a native Ansible solution?
Edit: the gcp_compute dynamic inventory does work for pinging the instances, but not for managing them.
Ansible does not support package or system management when tunnelling through IAP.
Best answer
For those still looking for a solution to use IAP SSH with Ansible on internal IPs: I made some changes to the script listed here.
My main problem was that I had to add --zone as an option, as gcloud
does not automatically detect this when run through Ansible.
Since I did not want to call the CLI, adding more wait time, I chose to use group_vars to set my ssh options. This also allows me to
specify other options for the gcloud compute ssh command.
Here is what is needed to set up the files:
ansible.cfg
[inventory]
enable_plugins = gcp_compute
[defaults]
inventory = misc/inventory.gcp.yml
interpreter_python = /usr/bin/python
[ssh_connection]
# Enabling pipelining reduces the number of SSH operations required
# to execute a module on the remote server.
# This can result in a significant performance improvement
# when enabled.
pipelining = True
scp_if_ssh = False
ssh_executable = misc/gcp-ssh-wrapper.sh
ssh_args = None
misc/gcp-ssh-wrapper.sh
#!/bin/bash
# This is a wrapper script allowing to use GCP's IAP SSH option to connect
# to our servers.
# Ansible passes a large number of SSH parameters along with the hostname as the
# second to last argument and the command as the last. We will pop the last two
# arguments off of the list and then pass the remaining flags through:
host="${@: -2: 1}"
cmd="${@: -1: 1}"
# Unfortunately ansible has hardcoded ssh options (-C, -o ..., sometimes -tt),
# so we need to filter these out. It's an ugly hack, but for now we'll only
# accept the options starting with '--', i.e. the gcloud flags supplied via
# ansible_ssh_args. Collected as a real array so values with spaces survive.
declare -a opts
for ssh_arg in "${@: 1: $# - 2}" ; do
    if [[ "${ssh_arg}" == --* ]] ; then
        opts+=("${ssh_arg}")
    fi
done
# Everything after '--' goes to the underlying ssh: compression plus the command.
exec gcloud compute ssh "${opts[@]}" "${host}" -- -C "${cmd}"
group_vars/all.yml
---
ansible_ssh_args: --tunnel-through-iap --zone={{ zone }} --no-user-output-enabled --quiet
As you can see, by using ansible_ssh_args in group_vars we can now pass through the zone that is known from the inventory. If you also want to be able to copy files via the gcloud command, you can use the following configuration:
ansible.cfg
[ssh_connection]
# Enabling pipelining reduces the number of SSH operations required to
# execute a module on the remote server. This can result in a significant
# performance improvement when enabled.
pipelining = True
ssh_executable = misc/gcp-ssh-wrapper.sh
ssh_args = None
# Tell ansible to use SCP for file transfers when connection is set to SSH
scp_if_ssh = True
scp_executable = misc/gcp-scp-wrapper.sh
misc/gcp-scp-wrapper.sh
#!/bin/bash
# This is a wrapper script allowing to use GCP's IAP option to connect
# to our servers.
# Ansible calls scp with the source as the second to last argument and the
# destination as the last: a local path and a [host]:path, in either order
# depending on whether the file is being put or fetched. We will pop the last
# two arguments off of the list and then pass the remaining flags through:
src="${@: -2: 1}"
dst="${@: -1: 1}"
# Unfortunately ansible has hardcoded scp options, so we need to filter these out.
# It's an ugly hack, but for now we'll only accept the options starting with '--',
# i.e. the gcloud flags supplied via ansible_scp_extra_args.
declare -a opts
for scp_arg in "${@: 1: $# - 2}" ; do
    if [[ "${scp_arg}" == --* ]] ; then
        opts+=("${scp_arg}")
    fi
done
# Remove [] around our host, as gcloud scp doesn't understand this syntax.
# Ansible brackets the host on whichever side is remote, so strip both sides.
src=$(printf '%s' "${src}" | tr -d '[]')
dst=$(printf '%s' "${dst}" | tr -d '[]')
exec gcloud compute scp "${opts[@]}" "${src}" "${dst}"
group_vars/all.yml
---
ansible_ssh_args: --tunnel-through-iap --zone={{ zone }} --no-user-output-enabled --quiet
ansible_scp_extra_args: --tunnel-through-iap --zone={{ zone }} --quiet
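The wrappers above silently drop every argument Ansible adds itself, which makes it hard to see what gcloud actually receives (Ansible's own -o options, including its host-key settings, never reach gcloud; host-key handling is left to gcloud compute ssh). As an added example, not part of the original answer, here is a dry run of that argument handling in plain sh that prints the gcloud command line instead of executing it, so the filtering can be checked without gcloud installed. The argv used in the test is constructed to resemble what ansible-core's ssh plugin passes (its -o options, sometimes -tt, then host and command last); the exact options vary by version.

```shell
#!/bin/sh
# Added example: rehearse gcp-ssh-wrapper.sh / gcp-scp-wrapper.sh argument
# handling by printing, not exec'ing, the gcloud command line.

# Echo the command gcp-ssh-wrapper.sh would run for this argv.
gcloud_ssh_dry_run() {
    n=$#; i=0; flags=""; host=""; cmd=""
    for arg in "$@"; do
        i=$((i + 1))
        if [ "$i" -eq $((n - 1)) ]; then host=$arg      # second to last: host
        elif [ "$i" -eq "$n" ]; then cmd=$arg            # last: remote command
        else
            case $arg in
                --*) flags="$flags $arg" ;;              # from ansible_ssh_args: kept
                *)   ;;                                  # Ansible's -C/-o/-tt: dropped
            esac
        fi
    done
    printf 'gcloud compute ssh%s %s -- -C %s\n' "$flags" "$host" "$cmd"
}

# Echo the command gcp-scp-wrapper.sh would run. Ansible writes the remote side
# as [host]:path; gcloud compute scp rejects the brackets, so they are stripped
# from whichever side carries them (put or fetch).
gcloud_scp_dry_run() {
    n=$#; i=0; flags=""; src=""; dst=""
    for arg in "$@"; do
        i=$((i + 1))
        if [ "$i" -eq $((n - 1)) ]; then src=$(printf '%s' "$arg" | tr -d '[]')
        elif [ "$i" -eq "$n" ]; then dst=$(printf '%s' "$arg" | tr -d '[]')
        else
            case $arg in
                --*) flags="$flags $arg" ;;
                *)   ;;
            esac
        fi
    done
    printf 'gcloud compute scp%s %s %s\n' "$flags" "$src" "$dst"
}
```

Run either function with the argv Ansible shows under -vvvv to confirm that only the gcloud flags from group_vars survive the filter.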
On google-cloud-platform - Ansible GCP IAP tunnel, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/58996471/