How to specify ssh config and key for an ansible execution environment?
I'm trying to set up an ansible execution environment and have trouble finding the correct way to specify the ssh config and key to use.
Specifically, I would like to use the following ssh config entry:
Host <host>
    User root
    ProxyCommand /bin/bash -c "ssh -o 'PubkeyAcceptedKeyTypes +ssh-rsa' root@<domain> -W [%h]:%p"
    IdentityFile /runner/.ssh/<keyfile>
    IdentitiesOnly yes
I tried adding the config to the execution environment with these build steps:
additional_build_steps:
  prepend_base:
    - COPY _build/configs/config /etc/ssh/ssh_config.d/
    - RUN chmod 700 /etc/ssh/ssh_config.d
    - RUN chmod 600 /etc/ssh/ssh_config.d/*
    - RUN chown 1000 -R /etc/ssh/ssh_config.d
And then use it in the corresponding inventory:
vars:
  ansible_ssh_common_args: '-F /etc/ssh/ssh_config.d/config'
  ansible_ssh_private_key_file: '~/.ssh/<keyfile>'
Which results in the error message:
no such identity: /runner/.ssh/<keyfile>: No such file or directory
I think this means that the config was successfully added to the image and is being used, but the keyfile is not being mounted.
I have two questions:
- Is this the correct / recommended way to add ssh config to an ansible execution environment?
- What would be the correct way to mount / add the required ssh key to the execution environment?
Answers
It looks like you are mixing up the configuration for Ansible and the configuration for the SSH client.
Let's clarify the two:
- Ansible Configuration: This is typically done in the Ansible inventory file or in Ansible configuration files (e.g., ansible.cfg). It includes settings like ansible_ssh_common_args, ansible_ssh_private_key_file, etc. These settings are used by Ansible when connecting to the hosts specified in the inventory.
- SSH Client Configuration: This is done in the SSH client configuration file (usually located at ~/.ssh/config or /etc/ssh/ssh_config). It includes settings like Host, User, ProxyCommand, IdentityFile, etc. These settings are used by the SSH client when connecting to remote hosts.
Based on your setup, it seems like you want to use a specific SSH client configuration (specified in your SSH config file) when Ansible connects to the hosts, and also specify the SSH key to use.
Here's what you can do:
- Specify the SSH key in your Ansible inventory file or in your Ansible playbook using ansible_ssh_private_key_file. Make sure to use the correct path to the SSH key file.
- Ensure that your SSH config file is accessible to Ansible when it runs. You can do this by mounting the SSH config file into the Ansible execution environment.
For example, in your Dockerfile or build steps, copy the SSH config file into the container:
COPY _build/configs/config /etc/ssh/ssh_config.d/
RUN chmod 700 /etc/ssh/ssh_config.d
RUN chmod 600 /etc/ssh/ssh_config.d/*
RUN chown 1000 -R /etc/ssh/ssh_config.d
Then, in your Ansible inventory or playbook, set the ansible_ssh_common_args to point to this SSH config file:
vars:
  ansible_ssh_common_args: '-F /etc/ssh/ssh_config.d/config'
  ansible_ssh_private_key_file: '/path/to/ssh/keyfile'
Make sure to replace /path/to/ssh/keyfile with the actual path to your SSH private key file.
This way, Ansible will use the SSH client configuration specified in your SSH config file (/etc/ssh/ssh_config.d/config) when connecting to hosts, and it will use the specified SSH private key file for authentication.
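A preflight check for the "no such identity" error in the question, written for this page as an added example (not code from the question or the answer): run inside the execution environment, it lists every IdentityFile in an ssh config and reports keys that are missing, open to group/other, or owned by another user. The sample host and key names are constructed placeholders, and the function names are this example's own.

```python
import os
import re
import stat
import sys

# Constructed sample modelled on the question's config; names are placeholders.
SAMPLE_CONFIG = "Host target.example\n  User root\n  IdentityFile /runner/.ssh/id_example\n"
DIRECTIVE = re.compile(r"^(\w+)(?:\s*=\s*|\s+)(.*)$")  # "Key value" or "Key=value"


def identity_files(config_text):
    """Return (host_pattern, path) for each IdentityFile directive."""
    scope, found = "*", []
    for raw in config_text.splitlines():
        m = DIRECTIVE.match(raw.strip())
        if not m:
            continue  # blank line or comment
        key, value = m.group(1).lower(), m.group(2).strip().strip('"')
        if key in ("host", "match"):
            scope = value
        elif key == "identityfile":
            found.append((scope, value))
    return found


def check_key(path, home=None):
    """Return the problems ssh would hit when loading this private key."""
    if path.startswith("~/"):
        path = os.path.join(home or os.path.expanduser("~"), path[2:])
    try:
        st = os.stat(path)
    except OSError as exc:  # missing file, unreadable parent directory, ...
        return [f"{path}: {exc.strerror}"]
    problems = []
    if st.st_mode & 0o077:
        problems.append(f"{path}: mode {stat.S_IMODE(st.st_mode):04o} is open to group/other")
    if st.st_uid != os.getuid():
        problems.append(f"{path}: owned by uid {st.st_uid}, running as uid {os.getuid()}")
    return problems


def audit(config_text, home=None):
    """Map each (host, key path) in the config to its list of problems."""
    return {(h, p): check_key(p, home) for h, p in identity_files(config_text)}


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for (host, path), problems in audit(text).items():
        print(host, path, "; ".join(problems) or "OK")
```

Paths containing ssh %-tokens are not expanded by this check and will be reported as missing.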