rub*_*bio 9 ansible google-cloud-platform
I'm trying to connect to a GCP compute instance through IAP. I have a service account with the permissions.

I have tried the following:

ansible -vvvv GCP -m ping

This gives an error because the hostname can't be found, since I have no external IP. Setting ssh_executable=wrapper.sh like here (#2) almost works, but the regex command is awful.

Is there a native Ansible solution?

EDIT: the gcp_compute dynamic inventory does work for pinging instances, but not for managing instances.

Ansible doesn't support package or system management when tunneling through IAP.
For those still looking for a solution for using IAP SSH with Ansible on internal IPs: I made a few changes to the scripts listed here.

My main problem was that I had to add --zone as an option, because gcloud does not detect it automatically when run through Ansible. Since I did not want to call the CLI and add even more waiting time, I chose to use group_vars to set the ssh options. This also lets me specify other options for the gcloud compute ssh command.

Here is what is needed to set up the files:
ansible.cfg
[inventory]
enable_plugins = gcp_compute
[defaults]
inventory = misc/inventory.gcp.yml
interpreter_python = /usr/bin/python
[ssh_connection]
# Enabling pipelining reduces the number of SSH operations required
# to execute a module on the remote server.
# This can result in a significant performance improvement
# when enabled.
pipelining = True
scp_if_ssh = False
ssh_executable = misc/gcp-ssh-wrapper.sh
ssh_args = None
misc/gcp-ssh-wrapper.sh
#!/bin/bash
# This is a wrapper script allowing to use GCP's IAP SSH option to connect
# to our servers.
# Ansible passes a large number of SSH parameters along with the hostname as the
# second to last argument and the command as the last. We will pop the last two
# arguments off of the list and then pass all of the other SSH flags through
# without modification:
host="${@: -2: 1}"
cmd="${@: -1: 1}"
# Unfortunately ansible has hardcoded ssh options, so we need to filter these out
# It's an ugly hack, but for now we'll only accept the options starting with '--'
# (those come from ansible_ssh_args in group_vars and are meant for gcloud).
# Everything before the last two arguments is an option, so the slice length is
# "$# - 2" ("$# - 3" would silently drop the option right before the hostname).
declare -a opts=()
for ssh_arg in "${@: 1: $# - 2}" ; do
    if [[ "${ssh_arg}" == --* ]] ; then
        opts+=("${ssh_arg}")
    fi
done
# Expand the array element by element so an option is never re-split on spaces.
exec gcloud compute ssh "${opts[@]}" "${host}" -- -C "${cmd}"
group_vars/all.yml
---
ansible_ssh_args: --tunnel-through-iap --zone={{ zone }} --no-user-output-enabled --quiet
As you can see, by using ansible_ssh_args in group_vars we can now pass the zone, since it is already known through the inventory.
If you also want to be able to copy files via the gcloud command, you can use the following configuration:
ansible.cfg
[ssh_connection]
# Enabling pipelining reduces the number of SSH operations required to
# execute a module on the remote server. This can result in a significant
# performance improvement when enabled.
pipelining = True
ssh_executable = misc/gcp-ssh-wrapper.sh
ssh_args = None
# Tell ansible to use SCP for file transfers when connection is set to SSH
scp_if_ssh = True
scp_executable = misc/gcp-scp-wrapper.sh
misc/gcp-scp-wrapper.sh
#!/bin/bash
# This is a wrapper script allowing to use GCP's IAP option to connect
# to our servers.
# Ansible calls scp with a large number of options followed by the source as the
# second to last argument and the destination as the last; one of the two is the
# remote side, which Ansible writes as "[host]:path". We will pop the last two
# arguments off of the list and then pass all of the other flags through
# without modification:
src="${@: -2: 1}"
dst="${@: -1: 1}"
# Unfortunately ansible has hardcoded scp options, so we need to filter these out
# It's an ugly hack, but for now we'll only accept the options starting with '--'
# (those come from ansible_scp_extra_args in group_vars). The slice length
# "$# - 2" covers every option before the two positional arguments.
declare -a opts=()
for scp_arg in "${@: 1: $# - 2}" ; do
    if [[ "${scp_arg}" == --* ]] ; then
        opts+=("${scp_arg}")
    fi
done
# Remove [] around our host, as gcloud scp doesn't understand this syntax.
# Strip them on both sides so fetch (remote -> local) works as well as put.
src="$(printf '%s' "${src}" | tr -d '[]')"
dst="$(printf '%s' "${dst}" | tr -d '[]')"
exec gcloud compute scp "${opts[@]}" "${src}" "${dst}"
group_vars/all.yml
---
ansible_ssh_args: --tunnel-through-iap --zone={{ zone }} --no-user-output-enabled --quiet
ansible_scp_extra_args: --tunnel-through-iap --zone={{ zone }} --quiet
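The argument handling of the two wrappers above is easy to get subtly wrong (off-by-one in the option slice, re-splitting of options, brackets left on the remote path), and it is awkward to debug when every test run needs a real IAP tunnel. The following is an added example, not part of the original answer: a dry-run version of the same logic that prints the gcloud command line the wrapper would exec, one argument per line, so it can be checked locally without gcloud or a GCP project. It assumes the calling convention Ansible uses for ssh_executable and scp_executable (hardcoded ssh/scp options first, then host and command for ssh, or source and destination for scp); the sample invocations at the bottom are constructed, not captured from a real run.

```shell
#!/bin/bash
# Added example: dry-run of the gcp-ssh-wrapper / gcp-scp-wrapper argument logic.
# Nothing here talks to gcloud; the functions only print what would be executed.

# Collect only the '--' options (the ones coming from ansible_ssh_args /
# ansible_scp_extra_args) from everything except the last two arguments.
# The result is handed back through the global array GCLOUD_OPTS.
collect_gcloud_opts() {
    GCLOUD_OPTS=()
    local arg
    # Length "$# - 2" keeps every option up to the one right before the host.
    for arg in "${@: 1: $# - 2}"; do
        if [[ "${arg}" == --* ]]; then
            GCLOUD_OPTS+=("${arg}")
        fi
    done
}

# ssh: last two arguments are host and command.
gcloud_ssh_dry_run() {
    # Fewer than two arguments means there is no host/command pair to extract.
    (( $# >= 2 )) || return 1
    local host="${@: -2: 1}"
    local cmd="${@: -1: 1}"
    collect_gcloud_opts "$@"
    # Array expansion keeps each option as one argument, so a value containing
    # whitespace (e.g. from an inventory variable) cannot become extra arguments.
    printf '%s\n' gcloud compute ssh "${GCLOUD_OPTS[@]}" "${host}" -- -C "${cmd}"
}

# scp: last two arguments are source and destination.
gcloud_scp_dry_run() {
    (( $# >= 2 )) || return 1
    local src="${@: -2: 1}"
    local dst="${@: -1: 1}"
    collect_gcloud_opts "$@"
    # Ansible writes the remote side as "[host]:path"; gcloud wants "host:path".
    # Strip the brackets on both sides so both put and fetch directions work.
    src="$(printf '%s' "${src}" | tr -d '[]')"
    dst="$(printf '%s' "${dst}" | tr -d '[]')"
    printf '%s\n' gcloud compute scp "${GCLOUD_OPTS[@]}" "${src}" "${dst}"
}

# Constructed sample invocations resembling what Ansible passes (hardcoded
# -C/-o options, then the '--' options from group_vars, then the positionals).
gcloud_ssh_dry_run -C -o ControlMaster=auto -o ControlPersist=60s \
    --tunnel-through-iap --zone=europe-west1-b --quiet \
    example-vm '/bin/sh -c "echo ~ && sleep 0"'
echo ---
gcloud_scp_dry_run -C -o ControlMaster=auto \
    --tunnel-through-iap --zone=europe-west1-b --quiet \
    /tmp/AnsiballZ_ping.py '[example-vm]:/home/ansible/.ansible/tmp/AnsiballZ_ping.py'
```

Running the script shows exactly which of Ansible's arguments survive the filter and which gcloud flags end up in front of the instance name; replacing the two `printf` lines with `exec gcloud ...` gives the real wrappers again.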
Views: 4461