This should be a very short blog post, but long enough to justify a post instead of a tweet: I ran into a small issue with the mitogen plugin in our Ansible infrastructure.
To cut a long story short: everybody knows that Ansible relies on SSH as its transport, so one can use the traditional ~/.ssh/config tuning to declare a ProxyJump for some hosts, and so on.
But when you use mitogen (we do), the official documentation mentions a specific parameter for connection delegation: mitogen_via.
The simple example on that page looks trivial, and if you have multiple hosts that need to be configured from a remote Ansible+mitogen combination, going through mitogen should speed things up, since it knows about the host topology.
That's what I thought when looking at the simple inventory on that web page:
[dc2]
web1.dc2
web2.dc2
web3.dc2
[dc2:vars]
mitogen_via = bastion.dc2
Sounds easy, but when I quickly tried mitogen_via, something I assumed would be obvious in fact wasn't.
My understanding was that mitogen would automatically force agent forwarding when going through the bastion host.
A simple ansible -m ping against web1.dc2 (to stick with their example) returned:
web1.dc2 | UNREACHABLE! => {
"changed": false,
"msg": "error occurred on host bastion.dc2: SSH authentication is incorrect",
"unreachable": true
}
Well, we can see from the returned JSON that it was trying to pass through bastion.dc2, and that's confirmed on web1.dc2:
Oct 28 15:52:36 web1.dc2 sshd[12913]: Connection closed by <ip_from_bastion.dc2> port 56728 [preauth]
Then I realised something that was obvious to me but that mitogen (which just reuses the underlying ssh) doesn't do automatically: forwarding the ssh agent to the nodes behind the bastion.
We can easily solve that with one simple Ansible parameter: Ansible has the ansible_ssh_common_args and ansible_ssh_extra_args parameters, specific to the SSH connection.
So what if we force agent forwarding just on that bastion host and see how that works? That means that in our inventory (it can go into host_vars/bastion.dc2 too) we just have to add the parameter:
bastion.dc2 ansible_ssh_extra_args='-o ForwardAgent=yes'
Let's try again:
web1.dc2 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"ping": "pong"
}
Good, so we can push that for our bastion hosts (the ones used as mitogen_via targets in the inventory) into host_vars or group_vars and call it a day.
The reason why I prefer using ansible_ssh_extra_args is that it merges with and adds to the existing settings, in case you already have something like this in your ansible.cfg:
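Since the failure only shows up at run time as "SSH authentication is incorrect", a cheap pre-flight check is to lint the inventory for every host whose mitogen_via hop does not carry ForwardAgent=yes. The script below is an added example, not code from the original post or from mitogen; it ships its own constructed sample inventory (the dc2 hosts from the post plus a deliberately broken dc3 group) and uses a simplified INI parser that only understands [group], [group:vars] and inline host variables, with host-over-group precedence and no modelling of ansible.cfg ssh_args or of [group:children] inheritance.

```python
"""Lint an Ansible INI inventory for mitogen_via hops that lack agent forwarding."""
import shlex
from collections import defaultdict

# Constructed sample inventory (not from the original post): the dc2 hosts hop
# through bastion.dc2, which carries the ForwardAgent fix; dc3 is the failing
# case, a mitogen_via hop with no forwarding configured on the bastion.
SAMPLE_INVENTORY = """\
[dc2]
web1.dc2
web2.dc2

[dc2:vars]
mitogen_via = bastion.dc2

[dc3]
web1.dc3 mitogen_via=ansible@bastion.dc3

[bastions]
bastion.dc2 ansible_ssh_extra_args='-o ForwardAgent=yes'
bastion.dc3
"""

def parse_ini_inventory(text):
    """Simplified parser for [group], [group:vars] and inline host vars (via shlex).
    [group:children] sections, host ranges and other Ansible extras are ignored."""
    host_vars, group_vars, group_hosts = defaultdict(dict), defaultdict(dict), defaultdict(list)
    section, kind = "ungrouped", "hosts"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, _, kind = line[1:-1].partition(":")
            kind = kind or "hosts"
        elif kind == "vars":
            key, _, value = line.partition("=")
            group_vars[section][key.strip()] = value.strip()
        elif kind == "hosts":
            host, *assignments = shlex.split(line)
            group_hosts[section].append(host)
            hv = host_vars[host]  # registers the host even when it has no inline vars
            for token in assignments:
                key, _, value = token.partition("=")
                hv[key] = value
    return host_vars, group_vars, group_hosts

def effective_var(host, key, inv):
    """Host var beats group var; precedence between groups is not modelled."""
    host_vars, group_vars, group_hosts = inv
    if key in host_vars.get(host, {}):
        return host_vars[host][key]
    for group, members in group_hosts.items():
        if host in members and key in group_vars.get(group, {}):
            return group_vars[group][key]
    return None

def forwards_agent(ssh_args):
    """True if an ssh argument string enables agent forwarding (-A or -o ForwardAgent=yes)."""
    tokens = shlex.split(ssh_args or "")
    i = 0
    while i < len(tokens):
        tok, opt = tokens[i], None
        if tok == "-A":
            return True
        if tok == "-o" and i + 1 < len(tokens):
            i, opt = i + 1, tokens[i + 1]
        elif tok.startswith("-o"):
            opt = tok[2:]
        if opt:  # accept both "ForwardAgent=yes" and quoted "ForwardAgent yes" spellings
            key, _, value = opt.replace(" ", "=", 1).partition("=")
            if key.lower() == "forwardagent" and value.strip().lower() == "yes":
                return True
        i += 1
    return False

def find_unforwarded_hops(text):
    """Return (host, via_host) pairs whose mitogen_via hop does not forward the agent."""
    inv = parse_ini_inventory(text)
    problems = []
    for host in sorted(inv[0]):
        via = effective_var(host, "mitogen_via", inv)
        if via is None:
            continue
        via_host = via.rpartition("@")[2]  # mitogen_via may be written as user@host
        args = " ".join(filter(None, (effective_var(via_host, "ansible_ssh_common_args", inv),
                                      effective_var(via_host, "ansible_ssh_extra_args", inv))))
        if not forwards_agent(args):
            problems.append((host, via_host))
    return problems

if __name__ == "__main__":
    for host, via in find_unforwarded_hops(SAMPLE_INVENTORY):
        print(f"{host}: hop {via} has no ForwardAgent=yes; expect 'SSH authentication is incorrect'")
```

Point find_unforwarded_hops at the text of a real inventory file to get the list of hosts that would fail the ping above; chained bastions are covered too, because each intermediate hop is itself a host with its own mitogen_via and gets checked on its own. Keeping ForwardAgent=yes on the bastion entries only, as the post does, rather than in the global ssh_args, also limits the hosts that ever see the forwarded agent socket to the hops that need it.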
[ssh_connection]
ssh_args =
I like the logic that we don't need to modify ~/.ssh/config with all the exceptions reflecting the infra layout; we can just express it in the Ansible inventory.