Ansible 更改剧本中的 ssh 端口

Question

Here is the inventory file

---
[de-servers]
192.26.32.32

[uk-servers]
172.21.1.23
172.32.2.11

and my playbook is look like this:

- name: Install de-servers configurations
  hosts: de-servers  
  roles:
    - de-server-setup

- name: Install uk-servers configurations
  hosts: uk-servers  
  roles:
    - uk-server-setup

- name: Do some other job on de-servers (cannot be done until uk-servers is installed)
  hosts: de-servers
  roles:
    - de-servers-rest-of-jobs

In role de-servers-setup role the ssh port is changed from 22 to 8888, so when the last task is called it fails because it cannot connect to host through 22 port. How to overcome this ssh port change?

Answer 1

In the role de-server-setup add a task to change the ansible_port host variable.

- name: Change ssh port to 8888
  set_fact:
    ansible_port: 8888

Answer 2

The only thing I can think of that might work would be to create ssh aliases for your hosts. In your .ssh/config :

Host de.1.before
  HostName 192.26.32.32
  Port 22

Host de.1.after
  HostName 192.26.32.32
  Port 8888

Then use these aliases in your Ansible inventory:

[de-servers-before]
de.1.before

[de-servers-after]
de.1.after

And the defined groups then respectively in your plays:

- name: Install de-servers configurations
  hosts: de-servers-before
  roles:
    - de-server-setup

- name: Install uk-servers configurations
  hosts: uk-servers  
  roles:
    - uk-server-setup

- name: Do some other job on de-servers (cannot be done until uk-servers is installed)
  hosts: de-servers-after
  roles:
    - de-servers-rest-of-jobs

Answer 3

My full solution to this was to create a common playbook imported at the top of all other playbooks that checks the status of the non-standard ansible_port defined in the inventory. If the port is open then continue as normal. If it's not open check port 22 and set the ansible_port fact to that if so.

Later, when the SSH server is configured for the first time and the default port is changed to my non-standard port, I then update the ansible_port fact manually in my playbook so that any further Ansible connections in the current run will work as expected.

My inventory looks like this:

[webservers]
web01.somedomain.com ansible_port=1234

My playbook looks like this:

- name: Determine SSH port
  hosts: all
  gather_facts: no
  remote_user: root
  tasks:
    - name: "Check port {{ ansible_port }}"
      wait_for:
        port: "{{ ansible_port }}"
        state: "started"
        host: "{{ inventory_hostname }}"
        connect_timeout: "5"
        timeout: "5"
      delegate_to: "localhost"
      ignore_errors: "yes"
      register: ssh_port

    - name: "Check port 22"
      wait_for:
        port: "22"
        state: "started"
        host: "{{ inventory_hostname }}"
        connect_timeout: "5"
        timeout: "5"
      delegate_to: "localhost"
      ignore_errors: "yes"
      register: ssh_port_default
      when: 
        - ssh_port is defined 
        - ssh_port.state is undefined

    - name: Set SSH port to 22
      set_fact:
        ansible_port: "22"
      when: ssh_port_default.state is defined

Finally, right after the SSH server is configured and the port has been changed I have this:

- name: Set SSH port to 1234
  set_fact:
    ansible_port: "1234"

Answer 4

Easy way, edit /etc/ansible/hosts:

[my_server]
ssdnodes:54321

and you can test it by issuing a ping:

ansible ssdnodes -m ping

and the response would be:

ssdnodes | SUCCESS => {
    "changed": false,
    "ping": "pong"
}

Answer 5

I would suggest to put the port number on the inventory file. Like the following example.

[linux-servers]
xcpng5.homelab.com ansible_port=3511
xcpng2.homelab.com ansible_port=3522
xcpng1.homelab.com ansible_port=3523

I was trying to achieve the same and that helped me to set up different ssh port.

Answer 6

I need to change the ssh ports on the hosts I manage and I want to use Ansible to do it. Essentially, Ansible uses the following logic to manage it's SSH connections:

    if self.port is not None:
        ssh -p {{ self.port }} ...
    else:
        ssh ...

where "self.port" is the port specification from the host inventory, or an override via the "-e" parameter, or an explicit declaration of the variables "ansible_port" and/or "ansible_ssh_port". The recommended solution to changing ports is to employ the "wait_for" and "when" modules in "pre_tasks", but there are many inadequacies to this approach, particularly when many hosts are involved and especially when you want to use different ports on different hosts.

I cloned and patched the ssh plugin (versions 1 and 2) to change the logic as follows:

if self.port is not None and self.port is OPEN:
    ssh -p {{ self.port }} ...
else:
    ssh ...

The patch, by itself, makes no changes on the target nodes but allows connections to succeed even if the ports on the nodes haven't changed yet. With the patch, it is now very easy to write roles/tasks to change ssh ports to whatever is in the host inventory.

If you're interested, you can find the patch and samples of how use it at https://github.com/crlb/ansible ; the README.md contains additional information.

Answer 7

Below is my example for connecting with different ssh port using ansible-playbook.

---
- hosts: test-server
  vars:
        ansible_ssh_user: 'rohit'
        ansible_password: '123456'
        ansible_port: '2222'
  tasks:
        - name: "print simple command"
          command: cat /usr/bin/myscript.sh

Answer 8

In your inventory file you can define the ssh port like this

---

[de-servers]

192.26.32.32:8888

[uk-servers]

172.21.1.23:8888

172.32.2.11:8888