
Bastion / Jump host support needed (ansible_ssh_common_args & ansible_ssh_extra_args support) #4350

egg82 opened this issue Jan 2, 2025 · 2 comments
egg82 commented Jan 2, 2025

Prerequisites

  • This was not already reported in the past (duplicate check)
  • It does reproduce it with code from main branch (latest unreleased version)
  • I include a minimal example for reproducing the bug
  • The bug is not trivial, as for those a direct pull-request is preferred
  • Running pip check does not report any conflicts
  • I was able to reproduce the issue on a different machine
  • The issue is not specific to any driver other than 'default' one

Environment

molecule 6.0.3 using python 3.9
ansible:2.15.13
default:6.0.3 from molecule
molecule-proxmox:0.9.0 from molecule_proxmox

What happened

Referencing meffie/molecule-proxmox#27

Sometimes your VMs are behind a jump host (or a few) - or you just need to add extra SSH arguments.

After a lot of trial-and-error and digging through the codebases of both molecule-proxmox and molecule, I managed the following in the molecule.yml file, which mostly works:

---
driver:
  name: molecule-proxmox
  options:
    api_host: calipso.internal.iss
    api_port: 8006
    api_user: root@pam
    api_password: ${PROXMOX_PASSWORD}
    node: calipso
    ssh_user: molecule
    ssh_identity_file: ~/.ssh/id_molecule_ed25519
    sethostname: false
    timeout: 300

provisioner:
  connection_options:
    ansible_ssh_common_args: -J [email protected]

platforms:
  - name: molecule-${USER}-rocky9-server-updated
    template_name: rocky9-server-updated

This works for molecule create, molecule destroy, and molecule converge just fine, which is great.

The problem is molecule login doesn't use the jump host, opting to connect to the endpoint directly:

WARNING  Driver molecule-proxmox does not provide a schema.
INFO     Running default > login
ssh: connect to host 10.100.40.109 port 22: Connection refused

Note that the Connection refused is due to a REJECT rule in my firewall for any RFC1918 address that isn't in a known subnet. I have confirmed that molecule login attempts to connect directly to the endpoint IP, bypassing any request to use the jump host.

Official support for ansible_ssh_common_args and ansible_ssh_extra_args would be great!

@IamLunchbox managed to dig further and found the following:

molecule login (as opposed to other steps of molecule) doesn't use the ansible python class to execute the login. This probably must be done because an interactive connection with a host is not possible in ansible.

Your settings are not picked up by molecule login here, because molecule login only uses a hardcoded set of options to connect. When I debugged molecule the options were:

p(self._config.driver.login_cmd_template)
ssh {address} -l {user} -p {port} -i {identity_file} -o UserKnownHostsFile=/dev/null -o ControlMaster=auto -o ControlPersist=60s -o ForwardX11=no -o LogLevel=ERROR -o IdentitiesOnly=yes -o StrictHostKeyChecking=no

Reproducing example

---
driver:
  name: molecule-proxmox
  options:
    api_host: calipso.internal.iss
    api_port: 8006
    api_user: root@pam
    api_password: ${PROXMOX_PASSWORD}
    node: calipso
    ssh_user: molecule
    ssh_identity_file: ~/.ssh/id_molecule_ed25519
    sethostname: false
    timeout: 300

provisioner:
  connection_options:
    ansible_ssh_common_args: -J [email protected]

platforms:
  - name: molecule-${USER}-rocky9-server-updated
    template_name: rocky9-server-updated
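As an added illustration (not molecule's code and not part of this issue), here is how a login command could be rendered from the hardcoded template quoted above while also honouring the provisioner's ansible_ssh_common_args and ansible_ssh_extra_args. The bastion address and the option values are constructed; build_login_argv and uses_jump_host are hypothetical helper names.

```python
"""Render a `molecule login` ssh command that honours the provisioner's
ssh argument options (example code, not molecule's own implementation)."""
import shlex

# The hardcoded template as printed from molecule's debugger in the thread.
LOGIN_CMD_TEMPLATE = (
    "ssh {address} -l {user} -p {port} -i {identity_file} "
    "-o UserKnownHostsFile=/dev/null -o ControlMaster=auto -o ControlPersist=60s "
    "-o ForwardX11=no -o LogLevel=ERROR -o IdentitiesOnly=yes -o StrictHostKeyChecking=no"
)

# Keys molecule's provisioner accepts but that login currently ignores.
SSH_ARG_KEYS = ("ansible_ssh_common_args", "ansible_ssh_extra_args")


def build_login_argv(template, login_options, connection_options):
    """Return an argv list: the rendered template plus any extra ssh args.

    A list (run without shell=True) keeps values from molecule.yml from being
    re-interpreted by a shell. Extra args are split with shlex so quoted values
    such as a ProxyCommand string survive intact, and they are inserted right
    after the ssh binary so they precede the destination argument.
    """
    argv = shlex.split(template.format(**login_options))
    extras = []
    for key in SSH_ARG_KEYS:
        value = connection_options.get(key)
        if value:
            extras.extend(shlex.split(value))
    argv[1:1] = extras
    return argv


def uses_jump_host(argv):
    """True if the command routes through a bastion (-J or ProxyJump=...)."""
    return "-J" in argv or any(a.startswith("ProxyJump=") for a in argv)


if __name__ == "__main__":
    # Constructed values mirroring the report (bastion address is made up).
    login = {"address": "10.100.40.109", "user": "molecule", "port": 22,
             "identity_file": "~/.ssh/id_molecule_ed25519"}
    conn = {"ansible_ssh_common_args": "-J molecule@bastion.example"}
    print(shlex.join(build_login_argv(LOGIN_CMD_TEMPLATE, login, conn)))
```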

ssbarnea commented Jan 8, 2025

A PR to address this would be welcomed.

@IamLunchbox

Do you have a suggestion how this could be accomplished? Most of the other molecule commands use the Ansible python class to retrieve the options dict.

Would you suggest using the same approach in this context? Wouldn't that require starting an ansible context, while one is not needed here?

Or is parsing molecule.yml within the login script an alternative option?
