I want to configure Windows hosts in a subnet that can only be reached through a Linux jump host.
The Windows machines use the winrm connection method. The Linux jump server is reachable over SSH.
I can reach the Windows hosts directly with:
ansible_connection: winrm
If I try to delegate the task to the Linux jump server (which can reach the Windows hosts directly) like this:
- name: Ping windows
  hosts: windows_machines
  tasks:
    - name: ping
      win_ping:
      delegate_to: "{{ item }}"
      with_items: "{{ groups['jump_servers'][0] }}"
it tries to open a WinRM connection to the jump host. Not quite what I had in mind.
Note that for the windows_machines group I have defined these group_vars:
ansible_port: 5986
ansible_connection: winrm
ansible_winrm_server_cert_validation: ignore
How should I configure the Windows hosts so that they are managed through the bastion host?
My first priority was to keep all configuration in one place instead of distributing part of Ansible to the bastion/jump host. I went with an ssh tunnel for port 5986. Here is the complete play:
- name: Tunneled configuration of Windows host in a subnet
  hosts: windows
  connection: local   # This is the trick to connect to localhost not actual host
  gather_facts: no
  tasks:
    - name: First setup a tunnel
      # -Nf: no remote command, go to background. ControlMaster/ControlPersist keep the
      # session alive for 1 minute after the last client, so -O check / -O stop can reach it.
      # StrictHostKeyChecking=no together with UserKnownHostsFile=/dev/null skips
      # host-key verification of the jump host entirely.
      local_action: >
        command ssh -Nf -4
        -o ControlPersist=1m -o ControlMaster=auto
        -o ControlPath="~/.ssh/mux2win-%r@%h:%p"
        -o StrictHostKeyChecking=no -o PasswordAuthentication=no
        -o UserKnownHostsFile="/dev/null"
        -i {{ hostvars[item].ansible_ssh_private_key_file }}
        {{ hostvars[item].ansible_ssh_user }}@{{ hostvars[item].ansible_host }}
        -L {{ ansible_port }}:{{ actual_host }}:{{ ansible_port }}
      with_items:
        - "{{ groups['jump_servers'][0] }}"   # I know my topology so I know which host to use

    - name: (optional) Second ensure it is up
      local_action: >
        command ssh -O check -S "~/.ssh/mux2win-%r@%h:%p"
        {{ hostvars[item].ansible_ssh_user }}@{{ hostvars[item].ansible_host }}
      with_items:
        - "{{ groups['jump_servers'][0] }}"

    # ------- actual windows tasks (from ansible examples) ------------
    - name: Ping
      connection: local
      win_ping:

    - name: test raw module- run ipconfig
      raw: ipconfig
      register: ipconfig
    - debug: var=ipconfig

    - name: Test stat module- test stat module on file
      win_stat: path="C:/Windows/win.ini"
      register: stat_file
    - debug: var=stat_file

    - name: Check stat_file result
      assert:
        that:
          - "stat_file.stat.exists"
          - "not stat_file.stat.isdir"
          - "stat_file.stat.size > 0"
          - "stat_file.stat.md5"
    # ------- end of actual windows tasks ------------

    - name: Stop the tunnel. It would stop anyway after 1m.
      local_action: >
        command ssh -O stop -S "~/.ssh/mux2win-%r@%h:%p"
        {{ hostvars[item].ansible_ssh_user }}@{{ hostvars[item].ansible_host }}
      with_items:
        - "{{ groups['jump_servers'][0] }}"
For this I had to modify the inventory file slightly:
[windows]
windows1 ansible_host=127.0.0.1 ansible_ssh_user=Administrator actual_host=192.168.0.2
(...)
Ansible connects by reaching port 5986 on localhost, so ansible_host has to be set to 127.0.0.1, and the real IP of the Windows machine goes into the custom variable actual_host.
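The answer above tunnels a single host on the fixed local port 5986 and turns host-key verification of the jump host off. The playbook below is an added example written for this page, not the answer's own code. It gives every Windows host its own local port (stored as ansible_port in the inventory) so the whole group can be handled in one play, keeps StrictHostKeyChecking on (the jump host's key is assumed to be in known_hosts already), opens one multiplexed master session with ssh -fNM, adds the per-host forwards with ssh -O forward, and tears the master down in an always: section so no forward lingers after a failed task. The inventory in the header comment, the names jump1 and ops, the addresses 203.0.113.10 and 192.168.0.3, the ports 15986/15987, the mux socket path and the variables jump_login and winrm_port are all assumptions. Because WinRM is now addressed as 127.0.0.1, the name in the Windows certificate will not match, which is why ansible_winrm_server_cert_validation: ignore stays; the price is that the Windows end of the WinRM TLS session is not authenticated, only the SSH hop to the jump host is.

```yaml
# Added example, not the answer's own playbook. Hypothetical inventory it assumes:
#
#   [jump_servers]
#   jump1 ansible_host=203.0.113.10 ansible_user=ops ansible_ssh_private_key_file=~/.ssh/jump1
#
#   [windows]
#   windows1 ansible_host=127.0.0.1 ansible_port=15986 actual_host=192.168.0.2
#   windows2 ansible_host=127.0.0.1 ansible_port=15987 actual_host=192.168.0.3
#
#   [windows:vars]
#   ansible_connection=winrm
#   ansible_winrm_server_cert_validation=ignore   # cert names the Windows host, not 127.0.0.1
#
# ansible_port is the per-host LOCAL port; the WinRM listener on the Windows side stays on 5986.
- name: Configure Windows hosts through one multiplexed SSH session to the jump host
  hosts: windows
  gather_facts: no
  vars:
    jump: "{{ groups['jump_servers'][0] }}"
    jump_login: "{{ hostvars[jump].ansible_user }}@{{ hostvars[jump].ansible_host }}"
    mux: "{{ lookup('env', 'HOME') }}/.ssh/mux2win-{{ jump }}"   # assumed socket path
    winrm_port: 5986
  tasks:
    - block:
        - name: Is a master connection to the jump host already running?
          delegate_to: localhost
          run_once: true
          command: ssh -O check -S {{ mux }} {{ jump_login }}
          register: master
          failed_when: false
          changed_when: false

        - name: Start the master once per play; the jump host key must already be in known_hosts
          delegate_to: localhost
          run_once: true
          command: >
            ssh -fNM -o ControlPath={{ mux }} -o ControlPersist=5m
            -o BatchMode=yes -o StrictHostKeyChecking=yes
            -i {{ hostvars[jump].ansible_ssh_private_key_file }} {{ jump_login }}
          when: master.rc != 0

        # Runs once per Windows host. hostvars[inventory_hostname] is used on purpose:
        # inside a delegated task the bare ansible_port would be the delegate's value.
        # If the local port is already bound the forward request fails and the task
        # errors out, so the WinRM tasks never run against a stale tunnel.
        - name: Add a local forward for this Windows host through the master
          delegate_to: localhost
          command: >
            ssh -O forward -S {{ mux }}
            -L 127.0.0.1:{{ hostvars[inventory_hostname].ansible_port }}:{{ actual_host }}:{{ winrm_port }}
            {{ jump_login }}
          changed_when: false

        # ---- WinRM tasks now reach 127.0.0.1:<ansible_port>, i.e. this host's tunnel ----
        - name: Ping over WinRM through the tunnel
          win_ping:

        - name: Read a file through the tunnel
          win_stat:
            path: C:/Windows/win.ini
          register: stat_file

        - name: Sanity check
          assert:
            that:
              - stat_file.stat.exists
              - not stat_file.stat.isdir

      always:
        - name: Tear the master down (this closes every forward), even if a Windows task failed
          delegate_to: localhost
          run_once: true
          command: ssh -O exit -S {{ mux }} {{ jump_login }}
          changed_when: false
```

Run it as ansible-playbook -i inventory win_tunnel.yml (file names assumed). Delegating the ssh steps to localhost instead of setting connection: local on the play avoids the precedence quirk the answer leans on, where ansible_connection from the inventory silently overrides the play keyword; the WinRM tasks simply use the inventory's connection settings, and only the ssh steps run on the controller.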