From cfed403d5a524162b2e3b0b15a7e989055527f52 Mon Sep 17 00:00:00 2001
From: "l.covela"
Date: Mon, 19 Jan 2026 15:40:27 +0100
Subject: [PATCH] Actualiser ping-portainer.yml
---
ping-portainer.yml | 63 +++++++++++++++++++++++-----------------------
1 file changed, 31 insertions(+), 32 deletions(-)
diff --git a/ping-portainer.yml b/ping-portainer.yml
index aed60f4..f6a8a84 100644
--- a/ping-portainer.yml
+++ b/ping-portainer.yml
@@ -1,30 +1,34 @@
---
-- name: Reach Portainer via SSH tunnel through bdc
+- name: Reach Portainer via SSH tunnel through bdc (fixed local port 9443)
hosts: localhost
connection: local
gather_facts: false
vars:
- # Bastion SSH
bastion_host: bdc.cci17.fr
bastion_port: 17100
bastion_user: ansible
- # Portainer interne
portainer_ip: 10.30.0.151
portainer_port: 9443
- # Port local aléatoire pour éviter les collisions entre jobs
- local_port: "{{ 20000 + (9999 | random) }}"
+ # Port local fixe demandé
+ local_port: 9443
- # Socket ControlMaster pour fermer proprement le tunnel
- ssh_control_socket: "/tmp/ssh-tunnel-{{ local_port }}.sock"
+ ssh_control_socket: "/tmp/ssh-tunnel-portainer-9443.sock"
+ ssh_log: "/tmp/ssh-tunnel-portainer-9443.log"
tasks:
- block:
+ - name: Check if local port 9443 is already in use
+ shell: "ss -lnt | grep -q ':{{ local_port }} '"
+ register: port_in_use
+ changed_when: false
+ failed_when: port_in_use.rc == 0
- - name: Open SSH tunnel (local -> portainer via bastion)
+ - name: Open SSH tunnel (local 127.0.0.1:9443 -> portainer via bastion)
shell: |
+ rm -f "{{ ssh_log }}"
ssh -p {{ bastion_port }} \
-o ExitOnForwardFailure=yes \
-o StrictHostKeyChecking=no \
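Review bot: The new `ssh_log` is created by `rm -f` plus a shell redirect at a fixed, predictable name under world-writable /tmp with the process umask, so the DEBUG2 transcript (which typically carries the bastion host key and fingerprints, the login name and the internal forward target) is readable by every local user on a shared runner, and the fixed `/tmp/ssh-tunnel-portainer-9443.sock` can be pre-occupied by another user, in which case ssh reports that the ControlSocket already exists and continues without multiplexing, leaving the always-step `-O exit` with nothing to stop. At minimum start the block scalar with `umask 077` before `rm -f "{{ ssh_log }}"`, and prefer a per-run private directory (e.g. `ansible.builtin.tempfile` with `state: directory`, or `$XDG_RUNTIME_DIR`) for both the socket and the log. The `ss | grep` pre-check is advisory only: it races with the bind, and the unchanged `ExitOnForwardFailure=yes` already makes the open fail when 9443 is taken, so the task mainly buys a clearer message. Not introduced here but visible in the same command: `StrictHostKeyChecking=no` on the bastion hop silently accepts a changed host key, whereas `accept-new` keeps first-run convenience without that. The shell block scalar continues in the next hunk.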
@@ -32,39 +36,29 @@
-o ServerAliveInterval=10 \
-o ServerAliveCountMax=3 \
-o ConnectTimeout=10 \
+ -o LogLevel=DEBUG2 \
+ -vv \
-M -S {{ ssh_control_socket }} \
-f -N \
-L 127.0.0.1:{{ local_port }}:{{ portainer_ip }}:{{ portainer_port }} \
- {{ bastion_user }}@{{ bastion_host }}
+ {{ bastion_user }}@{{ bastion_host }} \
+ > "{{ ssh_log }}" 2>&1
register: tunnel_open
changed_when: true
failed_when: tunnel_open.rc != 0
- # Diagnostic utile : montre si SSH a renvoyé quelque chose
- - name: Debug tunnel open result (rc/stdout/stderr)
- debug:
- msg:
- - "ssh rc={{ tunnel_open.rc }}"
- - "stdout={{ tunnel_open.stdout | default('') }}"
- - "stderr={{ tunnel_open.stderr | default('') }}"
-
- - name: Wait for local tunnel port to be listening
+ - name: Wait for local tunnel port 9443 to be listening
wait_for:
host: 127.0.0.1
port: "{{ local_port }}"
delay: 1
- timeout: 30
-
- - name: Verify local port is listening (extra check)
- shell: "ss -lnt | grep -q ':{{ local_port }} '"
- changed_when: false
+ timeout: 20
- name: HTTPS check Portainer through tunnel
uri:
url: "https://127.0.0.1:{{ local_port }}/"
method: GET
validate_certs: false
- return_content: false
status_code: [200, 301, 302, 401, 403]
register: portainer_check
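Review bot: `-vv` and `-o LogLevel=DEBUG2` select the same verbosity (`-vv` is DEBUG2), so one of the two added options is redundant, and because both are unconditional every scheduled run now writes a full DEBUG2 transcript to /tmp even when the check succeeds. Keep the redirect and the rescue tail, but gate the level on a variable, e.g. `-o LogLevel={{ 'DEBUG2' if (tunnel_debug | default(false) | bool) else 'INFO' }} \` and drop `-vv`; INFO is ssh's default and still emits the `open failed: …` lines the rescue hints refer to. Since stdout and stderr are now both redirected into the file, `tunnel_open.stdout`/`stderr` are always empty and `failed_when: tunnel_open.rc != 0` merely restates the module default, so that line can go. The `timeout: 20` on `wait_for` is reasonable here because `-f` only returns after the forward is bound when `ExitOnForwardFailure=yes` is set. The ssh block scalar starts in the previous hunk.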
@@ -73,18 +67,23 @@
msg: "✅ Portainer joignable via tunnel (status {{ portainer_check.status }})"
rescue:
- - name: Explain common causes when tunnel fails
+ - name: Show last 120 lines of SSH verbose log
+ shell: "tail -n 120 {{ ssh_log }} || true"
+ register: sshlog_tail
+ changed_when: false
+
+ - name: Failure details
debug:
msg:
- - "❌ Le tunnel n'a pas pu être validé."
- - "Causes fréquentes :"
- - "1) Sur OPNsense/bastion, 'Allow SSH port forwarding / TCP forwarding' n'est pas activé."
- - "2) Le bastion ne peut pas joindre {{ portainer_ip }}:{{ portainer_port }} (routage / firewall)."
- - "3) La clé SSH/credential utilisée par Semaphore n'est pas celle attendue (auth SSH)."
- - "Regarde le 'stderr' affiché juste avant pour l'erreur exacte."
+ - "❌ Tunnel/Portainer non joignable via 127.0.0.1:9443"
+ - "Extrait log SSH:"
+ - "{{ sshlog_tail.stdout | default('') }}"
+ - "Indications :"
+ - "- 'administratively prohibited' => port forwarding désactivé côté bdc/OPNsense"
+ - "- 'connect to host 10.30.0.151 port 9443: ...' => bdc n'atteint pas Portainer (routage/firewall/service)"
always:
- - name: Close tunnel if opened (ControlMaster)
+ - name: Close tunnel if opened
shell: >
test -S {{ ssh_control_socket }} && ssh -p {{ bastion_port }} -S {{ ssh_control_socket }} -O exit
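Review bot: The new rescue reports every failure as `Tunnel/Portainer non joignable via 127.0.0.1:9443`, but the block now fails at three distinct points (the port-in-use pre-check, the tunnel open, the HTTPS check) and the message never says which; Ansible sets `ansible_failed_task` and `ansible_failed_result` inside rescue, so add `- "Tâche en échec : {{ ansible_failed_task.name | default('?') }} — {{ ansible_failed_result.msg | default('') }}"` to the msg list. When the pre-check is what fails, no tunnel was opened and no socket exists, so the unchanged `test -S … && ssh … -O exit` in always exits 1 and the play ends with a second, misleading error; `failed_when: false` on that task (or appending `|| true`) keeps the rescue message as the only failure. Note as well that `tail -n 120` of a DEBUG2 transcript is pasted into the job output, which exposes the bastion host key, login name and internal addresses to anyone who can read job logs, so consider a shorter tail or a grep for the two patterns the hints mention. The `-O exit` line is the end of the play.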