l.covela
/
semaphore
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Actualiser ping-portainer.yml

This commit is contained in:
l.covela 2026-01-19 15:40:27 +01:00
parent 1b3bcc0b44
commit cfed403d5a
1 changed files with 31 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

63
ping-portainer.yml
View File

@ -1,30 +1,34 @@
--- ---
- name: Reach Portainer via SSH tunnel through bdc - name: Reach Portainer via SSH tunnel through bdc (fixed local port 9443)
hosts: localhost hosts: localhost
connection: local connection: local
gather_facts: false gather_facts: false
vars: vars:
# Bastion SSH
bastion_host: bdc.cci17.fr bastion_host: bdc.cci17.fr
bastion_port: 17100 bastion_port: 17100
bastion_user: ansible bastion_user: ansible
# Portainer interne
portainer_ip: 10.30.0.151 portainer_ip: 10.30.0.151
portainer_port: 9443 portainer_port: 9443
# Port local aléatoire pour éviter les collisions entre jobs # Port local fixe demandé
local_port: "{{ 20000 + (9999 | random) }}" local_port: 9443
# Socket ControlMaster pour fermer proprement le tunnel ssh_control_socket: "/tmp/ssh-tunnel-portainer-9443.sock"
ssh_control_socket: "/tmp/ssh-tunnel-{{ local_port }}.sock" ssh_log: "/tmp/ssh-tunnel-portainer-9443.log"
tasks: tasks:
- block: - block:
- name: Check if local port 9443 is already in use
shell: "ss -lnt | grep -q ':{{ local_port }} '"
register: port_in_use
changed_when: false
failed_when: port_in_use.rc == 0
- name: Open SSH tunnel (local -> portainer via bastion) - name: Open SSH tunnel (local 127.0.0.1:9443 -> portainer via bastion)
shell: | shell: |
rm -f "{{ ssh_log }}"
ssh -p {{ bastion_port }} \ ssh -p {{ bastion_port }} \
-o ExitOnForwardFailure=yes \ -o ExitOnForwardFailure=yes \
-o StrictHostKeyChecking=no \ -o StrictHostKeyChecking=no \
@ -32,39 +36,29 @@
-o ServerAliveInterval=10 \ -o ServerAliveInterval=10 \
-o ServerAliveCountMax=3 \ -o ServerAliveCountMax=3 \
-o ConnectTimeout=10 \ -o ConnectTimeout=10 \
-o LogLevel=DEBUG2 \
-vv \
-M -S {{ ssh_control_socket }} \ -M -S {{ ssh_control_socket }} \
-f -N \ -f -N \
-L 127.0.0.1:{{ local_port }}:{{ portainer_ip }}:{{ portainer_port }} \ -L 127.0.0.1:{{ local_port }}:{{ portainer_ip }}:{{ portainer_port }} \
{{ bastion_user }}@{{ bastion_host }} {{ bastion_user }}@{{ bastion_host }} \
> "{{ ssh_log }}" 2>&1
register: tunnel_open register: tunnel_open
changed_when: true changed_when: true
failed_when: tunnel_open.rc != 0 failed_when: tunnel_open.rc != 0
# Diagnostic utile : montre si SSH a renvoyé quelque chose - name: Wait for local tunnel port 9443 to be listening
- name: Debug tunnel open result (rc/stdout/stderr)
debug:
msg:
- "ssh rc={{ tunnel_open.rc }}"
- "stdout={{ tunnel_open.stdout | default('') }}"
- "stderr={{ tunnel_open.stderr | default('') }}"
- name: Wait for local tunnel port to be listening
wait_for: wait_for:
host: 127.0.0.1 host: 127.0.0.1
port: "{{ local_port }}" port: "{{ local_port }}"
delay: 1 delay: 1
timeout: 30 timeout: 20
- name: Verify local port is listening (extra check)
shell: "ss -lnt | grep -q ':{{ local_port }} '"
changed_when: false
- name: HTTPS check Portainer through tunnel - name: HTTPS check Portainer through tunnel
uri: uri:
url: "https://127.0.0.1:{{ local_port }}/" url: "https://127.0.0.1:{{ local_port }}/"
method: GET method: GET
validate_certs: false validate_certs: false
return_content: false
status_code: [200, 301, 302, 401, 403] status_code: [200, 301, 302, 401, 403]
register: portainer_check register: portainer_check
@ -73,18 +67,23 @@
msg: "✅ Portainer joignable via tunnel (status {{ portainer_check.status }})" msg: "✅ Portainer joignable via tunnel (status {{ portainer_check.status }})"
rescue: rescue:
- name: Explain common causes when tunnel fails - name: Show last 120 lines of SSH verbose log
shell: "tail -n 120 {{ ssh_log }} || true"
register: sshlog_tail
changed_when: false
- name: Failure details
debug: debug:
msg: msg:
- "❌ Le tunnel n'a pas pu être validé." - "❌ Tunnel/Portainer non joignable via 127.0.0.1:9443"
- "Causes fréquentes :" - "Extrait log SSH:"
- "1) Sur OPNsense/bastion, 'Allow SSH port forwarding / TCP forwarding' n'est pas activé." - "{{ sshlog_tail.stdout | default('') }}"
- "2) Le bastion ne peut pas joindre {{ portainer_ip }}:{{ portainer_port }} (routage / firewall)." - "Indications :"
- "3) La clé SSH/credential utilisée par Semaphore n'est pas celle attendue (auth SSH)." - "- 'administratively prohibited' => port forwarding désactivé côté bdc/OPNsense"
- "Regarde le 'stderr' affiché juste avant pour l'erreur exacte." - "- 'connect to host 10.30.0.151 port 9443: ...' => bdc n'atteint pas Portainer (routage/firewall/service)"
always: always:
- name: Close tunnel if opened (ControlMaster) - name: Close tunnel if opened
shell: > shell: >
test -S {{ ssh_control_socket }} && test -S {{ ssh_control_socket }} &&
ssh -p {{ bastion_port }} -S {{ ssh_control_socket }} -O exit ssh -p {{ bastion_port }} -S {{ ssh_control_socket }} -O exit