Building an Ansible Sandpit using Vagrant

Vagrant SSH connections are built for host to box, not box to box. In this post I detail how to fix this with an aim to build an Ansible sandpit.

Ansible and Vagrant

Before I start using Ansible with network devices, I thought I should get to know it in its native environment, Linux server management. I'm working through the O'Reilly Media book 'Ansible: Up and Running', which suggests trying out Ansible with lightweight Vagrant Ubuntu boxes as the hosts to be toyed with.

With an eye to carrying what I'm learning over to the gladiatorial arena populated by routers and switches, the suggested setup left me cold. Ansible does not support Windows as the control machine, so the suggestion is to fire up a Linux host, install Vagrant and the boxes on it, and use port forwarding to emulate the beloved network.

Port forwarding? No thanks

Now you may be cool with port forwarding, but that stuff doesn't fly with me; I want to at least pretend I'm playing networks. So I took a different approach: build a Linux VM as the control machine and separate Vagrant boxes, all attached to a host-only network, all on my Windows PC.

Agreed, this is completely unnecessary, but it did reveal a quirk of Vagrant SSH, which is this post's primary reason for being.

Host to box, not box to box

By default Vagrant is set up to support SSH from the host machine to the local Vagrant boxes, not SSH between Vagrant boxes, nor from my Linux VM to the Vagrant boxes.
To this end, Vagrant keeps the private key on the host and installs only the matching public key on each Vagrant box. Thus you can 'vagrant ssh' from host to box, but you cannot SSH from box to box: both boxes hold only public keys, no private key.

Another detail to be aware of here is that Vagrant uses more than one private key on the host. There's the insecure private key, used while a box is first brought up, which by default is replaced by a new per-box private key as part of the build.

Back to Ansible

Here's what I want to build.

This is just my own lab and I'm not concerned about security, so I can use the Vagrant insecure key; that way I do not have to wait for Vagrant to generate a new key for each box. To get Ansible 'ping-ponging' with my Vagrant boxes I need to do the following:

1. Tell Vagrant to stick with the insecure private key.
In your Vagrantfile add:
config.ssh.insert_key = false

2. Locate the Vagrant 'insecure private key' on the host machine and copy it to my Linux VM.
I found it in C:\Users\<username>\.vagrant.d (the file is named insecure_private_key).

3. Restrict the permissions of the private key.
SSH will reject a private key whose file is readable by other users. Enter the following to appease the SSH nanny:
sudo chmod 600 /path/to/insecure_private_key

4. Tell Ansible to use the private key and the 'vagrant' user, and turn off host key checking.
The latter is so you don't get a warning every time you SSH to a newly built Vagrant box.
Add this to your ansible.cfg file (default location is /etc/ansible/ansible.cfg), under the [defaults] section:

[defaults]
private_key_file = /path/to/insecure_private_key
remote_user = vagrant
host_key_checking = False

Host-only Network

Finally, the host-only network is a network type in VirtualBox.
Go to Settings > Network > Attached to: > Host-only Adapter

To add Vagrant boxes to this network, update your Vagrantfile with:
config.vm.network "private_network", ip: "<ip_address>"
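To tie the four steps and the host-only network together, here is an added example script (my own, not from the original post) that builds the lab directory on the Linux control VM in one go: it writes a Vagrantfile with 'config.ssh.insert_key = false' and a 'private_network' IP for each box, copies the insecure key into the lab and sets it to mode 600, and writes an ansible.cfg (under [defaults]) plus a matching inventory. The box names, the 192.168.56.0/24 addresses, the 'ubuntu/focal64' box and all the function names are my assumptions; the key path is whatever you copied from the Windows host's .vagrant.d folder.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the Ansible sandpit
# described above: Vagrantfile + insecure key + ansible.cfg + inventory.
# Assumptions: POSIX sh, and $1 is the insecure_private_key copied from
# the Windows host. Box names, IPs and the box image are constructed.
set -eu

# Box names and host-only IPs, "name:ip" pairs (constructed values).
BOXES="web1:192.168.56.11 web2:192.168.56.12 db1:192.168.56.13"

# Step 1 + host-only network: keep the shared insecure key and put every
# box on the VirtualBox host-only (private) network.
write_vagrantfile() {
    dir=$1
    {
        echo 'Vagrant.configure("2") do |config|'
        echo '  config.vm.box = "ubuntu/focal64"   # assumed box image'
        echo '  config.ssh.insert_key = false     # keep the insecure key'
        for entry in $BOXES; do
            name=${entry%%:*}
            ip=${entry#*:}
            echo "  config.vm.define \"$name\" do |node|"
            echo "    node.vm.hostname = \"$name\""
            echo "    node.vm.network \"private_network\", ip: \"$ip\""
            echo "  end"
        done
        echo 'end'
    } > "$dir/Vagrantfile"
}

# Steps 2 and 3: copy the insecure private key into the lab and make it
# owner-only, which is what OpenSSH demands before it will use a key.
install_key() {
    cp "$1" "$2"
    chmod 600 "$2"
}

# Step 4: ansible.cfg with the three settings under [defaults], plus an
# inventory file whose hosts match the Vagrantfile definitions.
write_ansible_cfg() {
    dir=$1
    key=$2
    cat > "$dir/ansible.cfg" <<EOF
[defaults]
inventory = $dir/hosts
private_key_file = $key
remote_user = vagrant
host_key_checking = False
EOF
    {
        echo '[vagrant]'
        for entry in $BOXES; do
            echo "${entry%%:*} ansible_host=${entry#*:}"
        done
    } > "$dir/hosts"
}

# Build the whole sandpit under $2 from the key file at $1.
build_sandpit() {
    key_src=$1
    dir=$2
    mkdir -p "$dir"
    write_vagrantfile "$dir"
    install_key "$key_src" "$dir/insecure_private_key"
    write_ansible_cfg "$dir" "$dir/insecure_private_key"
}

# Self-check: key is exactly 0600 and ansible.cfg points at it with host
# key checking off. Returns 0 when all three hold.
check_sandpit() {
    dir=$1
    [ -n "$(find "$dir/insecure_private_key" -perm 600)" ] || return 1
    grep -qxF "private_key_file = $dir/insecure_private_key" "$dir/ansible.cfg" || return 1
    grep -qxF 'host_key_checking = False' "$dir/ansible.cfg"
}

# Usage: sh build_sandpit.sh /path/to/insecure_private_key ~/ansible-lab
# then:  cd ~/ansible-lab && vagrant up && ansible all -m ping
if [ "${1:-}" ] && [ "${2:-}" ]; then
    build_sandpit "$1" "$2"
    check_sandpit "$2" && echo "sandpit ready in $2"
fi
```

The inventory line in ansible.cfg is a convenience so that 'ansible all -m ping' works from inside the lab directory without an extra -i flag. Note what 'host_key_checking = False' buys you: Ansible stops verifying box host keys, which is why the post turns it off for boxes that get a fresh host key on every 'vagrant destroy' and 'vagrant up'; it is a setting for a throwaway lab, not one to copy into an ansible.cfg that manages real hosts.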