Execution model¶
If you’ve read the Overview and Tutorial, you should already be familiar with how Fabric operates in the base case (a single task on a single host.) However, in many situations you’ll find yourself wanting to execute multiple tasks and/or on multiple hosts. Perhaps you want to split a big task into smaller reusable parts, or crawl a collection of servers looking for an old user to remove. Such a scenario requires specific rules for when and how tasks are executed.
This document explores Fabric’s execution model, including the main execution loop, how to define host lists, how connections are made, and so forth.
Execution strategy¶
Fabric defaults to a single, serial execution method, though there is an alternative parallel mode available as of Fabric 1.3 (see Parallel execution). This default behavior is as follows:
- A list of tasks is created. Currently this list is simply the arguments given to fab, preserving the order given.
- For each task, a task-specific host list is generated from various sources (see How host lists are constructed below for details.)
- The task list is walked through in order, and each task is run once per host in its host list.
- Tasks with no hosts in their host list are considered local-only, and will always run once and only once.
Thus, given the following fabfile:
from fabric.api import run, env
env.hosts = ['host1', 'host2']
def taskA():
run('ls')
def taskB():
run('whoami')
and the following invocation:
$ fab taskA taskB
you will see that Fabric performs the following:
taskA
executed onhost1
taskA
executed onhost2
taskB
executed onhost1
taskB
executed onhost2
While this approach is simplistic, it allows for a straightforward composition of task functions, and (unlike tools which push the multi-host functionality down to the individual function calls) enables shell script-like logic where you may introspect the output or return code of a given command and decide what to do next.
Defining tasks¶
For details on what constitutes a Fabric task and how to organize them, please see Defining tasks.
Defining host lists¶
Unless you’re using Fabric as a simple build system (which is possible, but not the primary use-case) having tasks won’t do you any good without the ability to specify remote hosts on which to execute them. There are a number of ways to do so, with scopes varying from global to per-task, and it’s possible mix and match as needed.
Hosts¶
Hosts, in this context, refer to what are also called “host strings”: Python
strings specifying a username, hostname and port combination, in the form of
username@hostname:port
. User and/or port (and the associated @
or
:
) may be omitted, and will be filled by the executing user’s local
username, and/or port 22, respectively. Thus, admin@foo.com:222
,
deploy@website
and nameserver1
could all be valid host strings.
IPv6 address notation is also supported, for example ::1
, [::1]:1222
,
user@2001:db8::1
or user@[2001:db8::1]:1222
. Square brackets
are necessary only to separate the address from the port number. If no
port number is used, the brackets are optional. Also if host string is
specified via command-line argument, it may be necessary to escape
brackets in some shells.
Note
The user/hostname split occurs at the last @
found, so e.g. email
address usernames are valid and will be parsed correctly.
During execution, Fabric normalizes the host strings given and then stores each part (username/hostname/port) in the environment dictionary, for both its use and for tasks to reference if the need arises. See The environment dictionary, env for details.
Roles¶
Host strings map to single hosts, but sometimes it’s useful to arrange hosts in groups. Perhaps you have a number of Web servers behind a load balancer and want to update all of them, or want to run a task on “all client servers”. Roles provide a way of defining strings which correspond to lists of host strings, and can then be specified instead of writing out the entire list every time.
This mapping is defined as a dictionary, env.roledefs
, which must be
modified by a fabfile in order to be used. A simple example:
from fabric.api import env
env.roledefs['webservers'] = ['www1', 'www2', 'www3']
Since env.roledefs
is naturally empty by default, you may also opt to
re-assign to it without fear of losing any information (provided you aren’t
loading other fabfiles which also modify it, of course):
from fabric.api import env
env.roledefs = {
'web': ['www1', 'www2', 'www3'],
'dns': ['ns1', 'ns2']
}
Role definitions are not necessarily configuration of hosts only, they can
also hold additional role specific settings of your choice. This is achieved
by defining the roles as dicts and host strings under a hosts
key:
from fabric.api import env
env.roledefs = {
'web': {
'hosts': ['www1', 'www2', 'www3'],
'foo': 'bar'
},
'dns': {
'hosts': ['ns1', 'ns2'],
'foo': 'baz'
}
}
In addition to list/iterable object types, the values in env.roledefs
(or value of hosts
key in dict style definition) may be callables, and will
thus be called when looked up when tasks are run instead of at module load
time. (For example, you could connect to remote servers to obtain role
definitions, and not worry about causing delays at fabfile load time when
calling e.g. fab --list
.)
Use of roles is not required in any way – it’s simply a convenience in situations where you have common groupings of servers.
How host lists are constructed¶
There are a number of ways to specify host lists, either globally or per-task, and generally these methods override one another instead of merging together (though this may change in future releases.) Each such method is typically split into two parts, one for hosts and one for roles.
Globally, via env
¶
The most common method of setting hosts or roles is by modifying two key-value
pairs in the environment dictionary, env: hosts
and roles
.
The value of these variables is checked at runtime, while constructing each
tasks’s host list.
Thus, they may be set at module level, which will take effect when the fabfile is imported:
from fabric.api import env, run
env.hosts = ['host1', 'host2']
def mytask():
run('ls /var/www')
Such a fabfile, run simply as fab mytask
, will run mytask
on host1
followed by host2
.
Since the env vars are checked for each task, this means that if you have the
need, you can actually modify env
in one task and it will affect all
following tasks:
from fabric.api import env, run
def set_hosts():
env.hosts = ['host1', 'host2']
def mytask():
run('ls /var/www')
When run as fab set_hosts mytask
, set_hosts
is a “local” task – its
own host list is empty – but mytask
will again run on the two hosts given.
Note
This technique used to be a common way of creating fake “roles”, but is less necessary now that roles are fully implemented. It may still be useful in some situations, however.
Alongside env.hosts
is env.roles
(not to be confused with
env.roledefs
!) which, if given, will be taken as a list of role names to
look up in env.roledefs
.
Globally, via the command line¶
In addition to modifying env.hosts
, env.roles
, and
env.exclude_hosts
at the module level, you may define them by passing
comma-separated string arguments to the command-line switches
--hosts/-H
and --roles/-R
, e.g.:
$ fab -H host1,host2 mytask
Such an invocation is directly equivalent to env.hosts = ['host1', 'host2']
– the argument parser knows to look for these arguments and will modify
env
at parse time.
Note
It’s possible, and in fact common, to use these switches to set only a
single host or role. Fabric simply calls string.split(',')
on the given
string, so a string with no commas turns into a single-item list.
It is important to know that these command-line switches are interpreted
before your fabfile is loaded: any reassignment to env.hosts
or
env.roles
in your fabfile will overwrite them.
If you wish to nondestructively merge the command-line hosts with your
fabfile-defined ones, make sure your fabfile uses env.hosts.extend()
instead:
from fabric.api import env, run
env.hosts.extend(['host3', 'host4'])
def mytask():
run('ls /var/www')
When this fabfile is run as fab -H host1,host2 mytask
, env.hosts
will
then contain ['host1', 'host2', 'host3', 'host4']
at the time that
mytask
is executed.
Note
env.hosts
is simply a Python list object – so you may use
env.hosts.append()
or any other such method you wish.
Per-task, via the command line¶
Globally setting host lists only works if you want all your tasks to run on the same host list all the time. This isn’t always true, so Fabric provides a few ways to be more granular and specify host lists which apply to a single task only. The first of these uses task arguments.
As outlined in fab options and arguments, it’s possible to specify per-task arguments via a
special command-line syntax. In addition to naming actual arguments to your
task function, this may be used to set the host
, hosts
, role
or
roles
“arguments”, which are interpreted by Fabric when building host lists
(and removed from the arguments passed to the task itself.)
Note
Since commas are already used to separate task arguments from one another,
semicolons must be used in the hosts
or roles
arguments to
delineate individual host strings or role names. Furthermore, the argument
must be quoted to prevent your shell from interpreting the semicolons.
Take the below fabfile, which is the same one we’ve been using, but which doesn’t define any host info at all:
from fabric.api import run
def mytask():
run('ls /var/www')
To specify per-task hosts for mytask
, execute it like so:
$ fab mytask:hosts="host1;host2"
This will override any other host list and ensure mytask
always runs on
just those two hosts.
Per-task, via decorators¶
If a given task should always run on a predetermined host list, you may wish to
specify this in your fabfile itself. This can be done by decorating a task
function with the hosts
or roles
decorators. These decorators take a variable argument list, like so:
from fabric.api import hosts, run
@hosts('host1', 'host2')
def mytask():
run('ls /var/www')
They will also take an single iterable argument, e.g.:
my_hosts = ('host1', 'host2')
@hosts(my_hosts)
def mytask():
# ...
When used, these decorators override any checks of env
for that particular
task’s host list (though env
is not modified in any way – it is simply
ignored.) Thus, even if the above fabfile had defined env.hosts
or the call
to fab uses --hosts/-H
, mytask
would still run
on a host list of ['host1', 'host2']
.
However, decorator host lists do not override per-task command-line arguments, as given in the previous section.
Order of precedence¶
We’ve been pointing out which methods of setting host lists trump the others, as we’ve gone along. However, to make things clearer, here’s a quick breakdown:
- Per-task, command-line host lists (
fab mytask:host=host1
) override absolutely everything else. - Per-task, decorator-specified host lists (
@hosts('host1')
) override theenv
variables. - Globally specified host lists set in the fabfile (
env.hosts = ['host1']
) can override such lists set on the command-line, but only if you’re not careful (or want them to.) - Globally specified host lists set on the command-line (
--hosts=host1
) will initialize theenv
variables, but that’s it.
This logic may change slightly in the future to be more consistent (e.g.
having --hosts
somehow take precedence over env.hosts
in the
same way that command-line per-task lists trump in-code ones) but only in a
backwards-incompatible release.
Combining host lists¶
There is no “unionizing” of hosts between the various sources mentioned in
How host lists are constructed. If env.hosts
is set to ['host1', 'host2', 'host3']
,
and a per-function (e.g. via hosts
) host list is set to
just ['host2', 'host3']
, that function will not execute on host1
,
because the per-task decorator host list takes precedence.
However, for each given source, if both roles and hosts are specified, they will be merged together into a single host list. Take, for example, this fabfile where both of the decorators are used:
from fabric.api import env, hosts, roles, run
env.roledefs = {'role1': ['b', 'c']}
@hosts('a', 'b')
@roles('role1')
def mytask():
run('ls /var/www')
Assuming no command-line hosts or roles are given when mytask
is executed,
this fabfile will call mytask
on a host list of ['a', 'b', 'c']
– the
union of role1
and the contents of the hosts
call.
Host list deduplication¶
By default, to support Combining host lists, Fabric deduplicates the final host list so any given host string is only present once. However, this prevents explicit/intentional running of a task multiple times on the same target host, which is sometimes useful.
To turn off deduplication, set env.dedupe_hosts to
False
.
Excluding specific hosts¶
At times, it is useful to exclude one or more specific hosts, e.g. to override a few bad or otherwise undesirable hosts which are pulled in from a role or an autogenerated host list.
Note
As of Fabric 1.4, you may wish to use skip_bad_hosts instead, which automatically skips over any unreachable hosts.
Host exclusion may be accomplished globally with --exclude-hosts/-x
:
$ fab -R myrole -x host2,host5 mytask
If myrole
was defined as ['host1', 'host2', ..., 'host15']
, the above
invocation would run with an effective host list of ['host1', 'host3',
'host4', 'host6', ..., 'host15']
.
Note
Using this option does not modify
env.hosts
– it only causes the main execution loop to skip the requested hosts.
Exclusions may be specified per-task by using an extra exclude_hosts
kwarg,
which is implemented similarly to the abovementioned hosts
and roles
per-task kwargs, in that it is stripped from the actual task invocation. This
example would have the same result as the global exclude above:
$ fab mytask:roles=myrole,exclude_hosts="host2;host5"
Note that the host list is semicolon-separated, just as with the hosts
per-task argument.
Combining exclusions¶
Host exclusion lists, like host lists themselves, are not merged together
across the different “levels” they can be declared in. For example, a global
-x
option will not affect a per-task host list set with a decorator or
keyword argument, nor will per-task exclude_hosts
keyword arguments affect
a global -H
list.
There is one minor exception to this rule, namely that CLI-level keyword
arguments (mytask:exclude_hosts=x,y
) will be taken into account when
examining host lists set via @hosts
or @roles
. Thus a task function
decorated with @hosts('host1', 'host2')
executed as fab
taskname:exclude_hosts=host2
will only run on host1
.
As with the host list merging, this functionality is currently limited (partly to keep the implementation simple) and may be expanded in future releases.
Intelligently executing tasks with execute
¶
New in version 1.3.
Most of the information here involves “top level” tasks executed via fab, such as the first example where we called fab taskA taskB
.
However, it’s often convenient to wrap up multi-task invocations like this into
their own, “meta” tasks.
Prior to Fabric 1.3, this had to be done by hand, as outlined in
Library Use. Fabric’s design eschews magical behavior, so simply
calling a task function does not take into account decorators such as
roles
.
New in Fabric 1.3 is the execute
helper function, which takes a
task object or name as its first argument. Using it is effectively the same as
calling the given task from the command line: all the rules given above in
How host lists are constructed apply. (The hosts
and roles
keyword arguments to
execute
are analogous to CLI per-task arguments, including how they override all other host/role-setting
methods.)
As an example, here’s a fabfile defining two stand-alone tasks for deploying a Web application:
from fabric.api import run, roles
env.roledefs = {
'db': ['db1', 'db2'],
'web': ['web1', 'web2', 'web3'],
}
@roles('db')
def migrate():
# Database stuff here.
pass
@roles('web')
def update():
# Code updates here.
pass
In Fabric <=1.2, the only way to ensure that migrate
runs on the DB servers
and that update
runs on the Web servers (short of manual
env.host_string
manipulation) was to call both as top level tasks:
$ fab migrate update
Fabric >=1.3 can use execute
to set up a meta-task. Update the
import
line like so:
from fabric.api import run, roles, execute
and append this to the bottom of the file:
def deploy():
execute(migrate)
execute(update)
That’s all there is to it; the roles
decorators will be honored as expected, resulting in the following execution sequence:
migrate
ondb1
migrate
ondb2
update
onweb1
update
onweb2
update
onweb3
Warning
This technique works because tasks that themselves have no host list (this
includes the global host list settings) only run one time. If used inside a
“regular” task that is going to run on multiple hosts, calls to
execute
will also run multiple times, resulting in
multiplicative numbers of subtask calls – be careful!
If you would like your execute
calls to only be called once, you
may use the runs_once
decorator.
Leveraging execute
to access multi-host results¶
In nontrivial Fabric runs, especially parallel ones, you may want to gather up a bunch of per-host result values at the end - e.g. to present a summary table, perform calculations, etc.
It’s not possible to do this in Fabric’s default “naive” mode (one where you
rely on Fabric looping over host lists on your behalf), but with execute
it’s pretty easy. Simply switch from calling the actual work-bearing task, to
calling a “meta” task which takes control of execution with execute
:
from fabric.api import task, execute, run, runs_once
@task
def workhorse():
return run("get my infos")
@task
@runs_once
def go():
results = execute(workhorse)
print results
In the above, workhorse
can do any Fabric stuff at all – it’s literally
your old “naive” task – except that it needs to return something useful.
go
is your new entry point (to be invoked as fab go
, or whatnot) and
its job is to take the results
dictionary from the execute
call and do
whatever you need with it. Check the API docs for details on the structure of
that return value.
Using execute
with dynamically-set host lists¶
A common intermediate-to-advanced use case for Fabric is to parameterize lookup
of one’s target host list at runtime (when use of Roles does not
suffice). execute
can make this extremely simple, like so:
from fabric.api import run, execute, task
# For example, code talking to an HTTP API, or a database, or ...
from mylib import external_datastore
# This is the actual algorithm involved. It does not care about host
# lists at all.
def do_work():
run("something interesting on a host")
# This is the user-facing task invoked on the command line.
@task
def deploy(lookup_param):
# This is the magic you don't get with @hosts or @roles.
# Even lazy-loading roles require you to declare available roles
# beforehand. Here, the sky is the limit.
host_list = external_datastore.query(lookup_param)
# Put this dynamically generated host list together with the work to be
# done.
execute(do_work, hosts=host_list)
For example, if external_datastore
was a simplistic “look up hosts by tag
in a database” service, and you wanted to run a task on all hosts tagged as
being related to your application stack, you might call the above like this:
$ fab deploy:app
But wait! A data migration has gone awry on the DB servers. Let’s fix up our migration code in our source repo, and deploy just the DB boxes again:
$ fab deploy:db
This use case looks similar to Fabric’s roles, but has much more potential, and is by no means limited to a single argument. Define the task however you wish, query your external data store in whatever way you need – it’s just Python.
The alternate approach¶
Similar to the above, but using fab
’s ability to call multiple tasks in
succession instead of an explicit execute
call, is to mutate
env.hosts in a host-list lookup task and then call do_work
in the same session:
from fabric.api import run, task
from mylib import external_datastore
# Marked as a publicly visible task, but otherwise unchanged: still just
# "do the work, let somebody else worry about what hosts to run on".
@task
def do_work():
run("something interesting on a host")
@task
def set_hosts(lookup_param):
# Update env.hosts instead of calling execute()
env.hosts = external_datastore.query(lookup_param)
Then invoke like so:
$ fab set_hosts:app do_work
One benefit of this approach over the previous one is that you can replace
do_work
with any other “workhorse” task:
$ fab set_hosts:db snapshot
$ fab set_hosts:cassandra,cluster2 repair_ring
$ fab set_hosts:redis,environ=prod status
Failure handling¶
Once the task list has been constructed, Fabric will start executing them as outlined in Execution strategy, until all tasks have been run on the entirety of their host lists. However, Fabric defaults to a “fail-fast” behavior pattern: if anything goes wrong, such as a remote program returning a nonzero return value or your fabfile’s Python code encountering an exception, execution will halt immediately.
This is typically the desired behavior, but there are many exceptions to the
rule, so Fabric provides env.warn_only
, a Boolean setting. It defaults to
False
, meaning an error condition will result in the program aborting
immediately. However, if env.warn_only
is set to True
at the time of
failure – with, say, the settings
context
manager – Fabric will emit a warning message but continue executing.
To signal a failure error from a Fabric task, use the abort
.
abort
signals an error as if it had been detected by Fabric and
follows the regular execution model for control flow.
Connections¶
fab
itself doesn’t actually make any connections to remote hosts. Instead,
it simply ensures that for each distinct run of a task on one of its hosts, the
env var env.host_string
is set to the right value. Users wanting to
leverage Fabric as a library may do so manually to achieve similar effects
(though as of Fabric 1.3, using execute
is preferred and more
powerful.)
env.host_string
is (as the name implies) the “current” host string, and is
what Fabric uses to determine what connections to make (or re-use) when
network-aware functions are run. Operations like run
or
put
use env.host_string
as a lookup key in a shared
dictionary which maps host strings to SSH connection objects.
Note
The connections dictionary (currently located at
fabric.state.connections
) acts as a cache, opting to return previously
created connections if possible in order to save some overhead, and
creating new ones otherwise.
Lazy connections¶
Because connections are driven by the individual operations, Fabric will not actually make connections until they’re necessary. Take for example this task which does some local housekeeping prior to interacting with the remote server:
from fabric.api import *
@hosts('host1')
def clean_and_upload():
local('find assets/ -name "*.DS_Store" -exec rm '{}' \;')
local('tar czf /tmp/assets.tgz assets/')
put('/tmp/assets.tgz', '/tmp/assets.tgz')
with cd('/var/www/myapp/'):
run('tar xzf /tmp/assets.tgz')
What happens, connection-wise, is as follows:
- The two
local
calls will run without making any network connections whatsoever; put
asks the connection cache for a connection tohost1
;- The connection cache fails to find an existing connection for that host
string, and so creates a new SSH connection, returning it to
put
; put
uploads the file through that connection;- Finally, the
run
call asks the cache for a connection to that same host string, and is given the existing, cached connection for its own use.
Extrapolating from this, you can also see that tasks which don’t use any network-borne operations will never actually initiate any connections (though they will still be run once for each host in their host list, if any.)
Closing connections¶
Fabric’s connection cache never closes connections itself – it leaves this up to whatever is using it. The fab tool does this bookkeeping for you: it iterates over all open connections and closes them just before it exits (regardless of whether the tasks failed or not.)
Library users will need to ensure they explicitly close all open connections
before their program exits. This can be accomplished by calling
disconnect_all
at the end of your script.
Note
disconnect_all
may be moved to a more public location in
the future; we’re still working on making the library aspects of Fabric
more solidified and organized.
Multiple connection attempts and skipping bad hosts¶
As of Fabric 1.4, multiple attempts may be made to connect to remote servers before aborting with an error: Fabric will try connecting env.connection_attempts times before giving up, with a timeout of env.timeout seconds each time. (These currently default to 1 try and 10 seconds, to match previous behavior, but they may be safely changed to whatever you need.)
Furthermore, even total failure to connect to a server is no longer an absolute
hard stop: set env.skip_bad_hosts to True
and in
most situations (typically initial connections) Fabric will simply warn and
continue, instead of aborting.
New in version 1.4.
Password management¶
Fabric maintains an in-memory password cache of your login and sudo passwords
in certain situations; this helps avoid tedious re-entry when multiple systems
share the same password [1], or if a remote system’s sudo
configuration
doesn’t do its own caching.
Pre-filling the password caches¶
The first layer is a simple default or fallback password value,
env.password (which may also be set at the command line via
--password
or --initial-password-prompt
). This
env var stores a single password which (if non-empty) will be tried in the
event that the host-specific cache (see below) has no entry for the current
host string.
env.passwords (plural!) serves as a per-user/per-host cache, storing the most recently entered password for every unique user/host/port combination (note that you must include all three values if modifying the structure by hand - see the above link for details). Due to this cache, connections to multiple different users and/or hosts in the same session will only require a single password entry for each. (Previous versions of Fabric used only the single, default password cache and thus required password re-entry every time the previously entered password became invalid.)
Auto-filling/updating from user input¶
Depending on your configuration and the number of hosts your session will connect to, you may find setting either or both of the above env vars to be useful. However, Fabric will automatically fill them in as necessary without any additional configuration.
Specifically, each time a password prompt is presented to the user, the value
entered is used to update both the single default password cache, and the cache
value for the current value of env.host_string
.
Specifying sudo
-only passwords¶
In some situations (such as those involving two-factor authentication, or any
other situation where submitting a password at login time is not desired or
correct) you may want to only cache passwords intended for sudo
, instead of
reusing the values for both login and sudo
purposes.
To do this, you may set env.sudo_password or populate
env.sudo_passwords, which mirror env.password
and
env.passwords
(described above). These values will only be used in
responding to sudo
password prompts, and will never be submitted at
connection time.
There is also an analogue to the --password
command line flag, named
--sudo-password
, and like --initial-password-prompt
,
there exists --initial-sudo-password-prompt
.
Note
When both types of passwords are filled in (e.g. if env.password =
"foo"
and env.sudo_password = "bar"
), the sudo
specific passwords
will be used.
Note
Due to backwards compatibility concerns, user-entered sudo
passwords
will still be cached into env.password
/env.passwords
;
env.sudo_password
/env.sudo_passwords
are purely for noninteractive
use.
[1] | We highly recommend the use of SSH key-based access instead of relying on homogeneous password setups, as it’s significantly more secure. |
Leveraging native SSH config files¶
Command-line SSH clients (such as the one provided by OpenSSH) make use of a specific configuration format typically
known as ssh_config
, and will read from a file in the platform-specific
location $HOME/.ssh/config
(or an arbitrary path given to
--ssh-config-path
/env.ssh_config_path.) This
file allows specification of various SSH options such as default or per-host
usernames, hostname aliases, and toggling other settings (such as whether to
use agent forwarding.)
Fabric’s SSH implementation allows loading a subset of these options from one’s
actual SSH config file, should it exist. This behavior is not enabled by
default (in order to be backwards compatible) but may be turned on by setting
env.use_ssh_config to True
at the top of your
fabfile.
If enabled, the following SSH config directives will be loaded and honored by Fabric:
User
andPort
will be used to fill in the appropriate connection parameters when not otherwise specified, in the following fashion:- Globally specified
User
/Port
will be used in place of the current defaults (local username and 22, respectively) if the appropriate env vars are not set. - However, if env.user/env.port are set, they
override global
User
/Port
values. - User/port values in the host string itself (e.g.
hostname:222
) will override everything, including anyssh_config
values.
- Globally specified
HostName
can be used to replace the given hostname, just like with regularssh
. So aHost foo
entry specifyingHostName example.com
will allow you to give Fabric the hostname'foo'
and have that expanded into'example.com'
at connection time.IdentityFile
will extend (not replace) env.key_filename.ForwardAgent
will augment env.forward_agent in an “OR” manner: if either is set to a positive value, agent forwarding will be enabled.ProxyCommand
will trigger use of a proxy command for host connections, just as with regularssh
.ProxyJump
will trigger use of a env.gateway for host connections, which works similarly to regularssh
, but only supports a single hop.Note
If all you want to do is bounce SSH traffic off a gateway, you may find env.gateway to be a more efficient connection method (which will also honor more Fabric-level settings) than the typical
ssh gatewayhost nc %h %p
method of usingProxyCommand
as a gateway.Note
If your SSH config file contains
ProxyCommand
directives and you have set env.gateway to a non-None
value,env.gateway
will take precedence and theProxyCommand
will be ignored.If one has a pre-created SSH config file, rationale states it will be easier for you to modify
env.gateway
(e.g. viasettings
) than to work around your conf file’s contents entirely.Similarly,
env.gateway
takes precedence overProxyJump
in your SSH config.