IDEA: bosh ssh - tunnel through director VM if cannot access private IP


Dr Nic Williams

Jan 15, 2013, 11:34:04 AM
to bosh...@cloudfoundry.org, Bodaniel Jeanes
Can someone suggest an implementation for this idea; and if it's in the scope of my skills I'll try to add it myself. [cc'ing a friend Bo Jeanes who's been doing fun research and meetup talks on SSH]


Currently, "bosh ssh NAME/INDEX" resolves NAME/INDEX to a private IP for a VM on AWS. Outside of AWS, this IP is meaningless; as such, "bosh ssh" can only be run from within AWS.

An automatic failover could be to use the director's VM as a sort-of bastion host and have the SSH connection tunnel through the director's VM into the target job VM.

What is an example "ssh" command to run on the director VM or on the local CLI machine, to setup a tunnel through to the target private IP host?

Or would this be implemented using a ruby net-ssh library?

Nic



--
Dr Nic Williams

Bo Jeanes

Jan 18, 2013, 3:01:33 PM
to Dr Nic Williams, bosh...@cloudfoundry.org
Try something like `ssh -o "ProxyCommand ssh <director vm ip> nc %h %p" <target VM internal IP>`. You would need to be able to authenticate directly to the internal host with your private key on your local machine, though.

Dr Nic Williams

Jan 18, 2013, 3:09:42 PM
to Bo Jeanes, bosh...@cloudfoundry.org
Nice. I'll investigate that.

Gabi, what is the --gateway_host flag pointing at; the gateway's own SSH agent?

gabi sweda

Jan 22, 2013, 6:11:07 PM
to bosh...@cloudfoundry.org
Yes, it uses the ssh running on the host provided.

bosh ssh cloud_controller/0 --gateway_host myjumpbox

Depending on the level of security you need the jumpbox could be accessible from the internet or could require you to be on a VPN before you can reach it. If you set up a key pair it has almost the same user experience as bosh ssh'ing directly.

Getting set up so the director could take on this role should be doable, but I'm not sure you would want your director to have an external address. Depending on your goals for your cloudfoundry install you will often want access to other ports besides ssh, so it is useful to set up a more general purpose jumpbox or bastion host that has access to ssh to your CF vms and also connect to database and other service ports.

gabi
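As an added illustration of the two approaches in this thread (Bo's `ProxyCommand ... nc %h %p` one-liner and Gabi's `--gateway_host` jumpbox), here is a small Ruby script that is not part of the bosh CLI or anything the posters wrote. It decides whether a target address is only privately routable (RFC 1918) and, if so, builds the ssh argument vector that proxies through a gateway host; otherwise it connects directly. The gateway name `director.example.com`, the target addresses and the `vcap` user are constructed placeholders, and it assumes `nc` is installed on the gateway, as the original one-liner does. The script only composes the command; it never runs ssh.

```ruby
require 'ipaddr'

# RFC 1918 ranges: an address in one of these is meaningless from outside
# the VPC, which is exactly the case the thread is about.
PRIVATE_RANGES = %w[10.0.0.0/8 172.16.0.0/12 192.168.0.0/16].map { |c| IPAddr.new(c) }.freeze

def private_ip?(ip)
  addr = IPAddr.new(ip)
  PRIVATE_RANGES.any? { |range| range.include?(addr) }
end

# Build argv for `ssh` to target_ip. When the target is privately routable the
# connection is proxied through gateway_host using the ProxyCommand from the
# thread; a public target is reached directly. `user` and `key` are optional.
# Assumption: `nc` exists on the gateway. With OpenSSH 5.4+ the ProxyCommand
# could instead be "ssh -W %h:%p #{gateway_host}", which needs no nc.
def ssh_argv(target_ip, gateway_host:, user: nil, key: nil)
  argv = ['ssh']
  argv += ['-o', "ProxyCommand ssh #{gateway_host} nc %h %p"] if private_ip?(target_ip)
  argv += ['-i', key] if key
  argv << (user ? "#{user}@#{target_ip}" : target_ip)
end

# Equivalent ~/.ssh/config stanza, so that a plain `ssh 10.0.1.5` transparently
# goes through the gateway. host_pattern is an ssh_config glob such as "10.*".
def ssh_config_stanza(host_pattern, gateway_host:, user: nil)
  lines = ["Host #{host_pattern}",
           "    ProxyCommand ssh #{gateway_host} nc %h %p"]
  lines << "    User #{user}" if user
  lines.join("\n") + "\n"
end

# Constructed sample values (placeholders, not real hosts).
GATEWAY = 'director.example.com'.freeze
PRIVATE_TARGET = '10.0.1.5'.freeze
PUBLIC_TARGET = '203.0.113.10'.freeze

if __FILE__ == $PROGRAM_NAME
  puts ssh_argv(PRIVATE_TARGET, gateway_host: GATEWAY, user: 'vcap').join(' ')
  puts ssh_argv(PUBLIC_TARGET, gateway_host: GATEWAY, user: 'vcap').join(' ')
  puts ssh_config_stanza('10.*', gateway_host: GATEWAY, user: 'vcap')
end
```

To actually open the session you would hand the array to `Kernel.exec(*argv)` (or use net-ssh, as Nic asks about); the array form avoids shell quoting of the ProxyCommand string. As Bo notes, the key used by the inner `ssh` still has to be accepted by the target VM, since the gateway only forwards the TCP stream. Keeping the gateway a dedicated jumpbox rather than the director, as Gabi and Martin recommend, means the only host that needs an external address is one whose sole job is forwarding.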

Martin Englund

Jan 22, 2013, 7:33:27 PM
to bosh...@cloudfoundry.org
I agree with Gabi - using the director as an ssh gateway isn't a good idea. We might add an ssh job to the bosh release which can be used as an ssh gateway instead of the director.

/M

Sent from my iPhone