Newbie question: How to update a multi-machine vagrant file to reflect changed ssh ports ?


Dhananjay Nene

Oct 24, 2013, 2:25:05 AM
to vagra...@googlegroups.com
I have basic multi-machine setup as follows :

VAGRANTFILE_API_VERSION = "2"

Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
  config.vm.provision "shell", inline: "echo Hello"

  config.vm.define "lvmweb" do |web|
    web.vm.box = "precise32"
    web.vm.hostname = "lvmweb"
    web.vm.network "private_network", ip: "192.168.111.11"
  end

  config.vm.define "lvmdb" do |db|
    db.vm.box = "precise32"
    db.vm.hostname = "lvmdb"
    db.vm.network "private_network", ip: "192.168.111.12"
  end

  config.vm.define "lvmlog" do |log|
    log.vm.box = "precise32"
    log.vm.hostname = "lvmlog"
    log.vm.network "private_network", ip: "192.168.111.13"
  end
end

I need to change the guests to run on different SSH ports than the default 22. That's easily managed on the guests (changing the directive in /etc/ssh/sshd_config and then restarting the ssh service). However, once that is done, I need to update the Vagrantfile so that vagrant can talk to each of the respective guests on their respective ssh ports. I was unable to do so successfully (I tried changing config.ssh.port and config.ssh.guest_port using my best guess at doing it at a per-guest level in the multi-machine configuration. That did not work, and I imagine I did not know how to exactly apply that change within the syntax as defined, e.g. should I do config.ssh.guest_port, web.ssh.guest_port, web.vm.ssh_port, etc.).

So what is the exact directive I specify at per machine level to effect the change in ssh ports on the guests?

Thanks
Dhananjay

Simon McCartney

Oct 24, 2013, 9:16:35 AM
to vagra...@googlegroups.com
First question - why do you need to change the port SSH is listening on?

You can access from your host using "vagrant ssh lvmweb", "vagrant ssh lvmdb" & "vagrant ssh lvmlog".

You can also check the vagrant managed SSH forwarded port for a given vagrant instance:

$ vagrant ssh-config percona01
Host percona01
  HostName 127.0.0.1
  User vagrant
  Port 2222
  UserKnownHostsFile /dev/null
  StrictHostKeyChecking no
  PasswordAuthentication no
  IdentityFile "/Users/simonm/.vagrant.d/insecure_private_key"
  IdentitiesOnly yes
  LogLevel FATAL



As you have enabled a private network for the hosts, they can all reach each other on the standard port (22).

Do you still need to change the port ssh is listening on? (could you spin up another sshd instance listening on your desired port, and leave the default sshd listening on 22 so that vagrant remains able to communicate with the VM?)

Simon.


--
You received this message because you are subscribed to the Google Groups "Vagrant" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vagrant-up+...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.



--
Simon McCartney

Dhananjay Nene

Oct 24, 2013, 10:38:39 AM
to vagra...@googlegroups.com


On Thursday, 24 October 2013 18:46:35 UTC+5:30, Simon McCartney wrote:
> First question - why do you need to change the port SSH is listening on?

It's been such a long time since I did anything else; I almost always change as many port numbers as I can to a non-default value (except for publicly well-known ports like 443 or 25, where running stuff on different ports can be really hard). In case you wonder why, it is security. And I particularly always, always change the ssh port.

Local testing boxes do not need such levels of security, and port changes like these could be avoided. However, the first thing my scripts do is start hardening the machines, including setting up iptables. Which means I need ssh to be running on a predictable port (not something that vagrant can decide on the fly). I am not sure if I can run iptables to allow inbound access on 22 but not on any other port (not really sure how vagrant works, but I imagine iptables will see the traffic coming in with a destination port of 2222 or 2200 or similar and will reject it if I've kept only 22 open). Again, I could skip the hardening part altogether for local testing boxes, but I would need to adjust my scripts correspondingly, and would prefer that even my local testing boxes are well hardened (since it can help detect firewall misconfiguration during development, etc.).


> You can access from your host using "vagrant ssh lvmweb", "vagrant ssh lvmdb" & "vagrant ssh lvmlog".
>
> You can also check the vagrant managed SSH forwarded port for a given vagrant instance:
>
> $ vagrant ssh-config percona01
> Host percona01
>   HostName 127.0.0.1
>   User vagrant
>   Port 2222
>   UserKnownHostsFile /dev/null
>   StrictHostKeyChecking no
>   PasswordAuthentication no
>   IdentityFile "/Users/simonm/.vagrant.d/insecure_private_key"
>   IdentitiesOnly yes
>   LogLevel FATAL

Right. But my configuration tool is not vagrant-aware, so it cannot auto-detect the port. I use ansible, and although it could be used from inside vagrant, so far I use it independently, since that way I can consistently interact with not just vagrant-based hosts but all my remote hosts as well.

I almost certainly will eventually move to building a custom box, and one of the things I will certainly want to do is to change the ssh port on the custom boxes. It would be useful to know what changes in the Vagrantfile will be required at that stage as well. Even with my current setup, I had to comment out the parts of code which changed the ssh port (in order to be able to work with vagrant), so once I know how I can specify the port from the Vagrantfile, I can uncomment that as well.


> As you have enabled a private network for the hosts, they can all reach each other on the standard port (22).

I confess to being a vagrant newbie. A private network is what seemed best to me (and was easiest to configure) under the circumstances. Earlier I used to run VirtualBoxes with bridged interfaces and static IPs that share the same subnet as the host machine. I still haven't quite figured out how to do that yet. That would allow peer developers to directly connect to hosts on other developers' desktops and would be preferable (though running a private network doesn't hurt much).
 
> Do you still need to change the port ssh is listening on? (could you spin up another sshd instance listening on your desired port, and leave the default sshd listening on 22 so that vagrant remains able to communicate with the VM?)

I would prefer to, though could probably find a way to avoid it for vagrant alone (that would require me to change a few things of course).

Dhananjay
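The reply above says the configuration tool (ansible) is not vagrant-aware and so cannot find the host port Vagrant picked. One way to bridge that gap is to parse the `vagrant ssh-config` output Simon showed and emit inventory entries from it. The following is an added example, not code from the thread or from Vagrant or Ansible; the sample input is the ssh-config block Simon posted, and the inventory variable names assume the Ansible 1.x spelling (`ansible_ssh_host`, `ansible_ssh_port`, and so on) that was current at the time.

```ruby
# Added example: turn `vagrant ssh-config` output into Ansible inventory lines so a
# tool that knows nothing about Vagrant can still reach each guest on the host port
# Vagrant forwarded. Sample input is the block Simon posted in this thread.

SAMPLE_SSH_CONFIG = <<~EOS
  Host percona01
    HostName 127.0.0.1
    User vagrant
    Port 2222
    UserKnownHostsFile /dev/null
    StrictHostKeyChecking no
    PasswordAuthentication no
    IdentityFile "/Users/simonm/.vagrant.d/insecure_private_key"
    IdentitiesOnly yes
    LogLevel FATAL
EOS

# Parse one or more "Host" blocks into { "name" => { "HostName" => "...", ... } }.
# `vagrant ssh-config` with no machine name prints one block per machine.
def parse_ssh_config(text)
  hosts = {}
  current = nil
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?("#")
    key, value = line.split(/\s+/, 2)
    next if value.nil?
    value = value.gsub(/\A"|"\z/, "")   # IdentityFile is printed in double quotes
    if key.downcase == "host"
      current = value
      hosts[current] = {}
    elsif current
      hosts[current][key] = value
    end
  end
  hosts
end

# Build one inventory line. Variable names are the Ansible 1.x ones (assumption).
def ansible_inventory_line(name, cfg)
  fields = {
    "ansible_ssh_host" => cfg["HostName"],
    "ansible_ssh_port" => cfg["Port"],
    "ansible_ssh_user" => cfg["User"],
    "ansible_ssh_private_key_file" => cfg["IdentityFile"],
  }
  missing = fields.select { |_, v| v.nil? }.keys
  raise ArgumentError, "#{name}: missing #{missing.join(', ')}" unless missing.empty?
  ([name] + fields.map { |k, v| "#{k}=#{v}" }).join(" ")
end

def inventory_from_ssh_config(text)
  parse_ssh_config(text).map { |name, cfg| ansible_inventory_line(name, cfg) }
end

if __FILE__ == $PROGRAM_NAME
  # Real use would pass `vagrant ssh-config` (backticks) instead of the sample.
  puts inventory_from_ssh_config(SAMPLE_SSH_CONFIG)
end
```

Because the port and key path are read from what Vagrant reports rather than hard-coded, the inventory stays correct even when Vagrant auto-corrects a colliding host port to another value.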

Dhananjay Nene

Oct 25, 2013, 4:25:22 AM
to vagra...@googlegroups.com
Just wondering, did I ask anything strange here? I thought this was likely to be a reasonably quick and easy answer. I would definitely like to know if this is not feasible in vagrant; then at least I can stop hunting for a solution.

Dhananjay

Simon McCartney

Oct 25, 2013, 6:14:27 AM
to vagra...@googlegroups.com
I think you've asked for something that is out of the scope of normal usage of Vagrant, which is to "Create and configure lightweight, reproducible, and portable development environments." Most of us are interested in building something that looks like "production" and is easy to build, share & recreate.

I think you might be able to do what you want by:

1) explicitly forwarding to the new non-standard ssh port via

     config.vm.network "forwarded_port", guest: 2220, host: 2222

(where your guest is listening on 2220, you have 2222 on the host forwarded to it)

2) supply an alternative communicator plugin that picks the correct port instead of the dynamically set port


Simon.
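Simon's step 1 can be done per machine without a custom communicator: give the forwarded port the id "ssh" so it replaces Vagrant's default 22 forward, and set `ssh.guest_port` on each machine so Vagrant knows which guest port to look for. The Vagrantfile below is an added example, not code from the thread; it reuses the three machines and private-network IPs from the original post, and the guest sshd port 2220 and the host ports 2220 to 2222 are constructed values. It assumes the box already has sshd listening on 2220 (the custom-box case mentioned earlier in the thread); a stock box still boots with sshd on 22, so Vagrant could not reach it on first `vagrant up`. On the iptables point raised above: VirtualBox NAT delivers a forwarded connection to the guest port (2220 here), so the guest firewall only needs to allow that port, not the host-side 2222.

```ruby
# Added example, not from the thread: one fixed host port per guest, all guests
# running sshd on the same non-default port, and Vagrant told about both.

GUEST_SSH_PORT = 2220   # constructed: the Port set in /etc/ssh/sshd_config on every guest

# Constructed plan: a fixed, distinct host-side port per machine, so nothing is
# chosen on the fly and the guest-side firewall can allow GUEST_SSH_PORT only.
SSH_PORT_PLAN = {
  "lvmweb" => { ip: "192.168.111.11", host_port: 2220 },
  "lvmdb"  => { ip: "192.168.111.12", host_port: 2221 },
  "lvmlog" => { ip: "192.168.111.13", host_port: 2222 },
}

# Options for the forwarded_port entry that replaces Vagrant's own ssh forward.
# id: "ssh" is what makes Vagrant use this entry instead of adding its default one.
def ssh_forward_for(name, plan = SSH_PORT_PLAN)
  entry = plan.fetch(name)
  { guest: GUEST_SSH_PORT, host: entry[:host_port], id: "ssh" }
end

# Two machines cannot share one host port; fail early instead of letting Vagrant
# silently auto-correct to an unpredictable port.
def validate_port_plan(plan)
  host_ports = plan.values.map { |e| e[:host_port] }
  dupes = host_ports.group_by(&:itself).select { |_, v| v.size > 1 }.keys
  raise ArgumentError, "host port used twice: #{dupes.join(', ')}" unless dupes.empty?
  true
end

# The Vagrant DSL is only evaluated when Vagrant itself loads this file, so the
# helpers above can also be exercised from plain Ruby.
if defined?(Vagrant)
  validate_port_plan(SSH_PORT_PLAN)
  Vagrant.configure("2") do |config|
    SSH_PORT_PLAN.each do |name, entry|
      config.vm.define name do |node|
        node.vm.box = "precise32"
        node.vm.hostname = name
        node.vm.network "private_network", ip: entry[:ip]
        fwd = ssh_forward_for(name)
        node.vm.network "forwarded_port", guest: fwd[:guest], host: fwd[:host], id: fwd[:id]
        # Tell Vagrant which guest port sshd listens on, so it matches the forward above.
        node.ssh.guest_port = GUEST_SSH_PORT
      end
    end
  end
end
```

With this in place, `vagrant ssh-config lvmdb` reports the fixed host port from the plan rather than a port Vagrant picked, which is what a non-Vagrant-aware tool needs.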

