
Not able to use a "jumpbox" to create SSH tunnels due to hardcoded agent registry

keymon opened this issue (2 comments)

I am trying to deploy a microbosh instance using bosh-init in a VPC without a public IP, but using instead a SSH jumpbox.

In theory this would be technically possible using the SSH tunnel feature, so that bosh-init creates SSH tunnels to the jumpbox and the agent of the deployed VM connects to the exposed port on the internal IP of the bosh VM.

But in practice I was not able to do it, and I think the blocker I hit was this commit, which replaces the IP of the registry the agent connects to with 127.0.0.1 when an SSH tunnel is set up.

Is there any reason to force this config?

Am I right thinking that if we fix this code the agent will connect to the registry served as a ssh-tunnel in the jumpbox?

As a workaround, I guess the approach would be to create the SSH tunnel manually outside of the bosh-init tool, so bosh-init won't override the registry values.

keymon, Dec 14 '15 15:12

The ssh_tunnel configuration is used by bosh-init to reverse tunnel registry-access from the VM to come back to the local bosh-init process (docs). This is why the registry connection is hard-coded to 127.0.0.1:6901 and ssh_tunnel.ip is supposed to be an accessible IP that your bosh-init can SSH to (either by LAN, VPN, or WAN).

When using a jumpbox it gets a bit more difficult since, as you suggest, you need to manually set up an SSH tunnel and forward the ports that bosh-init and the VM agent care about. For example, if MICROBOSH_IP is your instance without a public IP and JUMPBOX_IP is your publicly-accessible jumpbox IP...

Before running bosh-init, create local forwarding ports for SSH and mbus so bosh-init can communicate with the VM it'll create...

ssh -L 33322:$MICROBOSH_IP:22 -L 36868:$MICROBOSH_IP:6868 $JUMPBOX_IP

Then you'll need to modify your bosh-init.yml so it talks directly to those local ports that you're forwarding...

cloud_provider:
  ssh_tunnel:
    host: 127.0.0.1
    port: 33322
    ...
mbus: "https://mbus:[email protected]:36868"
...

Something like that should work for jumpbox-ing.

dpb587-pivotal, Dec 15 '15 17:12

Yes, the idea would be to additionally set up the reverse proxy of the registry:

ssh -R 6901:localhost:6901 -L 33322:$MICROBOSH_IP:22 -L 36868:$MICROBOSH_IP:6868 $JUMPBOX_IP

And the client would use the private IP of the jumpbox:

registry:
  host: (( jumpbox_private_ip ))

Indeed this can be implemented by creating the SSH tunnel before running bosh-init, as the jumpbox exists already.

But I wonder if:

  • Shall we allow bosh-init to create the SSH tunnel to the jumpbox for you? I think the only thing required is to remove the code that overrides the registry to 127.0.0.1.
  • If not: Shall we update the documentation to explain this?

Thank you.

keymon, Dec 18 '15 09:12
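The manual tunnel described in the two comments above, as an added bash script that is not part of the thread or of bosh-init: it assembles the `-L` forwards for SSH and mbus plus the `-R` forward for the registry, checks that the local ports are free before starting, and waits for the forwards to come up before bosh-init is run. It assumes the environment variables MICROBOSH_IP, JUMPBOX_IP and JUMPBOX_PRIVATE_IP, and the local port numbers used in the thread. Note that sshd binds `-R` forwards to the remote loopback unless the jumpbox's sshd_config has `GatewayPorts clientspecified`, so the agent on the BOSH VM can only reach `jumpbox_private_ip:6901` if the reverse forward is explicitly bound to that address, as below.

```shell
#!/usr/bin/env bash
# Added example, not code from the issue or from bosh-init.
# Assumed inputs: MICROBOSH_IP, JUMPBOX_IP, JUMPBOX_PRIVATE_IP.

# Local ports bosh-init will talk to (the values used in the thread).
LOCAL_SSH_PORT=33322
LOCAL_MBUS_PORT=36868
REGISTRY_PORT=6901

# Print the ssh argument list. The registry reverse forward is bound to the
# jumpbox's private address (needs "GatewayPorts clientspecified" in the
# jumpbox sshd_config); ExitOnForwardFailure makes ssh abort instead of
# silently running without the forward when that bind is refused.
tunnel_args() {
  local microbosh_ip=$1 jumpbox_ip=$2 jumpbox_private_ip=$3
  printf '%s' "-N -o ExitOnForwardFailure=yes" \
    " -R ${jumpbox_private_ip}:${REGISTRY_PORT}:127.0.0.1:${REGISTRY_PORT}" \
    " -L ${LOCAL_SSH_PORT}:${microbosh_ip}:22" \
    " -L ${LOCAL_MBUS_PORT}:${microbosh_ip}:6868" \
    " ${jumpbox_ip}"
}

# Return 0 if nothing is already listening on a local TCP port, so a stale
# tunnel cannot silently keep the port bosh-init is about to use (bash /dev/tcp).
local_port_free() {
  ! (exec 3<>"/dev/tcp/127.0.0.1/$1") 2>/dev/null
}

# Poll until a local forward accepts connections, so bosh-init is only
# started once the tunnel is actually established.
wait_for_port() {
  local port=$1 tries=${2:-30}
  while [ "$tries" -gt 0 ]; do
    if (exec 3<>"/dev/tcp/127.0.0.1/$port") 2>/dev/null; then return 0; fi
    tries=$((tries - 1)); sleep 1
  done
  return 1
}

# Usage: ./jumpbox-tunnel.sh up   (then run bosh-init against the local ports)
if [ "${1:-}" = "up" ]; then
  for p in "$LOCAL_SSH_PORT" "$LOCAL_MBUS_PORT"; do
    local_port_free "$p" || { echo "port $p already in use" >&2; exit 1; }
  done
  # shellcheck disable=SC2046
  ssh $(tunnel_args "$MICROBOSH_IP" "$JUMPBOX_IP" "$JUMPBOX_PRIVATE_IP") &
  wait_for_port "$LOCAL_SSH_PORT" && wait_for_port "$LOCAL_MBUS_PORT"
fi
```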