Can someone suggest an implementation for this idea; and if it's in the
scope of my skills I'll try to add it myself. [cc'ing a friend Bo Jeanes
who's been doing fun research and meetup talks on SSH]

[note: also documented at https://cloudfoundry.atlassian.net/browse/CF-228]

Currently, "bosh ssh NAME/INDEX" resolves NAME/INDEX to a private IP for a
VM on AWS. Outside of AWS, this IP is meaningless; as such, "bosh ssh" can
only be run from within AWS.

An automatic failover could be to use the director's VM as a sort-of
bastion host and have the SSH connection tunnel through the director's VM
into the target job VM.

What is an example "ssh" command to run on the director VM or on the local
CLI machine, to set up a tunnel through to the target private IP host?

Or would this be implemented using a ruby net-ssh library?

Nic



--
Dr Nic Williams
http://drnicwilliams.com
cell +1 (415) 860-2185


  • Bo Jeanes at Jan 18, 2013 at 8:01 pm
    Try something like `ssh -o "ProxyCommand ssh <director vm ip> nc %h %p" <target VM internal IP>`. You would need to be able to authenticate directly to the internal host with your private key on your local machine, though.
  • Dr Nic Williams at Jan 18, 2013 at 8:10 pm
    Nice. I'll investigate that.

    Gabi, what is the --gateway_host flag pointing at; the gateway's own SSH
    agent?

  • Gabi sweda at Jan 22, 2013 at 11:11 pm
    Yes, it uses the ssh running on the host provided.

    bosh ssh cloud_controller/0 --gateway_host myjumpbox

    Depending on the level of security you need, the jumpbox could be accessible from the internet or could require you to be on a VPN before you can reach it. If you set up a key pair, it has almost the same user experience as bosh ssh'ing directly.

    Getting set up so the director could take on this role should be doable, but I'm not sure you would want your director to have an external address. Depending on your goals for your cloudfoundry install, you will often want access to other ports besides ssh, so it is useful to set up a more general purpose jumpbox or bastion host that has access to ssh to your CF VMs and can also connect to database and other service ports.

    gabi
  • Martin Englund at Jan 23, 2013 at 12:33 am
    I agree with Gabi - using the director as a ssh gateway isn't a good idea. We might add a ssh job to the bosh release which can be used as ssh gateway instead of the director.

    /M
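
The ProxyCommand approach suggested in this thread, written as a generator for an ssh_config stanza that routes a private-IP target through a gateway; this is an added example, not code from the thread or from BOSH. It uses OpenSSH's `ssh -W` in place of `nc %h %p` and checks its inputs before they reach ProxyCommand; `opsuser` and `10.0.16.5` are constructed values.

```shell
#!/bin/sh
# Added example: build an ssh_config stanza that reaches a private-IP VM
# through a gateway. "opsuser" and 10.0.16.5 are constructed values.

# Plain host/user names only: a leading '-' would be read by ssh as an option,
# and ProxyCommand is executed by the user's shell.
valid_name() {
  case "$1" in
    ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
  esac
}

# RFC 1918 IPv4 only (the "private IP" that bosh ssh resolves to).
is_private_ipv4() {
  case "$1" in ''|*[!0-9.]*|.*|*.) return 1 ;; esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ "$#" -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|????*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  case "$1" in
    10)  return 0 ;;
    172) [ "$2" -ge 16 ] && [ "$2" -le 31 ] ;;
    192) [ "$2" -eq 168 ] ;;
    *)   return 1 ;;
  esac
}

gateway_ssh_config() {
  gateway=$1 target=$2 user=$3
  valid_name "$gateway" || { echo "rejected gateway: $gateway" >&2; return 1; }
  valid_name "$user" || { echo "rejected user: $user" >&2; return 1; }
  is_private_ipv4 "$target" || { echo "not a private IPv4: $target" >&2; return 1; }
  # ssh -W %h:%p is OpenSSH's built-in stand-in for running "nc %h %p" on the
  # gateway. ForwardAgent no keeps the local agent off the remote hosts;
  # authentication to the target still uses the local key, as the thread notes.
  cat <<EOF
Host $target
    User $user
    ProxyCommand ssh -W %h:%p $user@$gateway
    ForwardAgent no
EOF
}

gateway_ssh_config myjumpbox 10.0.16.5 opsuser
```

Appending the printed stanza to `~/.ssh/config` lets a plain `ssh 10.0.16.5` go through the gateway.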


Discussion Overview
group: bosh-dev
posted: Jan 15, '13 at 4:34p
active: Jan 23, '13 at 12:33a
posts: 5
users: 4
