Add Support for serial port as alternative to ssh
#336
Comments
ScheererJ
added
component/gardenctl
could you give more details? because if ssh is enabled in the shoot spec (
E.g. for aws are you referring to ec2 instance connect? https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-connect-methods.html / https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/connect-with-ec2-instance-connect-endpoint.html I tried it out by first creating an instance-connect-endpoint $ aws ec2 create-instance-connect-endpoint --subnet-id sg-0xxxxx`and then ssh -i $TMPDIR/my.id_rsa gardener@10.123.0.123 -o ProxyCommand='aws ec2-instance-connect open-tunnel --instance-id i-0xxxxxxxxx --max-tunnel-duration 3600'but the open-tunnel command fails because the infrastructure credential that I used currently does not have the I have not tested it out on other infrastructures yet, but certainly any infrastructure resources, like the |
|
Unfortunately, I cannot provide details why my I used https://cloud.google.com/compute/docs/troubleshooting/troubleshooting-using-serial-console, which is fairly easy to utilise. Azure supports something similar (https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-overview), but @kon-angelo mentioned that it is a bit more complex to setup. I have not experimented with serial console support on AWS, but I suppose https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-serial-console.html is what I was looking for. It seems different from what you tried as a serial console explicitly does not need network access. Therefore, specifying a subnet seems strange. Nevertheless, it might require additional permissions. |
yes, this command requires aws ec2-instance-connect send-serial-console-ssh-public-key --instance-id i-0xxxxxxxxx --serial-port 0 --ssh-public-key file://$TMPDIR/my.id_rsaThen the following should work ssh -i $TMPDIR/my.id_rsa.pub i-0xxxxxxxxx.port0@serial-console.ec2-instance-connect.<region>.aws |
|
In general operational efforts are particularly hard in cases where machines are not able to join the cluster. This is usually caused by networking issues that also prevent SSH one way or the other (network isolation, or that cloud-config-downloader and friends can't setup proper SSH access). The current ssh/bastion command is provider agnostic by virtue of setting it's own jumphost but it doesn't help in these aforementioned cases. We can leverage some provider-specific capabilities to make our lives easier. Serial console access in particular solves the networking isolation issue so it is good to consider but we probably also need a solution for setting up the access (and CC: @MrBatschner |
gardener-robot
added
the
lifecycle/stale
What would you like to be added:
gardenctlshould provide a convenient way to connect to a virtual machine in the cluster node network.Why is this needed:
Some cluster owners may configure their networks in a way that
sshis impossible as ingress traffic may be blocked. Most infrastructures support a serial port/console as alternative means to connect to a virtual machine. As the network path goes through the infrastructure it may be able to reach into such highly isolated clusters.Serial port/console may require a bastion with a provisioned user/password. However, it does not require a virtual machine to be reachable through the internet.
The text was updated successfully, but these errors were encountered: