69fd5ad to b1432ab
/unassign
b1432ab to 3d389be
In general I mentioned my concerns with replacing ssh through a command in the catch-up call: tarmak cluster ssh might be used in ways we never planned for. It is actually quite debug-able by the average Linux admin (-vvv, change config, ...). While if a library fails you are lost. I think using golang's library is fine and fair enough for the terraform provider, tunneling use cases.
I am suggesting:
- We offer an option to run tarmak cluster ssh via golang package, but by default we still are using ssh passthrough
- All programmatic access/use of ssh is used through golang package
- We have to write a proposal how we fix the public key issue. Not checking at all is worse than what we used to do
- We should keep the bastion connection open all the time and use a connection multiple to tunnel to Kube/Vault APIs and SSH of nodes
/assign @JoshVanL
/unassign
3328a04 to c9f3d8a
4c487ef to 791d421
I struggle to build a working cluster from this: I am getting those errors:
And apply gets stuck here:
My ssh-known-hosts was empty before and now looks like that:
cmd/tarmak/cmd/cluster_ssh.go
Outdated
Run: func(cmd *cobra.Command, args []string) { | ||
t := tarmak.New(globalFlags) | ||
defer t.Cleanup() | ||
t.SSHPassThrough(args) | ||
t.Perform(t.SSHPassThrough(args[0], args[1:])) |
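Review bot: args[0] and args[1:] in the t.Perform(t.SSHPassThrough(args[0], args[1:])) call are indexed with no length check visible in this hunk, so running the command without a host argument would panic with an index-out-of-range error unless argument validation exists outside the lines shown. Consider declaring Args: cobra.MinimumNArgs(1) on the command, or checking len(args) at the top of Run and returning a usage error.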
This is still ssh CLI powered instead of golang native SSH package.
The following seems to break (Which is really useful for debugging):
tarmak-0.5.2 cluster ssh bastion -vvv
OpenSSH_7.6p1 Ubuntu-4ubuntu0.1, OpenSSL 1.0.2n 7 Dec 2017
debug1: Reading configuration data /home/christian/.tarmak-dev/csire-cluster/ssh_config
debug2: resolving "bastion" port 22
ssh: Could not resolve hostname bastion: No address associated with hostname
FATA[0000] exit status 255
On master this looks like:
./tarmak_linux_amd64 cluster ssh bastion -vvv
ssh: Could not resolve hostname bastion: No address associated with hostname
FATA[0000] exit status 255
I suspect we want to store all host keys per instance in the known hosts file, instead of only a single random one. That might also cause my issues
/assign @JoshVanL
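The point above about pinning every host key of an instance rather than a single one, as an added Go example that is not code from this PR or from tarmak: a simplified model of a known_hosts lookup (not OpenSSH's or golang.org/x/crypto's implementation) in which a host that is known but presents an unpinned key counts as a mismatch. The names Parse, Check and KnownHosts, the address and the key blobs are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Outcomes a client must tell apart when a server presents a host key.
const Unknown, Match, Mismatch = "unknown host", "match", "mismatch"

// KnownHosts maps host -> key type -> base64 key.
type KnownHosts map[string]map[string]string

// Parse reads unhashed known_hosts lines: "host[,host...] keytype base64key".
func Parse(data string) KnownHosts {
	kh := KnownHosts{}
	for _, line := range strings.Split(data, "\n") {
		f := strings.Fields(line)
		if len(f) < 3 || strings.HasPrefix(f[0], "#") || strings.HasPrefix(f[0], "@") {
			continue // blank lines, comments, @cert-authority/@revoked markers
		}
		for _, h := range strings.Split(f[0], ",") {
			if kh[h] == nil {
				kh[h] = map[string]string{}
			}
			kh[h][f[1]] = f[2]
		}
	}
	return kh
}

// Check classifies the key that host presented.
func (kh KnownHosts) Check(host, keyType, key string) string {
	if pinned, ok := kh[host][keyType]; ok && pinned == key {
		return Match
	}
	if _, known := kh[host]; known {
		return Mismatch // known host, unpinned or changed key: never auto-accept
	}
	return Unknown
}

// Constructed sample data: placeholder key blobs, not real keys.
const oneKey = "10.0.1.5 ssh-rsa AAAAexampleRSA\n"
const allKeys = oneKey + "10.0.1.5 ssh-ed25519 AAAAexampleED\n"

func main() {
	fmt.Println("one key pinned: ", Parse(oneKey).Check("10.0.1.5", "ssh-ed25519", "AAAAexampleED"))
	fmt.Println("all keys pinned:", Parse(allKeys).Check("10.0.1.5", "ssh-ed25519", "AAAAexampleED"))
}
```

With only one key type stored, a legitimate server that negotiates a different host key algorithm is indistinguishable from a changed key, which is why a client should fail closed on a mismatch rather than fall back to accepting it.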
pkg/tarmak/ssh/ssh.go
Outdated
for _, host := range hosts { | ||
// TODO: do the strict checking settings |
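Review bot: the TODO at the top of the for _, host := range hosts loop leaves the strict host key checking settings unimplemented, and that is the security-relevant part of this code path. Resolve it before merge, or reference a tracking issue in the TODO and state in a comment what checking behaviour applies to each host in the meantime.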
@JoshVanL can you take a look at that as well
Ok I have pushed my changes now. I think we need to make Vault Create Cluster fail hard once all three vault are not reachable:
And obviously try to connect more often with longer timeouts. I am also not happy seeing a lot of expected warnings and errors for unreachable bastion and failed vault tunnels. We should not show them at all as long as we get the connection at some point
Over to you now @JoshVanL
7b236e8 to 6303b9e
Signed-off-by: JoshVanL <vleeuwenjoshua@gmail.com>
Signed-off-by: Christian Simon <simon@swine.de>
d9f30ad to 778ec89
ce177d7 to 4d7e191
/unassign
de016d5 to 6e2fa45
Thank you, this is quite stable for me
/lgtm
Use a ssh package to replace exec for all ssh connections including tunnel.
Has fully featured ssh shell.
Tunneling for commands and interactive shell.
New hidden sub-command tarmak tunnel that opens a tunnel to a specified destination+port and local port that exits after 10 mins.
Persistent tunnel through an exec of tarmak tunnel which is orphaned.
fixes #634
rebased on top of #664