
Comments (12)

mludvig avatar mludvig commented on July 3, 2024 1

@lostdesign ssm-tunnel needs to manipulate the network stack - create a network interface, set up routes, optionally change DNS settings. This is not possible for a process contained in a Docker container as far as I can tell. The reason is that a Docker container doesn't "own" the kernel; it's only given some resources to work with but can't request to create others.

Prove me wrong, I'd be very happy to provide an easy way to run ssm-tunnel on Mac. But as I understand it docker won't help here.

Use VirtualBox - that's a complete Linux system with its own kernel where ssm-tunnel can do all it needs to do.

Or use ssm-ssh with port forwarding, e.g. this to access your MySQL RDS

ssm-ssh ec2-user@{some-instance} -L 3306:{mysql-rds-ip}:3306

All ssh port forwarding options are supported: -L, -R, -D, etc.

from aws-ssm-tools.

lostdesign avatar lostdesign commented on July 3, 2024 1

Alright, I managed to get it to work inside a Docker container. The only part that is necessary is sharing /dev or just /dev/net/tun into the container with privileged access.

Which would look like docker run ... --cap-add=NET_ADMIN --device /dev/net/tun:/dev/net/tun ...

Here is an example Dockerfile, which we used to make it work. We also used SSH to connect any SQL Tool into the container which has the tunnel in order to access the AWS Resources.

FROM amazonlinux

LABEL maintainer="..."
LABEL version="0.1"
LABEL description="SSM Tunnel container for AWS Bastion Stations in MacOS/ Windows"

ENTRYPOINT ["/root/entrypoint.sh"]
EXPOSE 22
RUN install -d /root/.ssh -m 0700

# Install dependencies ("yum check-update" exits 100 whenever updates are
# available, which would abort an && chain, so the update is run directly)
RUN yum update -y \
    && yum install sudo jq curl unzip python3-pip net-tools iproute telnet openssh-server openssh-clients -y

# Let the SQL tools SSH into the container as root with a password;
# the sed expressions are quoted so the shell never glob-expands them
RUN sed -i 's/PermitRootLogin.*/PermitRootLogin yes/' /etc/ssh/sshd_config \
    && sed -i 's/PasswordAuthentication.*/PasswordAuthentication yes/' /etc/ssh/sshd_config \
    && sed -i 's/#PermitUserEnvironment.*/PermitUserEnvironment yes/' /etc/ssh/sshd_config

COPY entrypoint.sh /root/entrypoint.sh
COPY environment /root/.ssh/environment
COPY sshconfig /root/.ssh/config

# Install AWS Cli v2.0, Session Manager Plugin and AWS SSM Tools
RUN curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" \
    && curl "https://s3.amazonaws.com/session-manager-downloads/plugin/latest/linux_64bit/session-manager-plugin.rpm" -o "session-manager-plugin.rpm" \
    && unzip awscliv2.zip \
    && ./aws/install \
    && yum install -y session-manager-plugin.rpm \
    && pip3 install aws-ssm-tools \
    && aws --version \
    && session-manager-plugin --version

# Copy AWS local assets (this bakes the credentials in .aws into the image
# layers; mounting ~/.aws at run time keeps them out of the image)
COPY .aws /root/.aws
COPY tunneldb.sh /root/

# Internal tunnel script
RUN chmod +x /root/tunneldb.sh
RUN chmod +x /root/entrypoint.sh

WORKDIR /root

This defo needs some cleaning, but it should be good enough to give a starting point for this.
If there is any further interest, I wouldn't mind putting up a Demo Repo without our internal tunnel shell script.

tldr: Create a Docker image with the required dependencies, share TUN device into container with privileged access.
Hope I could help @mludvig @holyjak

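Added example, not from aws-ssm-tools or anyone in this thread: a POSIX sh preflight check for the two things the docker run line above grants, a visible /dev/net/tun character device and CAP_NET_ADMIN in the process's effective capability set, so a container started without --cap-add=NET_ADMIN or --device fails with a clear message before ssm-tunnel tries to create an interface. The function and variable names are my own, and the capability masks used in the comments are constructed values.

```shell
#!/bin/sh
# Preflight check for running ssm-tunnel inside a container (added example,
# not part of aws-ssm-tools). ssm-tunnel needs a TUN device and CAP_NET_ADMIN;
# these helpers verify both so a missing "--cap-add=NET_ADMIN" or
# "--device /dev/net/tun:/dev/net/tun" is reported up front.

CAP_NET_ADMIN_BIT=12   # bit index of CAP_NET_ADMIN in the kernel capability mask

# cap_has_net_admin HEXMASK: succeeds if bit 12 is set in a CapEff-style hex
# mask, e.g. the constructed 00000000a80435fb (default Docker set + NET_ADMIN).
cap_has_net_admin() {
    mask="$1"
    [ "$(( 0x$mask >> $CAP_NET_ADMIN_BIT & 1 ))" -eq 1 ]
}

# current_cap_eff: print the effective capability mask of this process.
current_cap_eff() {
    awk '/^CapEff:/ { print $2 }' /proc/self/status
}

# tun_device_ok PATH: succeeds if PATH exists and is a character device, which
# is what --device /dev/net/tun:/dev/net/tun makes visible in the container.
tun_device_ok() {
    [ -c "$1" ]
}

# preflight: run both checks against the live environment; returns 0 when
# the container has what ssm-tunnel needs, 1 otherwise.
preflight() {
    ok=0
    if tun_device_ok /dev/net/tun; then
        echo "ok:   /dev/net/tun is present"
    else
        echo "FAIL: /dev/net/tun missing; add --device /dev/net/tun:/dev/net/tun" >&2
        ok=1
    fi
    if cap_has_net_admin "$(current_cap_eff)"; then
        echo "ok:   CAP_NET_ADMIN is in the effective set"
    else
        echo "FAIL: CAP_NET_ADMIN missing; add --cap-add=NET_ADMIN" >&2
        ok=1
    fi
    return $ok
}
```

Calling preflight from the start of entrypoint.sh turns a cryptic failure from ip or the TUN open into a one-line explanation of which docker run flag is missing.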

mludvig avatar mludvig commented on July 3, 2024 1

That’s great, thanks for looking at it. If you want to raise a PR with a (tidy) Dockerfile and a small README-docker.md with example usage I can merge it.


lostdesign avatar lostdesign commented on July 3, 2024 1

This is still on my todo. Scheduled for this week :D Haven't forgotten about it.


holyjak avatar holyjak commented on July 3, 2024

PS: I got the tunnel working under Vagrant (used a more complete Ubuntu system).


mludvig avatar mludvig commented on July 3, 2024

I'm afraid ssm-tunnel needs too many privileges to run in Docker. It creates network devices, configures system routing, and calls external Linux commands for it.

You can run it in VirtualBox for sure as that provides a complete system, but Docker? I don't think so. Sorry.



lostdesign avatar lostdesign commented on July 3, 2024

@mludvig as far as my understanding goes, a Docker container should be roughly equivalent to a normal Linux box. What would I be missing here that it wouldn't be possible inside a Docker container?

Currently trying to get ssm-tunnel to work for macOS users, which will not be possible as far as I understand, unless we can utilize Docker?


lostdesign avatar lostdesign commented on July 3, 2024

@mludvig my guess was that you could pass the host's TUN device into the container and do the changes there? Aka using that device and bridging the container's network with the host's. These are just rough speculations, haven't gotten further into it, maybe I am completely off here. I'll research a bit further in that regard and come back with solutions (https://www.reddit.com/r/docker/comments/4cw758/accessing_tuntap_device_inside_of_a_docker/).

SSH isn't an option for us as every resource we need to access (DB, Kafka) is private, so using ssm-tunnel would be the only chance on macOS, either inside Docker or a VM.

But thanks for your quick reply, much appreciated!


lostdesign avatar lostdesign commented on July 3, 2024

You can assign the issue to me. Will open a PR tomorrow morning 👌


animaxcg avatar animaxcg commented on July 3, 2024

@lostdesign Any update on what your entrypoint.sh looks like? Trying to set up the same thing on my Mac. The container gets connectivity fine, just now trying to bridge it.


animaxcg avatar animaxcg commented on July 3, 2024

Ended up making my own solution for the Mac. Still a work in progress but gets the job done on macOS.
ssm-tunneler

Utilizes sshuttle to SSH tunnel into a Docker container that is ssm-tunneled into my AWS host, meaning no port 22 open in AWS.

Uses some bash magic to do what this utility does but with a Mac. Windows PowerShell native coming soon.

