Comments (12)
@lostdesign ssm-tunnel needs to manipulate the network stack - create a network interface, set up routes, optionally change DNS settings. This is not possible for a process contained in a docker container as far as I can tell. The reason is that a docker container doesn't "own" the kernel, it's only given some resources to work with but can't request to create others.
Prove me wrong, I'd be very happy to provide an easy way to run ssm-tunnel on Mac. But as I understand it docker won't help here.
Use VirtualBox - that's a complete Linux system with its own kernel where ssm-tunnel can do all it needs to do.
Or use ssm-ssh with port forwarding, e.g. this to access your MySQL RDS:
ssm-ssh ec2-user@{some-instance} -L 3306:{mysql-rds-ip}:3306
All ssh port forwarding options are supported: -L, -R, -D, etc.
from aws-ssm-tools.
Alright, I managed to get it to work inside a docker container; the only part that is necessary is sharing /dev, or just /dev/net/tun, into the container with privileged access.
Which would look like: docker run ... --cap-add=NET_ADMIN --device /dev/net/tun:/dev/net/tun ...
Here is an example Dockerfile, which we used to make it work. We also used SSH to connect any SQL Tool into the container which has the tunnel in order to access the AWS Resources.
```dockerfile
FROM amazonlinux
LABEL maintainer="..."
LABEL version="0.1"
LABEL description="SSM Tunnel container for AWS Bastion Stations in MacOS/ Windows"
ENTRYPOINT ["/root/entrypoint.sh"]
EXPOSE 22
RUN install -d /root/.ssh -m 0700
# Install dependencies. "yum check-update" exits 100 whenever updates are
# available, which would abort the && chain, so run the update directly.
RUN yum update -y \
 && yum install -y sudo jq curl unzip python3-pip net-tools iproute telnet openssh-server openssh-clients
# Relax the in-container sshd so a local SQL tool can SSH in (root + password
# login). These settings weaken sshd, so only publish port 22 on the loopback
# interface of the Docker host, e.g. -p 127.0.0.1:2222:22.
# The ^#\? prefix also uncomments the default "#Option" lines.
RUN sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin yes/' /etc/ssh/sshd_config \
 && sed -i 's/^#\?PasswordAuthentication.*/PasswordAuthentication yes/' /etc/ssh/sshd_config \
 && sed -i 's/^#\?PermitUserEnvironment.*/PermitUserEnvironment yes/' /etc/ssh/sshd_config
COPY entrypoint.sh /root/entrypoint.sh
COPY environment /root/.ssh/environment
COPY sshconfig /root/.ssh/config
# Install AWS CLI v2.0, Session Manager Plugin and AWS SSM Tools
RUN curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" \
 && curl "https://s3.amazonaws.com/session-manager-downloads/plugin/latest/linux_64bit/session-manager-plugin.rpm" -o "session-manager-plugin.rpm" \
 && unzip awscliv2.zip \
 && ./aws/install \
 && yum install -y session-manager-plugin.rpm \
 && pip3 install aws-ssm-tools \
 && aws --version \
 && session-manager-plugin --version
# Copy AWS local assets. This bakes AWS credentials into the image layers;
# mounting them at run time instead (-v ~/.aws:/root/.aws:ro) avoids that.
COPY .aws /root/.aws
COPY tunneldb.sh /root/
# Internal tunnel script
RUN chmod +x /root/tunneldb.sh
RUN chmod +x /root/entrypoint.sh
WORKDIR /root
```
This defo needs some cleaning, but it should be good enough to give a starting point for this.
If there is any further interest, I wouldn't mind putting up a Demo Repo without our internal tunnel shell script.
tldr: Create a Docker image with the required dependencies, share TUN device into container with privileged access.
Hope I could help @mludvig @holyjak
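The comment above narrows the requirement to a TUN device node plus CAP_NET_ADMIN. The following preflight script is an added example (not part of aws-ssm-tools or of the Dockerfile above) that checks both from inside the container, so the image can be started with just those grants rather than --privileged; the capability bit number and the /proc parsing are standard Linux, the docker run flags in the comment are the ones from the thread, and dropping all other capabilities first is an assumption to test.

```shell
#!/bin/sh
# Added example (not part of aws-ssm-tools): run inside the container before
# starting ssm-tunnel. It verifies the two grants the thread identifies, a TUN
# device node and CAP_NET_ADMIN, so the container can be started with only
# those instead of --privileged, e.g. (assumption: try --cap-drop=ALL first and
# add capabilities back only if the tunnel fails)
#   docker run --cap-drop=ALL --cap-add=NET_ADMIN \
#              --device /dev/net/tun:/dev/net/tun <image>
set -eu

CAP_NET_ADMIN_BIT=12   # capability number from <linux/capability.h>

# cap_mask_has MASK BIT: succeed if BIT is set in the hex capability mask
# MASK, as printed on the "CapEff:" line of /proc/<pid>/status.
cap_mask_has() {
    [ -n "$1" ] || return 1
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# has_net_admin [STATUS_FILE]: read CapEff from a status file (default: this
# process) and check for CAP_NET_ADMIN.
has_net_admin() {
    mask=$(awk '/^CapEff:/ { print $2 }' "${1:-/proc/self/status}" 2>/dev/null)
    cap_mask_has "$mask" "$CAP_NET_ADMIN_BIT"
}

# has_tun_device [PATH]: the TUN control node must be a character device.
has_tun_device() {
    [ -c "${1:-/dev/net/tun}" ]
}

# preflight: report each missing grant with the docker run flag that adds it.
preflight() {
    rc=0
    if has_tun_device; then
        echo "ok: /dev/net/tun is present"
    else
        echo "missing: /dev/net/tun (add --device /dev/net/tun:/dev/net/tun)"; rc=1
    fi
    if has_net_admin; then
        echo "ok: CAP_NET_ADMIN is in the effective capability set"
    else
        echo "missing: CAP_NET_ADMIN (add --cap-add=NET_ADMIN)"; rc=1
    fi
    return $rc
}

preflight || echo "not ready: fix the items above before launching ssm-tunnel" >&2
```

The hex masks 00000000a80425fb and 00000000a80435fb used in testing are Docker's default capability set without and with NET_ADMIN (bit 12) respectively.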
That's great, thanks for looking at it. If you want to raise a PR with a (tidy) Dockerfile and a small README-docker.md with example usage I can merge it.
This is still on my todo. Scheduled for this week :D Haven't forgotten about it.
PS: I got the tunnel working under vagrant (used a more complete ubuntu system)
I'm afraid ssm-tunnel needs too many privileges to run in Docker. It creates network devices, configures system routing, and calls external Linux commands for it.
You can run it in VirtualBox for sure as that provides a complete system, but Docker? I don't think so. Sorry.
@mludvig as far as my understanding goes, a docker container should be roughly equivalent to a normal linux box. What would I be missing here that it wouldn't be possible inside a docker container?
Currently trying to get ssm-tunnel to work for macos users, which will not be possible as far as I understand, unless we can utilize docker?
@mludvig my guess was that you could pass the host's TUN device into the container and do the changes there? Aka using that device and bridging the container's network with the host's. These are just rough speculations, haven't gotten further into it, maybe I am completely off here. I'll research a bit further in that regard and come back with solutions (https://www.reddit.com/r/docker/comments/4cw758/accessing_tuntap_device_inside_of_a_docker/).
SSH isn't an option for us as every resource we need to access (DB, Kafka) is private, so using ssm-tunnel would be the only chance on mac os, either inside docker or a vm.
But thanks for your quick reply, much appreciated!
You can assign the issue to me. Will open a PR tomorrow morning.
@lostdesign Any update on what your entrypoint.sh looks like? Trying to set up the same thing on my mac.. container gets connectivity fine, just now trying to bridge it.
Ended up making my own solution for the mac.. still a work in progress but gets the job done on macos.
ssm-tunneler utilizes sshuttle to ssh tunnel into a docker container that is ssm-tunneled into my aws host, meaning no port 22 open in aws. Uses some bash magic to do what this utility does but with a mac. Windows powershell native coming soon.