From 2f42b338a8678847587a8713d60bbde363792b76 Mon Sep 17 00:00:00 2001 From: Eric Edgar Date: Mon, 9 Mar 2020 13:47:22 -0500 Subject: [PATCH 1/7] Update documentation on bastion ssh configs to use the proxycommand values --- docs/source/troubleshooting/ssh.rst | 43 ++++++++++++++++++++++++++++- 1 file changed, 42 insertions(+), 1 deletion(-) diff --git a/docs/source/troubleshooting/ssh.rst b/docs/source/troubleshooting/ssh.rst index f1a0193d8..3fea23d6f 100644 --- a/docs/source/troubleshooting/ssh.rst +++ b/docs/source/troubleshooting/ssh.rst @@ -85,7 +85,48 @@ runner boxes, and add the following configuration lines in ``/etc/st2/st2.conf`` [ssh_runner] use_ssh_config = True - ssh_config_file_path = /home/stanley/.ssh/config + ssh_config_file_path = /root/.ssh/config + +Make sure your ssh config is in the same account as user running the st2action process. If root is running +st2actions install it there. Make sure the config and identity files have proper permissions and ownership. + +.. code-block:: bash + + chown -R root:root /root/.ssh/* + chmod 600 /root/.ssh/config + chmod 600 /root/.ssh/id_rsa + +This is a sample ssh config that is known to work with bastion forwarding. + +.. code-block:: ini + + Host 10.1.* + ProxyCommand ssh -o StrictHostKeyChecking=no bastion nc %h %p + IdentityFile ~/.ssh/id_rsa + User stanley + + Host bastion + Hostname bastion.example.com + IdentityFile ~/.ssh/id_rsa + User stanley + +Example output of a successful setup that does not require the bastion_host parameter. + +.. code-block:: bash + $st2 run core.remote cmd=whoami hosts=10.1.1.2 + . + id: 5e668e4a811a07014b1c48bd + status: succeeded + parameters: + cmd: whoami + hosts: 10.1.1.2: + result: + 10.1.1.2: + failed: false + return_code: 0 + stderr: '' + stdout: stanley + succeeded: true We do not recommend running actions as arbitrary user + private_key combinations. This would require you to setup private_key for the users on |st2| action runner boxes and 
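Review bot: the sample config in this hunk disables host-key verification for the bastion hop with `ProxyCommand ssh -o StrictHostKeyChecking=no bastion nc %h %p`, so anyone who can redirect traffic for `bastion.example.com` can sit in the middle of every `core.remote` action and capture the inner session to the target host. Drop the option and pre-seed the bastion's key in the runner user's `known_hosts` instead; `ProxyCommand ssh -W %h:%p bastion` (or `ProxyJump bastion` on OpenSSH 7.3 and later) also removes the requirement that `nc` be installed on the bastion. Two smaller points in the same hunk: the permission block sets 600 on `config` and `id_rsa` but never sets the `.ssh` directory itself to 700, and the `.. code-block:: bash` directive for the `st2 run` output has no blank line before `$st2 run ...`, so Sphinx will not render the block as intended (the `$st2` prompt also needs a space, the lone `.` line looks like copy residue, and `hosts: 10.1.1.2:` has a stray trailing colon). Finally, this hunk moves the example from `/home/stanley` to `/root`, while the rest of the page uses the stanley user; keep one user throughout so readers do not end up running the action runner as root just to match the docs.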
From 1a4c66292cc1f0234a03e576fa39b8225503b6ee Mon Sep 17 00:00:00 2001 From: Jacob Floyd Date: Sat, 11 Sep 2021 15:58:49 -0500 Subject: [PATCH 2/7] Use correct code-block formatting --- docs/source/troubleshooting/ssh.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/source/troubleshooting/ssh.rst b/docs/source/troubleshooting/ssh.rst index 3fea23d6f..d8b4eceb6 100644 --- a/docs/source/troubleshooting/ssh.rst +++ b/docs/source/troubleshooting/ssh.rst @@ -98,7 +98,7 @@ st2actions install it there. Make sure the config and identity files have prope This is a sample ssh config that is known to work with bastion forwarding. -.. code-block:: ini +.. code-block:: ssh-config Host 10.1.* ProxyCommand ssh -o StrictHostKeyChecking=no bastion nc %h %p @@ -157,7 +157,7 @@ For the above example to work, the key file ``/home/stanley/ssh_keys/.ssh/id_rsa available on the action runner boxes. We also support ``password`` as a parameter. As of version 2.1, you can also specify custom keys for hosts via SSH config file. A sample SSH config is shown below: -.. code-block:: ini +.. code-block:: ssh-config Host st2-ssh-test001 User lakshmi From 689f88537d0b6288248b10c833898dba2b63c1d3 Mon Sep 17 00:00:00 2001 From: Jacob Floyd Date: Sat, 11 Sep 2021 16:01:31 -0500 Subject: [PATCH 3/7] Clean up comment about bastion forwarding example Co-authored-by: JP Bourget --- docs/source/troubleshooting/ssh.rst | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/source/troubleshooting/ssh.rst b/docs/source/troubleshooting/ssh.rst index d8b4eceb6..18aafd6bd 100644 --- a/docs/source/troubleshooting/ssh.rst +++ b/docs/source/troubleshooting/ssh.rst 
@@ -96,6 +96,8 @@ st2actions install it there. Make sure the config and identity files have prope chmod 600 /root/.ssh/config chmod 600 /root/.ssh/id_rsa +If you are looking to do ssh bastion forwarding, while allowing SSH to resolve automatically the correct keys based on hostname (eg. to dynamically support environments where a ssh hosts are set in your ssh_config file): + This is a sample ssh config that is known to work with bastion forwarding. .. code-block:: ssh-config From 416bd7edebd77d1481b0428d9a0c3f4514a4bffe Mon Sep 17 00:00:00 2001 From: Jacob Floyd Date: Sat, 11 Sep 2021 16:08:00 -0500 Subject: [PATCH 4/7] leave stanley as the default user --- docs/source/troubleshooting/ssh.rst | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/docs/source/troubleshooting/ssh.rst b/docs/source/troubleshooting/ssh.rst index 18aafd6bd..677ae89dc 100644 --- a/docs/source/troubleshooting/ssh.rst +++ b/docs/source/troubleshooting/ssh.rst 
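Review bot: the sentence inserted in this hunk duplicates the one that follows it ("This is a sample ssh config that is known to work with bastion forwarding."), leaving two consecutive lead-ins for the same code block, one ending in a colon and one in a period; merge them into a single sentence. Within the new text, "where a ssh hosts are set" should read "where SSH hosts are set" and "eg." should be "e.g.".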
@@ -85,16 +85,17 @@ runner boxes, and add the following configuration lines in ``/etc/st2/st2.conf`` [ssh_runner] use_ssh_config = True - ssh_config_file_path = /root/.ssh/config + ssh_config_file_path = /home/stanley/.ssh/config -Make sure your ssh config is in the same account as user running the st2action process. If root is running -st2actions install it there. Make sure the config and identity files have proper permissions and ownership. +Make sure your ssh config is in the same account as user running the st2actionrunner process. If root is running +st2actionrunner install it under ``/root/.ssh``. Wherever it is installed, make sure the config and identity files +have proper permissions and ownership, or ``ssh`` will refuse to read them. .. code-block:: bash - chown -R root:root /root/.ssh/* - chmod 600 /root/.ssh/config - chmod 600 /root/.ssh/id_rsa + chown -R stanley:stanley /home/stanley/.ssh/* + chmod 600 /home/stanley/.ssh/config + chmod 600 /home/stanley/.ssh/id_rsa If you are looking to do ssh bastion forwarding, while allowing SSH to resolve automatically the correct keys based on hostname (eg. to dynamically support environments where a ssh hosts are set in your ssh_config file): From c5dc1615b89711fb65680430cc5107c6845b25f2 Mon Sep 17 00:00:00 2001 From: Jacob Floyd Date: Sat, 11 Sep 2021 16:35:11 -0500 Subject: [PATCH 5/7] reword ssh bastion forwarding description --- docs/source/troubleshooting/ssh.rst | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/docs/source/troubleshooting/ssh.rst b/docs/source/troubleshooting/ssh.rst index 677ae89dc..69e326d75 100644 --- a/docs/source/troubleshooting/ssh.rst +++ b/docs/source/troubleshooting/ssh.rst 
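Review bot: "in the same account as user running the st2actionrunner process" is missing an article ("as the user running"). The corrected permission block still leaves a gap: `chown -R stanley:stanley /home/stanley/.ssh/*` changes the files but not the `.ssh` directory itself, and nothing sets that directory to mode 700; suggest `chown -R stanley:stanley /home/stanley/.ssh` followed by `chmod 700 /home/stanley/.ssh` so the directory is covered as well. The phrase "or `ssh` will refuse to read them" is accurate for `config` (ssh rejects a config file owned by another user or writable by others) and for an identity file with open permissions, so it is worth keeping.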
@@ -97,9 +97,11 @@ have proper permissions and ownership, or ``ssh`` will refuse to read them. chmod 600 /home/stanley/.ssh/config chmod 600 /home/stanley/.ssh/id_rsa -If you are looking to do ssh bastion forwarding, while allowing SSH to resolve automatically the correct keys based on hostname (eg. to dynamically support environments where a ssh hosts are set in your ssh_config file): - -This is a sample ssh config that is known to work with bastion forwarding. +If you are using--or planning to use--bastion forwarding to get to target hosts in your network, then you either +need to pass the ``bastion_host`` parameter to each action, or configure ssh to automatically use bastion forwarding. +In the latter case, you to validate that your ssh config file(s) are valid and they include the appropriate +``IdentityFile`` definitions. For example, consider this ssh config file with different ssh keys for the bastion and the +target hosts (``10.1.*`` in our example). This allows SSH to resolve automatically the correct keys based on hostname. .. code-block:: ssh-config @@ -110,10 +112,10 @@ This is a sample ssh config that is known to work with bastion forwarding. Host bastion Hostname bastion.example.com - IdentityFile ~/.ssh/id_rsa + IdentityFile ~/.ssh/bastion_rsa User stanley -Example output of a successful setup that does not require the bastion_host parameter. +Example output of a successful setup that does not require the ``bastion_host`` parameter. .. code-block:: bash $st2 run core.remote cmd=whoami hosts=10.1.1.2 From d29a0c8bc530bbd21337932d7257e57ea8c7a93e Mon Sep 17 00:00:00 2001 From: Jacob Floyd Date: Sat, 11 Sep 2021 16:49:39 -0500 Subject: [PATCH 6/7] fix code-block formatting --- docs/source/troubleshooting/ssh.rst | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/source/troubleshooting/ssh.rst b/docs/source/troubleshooting/ssh.rst index 69e326d75..e52507119 100644 --- a/docs/source/troubleshooting/ssh.rst +++ b/docs/source/troubleshooting/ssh.rst 
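Review bot: "In the latter case, you to validate" is missing its verb ("you need to validate"), and "using--or planning to use--" should be set off with commas or parentheses rather than double hyphens. More importantly, the second hunk introduces a separate key, `~/.ssh/bastion_rsa`, but the permission block earlier in the file only covers `config` and `id_rsa`; add `chmod 600 /home/stanley/.ssh/bastion_rsa` (or state that every identity file needs the same treatment), otherwise ssh prints its UNPROTECTED PRIVATE KEY FILE warning and ignores the key, and the bastion hop silently fails. The retained `ProxyCommand` line still carries `StrictHostKeyChecking=no`; since this hunk is reworking the example anyway, remove that option and have readers pin the bastion's host key in `known_hosts`.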
@@ -118,6 +118,7 @@ target hosts (``10.1.*`` in our example). This allows SSH to resolve automatical Example output of a successful setup that does not require the ``bastion_host`` parameter. .. code-block:: bash + $st2 run core.remote cmd=whoami hosts=10.1.1.2 . id: 5e668e4a811a07014b1c48bd From cf3ccca8a7a0ff8145e114f62db59183b5c68af7 Mon Sep 17 00:00:00 2001 From: Jacob Floyd Date: Wed, 6 Oct 2021 20:11:18 -0500 Subject: [PATCH 7/7] Use ini instead of ssh-config for code blocks We are using sphinx which uses pygments. pygments does not support ssh-config format. github/linguist does, but that does not help us. --- docs/source/troubleshooting/ssh.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/source/troubleshooting/ssh.rst b/docs/source/troubleshooting/ssh.rst index e52507119..7cca02a09 100644 --- a/docs/source/troubleshooting/ssh.rst +++ b/docs/source/troubleshooting/ssh.rst @@ -103,7 +103,7 @@ In the latter case, you to validate that your ssh config file(s) are valid and t ``IdentityFile`` definitions. For example, consider this ssh config file with different ssh keys for the bastion and the target hosts (``10.1.*`` in our example). This allows SSH to resolve automatically the correct keys based on hostname. -.. code-block:: ssh-config +.. code-block:: ini Host 10.1.* ProxyCommand ssh -o StrictHostKeyChecking=no bastion nc %h %p @@ -163,7 +163,7 @@ For the above example to work, the key file ``/home/stanley/ssh_keys/.ssh/id_rsa available on the action runner boxes. We also support ``password`` as a parameter. As of version 2.1, you can also specify custom keys for hosts via SSH config file. A sample SSH config is shown below: -.. code-block:: ssh-config +.. code-block:: ini Host st2-ssh-test001 User lakshmi
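Review bot: the blank line added in the `@@ -118,6 +118,7 @@` hunk is what makes the directive render, but the block body still has `$st2 run` with no space after the prompt and a lone `.` line that looks like leftover from copying the output; both should be cleaned up in the same change. Because the block mixes a shell prompt with YAML-style output, `console` or `text` describes it better than `bash`.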
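Review bot: in the two `ssh-config` to `ini` hunks of the last patch, `ini` is only an approximation; pygments' ini lexer expects `key = value` pairs, and if a future ssh_config line makes it emit error tokens Sphinx will warn "Could not lex literal_block" and drop highlighting for the block. If the goal is just a build without warnings, `text` guarantees that; if highlighting is wanted, add a short comment in the commit message or the rst source explaining that `ini` is a stand-in so nobody "fixes" it back to `ssh-config` later.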