Update documentation on bastion ssh configs to use the proxycommand values #965

Open
wants to merge 12 commits into
base: master
43 changes: 42 additions & 1 deletion docs/source/troubleshooting/ssh.rst
Expand Up @@ -85,7 +85,48 @@ runner boxes, and add the following configuration lines in ``/etc/st2/st2.conf``

[ssh_runner]
use_ssh_config = True
ssh_config_file_path = /home/stanley/.ssh/config
ssh_config_file_path = /root/.ssh/config

Make sure your ssh config is in the same account as user running the st2action process. If root is running
Member

We may wish to point out that for many users this will be Stanley. CC @armab

Author

I was testing against the docker-stackstorm checkout... if prod is running the daemon then changing the owner for all files to stanley makes sense. You may want to still include that the docker all in run runs as root or keep it running as the staction command owner.

st2actions install it there. Make sure the config and identity files have proper permissions and ownership.

.. code-block:: bash

chown -R root:root /root/.ssh/*
chmod 600 /root/.ssh/config
chmod 600 /root/.ssh/id_rsa

This is a sample ssh config that is known to work with bastion forwarding.
cognifloyd marked this conversation as resolved.

.. code-block:: ini
Contributor

GitHub's Linguist project supports syntax highlighting for SSH (client) configs, but you have to mark it as ssh-config:

Suggested change
.. code-block:: ini
.. code-block:: ssh-config

SSH (client) config coloring screenshot

And while you are at it, could you also fix this for line 160?

Leave line 84 alone though, since /etc/st2/st2.conf is just an INI file and is correctly marked as such. 👍

Member

I just pushed a fix for this.

Member

Ah. We can't use ssh-config because this Sphinx uses pygments, not GitHub's linguist. So ini is the way to go.


Host 10.1.*
ProxyCommand ssh -o StrictHostKeyChecking=no bastion nc %h %p
IdentityFile ~/.ssh/id_rsa
User stanley

Host bastion
Hostname bastion.example.com
IdentityFile ~/.ssh/id_rsa
User stanley

Example output of a successful setup that does not require the bastion_host parameter.

.. code-block:: bash
$st2 run core.remote cmd=whoami hosts=10.1.1.2
.
id: 5e668e4a811a07014b1c48bd
status: succeeded
parameters:
cmd: whoami
hosts: 10.1.1.2:
result:
10.1.1.2:
failed: false
return_code: 0
stderr: ''
stdout: stanley
succeeded: true

We do not recommend running actions as arbitrary user + private_key combinations. This
would require you to setup private_key for the users on |st2| action runner boxes and
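
Review bot: The sample ProxyCommand passes "-o StrictHostKeyChecking=no" on the hop to the bastion, so the bastion's host key is never verified, and because the text presents this as a known-good config to copy, every action run through it would accept an impostor bastion. Drop the option and tell the reader to add the bastion's key to the known_hosts of the account running the action runner first (or use StrictHostKeyChecking=accept-new if trust on first use is acceptable). On OpenSSH versions that support it, "ProxyJump bastion" or "ProxyCommand ssh -W %h:%p bastion" would also remove the dependency on nc being installed on the bastion. Smaller points: "chown -R root:root /root/.ssh/*" does not touch the /root/.ssh directory itself, so its owner and mode should be stated as well; the sentence beginning "Make sure your ssh config" says st2action where its continuation says st2actions; and in the example output "$st2 run" is missing a space after the prompt and "hosts: 10.1.1.2:" carries a trailing colon.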