Update documentation on bastion ssh configs to use the proxycommand values #965
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
|
|
@@ -85,7 +85,48 @@ runner boxes, and add the following configuration lines in ``/etc/st2/st2.conf`` | |||||
|
|
||||||
| [ssh_runner] | ||||||
| use_ssh_config = True | ||||||
| ssh_config_file_path = /root/.ssh/config | ||||||
|
|
||||||
| Make sure your ssh config is in the same account as user running the st2action process. If root is running | ||||||
| st2actions install it there. Make sure the config and identity files have proper permissions and ownership. | ||||||
|
|
||||||
| .. code-block:: bash | ||||||
|
|
||||||
| chown -R root:root /root/.ssh/* | ||||||
| chmod 600 /root/.ssh/config | ||||||
| chmod 600 /root/.ssh/id_rsa | ||||||
|
|
||||||
| This is a sample ssh config that is known to work with bastion forwarding. | ||||||
cognifloyd marked this conversation as resolved.
Show resolved
Hide resolved
|
||||||
|
|
||||||
| .. code-block:: ini | ||||||
|
There was a problem hiding this comment. GitHub's Linguist project supports syntax highlighting for SSH (client) configs, but you have to mark it as
Suggested change
And while you are at it, could you also fix this for line 160? Leave line 84 alone though, since There was a problem hiding this comment. I just pushed a fix for this. There was a problem hiding this comment. Ah. We can't use |
||||||
|
|
||||||
| Host 10.1.* | ||||||
| ProxyCommand ssh -o StrictHostKeyChecking=no bastion nc %h %p | ||||||
| IdentityFile ~/.ssh/id_rsa | ||||||
| User stanley | ||||||
|
|
||||||
| Host bastion | ||||||
| Hostname bastion.example.com | ||||||
| IdentityFile ~/.ssh/id_rsa | ||||||
| User stanley | ||||||
|
|
||||||
| Example output of a successful setup that does not require the bastion_host parameter. | ||||||
|
|
||||||
| .. code-block:: bash | ||||||
| $st2 run core.remote cmd=whoami hosts=10.1.1.2 | ||||||
| . | ||||||
| id: 5e668e4a811a07014b1c48bd | ||||||
| status: succeeded | ||||||
| parameters: | ||||||
| cmd: whoami | ||||||
| hosts: 10.1.1.2: | ||||||
| result: | ||||||
| 10.1.1.2: | ||||||
| failed: false | ||||||
| return_code: 0 | ||||||
| stderr: '' | ||||||
| stdout: stanley | ||||||
| succeeded: true | ||||||
|
|
||||||
| We do not recommend running actions as arbitrary user + private_key combinations. This | ||||||
| would require you to setup private_key for the users on |st2| action runner boxes and | ||||||
|
|
||||||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We may wish to point out that for many users this will be Stanley. CC @armab
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I was testing against the docker-stackstorm checkout... if prod is running the daemon than changing the owner for all files to stanley makes sense. You may want to still include that the docker all in run runs as root or keep it running as the staction command owner.