Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add support for SSH jump hosts #1162

Closed
wants to merge 1 commit into from
Closed

Conversation

Nekroze
Copy link

@Nekroze Nekroze commented Jun 10, 2019

Adds a new option deployment.jumpHost that can be used with any backend to tunnel SSH connections through a bastion/jump host. Tested with the newly created example network using libvirtd backend.

Also fixes a bug I encountered in ssh_util.py where the flags from MachineState.get_ssh_flag where included twice.

Closes #1150

@Nekroze
Copy link
Author

Nekroze commented Jun 17, 2019

Seems there might still be some issues with this in more realistic deployments. Waiting for SSH when bootstrapping or rebooting a machine will always fail as it tries TCP checks on the hosts SSH interface which may be private. Additionally it seems when deploying the new deployment.jumpHost value is evaluated before the machines physical attributes (as shown by nixops show-physical and includes things you need like networking.publicIPv4) so it cannot construct a dynamic jump host target.

@Nekroze
Copy link
Author

Nekroze commented Jun 30, 2019

Anyone know how I might be able to get deployment.jumpHost to evaluate earlier so it is not empty/default when nixops evaluates it. It appears to only get evaluated at the moment when the machine profile itself is being built.

@shmish111
Copy link

@Nekroze did you manage to get any further with this? I have infrastructure built with terraform, would your current changes work in that scenario?

@Nekroze
Copy link
Author

Nekroze commented Oct 15, 2019

@shmish111 That is one of my primary use cases so I hope so :) Actually that is the one use case that would work so far.

It is the scenario in which the jumpbox is created at the same time as the machines that sit behind it that does not work due to the options not existing that early in the build process.

@grahamc
Copy link
Member

grahamc commented Mar 26, 2020

Hello!

Thank you for this PR.

In the past several months, some major changes have taken place in
NixOps:

  1. Backends have been removed, preferring a plugin-based architecture.
    Here are some of them:

  2. NixOps Core has been updated to be Python 3 only, and at the
    same time, MyPy type hints have been added and are now strictly
    required during CI.

This is all accumulating in to what I hope will be a NixOps 2.0
release
. There is a tracking issue for that:
#1242 . It is possible that
more core changes will be made to NixOps for this release, with a
focus on simplifying NixOps core and making it easier to use and work
on.

My hope is that by adding types and more thorough automated testing,
it will be easier for contributors to make improvements, and for
contributions like this one to merge in the future.

However, because of the major changes, it has become likely that this
PR cannot merge right now as it is. The backlog of now-unmergable PRs
makes it hard to see which ones are being kept up to date.

If you would like to see this merge, please bring it up to date with
master and reopen it
. If the or mypy type checking fails, please
correct any issues and then reopen it. I will be looking primarily at
open PRs whose tests are all green.

Thank you again for the work you've done here, I am sorry to be
closing it now.

Graham

@grahamc grahamc closed this Mar 26, 2020
@Nekroze
Copy link
Author

Nekroze commented Mar 26, 2020

Hello, I have since started utilizing a nix terraform provider to do this instead and have been migrating away from NixOps as it showed its age and fragility especially related to complex AWS deployments.

I still dream about one day replacing Terraform's horrid HCL with Nix though so I am really happy to hear this project is moving forward and hope to get amongst it and where possible contribute to the core or perhaps some of these new plugins which I think is a great idea!

Really excited to see how this progresses now, you have made my day with this news!

@Nekroze Nekroze deleted the jumphost-support branch March 26, 2020 22:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Bastion/Jump host support
3 participants