test_tcp_ssh method in ec2_server_create.rb should test server.dns_name instead of server.public_ip_address

Details

  • Type: Bug Bug
  • Status: Closed Closed
  • Priority: Trivial Trivial
  • Resolution: Fixed
  • Affects Version/s: None
  • Fix Version/s: ec2-0.5.8
  • Component/s: knife-ec2
  • Labels:
    None

Description

I noticed this when trying to launch serverB from an EC2 instance, serverA

The Problem:
-Allow port 22 access to security group for the security group (by default, instances in the same security group can't access each other, this allows them to)
-Group policy matches only the internal IP address.
-By trying to connect to the public_ip_address, the tcp connection egresses outside the firewall and then ingresses back so the security group sees serverA's public IP address and disallows access.
-Workaround, you can add serverA's public IP address to have access to port 22 in security group.
-However this is suboptimal because it causes excess management of security group acls

Proposed Solution:
-Have test_tcp_ssh method connect to the server.dns_name which because of trick in how Amazon resolves dns inside of ec2 will resolve to the private IP address
-This allows for the group policy to match and allows access
-This also allows instances launched by knife from a non-EC2 box to resolve to the public_ip_address

The bootstrap code already uses the server.dns_name so I propose the test_tcp_ssh method use the same.

This trivial change is located here,

https://github.com/butlern/knife-ec2/branches/ssh_test

I've initiated a pull request to opscode/knife-ec2 already.

Thanks,
Nate

Activity

Ascending order - Click to sort in descending order
Hide
Permalink
Nathan Butler added a comment -

Per my pull request (https://github.com/opscode/knife-ec2/pull/6), Brian instructed me to create a ticket.

I've implemented the proposed solution here:

https://github.com/butlern/knife-ec2/tree/ssh_test

Show
Nathan Butler added a comment - Per my pull request ( https://github.com/opscode/knife-ec2/pull/6 ), Brian instructed me to create a ticket. I've implemented the proposed solution here: https://github.com/butlern/knife-ec2/tree/ssh_test
Hide
Permalink
Daniel DeLeo added a comment -

Have you tested this extensively? I seem to remember hearing reports that the internal DNS in EC2 can take some time to converge, so you might not be able to resolve the DNS right away. If this is the case, we'd have to add a rescue clause for SocketError (as in SocketError: getaddrinfo: nodename nor servname provided, or not known).

Thanks.

Show
Daniel DeLeo added a comment - Have you tested this extensively? I seem to remember hearing reports that the internal DNS in EC2 can take some time to converge, so you might not be able to resolve the DNS right away. If this is the case, we'd have to add a rescue clause for SocketError (as in SocketError: getaddrinfo: nodename nor servname provided, or not known ). Thanks.
Hide
Permalink
Nathan Butler added a comment -

That's a good point. I've added that rescue clause to the branch as https://github.com/butlern/knife-ec2/commit/c6b28d6ea96f85e37cd620672b6833d3b625aa81. I've tested launching ec2 instances from both a system outside of EC2 and launching from an instance inside EC2 and they both seem to work. I've also tested when the DNS name does not resolve and the Exception is caught correctly.

Show
Nathan Butler added a comment - That's a good point. I've added that rescue clause to the branch as https://github.com/butlern/knife-ec2/commit/c6b28d6ea96f85e37cd620672b6833d3b625aa81 . I've tested launching ec2 instances from both a system outside of EC2 and launching from an instance inside EC2 and they both seem to work. I've also tested when the DNS name does not resolve and the Exception is caught correctly.
Hide
Permalink
Seth Chisamore added a comment -

Most of this ticket was already fixe...I just merged the extra SocketError fix:
https://github.com/opscode/knife-ec2/commit/a61cd015cc25ed2bc3abfc674f10a8703e5a70e0

Show
Seth Chisamore added a comment - Most of this ticket was already fixe...I just merged the extra SocketError fix: https://github.com/opscode/knife-ec2/commit/a61cd015cc25ed2bc3abfc674f10a8703e5a70e0

People

  • Assignee:
    Seth Chisamore
    Reporter:
    Bryan McLellan [Opscode]
Vote (0)
Watch (1)

Dates

  • Created:
    Updated:
    Resolved: