Details
-
Type:
Bug
-
Status:
Closed
-
Priority:
Trivial
-
Resolution: Fixed
-
Affects Version/s: None
-
Fix Version/s: 0.5.8
-
Component/s: None
-
Labels:None
-
Triage Status:Triaged
Description
I noticed this when trying to launch serverB from an EC2 instance, serverA
The Problem:
-Allow port 22 access to security group for the security group (by default, instances in the same security group can't access each other, this allows them to)
-Group policy matches only the internal IP address.
-By trying to connect to the public_ip_address, the tcp connection egresses outside the firewall and then ingresses back so the security group sees serverA's public IP address and disallows access.
-Workaround, you can add serverA's public IP address to have access to port 22 in security group.
-However this is suboptimal because it causes excess management of security group acls
Proposed Solution:
-Have test_tcp_ssh method connect to the server.dns_name which because of trick in how Amazon resolves dns inside of ec2 will resolve to the private IP address
-This allows for the group policy to match and allows access
-This also allows instances launched by knife from a non-EC2 box to resolve to the public_ip_address
The bootstrap code already uses the server.dns_name so I propose the test_tcp_ssh method use the same.
This trivial change is located here,
https://github.com/butlern/knife-ec2/branches/ssh_test
I've initiated a pull request to opscode/knife-ec2 already.
Thanks,
Nate
Per my pull request (https://github.com/opscode/knife-ec2/pull/6), Brian instructed me to create a ticket.
I've implemented the proposed solution here:
https://github.com/butlern/knife-ec2/tree/ssh_test