nubisproject / nubis-jumphost Goto Github PK
View Code? Open in Web Editor NEWCreates an ec2 instance that serves as a jumphost
License: Mozilla Public License 2.0
nubis-jumphost's People
Contributors
Stargazers
Watchers
nubis-jumphost's Issues
Get rid of CloudFormation in startup scripts
use the new EC2 Role argument instead of IAMInstanceProfile
SubnetLocation should probably default to public or be removed entirely
Starting up a jumphost in the private subnet doesn't make much sense, as it
will never be reacheable.
Install packages a build time not boot time
In cloud-init.s a package is installed. This causes it to be installed (and have package dependencies evaluated) on boot. This needs to be moved to be installed at instance build time.
Add StacksVersion to lambda calls, to allow for graceful forward upgrades
See Nubisproject/stacks#172
Tag release
Tag a release of the nubis-jumphost repository for the release of the Nubis project.
Tag v1.4.0 release
Tag a release of the nubis-jumphost repository for the v1.4.0 release of the Nubis project.
[consul] Expose ssh/jumphost service
Bump StacksVersion in parameters.json-dist
Needs to be bumped to v1.0.0
Use the Credstash Policy to be able to discover the Platform Consul ACL token
Tag v1.0.0 release
Create a terraform module
Add security group for ssh
Now that SSH access is restricted by nubis-stcks/96 we need a custom security group to allow inbound ssh access to the jumphosts.
Update stack url to new location
https://github.com/Nubisproject/nubis-jumphost/blob/master/nubis/cloudformation/main.json#L103
Still pointing to the old location, should be using nubis-stacks instead
Disable detailled monitoring
Should pin StackVersion to a known version (v0.9.0) as master is unstable
Consider using nubis-terraform/worker for jumphost
We already have it as a module perhaps we should consider using that to create a worker node.
[improvement] publish ssh host keys in DNS
Could add a layer of verifiable security
Tag v1.2.2 release
Tag a release of the nubis-jumphost repository for the v1.2.2 release of the Nubis project.
Update purpose
Right now it says "Web server" we should change that
IAM policy too broad
Over at line: https://github.com/Nubisproject/nubis-jumphost/blob/master/nubis/cloudformation/main.json#L203
We shouldn't be using * instead we should be a little bit more specific and use the stackname or something
Include fail2ban for increased SSH security
Sounds like a simple thing to do with the help of https://github.com/dhoppe/puppet-fail2ban
Look at user-data for our EIP as well
Tag v1.3.0 release
Tag a release of the nubis-jumphost repository for the v1.3.0 release of the Nubis project.
Tag v1.2.1 release
Tag a release of the nubis-jumphost repository for the v1.2.1 release of the Nubis project.
Use eip stack
We should be using the eip nested stack since we have support for that now
Hardcoded A record
https://github.com/Nubisproject/nubis-jumphost/blob/master/nubis/cloudformation/main.json#L241
We should use the service name there instead
Add an MPL LICENSE file
Cleanup cruft
Update parameters.json-dist
parameters.json-dist file is using an old parameter, should update it to reflect the current parameter. The parameter that I'm referring to is SSHKeyName
Start the v1.0.2-dev train
Remove elb from nubis-jumphost
Now that PR tinnightcap/nubis-stacks@596d5e7 is merged we should remove the ELB stack from our cloudformation template
Tag v1.2.3 release
Tag a release of the nubis-jumphost repository for the v1.2.3 release of the Nubis project.
Tag v1.1.0 release
Tag v1.1.0 release
Tag a release of the nubis-jumphost repository for the v1.1.0 release of the Nubis project.
[centos] Support CentOS as a possible platform
Tag v1.2.0 release
Tag a release of the nubis-jumphost repository for the v1.2.0 release of the Nubis project.
Discover our EIP via CF DescribeStacks instead of Consul, so we can deploy jumphosts
successfully without Consul
Before we peek at the CF Outputs, we need to make sure the stack is done
churning. Otherwise, we don't have access to its outputs.
So right now, this is a timing problem when launching a new jumphost stack,
as we usually boot faster than it takes to complete creating the Route53
record...
Simple fix is to just inspect the status of our stack and loop around until its
in a state we can get outputs from it.
migrate: ERROR: Unable to associate elastic IP
Stumbled on a jumphost that had failed to acquire it's EIP just now
Nov 16 18:39:24 ip-10-164-34-4 migrate: ERROR: Unable to associate elastic IP eipalloc-50a12837 to instance i-0b74f9202fd4e65c2
Nov 16 18:39:24 ip-10-164-34-4 nubis-startup: /etc/nubis.d/migrate:
Nov 16 18:39:24 ip-10-164-34-4 nubis-startup: migrate: ERROR: Unable to associate elastic IP eipalloc-50a12837 to instance i-0b74f9202fd4e65c2
Default subnet location should be public
It's private ATM, which is a wrong default value
#bastionsshkeys - bastion host ssh keys are managed manually
Imported from risk record
Bastion host ssh keys are managed manually
Management of SSH keys on bastion hosts is done manually. NetOps manually adds the dev automation team members ssh keys to the bastion hosts. The dev automation team then manually puts other users' ssh keys onto the bastion hosts.
https://wiki.mozilla.org/Security/Fundamentals#decentralized-user-account-management
Recommendation
Establish centralized configuration management control of user accounts on bastion hosts
Proposed mitigation from Nubis team
Bastion hosts will be temporary for 3 of the first 4 apps (bugzilla remaining as the devs need access) - Manual process for account management (ssh keys) will be documented at: https://github.com/Nubisproject/nubis-jumphost/blob/master/ssh-keys.md
Convert over to using nubis::eip puppet module
Using wrong lambda function
We should be using the LookupNestedStackOutput lambda function
Update DNS naming to match existing convention
...nubis.allizom.org
Userdata input bubbling up
In order to drive user management for the jumphost we need to inject some user data into the node which will then allow puppet to look at consul and then generate a template for confd
Include puppet augeasproviders_ssh module
Include this module so that we can manage sshd configs
https://forge.puppetlabs.com/herculesteam/augeasproviders_ssh
Tag v1.0.1 release
Tag a release of the nubis-jumphost repository for the v1.0.1 release of the Nubis project.
[ssh] Persist ssh host-key across instances
This way, we'd avoid the ssh warnings
consul-get-or-set could come in handy here
Install duo and configure via confd
Need to get duo_unix package installed on the jumphost and have it configured via confd
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google โค๏ธ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.