nubisproject / nubis-jumphost
Creates an EC2 instance that serves as a jumphost
License: Mozilla Public License 2.0
Starting up a jumphost in the private subnet doesn't make much sense, as it will never be reachable.
In cloud-init.s a package is installed. This causes it to be installed (and have package dependencies evaluated) on boot. This needs to be moved to be installed at instance build time.
See Nubisproject/stacks#172
Tag a release of the nubis-jumphost repository for the release of the Nubis project.
Tag a release of the nubis-jumphost repository for the v1.4.0 release of the Nubis project.
Needs to be bumped to v1.0.0
Now that SSH access is restricted by nubis-stacks/96 we need a custom security group to allow inbound SSH access to the jumphosts.
https://github.com/Nubisproject/nubis-jumphost/blob/master/nubis/cloudformation/main.json#L103
Still pointing to the old location, should be using nubis-stacks instead
We already have it as a module; perhaps we should consider using that to create a worker node.
Could add a layer of verifiable security
Tag a release of the nubis-jumphost repository for the v1.2.2 release of the Nubis project.
Right now it says "Web server"; we should change that
Over at line: https://github.com/Nubisproject/nubis-jumphost/blob/master/nubis/cloudformation/main.json#L203
We shouldn't be using *; instead we should be a little bit more specific and use the stack name or something
Sounds like a simple thing to do with the help of https://github.com/dhoppe/puppet-fail2ban
Tag a release of the nubis-jumphost repository for the v1.3.0 release of the Nubis project.
Tag a release of the nubis-jumphost repository for the v1.2.1 release of the Nubis project.
We should be using the eip nested stack since we have support for that now
https://github.com/Nubisproject/nubis-jumphost/blob/master/nubis/cloudformation/main.json#L241
We should use the service name there instead
parameters.json-dist file is using an old parameter; it should be updated to reflect the current parameter. The parameter I'm referring to is SSHKeyName
Now that PR tinnightcap/nubis-stacks@596d5e7 is merged we should remove the ELB stack from our cloudformation template
Tag a release of the nubis-jumphost repository for the v1.2.3 release of the Nubis project.
Tag a release of the nubis-jumphost repository for the v1.1.0 release of the Nubis project.
Tag a release of the nubis-jumphost repository for the v1.2.0 release of the Nubis project.
successfully without Consul churning. Otherwise, we don't have access to its outputs.
So right now, this is a timing problem when launching a new jumphost stack, as we usually boot faster than it takes to complete creating the Route53 record...
Simple fix is to just inspect the status of our stack and loop around until it's in a state we can get outputs from it.
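The polling loop the comment above proposes, written out as an added example (this is not code from nubis-jumphost or Nubis). It takes any callable with the shape of boto3's `cloudformation.describe_stacks(StackName=...)` response, so it can be driven by the real client or by the constructed stand-in below; the stack name, output key and the `fake_describe_sequence` helper are assumptions made for illustration. It goes one step beyond the comment by failing fast when the stack lands in a rollback or failed state, instead of looping until the attempt budget runs out.

```python
"""Poll a CloudFormation stack until its Outputs are readable.

Added example, not nubis-jumphost project code. `describe` is assumed to
behave like boto3's cloudformation.describe_stacks: called with
StackName=..., returning {"Stacks": [{"StackStatus": ..., "Outputs": [...]}]}.
"""
import time

# Statuses in which CloudFormation exposes the stack's Outputs.
# UPDATE_ROLLBACK_COMPLETE still carries the previous version's outputs.
STABLE_OK = {"CREATE_COMPLETE", "UPDATE_COMPLETE", "UPDATE_ROLLBACK_COMPLETE"}

# Terminal statuses after which Outputs will never appear on this launch,
# so waiting any longer only delays the boot failure.
STABLE_FAILED = {
    "CREATE_FAILED", "ROLLBACK_COMPLETE", "ROLLBACK_FAILED",
    "UPDATE_ROLLBACK_FAILED", "DELETE_COMPLETE", "DELETE_FAILED",
}


class StackNotReady(Exception):
    """Raised when outputs cannot be obtained within the attempt budget."""


def wait_for_stack_outputs(describe, stack_name, attempts=30, delay=10,
                           sleep=time.sleep):
    """Return {OutputKey: OutputValue} once `stack_name` settles.

    Polls `describe(StackName=stack_name)` up to `attempts` times, sleeping
    `delay` seconds between polls. Raises StackNotReady on a terminal failure
    status or when the budget is exhausted while the stack is still moving.
    A nonexistent stack is not handled here: boto3 raises ClientError for it.
    """
    last = None
    for _ in range(attempts):
        stack = describe(StackName=stack_name)["Stacks"][0]
        last = stack["StackStatus"]
        if last in STABLE_OK:
            return {o["OutputKey"]: o["OutputValue"]
                    for o in stack.get("Outputs", [])}
        if last in STABLE_FAILED:
            raise StackNotReady(f"{stack_name} is {last}; outputs will not appear")
        sleep(delay)
    raise StackNotReady(f"{stack_name} still {last} after {attempts} polls")


def fake_describe_sequence(statuses, outputs):
    """Constructed stand-in for describe_stacks (assumption, for offline use).

    Returns each status from `statuses` on successive calls, attaching
    `outputs` only once the status is one in STABLE_OK.
    """
    calls = iter(statuses)

    def describe(StackName):
        status = next(calls)
        stack = {"StackName": StackName, "StackStatus": status}
        if status in STABLE_OK:
            stack["Outputs"] = [{"OutputKey": k, "OutputValue": v}
                                for k, v in outputs.items()]
        return {"Stacks": [stack]}

    return describe


if __name__ == "__main__":
    # Real use: describe = boto3.client("cloudformation").describe_stacks
    # Here a constructed sequence models the Route53 record still being built
    # on the first two polls; the stack name and output are made up.
    describe = fake_describe_sequence(
        ["CREATE_IN_PROGRESS", "CREATE_IN_PROGRESS", "CREATE_COMPLETE"],
        {"JumphostAddress": "jumphost.example.invalid"},
    )
    print(wait_for_stack_outputs(describe, "jumphost-demo", delay=0))
```

Keep `attempts * delay` comfortably above the slowest Route53 record creation you have observed, and treat a `StackNotReady` raised for a rollback status as a hard boot error rather than retrying it.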
Stumbled on a jumphost that had failed to acquire its EIP just now
Nov 16 18:39:24 ip-10-164-34-4 migrate: ERROR: Unable to associate elastic IP eipalloc-50a12837 to instance i-0b74f9202fd4e65c2
Nov 16 18:39:24 ip-10-164-34-4 nubis-startup: /etc/nubis.d/migrate:
Nov 16 18:39:24 ip-10-164-34-4 nubis-startup: migrate: ERROR: Unable to associate elastic IP eipalloc-50a12837 to instance i-0b74f9202fd4e65c2
It's private ATM, which is a wrong default value
Bastion host ssh keys are managed manually
Management of SSH keys on bastion hosts is done manually. NetOps manually adds the dev automation team members' SSH keys to the bastion hosts. The dev automation team then manually puts other users' SSH keys onto the bastion hosts.
https://wiki.mozilla.org/Security/Fundamentals#decentralized-user-account-management
Establish centralized configuration management control of user accounts on bastion hosts
Bastion hosts will be temporary for 3 of the first 4 apps (bugzilla remaining as the devs need access) - Manual process for account management (ssh keys) will be documented at: https://github.com/Nubisproject/nubis-jumphost/blob/master/ssh-keys.md
We should be using the LookupNestedStackOutput lambda function
...nubis.allizom.org
In order to drive user management for the jumphost, we need to inject some user data into the node, which will then allow puppet to look at consul and generate a template for confd.
Include this module so that we can manage sshd configs
https://forge.puppetlabs.com/herculesteam/augeasproviders_ssh
Tag a release of the nubis-jumphost repository for the v1.0.1 release of the Nubis project.
This way, we'd avoid the ssh warnings
consul-get-or-set could come in handy here
Need to get duo_unix package installed on the jumphost and have it configured via confd