#bastion (2019-03)

https://github.com/cloudposse/bastion

Discuss cloudposse/bastion

2019-03-20

Tim Malone avatar
Tim Malone
11:11:48 PM

@Tim Malone has joined the channel

2019-03-19

xluffy avatar
xluffy
03:37:44 PM

@xluffy has joined the channel

2019-03-18

Mike Nock avatar
Mike Nock
06:53:26 PM

@Mike Nock has joined the channel

2019-03-15

Leo Starcevic avatar
Leo Starcevic
10:27:10 AM

@Leo Starcevic has joined the channel

Leo Starcevic avatar
Leo Starcevic

Hey guys!! Awesome work with the bastion container, but I have one issue, when building the image myself it won’t run, I get

Initializing ssh-audit
- Enabling SSH Audit Logs
Password: chsh: PAM: Authentication token manipulation error
FATAL: Failed to initializeInitializing ssh-audit
- Enabling SSH Audit Logs
Password: chsh: PAM: Authentication token manipulation error
FATAL: Failed to initialize

Using the image from docker hub works fine though, any idea what could be wrong?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Hrmmm… not sure off the top of my head

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Seems to be passwd related which is why the chsh error is emitted

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Where are you running the container?

Leo Starcevic avatar
Leo Starcevic

aws, but I tried locally on my ubuntu machine as well, same error

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

How are you invoking it?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

When you use our version, how are you referencing the image? With a release tag or latest?

Leo Starcevic avatar
Leo Starcevic
docker run -p 1234:22 -d --name bastion \
     -e MFA_PROVIDER=google-authenticator \
     -v ~/.ssh/authorized_keys:/root/.ssh/authorized_keys \
     bastion
Leo Starcevic avatar
Leo Starcevic

bastion is the one I built, cloudposse/bastion works fine though

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Can you confirm it still works if you pin to the latest release?

Leo Starcevic avatar
Leo Starcevic

what do you mean? that is the latest?!

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

My concern is “latest” might be stale or something… maybe Travis didn’t tag latest

Leo Starcevic avatar
Leo Starcevic

ah ok, so cloudposse/bastion:0.4.4-228 ?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Though I think without the -228

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

It’s been a while since I looked at Travis for that project

Leo Starcevic avatar
Leo Starcevic

0.4.4 from docker hub works fine as well

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Ok very odd indeed

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

I am afk, but will test when I get to the office

Leo Starcevic avatar
Leo Starcevic

could it be something gets a later version when I run the docker build today, 0.4.4 was built like a month ago

Leo Starcevic avatar
Leo Starcevic

thanks, no rush!

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Possibly - we try to pin most things down to a version

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

But not down to the package level

2019-03-11

Juan Cruz Diaz avatar
Juan Cruz Diaz
03:10:25 PM

@Juan Cruz Diaz has joined the channel

2019-03-06

monsoon.anmol.nagpal avatar
monsoon.anmol.nagpal
11:25:29 AM

@monsoon.anmol.nagpal has joined the channel

2019-03-04

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
04:05:28 PM

@Erik Osterman (Cloud Posse) has joined the channel

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
04:05:28 PM

@Erik Osterman (Cloud Posse) set the channel purpose: Discuss cloudposse/bastion

hairyhenderson avatar
hairyhenderson
04:05:35 PM

@hairyhenderson has joined the channel

hairyhenderson avatar
hairyhenderson

w00t

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

What’s your challenge?

hairyhenderson avatar
hairyhenderson

so I’m having a lot less trouble than I was

hairyhenderson avatar
hairyhenderson

the helm chart is… rusty

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Haha yes

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

We are using teleport with our customers now

hairyhenderson avatar
hairyhenderson

oh really!

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

But we maybe able to address/fix problems in bastion

hairyhenderson avatar
hairyhenderson

I’d looked at that, but bastion seems so much simpler

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
04:07:44 PM

@Andriy Knysh (Cloud Posse) has joined the channel

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Yes teleport is much more complicated, but also more feature rich

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Bastion is quite simple by comparison

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

How far did you get and what’s the current problem?

hairyhenderson avatar
hairyhenderson

sec - got pulled into a call

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

No worries! Just post back here when you are free. I will also be jumping on a call shortly.

hairyhenderson avatar
hairyhenderson

ok so… the initial problem was I was constantly getting Connection closed by authenticating user hairyhenderson 127.0.0.1 port 49698 [preauth] errors, and I couldn’t see github-authorized-keys being called, but it turns out the commented-out env vars in the values.yaml aren’t all the default values - specifically SSH_AUTHORIZED_KEYS_COMMAND: "/usr/bin/github-authorized-keys" is super-important to uncomment

hairyhenderson avatar
hairyhenderson

I’ll probably issue a PR with a bunch of updates once I’m through the learning curve

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Certainly - we’ll get that approved quickly

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

ping me here, if you’re blocked

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

the helm chart was a bit complicated as I recall due to the need for initializing a shared volume in /etc/ and running github-authorized-keys as a sidecar

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
05:12:55 PM

@Erik Osterman (Cloud Posse) set the channel topic: https://github.com/cloudposse/bastion

pecigonzalo avatar
pecigonzalo
05:30:41 PM

@pecigonzalo has joined the channel

tamsky avatar
tamsky
09:58:32 PM

@tamsky has joined the channel

    keyboard_arrow_up