[SAC] ssh config to connect to LXC containers

I've spent some time figuring this out, so here it is, for sharing:
what I put in my .ssh/config file:

  Host osgeo-secure
    User root
    Hostname 10.88.1.204
    ProxyCommand ssh tech_dev@osgeo7.osgeo.osuosl.org -p 2222 -W %h:%p

With the above, I can use ssh based commands by just referencing
the "osgeo-secure" host, like:

  ssh osgeo-secure

Note that the above configuration is based on hard-coded IP
for the "secure" machine, this is not good I suppose, as we
might not have static IPs assigned to LXC containers.

Also, the above only works when sshd is running in the container
(it is the case for the "new-secure" container).

If you have suggestions to improve the configuration (maybe using
also a wildcard for "osgeo-vm-*") I'd love to read about it.

It would be useful to have such instructions in a SAC member handbook
somewhere...

--strk;

  () Free GIS & Flash consultant/developer
  /\ https://strk.kbt.io/services.html

Why aren't you going thru download (port 22)?

Download container can see new-secure fine since all the containers are on
the same network.
It's just the host that is on a different network, and I don't really think
we want people going thru via the host.

-----Original Message-----
From: strk@kbt.io [mailto:strk@kbt.io]
Sent: Wednesday, June 5, 2019 6:39 AM
To: sac@lists.osgeo.org
Cc: Regina Obe <lr@pcorp.us>; Chris Giorgi <chrisgiorgi@gmail.com>
Subject: ssh config to connect to LXC containers


On Wed, Jun 05, 2019 at 11:46:09AM -0400, Regina Obe wrote:

Why aren't you going thru download (port 22)?

Download container can see new-secure fine since all the containers are on
the same network.
It's just the host that is on a different network, and I don't really think
we want people going thru via the host.

Uhm, why don't we want people to go thru the host?

If a container ("download") goes down for any reason we cannot reach
other running containers anymore, by using that container as a "jump
host". Also it doesn't sound "clean" to use a "download" container
for this work. If there's a good reason not to use the host should
we maybe have an on-purpose "jump.osgeo.org"?

--strk;

On 6/5/19 22:39, Sandro Santilli wrote:


Yes, an intermediate host was the long term plan. Download was used
initially, and because it required port 22 it became the de facto
intermediate. The "jump" host will need its own external IP address.

SAC people can always remote to the host (on 2222), but non-SAC people
given access to various containers should not be able to remote to the
host directly.

-Alex

On Wed, Jun 05, 2019 at 11:46:09AM -0400, Regina Obe wrote:

Why aren't you going thru download (port 22)?

I've just set up my way into download (although I don't fully like it),
but:

Download container can see new-secure fine since all the containers are on
the same network.

It's just the host that is on a different network, and I don't really think
we want people going thru via the host.

This is not a matter of being or not on the same network, but rather
the ability to resolve a name. Not sure I agree about the policy of
not going thru the host but will accept it :)

The .ssh/config entry reduced to this:

  Host *.lxd
    User root
    ProxyCommand ssh download.osgeo.org -W %h:%p

I'd still like to have an "osgeo-lxd-" prefix to the hostname to be
used by `ssh <hostnamehere>`, in case you have suggestions I'm happy
to hear them :)

--strk;

On Fri, Jun 07, 2019 at 04:43:55PM +0200, Sandro Santilli wrote:

I'd still like to have an "osgeo-lxd-" prefix to the hostname to be
used by `ssh <hostnamehere>`, in case you have suggestions I'm happy
to hear them :)

Found:

  Host osgeo-*
    ProxyCommand ssh download.osgeo.org -W $(sed -e "s/^osgeo-//" <<< "%h"):%p

With the above entry I can, for example:

  ssh root@osgeo-secure
  ssh osgeo-grass

Where should I write this hint?

--strk;
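The configs in this thread all rely on `-W %h:%p` (stdio forwarding), which is the right primitive for a jump host: the container session is encrypted end to end, the intermediate never sees plaintext and never needs your private key or a forwarded agent. Two practical caveats with the last `Host osgeo-*` entry: `ProxyCommand` is run by your login shell, so the bash/zsh `<<<` here-string breaks if that shell is `sh`/dash, and the first variant with a hard-coded `Hostname 10.88.1.204` keys `known_hosts` on an address that may change when a container is rebuilt. The script below is an added example, not from the thread or the OSGeo SAC tooling: instead of rewriting `%h` with `sed`, it generates one explicit entry per container using `ProxyJump` (OpenSSH 7.3+; the `-W` form is equivalent on older clients) and `HostKeyAlias`, and validates the alias before it ever reaches a config line. It assumes the jump host is `download.osgeo.org` on port 22, that containers resolve as `<name>.lxd` from there, and that the alias prefix is `osgeo-`, all of which are assumptions taken from the thread, not verified facts about the infrastructure.

```shell
#!/bin/sh
# Added example (not from the original thread): generate per-container
# ssh_config entries instead of rewriting %h with sed inside ProxyCommand.
# Assumptions, taken from the thread and not verified: the jump host is
# reached as download.osgeo.org on port 22, containers resolve as
# "<name>.lxd" from the jump host, and aliases are prefixed "osgeo-".

JUMP_HOST="download.osgeo.org"
ALIAS_PREFIX="osgeo-"
CONTAINER_DOMAIN="lxd"

# Map an alias such as "osgeo-secure" to the name the jump host resolves,
# "secure.lxd". Anything that is not a plain DNS label is rejected, so a
# stray shell metacharacter can never end up on a ProxyCommand line.
lxd_target() {
    host_alias="$1"
    case "$host_alias" in
        "$ALIAS_PREFIX"*) ;;
        *) echo "lxd_target: alias must start with $ALIAS_PREFIX" >&2; return 1 ;;
    esac
    name="${host_alias#$ALIAS_PREFIX}"
    case "$name" in
        ''|*[!A-Za-z0-9-]*)
            echo "lxd_target: bad container name: $name" >&2; return 1 ;;
    esac
    printf '%s.%s\n' "$name" "$CONTAINER_DOMAIN"
}

# Print one ssh_config block for the given alias.
ssh_config_entry() {
    target="$(lxd_target "$1")" || return 1
    cat <<EOF
Host $1
    Hostname $target
    User root
    # stdio forwarding through the jump host: the session is encrypted
    # end to end, the jump host sees no plaintext and needs no keys.
    # On OpenSSH < 7.3 use: ProxyCommand ssh -W %h:%p $JUMP_HOST
    ProxyJump $JUMP_HOST
    # key known_hosts on the alias so the entry survives a container
    # being rebuilt with a different address
    HostKeyAlias $1
EOF
}

# Emit entries for every container name given as an argument.
gen_ssh_config() {
    for name in "$@"; do
        ssh_config_entry "${ALIAS_PREFIX}${name}" || return 1
    done
}

# Usage: ./gen-lxd-ssh-config.sh secure grass >> ~/.ssh/config
if [ "$#" -gt 0 ]; then
    gen_ssh_config "$@"
fi
```

After appending the output, `ssh -G osgeo-secure` prints the resolved settings and is the quickest way to confirm that `hostname`, `proxyjump` and `hostkeyalias` came out as intended before connecting.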