Name                         Date         Size     #Lines  LOC
..                           19-Feb-2019  -
aws/                         19-Feb-2019  -        50      43
azure/                       19-Feb-2019  -        62      54
gcp/                         19-Feb-2019  -        48      41
openstack/                   19-Feb-2019  -        52      45
vsphere/                     19-Feb-2019  -        54      47
.gitignore                   19-Feb-2019  7        2       1
README.md                    19-Feb-2019  2.3 KiB  80      57
jumpbox.yml                  19-Feb-2019  1.3 KiB  65      58
no-external-ip-registry.yml  19-Feb-2019  273      11      8
no-external-ip.yml           19-Feb-2019  191      7       5
test.sh                      19-Feb-2019  2 KiB    92      80

README.md

# jumpbox-deployment

Deploys a single vanilla jumpbox machine. Works well with BOSH CLI SOCKS5 proxying.

IMPORTANT: Make sure to configure the security group to allow only necessary traffic! Better yet, drop all incoming traffic when the jumpbox is not being used.

## Planned

- Apply an iptables rule to block all incoming traffic
  - in addition to relying on the IaaS security group configuration
- Stop all software aside from SSH after the deploy is finished
- Add `--vars-store /dev/null` CLI support?

## Example on AWS

Requires [BOSH CLI v0.0.146 or newer](https://github.com/cloudfoundry/bosh-cli).

```
$ git clone https://github.com/cloudfoundry/jumpbox-deployment ~/jumpbox-deployment

$ mkdir -p ~/deployments/jumpbox-1

$ cd ~/deployments/jumpbox-1

# Deploy a jumpbox -- ./creds.yml is generated automatically
$ bosh create-env ~/jumpbox-deployment/jumpbox.yml \
  --state ./state.json \
  -o ~/jumpbox-deployment/aws/cpi.yml \
  --vars-store ./creds.yml \
  -v access_key_id=... \
  -v secret_access_key=... \
  -v region=us-east-1 \
  -v az=us-east-1b \
  -v default_key_name=jumpbox \
  -v default_security_groups=[jumpbox] \
  -v subnet_id=subnet-... \
  -v internal_cidr=10.0.0.0/24 \
  -v internal_gw=10.0.0.1 \
  -v internal_ip=10.0.0.5 \
  -v external_ip=... \
  --var-file private_key=...

# Currently, none of the generated credentials need to be persisted
# (possibly except for the generated SSH private key)
$ rm ./creds.yml
```

The command above requires only two ports to be open:

```
Type            Protocol Port Range  Source          Purpose
SSH             TCP      22          <BOSH CLI's IP> SSH for bootstrapping & final access
Custom TCP Rule TCP      6868        <BOSH CLI's IP> Agent for bootstrapping
```

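One way to carry out the first "Planned" item (an iptables rule on the jumpbox itself, in addition to the IaaS security group), as an added example that is not part of jumpbox-deployment: a POSIX shell script that renders an iptables-restore ruleset mirroring the two-port table above, dropping all inbound traffic except SSH from the BOSH CLI's address and, only while `create-env` is running, the agent port 6868 from that same address. The function names are my own and the `203.0.113.10/32` address in the usage comment is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not part of jumpbox-deployment: render an iptables-restore
# ruleset that drops everything inbound except the two ports the README's
# security group table needs, and only from the operator's address.

# Small sanity check for an IPv4 address or /CIDR source, so a typo does not
# silently open SSH to an unintended source. Returns 0 if plausible, 1 if not.
valid_source() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Print an iptables-restore file on stdout.
#   $1 = source allowed to reach the jumpbox (the BOSH CLI's address)
#   $2 = "1" to keep the BOSH agent port 6868 open while create-env runs,
#        anything else to leave only SSH (what you want once deploy finished)
jumpbox_ruleset() {
    src="$1"
    bootstrap="$2"
    valid_source "$src" || return 1
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and replies to the jumpbox's own outbound connections
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# SSH for bootstrapping and final access, only from the operator's address
-A INPUT -p tcp --dport 22 -s $src -m conntrack --ctstate NEW -j ACCEPT
EOF
    if [ "$bootstrap" = "1" ]; then
        echo "# BOSH agent, needed only while create-env is running"
        echo "-A INPUT -p tcp --dport 6868 -s $src -m conntrack --ctstate NEW -j ACCEPT"
    fi
    echo "COMMIT"
}

# Count the rules that accept NEW inbound connections in a ruleset read from
# stdin, so the rendered file can be checked against the expected exposure
# (2 during bootstrap, 1 afterwards).
count_inbound_accepts() {
    grep -c -- '--ctstate NEW -j ACCEPT'
}

# Usage on the jumpbox (constructed operator address):
#   jumpbox_ruleset 203.0.113.10/32 1 > /tmp/jumpbox-rules.v4
#   sudo iptables-restore < /tmp/jumpbox-rules.v4
# After create-env completes, re-render with "0" instead of "1" and apply
# again so only SSH remains reachable.
```

The ruleset is rendered to a file rather than applied directly so it can be reviewed, diffed and versioned before `iptables-restore` loads it; the default `INPUT DROP` policy means a rule that fails to render leaves the host closed rather than open.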
## SSH into jumpbox

By default, a `jumpbox` user is added via the `user_add` job, and a unique SSH private key is generated for it.

```
$ bosh int ./creds.yml --path /jumpbox_ssh/private_key > jumpbox.key && chmod 600 jumpbox.key

$ ssh jumpbox@... -i jumpbox.key
```

## Consider using SOCKS5 proxying

Instead of running the CLI *from* the jumpbox VM, you can use the VM as a SOCKS5 proxy.

```
# Start a SOCKS5 proxy on your machine
$ ssh -N -D 9999 jumpbox@... -i jumpbox.key -f

# Let the CLI know about it
$ export BOSH_ALL_PROXY=socks5://localhost:9999

# Access the Director *through* the jumpbox (instead of being on the jumpbox)
$ bosh -e bosh-1 env
```

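An added helper, not part of jumpbox-deployment, that wraps the key-extraction and proxy steps from the two sections above in shell functions: it refuses a private key whose file mode lets other users read it, validates the local port before building the `BOSH_ALL_PROXY` value, and starts ssh as a ControlMaster so the tunnel can be closed explicitly when you are done (the README's advice to cut off the jumpbox while it is not in use applies to the tunnel as well). The function names are my own, and the jumpbox address, key path and port in the usage comment are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of jumpbox-deployment: manage the SOCKS5 tunnel to
# the jumpbox so it can be started and stopped by name.

# Return 0 only if the key file is readable by its owner alone (600 or 400).
# ssh itself rejects world-readable keys, but checking first gives a clearer
# error and catches a forgotten `chmod 600 jumpbox.key`.
key_mode_ok() {
    # GNU stat first, BSD/macOS stat as fallback
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null)
    case "$mode" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# Build the BOSH_ALL_PROXY value for a local port; rejects non-numeric input
# and privileged or out-of-range ports.
proxy_url() {
    port="$1"
    case "$port" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$port" -ge 1024 ] && [ "$port" -le 65535 ] || return 1
    echo "socks5://localhost:$port"
}

# Control socket path used to address the background ssh session later.
control_socket() {
    echo "${HOME}/.ssh/jumpbox-$1.sock"
}

# Start the proxy in the background as a ControlMaster.
#   $1 = jumpbox address, $2 = private key file, $3 = local SOCKS port
# Prints the export line to paste into the shell that runs the BOSH CLI.
jumpbox_proxy_start() {
    host="$1"; key="$2"; port="$3"
    key_mode_ok "$key" || { echo "refusing key $key: mode must be 600" >&2; return 1; }
    url=$(proxy_url "$port") || { echo "bad local port: $port" >&2; return 1; }
    # ExitOnForwardFailure makes ssh fail loudly if the port is already taken
    ssh -f -N -M -S "$(control_socket "$port")" -D "$port" \
        -o ExitOnForwardFailure=yes -i "$key" "jumpbox@$host"
    echo "export BOSH_ALL_PROXY=$url"
}

# Stop the proxy started on a given local port.
#   $1 = jumpbox address, $2 = local SOCKS port
jumpbox_proxy_stop() {
    host="$1"; port="$2"
    ssh -S "$(control_socket "$port")" -O exit "jumpbox@$host"
}

# Usage (constructed address, key path and port):
#   eval "$(jumpbox_proxy_start 203.0.113.20 ./jumpbox.key 9999)"
#   bosh -e bosh-1 env
#   jumpbox_proxy_stop 203.0.113.20 9999
```

Using a control socket instead of a bare `ssh -f` means the tunnel has a handle: `jumpbox_proxy_stop` tears it down deterministically, so an operator does not leave a forgotten background proxy into the jumpbox running after the session ends.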