awslabs / service-workbench-on-aws

A platform that provides researchers with one-click access to collaborative workspace environments operating across teams, universities, and datasets while enabling university IT stakeholders to manage, monitor, and control spending, apply security best practices, and comply with corporate governance.
Apache License 2.0

[Bug] EC2 Linux Bootstrap script installs old version of EC2 instance connect which breaks SSH connections using instance connect #1219

Closed chriswood-cruk closed 1 year ago

chriswood-cruk commented 1 year ago

Describe the bug
When trying to SSH to an EC2 Linux Workspace using the Connections button, you'll get an invalid key error from your SSH client

To Reproduce
Steps to reproduce the behavior:

  1. Create an EC2 Linux Workspace
  2. Attempt to connect via SSH as described in the user guide

Expected behavior
You can SSH to the instance

Versions

Additional context
I think that the problem is in the version installed here, as deploying an instance with the same AMI but without the bootstrap script https://github.com/awslabs/service-workbench-on-aws/blob/343276851d74f9166c537fa5c3d5bce864aec445/main/solution/post-deployment/config/environment-files/bootstrap.sh#L108C88-L108C88
And you can see here that there have been updates based on an OpenSSL update https://github.com/aws/aws-ec2-instance-connect-config/releases
When running the /opt/aws/bin/eic_run_authorized_keys command with the appropriate user and fingerprint I saw what looked like CA errors, which fits in with the changes described here https://github.com/aws/aws-ec2-instance-connect-config/blob/master/debian/changelog

chriswood-cruk commented 1 year ago

I would have submitted a PR, but I couldn't see where the files which are added to the "offline-packages" dir are defined

kpark277 commented 1 year ago

Thank you @chriswood-cruk for bringing this to our attention. We are able to reproduce the issue and are currently working on a fix.

kpark277 commented 1 year ago

Actually, the team did not run into the same issue you had mentioned @chriswood-cruk. When using the connections buttons in the UI, we are not getting an invalid key error from our SSH client and are able to successfully ssh onto the instance. The only ssh error we were able to reproduce was related to the inbound IP on the security group for SSH permissions.

Can you provide any screenshots or logs of your problem?

kpark277 commented 1 year ago

Also can you confirm if you attempted the SSH within one minute of having clicked "Use this SSH Key" in the UI? The key is only valid for one minute after pressing that button for security purposes.

chriswood-cruk commented 1 year ago

Attempting to connect using SWB key:

[screenshot]

➜  ~ ssh -i tmp/chriswood3.pem ec2-user@ec2-3-8-118-108.eu-west-2.compute.amazonaws.com -vvvv
OpenSSH_8.9p1 Ubuntu-3ubuntu0.3, OpenSSL 3.0.2 15 Mar 2022
debug1: Reading configuration data /home/chriswood/.ssh/config
debug3: /home/chriswood/.ssh/config line 6: Including file /home/chriswood/.platformsh/ssh/session.config depth 0 (parse only)
debug1: Reading configuration data /home/chriswood/.platformsh/ssh/session.config
debug3: /home/chriswood/.platformsh/ssh/session.config line 5: Including file /home/chriswood/.platformsh/.session/sess-cli-default/ssh/config depth 1 (parse only)
debug1: Reading configuration data /home/chriswood/.platformsh/.session/sess-cli-default/ssh/config
debug2: checking match for 'host "*.platform.sh" exec "platform ssh-cert:load --refresh-only --yes --quiet 2>/dev/null"' host ec2-3-8-118-108.eu-west-2.compute.amazonaws.com originally ec2-3-8-118-108.eu-west-2.compute.amazonaws.com
debug3: /home/chriswood/.platformsh/.session/sess-cli-default/ssh/config line 2: not matched 'host "ec2-3-8-118-108.eu-west-2.compute.amazonaws.com"'
debug3: /home/chriswood/.platformsh/.session/sess-cli-default/ssh/config line 2: skipped exec "platform ssh-cert:load --refresh-only --yes --quiet 2>/dev/null"
debug2: match not found
debug1: /home/chriswood/.ssh/config line 7: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/home/chriswood/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/home/chriswood/.ssh/known_hosts2'
debug2: resolving "ec2-3-8-118-108.eu-west-2.compute.amazonaws.com" port 22
debug3: resolve_host: lookup ec2-3-8-118-108.eu-west-2.compute.amazonaws.com:22
debug3: ssh_connect_direct: entering
debug1: Connecting to ec2-3-8-118-108.eu-west-2.compute.amazonaws.com [3.8.118.108] port 22.
debug3: set_sock_tos: set socket 3 IP_TOS 0x10
debug1: Connection established.
debug1: identity file tmp/chriswood3.pem type -1
debug1: identity file tmp/chriswood3.pem-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.3
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.7
debug1: compat_banner: match: OpenSSH_8.7 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to ec2-3-8-118-108.eu-west-2.compute.amazonaws.com:22 as 'ec2-user'
debug3: record_hostkey: found key type ED25519 in file /home/chriswood/.ssh/known_hosts:77
debug3: load_hostkeys_file: loaded 1 keys from ec2-3-8-118-108.eu-west-2.compute.amazonaws.com
debug1: load_hostkeys: fopen /home/chriswood/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug3: order_hostkeyalgs: have matching best-preference key type ssh-ed25519-cert-v01@openssh.com, using HostkeyAlgorithms verbatim
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,sntrup761x25519-sha512@openssh.com,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c
debug2: host key algorithms: ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
debug2: host key algorithms: ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
debug2: ciphers stoc: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:hsXiS5csd30dUGrOoRu+fTEPT1ApXtSJe+MkzQqPsOY
debug3: record_hostkey: found key type ED25519 in file /home/chriswood/.ssh/known_hosts:77
debug3: load_hostkeys_file: loaded 1 keys from ec2-3-8-118-108.eu-west-2.compute.amazonaws.com
debug1: load_hostkeys: fopen /home/chriswood/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host 'ec2-3-8-118-108.eu-west-2.compute.amazonaws.com' is known and matches the ED25519 host key.
debug1: Found key in /home/chriswood/.ssh/known_hosts:77
debug3: send packet: type 21
debug2: ssh_set_newkeys: mode 1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: ssh_set_newkeys: mode 0
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: tmp/chriswood3.pem  explicit
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug1: No credentials were supplied, or the credentials were unavailable or inaccessible
No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_1000)

debug1: No credentials were supplied, or the credentials were unavailable or inaccessible
No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_1000)

debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: tmp/chriswood3.pem
debug3: sign_and_send_pubkey: using publickey with RSA SHA256:lGPAlqOmDr7h7G+60j5AD8NnNlNsYqJZiJqPW+ZxnX4
debug3: sign_and_send_pubkey: signing using rsa-sha2-512 SHA256:lGPAlqOmDr7h7G+60j5AD8NnNlNsYqJZiJqPW+ZxnX4
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.

I made a custom workspace type which was the same as the standard ec2-linux, but I've added an SSH key to the instance configuration so I can SSH to the instance not using ec2-instance-connect

addons/addon-base-raas/packages/base-raas-post-deployment/lib/steps/create-service-catalog-portfolio.js

+  {
+    filename: 'ec2-linux-instance-withkey',
+    displayName: 'EC2 Linux With Key',
+    description: `* An EC2 Linux instance with SSH access \n* A Key Pair specified at creation time\n* Secure compute in the cloud`,
+  },

New template diff with standard ec2-linux:

$ diff addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/service-catalog/ec2-linux-instance.cfn.yml addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/service-catalog/ec2-linux-instance-withkey.cfn.yml
53a54,56
>   SshKeyPair:
>     Type: AWS::EC2::KeyPair::KeyName
>     Description: The SSH Key Pair to associate with the instance
219a223
>       KeyName: !Ref SshKeyPair
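Review bot: the SshKeyPair parameter is added without a Default, so every launch of ec2-linux-instance-withkey must supply a key pair name at creation time; that suits a debugging variant, but the product description in the portfolio hunk above ("A Key Pair specified at creation time") is the only place that tells the researcher this, so a one-line note in the parameter's Description that the value is required would help.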

I SSH onto the instance using this keypair, show that eic_run_authorized_keys returns a non-zero exit code using my key fingerprint, and the instance connect version installed:

➜  ~ ssh -i .ssh/aws-lz-testing-chriswood ec2-user@ec2-3-8-118-108.eu-west-2.compute.amazonaws.com
[ec2-user@ip-10-0-20-41 ~]$ sudo /opt/aws/bin/eic_run_authorized_keys ec2-user SHA256:lGPAlqOmDr7h7G+60j5AD8NnNlNsYqJZiJqPW+ZxnX4
[ec2-user@ip-10-0-20-41 ~]$ echo $?
22
[ec2-user@ip-10-0-20-41 ~]$ sudo rpm -qa | grep connect
ec2-instance-connect-selinux-1.1-19.amzn2023.noarch
ec2-instance-connect-1.1-14.amzn2.noarch

Then I upgrade the instance connect version, and I can SSH using the SWB managed keypair, and show that the eic_run_authorized_keys command is now working:

[ec2-user@ip-10-0-20-41 ~]$ sudo yum remove ec2-instance-connect
Dependencies resolved.
============================================================================================================================
 Package                             Architecture          Version                       Repository                    Size
============================================================================================================================
Removing:
 ec2-instance-connect                noarch                1.1-14.amzn2                  @@commandline                 31 k

Transaction Summary
============================================================================================================================
Remove  1 Package

Freed space: 31 k
Is this ok [y/N]: y
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                    1/1
  Running scriptlet: ec2-instance-connect-1.1-14.amzn2.noarch                                                           1/1
  Erasing          : ec2-instance-connect-1.1-14.amzn2.noarch                                                           1/1
  Running scriptlet: ec2-instance-connect-1.1-14.amzn2.noarch                                                           1/1
  Verifying        : ec2-instance-connect-1.1-14.amzn2.noarch                                                           1/1
============================================================================================================================
WARNING:
  A newer release of "Amazon Linux" is available.

  Available Versions:

  Version 2023.1.20230719:
    Run the following command to upgrade to 2023.1.20230719:

      dnf upgrade --releasever=2023.1.20230719

    Release notes:
     https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes.html

  Version 2023.1.20230725:
    Run the following command to upgrade to 2023.1.20230725:

      dnf upgrade --releasever=2023.1.20230725

    Release notes:
     https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes.html

  Version 2023.1.20230809:
    Run the following command to upgrade to 2023.1.20230809:

      dnf upgrade --releasever=2023.1.20230809

    Release notes:
     https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes.html

============================================================================================================================

Removed:
  ec2-instance-connect-1.1-14.amzn2.noarch

Complete!
[ec2-user@ip-10-0-20-41 ~]$ sudo yum install ec2-instance-connect
Last metadata expiration check: 0:12:56 ago on Wed Aug 16 14:15:24 2023.
Dependencies resolved.
============================================================================================================================
 Package                             Architecture          Version                         Repository                  Size
============================================================================================================================
Installing:
 ec2-instance-connect                noarch                1.1-19.amzn2023                 amazonlinux                 22 k

Transaction Summary
============================================================================================================================
Install  1 Package

Total download size: 22 k
Installed size: 23 k
Is this ok [y/N]: y
Downloading Packages:
ec2-instance-connect-1.1-19.amzn2023.noarch.rpm                                             174 kB/s |  22 kB     00:00
----------------------------------------------------------------------------------------------------------------------------
Total                                                                                        99 kB/s |  22 kB     00:00
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                    1/1
  Running scriptlet: ec2-instance-connect-1.1-19.amzn2023.noarch                                                        1/1
  Installing       : ec2-instance-connect-1.1-19.amzn2023.noarch                                                        1/1
  Running scriptlet: ec2-instance-connect-1.1-19.amzn2023.noarch                                                        1/1
/bin/grep: warning: stray \ before %
/bin/grep: warning: stray \ before %
/bin/grep: warning: stray \ before %
/bin/grep: warning: stray \ before %

  Verifying        : ec2-instance-connect-1.1-19.amzn2023.noarch                                                        1/1
============================================================================================================================
WARNING:
  A newer release of "Amazon Linux" is available.

  Available Versions:

  Version 2023.1.20230719:
    Run the following command to upgrade to 2023.1.20230719:

      dnf upgrade --releasever=2023.1.20230719

    Release notes:
     https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes.html

  Version 2023.1.20230725:
    Run the following command to upgrade to 2023.1.20230725:

      dnf upgrade --releasever=2023.1.20230725

    Release notes:
     https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes.html

  Version 2023.1.20230809:
    Run the following command to upgrade to 2023.1.20230809:

      dnf upgrade --releasever=2023.1.20230809

    Release notes:
     https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes.html

============================================================================================================================

Installed:
  ec2-instance-connect-1.1-19.amzn2023.noarch

Complete!
[ec2-user@ip-10-0-20-41 ~]$
logout
Connection to ec2-3-8-118-108.eu-west-2.compute.amazonaws.com closed.
➜  ~ ssh -i tmp/chriswood3.pem ec2-user@ec2-3-8-118-108.eu-west-2.compute.amazonaws.com

A newer release of "Amazon Linux" is available.
  Version 2023.1.20230719:
  Version 2023.1.20230725:
  Version 2023.1.20230809:
Run "/usr/bin/dnf check-release-update" for full release and version update info
   ,     #_
   ~\_  ####_        Amazon Linux 2023
  ~~  \_#####\
  ~~     \###|
  ~~       \#/ ___   https://aws.amazon.com/linux/amazon-linux-2023
   ~~       V~' '->
    ~~~         /
      ~~._.   _/
         _/ _/
       _/m/'
Last login: Wed Aug 16 14:19:24 2023 from 2.98.206.38
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    56  100    56    0     0  28411      0 --:--:-- --:--:-- --:--:-- 56000
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    10  100    10    0     0   4520      0 --:--:-- --:--:-- --:--:--  5000
[ec2-user@ip-10-0-20-41 ~]$ sudo /opt/aws/bin/eic_run_authorized_keys ec2-user SHA256:lGPAlqOmDr7h7G+60j5AD8NnNlNsYqJZiJqPW+ZxnX4
[ec2-user@ip-10-0-20-41 ~]$ echo $?
0

Note that simply not including the run of the bootstrap script in the instance metadata, like below, also causes the SSH connection via ec2-instance-connect to work, as the Amazon Linux 2 AMI has the newer version pre-installed.

231c235
<           /tmp/get_bootstrap.sh "${EnvironmentInstanceFiles}" '${S3Mounts}'
---
>           #/tmp/get_bootstrap.sh "${EnvironmentInstanceFiles}" '${S3Mounts}'
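Review bot: commenting out the get_bootstrap.sh call disables more than the ec2-instance-connect install; the script is passed "${EnvironmentInstanceFiles}" and '${S3Mounts}', so the environment files and S3 mounts it sets up are skipped as well. As a workaround this proves the point, but the narrower fix is to change the package version the bootstrap installs (or let it keep the AMI's newer package) rather than drop the whole bootstrap step.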

And to show the AZ and ami-id:

[ec2-user@ip-10-0-20-41 ~]$  curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/placeavailability-zone-zone
eu-west-2a
[ec2-user@ip-10-0-20-41 ~]$  curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/ami-id
ami-06464c878dbe46da4
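An added check, not code from the thread or the SWB project, that scripts the two verifications the reporter performs above: read the installed ec2-instance-connect build out of `rpm -qa` output and flag anything below the v1.1.17 floor the reporter gives further down the thread, then, on a live workspace, re-run eic_run_authorized_keys and report its exit status. It assumes the rpm naming seen in this output and a sudo-capable user on the workspace; the sample package lists are constructed.

```shell
#!/bin/sh
# Added example, not code from the SWB project or the thread: flag an EC2 Linux
# workspace whose ec2-instance-connect build predates 1.1-17, the floor the
# reporter gives for OpenSSL 3.x clients. Assumption: the rpm name always has the
# form ec2-instance-connect-1.1-<release>.<dist>.noarch as in the thread.
MIN_EIC_RELEASE=17

# eic_release NAME: print the <release> number of an ec2-instance-connect rpm
# name, or nothing if NAME is not that package (the -selinux subpackage is skipped).
eic_release() {
    printf '%s\n' "$1" | sed -n 's/^ec2-instance-connect-1\.1-\([0-9][0-9]*\)\..*$/\1/p'
}

# eic_version_ok NAME: succeed when the build is at least MIN_EIC_RELEASE.
eic_version_ok() {
    rel=$(eic_release "$1")
    if [ -n "$rel" ] && [ "$rel" -ge "$MIN_EIC_RELEASE" ]; then
        return 0
    fi
    return 1
}

# check_rpm_list LIST: LIST is `rpm -qa` style output, one package per line.
# Prints OK, OUTDATED or MISSING and fails unless the build is acceptable.
check_rpm_list() {
    pkg=$(printf '%s\n' "$1" | grep '^ec2-instance-connect-[0-9]' | head -n 1)
    if [ -z "$pkg" ]; then
        echo MISSING
        return 1
    fi
    if eic_version_ok "$pkg"; then
        echo OK
        return 0
    fi
    echo OUTDATED
    return 1
}

# eic_probe USER FINGERPRINT: on a live workspace, repeat the lookup the thread
# uses and report its exit status (22 on the old build, 0 after the upgrade).
# FINGERPRINT is the SHA256 fingerprint of the SWB-issued key (ssh-keygen -lf).
eic_probe() {
    if [ ! -x /opt/aws/bin/eic_run_authorized_keys ]; then
        echo "eic_run_authorized_keys not installed"
        return 2
    fi
    if sudo /opt/aws/bin/eic_run_authorized_keys "$1" "$2" >/dev/null 2>&1; then
        rc=0
    else
        rc=$?
    fi
    echo "eic_run_authorized_keys exit status: $rc"
    return "$rc"
}

# Constructed samples mirroring the `rpm -qa | grep connect` output quoted above,
# before and after the upgrade.
SAMPLE_OLD='ec2-instance-connect-selinux-1.1-19.amzn2023.noarch
ec2-instance-connect-1.1-14.amzn2.noarch'
SAMPLE_NEW='ec2-instance-connect-selinux-1.1-19.amzn2023.noarch
ec2-instance-connect-1.1-19.amzn2023.noarch'

printf 'sample before upgrade: %s\n' "$(check_rpm_list "$SAMPLE_OLD" || true)"
printf 'sample after upgrade:  %s\n' "$(check_rpm_list "$SAMPLE_NEW" || true)"
# On a real workspace, replace the samples with live data:
#   check_rpm_list "$(rpm -qa)" && eic_probe ec2-user SHA256:<fingerprint>
```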

maghirardelli commented 1 year ago

We have not been able to reproduce the bug you have reported. It may be due to using a custom workspace type since we have tested the out-of-the-box EC2 Linux workspace type (both with AppStream and without AppStream).

Is AppStream enabled in your deployment? If so, that workflow does not look correct to connect to an AppStream-enabled EC2 instance. The screenshot shows what instructions to connect to an EC2 instance without AppStream enabled.

Either way, it sounds like you found a workaround to connect so I'll go ahead and close this ticket since you were able to connect.

chriswood-cruk commented 1 year ago

What AMI are you using for testing?

chriswood-cruk commented 1 year ago

This issue is with the out-of-the-box EC2 Linux workspace type, I created the custom type as a workaround so I could SSH to the instance to debug the issue

maghirardelli commented 1 year ago

I made AMIs for my deployment using the machine-images SLS plugin within the project.

Are you using AppStream within the deployment?

chriswood-cruk commented 1 year ago

Not using AppStream. You may find that the reason it works for you is that your OpenSSL version is not up to date, what version do you have installed?

maghirardelli commented 1 year ago

Okay we will investigate the OpenSSL version. What is the version you are using (so we can test using that one)?

chriswood-cruk commented 1 year ago

As stated here, it's OpenSSL version 3.0.2 that causes this issue. Really all this issue is about is upgrading the version of EC2 Instance Connect to v1.1.17 or above (latest is v1.1.19). I don't need anything to be investigated; I don't understand why you aren't willing to just do that, as it should be a standard maintenance task to keep these things up to date. As I stated when I opened this issue, I would have raised a PR but I can't see where the files which are added to the "offline-packages" dir are defined.

kpark277 commented 1 year ago

Hi @chriswood-cruk, the most recent version of OpenSSL is "OpenSSL 3.1.2 1 Aug 2023 (Library: OpenSSL 3.1.2 1 Aug 2023)"; this was the version used to test and it had no issues when connecting to the EC2 Linux environment. If you would like to update the version of EC2 Instance Connect in your installation of SWB, you may add the new RPM to https://github.com/awslabs/service-workbench-on-aws/tree/mainline/main/solution/post-deployment/config/environment-files/offline-packages/ec2-linux and update this line https://github.com/awslabs/service-workbench-on-aws/blob/mainline/main/solution/post-deployment/config/environment-files/bootstrap.sh#L108C1-L108C120 with the new version.

If your installation is not using AppStream, offline packages do not affect what is installed on your environment, as AppStream-disabled Linux environments will pull from the public yum repo for the newest version of EC2-Instance-Connect (verified that non-AppStream environments had EC2 Instance Connect 1.1.19 installed). We are not updating dependencies unless they impact functionality or have security vulnerabilities.