Closed eecsmap closed 1 month ago
This was previously requested for VMs with --net-bridged
: https://github.com/cirruslabs/orchard/issues/123.
Ideally, it would be nice to make the Orchard Controller listen as a SSH server and thus become the SSH's JumpHost
target on its own.
This way the ssh(1)
invocation would look like this:
ssh -J orchard-controller.example.com macos-ventura-xcode14
...and work for both the standard networking and --net-bridged
. Not sure about the authentication, though, as orchard ssh vm
, as there's both a service account token and VM's credentials at play.
As for directly exposing the IP in the API, we could either:
Does (1) work for you, or do you need an always up-to-date IP of the VM?
/cc @fkorotkov
If possible, the best option will be using orchard-controller
as the jump box. Since the controller is public available to clients anyway.
Otherwise, (1) returns the VM IP and the hosting worker should be a acceptable solution for now. At least I could use these information to make up an SSH config, with the hope the VM is not going to be moved around workers and got different IPs. This solution assumes the public access of all workers though. (I need to change the firewall rules to expose them out).
(2) probably is more reliable option, but could it coexist with (1)?
My workflow should be:
BTW, right now I am using a heavy work around. I basically wrote a SSH forwarder / proxy as a dedicated server.
How likely we can have the orchard controller itself play the role of jumpbox?
Btw, I also send a commercial letter for further support :) Hope it reach you guys well.
@eecsmap could you please indicate yourself on the email thread? We have a few going on :-)
@eecsmap could you please indicate yourself on the email thread? We have a few going on :-)
I got your reply already :)
Wenyang
Any good news from the jumpbox feature :)
PoC seems to be working fine. We are slowly working on polishing edge cases and adding tests.
I also made a jumpbox implemented in python3. And I realize that when I do ssh -J jumpbox:443 vm_AbCd
It will fail since ssh client send the ssh packet for TCP connection forward with lower case hostname.
channel_connect_stdio_fwd: vm_abcd:22
And then we use this vm_abcd
to construct the websocket uri as
GET /v1/vms/vm_abcd/port-forward?port=22&wait=5 HTTP/1.1
And our API seems to be case sensitive, such websocket request therefore returns 404 not found.
I wonder how are you going to address this issue.
I am thinking about: 1) always create vm with lower case name. 2) or let orchard vm names be case insensitive?
Btw, Can I have an approximate date when your jumpbox will be available?
Probably either next week or at most the week after.
It will fail since ssh client send the ssh packet for TCP connection forward with lower case hostname.
Good point.
We'll be begin deprecating the non-[a-z0-9-]
VM names in https://github.com/cirruslabs/orchard/pull/179 and completely disable them in Orchard 1.0.0 so that the users will have some time to migrate.
Only allowing such names will avoid lowercase comparisons internally in Orchard, which could lead to subtle bugs (including security ones) and allow for DNS compatibility in the future.
Hi guys. This jumpbox works amazing now. However I currently run into a case where I still need the IP of the VM. I see you suggested above that:
For our case, simply return in the /v1/vms/ the IP address should be fine. (and yes, we use it with --net-bridged
as #123 )
The second option is nice to have but not in real need for now. I noticed in #123 @roblabla offered a patch, I think the option1 will the something similar right?
I have a use case where I need to allocate VM and provide a SSH config file with content such as:
So user can do
ssh -F mysshconfig macos-ventura-xcode14
to access this machine directly.To support this operation, I have the worker name in the /vms/{vm_name} response, except the IP address.
Can we have this IP address listed in the response too?