cloudfoundry-attic / bosh-init

bosh-init is a tool used to create and update the Director VM
Apache License 2.0

Not able to use a "jumpbox" to create SSH tunnels due to hardcoded agent registry #59

Open keymon opened 8 years ago

keymon commented 8 years ago

I am trying to deploy a microbosh instance using bosh-init in a VPC without a public IP, using an SSH jumpbox instead.

In theory this would be technically possible using the SSH tunnel feature, so that bosh-init creates SSH tunnels to the jumpbox and the agent of the deployed VM connects to the exposed port on the internal IP of the bosh VM.

But in practice I was not able to do it, and I think the blocker I hit was this commit, which replaces the IP of the registry that the agent connects to with 127.0.0.1 when the SSH tunnel is set up.

Is there any reason to force this config?

Am I right thinking that if we fix this code the agent will connect to the registry served as a ssh-tunnel in the jumpbox?

As a workaround, I guess the approach would be to create the SSH tunnel manually outside of the bosh-init tool, so bosh-init won't override the registry values.

dpb587-pivotal commented 8 years ago

The ssh_tunnel configuration is used by bosh-init to reverse tunnel registry-access from the VM to come back to the local bosh-init process (docs). This is why the registry connection is hard-coded to 127.0.0.1:6901 and ssh_tunnel.ip is supposed to be an accessible IP that your bosh-init can SSH to (either by LAN, VPN, or WAN).

When using a jumpbox it gets a bit more difficult since, as you suggest, you need to manually set up an SSH tunnel and forward the ports that bosh-init and the VM agent care about. For example, if MICROBOSH_IP is your instance without a public IP and JUMPBOX_IP is your publicly-accessible jumpbox IP...

Before running bosh-init, create local, forwarding ports for SSH and mbus so bosh-init can communicate with the VM it'll create...

ssh -L 33322:$MICROBOSH_IP:22 -L 36868:$MICROBOSH_IP:6868 $JUMPBOX_IP

Then you'll need to modify your bosh-init.yml so it talks directly to those local ports that you're forwarding...

cloud_provider:
  ssh_tunnel:
    host: 127.0.0.1
    port: 33322
    ...
mbus: "https://mbus:mbus-password@127.0.0.1:36868"
...

Something like that should work for jumpbox-ing.

keymon commented 8 years ago

Yes, the idea would be to additionally set the reverse proxy of the registry:

ssh -R 6901:localhost:6901 -L 33322:$MICROBOSH_IP:22 -L 36868:$MICROBOSH_IP:6868 $JUMPBOX_IP

And the client would use the private ip of the jumpbox:

registry:
  host: (( jumpbox_private_ip ))

Indeed this can be implemented by creating the SSH tunnel before running bosh-init, as the jumpbox already exists.

But I wonder if:

Thank you.