Provide a Docker image with ssm-tools (example provided)

[holyjak]

It would be awesome to be able to run ssm-tools in a docker image for us on OSX and those that prefer to keep tools off their system. This is what I tried, and it runs ssm-session:

FROM ubuntu:bionic

RUN apt-get update -qq && \
    apt-get install -y python3-pip

RUN pip3 install awscli --upgrade
# See https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.html#install-plugin-debian
ADD https://s3.amazonaws.com/session-manager-downloads/plugin/latest/ubuntu_64bit/session-manager-plugin.deb session-manager-plugin.deb
RUN dpkg -i session-manager-plugin.deb
RUN pip3 install aws-ssm-tools

# ssm-tunnel prerequisities:
RUN apt-get update -qq && \
    apt-get install -y sudo iproute2

ENTRYPOINT ["/bin/bash"]

however ssm-tunnel <instance> fails without any clear indication of why:

root@eb4429e01043:/# ssm-tunnel --verbose --debug i-xxxxxx
[ssm-tunnel] DEBUG: Logging level set to DEBUG
[ssm-tunnel] DEBUG: Spawning: aws  ssm start-session --target i-xxxxxx
[ssm-tunnel] DEBUG: PID: 241
[ssm-tunnel] DEBUG: Starting session with SessionId: john.snow@43213109573-019fead4f60ee2455

[ssm-tunnel] DEBUG: Creating tunnel
[ssm-tunnel] DEBUG: # Agent device tunSSM.122.45 is ready
[ssm-tunnel] DEBUG: command: sudo ip tuntap add tunSSM.122.44 mode tun user 0
open: No such file or directory
[ssm-tunnel] DEBUG: command: sudo ip link set tunSSM.122.44 down
Cannot find device "tunSSM.122.44"
[ssm-tunnel] DEBUG: command: sudo ip tuntap del tunSSM.122.44 mode tun
open: No such file or directory
[ssm-tunnel] INFO: Closing tunnel, please wait...
[ssm-tunnel] DEBUG: Closing session

[holyjak]

PS: I got the tunnel working under vagrant (used a more complete ubuntu system)

[mludvig]

I'm afraid ssm-tunnel needs too many privileges to run in Docker. It creates network devices, configures system routing, and calls external Linux commands for it.

You can run it in VirtualBox for sure as that provides a complete system, but Docker? I don't think so. Sorry.

[holyjak]

Ok, thank you.

…

On Mon, 3 Feb 2020, 01:06 Michael Ludvig, ***@***.***> wrote: Closed #5 <#5>. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#5?email_source=notifications&email_token=AAEYSPTTKK46L23564WLSNTRA5NY7A5CNFSM4JYIOKWKYY3PNVWWK3TUL52HS4DFWZEXG43VMVCXMZLOORHG65DJMZUWGYLUNFXW5KTDN5WW2ZLOORPWSZGOWLLKRBY#event-3000412295>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAEYSPSGVQZHJ6WXIZRJWCTRA5NY7ANCNFSM4JYIOKWA> .

[lostdesign]

@mludvig as far as my understanding goes, a docker container should be roughly equivalent to a normal linux box. What would I be missing here that it wouldnt be possible inside a docker container?

Currently trying to get ssm-tunnel to work for macos users, which will not be possible as far as I understand, unless we can utilize docker?

[mludvig]

@lostdesign ssm-tunnel needs to manipulate the network stack - create network interface, set up routes, optionally change DNS settings. This is not possible for a process contained in a docker container as far as I can tell. The reason is that docker container doesn't "own" the kernel, it's only given some resources to work with but can't request to create others.

Prove me wrong, I'd be very happy to provide an easy way to run ssm-tunnel on Mac. But as I understand it docker won't help here.

Use VirtualBox - that's a complete Linux system with its own kernel where ssm-tunnel can do all it needs to do.

Or use ssm-ssh with port forwarding, e.g. this to access your MySQL RDS

ssm-ssh ec2-user@{some-instance} -L 3306:{mysql-rds-ip}:3306

All ssh port forwarding options are supported: -L, -R, -D, etc.

[lostdesign]

@mludvig my guess was that you could pass the host's TUN device into the container and do the changes there? Aka using that device and bridging the containers network with the host's. These are just rough speculations, haven't gotten further into it, maybe i am completely off here. I'll research a bit further in that regard and come back with solutions (https://www.reddit.com/r/docker/comments/4cw758/accessing_tuntap_device_inside_of_a_docker/).

SSH isn't an option for us as every resource we need to access (DB, Kafka) are private, so using ssm-tunnel would be the only chance on mac os, either inside docker or a vm.

But thanks for your quick reply, much appreciated!

[lostdesign]

Alright, I managed to get it to work inside a docker container, the only part that is necessary, is sharing /dev or just /dev/net/tun into the container with privileged access.

Which would look like docker run ... --cap--add=NET_ADMIN --device /dev/net/tun:/dev/net/tun ...

Here is an example Dockerfile, which we used to make it work. We also used SSH to connect any SQL Tool into the container which has the tunnel in order to access the AWS Resources.

FROM amazonlinux

LABEL maintainer="..."
LABEL version="0.1"
LABEL description="SSM Tunnel container for AWS Bastion Stations in MacOS/ Windows"

ENTRYPOINT ["/root/entrypoint.sh"]
EXPOSE 22
RUN install -d /root/.ssh -m 0700

# Install dependencies
RUN yum check-update && yum update -y \
    && yum install sudo jq curl unzip python3-pip net-tools iproute telnet openssh-server openssh-clients -y

RUN sed -i s/PermitRootLogin.*/PermitRootLogin\ yes/ /etc/ssh/sshd_config \
    && sed -i s/PasswordAuthentication.*/PasswordAuthentication\ yes/ /etc/ssh/sshd_config \
    && sed -i s/#PermitUserEnvironment.*/PermitUserEnvironment\ yes/ /etc/ssh/sshd_config

COPY entrypoint.sh /root/entrypoint.sh
COPY environment /root/.ssh/environment
COPY sshconfig /root/.ssh/config

# Install AWS Cli v2.0, Session Manager Plugin and AWS SSM Tools
RUN curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" \
    && curl "https://s3.amazonaws.com/session-manager-downloads/plugin/latest/linux_64bit/session-manager-plugin.rpm" -o "session-manager-plugin.rpm" \
    && unzip awscliv2.zip \
    && ./aws/install \
    && yum install -y session-manager-plugin.rpm \
    && pip3 install aws-ssm-tools \
    && aws --version \
    && session-manager-plugin --version

# Copy AWS local assets
COPY .aws /root/.aws
COPY tunneldb.sh /root/

# Internal tunnel script
RUN chmod +x /root/tunneldb.sh
RUN chmod +x /root/entrypoint.sh

WORKDIR /root

This defo needs some cleaning, but it should be good enough to give a starting point for this.
If there is any further interest, I wouldn't mind putting up a Demo Repo without our internal tunnel shell script.

tldr: Create a Docker image with the required dependencies, share TUN device into container with privileged access.
Hope I could help @mludvig @holyjak

[mludvig]

That’s great, thanks for looking at it. If you want to raise a PR with a (tidy) Dockerfile and a small README-docker.md with example usage I can merge it.

[lostdesign]

You can assign the issue to me. Will open a PR tomorrow morning 👌

[lostdesign]

This is still on my todo. Scheduled for this week :D Haven't forgotten about it.

[animaxcg]

@lostdesign Any update on what your entrypoint.sh looks like trying to setup the same thing on my mac.. container get connectivity fine just now trying to bridge it.

[animaxcg]

Ended up making my own solution for the mac.. still a work in progress but gets the job done on macos.
ssm-tunneler

Utilizes sshuttle to ssh tunnel into a docker container that is ssm-tunneled into my aws host meaning no port 22 open in aws.

uses some bash magic to do what this utility does but with a mac. Windows powershell native coming soon