Home

Awesome

jumpbox-deployment

Deploy single vanilla jumpbox machine. Works well with BOSH CLI SOCKS5 proxying.

IMPORTANT: Make sure to configure security group to allow only necessary traffic! Better yet drop all incoming traffic when jumpbox is not being used.

Planned

Example on AWS

Requires new BOSH CLI v0.0.146+.

$ git clone https://github.com/cloudfoundry/jumpbox-deployment ~/jumpbox-deployment

$ mkdir -p ~/deployments/jumpbox-1

$ cd ~/deployments/jumpbox-1

# Deploy a jumpbox -- ./creds.yml is generated automatically
$ bosh create-env ~/jumpbox-deployment/jumpbox.yml \
  --state ./state.json \
  -o ~/jumpbox-deployment/aws/cpi.yml \
  --vars-store ./creds.yml \
  -v access_key_id=... \
  -v secret_access_key=... \
  -v region=us-east-1 \
  -v az=us-east-1b \
  -v default_key_name=jumpbox \
  -v default_security_groups=[jumpbox] \
  -v subnet_id=subnet-... \
  -v internal_cidr=10.0.0.0/24 \
  -v internal_gw=10.0.0.1 \
  -v internal_ip=10.0.0.5 \
  -v external_ip=... \
  --var-file private_key=...

# Currently, none of the generated credentials are necessary to persist
# (possibly except for generated SSH private key)
$ rm ./creds.yml

Above command requires only two ports open:

Type            Protocol Port Range  Source          Purpose
SSH             TCP      22          <BOSH CLI's IP> SSH for bootstrapping & final access
Custom TCP Rule TCP      6868        <BOSH CLI's IP> Agent for bootstrapping

SSH into jumpbox

By default jumpbox user is added via user_add job. Unique SSH private key is generated.

$ bosh int ./creds.yml --path /jumpbox_ssh/private_key > jumpbox.key && chmod 600 jumpbox.key

$ ssh jumpbox@... -i jumpbox.key

Consider using SOCKS5 proxying

Instead of running CLI from the jumpbox VM, you can use it as a proxy.

# Start SOCKS5 proxy on your machine
$ ssh -N -D 9999 jumpbox@... -i jumpbox.key -f

# Let CLI know about it
$ export BOSH_ALL_PROXY=socks5://localhost:9999

# Access Director *thru* jumpbox (instead of being on the jumpbox)
$ bosh -e bosh-1 env