
Comments (8)

nickzelei commented on August 29, 2024 · 4

Would be great to find an answer here. I've had my bastion host running for around 6+ months without issue and suddenly ran into this without any reason as to why.

edit: as a bandaid, I just terminated the ec2 instance. When the ASG rolled out a new one, all is working again.

from terraform-aws-bastion.

aarontavio commented on August 29, 2024

I'm also experiencing the same problem with version 2.2.2. We cannot identify what changed so that we are getting the error now and not before.

If we log in with the ubuntu user, which has privileges to write to /var/log/bastion, everything works.

I wonder if this has to do with the setfacl -Rdm other:0 /var/log/bastion command in the initialization script. But also there we didn't change anything.

Here the error message:

$ ssh [email protected]

NOTE: This SSH session will be recorded
AUDIT KEY: 2022-02-16_14-11-17_atavio

uid=1002(atavio) gid=1002(atavio) groups=1002(atavio)
script: cannot open /var/log/bastion/2022-02-16_14-11-17_atavio_5EO73WSrarUoZU21TwwC8IQikdTmsriF.data: Permission denied
Connection to jump-server.example.com closed.

And here the contents and ACLs of /var/log/bastion:

ubuntu@ip-xx-x-x-xxx:/var/log/bastion$ ls -la
total 18604
drwxrwx---+  2 ubuntu ubuntu     4096 Feb 16 13:23 .
drwxrwxr-x  12 root   syslog     4096 Feb 16 00:00 ..
-rw-rw----   1 ubuntu ubuntu    59444 Feb 16 14:09 2022-02-16_13-23-17_ubuntu_N53Y5ptmUdOeDsW4bUsQvhjGLC.data
-rw-rw----   1 ubuntu ubuntu     9539 Feb 16 14:09 2022-02-16_13-23-17_ubuntu_N53Y5ptmUdOeDsW4bUsQvhjGLC.time

ubuntu@ip-xx-x-x-xxx:/var/log/bastion$ getfacl /var/log/bastion
getfacl: Removing leading '/' from absolute path names
# file: var/log/bastion
# owner: ubuntu
# group: ubuntu
user::rwx
group::rwx
other::---
default:user::rwx
default:group::rwx
default:other::---


conterio commented on August 29, 2024

We are having the same issue. One day things were working and the next day it was not. We didn't change anything. I suspect it has something to do with setfacl -Rdm other:0 /var/log/bastion but again we didn't change or update that in any way.

Is there a fix or solution for this, or a known cause at least?


agent-reed commented on August 29, 2024

Also just ran into the issue with several of my bastions.


jnewton03 commented on August 29, 2024

Same here. Going to update to version 3.0.2 and see if that resolves my issue.


jnewton03 commented on August 29, 2024

I also had to terminate the ec2 instance. Once it recreated I could connect again.


bbetter173 commented on August 29, 2024

This is now happening about every 24 hours - I've automated the re-provisioning of bastion hosts as a result. Would be great to see a fix.


jirkabs commented on August 29, 2024

I think I found it.

The bastion installs security updates once a day at midnight. If a new version of `script` (package util-linux) is installed, then the setuid bit on it goes away. `script` then runs as the logged-in user and does not have access to the log directory /var/log/bastion.

Note: this also explains the behavior where different bastions irregularly stop working at the same time. The last update of util-linux was yesterday.

Pull request with fix follows.

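The mechanism jirkabs describes, reproduced as an added example (this is illustrative code, not code from terraform-aws-bastion or from the pull request the comment refers to). It ties the two observations in the thread together: the getfacl output above shows `other::---` on /var/log/bastion, and the failing user is only in their own group, so once `script` runs as the SSH user instead of with its setuid bit the write to the log directory is denied. The example creates a fake `script` binary in a scratch directory, marks it setuid, replaces it the way dpkg unpacks a new util-linux (a fresh file written with the mode recorded in the package, then renamed over the old one, so the locally added bit does not survive), and then shows an idempotent check/repair pair. All paths are stand-ins for /usr/bin/script; nothing touches the real binary.

```shell
#!/bin/sh
# Added example, not code from terraform-aws-bastion. Reproduces in a scratch
# directory how a package upgrade drops a locally applied setuid bit, and shows
# an idempotent check/repair pair. All paths here are fake stand-ins for
# /usr/bin/script; nothing touches the real system binary.
set -eu

# has_setuid FILE: exit 0 if the setuid bit is set on FILE.
# Note: this only reports the bit; a nosuid mount still ignores it at exec time.
has_setuid() {
    [ -u "$1" ]
}

# simulate_upgrade FILE: mimic dpkg unpacking a new util-linux. dpkg writes the
# new file as FILE.dpkg-new with the mode recorded in the package (0755 for
# script) and renames it over the old one, so the old inode's extra bits are
# gone afterwards.
simulate_upgrade() {
    f="$1"
    printf '#!/bin/sh\necho "new script"\n' > "$f.dpkg-new"
    chmod 0755 "$f.dpkg-new"
    mv -f "$f.dpkg-new" "$f"
}

# ensure_setuid FILE: re-apply setuid if it is missing; exit 0 if it is set
# afterwards. Changes nothing when the bit is already present, so it is safe
# to run repeatedly from cron or an apt hook.
ensure_setuid() {
    f="$1"
    if ! has_setuid "$f"; then
        chmod u+s "$f"
    fi
    has_setuid "$f"
}

# demo: provision -> upgrade -> repair. Exit 0 only if the bit is present after
# provisioning, absent after the upgrade, and present again after repair.
demo() {
    d=$(mktemp -d)
    bin="$d/script"
    printf '#!/bin/sh\necho "old script"\n' > "$bin"
    chmod 0755 "$bin"
    chmod u+s "$bin"        # the bit the bastion relies on at provisioning time
    has_setuid "$bin" || { echo "setuid missing after provisioning"; rm -rf "$d"; return 1; }
    simulate_upgrade "$bin"
    if has_setuid "$bin"; then echo "upgrade unexpectedly kept setuid"; rm -rf "$d"; return 1; fi
    echo "after upgrade: setuid dropped, script would now run as the SSH user"
    ensure_setuid "$bin" || { echo "repair failed"; rm -rf "$d"; return 1; }
    echo "after repair: setuid restored"
    rm -rf "$d"
}

demo
```

Running `ensure_setuid /usr/bin/script` from a `DPkg::Post-Invoke` hook in /etc/apt/apt.conf.d/ is one way to re-apply the bit after every unattended upgrade; that is an assumption about a workable approach, not a description of the project's fix, which is in the pull request the comment mentions and is not shown on this page. Two caveats for anyone adopting it: `[ -u ]` only reports the bit, so verify the filesystem is not mounted `nosuid`; and re-applying setuid on every upgrade means each new `script` release runs with the file owner's privileges for every SSH user, so the owner and the permissions on /var/log/bastion remain the actual security boundary.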
