Comments (8)
rcj4747
commented on July 22, 2024
I have created bug #1915345 in the Ubuntu bug tracker as well.
from aws-ec2-instance-connect-config.
rcj4747
commented on July 22, 2024
And I haven't tested, but this would also fail in Wavelength zones with names in the form us-east-1-wl1-bos-wlz-1. Even if instance connect isn't supported in wavelength zones I rather not have the service fail and mark the system status as degraded.
from aws-ec2-instance-connect-config.
ohitspaul
commented on July 22, 2024
Hi @rcj4747 , thanks for bringing this to our attention. We're currently looking into this issue.
from aws-ec2-instance-connect-config.
ohitspaul
commented on July 22, 2024
This has been addressed as part of release here: https://github.com/aws/aws-ec2-instance-connect-config/releases/tag/1.1.14
OS vendors are working on shipping this change automatically with AMI updates, and publishing to package repositories to be pulled from. Will leave this issue open until package is available to be pulled from corresponding repositories.
from aws-ec2-instance-connect-config.
rcj4747
commented on July 22, 2024
@ohitspaul Do we not want host key harvesting in local/wavelength zones? Yes, the systemd unit no longer fails because the patch ignored the script failure, but does it work? The release has no changes to /usr/share/ec2-instance-connect/eic_harvest_hostkeys to match the string format for a local/wavelength zone still. So while the feature is available in local and wavelength zones (the user can try but it appears to be non-functional, see next comment) the code fails to address the underlying failure and so ec2-instance-connect still broken in those zones (just silently now). And if it were unsupported in those zones, couldn't the script be updated to still recognize the zones, print a message about not being supported and exit. This still leaves the error in journalctl --unit ec2-instance-connect.
from aws-ec2-instance-connect-config.
rcj4747
commented on July 22, 2024
I'll amend my comment. Removing the check and pushing the key to https://ec2-instance-connect.us-west-2.amazonaws.com/PutEC2HostKeys/ results in a failure {"__type":"com.amazon.coral.service#InternalFailure", so it seems that instance connect is not enabled for this zone (yet?) but the web console allows me to try. I still think you need to consider the usability of your patch. Papering over the failure by ignoring the return code still leaves the 255 exit code in the unit log file and the service is supported. So when I user has ec2-instance-connect installed (which is in the stock Ubuntu images in AWS for 20.04 and later) and attempts to attach they only get a There was a problem connecting to your instance error and are invited to wait a few minutes and retry. Looking at the service it has succeeded and looking at the log there is an error code that doesn't provide an indication that this is not supported.
My suggestion is to look for regex matches on local zones (and wavelength?) and print a message that instance-connect is not supported currently by the package. Or catch the {"__type":"com.amazon.coral.service#InternalFailure" and then print an message about support (wishing that was more specific) but that feels fragile and the rest of the code would be untested in a local zone. Either way, could you provide the end-user more breadcrumbs so they can understand what is happening when they fail to connect.
from aws-ec2-instance-connect-config.
ohitspaul
commented on July 22, 2024
@rcj4747 thank you for your feedback. Currently we do not explicitly support local/wavelength zones. We have added an item to our backlog for local zone support. We will also be adding more detailed output in each of the different components of EC2 Instance Connect in an upcoming upgrade to these on-instance scripts.
from aws-ec2-instance-connect-config.
RainaWLK
commented on July 22, 2024
I found same issue with local zones and cannot ssh login using ec2-connect.
The issue is in this script:
https://github.com/aws/aws-ec2-instance-connect-config/blob/master/src/bin/eic_curl_authorized_keys
line 105
# Validate the zone is aa-bb-#c (or aa-bb-cc-#d for special partitions like AWS GovCloud)
/bin/echo "${zone}" | /usr/bin/head -n 1 | /bin/grep -Eq "^([a-z]+-){2,3}[0-9][a-z]$" || exit 255
For example, Oregon region, Los Angeles Local zone
AZ = us-west-2-lax-1a
So it cannot pass regex check, leaves the 255 exit code.
I tried to modify that regex check in my EC2 instance:
sudo vi /usr/share/ec2-instance-connect/eic_curl_authorized_keys
......
# Validate the zone is aa-bb-#c (or aa-bb-cc-#d for special partitions like AWS GovCloud)
#/bin/echo "${zone}" | /usr/bin/head -n 1 | /bin/grep -Eq "^([a-z]+-){2,3}[0-9][a-z]$" || exit 255 # bug
/bin/echo "${zone}" | /usr/bin/head -n 1 | /bin/grep -Eq "^([a-z]+-){2,3}[0-9]([a-z]|-[a-z]+-[0-9][a-z])$" || exit 255
.......
Then EC2 connect works fine for me
Can you fix this issue?
from aws-ec2-instance-connect-config.
Related Issues (20)
- Got "Permission denied (publickey)" after "Successfully pushed the public key" HOT 3
- Please provide better documentation, preferably manpages
- Makefiles requested HOT 2
- metadata gives SHA256 for OCSP, but ec2-instance-connect only verify by SHA 1 and cause ALL connections refused HOT 2
- Permission denied (publickey) error despite public key sucessfully pushed to instance
- Secret key HOT 3
- No import users ala aws-ec2-ssh ? HOT 1
- Permission Denied after "Successfully pushed the public key" HOT 6
- Support EC2 Mac Instances
- using on host with no internet access HOT 1
- VPC endpoint support ? HOT 3
- Key trust verification fails on Ubuntu 22.04 HOT 6
- `eic_curl_authorized_keys` returns incorrect exit code in some cases
- 'make rpm' fails after the removal of host key harvesting HOT 2
- Publishing RPM packages for RedHat and CentOS? HOT 2
- Unable to connect to EC2 instance HOT 1
- RPM spec file should not build requires systemd
- Support creating users on login HOT 1
- Packaging for Debian
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from aws-ec2-instance-connect-config.