# MISC
## Network topology
- A: user
- B: jump host
- C: target machine

Connection: **A<-->B<-->C**
Explanation: user A reaches target C through jump host B.
- Drawback of the traditional approach: a traditional jump host B is usually used by a single person, so an outside observer sees only A and C connecting to B and can infer that A is connecting to C.
- Advantage of this approach: the third-party jump host B carries a very large number of connections, so the A-to-C connection cannot be observed from outside.
- Disadvantage of this approach: the jump host provider keeps a record of A connecting to C.
## Connection options
Install VS Code first: [official site](https://code.visualstudio.com/)
### A. Connect via an AWS SSH tunnel
**Requirements: an already configured IAM `Access Key ID`, `Secret Access Key`, `region name`, and the `instance-id`**
1. Install the AWS CLI on your workstation [download link](https://docs.aws.amazon.com/zh_cn/cli/latest/userguide/getting-started-install.html)
and the session-manager plugin [download link](https://docs.aws.amazon.com/zh_cn/systems-manager/latest/userguide/session-manager-working-with-install-plugin.html)
1. Configure the AWS CLI account
The following four prompts need values; the ones that matter are the Key ID, the Access Key and the region name: `ap-east-1`.
```sh
aws configure
# sample output follows
# AWS Access Key ID [****************XXXX]:
# AWS Secret Access Key [****************YYYY]:
# Default region name [ap-east-1]:
# Default output format [None]:
```
1. Configure the SSH config [reference](https://docs.aws.amazon.com/zh_cn/systems-manager/latest/userguide/session-manager-getting-started-enable-ssh-connections.html)
```
# file .ssh/config
## recommended form
## keep only the block for your OS: ssh uses the first matching Host entry for each option
# windows
Host my-dev
    ProxyCommand aws ssm start-session --target {replace with the corresponding instance_id} --document-name AWS-StartSSHSession --parameters portNumber=%p
    IdentityFile ~/.ssh/test.pem
    User ubuntu
# Linux or Mac
Host my-dev
    ProxyCommand aws ssm start-session --target {replace with the corresponding instance_id} --document-name AWS-StartSSHSession --parameters 'portNumber=%p'
    IdentityFile ~/.ssh/test.pem
    User ubuntu
## general form (any instance id or managed-instance id used as the host name)
# windows
host i-* mi-*
    ProxyCommand aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters portNumber=%p
# unix like
host i-* mi-*
    ProxyCommand aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'
```
1. Install the VS Code extension [Remote - SSH](https://marketplace.visualstudio.com/items?itemName=ms-vscode-remote.remote-ssh)
1. (Optional) Remove Remote - Tunnels
Because loading the tunnel is slow, you can remove the Remote - Tunnels extension to speed up VS Code startup.
Note: remove all Remote extensions first, then install the one you need.
1. (Optional) Stop the code tunnel service on the remote dev machine: `~/code tunnel service uninstall`
### B. Connect via a VS Code Server tunnel
**Requirement: a Microsoft or GitHub account on which a code tunnel has been deployed**
1. Install the [Remote - Tunnels](https://marketplace.visualstudio.com/items?itemName=ms-vscode.remote-server) extension
1. After installation, the left sidebar shows `Remote Explorer` -> `Remotes (Tunnels/SSH)` -> `Tunnels` -> `Sign in to tunnels registered with Microsoft ➡️` (click the arrow); a web page opens where you sign in to your account
1. After signing in, the tunnel appears under Tunnels
## Deployment options
### A. Deploy the tunnel based on Amazon Session Manager
Here B is provided by Amazon.
The optional features are S3 logging and CloudWatch logging; if you use them, create the bucket or log group in advance.
#### 0. Session Manager settings [documentation](https://docs.aws.amazon.com/zh_cn/systems-manager/latest/userguide/session-manager.html)
Additional logging configuration. The settings below do not apply to SSH connections, but they can be used to record sessions on production and other sensitive environments.
AWS Systems Manager > Session Manager > Preferences > Edit
1. Check `Enable maximum session duration` and enter 1440 (one day).
2. Check `Enable Run As support for Linux instances` and enter ubuntu.
3. (Optional) Check `CloudWatch logging` to enable CloudWatch logs.
4. (Optional) Check `Send session logs to S3` and enter the name of the S3 bucket you created.
#### 1. Create an IAM Role so that Systems Manager can access the EC2 resource [reference](https://docs.aws.amazon.com/zh_cn/systems-manager/latest/userguide/getting-started-create-iam-instance-profile.html)
Minimal policy for SSH on the EC2 instance role
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssmmessages:CreateControlChannel",
        "ssmmessages:CreateDataChannel",
        "ssmmessages:OpenControlChannel",
        "ssmmessages:OpenDataChannel",
        "ssm:UpdateInstanceInformation"
      ],
      "Resource": "*"
    }
  ]
}
```
#### 2. Create an IAM user and a matching policy that names the EC2 instance this user may access [reference](https://docs.aws.amazon.com/zh_cn/systems-manager/latest/userguide/session-manager-getting-started-enable-ssh-connections.html)
Minimal policy for SSH on the IAM user
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssm:StartSession"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/{instance_id}",
        "arn:aws:ssm:*:*:document/AWS-StartSSHSession"
      ],
      "Condition": {
        "BoolIfExists": {
          "ssm:SessionDocumentAccessCheck": "true"
        }
      }
    }
  ]
}
```
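A small lint for the step-2 user policy, added here as an example (it is not from this document or from AWS): it parses a policy document and flags the loosenings that would undo the least-privilege shape above, namely a bare `*` resource, a wildcarded instance or document ARN, or a missing `ssm:SessionDocumentAccessCheck` condition. The instance id in the embedded sample is constructed.

```python
"""Lint an IAM policy for the least-privilege ssm:StartSession shape used in step 2."""
import json

# Constructed sample: the step-2 user policy with the {instance_id} placeholder filled in.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["ssm:StartSession"],
    "Resource": [
      "arn:aws:ec2:*:*:instance/i-0123456789abcdef0",
      "arn:aws:ssm:*:*:document/AWS-StartSSHSession"
    ],
    "Condition": {"BoolIfExists": {"ssm:SessionDocumentAccessCheck": "true"}}
  }]
}
""")


def _as_list(value):
    """IAM accepts a bare string wherever a list is allowed; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_start_session_policy(policy):
    """Return findings for each Allow statement granting ssm:StartSession; an empty
    list means one explicit instance, one explicit session document, and the
    ssm:SessionDocumentAccessCheck condition that makes the document limit enforceable."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") != "Allow" or not {"ssm:StartSession", "ssm:*", "*"} & set(actions):
            continue
        resources = _as_list(stmt.get("Resource", []))
        instances = [r for r in resources if ":instance/" in r]
        documents = [r for r in resources if ":document/" in r]
        if "*" in resources:
            findings.append("Resource '*': any instance with any session document")
        if not instances or any(r.endswith("/*") for r in instances):
            findings.append("instance ARN missing or wildcarded; name the specific instance")
        if not documents or any(r.endswith("/*") for r in documents):
            findings.append("document ARN missing or wildcarded; restrict to AWS-StartSSHSession")
        cond = stmt.get("Condition", {})
        flag = {**cond.get("Bool", {}), **cond.get("BoolIfExists", {})}.get("ssm:SessionDocumentAccessCheck")
        if str(flag).lower() != "true":
            findings.append("ssm:SessionDocumentAccessCheck missing; document restriction is not enforced")
    return findings
```

Run it against the policy you are about to attach to the user; an empty result means it still matches the shape in step 2.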
#### 3. Install or update the SSM Agent on the EC2 instance [reference](https://docs.aws.amazon.com/zh_cn/systems-manager/latest/userguide/ssm-agent.html)
```bash
# By default, SSM Agent is preinstalled on Ubuntu Server 22.04 LTS, 20.04, 18.04 and 16.04 LTS 64-bit AMIs (with identifier 20180627) or later.
# If you need to install SSM Agent on an on-premises server, or need to reinstall the agent, use the following commands. No download URL is needed because the snap command fetches the agent from the Snap Store (https://snapcraft.io) automatically.
# install
sudo snap install amazon-ssm-agent --classic
# run the following command to check whether SSM Agent is running
sudo snap list amazon-ssm-agent
# if the previous command reports amazon-ssm-agent as stopped, inactive or disabled, start the service with
sudo snap start amazon-ssm-agent
# check the agent's status
sudo snap services amazon-ssm-agent
```
### B. Tunnel based on VS Code Server
Here B is provided by Microsoft.
1. Deploy VS Code Server: pick the CLI build matching the machine you deploy on [download](https://code.visualstudio.com/Download)
```bash
# enable linger so the service keeps running after the user logs out
sudo loginctl enable-linger $USER
# download the linux x64 CLI
wget https://vscode.download.prss.microsoft.com/dbazure/download/stable/dc96b837cf6bb4af9cd736aa3af08cf8279f7685/vscode_cli_alpine_x64_cli.tar.gz
tar -xzf vscode_cli_alpine_x64_cli.tar.gz
./code tunnel service install
# after running the command you are asked which account to log in with; here we choose Microsoft Account
## output:
# ? How would you like to log in to Visual Studio Code?
# Microsoft Account
# GitHub Account
## after choosing, the output is:
# ✔ How would you like to log in to Visual Studio Code? · Microsoft Account
# To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code I96RAVZDD to authenticate.
## open the link above in a browser, enter the code, then sign in with the Microsoft account; this binds the tunnel to that account.
## when you see the following output, the deployment succeeded
# *
# * Visual Studio Code Server
# *
# * By using the software, you agree to
# * the Visual Studio Code Server License Terms (https://aka.ms/vscode-server-license) and
# * the Microsoft Privacy Statement (https://privacy.microsoft.com/en-US/privacystatement).
# *
# [2024-05-21 10:21:24] info Successfully registered service...
# [2024-05-21 10:21:24] info Successfully enabled unit files...
# [2024-05-21 10:21:24] info Tunnel service successfully started
# [2024-05-21 10:21:24] info Tip: run `sudo loginctl enable-linger $USER` to ensure the service stays running after you disconnect.
# Service successfully installed! You can use `code tunnel service log` to monitor it, and `code tunnel service uninstall` to remove it.
```