
fix (VPC-only?) bug when ssh permissions conflict with default open-ssh-to-world step of cluster setup #356

Closed
wants to merge 1 commit into from

2 participants

@ypwais

I recently got a new AWS account which is now tied to VPC services. (As Amazon notes, all new accounts going forward will only be able to use VPC and not EC2 Classic). For whatever reason, my use of security group permissions causes starcluster to crash using this new account.

My config contains a rule to restrict SSH to a specific cidr:
[permission ssh]
PROTOCOL = tcp
FROM_PORT = 22
TO_PORT = 22
CIDR_IP = XXX.XXX.XXX.XXX/0

When I start a cluster with this config and the new VPC-only account, I get an error about duplicate permissions:

!!! ERROR - InvalidPermission.Duplicate: the specified rule "peer: 0.0.0.0/0, TCP, from port: 22, to port: 22, ALLOW" already exists

I believe the error is because starcluster opens SSH to the world by default when creating a security group, and for whatever reason my new VPC-only account errors out because my ssh permission spec overlaps with the rule that starcluster sets up by default. I've tried monkeying with my default security group in the EC2 console, but that doesn't seem to help.

What works is making starcluster simply not open SSH to the world if there are permissions for ssh set up later. The patch below seems to fix my bug, though I note that _add_permissions_to_sg() seems to do something similar to revoke world ssh... Let me know if you see a cleaner way to fix this bug and I'll change my patch.

@ypwais

Oops, it turns out my CIDR was broken: I didn't mean to use a range of /0. I guess EC2 considers a /0 cidr to mean "close to all ips", which conflicts with the "open to world" rule in an unexpected way.

Please consider this pull request rescinded for now.

@ypwais ypwais closed this
@jtriley jtriley reopened this
@jtriley
Owner

This happens because StarCluster creates the group, applies default SSH permissions, and then returns the original security group object without refetching it, which means the object is missing the latest applied rules/grants. I'm working on a patch now that should fix this.
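
The flow described in the comment above, as an added example that is not StarCluster's or boto's code: a constructed FakeEC2 backend in which authorize/revoke change the server-side group, while the SecurityGroup object handed back by create_group is a client-side snapshot that only catches up when re-fetched. The Rule and SecurityGroup types, the add_permissions_to_sg and cluster_group functions and the sample CIDRs are all assumptions made for this illustration; add_permissions_to_sg only approximates the revoke-world-SSH step the PR description mentions. The same block also shows why the /0 rule from the earlier comment collided with the default: any host address written with a /0 prefix normalizes to 0.0.0.0/0, the rule StarCluster had already installed.

```python
# Added example (not StarCluster code): models the stale security-group object
# described in the thread and the CIDR normalization behind the duplicate-rule
# error. FakeEC2, Rule, SecurityGroup and the permission handling below are
# constructed for this illustration and only approximate StarCluster/boto.
import ipaddress
from dataclasses import dataclass, field

WORLD = "0.0.0.0/0"


def normalize_cidr(cidr):
    # strict=False accepts a host address with a prefix length, as EC2 does;
    # any address with /0 collapses to 0.0.0.0/0, which is exactly the
    # default "open SSH to the world" rule StarCluster installs.
    return str(ipaddress.ip_network(cidr, strict=False))


@dataclass(frozen=True)
class Rule:
    proto: str
    from_port: int
    to_port: int
    cidr: str


WORLD_SSH = Rule("tcp", 22, 22, WORLD)


@dataclass
class SecurityGroup:
    name: str
    rules: list = field(default_factory=list)


class DuplicatePermission(Exception):
    pass


class FakeEC2:
    """Constructed stand-in for the EC2 API. authorize/revoke change the
    server-side group; a SecurityGroup object is a client-side snapshot that
    only changes when re-fetched, mirroring a stale boto object."""

    def __init__(self):
        self._groups = {}

    def create_group(self, name, auth_ssh=True):
        self._groups[name] = []
        sg = SecurityGroup(name, list(self._groups[name]))  # snapshot: no rules
        if auth_ssh:
            self.authorize(name, WORLD_SSH)  # applied server-side only
        return sg  # the bug: returned without re-fetching

    def get_group(self, name):
        return SecurityGroup(name, list(self._groups[name]))

    def authorize(self, name, rule):
        if rule in self._groups[name]:
            raise DuplicatePermission("InvalidPermission.Duplicate: %s" % (rule,))
        self._groups[name].append(rule)

    def revoke(self, name, rule):
        self._groups[name].remove(rule)


def add_permissions_to_sg(ec2, sg, permissions):
    """Assumed shape of the custom-SSH handling: if the user defines a rule that
    covers tcp/22 and the object still shows the world-SSH rule, revoke the
    world rule before applying the user's rule."""
    for perm in permissions.values():
        rule = Rule(perm["protocol"], perm["from_port"], perm["to_port"],
                    normalize_cidr(perm["cidr_ip"]))
        covers_ssh = rule.proto == "tcp" and rule.from_port <= 22 <= rule.to_port
        if covers_ssh and WORLD_SSH in sg.rules:
            ec2.revoke(sg.name, WORLD_SSH)
            sg.rules.remove(WORLD_SSH)
        ec2.authorize(sg.name, rule)
    return ec2.get_group(sg.name)


def cluster_group(ec2, permissions, refetch):
    """refetch=False reproduces the reported flow; refetch=True is the fix."""
    sg = ec2.create_group("@sc-mycluster")  # hypothetical group name
    if refetch:
        sg = ec2.get_group(sg.name)
    return add_permissions_to_sg(ec2, sg, permissions)


def run(cidr_ip, refetch):
    """Returns the resulting CIDRs on tcp/22, or the error name on failure."""
    perms = {"ssh": {"protocol": "tcp", "from_port": 22, "to_port": 22,
                     "cidr_ip": cidr_ip}}  # constructed [permission ssh] section
    try:
        sg = cluster_group(FakeEC2(), perms, refetch)
    except DuplicatePermission:
        return "InvalidPermission.Duplicate"
    return [r.cidr for r in sg.rules if r.proto == "tcp" and r.from_port == 22]


if __name__ == "__main__":
    print(run("203.0.113.7/0", refetch=False))   # InvalidPermission.Duplicate
    print(run("203.0.113.7/32", refetch=False))  # ['0.0.0.0/0', '203.0.113.7/32']
    print(run("203.0.113.7/32", refetch=True))   # ['203.0.113.7/32']
```

The three cases under `__main__` put the two failure modes side by side. With the /0 CIDR and a stale object, the user's rule normalizes to the default rule and the second authorize fails with InvalidPermission.Duplicate. With a proper /32 and the same stale object there is no error at all, but the world-SSH rule is never revoked, so in this model the cluster stays reachable on tcp/22 from 0.0.0.0/0, which is the silent variant a practitioner should check for. Re-fetching the group before applying the user's permissions is what lets the revoke run.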

@ypwais

Yeah, I did notice something wonky but couldn't get a solid repro, and things worked after I fixed my CIDR. Thanks for attacking this!

@jtriley
Owner

@ypwais Yeah, this confused me at first because StarCluster specifically handles the case of the user wanting to customize the SSH permissions. That code wasn't being invoked properly, though, due to the missing security group rules. Turns out the fix is relatively simple. Will merge it soon...

@jtriley jtriley closed this in 4ee8f76
Commits on Jan 10, 2014
  1. @ypwais
Showing with 3 additions and 1 deletion.
  1. +3 −1 starcluster/cluster.py
4 starcluster/cluster.py
@@ -656,9 +656,11 @@ def cluster_group(self):
desc = 'StarCluster-%s' % static.VERSION.replace('.', '_')
if self.vpc_id:
desc += ' VPC'
+ # Don't open SSH if we'll only re-define permissions for it later
+ perms_has_ssh = 'ssh' in self.permissions
sg = self.ec2.create_group(self._security_group,
description=desc,
- auth_ssh=True,
+ auth_ssh=perms_has_ssh,
auth_group_traffic=True,
vpc_id=self.vpc_id)
self._add_tags_to_sg(sg)
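
Review bot: `auth_ssh=perms_has_ssh` inverts the intent stated in the comment two lines above it. With a `[permission ssh]` section present, `perms_has_ssh` is True and the group is still created with SSH open to 0.0.0.0/0, the very rule the config was meant to replace; with no such section it is False and no SSH rule is created at all, so a cluster started from an unmodified config would be unreachable. If this path is kept it should read `auth_ssh=not perms_has_ssh`, and keying on the literal section name `'ssh'` is fragile: a section named anything else that covers tcp/22 would be missed, so test the permission's protocol and port range instead. As the maintainer's comment in the thread notes, the underlying cause is the group object returned by `create_group` without being re-fetched, so this change only masks the duplicate-rule error rather than repairing the revoke path.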