
SSH Tunneling for the purpose of instances connecting back to Katello

movitto edited this page Dec 7, 2012 · 1 revision


Summary

Guests started in a "public" cloud that need to register with Katello in order to retrieve system updates currently have no way to reach a Katello server running inside a corporate network. This proposal uses SSH tunneling to give an arbitrary number of public-cloud guests a path back to Katello.

SSH Tunnel Proposal

In this proposal, Conductor and Katello are both running inside a corporate network. These servers are not exposed to any outside networks and only have internal and loopback IP addresses. Conductor is able, through Deltacloud, to launch instances in an external cloud network (a public cloud, such as Amazon EC2).

The proposal is to set up a server in the public cloud network that proxies all requests from public cloud guests through a reverse SSH tunnel to Katello. In addition, if the administrator plans to use a Config Server, the proxy server can serve double duty as both the Cloud Proxy and the Config Server.

The configuration involves a series of steps:

  1. Start a new guest in the public cloud; this guest becomes the Cloud Proxy.
  2. Configure iptables on the proxy to forward eth0:1443 → lo:443
    • iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 1443 -j REDIRECT --to-ports 443
    • Caveat: REDIRECT rewrites the destination to the primary address of the interface the packet arrived on (here eth0), not to 127.0.0.1, so the tunnel endpoint on the proxy must be listening on that address (for remote forwards this is governed by sshd's GatewayPorts setting). To reach a listener bound only to the loopback address, use a DNAT to 127.0.0.1:443 together with net.ipv4.conf.eth0.route_localnet=1 instead.
  3. On the Katello host inside the corporate network, establish a reverse ssh tunnel in the form:

Following the flow of actions in the illustration:

  1. An administrator has set up Conductor and Katello inside the corporate network, and a Cloud Proxy / Config Server in the public cloud network.
  2. A user launches a new instance from Conductor.
  3. The new instance contacts the Config Server (port 443 of the Cloud Proxy / Config Server). The configs it receives contain the instructions for reaching Katello, including the host:port of the Cloud Proxy.
  4. The new instance connects to Katello by contacting the Cloud Proxy on port 1443; the proxy hands the TCP connection to the reverse tunnel, which delivers it to Katello's port 443. Because the tunnel carries raw TCP, TLS is still terminated by Katello, so the certificate Katello presents must be valid for the proxy host name the guest connects to.
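The following script puts the three setup steps and steps 3 and 4 of the flow into one place. It is an added example, not code from the Katello or Aeolus projects. Host names, the tunnel account, the key material, the corporate egress address and the subscription-manager invocation are assumptions. It also departs from the page in two deliberate ways, both labelled in the code: the tunnel listener sits on 127.0.0.1:8443 rather than lo:443, because sshd only binds a privileged port for a remote forward when the tunnel account is root, and the proxy uses a DNAT to 127.0.0.1 instead of REDIRECT so that the listener can stay on the loopback address. Without arguments the script only prints what each host would run.

```shell
#!/bin/sh
# Added example for the SSH tunnel proposal; not Katello/Aeolus project code.
# All host names, the tunnel account, the key, the egress address and the
# loopback port are assumptions. Usage:
#   ./tunnel.sh                 print the commands for every role
#   ./tunnel.sh apply proxy     run the proxy-side setup (as root)
#   ./tunnel.sh apply katello   bring up the reverse tunnel from Katello
#   ./tunnel.sh apply guest     register a cloud guest through the proxy
set -eu

PROXY_HOST="${PROXY_HOST:-cloudproxy.example.com}"   # assumed public name of the Cloud Proxy
PROXY_IF="${PROXY_IF:-eth0}"                          # proxy's public interface (page: eth0)
PROXY_PORT="${PROXY_PORT:-1443}"                      # port guests connect to (page: 1443)
TUNNEL_PORT="${TUNNEL_PORT:-8443}"                    # assumed: unprivileged loopback port for the tunnel
TUNNEL_USER="${TUNNEL_USER:-katello-tunnel}"          # assumed: unprivileged account on the proxy
KATELLO_PORT="${KATELLO_PORT:-443}"                   # Katello's HTTPS port (page: 443)
CORP_EGRESS="${CORP_EGRESS:-203.0.113.10}"            # assumed: corporate NAT address the proxy sees
TUNNEL_PUBKEY="${TUNNEL_PUBKEY:-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEY katello-tunnel}" # assumed
AUTH_KEYS="${AUTH_KEYS:-/home/${TUNNEL_USER}/.ssh/authorized_keys}"  # assumed path on the proxy

# Proxy: steer guest traffic arriving on eth0:1443 to the tunnel listener on
# 127.0.0.1:8443. DNAT to 127.0.0.1 (not REDIRECT) keeps the listener on the
# loopback address; route_localnet lets the kernel accept externally arriving
# packets whose rewritten destination is 127.0.0.1.
proxy_nat_rules() {
    printf '%s\n' \
        "sysctl -w net.ipv4.conf.${PROXY_IF}.route_localnet=1" \
        "iptables -t nat -A PREROUTING -i ${PROXY_IF} -p tcp --dport ${PROXY_PORT} -j DNAT --to-destination 127.0.0.1:${TUNNEL_PORT}" \
        "iptables -A INPUT -i ${PROXY_IF} -d 127.0.0.1 -p tcp --dport ${TUNNEL_PORT} -j ACCEPT"
}

# Proxy: the Katello host's key may only open the one reverse forward, and
# only from the corporate egress address. restrict needs OpenSSH 7.2+,
# permitlisten needs 7.8+.
proxy_authorized_key() {
    printf 'restrict,port-forwarding,permitlisten="127.0.0.1:%s",from="%s" %s\n' \
        "${TUNNEL_PORT}" "${CORP_EGRESS}" "${TUNNEL_PUBKEY}"
}

# Proxy: confirm the tunnel listener is on loopback only, so the sole public
# way in is the NAT'd port 1443.
proxy_tunnel_listening() {
    ss -ltn 2>/dev/null | grep -qE "127\.0\.0\.1:${TUNNEL_PORT}[[:space:]]"
}

# Katello host: the reverse tunnel. ssh runs on Katello itself, so the forward
# targets Katello's own 127.0.0.1:443. ExitOnForwardFailure turns a failed bind
# into an exit instead of a silent, useless session; the keepalives let a
# supervisor (systemd Restart=, or autossh) notice a dead tunnel.
katello_tunnel_cmd() {
    printf '%s\n' "ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -R 127.0.0.1:${TUNNEL_PORT}:127.0.0.1:${KATELLO_PORT} ${TUNNEL_USER}@${PROXY_HOST}"
}

# Guest (flow step 4): register through the proxy. TLS runs end to end to
# Katello, so Katello's certificate must be valid for PROXY_HOST. The org and
# activation key names are assumptions.
guest_register_cmd() {
    printf '%s\n' "subscription-manager register --serverurl=https://${PROXY_HOST}:${PROXY_PORT}/rhsm --org=${KATELLO_ORG:-Example_Org} --activationkey=${KATELLO_KEY:-cloud-guests}"
}

if [ "${1:-}" = "apply" ]; then
    case "${2:-}" in
        proxy)
            proxy_nat_rules | sh -e
            umask 077
            mkdir -p "$(dirname "${AUTH_KEYS}")"
            proxy_authorized_key >> "${AUTH_KEYS}"
            chown -R "${TUNNEL_USER}" "$(dirname "${AUTH_KEYS}")"
            ;;
        katello) eval "$(katello_tunnel_cmd)" ;;
        guest)   eval "$(guest_register_cmd)" ;;
        *) echo "usage: $0 [apply proxy|katello|guest]" >&2; exit 2 ;;
    esac
else
    echo "# proxy"; proxy_nat_rules; echo "# ${AUTH_KEYS}"; proxy_authorized_key
    echo "# katello"; katello_tunnel_cmd
    echo "# guest"; guest_register_cmd
fi
```

After `apply katello` has run, `proxy_tunnel_listening` on the proxy (or `ss -ltn` by hand) should show 127.0.0.1:8443 and nothing on 0.0.0.0:8443; if the listener appears on a public address, sshd's GatewayPorts or the authorized_keys options are not what the script assumes.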

Open Questions

  • Is 443 the only port that Katello needs to listen on? Are there other ports over which guests may have to contact Katello?