
🧹 aws fixes; make aws ec2 instance-connect and aws ec2 ssm work #1707

Merged
merged 6 commits into main from vj/aws-ec2 on Sep 22, 2023

Conversation

vjeffrey
Contributor

DEBUG=1 go run apps/cnquery/cnquery.go shell aws ec2 instance-connect ec2-user@i-01cbf9d3b50b96946 --profile home --region us-east-1

DEBUG=1 go run apps/cnquery/cnquery.go shell aws ec2 ssm ec2-user@i-01cbf9d3b50b96946 --profile home --region us-east-1

I transferred the EBS stuff over, but it's not all hooked up yet; that's coming in the next PR.

@vjeffrey vjeffrey force-pushed the vj/aws-ec2 branch 3 times, most recently from 652ef18 to e7264de on September 14, 2023 07:05
@vjeffrey
Contributor Author

The EBS connection is hooked up in here and technically functional, but in my testing the setup is being called too many times. I'll work on that today.

@chris-rock chris-rock added this to the v9 milestone Sep 18, 2023
@vjeffrey
Contributor Author

DEBUG=1 go run apps/cnquery/cnquery.go run aws ec2 instance-connect ec2-user@INSTANCEID --profile home --region us-east-1 -c 'asset.name'

DEBUG=1 go run apps/cnquery/cnquery.go run aws ec2 ssm ec2-user@INSTANCEID --profile home --region us-east-1 -c 'asset.name'

scp the built cnquery to a machine in EC2:
[root@ip-172-31-38-240 ec2-user]# DEBUG=1 ./cnquery shell aws ec2 ebs i-01cbf9d3b50b96946 --log-level debug

@czunker
Contributor

czunker commented Sep 20, 2023

instance-connect is working, but the name is missing:

cnquery run aws ec2 instance-connect ec2-user@i-0ce9fbb81409b89a5 --region eu-central-1 -c 'asset{ name title ids platform }' --verbose
! CLI pre-processing encountered an issue error="unknown flag: --region"
DBG using provider aws with connector aws
DBG no need to update provider last-refresh=27.940711354s provider=aws
DBG running provider plugin path=/home/christian/.config/mondoo/providers/aws/aws
→ loaded configuration from /etc/opt/mondoo/mondoo.yml using source default
DBG running provider plugin path=/home/christian/.config/mondoo/providers/os/os
! your platform is not supported for hostname detection
DBG starting query execution qrid=TeZjrXq1BCc=
DBG finished query execution qrid=TeZjrXq1BCc=
DBG zUgch8DMejOrxRGPjbYldKd/Un7AzdxhRcUBhfakytdaBNEb+B4qS65wszSYcauK7tCOYM6rLbRCtClxW6q50w== finished
DBG graph has received all datapoints
asset: {
  title: "Amazon Web Services"
  platform: "aws"
  ids: [
    0: "//platformid.api.mondoo.app/runtime/ssh/hostkey/SHA256-tMJYn/RJDDE/UEfribgU81UzO2ALX22cWdy2z0YrJKw"
  ]
  name: ""
}

Perhaps because of:

! your platform is not supported for hostname detection

My EC2 instance is running an AL2023 image.

@vjeffrey
Contributor Author

Hmm, that looks like the wrong platform info.

@czunker
Contributor

czunker commented Sep 20, 2023

I get the same for ssm connect:

cnquery run aws ec2 ssm ec2-user@i-0ce9fbb81409b89a5 --profile AdministratorAccess-735798807192 --region eu-central-1 -c 'asset{ name title ids platform }' --verbose     ✔ │ 7s │ 16:36:29 
! CLI pre-processing encountered an issue error="unknown flag: --profile"
DBG using provider aws with connector aws
DBG no need to update provider last-refresh=30m29.384587524s provider=aws
DBG running provider plugin path=/home/christian/.config/mondoo/providers/aws/aws
→ loaded configuration from /etc/opt/mondoo/mondoo.yml using source default
DBG running provider plugin path=/home/christian/.config/mondoo/providers/os/os
! your platform is not supported for hostname detection
DBG starting query execution qrid=TeZjrXq1BCc=
DBG finished query execution qrid=TeZjrXq1BCc=
DBG zUgch8DMejOrxRGPjbYldKd/Un7AzdxhRcUBhfakytdaBNEb+B4qS65wszSYcauK7tCOYM6rLbRCtClxW6q50w== finished
DBG graph has received all datapoints
asset: {
  title: "Amazon Web Services"
  platform: "aws"
  ids: [
    0: "//platformid.api.mondoo.app/runtime/ssh/hostkey/SHA256-tMJYn/RJDDE/UEfribgU81UzO2ALX22cWdy2z0YrJKw"
  ]
  name: ""
}

Something for a follow-up: #1812

@vjeffrey
Contributor Author

Ah, I think I'm missing some logic in the detect; looking now.

@vjeffrey
Contributor Author

asset: {
  version: "2023"
  platform: "amazonlinux"
  name: "ip-172-31-39-53.ec2.internal"
}

I'll push up the change in a sec.

@czunker
Contributor

czunker commented Sep 20, 2023

Got EBS scanning working:

sudo ./cnquery run aws ec2 ebs i-0ce9fbb81409b89a5 --verbose --region eu-central-1 -c "asset{ name title ids }"
! can't find any paths for providers, none are configured system-path=/opt/mondoo/providers
! CLI pre-processing encountered an issue error="unknown flag: --verbose"
DBG using provider aws with connector aws
! using builtin provider for aws
→ no Mondoo configuration file provided, using defaults
DBG new aws ebs connection
DBG target info={"AccountId":"","Id":"i-0ce9fbb81409b89a5","PlatformId":"","Region":"eu-central-1"} type=instance
→ validate state instance={"AccountId":"","Id":"i-0ce9fbb81409b89a5","PlatformId":"","Region":"eu-central-1"}
DBG setup for target instance instance id=i-0ce9fbb81409b89a5
→ find volume id instance={"AccountId":"","Id":"i-0ce9fbb81409b89a5","PlatformId":"","Region":"eu-central-1"}
→ found instance block devices device=/dev/xvda
→ find recent snapshot
→ found snapshot snapshot={"Account":"","Id":"snap-027d442676d1ecb08","Region":"eu-central-1"}
→ checking snapshot region scanner instance=eu-central-1 snapshot=eu-central-1
→ create volume
→ waiting for volume creation completion; sleeping 10 seconds state=creating
→ attach volume volume id=vol-01c86240855687d3a
DBG attached volume location=/dev/sdw
DBG target volume location=/dev/sdw
→ waiting for volume attachment completion state=in-use
DBG created tmp scan dir dir=/tmp/cnspec-scan246994269
DBG search for target volume
DBG get matching block entry name=/dev/sdw
DBG found block device children=[{"fstype":"xfs","label":"/","name":"xvda1","uuid":"425e98fd-a883-4fcd-b198-f7f1be92d02f"},{"name":"xvda127"},{"fstype":"vfat","name":"xvda128","uuid":"BF44-0AE6"}] mountpoint= name=xvda
DBG found block device children=[{"fstype":"xfs","label":"/","name":"xvdf1","uuid":"425e98fd-a883-4fcd-b198-f7f1be92d02f"},{"name":"xvdf127"},{"fstype":"vfat","name":"xvdf128","uuid":"BF44-0AE6"}] mountpoint= name=xvdf
DBG found block device children=[{"fstype":"xfs","label":"/","name":"xvdr1","uuid":"425e98fd-a883-4fcd-b198-f7f1be92d02f"},{"name":"xvdr127"},{"fstype":"vfat","name":"xvdr128","uuid":"BF44-0AE6"}] mountpoint= name=xvdr
DBG found block device children=[{"fstype":"xfs","label":"/","name":"xvdw1","uuid":"425e98fd-a883-4fcd-b198-f7f1be92d02f"},{"name":"xvdw127"},{"fstype":"vfat","name":"xvdw128","uuid":"BF44-0AE6"}] mountpoint= name=xvdw
DBG found match
DBG found target volume device name=/dev/xvdw1
DBG mount volume to scan dir device=/dev/xvdw1 fstype=xfs opts=nouuid scandir=/tmp/cnspec-scan246994269
DBG load filesystem path=/tmp/cnspec-scan246994269
DBG could not execute os release detection command error="provider does not implement RunCommand"
DBG platform> cannot parse lsb config on this linux system error="open /tmp/cnspec-scan246994269/etc/lsb-release: no such file or directory"
DBG could not execute os release detection command error="provider does not implement RunCommand"
DBG platform> detected os family=["linux","unix","os"] platform=amazonlinux
DBG resolved 1 assets
! using builtin provider for aws
DBG new aws ebs connection
DBG target info={"AccountId":"","Id":"i-0ce9fbb81409b89a5","PlatformId":"","Region":"eu-central-1"} type=instance
→ validate state instance={"AccountId":"","Id":"i-0ce9fbb81409b89a5","PlatformId":"","Region":"eu-central-1"}
→ skipping setup step
→ skipping mount step
DBG load filesystem path=/tmp/cnspec-scan246994269
DBG could not execute os release detection command error="provider does not implement RunCommand"
DBG platform> cannot parse lsb config on this linux system error="open /tmp/cnspec-scan246994269/etc/lsb-release: no such file or directory"
DBG could not execute os release detection command error="provider does not implement RunCommand"
DBG platform> detected os family=["linux","unix","os"] platform=amazonlinux
! using builtin provider for aws
DBG new aws ebs connection
DBG target info={"AccountId":"","Id":"i-0ce9fbb81409b89a5","PlatformId":"","Region":"eu-central-1"} type=instance
→ validate state instance={"AccountId":"","Id":"i-0ce9fbb81409b89a5","PlatformId":"","Region":"eu-central-1"}
→ skipping setup step
→ skipping mount step
DBG load filesystem path=/tmp/cnspec-scan246994269
DBG could not execute os release detection command error="provider does not implement RunCommand"
DBG platform> cannot parse lsb config on this linux system error="open /tmp/cnspec-scan246994269/etc/lsb-release: no such file or directory"
DBG could not execute os release detection command error="provider does not implement RunCommand"
DBG platform> detected os family=["linux","unix","os"] platform=amazonlinux
DBG starting query execution qrid=yUp43Eqx7A0=
DBG finished query execution qrid=yUp43Eqx7A0=
DBG RxtxMUtWQdxr7ZJqN+Koz/D2xwlkNuB0UizzDadCyS0TgRkabiO360s5+XhGkqoxVlp0Y+XIq1CbElkcBhVYeA== finished
DBG graph has received all datapoints
asset: {
  title: "Amazon Linux 2023"
  ids: []
  name: "i-0ce9fbb81409b89a5"
}

ids is empty.

And the scan isn't cleaning up afterwards:

/dev/xvdr1 on /tmp/cnspec-scan2653270300 type xfs (rw,relatime,seclabel,nouuid,attr2,inode64,logbufs=8,logbsize=32k,sunit=1024,swidth=1024,noquota)
/dev/xvdw1 on /tmp/cnspec-scan246994269 type xfs (rw,relatime,seclabel,nouuid,attr2,inode64,logbufs=8,logbsize=32k,sunit=1024,swidth=1024,noquota)

I had the same problem with the GCP snapshot scanning. I had to call the cleanup explicitly in the Shutdown func.
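One way to make the EBS scan clean up after itself in the way czunker describes for GCP, as an added Go sketch (not cnquery's own code): every completed setup step registers its undo, Shutdown runs the undos in reverse, and a repeated Setup is a no-op, which is what the "skipping setup step" lines in the log require. The EbsConnection type, its run hook and the action strings are assumptions; a fake runner records actions so the example runs without AWS.

```go
package main

import (
	"errors"
	"fmt"
)
// Hypothetical EBS scan connection (added illustration, not cnquery's own code); run performs one AWS or mount action.
type EbsConnection struct {
	run      func(action string) error
	ready    bool
	cleanups []func() error
}
// Setup mirrors the log above (create volume, attach, mount); it is idempotent, and each completed step registers its undo.
func (c *EbsConnection) Setup(snapshot, scanDir string) error {
	if c.ready {
		return nil // "skipping setup step": the connection is set up several times per scan
	}
	steps := [][2]string{{"create volume from " + snapshot, "delete volume"},
		{"attach volume", "detach volume"}, {"mount on " + scanDir, "unmount " + scanDir}}
	for _, s := range steps {
		if err := c.run(s[0]); err != nil {
			return err // Shutdown still undoes the steps that already succeeded
		}
		undo := s[1]
		c.cleanups = append(c.cleanups, func() error { return c.run(undo) })
	}
	c.ready = true
	return nil
}
// Shutdown undoes the steps newest-first (unmount, detach, delete), collects every failure, and is safe to call twice.
func (c *EbsConnection) Shutdown() error {
	var errs []error
	for i := len(c.cleanups) - 1; i >= 0; i-- {
		errs = append(errs, c.cleanups[i]())
	}
	c.cleanups, c.ready = nil, false
	return errors.Join(errs...)
}
// ScanTrace runs a scan against a fake runner that only records actions: three Setup calls, as in the log, then Shutdown.
func ScanTrace() ([]string, error) {
	var trace []string
	c := &EbsConnection{run: func(a string) error { trace = append(trace, a); return nil }}
	var err error
	for i := 0; i < 3 && err == nil; i++ {
		err = c.Setup("snap-fake", "/tmp/cnspec-scan-fake")
	}
	return trace, errors.Join(err, c.Shutdown())
}
func main() { fmt.Println(ScanTrace()) }
```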

@vjeffrey
Contributor Author

instance connect and ssm are now working well:

asset: {
  version: "2023"
  platform: "amazonlinux"
  ids: [
    0: "//platformid.api.mondoo.app/hostname/ip-172-31-39-53.ec2.internal"
  ]
  name: "ip-172-31-39-53.ec2.internal"
}

@vjeffrey
Contributor Author

ebs scan is working, but the cleanup isn't working well yet

DBG load filesystem path=/tmp/cnspec-scan1529096487
DBG could not execute os release detection command error="provider does not implement RunCommand"
DBG could not execute os release detection command error="provider does not implement RunCommand"
DBG platform> detected os family=["debian","linux","unix","os"] platform=ubuntu
→ connected to Ubuntu 22.04.2 LTS
  ___ _ __   __ _ _   _  ___ _ __ _   _
 / __| '_ \ / _` | | | |/ _ \ '__| | | |
| (__| | | | (_| | |_| |  __/ |  | |_| |
 \___|_| |_|\__, |\__,_|\___|_|   \__, |
  mondoo™      |_|                |___/  interactive shell

cnquery> asset { platform ids version }
DBG starting query execution qrid=nqKXIz+kR5o=
DBG finished query execution qrid=nqKXIz+kR5o=
DBG EXyajUbhaeKlC5ESbsD0IQax8PdK0iWwkedbNXUYCO3F/jP4EUTvfmm0F5nFS9hAnHIV0l7PNMchq/QyeojLtQ== finished
DBG graph has received all datapoints
asset: {
  version: "22.04"
  platform: "ubuntu"
  ids: [
    0: "//platformid.api.mondoo.app/runtime/aws/ec2/v1/accounts/367400545713/regions/us-east-1/instances/i-09739098c40b6df84"
  ]
}
cnquery> exit

I'll work on the cleanup in a follow-up PR.

@czunker
Contributor

czunker commented Sep 22, 2023

instance-connect is working:

cnquery run aws ec2 instance-connect ec2-user@i-08db02ceb047ea7fb --profile AdministratorAccess-1234567890 --region eu-central-1 -c 'asset{ name title ids platform }'
! CLI pre-processing encountered an issue error="unknown flag: --profile"
! using builtin provider for aws
→ loaded configuration from /etc/opt/mondoo/mondoo.yml using source default
→ no AWS region found, using us-east-1
! using builtin provider for os
asset: {
  title: "Amazon Linux 2023"
  platform: "amazonlinux"
  ids: [
    0: "//platformid.api.mondoo.app/hostname/ip-172-31-21-20.eu-central-1.compute.internal"
  ]
  name: "ip-172-31-21-20.eu-central-1.compute.internal"
}

But I had problems with the profile. I created a follow-up for this: #1846

@czunker
Contributor

czunker commented Sep 22, 2023

ssm connect is working:

cnquery run aws ec2 ssm ec2-user@i-055ab2729fd61ea8b --profile AdministratorAccess-1234567890 --region eu-central-1 -c 'asset{ name title ids platform }'
! CLI pre-processing encountered an issue error="unknown flag: --profile"
! using builtin provider for aws
→ loaded configuration from /etc/opt/mondoo/mondoo.yml using source default
→ no AWS region found, using us-east-1
! using builtin provider for os
asset: {
  title: "Amazon Linux 2023"
  platform: "amazonlinux"
  ids: [
    0: "//platformid.api.mondoo.app/hostname/ip-172-31-31-57.eu-central-1.compute.internal"
  ]
  name: "ip-172-31-31-57.eu-central-1.compute.internal"
}

But also affected by #1846.

@czunker
Contributor

czunker commented Sep 22, 2023

ebs scan is working:

asset: {
  title: "Amazon Linux 2023"
  platform: "amazonlinux"
  ids: [
    0: "//platformid.api.mondoo.app/runtime/aws/ec2/v1/accounts/735798807192/regions/eu-central-1/instances/i-0ce9fbb81409b89a5"
  ]
  name: "i-0ce9fbb81409b89a5"
}

@czunker
Contributor

czunker commented Sep 22, 2023

ebs scan is working, but the cleanup isn't working well yet

I added an issue for that, so we can track it: #1847

e := Provider{scannerRegionEc2svc: ec2svc}
found, _ := e.FindRecentSnapshotForVolume(context.Background(), VolumeId{Id: "vol-0c04d709ea3e59096", Region: "us-east-1", Account: "185972265011"})
assert.Equal(t, found, true)
// found, _ = e.FindRecentSnapshotForVolume(context.Background(), VolumeId{Id: "vol-0d5df63d656ac4d9c", Region: "us-east-1", Account: "185972265011"})
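Review bot: the error from FindRecentSnapshotForVolume is discarded (`found, _ :=`), so a failed EC2 API call and "no recent snapshot" are indistinguishable in this test; capture it as `found, err := e.FindRecentSnapshotForVolume(...)` and check `assert.NoError(t, err)` before `assert.True(t, found)` (testify's `assert.Equal` also takes expected before actual, so `assert.Equal(t, true, found)` at least). The commented-out second call should be deleted rather than left behind, and since the assertion depends on a fixed volume in a fixed account (vol-0c04d709ea3e59096, 185972265011), the test should skip or use a fake EC2 client when no credentials for that account are present, otherwise it fails on every other machine and in CI.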
Contributor

nit: This can be removed.

return resources.SSMConnectAsset(args, opts)
case "ebs":
return resources.EbsConnectAsset(args, opts)
}
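Review bot: the switch over args[1] shown here has no `default:` branch, so an unexpected connection type falls through silently and only surfaces later as the generic "cannot connect to asset, no connection info provided" failure seen in the trial run below; add a `default:` case that returns an explicit error naming the unsupported args[1] value (same return shape as the `resources.*ConnectAsset` calls above) so the user sees the typo, not a downstream nil-connection error.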
Contributor

Should we throw an error when there is something unexpected in args[1]?

Contributor

Ok, just gave it a try:

FTL failed to run query error="cannot connect to asset, no connection info provided"

LGTM.

@vjeffrey vjeffrey merged commit 0f03f86 into main Sep 22, 2023
@vjeffrey vjeffrey deleted the vj/aws-ec2 branch September 22, 2023 13:06
@github-actions github-actions bot locked and limited conversation to collaborators Sep 22, 2023
4 participants