Transport error, can't connect to 'ssh' backend: SSH session could not be established

Question

Transport error, can't connect to 'ssh' backend: SSH session could not be established

micmicsuarez opened this issue 8 years ago · comments

Michael commented 8 years ago

Cookbook version

iptables version 3.0.1

Chef-client version

chef-client version: 12.14.89

Platform Details

CentOs 7.2

Scenario:

Run the kitchen test command inside the cookbook.

Steps to Reproduce:

Use vagrant as the driver in .kitchen.yml.
Use CentOs 7.2 as a platform in .kitchen.yml.
Add depends 'iptables', '~> 3.0.1' in metadata.rb.
Add these following codes in the default recipe.

include_recipe 'iptables'
iptables_rule "new_rule" do
    lines '-A INPUT -j FWR'
end

Execute kitchen test.

This is my kitchen test.

control "my-iptables-rules-1.0" do
    impact 1.0
    title "my iptables base rules"
    desc "base iptables rules for server"

    describe iptables(table: 'filter', chain: 'INPUT') do
        it { should have_rule('-A INPUT -j FWR')}
    end
end

Expected Result:

It must successfully add the new rule.

Actual Result:

These are the error logs after the execution of kitchen test command.

>>>>>> ------Exception-------
>>>>>> Class: Kitchen::ActionFailed
>>>>>> Message: 1 actions failed.
>>>>>>     Failed to complete #verify action: [Transport error, can't connect to 'ssh' backend: SSH session could not be established] on default-centos-72
>>>>>> ----------------------
>>>>>> Please see .kitchen/logs/kitchen.log for more details
>>>>>> Also try running `kitchen diagnose --all` for configuration

Lamont Granquist · Answer 1 · Tue Oct 25 2016 02:53:09 GMT+0800 (China Standard Time)

pretty certain you need to add a rule for port 22 or else you filter traffic to the virtual host and kitchen dies.

Michael · Answer 2 · Tue Oct 25 2016 04:43:55 GMT+0800 (China Standard Time)

Hi @lamont-granquist

I added a rule for port 22 and this is the config in default attribute.

default['iptables']['prefix'] = [
    '-A FWR -i lo -j ACCEPT', 
    '-A FWR -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT',
    '-A INPUT -j FWR'
    ]

Code for the default recipe.

include_recipe 'iptables'

iptables_rule "new_rule" do
    lines '-A INPUT -j FWR'
end

iptables_rule 'prefix' do
    lines node['iptables']['prefix'].flatten.join("\n")
end

I found out the cause of this issue, when I executed the kitchen test command. It can't find the eth0 interface.

-A FWR -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT'

I sshed to the virtual machine and executed "ip link show` command. Here are the results:

[vagrant@default-centos-72 ~]$ ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT qlen 1000
    link/ether 08:00:27:0c:4e:dc brd ff:ff:ff:ff:ff:ff

It seems that there are only two interfaces, lo and enp0s3.

Maybe I need to add an attribute in the .kitchen.yml just to override the value of ['iptables']['prefix'] node. What do you think?

Thanks,
Micmic

Michael · Answer 3 · Tue Oct 25 2016 10:00:46 GMT+0800 (China Standard Time)

my fixed works and will close this issue. Thanks @lamont-granquist