Add dependency check to install script
laurikimmel opened this issue · comments
Metadata:
- Operating System: Debian 8.10
- Installation method: install.sh script
- AWS CLI Version: not sure any more, less than 1.15.2
I was not able to login over SSH with existing IAM user account. Troubleshooting revealed
aws iam list-ssh-public-keys --user-name "$UnsaveUserName" --query "SSHPublicKeys[?Status == 'Active'].[SSHPublicKeyId]" --output text
in authorized_keys_command.sh was returning an error because of an outdated version of awscli.
Upgrading awscli to latest available (1.15.2) fixed the issue.
- document minimum required versions for dependencies
- add version checks to install script. E.g. check available versions and abort in case they don't meet minimum requirements
works on aws-cli/1.11.133 Python/2.7.5 Linux/3.10.0-693.el7.x86_64 botocore/1.6.0
For the record, I'm able to get it to work on legacy machines with Python 2.6.6. @michaelwittig, would you be interested in receiving a PR for the version checks?
@artburkart but I believe we first have to figure out the minimum version?
Ha, I was thinking we could just say something is the minimum until proven otherwise.
Another experience with unmet dependencies.
Started fresh EC2 instance from fairly recent Ubuntu Server 16.04 LTS (HVM) - ami-2a7d75c0. According to https://cloud-images.ubuntu.com/query/xenial/server/released.current.txt it's release from 2018-06-27.
Installed pip and awscli using
sudo apt-get update
sudo apt-get install python-pip -y
sudo pip install awscli --upgrade
as recommended in awscli user guide https://docs.aws.amazon.com/cli/latest/userguide/installing.html
Executed install script successfully using sudo ./install.sh.
User accounts were synchronised from IAM but didn't manage to login using SSH. It turned out user nobody was not able to execute aws. (Don't have exact error message available any more)
Uninstalling awscli (using pip) + pip and installing awscli using apt-get did solve the problem.
Clearly it is an issue with python + pip + awscli setup.
OTOH easy way to end up with nonfunctional system =|
Potential solution would be to test if user nobody can execute /opt/authorized_keys_command.sh and abort installation on failure.
Sidenotes:
- apt-get installs quite ancient version of awscli
aws --version
aws-cli/1.11.13 Python/3.5.2 Linux/4.4.0-1062-aws botocore/1.4.70
It's from November 2016. Latest available version is 1.15.57
- user nobody is configured in /etc/ssh/sshd_config
AuthorizedKeysCommand /opt/authorized_keys_command.sh
AuthorizedKeysCommandUser nobody
@laurikimmel in our test, we install apt-get install git awscli and it works. Have you used the install.sh script for installation of aws-ec2-ssh?
in our test, we install apt-get install git awscli and it works.
It works for me too in case I install awscli using apt-get.
Have you used the install.sh script for installation of aws-ec2-ssh?
Yes - I used install.sh script.
My point is - it's easy to get to the state where awscli is not setup properly for aws-ec2-ssh.
- started new instance
- cloned aws-ec2-ssh repo from GH
- executed aws-ec2-ssh/install.sh script as sudo
- it failed with message about missing awscli (which is good and expected)
- went to awscli page and followed installation instructions
  - installed pip (it was missing from the system)
  - installed awscli using pip (as recommended in awscli user manual)
- installed
- at this point I was able to execute aws-ec2-ssh/install.sh script successfully
After installation I was not able to login with SSH although user accounts were synced from IAM.
I suspect many potential aws-ec2-ssh users might stop here.
Actual problem is - user nobody can't execute awscli commands while root (via sudo) and default user (ubuntu in current case) can. Command
sudo -u nobody /opt/authorized_keys_command.sh xxx
fails with appropriate message.
In my opinion it would save lots of time and confusion if install.sh would check whether dependencies are properly installed or not.
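
One way to implement the two checks proposed in this thread (a minimum awscli version, and that the AuthorizedKeysCommandUser account can actually run aws), as an added example that is not part of the original thread or the aws-ec2-ssh project. The function names and the MIN_AWSCLI_VERSION and KEYS_COMMAND_USER variables are hypothetical, and the default minimum version is a placeholder because the thread never established a real one.

```sh
#!/bin/sh
# Added example: preflight checks an installer could run. Not aws-ec2-ssh code.
# Function bodies in ( ) run in a subshell, so exit only leaves the function.

# Placeholder: the thread never settled on a real minimum awscli version.
MIN_AWSCLI_VERSION="${MIN_AWSCLI_VERSION:-1.0.0}"
# Account sshd runs AuthorizedKeysCommand as (AuthorizedKeysCommandUser).
KEYS_COMMAND_USER="${KEYS_COMMAND_USER:-nobody}"

# Extract "1.11.13" from output such as "aws-cli/1.11.13 Python/3.5.2 ...".
parse_awscli_version() {
  printf '%s\n' "$1" | sed -n 's|^aws-cli/\([0-9][0-9.]*\).*|\1|p' | head -n 1
}

# version_ge A B: succeed when A >= B, comparing dotted fields as numbers.
# A plain string comparison would rank 1.11.133 above 1.15.2.
version_ge() (
  a=$1 b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}                       # leading field of each
    case $a in *.*) a=${a#*.} ;; *) a= ;; esac   # drop it from A
    case $b in *.*) b=${b#*.} ;; *) b= ;; esac   # drop it from B
    x=${x:-0}; y=${y:-0}                         # missing field counts as 0
    [ "$x" -gt "$y" ] && exit 0
    [ "$x" -lt "$y" ] && exit 1
  done
  exit 0
)

# check_awscli_version OUTPUT: 0 = ok, 1 = too old, 2 = not awscli output.
check_awscli_version() (
  v=$(parse_awscli_version "$1")
  [ -n "$v" ] || { echo "cannot parse awscli version from: $1" >&2; exit 2; }
  version_ge "$v" "$MIN_AWSCLI_VERSION" && exit 0
  echo "awscli $v is older than required $MIN_AWSCLI_VERSION" >&2
  exit 1
)

# Run a command as the unprivileged account sshd will use, not as root.
run_as_keys_user() { sudo -n -u "$KEYS_COMMAND_USER" -- "$@"; }

# In an installer: preflight || exit 1
preflight() (
  # Some awscli 1.x / Python 2 builds print the version on stderr: capture both.
  out=$(run_as_keys_user aws --version 2>&1) ||
    { echo "user $KEYS_COMMAND_USER cannot execute aws: $out" >&2; exit 1; }
  check_awscli_version "$out"
)
```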