Out-of-Band Bootstrapping with Chef on AWS Systems Manager

A modern architecture avoids opening any SSH or WinRM/RDP ports to minimize the attack surface of your systems. Instead, management connections like the AWS SSM Agent should be implemented. But some tools, especially in the configuration management sector, still rely on direct access.

Chef Infra is on track to break this limitation with its new support for out-of-band (OoB) bootstrapping using Knife and arbitrary Train transports.

The mechanics in this post depend on two currently approved but not yet merged Pull requests (Chef PR #13534, Train PR #742)

Bootstrapping

“Bootstrapping” commonly relates to enrolling a system into a centralized management system. With Chef Infra, this means installing the Chef Infra agent on the system, preconfiguring it, getting certificate-based authentication set up, and doing a first run with instructions from the Chef Infra Server.

Previously, this was done via SSH or WinRM only, limiting this to systems with direct reachability. The alternative is a manual process where administrators upload the agent to the machine and set up everything by hand.

In this blog, I refer to indirect access as “out-of-band,” regardless of the connection protocol. We will use the example of an SSM-managed EC2-node to clarify the new possibilities.

Knife

As Chef leans heavily on metaphorical names for its tool, knife is the standard tool to interact with a Chef Server. It can execute many tasks, from inventory gathering to workflow management and configuration. You can even extend it with custom plugins if you need additional functionality or commands specific to your company or project. To use knife, your workstation needs to be known and authenticated to the Chef Server.

It also is responsible for the bootstrapping of new nodes:

knife bootstrap 203.0.113.17 --node-name webserver-01 --user ec2-user --sudo --bootstrap-version 18.2.7

This command will

  • determine the connection protocol: SSH (22/tcp) or WinRM (5985/tcp or 5986/tcp)
  • connect to the machine
  • check the operating system
  • download the Chef Infra agent (in this case with a fixed version of 18.2.7)
  • ask the Chef Server for a new client identity and certificate
  • check for instructions to run (classical Chef run list or assigned policy)

So after this one-line command, you have the node inside your Chef infrastructure and can manage it along with 10,000s or even 100,000s of other nodes centrally. You can read more about the internals of Chef Bootstrapping on the documentation pages.

General Knife Train Support

Until now, knife had hardcoded SSH and WinRM protocols but already used a modular framework called Train under the hood. This framework specifies an abstract interface for command execution, file transfers, and file operations. The interface then gets implemented by different Train Transports, such as train-winrm.

With the initially mentioned pull requests, this restriction will be lifted. While API-based transports (like train-aws to communicate with the AWS meta-structure) have been turned off for obvious reasons, any installed Train Transport for command execution can now be used. This change enables other protocols like train-telnet and out-of-band functionalities like train-awsssm.

Train AWSSSM

For quite a while, an AWS-specific Train Transport has been available under train-awsssm. Its primary use so far was for another project called InSpec, which does compliance checks of cloud platforms or operating systems. It is used daily to check 100,000s of EC2 instances in regulated environments with limited connectivity.

Internally, train-awsssm uses SSM Run Documents to encapsulate commands which otherwise would be sent over SSH. The SSM agent on EC2 instances will poll for instructions via HTTPS, get these documents, execute them, and return output and exit codes. While this approach is not ideal from a latency perspective, it does include an audit trail of any commands sent via this out-of-band connection.

Development of the more advanced Session Manager connectivity is ongoing in train-awsssm but is a considerable amount of work due to the WebSocket-based proprietary binary protocol involved. This added capability will speed up out-of-band access, making the wait worth it.

EC2 Prerequisites

To enable EC2 instances for SSM, you have to associate them with an EC2 Instance Profile, which has the appropriate privileges. A quick and secure way to ensure this is to use the SSMManagedInstanceCore policy. Alternatively, you can enable SSM access on a per-region basis using Default Host Management Configuration (DHMC).

If you associate an IAM Profile, you must also enable the Instance Metadata Service (IMDS); this feature is accessible via local IP 169.254.169.254, and preferably set to require version 2. The older version 1 is still supported but has an inherent risk of leaking credentials if your instance has remote file inclusion (RFI) vulnerabilities.

If you want to use EC2 tags inside your Chef cookbooks, take care also to enable passing them into IMDS (which is not default). Chef Infra will then provide them in the node['ec2']['tags_instance_*'] attributes.

To communicate with the Chef Infra server during and after bootstrapping, enable outgoing HTTPS (443/tcp) traffic to your server address.

Workstation Prerequisites

Your local administrator workstation will need to have an updated Chef Workstation installed, which includes the updates to knife and train. Also, you need to connect it to your Chef Infra server

Then, install your out-of-band Train Transport:

  • for AWS SSM: chef gem install train-awsssm
  • for VMware Guest Operations Management: chef gem install train-vsphere-gom
  • if you intend to use a console connection: chef gem install train-serial

Using OoB Bootstrapping with AWS SSM

Of course, you need to assume an AWS profile that allows you access to the account the EC2 instance in question is in. For managing your AWS credentials, the recommendations are either the traditional Awsume command or Leapp.

Then, you will need the instance’s IP address or ID to bootstrap. train-awsssm will automatically discover the instance with this information but not try to use any IP connectivity.

While knife has a legacy option to specify the connection protocol (--connection-protocol or -o), you can use Train’s under-documented URL notation instead.

This notation will use the Train Transport name as the URL’s schema, and you can even add parameters if the Transport offers them:

knife bootstrap awsssm://i-1234567890/ --node-name webserver-01 --bootstrap-version 18.2.7 --user ec2-user --sudo

# Windows needs an extended timeout for execution
knife bootstrap awsssm://i-1234567890/?execution_timeout=600 --node-name winserver1 --bootstrap-version 18.2.7

You can check those additional parameters on the respective GitHub repositories (like the parameters for train-awsssm).

Future Developments

It is possible to extend the out-of-band capabilities of Train to other Cloud Providers or Hypervisors - the plugin ecosystem makes this very easy.

Other knife functionality still relies on the non-Train connectivity options. Hence, an extension to other subcommands or unification (knife ssh vs knife winrm) is a logical next step.

Similar Posts You Might Enjoy

Assigning EKS Namespaces to Node Groups

In AWS EKS clusters, there are a couple of use cases for which all pods of a namespace should be automatically scheduled to specific nodes in Kubernetes, including: Clear allocation of data plane infrastructure (and costs) to teams in large organizations, Running critical workloads on on-demand nodes and not on spot nodes, or Using specific hardware, such as GPU, only by workloads that actually require it. In this post, we will explore how to facilitate that in EKS. - by Benjamin Wagner

Hybrid DNS resolution using Route 53 Endpoints

When implementing a hybrid cloud solution and connecting your AWS VPCs with corporate data centers, setting up proper DNS resolution across the whole network is an important step to ensure full integration and functionality. In order to accomplish this task, Route53 Inbound and Outbound endpoints can be used. In combination with forwarding rules, they allow you to forward DNS traffic between your AWS VPC and on-premises data centers. In this blog post, I would like to show you how you can leverage Route53 endpoints in combination with Terraform to establish seamless DNS query resolution across your entire hybrid network. - by Hendrik Hagen

SBOMs on AWS - what?

Like most IT professionals, you might have read the title and googled “SBOM”. Now that you know it stands for “Software Bill of Materials”, read on to see why this will be very important in the next years. And what AWS can do to help you with this concept. - by Thomas Heinen