ssh routing between multiple linux system containers transparently
I have a system where I run multiple containers. Each container is a linux system with a specific purpose and every container has an ssh server enabled. I want to make an entity that manages new ssh connections to the host machine and transparently routes each connection to a specific container (which has ssh listening too) based on a criterion. I know that I can transparently route connections to a container using ProxyCommand, for example. My problem is that I want to re-route the connection to another container "on the fly" based on other criteria, for example: if the host machine detects that a connection to container A starts to download a binary, re-route the ssh connection transparently to container B and start the download there. I want to do this in a way that the user of the system does not realize that he is in a container and that the connection is being routed between different containers while he is using the system.
A full example that may help to understand is: A client connects via ssh. This connection is made to the host machine, which has containers A and B running. The host machine has a process that redirects this incoming ssh connection to container A by default (or based on some condition). The host machine keeps analyzing what the client is doing in container A by sniffing the packets and checking the commands passed by the client. If the host machine detects some specific command like "wget", the host machine re-routes the ssh connection from container A to container B transparently, in a way that the client doesn't realize that the container changed, and then the download starts in container B.
I am using Docker and the containers that will swap the connection always have the same environment (same OS and version).
Edit:
I want a way to do this with some kind of re-routing of the connection, to apply this methodology in other cases like this example: I have host X that has container A. When the client connects to host X, the ssh connection is re-routed to host Y, which is in the same network with a listening ssh. Like before, based on a condition, host X re-routes the ssh from host Y to container A transparently to the user.
How can I do this with routing, iptables or any other method that redirects the connection?
Edit 2:
Basically I need a way to re-route the ssh from one machine to another without a noticeable re-connection. The simplest case is one machine (A) that handles the connection from the client. A client from the internet connects to this machine (A), which redirects the connection to machine (B) with ProxyCommand. Just to be simple, let's imagine that we have a timer that after 5 minutes executes a script on machine (A) that does the magic. What I want is a way to route this ssh connection from machine (B) to machine (C). The tricky part is that I want this change from B to C not to be noticed by the user (client). I want the client not to notice that the connection was routed and that the machine he was initially connected to has changed while he was using it. So for this "illusion" I wonder if there is a way to keep the original connection to the client alive but route the connection in machine (A) from B to C, so that when the client executes the next command, machine (C) will execute that command instead of machine (B).
linux ssh proxy route container
edited Nov 20 at 12:17
asked Nov 8 at 0:38
JonLord
2
To clarify: You want to transparently re-route an existing ssh-connection from container A to container B, based on what the user is doing in container A using this connection? In other words, the shell he is connected to should be moved as well? If yes, this is going to be very difficult. What kind of containers? Docker? Can the shell even expect the same environment in container B?
– dirkt
Nov 8 at 7:04
Hi dirkt, thank you for the reply. You are right, the base idea is to re-route the connection from container A to container B based on a condition. I am using Docker for Raspbian (a Debian version for Raspberry Pi) and the containers that will swap the connection always have the same environment. About the shell, my objective is that the user doesn't realize that the connection is routed, so if it is possible to move the shell it would be great, but I accept suggestions.
– JonLord
Nov 8 at 17:59
It sounds like you want some kind of load balancer. Have you looked at docs.docker.com/docker-cloud/apps/load-balance-hello-world to see if this could be applied to your ssh need?
– Lewis M
Nov 8 at 19:57
1
In principle, you can move processes between docker namespaces, but the details are going to be hairy. There are multiple ways of re-routing the connection (pure routing, iptables, probably others), but again, integration with docker will require work. Not an easy thing.
– dirkt
Nov 9 at 6:36
You have already 3 reopen votes, it seems you will win.
– peterh
Nov 9 at 9:33
1 Answer
No;
It is not possible to implement this in a robust manner. Sure you could hack something up (by wrapping the shell in a script) but any non-trivial use would immediately reveal what you were doing and would break.
Additionally there is no good reason for why someone would want this.
Whatever you are ultimately trying to accomplish there is a better way.
edited Nov 12 at 11:39
answered Nov 12 at 2:11
user1133275
Thank you for your answer sir. What do you mean by "any non-trivial use"? Can you point me in some direction? Which better way?
– JonLord
Nov 12 at 18:11
@JonLord clarify your goals before anyone attempts a more clear answer. Like "I want network IO loads in $A and CPU loads in $B because ... "
– user1133275
Nov 13 at 14:01
I understand your point, but what I specified in the image and examples is what I need. I will edit with another example.
– JonLord
Nov 15 at 3:17