Environment variables set for SSM Agent on a Linux instance are inherited by SSM Session Manager connections
Suddenly I couldn't reach anything with curl
Hello, this is のんピ (@non____97).
Have you ever noticed that the result of a curl command had changed without you doing anything? I have.
While doing a connectivity check with curl as usual, I ran into a case where the connection failed.
Thinking back, I had configured a proxy for SSM Agent shortly before. The proxy configuration for SSM Agent on Linux instances is described in the following documentation.
When I checked the logs on the destination server, the proxy server's IP address was recorded.
However, when I ran curl right after making the proxy configuration, it did not go through the proxy.
I was very curious about when this behavior started and why it behaves this way, so I'm writing it up.
Summary up front
- Environment variables set for SSM Agent on a Linux instance are inherited by SSM Session Manager connections
- An SSM Session Manager connection runs as a child process of ssm-session-worker
- An ssm-session-worker process is created for each SSM Session Manager session
- If a session is still open when SSM Agent is restarted, it is reconnected; that session is not affected by the environment variables set for SSM Agent
- Connections that do not go through SSM Session Manager, such as EC2 Instance Connect, are not affected
Trying it out
Test environment
The test environment is as follows.
Squid is installed inside the EC2 instance and run as a proxy server. The SSM Agent proxy settings then point at the instance itself as the proxy server.
An EC2 Instance Connect Endpoint is also created so that the instance can be reached via EC2 Instance Connect as well.
The test environment was deployed with AWS CDK. The code used is stored in the following repository.
Before configuring the SSM Agent proxy
First, let's check whether the result of curl changes depending on whether a proxy is specified.
Connect with SSM Session Manager from the management console and run the commands there.
```
# Check the logged-in user
$ whoami
ec2-user

# Without a proxy
$ curl http://dev.classmethod.jp -I
HTTP/1.1 301 Moved Permanently
Server: CloudFront
Date: Tue, 10 Oct 2023 04:32:08 GMT
Content-Type: text/html
Content-Length: 167
Connection: keep-alive
Location: https://dev.classmethod.jp/
X-Cache: Redirect from cloudfront
Via: 1.1 a5f3f63e5cb1bdf37811b61ad2c25cbc.cloudfront.net (CloudFront)
X-Amz-Cf-Pop: IAD55-P4
Alt-Svc: h3=":443"; ma=86400
X-Amz-Cf-Id: 8FIxgBig9niVt0fNEUEx987Jx3vQOVdOcszUZrrglEgyVPXJOr7NGw==
Cache-Control: max-age=45, stale-if-error=21600

# With a proxy
$ curl http://dev.classmethod.jp -I -x http://localhost:3128
HTTP/1.1 301 Moved Permanently
Server: CloudFront
Date: Tue, 10 Oct 2023 04:32:19 GMT
Content-Type: text/html
Content-Length: 167
Location: https://dev.classmethod.jp/
X-Cache: Redirect from cloudfront
X-Amz-Cf-Pop: IAD55-P4
Alt-Svc: h3=":443"; ma=86400
X-Amz-Cf-Id: s-A8O5w-ZtmTHJ7nMt6BEwrLVnyRFza1k7JECZe026NzjLmMgiIDJw==
Cache-Control: max-age=45, stale-if-error=21600
X-Cache: MISS from ip-10-10-10-14.ec2.internal
X-Cache-Lookup: MISS from ip-10-10-10-14.ec2.internal:3128
Via: 1.1 ddd3d8441374ce62d11d031216138152.cloudfront.net (CloudFront), 1.1 ip-10-10-10-14.ec2.internal (squid/5.8)
```
When the request goes through the proxy, you can see that Squid's information has been appended to the Via header.
Configuring the proxy for SSM Agent
Now let's configure the proxy for SSM Agent.
```
# Set the proxy environment variables in the SSM Agent unit file
$ sudo systemctl edit amazon-ssm-agent

# Check the changed settings
$ cat /etc/systemd/system/amazon-ssm-agent.service.d/override.conf
[Service]
Environment="http_proxy=http://localhost:3128"
Environment="https_proxy=http://localhost:3128"
Environment="no_proxy=169.254.169.254"

# Restart SSM Agent
$ sudo systemctl daemon-reload && sudo systemctl restart amazon-ssm-agent

# Confirm that it started using the proxy server
$ sudo tail -n 150 /var/log/amazon/ssm/amazon-ssm-agent.log
2023-10-10 04:39:23 INFO [CredentialRefresher] Sending credential refresher stop signal
2023-10-10 04:39:23 INFO [Registrar] Registrar is already stopped
2023-10-10 04:39:23 INFO [amazon-ssm-agent] Bye.
2023-10-10 04:39:23 INFO [CredentialRefresher] Stopping credentials refresher
2023-10-10 04:39:23 INFO Proxy environment variables:
2023-10-10 04:39:23 INFO https_proxy: http://localhost:3128
2023-10-10 04:39:23 INFO http_proxy: http://localhost:3128
2023-10-10 04:39:23 INFO no_proxy: 169.254.169.254
2023-10-10 04:39:23 INFO Checking if agent identity type OnPrem can be assumed
2023-10-10 04:39:23 INFO Checking if agent identity type EC2 can be assumed
2023-10-10 04:39:23 INFO Agent will take identity from EC2
2023-10-10 04:39:23 INFO [amazon-ssm-agent] using named pipe channel for IPC
2023-10-10 04:39:23 INFO [amazon-ssm-agent] using named pipe channel for IPC
2023-10-10 04:39:23 INFO [amazon-ssm-agent] using named pipe channel for IPC
2023-10-10 04:39:23 INFO [amazon-ssm-agent] amazon-ssm-agent - v3.2.1630.0
2023-10-10 04:39:23 INFO [amazon-ssm-agent] OS: linux, Arch: amd64
2023-10-10 04:39:23 INFO [amazon-ssm-agent] Starting Core Agent
2023-10-10 04:39:23 INFO [amazon-ssm-agent] Registrar detected. Attempting registration
2023-10-10 04:39:23 INFO [Registrar] Starting registrar module
2023-10-10 04:39:23 INFO [EC2Identity] Checking disk for registration info
2023-10-10 04:39:23 INFO [EC2Identity] Registration info found for ec2 instance
2023-10-10 04:39:23 INFO [amazon-ssm-agent] Registration attempted. Resuming core agent startup.
2023-10-10 04:39:23 INFO [CredentialRefresher] credentialRefresher has started
2023-10-10 04:39:23 INFO [CredentialRefresher] Credentials ready
2023-10-10 04:39:23 INFO [CredentialRefresher] Starting credentials refresher loop
2023-10-10 04:39:23 INFO [CredentialRefresher] Next credential rotation will be in 21.920998434933335 minutes
2023-10-10 04:39:24 INFO [amazon-ssm-agent] [LongRunningWorkerContainer] [WorkerProvider] Worker ssm-agent-worker is not running, starting worker process
2023-10-10 04:39:24 INFO [ssm-agent-worker] Checking if agent identity type OnPrem can be assumed
2023-10-10 04:39:24 INFO [amazon-ssm-agent] [LongRunningWorkerContainer] [WorkerProvider] Worker ssm-agent-worker (pid:25825) started
2023-10-10 04:39:24 INFO [ssm-agent-worker] Checking if agent identity type EC2 can be assumed
2023-10-10 04:39:24 INFO [ssm-agent-worker] Agent will take identity from EC2
2023-10-10 04:39:24 INFO [ssm-agent-worker] using named pipe channel for IPC
2023-10-10 04:39:24 INFO [ssm-agent-worker] Dial to Core Agent broadcast channel
2023-10-10 04:39:24 INFO [ssm-agent-worker] using named pipe channel for IPC
2023-10-10 04:39:24 INFO [ssm-agent-worker] Dial to Core Agent broadcast channel
2023-10-10 04:39:24 INFO [ssm-agent-worker] using named pipe channel for IPC
2023-10-10 04:39:24 INFO [ssm-agent-worker] Create new startup processor
2023-10-10 04:39:24 INFO [ssm-agent-worker] Start to listen to Core Agent termination channel
2023-10-10 04:39:24 INFO [ssm-agent-worker] Start to listen to Core Agent health channel
2023-10-10 04:39:24 INFO [ssm-agent-worker] [StartupProcessor] Executing startup processor tasks
2023-10-10 04:39:24 INFO [ssm-agent-worker] [StartupProcessor] Write to serial port: Amazon SSM Agent v3.2.1630.0 is running
2023-10-10 04:39:24 INFO [ssm-agent-worker] [StartupProcessor] Write to serial port: OsProductName: Amazon Linux
2023-10-10 04:39:24 INFO [ssm-agent-worker] [StartupProcessor] Write to serial port: OsVersion: 2023
2023-10-10 04:39:24 INFO [ssm-agent-worker] [MessageService] Appending MGSInteractor to MessageService interactors
2023-10-10 04:39:24 INFO [ssm-agent-worker] [MessageService] Appending MDSInteractor to MessageService interactors
2023-10-10 04:39:24 INFO [ssm-agent-worker] [LongRunningPluginsManager] registered plugins: {}
2023-10-10 04:39:24 INFO [ssm-agent-worker] Initializing bookkeeping folders
2023-10-10 04:39:24 INFO [ssm-agent-worker] removing the completed state files
2023-10-10 04:39:24 INFO [ssm-agent-worker] Initializing bookkeeping folders for long running plugins
2023-10-10 04:39:24 INFO [ssm-agent-worker] Initializing replies folder for MDS reply requests that couldn't reach the service
2023-10-10 04:39:24 INFO [ssm-agent-worker] Initializing replies folder for MGS reply requests that couldn't reach the service
2023-10-10 04:39:24 INFO [ssm-agent-worker] Initializing healthcheck folders for long running plugins
2023-10-10 04:39:24 INFO [ssm-agent-worker] Initializing locations for inventory plugin
2023-10-10 04:39:24 INFO [ssm-agent-worker] Initializing default location for custom inventory
2023-10-10 04:39:24 INFO [ssm-agent-worker] Initializing default location for file inventory
2023-10-10 04:39:24 INFO [ssm-agent-worker] Initializing default location for role inventory
2023-10-10 04:39:24 INFO [ssm-agent-worker] Init the cloudwatchlogs publisher
2023-10-10 04:39:24 INFO [ssm-agent-worker] [instanceID=i-0dd3c23fe7bbc09d5] Successfully loaded platform independent plugin aws:runDockerAction
2023-10-10 04:39:24 INFO [ssm-agent-worker] [instanceID=i-0dd3c23fe7bbc09d5] Successfully loaded platform independent plugin aws:downloadContent
2023-10-10 04:39:24 INFO [ssm-agent-worker] [instanceID=i-0dd3c23fe7bbc09d5] Successfully loaded platform independent plugin aws:softwareInventory
2023-10-10 04:39:24 INFO [ssm-agent-worker] [instanceID=i-0dd3c23fe7bbc09d5] Successfully loaded platform independent plugin aws:runPowerShellScript
2023-10-10 04:39:24 INFO [ssm-agent-worker] [instanceID=i-0dd3c23fe7bbc09d5] Successfully loaded platform independent plugin aws:updateSsmAgent
2023-10-10 04:39:24 INFO [ssm-agent-worker] [instanceID=i-0dd3c23fe7bbc09d5] Successfully loaded platform independent plugin aws:configureDocker
2023-10-10 04:39:24 INFO [ssm-agent-worker] [instanceID=i-0dd3c23fe7bbc09d5] Successfully loaded platform independent plugin aws:refreshAssociation
2023-10-10 04:39:24 INFO [ssm-agent-worker] [instanceID=i-0dd3c23fe7bbc09d5] Successfully loaded platform independent plugin aws:configurePackage
2023-10-10 04:39:24 INFO [ssm-agent-worker] [instanceID=i-0dd3c23fe7bbc09d5] Successfully loaded platform independent plugin aws:runDocument
2023-10-10 04:39:24 INFO [ssm-agent-worker] [instanceID=i-0dd3c23fe7bbc09d5] Successfully loaded platform dependent plugin aws:domainJoin
2023-10-10 04:39:24 INFO [ssm-agent-worker] [instanceID=i-0dd3c23fe7bbc09d5] Successfully loaded platform dependent plugin aws:runShellScript
2023-10-10 04:39:24 INFO [ssm-agent-worker] ssm-agent-worker - v3.2.1630.0
2023-10-10 04:39:24 INFO [ssm-agent-worker] OS: linux, Arch: amd64
2023-10-10 04:39:24 INFO [ssm-agent-worker] [MessageService] starting MessageService
2023-10-10 04:39:24 INFO [amazon-ssm-agent] [LongRunningWorkerContainer] Monitor long running worker health every 60 seconds
2023-10-10 04:39:24 INFO [ssm-session-worker] [<IAMユーザー名>-0d42f5ae2839cb650] [DataBackend] received plugin config message
2023-10-10 04:39:24 INFO [ssm-agent-worker] [MessageService] [MessageHandler] initializing message handler
2023-10-10 04:39:24 INFO [ssm-session-worker] [<IAMユーザー名>-0d42f5ae2839cb650] [DataBackend] {"DocumentInformation":{"DocumentID":"<IAMユーザー名>-0d42f5ae2839cb650","CommandID":"<IAMユーザー名>-0d42f5ae2839cb650","AssociationID":"","InstanceID":"i-0dd3c23fe7bbc09d5","MessageID":"<IAMユーザー名>-0d42f5ae2839cb650","RunID":"2023-10-10T04-31-50.686Z","CreatedDate":"55743-01-04 18:44:42 +0000 UTC","DocumentName":"","DocumentVersion":"","DocumentStatus":"InProgress","RunCount":1,"ProcInfo":{"Pid":10130,"StartTime":"2023-10-10T04:31:50.688647915Z"},"ClientId":"","RunAsUser":"","SessionOwner":"arn:aws:sts::<AWSアカウントID>:assumed-role/<IAMユーザー名>/<IAMユーザー名>"},"DocumentType":"StartSession","SchemaVersion":"1.0","InstancePluginsInformation":[{"Configuration":{"Settings":null,"Properties":null,"OutputS3KeyPrefix":"","OutputS3BucketName":"","S3EncryptionEnabled":true,"CloudWatchLogGroup":"/aws/ssm/session-manager","CloudWatchEncryptionEnabled":false,"CloudWatchStreamingEnabled":true,"OrchestrationDirectory":"/var/lib/amazon/ssm/i-0dd3c23fe7bbc09d5/session/orchestration/<IAMユーザー名>-0d42f5ae2839cb650/Standard_Stream","MessageId":"<IAMユーザー名>-0d42f5ae2839cb650","BookKeepingFileName":"<IAMユーザー名>-0d42f5ae2839cb650","PluginName":"Standard_Stream","PluginID":"Standard_Stream","DefaultWorkingDirectory":"","Preconditions":null,"IsPreconditionEnabled":false,"CurrentAssociations":null,"SessionId":"<IAMユーザー名>-0d42f5ae2839cb650","ClientId":"","KmsKeyId":"","RunAsEnabled":true,"RunAsUser":"ec2-user","ShellProfile":{"windows":"","linux":"/bin/bash\ncd /home/ec2-user"},"SessionOwner":"arn:aws:sts::<AWSアカウントID>:assumed-role/<IAMユーザー名>/<IAMユーザー名>","UpstreamServiceName":""},"Name":"Standard_Stream","Result":{"pluginID":"","pluginName":"","status":"","code":0,"output":null,"startDateTime":"0001-01-01T00:00:00Z","endDateTime":"0001-01-01T00:00:00Z","outputS3BucketName":"","outputS3KeyPrefix":"","stepName":"","error":"","standardOutput":"","standardError":""},"Id":"Standard_Stream"}],"CancelInformation":{"CancelMessageID":"","CancelCommandID":"","Payload":"","DebugInfo":""},"IOConfig":{"OrchestrationDirectory":"/var/lib/amazon/ssm/i-0dd3c23fe7bbc09d5/session/orchestration/<IAMユーザー名>-0d42f5ae2839cb650","OutputS3BucketName":"","OutputS3KeyPrefix":"","CloudWatchConfig":{"LogGroupName":"","LogStreamPrefix":"","LogGroupEncryptionEnabled":false}},"UpstreamServiceName":"MessageGatewayService"}
2023-10-10 04:39:24 INFO [ssm-agent-worker] [MessageService] MDSInteractor initialization started
2023-10-10 04:39:24 INFO [ssm-agent-worker] [MessageService] [MDSInteractor] Starting message polling
2023-10-10 04:39:24 INFO [ssm-agent-worker] [MessageService] [MDSInteractor] Starting send failed replies to MDS
2023-10-10 04:39:24 INFO [ssm-agent-worker] [MessageService] supported workers for the interactor MDSInteractor: [ssm-document-worker]
2023-10-10 04:39:24 INFO [ssm-agent-worker] [MessageService] processor initialization started for worker ssm-document-worker belonging to MDSInteractor
2023-10-10 04:39:24 INFO [ssm-agent-worker] [OfflineService] Starting document processing engine...
2023-10-10 04:39:24 INFO [ssm-agent-worker] [OfflineService] [EngineProcessor] Starting
2023-10-10 04:39:24 INFO [ssm-agent-worker] [OfflineService] [EngineProcessor] Initial processing
2023-10-10 04:39:24 INFO [ssm-agent-worker] [OfflineService] [EngineProcessor] Found in-progress document - <IAMユーザー名>-0d42f5ae2839cb650
2023-10-10 04:39:24 INFO [ssm-agent-worker] [MessageService] [Association] empty worker type assigned, assigning random doc type
2023-10-10 04:39:24 INFO [ssm-agent-worker] [MessageService] registering processor CommandProcessor for the interactor: MDSInteractor
2023-10-10 04:39:24 INFO [ssm-agent-worker] [MessageService] [EngineProcessor] Starting
2023-10-10 04:39:24 INFO [ssm-agent-worker] [MessageService] [EngineProcessor] Initial processing
2023-10-10 04:39:24 INFO [ssm-agent-worker] [MessageService] [EngineProcessor] Found in-progress document - <IAMユーザー名>-0d42f5ae2839cb650
2023-10-10 04:39:24 INFO [ssm-agent-worker] [MessageService] [Association] Starting association polling
2023-10-10 04:39:24 INFO [ssm-agent-worker] [MessageService] [Association] [EngineProcessor] Starting
2023-10-10 04:39:24 INFO [ssm-agent-worker] [MessageService] [Association] Launching response handler
2023-10-10 04:39:24 INFO [ssm-agent-worker] [MessageService] [Association] [EngineProcessor] Initial processing
2023-10-10 04:39:24 INFO [ssm-agent-worker] [OfflineService] Scheduling message polling
2023-10-10 04:39:24 INFO [ssm-agent-worker] [OfflineService] Starting send replies to MDS
2023-10-10 04:39:24 INFO [ssm-agent-worker] [MessageService] [Association] [EngineProcessor] Found in-progress document - <IAMユーザー名>-0d42f5ae2839cb650
2023-10-10 04:39:24 INFO [ssm-agent-worker] [LongRunningPluginsManager] starting long running plugin manager
2023-10-10 04:39:24 INFO [ssm-agent-worker] [LongRunningPluginsManager] there aren't any long running plugin to execute
2023-10-10 04:39:24 INFO [ssm-agent-worker] [LongRunningPluginsManager] There are no long running plugins currently getting executed - skipping their healthcheck
2023-10-10 04:39:24 INFO [ssm-agent-worker] [MessageService] [MDSInteractor] listen reply thread started
2023-10-10 04:39:24 INFO [ssm-agent-worker] [MessageService] MGSInteractor initialization started
2023-10-10 04:39:24 INFO [ssm-agent-worker] [MessageService] [MGSInteractor] SSM Agent is trying to setup control channel for MGSInteractor
2023-10-10 04:39:24 INFO [ssm-agent-worker] [MessageService] [Association] Initializing association scheduling service
2023-10-10 04:39:24 INFO [ssm-agent-worker] [MessageService] [Association] Association scheduling service initialized
2023-10-10 04:39:24 INFO [ssm-agent-worker] [MessageService] processor initialization completed for worker ssm-document-worker belonging to MDSInteractor
2023-10-10 04:39:24 INFO [ssm-agent-worker] [MessageService] MDSInteractor initialization completed
2023-10-10 04:39:24 INFO [ssm-agent-worker] [MessageService] [CommandProcessorWrapper] started listening command reply thread
2023-10-10 04:39:24 INFO [ssm-agent-worker] [MessageService] [MGSInteractor] agent telemetry cloudwatch metrics disabled
2023-10-10 04:39:24 INFO [ssm-agent-worker] [MessageService] [MGSInteractor] Setting up websocket for controlchannel for instance: i-0dd3c23fe7bbc09d5, requestId: 7405b982-2152-4121-a9d0-91a28ee62f43
2023-10-10 04:39:24 INFO [ssm-agent-worker] [MessageService] [MGSInteractor] listen incoming messages thread in MGS interactor started
2023-10-10 04:39:24 INFO [ssm-agent-worker] [HealthCheck] HealthCheck reporting agent health.
2023-10-10 04:39:24 INFO [ssm-agent-worker] [MessageService] [MGSInteractor] started reply processing queue
2023-10-10 04:39:24 INFO [ssm-agent-worker] [MessageService] [MGSInteractor] listen reply thread in MGS interactor started
2023-10-10 04:39:24 INFO [ECSIdentity] Agent not taking ECS identity: Could not fetch metadata endpoint
2023-10-10 04:39:24 INFO [ssm-agent-worker] [HealthCheck] got SSM connection channel value:
2023-10-10 04:39:24 INFO [ssm-agent-worker] [MessageService] [MGSInteractor] Opening websocket connection to: wss://ssmmessages.us-east-1.amazonaws.com/v1/control-channel/i-0dd3c23fe7bbc09d5?role=subscribe&stream=input
2023-10-10 04:39:24 INFO [ssm-agent-worker] [MessageService] [MGSInteractor] Successfully opened websocket connection to: wss://ssmmessages.us-east-1.amazonaws.com/v1/control-channel/i-0dd3c23fe7bbc09d5?role=subscribe&stream=input
2023-10-10 04:39:24 INFO [ssm-agent-worker] [MessageService] [MGSInteractor] Starting websocket pinger
2023-10-10 04:39:24 INFO [ssm-agent-worker] [MessageService] [MGSInteractor] Starting websocket listener
2023-10-10 04:39:24 INFO [ssm-agent-worker] [MessageService] [MGSInteractor] received message through control channel 32da66ea-3e6c-4010-b51d-18c5383eae77, message type: control_channel_ready
2023-10-10 04:39:24 INFO [ssm-agent-worker] [MessageService] [MGSInteractor] Control channel ready message received: true
2023-10-10 04:39:24 INFO [ssm-agent-worker] [MessageService] [MGSInteractor] Setting up agent telemetry scheduler
2023-10-10 04:39:24 INFO [ssm-agent-worker] [MessageService] [MGSInteractor] Set up control channel successfully
2023-10-10 04:39:24 INFO [ssm-agent-worker] [MessageService] supported workers for the interactor MGSInteractor: [ssm-document-worker ssm-session-worker]
2023-10-10 04:39:24 INFO [ssm-agent-worker] [MessageService] processor initialization started for worker ssm-document-worker belonging to MGSInteractor
2023-10-10 04:39:24 INFO [ssm-agent-worker] [MessageService] processor initialization started for worker ssm-session-worker belonging to MGSInteractor
2023-10-10 04:39:24 INFO [ssm-agent-worker] [MessageService] registering processor SessionProcessor for the interactor: MGSInteractor
2023-10-10 04:39:24 INFO [ssm-agent-worker] [MessageService] [EngineProcessor] Starting
2023-10-10 04:39:24 INFO [ssm-agent-worker] [MessageService] [EngineProcessor] Initial processing
2023-10-10 04:39:24 INFO [ssm-agent-worker] [MessageService] [EngineProcessor] Found in-progress document - <IAMユーザー名>-0d42f5ae2839cb650
2023-10-10 04:39:24 INFO [ssm-agent-worker] [MessageService] [Association] empty worker type assigned, assigning random doc type
2023-10-10 04:39:24 INFO [ssm-agent-worker] [MessageService] registering processor CommandProcessor for the interactor: MGSInteractor
2023-10-10 04:39:24 INFO [ssm-agent-worker] [MessageService] [CommandProcessorWrapper] processor already initialized CommandProcessor
2023-10-10 04:39:24 INFO [ssm-agent-worker] [MessageService] [MGSInteractor] Starting MGS update reply file watcher
2023-10-10 04:39:24 INFO [ssm-agent-worker] [MessageService] [EngineProcessor] Processing in-progress document <IAMユーザー名>-0d42f5ae2839cb650
2023-10-10 04:39:24 INFO [ssm-agent-worker] [MessageService] [EngineProcessor] Processing document <IAMユーザー名>-0d42f5ae2839cb650 from state dir current
2023-10-10 04:39:24 INFO [ssm-agent-worker] [MessageService] [EngineProcessor] document <IAMユーザー名>-0d42f5ae2839cb650 submission started
2023-10-10 04:39:24 INFO [ssm-agent-worker] [MessageService] [EngineProcessor] document <IAMユーザー名>-0d42f5ae2839cb650 submission ended
2023-10-10 04:39:24 INFO [ssm-agent-worker] [MessageService] [SessionProcessorWrapper] listening session reply.
2023-10-10 04:39:24 INFO [ssm-agent-worker] [MessageService] [EngineProcessor] Got job <IAMユーザー名>-0d42f5ae2839cb650, starting worker
2023-10-10 04:39:24 INFO [ssm-agent-worker] [MessageService] [EngineProcessor] [BasicExecuter] [<IAMユーザー名>-0d42f5ae2839cb650] channel: <IAMユーザー名>-0d42f5ae2839cb650 found
2023-10-10 04:39:24 INFO [ssm-agent-worker] [MessageService] [EngineProcessor] [BasicExecuter] [<IAMユーザー名>-0d42f5ae2839cb650] discovered old channel object, trying to find detached process...
2023-10-10 04:39:24 INFO [ssm-agent-worker] [MessageService] [EngineProcessor] [BasicExecuter] [<IAMユーザー名>-0d42f5ae2839cb650] master listener started on path: /var/lib/amazon/ssm/i-0dd3c23fe7bbc09d5/channels/<IAMユーザー名>-0d42f5ae2839cb650
2023-10-10 04:39:24 INFO [ssm-agent-worker] [MessageService] [EngineProcessor] [BasicExecuter] [<IAMユーザー名>-0d42f5ae2839cb650] found orphan process: 10130, start time: 2023-10-10 04:31:50.688647915 +0000 UTC
2023-10-10 04:39:24 INFO [ssm-agent-worker] [MessageService] [EngineProcessor] [BasicExecuter] [<IAMユーザー名>-0d42f5ae2839cb650] inter process communication started at /var/lib/amazon/ssm/i-0dd3c23fe7bbc09d5/channels/<IAMユーザー名>-0d42f5ae2839cb650
2023-10-10 04:39:26 INFO [ssm-agent-worker] [MessageService] processor initialization completed for worker ssm-session-worker belonging to MGSInteractor
2023-10-10 04:39:26 INFO [ssm-agent-worker] [MessageService] processor initialization completed for worker ssm-document-worker belonging to MGSInteractor
2023-10-10 04:39:26 INFO [ssm-agent-worker] [MessageService] MGSInteractor initialization completed
2023-10-10 04:39:26 INFO [ssm-agent-worker] [MessageService] [MGSInteractor] send failed reply thread started
2023-10-10 04:39:26 INFO [ssm-agent-worker] [MessageService] [MGSInteractor] send failed reply thread done
```
This confirms that SSM Agent reads the proxy server environment variables at startup.
We can also see that when a session has not been disconnected, the agent goes and reconnects to it.
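Those two facts are what an operator wants out of the agent log after a restart: which proxy settings the new agent picked up, and which session workers it found as orphans and re-attached (the shells under those workers keep the pre-restart environment). The following shell script is an added example, not code from the post or from AWS; the sample log lines are trimmed copies of the post's log with a constructed session id (`exampleuser-...`) in place of the redacted one.

```shell
#!/bin/sh
# Added example (not from the original post): summarise an amazon-ssm-agent.log
# restart. agent_restart_summary reads the log on stdin and prints one
# "proxy ..." line per proxy variable the agent reported and one
# "reattached <session> pid=<pid>" line per orphaned session worker it adopted.

# Constructed sample: trimmed copies of the post's log lines, session id made up.
sample_agent_log() {
  cat <<'EOF'
2023-10-10 04:39:23 INFO [amazon-ssm-agent] Bye.
2023-10-10 04:39:23 INFO Proxy environment variables:
2023-10-10 04:39:23 INFO https_proxy: http://localhost:3128
2023-10-10 04:39:23 INFO http_proxy: http://localhost:3128
2023-10-10 04:39:23 INFO no_proxy: 169.254.169.254
2023-10-10 04:39:23 INFO Checking if agent identity type OnPrem can be assumed
2023-10-10 04:39:24 INFO [ssm-agent-worker] [MessageService] [EngineProcessor] Found in-progress document - exampleuser-0d42f5ae2839cb650
2023-10-10 04:39:24 INFO [ssm-agent-worker] [MessageService] [EngineProcessor] [BasicExecuter] [exampleuser-0d42f5ae2839cb650] found orphan process: 10130, start time: 2023-10-10 04:31:50.688647915 +0000 UTC
EOF
}

agent_restart_summary() {
  awk '
    # the agent logs the variable lines directly after this header line
    / INFO Proxy environment variables:/ { inproxy = 1; next }
    inproxy && / INFO (https_proxy|http_proxy|no_proxy): / {
      sub(/.* INFO /, ""); print "proxy " $0; next
    }
    { inproxy = 0 }
    # "[BasicExecuter] [<session>] found orphan process: <pid>, start time: ..."
    / found orphan process: / {
      sess = $0; sub(/.*\] \[/, "", sess); sub(/\].*/, "", sess)
      pid = $0; sub(/.*found orphan process: /, "", pid); sub(/,.*/, "", pid)
      print "reattached " sess " pid=" pid
    }'
}

# Usage on a real instance (path from the post):
#   sudo cat /var/log/amazon/ssm/amazon-ssm-agent.log | agent_restart_summary
sample_agent_log | agent_restart_summary
```

On the post's instance the output would list the three proxy variables and `reattached ... pid=10130`, which is exactly the worker that `systemctl status` later shows still running with the old environment.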
Checking behavior after configuring the SSM Agent proxy
Let's check how things behave after configuring the SSM Agent proxy.
```
# Check the environment variable used in the SSM Agent proxy settings
$ echo $http_proxy

# Check whether the request goes through the proxy
$ curl http://dev.classmethod.jp -I
HTTP/1.1 301 Moved Permanently
Server: CloudFront
Date: Tue, 10 Oct 2023 04:40:06 GMT
Content-Type: text/html
Content-Length: 167
Connection: keep-alive
Location: https://dev.classmethod.jp/
X-Cache: Redirect from cloudfront
Via: 1.1 e7803a00a023f1e04faef1ed4f572ace.cloudfront.net (CloudFront)
X-Amz-Cf-Pop: IAD55-P4
Alt-Svc: h3=":443"; ma=86400
X-Amz-Cf-Id: u-WuQesm8Y2sl9IPi3nKPI0WNfrO1VNsfDlOVE61boYieVbztmh4qg==
Cache-Control: max-age=45, stale-if-error=21600
```
At this point the request still does not go through the proxy server.
Now connect in a separate SSM Session Manager session.
```
# Check whether the request goes through the proxy
$ curl http://dev.classmethod.jp -I
HTTP/1.1 301 Moved Permanently
Server: CloudFront
Date: Tue, 10 Oct 2023 04:42:29 GMT
Content-Type: text/html
Content-Length: 167
Location: https://dev.classmethod.jp/
X-Cache: Redirect from cloudfront
X-Amz-Cf-Pop: IAD55-P4
Alt-Svc: h3=":443"; ma=86400
X-Amz-Cf-Id: S9oX6nQUG8TNJpJBf3gYU3CgUU0DWi66IlyayJmxKp21H5egDid9xQ==
Cache-Control: max-age=45, stale-if-error=21600
X-Cache: MISS from ip-10-10-10-14.ec2.internal
X-Cache-Lookup: HIT from ip-10-10-10-14.ec2.internal:3128
Via: 1.1 0af050b863ec46156a524df4e5d86692.cloudfront.net (CloudFront), 1.1 ip-10-10-10-14.ec2.internal (squid/5.8)
Connection: keep-alive

# Check the environment variables used in the SSM Agent proxy settings
$ echo $http_proxy
http://localhost:3128
$ echo $https_proxy
http://localhost:3128
$ echo $no_proxy
169.254.169.254
```
In the separate session, the proxy environment variables configured for SSM Agent are set, and curl is affected by them.
This is something to watch out for when working through SSM Session Manager.
If you don't want curl to go through the proxy, specifying the `--noproxy '*'` option (quoted so the shell does not glob-expand the `*`) works well.
```
# The '*' is quoted so the shell passes it to curl instead of expanding it
$ curl http://dev.classmethod.jp -I --noproxy '*'
HTTP/1.1 301 Moved Permanently
Server: CloudFront
Date: Tue, 10 Oct 2023 04:44:26 GMT
Content-Type: text/html
Content-Length: 167
Connection: keep-alive
Location: https://dev.classmethod.jp/
X-Cache: Redirect from cloudfront
Via: 1.1 6d5b0fa46ef77b2ff227bdbcee6603ee.cloudfront.net (CloudFront)
X-Amz-Cf-Pop: IAD55-P4
Alt-Svc: h3=":443"; ma=86400
X-Amz-Cf-Id: 0nS43FyA_tuZ6oA2Fh8yFCqWn77UpuW92wttAgNUa7NnuK9WIv169Q==
Cache-Control: max-age=45, stale-if-error=21600
```
Checking the SSM Session Manager processes
Let's take a look at the SSM Session Manager processes.
You can see that the SSM Agent service has several child processes.
```
$ systemctl status amazon-ssm-agent
● amazon-ssm-agent.service - amazon-ssm-agent
     Loaded: loaded (/usr/lib/systemd/system/amazon-ssm-agent.service; enabled; preset: enabled)
    Drop-In: /etc/systemd/system/amazon-ssm-agent.service.d
             └─override.conf
     Active: active (running) since Tue 2023-10-10 04:39:23 UTC; 5min ago
   Main PID: 25815 (amazon-ssm-agen)
      Tasks: 47 (limit: 1061)
     Memory: 263.8M
        CPU: 1.484s
     CGroup: /system.slice/amazon-ssm-agent.service
             ├─10130 /usr/bin/ssm-session-worker <IAMユーザー名>-0d42f5ae2839cb650
             ├─10526 sh
             ├─10536 /bin/bash
             ├─25815 /usr/bin/amazon-ssm-agent
             ├─25825 /usr/bin/ssm-agent-worker
             ├─26014 /usr/bin/ssm-session-worker <IAMユーザー名>-02b0260ef04e02e64
             ├─26030 sh
             ├─26031 /bin/bash
             ├─26141 systemctl status amazon-ssm-agent
             └─26142 less

Oct 10 04:39:23 ip-10-10-10-14.ec2.internal amazon-ssm-agent[25815]: 2023-10-10 04:39:23 INFO [EC2Identity] Registration info found for ec2 >
Oct 10 04:39:23 ip-10-10-10-14.ec2.internal amazon-ssm-agent[25815]: 2023-10-10 04:39:23 INFO [amazon-ssm-agent] Registration attempted. Res>
Oct 10 04:39:23 ip-10-10-10-14.ec2.internal amazon-ssm-agent[25815]: 2023-10-10 04:39:23 INFO [CredentialRefresher] credentialRefresher has >
Oct 10 04:39:23 ip-10-10-10-14.ec2.internal amazon-ssm-agent[25815]: 2023-10-10 04:39:23 INFO [CredentialRefresher] Credentials ready
Oct 10 04:39:23 ip-10-10-10-14.ec2.internal amazon-ssm-agent[25815]: 2023-10-10 04:39:23 INFO [CredentialRefresher] Starting credentials ref>
Oct 10 04:39:23 ip-10-10-10-14.ec2.internal amazon-ssm-agent[25815]: 2023-10-10 04:39:23 INFO [CredentialRefresher] Next credential rotation>
Oct 10 04:39:24 ip-10-10-10-14.ec2.internal amazon-ssm-agent[25815]: 2023-10-10 04:39:24 INFO [amazon-ssm-agent] [LongRunningWorkerContainer>
Oct 10 04:39:24 ip-10-10-10-14.ec2.internal amazon-ssm-agent[25815]: 2023-10-10 04:39:24 INFO [amazon-ssm-agent] [LongRunningWorkerContainer>
Oct 10 04:39:24 ip-10-10-10-14.ec2.internal amazon-ssm-agent[25815]: 2023-10-10 04:39:24 INFO [amazon-ssm-agent] [LongRunningWorkerContainer>
Oct 10 04:39:35 ip-10-10-10-14.ec2.internal sudo[25838]: ec2-user : TTY=pts/0 ; PWD=/home/ec2-user ; USER=root ; COMMAND=/usr/bin/tail -n 150>
```
An ssm-session-worker process is spawned for each SSM Session Manager session.
Let's look at the ssm-session-worker process with PID 26014.
```
$ sudo ps auf -p 26014
USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root       26014  0.2  2.3 727748 22028 ?        Sl   04:42   0:01 /usr/bin/ssm-session-worker <IAMユーザー名>-02b0260ef04e02e64
ec2-user   26030  0.0  0.4 232300  4036 pts/1    Ss   04:42   0:00  \_ sh
ec2-user   26031  0.0  0.5 233064  5104 pts/1    S    04:42   0:00      \_ /bin/bash
root       26563  0.0  0.9 260304  8444 pts/1    S+   04:50   0:00          \_ sudo ps auf -p 26014
root       26565  0.0  0.3 232520  2856 pts/1    R+   04:50   0:00              \_ ps auf -p 26014
ec2-user   10526  0.0  0.4 232300  4012 pts/0    Ss   04:31   0:00 sh
ec2-user   10536  0.0  0.5 233064  5060 pts/0    S+   04:31   0:00  \_ /bin/bash
root        1657  0.0  0.1 221388  1068 ttyS0    Ss+  04:31   0:00 /sbin/agetty -o -p -- \u --keep-baud 115200,57600,38400,9600 - vt220
root        1655  0.0  0.1 221344  1068 tty1     Ss+  04:31   0:00 /sbin/agetty -o -p -- \u --noclear - linux
```
You can see that the parent of the sudo ps auf -p 26014 command run to inspect the processes is ssm-session-worker.
Let's check the environment variables of ssm-session-worker and its child processes.
```
$ sudo ps aufe
USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
ec2-user   27409  0.0  0.4 232300  4048 pts/3    Ss   04:56   0:00 sh LANG=C.UTF-8 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin INVOCATION_ID=2ee22573034645bbb2fca2fc02a9d532 JOURNAL_STREAM=8:44903 SYSTEMD_EXEC_PID=25815 http_proxy=http://localhost:3128 https_proxy=http://localhost:3128 no_proxy=169.254.169.254 TERM=xterm-256color HOME=/home/ec2-user
ec2-user   27410  0.0  0.5 233064  5080 pts/3    S    04:56   0:00  \_ /bin/bash no_proxy=169.254.169.254 PWD=/usr/bin SYSTEMD_EXEC_PID=25815 HOME=/home/ec2-user LANG=C.UTF-8 https_proxy=http://localhost:3128 INVOCATION_ID=2ee22573034645bbb2fca2fc02a9d532 TERM=xterm-256color SHLVL=1 http_proxy=http://localhost:3128 JOURNAL_STREAM=8:44903 PATH=/usr/local/sbin:/usr/local/
root       27743  1.0  0.9 260304  8404 pts/3    S+   05:00   0:00      \_ sudo ps aufe no_proxy=169.254.169.254 SYSTEMD_COLORS=false PWD=/home/ec2-user SYSTEMD_EXEC_PID=25815 HOME=/home/ec2-user LANG=C.UTF-8 LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=01;37;41:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=3
root       27755  0.0  0.3 232520  2856 pts/3    R+   05:00   0:00          \_ ps aufe LANG=C.UTF-8 LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=01;37;41:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc=01;31:*.arj=01;31:*.taz=01;31:*.lha=01;31:*.lz4=01;31:*.lzh=01;31
ec2-user   26987  0.0  0.5 233060  5068 pts/2    Ss+  04:51   0:00 -bash USER=ec2-user LOGNAME=ec2-user HOME=/home/ec2-user PATH=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin SHELL=/bin/bash TERM=xterm SELINUX_ROLE_REQUESTED= SELINUX_LEVEL_REQUESTED= SELINUX_USE_CURRENT_RANGE= MOTD_SHOWN=pam XDG_SESSION_ID=11 XDG_RUNTIME_DIR=/run/user/1000 DBUS_SESSION_BUS_ADDRESS=u
ec2-user   26030  0.0  0.4 232300  4036 pts/1    Ss   04:42   0:00 sh LANG=C.UTF-8 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin INVOCATION_ID=2ee22573034645bbb2fca2fc02a9d532 JOURNAL_STREAM=8:44903 SYSTEMD_EXEC_PID=25815 http_proxy=http://localhost:3128 https_proxy=http://localhost:3128 no_proxy=169.254.169.254 TERM=xterm-256color HOME=/home/ec2-user
ec2-user   26031  0.0  0.5 233064  5104 pts/1    S+   04:42   0:00  \_ /bin/bash no_proxy=169.254.169.254 PWD=/usr/bin SYSTEMD_EXEC_PID=25815 HOME=/home/ec2-user LANG=C.UTF-8 https_proxy=http://localhost:3128 INVOCATION_ID=2ee22573034645bbb2fca2fc02a9d532 TERM=xterm-256color SHLVL=1 http_proxy=http://localhost:3128 JOURNAL_STREAM=8:44903 PATH=/usr/local/sbin:/usr/local/
ec2-user   10526  0.0  0.4 232300  4012 pts/0    Ss   04:31   0:00 sh LANG=C.UTF-8 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin INVOCATION_ID=320b62fc18e24351b44bc3cda39792bc JOURNAL_STREAM=8:17425 SYSTEMD_EXEC_PID=1639 TERM=xterm-256color HOME=/home/ec2-user
ec2-user   10536  0.0  0.5 233064  5060 pts/0    S+   04:31   0:00  \_ /bin/bash PWD=/usr/bin SYSTEMD_EXEC_PID=1639 HOME=/home/ec2-user LANG=C.UTF-8 INVOCATION_ID=320b62fc18e24351b44bc3cda39792bc TERM=xterm-256color SHLVL=1 JOURNAL_STREAM=8:17425 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin _=/bin/bash
root        1657  0.0  0.1 221388  1068 ttyS0    Ss+  04:31   0:00 /sbin/agetty -o -p -- \u --keep-baud 115200,57600,38400,9600 - vt220 LANG=C.UTF-8 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin INVOCATION_ID=fc09d7ea98d94541a7e41ff109ac782c TERM=vt220 SYSTEMD_EXEC_PID=1657
root        1655  0.0  0.1 221344  1068 tty1     Ss+  04:31   0:00 /sbin/agetty -o -p -- \u --noclear - linux PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin INVOCATION_ID=15c5824e3a4541ef9526d719d7641254 TERM=linux SYSTEMD_EXEC_PID=1655
```
You can see that the proxy environment variable `http_proxy=http://localhost:3128` configured for SSM Agent is set, inherited from the parent ssm-session-worker process.
That output is a bit hard to read, so let's also check the full list of environment variables.
```
$ printenv
no_proxy=169.254.169.254
SYSTEMD_COLORS=false
PWD=/home/ec2-user
SYSTEMD_EXEC_PID=25815
HOME=/home/ec2-user
LANG=C.UTF-8
LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=01;37;41:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc=01;31:*.arj=01;31:*.taz=01;31:*.lha=01;31:*.lz4=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.tzo=01;31:*.t7z=01;31:*.zip=01;31:*.z=01;31:*.dz=01;31:*.gz=01;31:*.lrz=01;31:*.lz=01;31:*.lzo=01;31:*.xz=01;31:*.zst=01;31:*.tzst=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.alz=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.cab=01;31:*.wim=01;31:*.swm=01;31:*.dwm=01;31:*.esd=01;31:*.jpg=01;35:*.jpeg=01;35:*.mjpg=01;35:*.mjpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.webp=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=01;36:*.au=01;36:*.flac=01;36:*.m4a=01;36:*.mid=01;36:*.midi=01;36:*.mka=01;36:*.mp3=01;36:*.mpc=01;36:*.ogg=01;36:*.ra=01;36:*.wav=01;36:*.oga=01;36:*.opus=01;36:*.spx=01;36:*.xspf=01;36:
https_proxy=http://localhost:3128
INVOCATION_ID=2ee22573034645bbb2fca2fc02a9d532
TERM=xterm-256color
LESSOPEN=||/usr/bin/lesspipe.sh %s
SHLVL=2
http_proxy=http://localhost:3128
S_COLORS=auto
which_declare=declare -f
JOURNAL_STREAM=8:44903
PATH=/home/ec2-user/.local/bin:/home/ec2-user/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
OLDPWD=/usr/bin
BASH_FUNC_which%%=() { ( alias; eval ${which_declare} ) | /usr/bin/which --tty-only --read-alias --read-functions --show-tilde --show-dot "$@" }
_=/usr/bin/printenv
```
We can see that the http_proxy, https_proxy and no_proxy environment variables are indeed set.
When connecting with EC2 Instance Connect
What about connections that do not go through SSM Agent?
Since these are environment variables set inside the SSM Agent unit file, my understanding is that such connections are not affected, but let's check to be sure.
Connect to the EC2 instance with EC2 Instance Connect, run curl, and check the environment variables.
   ,     #_
   ~\_  ####_        Amazon Linux 2023
  ~~  \_#####\
  ~~     \###|
  ~~       \#/ ___   https://aws.amazon.com/linux/amazon-linux-2023
   ~~       V~' '->
    ~~~         /
      ~~._.   _/
         _/ _/
       _/m/'
Last login: Tue Oct 10 04:51:18 2023 from 10.10.10.20
$ curl http://dev.classmethod.jp -I
HTTP/1.1 301 Moved Permanently
Server: CloudFront
Date: Tue, 10 Oct 2023 05:01:48 GMT
Content-Type: text/html
Content-Length: 167
Connection: keep-alive
Location: https://dev.classmethod.jp/
X-Cache: Redirect from cloudfront
Via: 1.1 5e85a7e9f75a591c64db206ef2e2a17c.cloudfront.net (CloudFront)
X-Amz-Cf-Pop: IAD55-P4
Alt-Svc: h3=":443"; ma=86400
X-Amz-Cf-Id: -LTEEuJp7UV5XxZSahkHzU_PmJhztkccwMsOsfSaDw08iqAIVMT3yg==
Cache-Control: max-age=45, stale-if-error=21600
$ echo $http_proxy

$ echo $https_proxy

$ echo $no_proxy

$ sudo ps aufe
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
ec2-user 28167  0.0  0.5 233060  5100 pts/2    Ss   05:01   0:00 -bash USER=ec2-user LOGNAME=ec2-user HOME=/home/ec2-user PATH=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin SHELL=/bin/bash TERM=xterm SELINUX_ROLE_REQUESTED= SELINUX_LEVEL_REQUESTED= SELINUX_USE_CURRENT_RANGE= MOTD_SHOWN=pam XDG_SESSION_ID=22 XDG_RUNTIME_DIR=/run/user/1000 DBUS_SESSION_BUS_ADDRESS=u
root     28204  0.0  0.9 260304  8420 pts/2    S+   05:02   0:00  \_ sudo ps aufe SHELL=/bin/bash HISTCONTROL=ignoredups SYSTEMD_COLORS=false HISTSIZE=1000 HOSTNAME=ip-10-10-10-14.ec2.internal PWD=/home/ec2-user LOGNAME=ec2-user XDG_SESSION_TYPE=tty MOTD_SHOWN=pam HOME=/home/ec2-user LANG=C.UTF-8 LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;
root     28206  0.0  0.3 232520  2852 pts/2    R+   05:02   0:00      \_ ps aufe HISTSIZE=1000 HOSTNAME=ip-10-10-10-14.ec2.internal LANG=C.UTF-8 LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=01;37;41:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc=01;31:*.arj=01;31:
ec2-user 27409  0.0  0.4 232300  4048 pts/3    Ss   04:56   0:00 sh LANG=C.UTF-8 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin INVOCATION_ID=2ee22573034645bbb2fca2fc02a9d532 JOURNAL_STREAM=8:44903 SYSTEMD_EXEC_PID=25815 http_proxy=http://localhost:3128 https_proxy=http://localhost:3128 no_proxy=169.254.169.254 TERM=xterm-256color HOME=/home/ec2-user
ec2-user 27410  0.0  0.5 233064  5080 pts/3    S+   04:56   0:00  \_ /bin/bash no_proxy=169.254.169.254 PWD=/usr/bin SYSTEMD_EXEC_PID=25815 HOME=/home/ec2-user LANG=C.UTF-8 https_proxy=http://localhost:3128 INVOCATION_ID=2ee22573034645bbb2fca2fc02a9d532 TERM=xterm-256color SHLVL=1 http_proxy=http://localhost:3128 JOURNAL_STREAM=8:44903 PATH=/usr/local/sbin:/usr/local/
ec2-user 26030  0.0  0.4 232300  4036 pts/1    Ss   04:42   0:00 sh LANG=C.UTF-8 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin INVOCATION_ID=2ee22573034645bbb2fca2fc02a9d532 JOURNAL_STREAM=8:44903 SYSTEMD_EXEC_PID=25815 http_proxy=http://localhost:3128 https_proxy=http://localhost:3128 no_proxy=169.254.169.254 TERM=xterm-256color HOME=/home/ec2-user
ec2-user 26031  0.0  0.5 233064  5104 pts/1    S+   04:42   0:00  \_ /bin/bash no_proxy=169.254.169.254 PWD=/usr/bin SYSTEMD_EXEC_PID=25815 HOME=/home/ec2-user LANG=C.UTF-8 https_proxy=http://localhost:3128 INVOCATION_ID=2ee22573034645bbb2fca2fc02a9d532 TERM=xterm-256color SHLVL=1 http_proxy=http://localhost:3128 JOURNAL_STREAM=8:44903 PATH=/usr/local/sbin:/usr/local/
ec2-user 10526  0.0  0.4 232300  4012 pts/0    Ss   04:31   0:00 sh LANG=C.UTF-8 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin INVOCATION_ID=320b62fc18e24351b44bc3cda39792bc JOURNAL_STREAM=8:17425 SYSTEMD_EXEC_PID=1639 TERM=xterm-256color HOME=/home/ec2-user
ec2-user 10536  0.0  0.5 233064  5060 pts/0    S+   04:31   0:00  \_ /bin/bash PWD=/usr/bin SYSTEMD_EXEC_PID=1639 HOME=/home/ec2-user LANG=C.UTF-8 INVOCATION_ID=320b62fc18e24351b44bc3cda39792bc TERM=xterm-256color SHLVL=1 JOURNAL_STREAM=8:17425 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin _=/bin/bash
root      1657  0.0  0.1 221388  1068 ttyS0    Ss+  04:31   0:00 /sbin/agetty -o -p -- \u --keep-baud 115200,57600,38400,9600 - vt220 LANG=C.UTF-8 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin INVOCATION_ID=fc09d7ea98d94541a7e41ff109ac782c TERM=vt220 SYSTEMD_EXEC_PID=1657
root      1655  0.0  0.1 221344  1068 tty1     Ss+  04:31   0:00 /sbin/agetty -o -p -- \u --noclear - linux PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin INVOCATION_ID=15c5824e3a4541ef9526d719d7641254 TERM=linux SYSTEMD_EXEC_PID=1655
$ printenv
SHELL=/bin/bash
HISTCONTROL=ignoredups
SYSTEMD_COLORS=false
HISTSIZE=1000
HOSTNAME=ip-10-10-10-14.ec2.internal
PWD=/home/ec2-user
LOGNAME=ec2-user
XDG_SESSION_TYPE=tty
MOTD_SHOWN=pam
HOME=/home/ec2-user
LANG=C.UTF-8
LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=01;37;41:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc=01;31:*.arj=01;31:*.taz=01;31:*.lha=01;31:*.lz4=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.tzo=01;31:*.t7z=01;31:*.zip=01;31:*.z=01;31:*.dz=01;31:*.gz=01;31:*.lrz=01;31:*.lz=01;31:*.lzo=01;31:*.xz=01;31:*.zst=01;31:*.tzst=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.alz=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.cab=01;31:*.wim=01;31:*.swm=01;31:*.dwm=01;31:*.esd=01;31:*.jpg=01;35:*.jpeg=01;35:*.mjpg=01;35:*.mjpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.webp=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=01;36:*.au=01;36:*.flac=01;36:*.m4a=01;36:*.mid=01;36:*.midi=01;36:*.mka=01;36:*.mp3=01;36:*.mpc=01;36:*.ogg=01;36:*.ra=01;36:*.wav=01;36:*.oga=01;36:*.opus=01;36:*.spx=01;36:*.xspf=01;36:
SSH_CONNECTION=10.10.10.20 47203 10.10.10.14 22
XDG_SESSION_CLASS=user
SELINUX_ROLE_REQUESTED=
TERM=xterm
LESSOPEN=||/usr/bin/lesspipe.sh %s
USER=ec2-user
SELINUX_USE_CURRENT_RANGE=
SHLVL=1
XDG_SESSION_ID=22
XDG_RUNTIME_DIR=/run/user/1000
S_COLORS=auto
SSH_CLIENT=10.10.10.20 47203 22
which_declare=declare -f
PATH=/home/ec2-user/.local/bin:/home/ec2-user/bin:/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin
SELINUX_LEVEL_REQUESTED=
DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus
MAIL=/var/spool/mail/ec2-user
SSH_TTY=/dev/pts/2
BASH_FUNC_which%%=() { ( alias; eval ${which_declare} ) | /usr/bin/which --tty-only --read-alias --read-functions --show-tilde --show-dot "$@" }
_=/usr/bin/printenv
As expected, because this connection was not made through SSM Session Manager, the proxy environment variables set for SSM Agent were not loaded. Note in the ps output that the session on pts/0 (SYSTEMD_EXEC_PID=1639), which was reconnected after the agent restart, also lacks the proxy variables, while the sessions started by the restarted agent (SYSTEMD_EXEC_PID=25815) have them.
When running sudo su -
Even when connecting through SSM Session Manager, switching to the root user with something like sudo su -, which does not carry the environment variables over, means you are not affected by the SSM Agent proxy settings.
# Switch to the root user
$ sudo su -
# Check the environment variables
$ printenv
SHELL=/bin/bash
HISTCONTROL=ignoredups
SYSTEMD_COLORS=false
HISTSIZE=1000
HOSTNAME=ip-10-10-10-14.ec2.internal
PWD=/root
LOGNAME=root
HOME=/root
LANG=C.UTF-8
LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=01;37;41:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc=01;31:*.arj=01;31:*.taz=01;31:*.lha=01;31:*.lz4=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.tzo=01;31:*.t7z=01;31:*.zip=01;31:*.z=01;31:*.dz=01;31:*.gz=01;31:*.lrz=01;31:*.lz=01;31:*.lzo=01;31:*.xz=01;31:*.zst=01;31:*.tzst=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.alz=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.cab=01;31:*.wim=01;31:*.swm=01;31:*.dwm=01;31:*.esd=01;31:*.jpg=01;35:*.jpeg=01;35:*.mjpg=01;35:*.mjpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.webp=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=01;36:*.au=01;36:*.flac=01;36:*.m4a=01;36:*.mid=01;36:*.midi=01;36:*.mka=01;36:*.mp3=01;36:*.mpc=01;36:*.ogg=01;36:*.ra=01;36:*.wav=01;36:*.oga=01;36:*.opus=01;36:*.spx=01;36:*.xspf=01;36:
TERM=xterm-256color
LESSOPEN=||/usr/bin/lesspipe.sh %s
USER=root
SHLVL=1
S_COLORS=auto
which_declare=declare -f
PATH=/root/.local/bin:/root/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
MAIL=/var/spool/mail/root
BASH_FUNC_which%%=() { ( alias; eval ${which_declare} ) | /usr/bin/which --tty-only --read-alias --read-functions --show-tilde --show-dot "$@" }
_=/usr/bin/printenv
# Check the environment variables of each process
$ ps aufe
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
ec2-user  1729  0.0  0.4 232300  3992 pts/0    Ss   08:11   0:00 sh LANG=C.UTF-8 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin INVOCATION_ID=d5f4e35274db410c9406ad983746816f JOURNAL_STREAM=8:15928 SYSTEMD_EXEC_PID=1616 http_proxy=http://localhost:3128 htt
ec2-user  1730  0.0  0.5 233064  5000 pts/0    S    08:11   0:00  \_ /bin/bash no_proxy=169.254.169.254 PWD=/usr/bin SYSTEMD_EXEC_PID=1616 HOME=/home/ec2-user LANG=C.UTF-8 https_proxy=http://localhost:3128 INVOCATION_ID=d5f4e35274db410c9406ad983746816f TERM=xterm-
root      1749  0.0  0.9 260304  8440 pts/0    S    08:11   0:00      \_ sudo su - no_proxy=169.254.169.254 SYSTEMD_COLORS=false PWD=/home/ec2-user SYSTEMD_EXEC_PID=1616 HOME=/home/ec2-user LANG=C.UTF-8 LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=0
root      1765  0.0  0.5 245540  4812 pts/0    S    08:11   0:00          \_ su - LANG=C.UTF-8 LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=01;37;41:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:e
root      1766  0.0  0.5 233056  5084 pts/0    S    08:11   0:00              \_ -bash SHELL=/bin/bash PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin HOME=/root USER=root LOGNAME=root TERM=xterm-256color
root      1952  0.0  0.3 232520  2852 pts/0    R+   08:13   0:00                  \_ ps aufe SHELL=/bin/bash HISTCONTROL=ignoredups SYSTEMD_COLORS=false HISTSIZE=1000 HOSTNAME=ip-10-10-10-14.ec2.internal PWD=/root LOGNAME=root HOME=/root LANG=C.UTF-8 LS_COLORS=rs=
root      1635  0.0  0.1 221388  1064 ttyS0    Ss+  08:11   0:00 /sbin/agetty -o -p -- \u --keep-baud 115200,57600,38400,9600 - vt220 LANG=C.UTF-8 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin INVOCATION_ID=229618e15fbc48f1bb2b76d6f35b81fd TERM=vt220 SYST
root      1634  0.0  0.1 221344  1068 tty1     Ss+  08:11   0:00 /sbin/agetty -o -p -- \u --noclear - linux PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin INVOCATION_ID=98970ca2f30046c3ac5a03968e5fd038 TERM=linux SYSTEMD_EXEC_PID=1634
# Confirm that traffic is not going through the proxy
$ curl http://dev.classmethod.jp -I
HTTP/1.1 301 Moved Permanently
Server: CloudFront
Date: Tue, 10 Oct 2023 08:11:49 GMT
Content-Type: text/html
Content-Length: 167
Connection: keep-alive
Location: https://dev.classmethod.jp/
X-Cache: Redirect from cloudfront
Via: 1.1 b3169f8fae0104e39a0a9728b6537e08.cloudfront.net (CloudFront)
X-Amz-Cf-Pop: IAD55-P4
Alt-Svc: h3=":443"; ma=86400
X-Amz-Cf-Id: VZ5mKrHzhrx3CyLNuervMK8LtLuEklL0qUWRrdl1yTuKOnkvYy2Ncg==
Cache-Control: max-age=45, stale-if-error=21600
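The ps aufe checks in the two sections above rely on reading each process's environment to see which shells inherited the proxy variables and which (a session reconnected after an agent restart, or a shell reached via sudo su -) did not. The following added example, which is not from the original post, does the same audit directly from /proc/<pid>/environ; it assumes a Linux host with a readable /proc, and the shell names it matches follow the ssm-session-worker -> sh -> /bin/bash tree shown above.

```shell
#!/bin/sh
# Added example (not from the original post): report which shells on the
# host carry *_proxy variables in their environment, reading
# /proc/<pid>/environ instead of relying on the width-truncated ps output.

# Print NAME=VALUE for every http_proxy / https_proxy / no_proxy entry
# (any case) in an environ file. /proc/<pid>/environ is NUL-separated,
# so convert NULs to newlines first. Takes a path so a saved copy of an
# environ file can be inspected as well.
proxy_vars_in() {
    tr '\0' '\n' < "$1" | grep -iE '^(https?|no)_proxy=' | sort
}

# Same lookup keyed by PID.
proxy_vars_of_pid() {
    proxy_vars_in "/proc/$1/environ"
}

# For every shell process, print "PID PPID COMM" followed by the proxy
# variables it inherited, indented, or "none". Reading another user's
# environ requires root, so run with sudo for the full picture; a shell
# whose parent is ssm-session-worker but shows "none" is one that kept
# its pre-restart environment.
audit_shell_proxy_env() {
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        comm=$(cat "$d/comm" 2>/dev/null) || continue   # process may have exited
        case "$comm" in sh|bash|dash|zsh) ;; *) continue ;; esac
        ppid=$(awk '{print $4}' "$d/stat" 2>/dev/null)  # field 4 of /proc/<pid>/stat
        vars=$(proxy_vars_of_pid "$pid" 2>/dev/null)
        printf '%s %s %s\n' "$pid" "$ppid" "$comm"
        if [ -n "$vars" ]; then
            echo "$vars" | sed 's/^/    /'
        else
            printf '    none\n'
        fi
    done
}

# Run the host-wide audit only when asked, so the functions can also be
# sourced: sh audit.sh audit
if [ "${1:-}" = "audit" ]; then
    audit_shell_proxy_env
fi
```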
Trying an arbitrary environment variable
Let's set an arbitrary environment variable in the SSM Agent unit file and check whether it can be referenced when connecting via SSM Session Manager.
# Set the proxy environment variables in the SSM Agent unit file
$ systemctl edit amazon-ssm-agent
# Check the changed settings
$ cat /etc/systemd/system/amazon-ssm-agent.service.d/override.conf
[Service]
Environment="http_proxy=http://localhost:3128"
Environment="https_proxy=http://localhost:3128"
Environment="no_proxy=169.254.169.254"
Environment="test_env=non-97"
# Restart the SSM Agent
$ sudo systemctl daemon-reload && sudo systemctl restart amazon-ssm-agent
Connect in a separate session.
$ echo $test_env
non-97
When connecting via SSM Session Manager, the environment variable set in the SSM Agent unit file was displayed.
If there are environment variables you want available when connecting via SSM Session Manager, setting them here looks like a good approach.
I feel I understand SSM Session Manager a little better now
I introduced how environment variables set for SSM Agent on a Linux instance are carried over into SSM Session Manager connections.
I feel I understand SSM Session Manager a little better now.
I hope this article helps someone.
That was non-97 (@non____97) from the Consulting Department of the AWS Business Division!