cluster.yaml
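# cluster.yaml
#
# trusted_cluster resource for the cluster that initiates the reverse tunnel
# towards the "main" (root) cluster named below. Indentation restored and
# booleans written canonically; values themselves are unchanged.
kind: trusted_cluster
version: v2
metadata:
  # the trusted cluster name MUST match the 'cluster_name' setting of the
  # cluster being trusted (the "main" cluster that tunnel_addr points at).
  # NOTE(review): this value equals the local auth_service.cluster_name
  # ("fire-202" in /etc/teleport.yaml) rather than a distinct root name —
  # confirm it is the root cluster's cluster_name.
  name: fire-202
spec:
  # this field allows creating tunnels that are disabled, but can be enabled later.
  enabled: true
  # the join token expected by the "main" cluster (placeholder value here).
  # It is a credential: keep it out of version control and prefer a
  # short-lived token over a static one.
  token: xxxxx
  # the address in 'host:port' form of the reverse tunnel listening port on the
  # "main" proxy server:
  tunnel_addr: teleport.test.com:3024
  # the address in 'host:port' form of the web listening port on the
  # "main" proxy server:
  web_proxy_addr: teleport.test.com:3080
  # the role mapping allows mapping user roles from one cluster to another
  # (enterprise editions of Teleport only). Keep the mapping as narrow as
  # possible: every remote role listed here is granted the local roles on each
  # login that arrives through the tunnel.
  # role_map:
  #   - remote: "admin"      # users who have "admin" role on "main"
  #     local: ["auditor"]   # will be assigned "auditor" role when logging into "east"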
/etc/teleport.yaml
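# /etc/teleport.yaml
#
# Single-host Teleport configuration running auth, ssh and proxy services.
# Indentation restored and yes/no booleans normalised to true/false (the
# file mixed both forms); every value is otherwise as given.
teleport:
  nodename: fire-202
  data_dir: /var/lib/teleport
  # join token presented to the auth server (placeholder). Treat it as a
  # credential; static tokens do not expire on their own.
  auth_token: xxxx-token-xxxx
  auth_servers:
    # NOTE(review): 0.0.0.0 is a listen-any wildcard; as a dial target it
    # reaches the local host on Linux but reads as a listen address. Using
    # 127.0.0.1:3025 (or the auth server's real address) makes the intent
    # explicit — confirm against the auth_service.listen_addr below.
    - 0.0.0.0:3025
  connection_limits:
    max_connections: 1000
    max_users: 250
  log:
    output: stderr
    # DEBUG is useful while troubleshooting the tunnel; lower it afterwards,
    # since debug output logs connection and target details at high volume.
    severity: DEBUG
  # SSH algorithm lists: everything listed is accepted, so each legacy entry
  # widens what peers may negotiate. Entries marked "legacy" are kept as the
  # author had them; drop them unless an old client still needs them.
  ciphers:
    - aes128-ctr
    - aes192-ctr
    - aes256-ctr
    - aes128-gcm@openssh.com
  kex_algos:
    - curve25519-sha256@libssh.org
    - ecdh-sha2-nistp256
    - ecdh-sha2-nistp384
    - ecdh-sha2-nistp521
    - diffie-hellman-group14-sha1  # legacy: SHA-1 based exchange
    - diffie-hellman-group1-sha1   # legacy: 1024-bit group, considered weak
  mac_algos:
    - hmac-sha2-256-etm@openssh.com
    - hmac-sha2-256
    - hmac-sha1     # legacy
    - hmac-sha1-96  # legacy
  # TLS suites: the tls-rsa-* entries have no forward secrecy and the *-cbc-sha
  # entries are SHA-1/CBC based; prefer the ecdhe + gcm/chacha20 suites.
  ciphersuites:
    - tls-rsa-with-aes-128-cbc-sha  # default
    - tls-rsa-with-aes-256-cbc-sha  # default
    - tls-rsa-with-aes-128-cbc-sha256
    - tls-rsa-with-aes-128-gcm-sha256
    - tls-rsa-with-aes-256-gcm-sha384
    - tls-ecdhe-ecdsa-with-aes-128-cbc-sha
    - tls-ecdhe-ecdsa-with-aes-256-cbc-sha
    - tls-ecdhe-rsa-with-aes-128-cbc-sha
    - tls-ecdhe-rsa-with-aes-256-cbc-sha
    - tls-ecdhe-ecdsa-with-aes-128-cbc-sha256
    - tls-ecdhe-rsa-with-aes-128-cbc-sha256
    - tls-ecdhe-rsa-with-aes-128-gcm-sha256
    - tls-ecdhe-ecdsa-with-aes-128-gcm-sha256
    - tls-ecdhe-rsa-with-aes-256-gcm-sha384
    - tls-ecdhe-ecdsa-with-aes-256-gcm-sha384
    - tls-ecdhe-rsa-with-chacha20-poly1305
    - tls-ecdhe-ecdsa-with-chacha20-poly1305

auth_service:
  enabled: true
  # this is the local cluster name; a trusted_cluster resource applied here
  # must name the *other* (root) cluster, not this one.
  cluster_name: "fire-202"
  authentication:
    type: local
    second_factor: otp
    u2f:
      # NOTE(review): the U2F app_id/facet must match the origin users open
      # the web UI from; https://localhost:3080 only matches a browser on the
      # proxy host itself. Confirm against the address users actually use.
      app_id: https://localhost:3080
      facets:
        - https://localhost:3080
  listen_addr: 0.0.0.0:3025
  # static join tokens (placeholders). They never expire and grant the listed
  # roles to whoever presents them; prefer short-lived tokens issued with
  # `tctl tokens add` and remove static ones once nodes have joined.
  tokens:
    - "proxy,node:xxxxx"
    - "auth:yyyy"
  session_recording: "node"
  # idle sessions are never disconnected automatically
  client_idle_timeout: never
  # false: an established session is not cut when the user's certificate expires
  disconnect_expired_cert: false
  license_file: /var/lib/teleport/license.pem

ssh_service:
  enabled: true
  listen_addr: 0.0.0.0:3022
  labels:
    role: master
    type: postgres
  # dynamic labels: the command runs with the teleport process's privileges
  # every `period`, and its output is shown as a label to users who can list
  # this node.
  commands:
    - name: arch
      command: ['/bin/uname', '-p']
      period: 1h0m0s
  # false: users cannot inject environment variables into sessions
  permit_user_env: false
  pam:
    enabled: false
    service_name: teleport

proxy_service:
  enabled: true
  listen_addr: 0.0.0.0:3023
  tunnel_listen_addr: 0.0.0.0:3024
  web_listen_addr: 0.0.0.0:3080
  # private key for the web/HTTPS endpoint: keep it readable by the teleport
  # service user only
  https_key_file: /var/lib/teleport/webproxy_key.pem
  https_cert_file: /var/lib/teleport/webproxy_cert.pem
  kubernetes:
    enabled: false
    listen_addr: 0.0.0.0:3026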
# Follow the live journal of the teleport_ssh systemd unit (same as -u ... -f)
journalctl --unit=teleport_ssh.service --follow
12月 25 14:34:36 fire-202 teleport[10870]: DEBU [PROXY:AGE] transport request: teleport-transport target:teleport.test.com:3024 reversetunnel/agent.go:535
12月 25 14:34:36 fire-202 teleport[10870]: DEBU [PROXY:AGE] proxyTransport target:teleport.test.com:3024 reversetunnel/agent.go:321
12月 25 14:34:36 fire-202 teleport[10870]: DEBU [PROXY:AGE] Received out-of-band proxy transport request: [192.168.224.138:3025] target:teleport.test.com:3024 reversetunnel/agent.go:380
12月 25 14:34:36 fire-202 teleport[10870]: DEBU [PROXY:AGE] Successfully dialed to @remote-auth-server, start proxying. target:teleport.test.com:3024 reversetunnel/agent.go:407
12月 25 14:34:36 fire-202 teleport[10870]: DEBU [PROXY:AGE] ping -> proxy.ip:8080 target:teleport.test.com:3024 reversetunnel/agent.go:516
12月 25 14:34:37 fire-202 teleport[10870]: DEBU [PROXY:AGE] Received out-of-band proxy transport request: [192.168.224.138:3025] target:teleport.test.com:3024 reversetunnel/agent.go:380
12月 25 14:34:37 fire-202 teleport[10870]: DEBU [PROXY:AGE] Successfully dialed to @remote-auth-server, start proxying. target:teleport.test.com:3024 reversetunnel/agent.go:407
in the web
I don't know where the trouble is.
I hope someone can help me!