fix: use direct bastion tunnel for non-SSH app ports#968
Open
fix: use direct bastion tunnel for non-SSH app ports#968
Conversation
The old implementation always routed through SSH port 22 and layered an `ssh -N -L` forward on top, even for application ports like 8080. This two-hop approach was fragile — the SSH process frequently died as a zombie while the bastion tunnel stayed alive, leaving the user with no local listener. Changes: - Non-SSH ports now use a direct `az bastion tunnel` with `--resource-port <app_port>` — single hop, no SSH layer needed - Port 22 retains the two-hop approach (bastion→22 + SSH -L) with added ServerAliveInterval/ExitOnForwardFailure for resilience - Replace fixed 3s sleep with `wait_for_listener()` polling for reliable startup detection - Spawn `az` commands as process group leaders (setsid) so `tunnel close` kills the entire process tree (az→bash→python3) instead of leaving orphan python3 listeners - Add `kill_process_tree()` that sends SIGTERM to the process group Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
azlin tunnel open <vm> 8080failed to create a working tunnel for private (bastion-routed) VMs. The SSH-Lforward process would die as a zombie while the bastion tunnel stayed alive, leaving no local listener on port 8080.Root Cause
The old implementation always routed through SSH port 22:
az bastion tunnel --resource-port 22 --port 50200(bastion → VM:22)ssh -N -L 8080:localhost:8080 -p 50200 user@127.0.0.1(SSH forward)This two-hop approach is unnecessary and fragile for app ports. The SSH process frequently died, and
tunnel closeonly killed the parent PID, leaving orphaned python3 listeners.Fix
Non-SSH ports (e.g., 8080, 3000, 5432): Use a direct
az bastion tunnel --resource-port <app_port>— single hop, no SSH layer. Simpler, more reliable.Port 22: Retains the two-hop approach (it's the actual transport) but with added resilience (
ServerAliveInterval,ExitOnForwardFailure).Process cleanup: Spawn
azas process group leader (setsid) sotunnel closekills the entire tree (az→bash→python3).Startup detection: Replace fixed 3s sleep with
wait_for_listener()polling.Testing
Verified on a live private VM (
devy):azlin tunnel open devy 8080→ listener on localhost:8080, HTTP 303 from service ✓azlin tunnel list→ shows correct entry ✓azlin tunnel close devy→ port freed, no orphan processes ✓