Support client-side proxies for apply command #3123
Closed
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This is a concept implementation to support SSH proxy in `dstack apply` comand.
## Summary
- Add client-side SSH proxy configuration to dev/task/service configs
- Let `dstack apply` reuse those settings for ProxyJump, ProxyCommand, and AWS SSM
## Liimitations
- `dstack attach` still bypasses the new proxy controls, so detached runs cannot yet use them
## Next Steps
- Add cloud-specific helpers (e.g., GCP, Azure) on top of this structure
## Example configuration
```yaml
type: dev-environment
name: example
ide: vscode
attach:
proxy:
type: aws-ssm
profile: sso-profile-name
```
peterschmidt85
requested changes
Sep 22, 2025
There was a problem hiding this comment.
Thank you, @mrkn very much for the PR.
A few questions and comments:
- I assume you've tested the PR end-to-end, have you? I mean submitting runs using the
awsbackend? - I assume this won't work if
dstackdoesn't create (and reuse) the default EC2 instance profile that is granted withssmpermissions. - I personally think that
ssmshould be a setting of theawsbackend rather than a part of the user configuration. This means ifssmis enabled for the backend,dstackwould always requiressmwhen attaching. - I agree that it should be possible to configure AWS credentials on the client side. I personally think, as the first initial version, we could simply reply on the default AWS credentials. This gives the user 100% control over that when using the
dstackCLI. - Also, in my view, the attach logic cannot be outside of
run.attach. Therun.attachis the high-level API that should do anything what is required internally. Users may use it not via CLI but programmatically viadstackPython API (see examples). - You also use
ssmwith jump hosts ({run_name}-jump-host) which is only required with thekubernetesbackend (and has nothing to do with SSM). - I wonder if the PR also works under Windows (I guess not).
Please let me know if you need more assistance with it! We're actually happy to help as this functionality is definitely important.
|
Hi @mrkn! Will close the PR for now. Please feel free to re-open if you decide to get back to it! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is a concept implementation to support SSH proxy in
dstack applycomand.I think this can be a part of #2562 and #2554.
Summary
dstack applyreuse those settings for ProxyJump, ProxyCommand, and AWS SSMLiimitations
dstack attachstill bypasses the new proxy controls, so detached runs cannot yet use themNext Steps
Example configuration