You are browsing a read-only backup copy of Wikitech. The live site can be found at wikitech.wikimedia.org
Difference between revisions of "Help:Accessing Cloud VPS instances"
Jump to navigation
Jump to search
imported>Krinkle (→Set default configuration: include "*.wmflabs.org" in the bastion line, to make tools-login.wmflabs.org work) |
imported>BryanDavis (Undo revision 1932871 by C. Scott Ananian (talk) -- introducing the concept of multiple key management without additional explanation is confusing for the typical VPS user who does not have multiple keys) |
||
| (7 intermediate revisions by 6 users not shown) | |||
| Line 22: | Line 22: | ||
# [[Special:Preferences#mw-prefsection-openstack|Upload your public SSH key to Wikitech]] | # [[Special:Preferences#mw-prefsection-openstack|Upload your public SSH key to Wikitech]] | ||
# [https://gerrit.wikimedia.org Upload your public SSH key Gerrit] | # [https://gerrit.wikimedia.org Upload your public SSH key Gerrit] | ||
=== Be a member of a Cloud VPS project === | |||
In order to SSH into instances of a particular Cloud VPS project, you must be a member of that project. | |||
In order to SSH even into a bastion, you need to be a member of at least one project (then the <code>project-bastion</code> LDAP group will be added automatically). | |||
[[Help:Cloud VPS project#Request a new Cloud VPS project|Request a new Cloud VPS project]], or ask someone to add you to their existing project. | |||
== SSH Recommendations == | == SSH Recommendations == | ||
=== Linux or macOS === | === Linux or macOS === | ||
* Natively | * Natively support SSH. You should be able to SSH from the terminal. | ||
=== Windows 10 === | === Windows 10 === | ||
| Line 41: | Line 47: | ||
== Accessing Cloud VPS instances == | == Accessing Cloud VPS instances == | ||
=== Setup === | |||
You'll need to proxy through a machine that is visible to the Internet and recognizes Cloud VPS (bastion) instances. | You'll need to proxy through a machine that is visible to the Internet and recognizes Cloud VPS (bastion) instances. | ||
| Line 49: | Line 57: | ||
|- | |- | ||
|A member of Wikimedia SRE Team | |A member of Wikimedia SRE Team | ||
|restricted.bastion. | |<code>restricted.bastion.wmcloud.org</code> | ||
|- | |- | ||
|Everyone else ( | |Everyone else (including volunteers and Wikimedia Foundation staff) | ||
|primary.bastion. | |<code>primary.bastion.wmcloud.org</code><br/><code>bastion.wmcloud.org</code> (alias) | ||
|} | |} | ||
== ProxyJump (recommended) == | {{Note|The [[Portal:Toolforge|Toolforge]] Cloud VPS project has [[Portal:Toolforge/About_Toolforge#Bastion_hosts|its own bastions]] and does not require any proxy to access them.}} | ||
==== ProxyJump (recommended) ==== | |||
Use this directive if you are using OpenSSH version 7.3 or higher | Use this directive if you are using OpenSSH version 7.3 or higher | ||
<syntaxhighlight lang="shell-session"> | <syntaxhighlight lang="shell-session"> | ||
$ ssh -J <your-shell-name>@ | $ ssh -J <your-shell-name>@bastion.wmcloud.org <your-shell-name>@<your-instance>.<your-project>.eqiad1.wikimedia.cloud | ||
</syntaxhighlight> | </syntaxhighlight> | ||
To save time, you can configure your <code>$HOME/.ssh/config</code> file to instruct SSH to use ''bastion.wmcloud.org'' as a jump host when connecting to ''wikimedia.cloud'' instances. | |||
To save time, you can configure | |||
<syntaxhighlight lang="apache"> | <syntaxhighlight lang="apache"> | ||
Host | Host *.wmflabs.org *.wmcloud.org *.toolforge.org | ||
User <your-shell-name> | User <your-shell-name> | ||
Host *.wmflabs *.wikimedia.cloud | Host *.wmflabs *.wikimedia.cloud | ||
User <your-shell-name> | User <your-shell-name> | ||
ProxyJump bastion. | ProxyJump bastion.wmcloud.org:22 | ||
</syntaxhighlight> | </syntaxhighlight> | ||
== {{Anchor|ProxyCommand}}ProxyCommand (older ssh clients) == | ==== {{Anchor|ProxyCommand}}ProxyCommand (older ssh clients) ==== | ||
Use this directive if you are using OpenSSH 7.2 or older | Use this directive if you are using OpenSSH 7.2 or older | ||
<syntaxhighlight lang="apache"> | <syntaxhighlight lang="apache"> | ||
Host *.wmflabs.org *.wmcloud.org *.toolforge.org | |||
User <your-shell-name> | |||
Host *.wmflabs *.wikimedia.cloud | Host *.wmflabs *.wikimedia.cloud | ||
ProxyCommand ssh -a -W %h:%p <your-shell-name>@ | ProxyCommand ssh -a -W %h:%p <your-shell-name>@bastion.wmcloud.org | ||
User <your-shell-name> | User <your-shell-name> | ||
</syntaxhighlight> | </syntaxhighlight> | ||
=== Logging in === | |||
Run the following from your local computer, substituting the instance and project names as appropriate: | Run the following from your local computer, substituting the instance and project names as appropriate: | ||
ssh ''your-instance''.''your-project''.eqiad1.wikimedia.cloud | |||
==== SSH fingerprints ==== | |||
See [[Help:SSH Fingerprints]] for host key fingerprints which can be used to validate the authenticity of keys offered by hosts when attempting to connect for the first time or if the key has changed due to a full reimaging of the server. It is good practice to verify the SSH fingerprint of the bastions you use in order to reduce the likelihood of a [[:en:Man-in-the-middle_attack|MITM attack]]. | |||
== File managers == | == File managers == | ||
You can connect to your Cloud VPS instance through the bastion via SSH with a file manager. There are a number of Open Source options listed below. | You can connect to your Cloud VPS instance through the bastion via SSH with a file manager. There are a number of Open Source options listed below. | ||
''Note:''' The following options are maintained by third parties. Please see the technical documentation or ReadMe on the software's website to determine the best method of connection. | '''Note:''' The following options are maintained by third parties. Please see the technical documentation or ReadMe on the software's website to determine the best method of connection. | ||
=== Options === | === Options === | ||
| Line 101: | Line 115: | ||
* Gnome: ([https://wiki.gnome.org/Apps/Files Files, formerly Nautilus]), | * Gnome: ([https://wiki.gnome.org/Apps/Files Files, formerly Nautilus]), | ||
* KDE: [https://kde.org/applications/system/org.kde.dolphin Dolphin], | * KDE: [https://kde.org/applications/system/org.kde.dolphin Dolphin], | ||
* FUSE: [https://github.com/libfuse/libfuse libfuse on | * FUSE: [https://github.com/libfuse/libfuse libfuse on GitHub] | ||
'''Mac''' | '''Mac''' | ||
| Line 109: | Line 123: | ||
In general, adding SSH option -v, -vv, or -vvv may help identify possible issues. | In general, adding SSH option -v, -vv, or -vvv may help identify possible issues. | ||
#when using ProxyCommand | #when using ProxyCommand | ||
ssh -v ''your-instance''.''your-project''. | ssh -v ''your-instance''.''your-project''.eqiad1.wikimedia.cloud | ||
=== Into Bastion === | === Into Bastion === | ||
| Line 116: | Line 130: | ||
# Make sure you have uploaded the correct SSH key to [[Special:Preferences#mw-prefsection-openstack|your preferences]] | # Make sure you have uploaded the correct SSH key to [[Special:Preferences#mw-prefsection-openstack|your preferences]] | ||
# Use lowercase letters for your username | # Use lowercase letters for your username | ||
# Your SSH user name is your '''instance shell account name''' name (see [[Special:Preferences|User Profile]] > Basic Information in your | # Your SSH user name is your '''instance shell account name''' name (see [[Special:Preferences|User Profile]] > Basic Information in your Wikitech account's Preferences page). It is not necessarily the same as your account's '''username''' | ||
===== Connection closed by remote host ===== | ===== Connection closed by remote host ===== | ||
Latest revision as of 17:22, 17 November 2021
| Cloud VPS |
|---|
 |
|
|
|
|
|
Overview
This page explains how to gain access to Cloud VPS using SSH.
What you'll need
Required accounts
| Account Type | Description | Where to sign up |
|---|---|---|
| Wikimedia account | Wikimedia single user login (SUL) account allows you to log into general wikis like Wikipedia, MediaWiki, and MetaWiki | Create Wikimedia account |
| Wikimedia developer account | Wikimedia developer account allows you to log into Wikitech, Phabricator, Gerrit and other developer tools. | Create Wikimedia developer account |
Set up and upload SSH keys
Be a member of a Cloud VPS project
In order to SSH into instances of a particular Cloud VPS project, you must be a member of that project.
In order to SSH even into a bastion, you need to be a member of at least one project (then the project-bastion LDAP group will be added automatically).
Request a new Cloud VPS project, or ask someone to add you to their existing project.
SSH Recommendations
Linux or macOS
- Natively support SSH. You should be able to SSH from the terminal.
Windows 10
- Windows 10 (Spring 2018 Creators update or higher) has a built in SSH client.
- If the OpenSSH client is not already enabled, you can do this by following
Settings->Apps & features->Optional features->Add a feature. Scroll down and enable the SSH Client. - Access the SSH client via Windows Powershell using the
sshdirective. - To use an SSH agent, you will need to enable it.
- Type into your search bar
services.mscand open the Services program - Find OpenSSH Authentication Agent and set that service to "Automatic" and start it if it is disabled.
- Type into your search bar
- Please note, there is a bug in how ProxyJump works, so use the instructions for ProxyCommand below unless you are sure you are not affected by https://github.com/PowerShell/Win32-OpenSSH/issues/1172
- If the OpenSSH client is not already enabled, you can do this by following
Older versions of Windows
It is recommended that you run the most current version of Windows. However, if you choose to run an older version, you will need an SSH client. PuTTY / KiTTY is often recommended.
Accessing Cloud VPS instances
Setup
You'll need to proxy through a machine that is visible to the Internet and recognizes Cloud VPS (bastion) instances.
| Your role | Use |
|---|---|
| A member of Wikimedia SRE Team | restricted.bastion.wmcloud.org
|
| Everyone else (including volunteers and Wikimedia Foundation staff) | primary.bastion.wmcloud.orgbastion.wmcloud.org (alias)
|
 | The Toolforge Cloud VPS project has its own bastions and does not require any proxy to access them. |
ProxyJump (recommended)
Use this directive if you are using OpenSSH version 7.3 or higher
$ ssh -J <your-shell-name>@bastion.wmcloud.org <your-shell-name>@<your-instance>.<your-project>.eqiad1.wikimedia.cloud
To save time, you can configure your $HOME/.ssh/config file to instruct SSH to use bastion.wmcloud.org as a jump host when connecting to wikimedia.cloud instances.
Host *.wmflabs.org *.wmcloud.org *.toolforge.org
User <your-shell-name>
Host *.wmflabs *.wikimedia.cloud
User <your-shell-name>
ProxyJump bastion.wmcloud.org:22
ProxyCommand (older ssh clients)
Use this directive if you are using OpenSSH 7.2 or older
Host *.wmflabs.org *.wmcloud.org *.toolforge.org
User <your-shell-name>
Host *.wmflabs *.wikimedia.cloud
ProxyCommand ssh -a -W %h:%p <your-shell-name>@bastion.wmcloud.org
User <your-shell-name>
Logging in
Run the following from your local computer, substituting the instance and project names as appropriate:
ssh your-instance.your-project.eqiad1.wikimedia.cloud
SSH fingerprints
See Help:SSH Fingerprints for host key fingerprints which can be used to validate the authenticity of keys offered by hosts when attempting to connect for the first time or if the key has changed due to a full reimaging of the server. It is good practice to verify the SSH fingerprint of the bastions you use in order to reduce the likelihood of a MITM attack.
File managers
You can connect to your Cloud VPS instance through the bastion via SSH with a file manager. There are a number of Open Source options listed below.
Note: The following options are maintained by third parties. Please see the technical documentation or ReadMe on the software's website to determine the best method of connection.
Options
Windows
Linux
- Gnome: (Files, formerly Nautilus),
- KDE: Dolphin,
- FUSE: libfuse on GitHub
Mac
Troubleshooting
In general, adding SSH option -v, -vv, or -vvv may help identify possible issues.
#when using ProxyCommand ssh -v your-instance.your-project.eqiad1.wikimedia.cloud
Into Bastion
Permission denied (publickey)
- Make sure you have uploaded the correct SSH key to your preferences
- Use lowercase letters for your username
- Your SSH user name is your instance shell account name name (see User Profile > Basic Information in your Wikitech account's Preferences page). It is not necessarily the same as your account's username
Connection closed by remote host
- Make sure you have uploaded the correct SSH key to your preferences
- If you have access to other SSH servers, can you connect to them? If not, then there may be an issue with your SSH client.
- If you use Windows, is Pageant (PuTTY authentication agent) set up with correct keys and running?
Blocking connection on OS X with no error message
If you are running OS X and your SSH connection blocks without any error message (while pinging the server works), try
unset SSH_AUTH_SOCK, and then SSH again. This will unset the socket to ssh-agent.
Into your-instance
Permission denied (publickey)
- Make sure the instance build has completed.
- Search in the console output for “Finished puppet run”, BEGIN SSH HOST KEY FINGERPRINTS, and BEGIN SSH HOST KEY KEYS.
Communication and support
We communicate and provide support through several primary channels. Please reach out with questions and to join the conversation.
| Way | Connect | Best for |
|---|---|---|
| Phabricator Workboard | #Cloud-Services | Task tracking and bug reporting |
| IRC Channel | #wikimedia-cloud connect Telegram bridge mattermost bridge |
General discussion and support |
| Mailing List | cloud@ | Information about ongoing initiatives, general discussion and support |
| Announcement emails | cloud-announce@ | Information about critical changes (all messages mirrored to cloud@) |
| News wiki page | News | Information about major near-term plans |
| Cloud Services Blog | Clouds & Unicorns | Learning more details about some of our work |
| Wikimedia Technical Blog | techblog.wikimedia.org | News and stories from the Wikimedia technical movement |