Help:Accessing Cloud VPS instances: Difference between revisions

From Wikitech
→What you'll need: Add link to phab task for improvements to "What you'll need" section
(211 intermediate revisions by 76 users not shown)
Line 1: Line 1:
{{Cloud VPS nav}}
{{DocumentationPage}}
This page explains how to gain access to <code>labsconsole</code> (this wiki) and our git repository, which is located at http://gerrit.wikimedia.org/.


== Overview ==
== <span id="Initial_login_and_password_change">Initial log in and password change</span> ==


This page explains how to gain access to [[Portal:Cloud VPS|Cloud VPS]] using SSH.
If someone has made an account for you, you'll need to do the following for initial log in, or if you want to change your Labs (labsconsole) and gerrit password.


== What you'll need ==
# Go to the [[Special:UserLogin|login page]].
{{tracked|T347637}}
# Enter your wiki username.
# Check your mail, log in with your new temporary password, and set a permanent password.
# After logging in, you should [[mw:Git/Tutorial#Set_Up_SSH_Keys_in_Gerrit|set up an SSH key]] if you do not already have one, then [[Special:NovaKey|upload your ssh key to Labs]].
# Now log into [https://gerrit.wikimedia.org gerrit] using the same username and password. It'll ask you to upload an ssh key. Upload your public key here as well.


=== Required accounts ===
Basic instructions for what to do next: [[mw:Git/Workflow|Git workflow]], [[Help:Getting_Started|getting started on Labs]].


{{Account_setup}}
== Accessing public and private instances ==


=== Set up and upload SSH keys ===
In order to access [[Help:Instances|instances]] (see [[Help:Terminology]]) you will need to be a member of the 'bastion' project. If you specifically requested a labs account then you may already be a member; otherwise you'll need to make an appearance on {{IRC|wikimedia-labs}} IRC channel and ask [[Help:Access#Access_FAQ|someone]] to add you.
# [[Generate an SSH Key]]
# [[Special:Preferences#mw-prefsection-openstack|Upload your public SSH key to Wikitech]]
# [https://gerrit.wikimedia.org Upload your public SSH key Gerrit]


=== Which bastion do I use? ===
=== Be a member of a Cloud VPS project ===


In order to SSH into instances of a particular Cloud VPS project, you must be a member of that project.
Unless you are ops, use '''bastion.wmflabs.org'''. If you are a member of the ops team, then use '''bastion-restricted.wmflabs.org'''.
In order to SSH even into a bastion, you need to be a member of at least one project (then the <code>project-bastion</code> LDAP group will be added automatically).
[[Help:Cloud VPS project#Request a new Cloud VPS project|Request a new Cloud VPS project]], or ask someone to add you to their existing project.


== SSH Recommendations ==
=== Using agent forwarding ===


=== Linux or macOS ===
Labs has a bastion instance that can be used to access all other instances called ''bastion.wmflabs.org''. To reach nodes from the bastion instance, you'll need to use an SSH agent, and forward that agent when connecting to the bastion instance. For example:
* Natively support SSH. You should be able to SSH from the terminal.


=== Windows 10 ===
* On your local system:
* Windows 10 (Spring 2018 Creators update or higher) has a built in SSH client.
eval `ssh-agent`
** If the OpenSSH client is not already enabled, you can do this by following <code>Settings</code> '''->''' <code>Apps & features </code> '''->''' <code>Optional features</code> '''->''' <code>Add a feature</code>. Scroll down and enable the SSH Client.
ssh-add ~/.ssh/''your_key_file_for_labs''
** Access the SSH client via Windows Powershell using the <code>ssh</code> directive.
ssh -A <username>@bastion.wmflabs.org
** To use an SSH agent, you will need to enable it.
* On bastion:
*** Type into your search bar <code>services.msc</code> and open the Services program
ssh <your-instance>.pmtpa.wmflabs
*** Find OpenSSH Authentication Agent and set that service to "Automatic" and start it if it is disabled.


=== Older versions of Windows ===
The above would let you ssh into your instance. Notice that FQDN isn't completely necessary. You can also just use "ssh <your-instance>".
It is recommended that you run the most current version of Windows. However, if you choose to run an older version, you will need an SSH client. [https://www.putty.org/ PuTTY] / [http://kitty.9bis.net/ KiTTY] is often recommended.


== Accessing Cloud VPS instances ==
If you already use an ssh agent to connect to other hosts, you should consider [[Managing Multiple SSH Agents|using a separate agent for your labs key]] to avoid exposing your other keys to the labs hosts.


=== Using ProxyCommand ssh option ===
=== Key concepts ===


; {{anchor|Bastion host}} [[w:Bastion host|Bastion host]]: An instance you use to access other instances. Most instances do not have floating IP addresses assigned, due to our shortage of public IPs. To access them, it's necessary to go through a bastion host as an intermediary. For example <tt>bastion.wmcloud.org</tt> is accessible by every Cloud VPS account holder who has been added to the [[Nova Resource:Bastion|bastion project]]. There are other bastion hosts, e.g. to access Toolforge. See also [[Bastion]].
Using this configuration, it's possible to directly connect to your instances.


; {{anchor|Bastion Instance}} Bastion instance: For security purposes most Cloud VPS instances cannot be directly accessed from the Internet. A bastion instance is used to gain ssh access to other instances. The Cloud VPS bastion (bastion.wmcloud.org) is accessible by every Wikimedia developer account holder who is a member of a Cloud VPS project. Toolforge members are not automatically granted access to the shared Cloud VPS bastion as Toolforge has its own bastion servers (for example: login.toolforge.org).
Add this to the bottom of your ~/.ssh/config on your local system:
<pre>
Host bastion1.pmtpa.wmflabs
Hostname bastion.wmflabs.org
ProxyCommand none


=== Setup ===
Host bastion1.eqiad.wmflabs
{{Note|[[Portal:Toolforge|Toolforge]] has [[Portal:Toolforge/About_Toolforge#Bastion_hosts|its own bastions]] and does not require the below configuration.}}
Hostname bastion2.wmflabs.org
You'll need to proxy through a machine that is visible to the Internet and recognizes Cloud VPS (bastion) instances.
ProxyCommand none


{| class="wikitable"
Host *.pmtpa.wmflabs
|+How should you proxy?
ProxyCommand ssh -a -W %h:%p bastion1.pmtpa.wmflabs
!Your role
!Use
|-
|A member of Wikimedia SRE Team
|<code>restricted.bastion.wmcloud.org</code>
|-
|Everyone else (including volunteers and Wikimedia Foundation staff)
|<code>primary.bastion.wmcloud.org</code><br/><code>bastion.wmcloud.org</code> (alias)
|}


Configure your <code>$HOME/.ssh/config</code> file to instruct SSH to use <code>bastion.wmcloud.org</code> as a jump host when connecting to <code>*.wikimedia.cloud</code> instances:
Host *.eqiad.wmflabs
ProxyCommand ssh -a -W %h:%p bastion1.eqiad.wmflabs


<syntaxhighlight lang="apache">
Host *.wmflabs
Host *.wmflabs.org *.wmcloud.org *.toolforge.org
User <labs-shell-name>
User <your-shell-name>
</pre>


Host *.wmflabs *.wikimedia.cloud
If you are using a non-default key, you should uncomment the next two lines, and enter your key's filename
User <your-shell-name>
<pre>
ProxyJump bastion.wmcloud.org:22
IdentityFile <key-filename>
</syntaxhighlight>
IdentitiesOnly yes
</pre>


With the above config you can use <code>ssh <your-instance>.<your-project>.eqiad1.wikimedia.cloud</code> to connect to an instance.
The ssh proxy command use <tt>-a</tt> to make sure you are never going to forward your ssh keys to the WMF labs. That is a security safeguard.


Now you should be able to run the following directly from your local system (even without agent forwarding):
If you can't or prefer to not alter SSH config files, you can also use the following command to specify the settings all in a longer ssh command:
<syntaxhighlight lang="shell-session">
$ ssh -J <your-shell-name>@bastion.wmcloud.org <your-shell-name>@<your-instance>.<your-project>.eqiad1.wikimedia.cloud
</syntaxhighlight>


=== Logging in ===
ssh <your-instance>.pmtpa.wmflabs
Run the following from your local computer, substituting the instance and project names as appropriate:

ssh ''your-instance''.''your-project''.eqiad1.wikimedia.cloud
=== Accessing services using port forwarding ===

If your instance doesn't have a public IP address, but you need to access a service on it, you can use port forwarding. For instance, here's how you would access a web service:

* On your local system:
ssh <username>@bastion.wmflabs.org -L 8080:<your-instance>:80

You can then connect to it via ''http://localhost:8080''.

=== Accessing web services using a SOCKS proxy ===
==== Setting up the proxy ====
If you only need to access web services on an instance that doesn't have a public IP address, it's easiest to use a SOCKS proxy:

# On your local system: <br/><pre>ssh <username>@bastion.wmflabs.org -D 8080</pre>
# After doing so, you have set configuration so your browser will use localhost:8080 as a SOCKS proxy (which makes it possible to connect directly to your node from the addressbar, e.g. '<nowiki>'http://<your-instance>.pmtpa.wmflabs</nowiki>''.<br/>You can configure this in a few different ways (whichever fits you best):
#* On a Mac, in the System Preferences > Network > Advanced > Proxies. Tick "Socks Proxy" and enter 'localhost' and '8080'. After saving and applying this you can use <nowiki>'http://<your-instance>.pmtpa.wmflabs:8080</nowiki> in the browser.
#* If you use [http://getfoxyproxy.org/index.html foxy proxy] (a Firefox, IE or Chrome add-on), you can use the pre-defined url pattern defined [https://labsconsole.wikimedia.org/wiki/MediaWiki:Foxy-proxy-labs?action=raw here].

==== Troubleshooting the proxy ====
Test to see if the proxy is working:
* load http://whatismyipaddress.com/. If you see your own IP address, your browser is not sending traffic through the proxy. If you see 208.80.153.207, the browse is correctly sending traffic through the proxy.
* If you see a '''Server Not Found''' error when you browse to <nowiki>http://<your-instance>.pmtpa.wmflabs</nowiki> you may need to tell your browser to use remote DNS instead of local.
** To do this on Firefox, point your browser at '''about:config''' and search for '''network.proxy.socks_remote_dns'''. If it is set to '''false''' double click on the row to set it to '''true'''.

== Rights ==

=== Anonymous users ===

You'll need to have an account created for you. If you currently have SVN access, then you have an account, but need to have it linked to Labs (how-to for admins: !add-labs-user). We are still working out the account activation process, but hope to have it done soon.

=== Logged-in users ===

After creating an account, you can:

* [[Special:NovaKey|Add and manage your public SSH keys]]

Once you add a key, you'll be able to log into the instance of any project you are a member of. Have a current project member, or an admin user add you to a project.

To create instances within a project, you'll need to have a sysadmin on the project, or an admin add you to the sysadmin role for that project.

You can make [[Resource query examples|queries]] for nova resources; currently only Nova instances have semantic properties enabled.

After logging in, you can also access [https://gerrit.wikimedia.org Gerrit]; if you wish to do git checkouts of the puppet repositories, you'll need to log into [https://gerrit.wikimedia.org Gerrit], and add your SSH key there as well. Note: it would be nice if Gerrit could use LDAP for its SSH keystore, instead of its database; I've opened a [http://code.google.com/p/gerrit/issues/detail?id=1124 bug for this], if you'd like to help, please add that feature to Gerrit!

=== Admins ===

==== Wiki Admin ====

If you are a wiki admin, you can:

* [[Special:NovaProject|Create/delete Nova projects and manage project and project role membership]]
* [[Special:NovaRole|Manage global role membership]].
* [[Special:NovaSudoer|Manage sudo policies]].

==== Net Admins ====

If you are a NetAdmin, you can:

* [[Special:NovaAddress|Allocate and associate public IP addresses, and add public DNS entries to instances]]
* [[Special:NovaSecurityGroup|Manage security groups and rules]].

==== Sys Admins ====

If you are a sysadmin, you can:

* [[Special:NovaInstance|Create or manage instances]].
* [[Special:NovaVolume|Create or manage volumes]].

After creating an instance, you'll get an email notifying you that it is ready to be logged into.

==== Cloud Admins ====

In addition to all actions that sysadmins and netadmins, you can:

* [[Special:NovaDomain|Create or manage DNS domains]].

== Puppet ==

Labs instance run from the operations/puppet repository and branch 'production'.

To trigger a puppet update, run: <tt>sudo puppetd -tv</tt>

The cron job that updates the master puppet repo in the labs cluster runs every minute. So your change got merged in, you will have to wait a bit.

== Access FAQ ==

;'''Q:''' Who can give out Labsconsole accounts, and how do they do it?: '''A:''' User accounts on the wiki (which is also shared credentials for gerrit and nova) can be created by a wiki admin. Requests for access can be made via [https://www.mediawiki.org/wiki/Developer_access leaving a request on this page (MediaWiki.org) (this is recommended)] or by asking one of these people:
:{|
! User name
! IRC user name
! MediaWiki.org talk page
|-
| Ryan Lane
| (<tt>Ryan_Lane</tt>)
| ([[mediawikiwiki:User_talk:Ryan_lane|talk page]])
|-
| Sara Smollett
| (<tt>ssmollett</tt>)
|-
| Andrew Bogott
| (<tt>andrewbogott</tt>)
|-
| Sumana Harihareswara
| (<tt>sumanah</tt>)
|([[mediawikiwiki:User_talk:Sumanah|talk page]])*
|-
| Chad Horohoe
| (<tt>^demon</tt>)
| ([[mediawikiwiki:User_talk:^demon|talk page]])
|-
| Rob Lanphier
|(<tt>robla</tt>)
|-
| Sam Reed
| (<tt>Reedy</tt>)
| ([[mediawikiwiki:User_talk:Reedy|talk page]])*
|-
| Tim Starling
| (<tt>TimStarling</tt>)
| ([[mediawikiwiki:User_talk:Tim_Starling|talk page]])
|-
| Daniel Zahn
| (<tt>mutante</tt>)
|-
| Faidon Liambotis
| (<tt>paravoid</tt>)
|}
:(* = recommended contactee)
:and anyone in Wikimedia Foundation's Technical Operations group. They will say yes to everyone who asks, except for [[wikipedia:Osama_bin_Laden|known malicious persons]]. There is no other publicly available list that's better, so this is the list of people newbies can ping to ask for accounts. If you want to contact them, you may want to try the IRC channels #mediawiki or #wikimedia-dev.


==== SSH fingerprints ====
:If you are applying for access, you should give them the following information:
See [[Help:SSH Fingerprints]] for host key fingerprints which can be used to validate the authenticity of keys offered by hosts when attempting to connect for the first time or if the key has changed due to a full reimaging of the server. It is good practice to verify the SSH fingerprint of the bastions you use in order to reduce the likelihood of a [[:en:Man-in-the-middle_attack|MITM attack]].
:* Your preferred wiki username - also your git username
:* Your preferred email address
:* Your svn account name
:'''Do not give them your password! They don't need it and you'll set your own password up anyway.''' If you do, it will not be a pretty sight and you will have to flock to local Oversights and Special:PasswordReset.


SSH fingerprints of non-bastion servers are usually not listed there; if you can't find a way to get their fingerprint from elsewhere (e.g., it might be printed to the log on first boot, which you can see in Horizon if the instance was newly created), then it's probably fine to accept the host key you connect to it (trust on first use), since the risk of a MITM attack between the instance and the bastion should be lower than between the bastion and your client.
;'''Q:''' I just want git access; I don't care about labsconsole. How do I get Git access?: '''A:''' You should care about labsconsole! However, that doesn't matter. Labsconsole access and Git access are currently given using the same mechanism, therefore it is a unified login.


== File managers ==
;'''Q:''' I was added to a group that gives me access to something in git, but it isn't working, what's wrong?: '''A:''' Once you have been added to the group, you need to log out of gerrit, then back in. Gerrit pulls its groups from LDAP, but caches them. Logging out, then back in re-synchronizes your groups, and thus clears the cache.
You can connect to your Cloud VPS instance through the bastion via SSH with a file manager. There are a number of Open Source options listed below.


'''Note:''' The following options are maintained by third parties. Please see the technical documentation or readme on the software's website to determine the best method of connection.
==== Giving users Labs access, if they already have an SVN account ====
Collect the following information from the user:


=== Options ===
* Preferred wiki username. This will also be the user's git username, so legal name would be reasonable
* Preferred email address
* Their svn account name


'''Windows'''
On formey, run the following command:
* [https://www.putty.org/ PuTTY]


'''Linux'''
add-labs-user --wikiname="<wikiusername>" --mail="<email address>" <svnusername>
* Gnome: ([https://wiki.gnome.org/Apps/Files Files, formerly Nautilus]),
* KDE: [https://kde.org/applications/system/org.kde.dolphin Dolphin],
* FUSE: [https://github.com/libfuse/libfuse libfuse on GitHub]


'''Mac'''
If the user specifically requests Labs access, also go to [https://labsconsole.wikimedia.org/wiki/Special:NovaProject Special:NovaProject] and add the user, by wiki username, to the bastion project. But if they just need an account so they can log into Gerrit etc. then you don't need to do this.
* [https://github.com/libfuse/sshfs SSHFS]


== Troubleshooting ==
Then the user must do the following:
In general, adding SSH option -v, -vv, or -vvv may help identify possible issues.


=== Into Bastion ===
# Go to the [https://labsconsole.wikimedia.org/wiki/Special:PasswordReset password reset form at labs console]
# Use the temporary password to set a password
# Log into [https://gerrit.wikimedia.org gerrit]
# Add their SSH key


===== Permission denied (publickey) =====
Then, if they are an ops team member, add them to the ops group:
# Make sure you have uploaded the correct SSH key to [[Special:Preferences#mw-prefsection-openstack|your preferences]]
# Use lowercase letters for your username
# Your SSH user name is your '''instance shell account name''' name (see [[Special:Preferences|User Profile]] > Basic Information in your Wikitech account's Preferences page). It is not necessarily the same as your account's '''username'''


===== Connection closed by remote host =====
sudo modify-ldap-group --addmembers=<svnusername> ops
* Make sure you have uploaded the correct SSH key to [[Special:Preferences#mw-prefsection-openstack|your preferences]]
* If you have access to other SSH servers, can you connect to them? If not, then there may be an issue with your SSH client.
* If you use Windows, is Pageant (PuTTY authentication agent) set up with correct keys and running?


===== Blocking connection on OS X with no error message =====
If they are WMF staff, add them to the wmf group:


If you are running OS X and your SSH connection blocks without any error message (while pinging the server works), try
sudo modify-ldap-group --addmembers=<svnusername> wmf
<code>unset SSH_AUTH_SOCK</code>, and then SSH again. This will unset the socket to ssh-agent.


=== Into ''your-instance'' ===
==== Giving users Labs access, if they don't already have SVN access ====
Ask for:


===== Permission denied (publickey) =====
* Preferred wiki username. This will also be the user's git username, so legal name would be reasonable
* Make sure the instance build has completed.
* Preferred email address
* Search in the console output for ''β€œFinished puppet run”'', ''BEGIN SSH HOST KEY FINGERPRINTS'', and ''BEGIN SSH HOST KEY KEYS''.
* Their preferred shell account name (1 to 17 numbers and lower case [[wikipedia:ASCII|ASCII]] letters, as well as the <tt>.</tt>&nbsp;([[wikipedia:Full stop#Computing_use|full stop]]), <tt>-</tt>&nbsp;([[wikipedia:Hyphen-minus|hyphen-minus]]) and <tt>_</tt>&nbsp;([[wikipedia:Low line|low line]]) characters)


{{:Help:Cloud Services communication}}
Then either:


[[Category:Cloud VPS]]
* Recommended: just get the accountcreators power from Ryan Lane, Sara Smollett or Daniel Zahn (Mutante) and then create the user's account using [[Special:CreateAccount]] and choose "By email" to send the user a password
* [http://wikitech.wikimedia.org/view/Svn.wikimedia.org#Add_users Make an LDAP user on formey] and then follow the instructions for people who have SVN accounts (above)
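
Review bot: the added Setup block (`Host *.wmflabs *.wikimedia.cloud` with `ProxyJump bastion.wmcloud.org:22`) has no replacement for the removed sentence explaining that the proxy command used `-a` so keys are never forwarded to the bastion, and the removed agent-forwarding section is gone without a note on what to do instead. Suggest one sentence after the config stating that ProxyJump authenticates to the instance from the local client, so agent forwarding to the bastion is not needed and should stay off. The removed `IdentityFile <key-filename>` / `IdentitiesOnly yes` hint for non-default keys also has no counterpart in the new text and is worth keeping. Two wording fixes in the added lines: "Upload your public SSH key Gerrit" is missing "to", and "instance shell account name name" repeats a word.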

Latest revision as of 21:28, 28 September 2023

Overview

This page explains how to gain access to Cloud VPS using SSH.

What you'll need

Required accounts

To access Toolforge, Cloud VPS, or other Wikimedia developer tools, you need the following two types of accounts:

Account type: Wikimedia account
Description: Also known as "Wikimedia single user login (SUL)" account. Allows you to log into general wikis like Wikipedia, MediaWiki, and MetaWiki.
Where to sign up: Create Wikimedia account

Account type: Wikimedia developer account
Description: Username (also called LDAP username) is used to log in on Wikitech (this wiki), Gerrit, and the Toolforge admin console. In GitLab it is your displayed name, so you may want it to be your full name. You will not be able to change this later! Shell username is used to log into Toolforge, other Wikimedia VPS or Wikimedia production hosts using SSH.
Where to sign up: Create Wikimedia developer account

Set up and upload SSH keys

  1. Generate an SSH Key
  2. Upload your public SSH key to Wikitech
  3. Upload your public SSH key to Gerrit

Be a member of a Cloud VPS project

In order to SSH into instances of a particular Cloud VPS project, you must be a member of that project. In order to SSH even into a bastion, you need to be a member of at least one project (then the project-bastion LDAP group will be added automatically). Request a new Cloud VPS project, or ask someone to add you to their existing project.

SSH Recommendations

Linux or macOS

  • Linux and macOS natively support SSH. You should be able to SSH from the terminal.

Windows 10

  • Windows 10 (Spring 2018 Creators update or higher) has a built in SSH client.
    • If the OpenSSH client is not already enabled, you can do this by following Settings -> Apps & features -> Optional features -> Add a feature. Scroll down and enable the SSH Client.
    • Access the SSH client via Windows PowerShell using the ssh command.
    • To use an SSH agent, you will need to enable it.
      • Type into your search bar services.msc and open the Services program
      • Find OpenSSH Authentication Agent and set that service to "Automatic" and start it if it is disabled.

Older versions of Windows

It is recommended that you run the most current version of Windows. However, if you choose to run an older version, you will need an SSH client. PuTTY / KiTTY is often recommended.

Accessing Cloud VPS instances

Key concepts

Bastion host
An instance you use to access other instances. Most instances do not have floating IP addresses assigned, due to our shortage of public IPs. To access them, it's necessary to go through a bastion host as an intermediary. For example bastion.wmcloud.org is accessible by every Cloud VPS account holder who has been added to the bastion project. There are other bastion hosts, e.g. to access Toolforge. See also Bastion.
Bastion instance
For security purposes most Cloud VPS instances cannot be directly accessed from the Internet. A bastion instance is used to gain ssh access to other instances. The Cloud VPS bastion (bastion.wmcloud.org) is accessible by every Wikimedia developer account holder who is a member of a Cloud VPS project. Toolforge members are not automatically granted access to the shared Cloud VPS bastion as Toolforge has its own bastion servers (for example: login.toolforge.org).

Setup

Toolforge has its own bastions and does not require the below configuration.

You'll need to proxy through a machine that is visible to the Internet and recognizes Cloud VPS (bastion) instances.

How should you proxy? (Your role: Use)

  • A member of Wikimedia SRE Team: restricted.bastion.wmcloud.org
  • Everyone else (including volunteers and Wikimedia Foundation staff): primary.bastion.wmcloud.org, or its alias bastion.wmcloud.org

Configure your $HOME/.ssh/config file to instruct SSH to use bastion.wmcloud.org as a jump host when connecting to *.wikimedia.cloud instances:

Host *.wmflabs.org *.wmcloud.org *.toolforge.org
  User <your-shell-name>

Host *.wmflabs *.wikimedia.cloud
  User <your-shell-name>
  ProxyJump bastion.wmcloud.org:22

With the above config you can use ssh <your-instance>.<your-project>.eqiad1.wikimedia.cloud to connect to an instance.

If you can't or prefer to not alter SSH config files, you can also use the following command to specify the settings all in a longer ssh command:

$ ssh -J <your-shell-name>@bastion.wmcloud.org <your-shell-name>@<your-instance>.<your-project>.eqiad1.wikimedia.cloud

Logging in

Run the following from your local computer, substituting the instance and project names as appropriate:

ssh your-instance.your-project.eqiad1.wikimedia.cloud

SSH fingerprints

See Help:SSH Fingerprints for host key fingerprints which can be used to validate the authenticity of keys offered by hosts when attempting to connect for the first time or if the key has changed due to a full reimaging of the server. It is good practice to verify the SSH fingerprint of the bastions you use in order to reduce the likelihood of a MITM attack.

SSH fingerprints of non-bastion servers are usually not listed there; if you can't find a way to get their fingerprint from elsewhere (e.g., it might be printed to the log on first boot, which you can see in Horizon if the instance was newly created), then it's probably fine to accept the host key you connect to it (trust on first use), since the risk of a MITM attack between the instance and the bastion should be lower than between the bastion and your client.
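
The check described above, as an added example that is not part of the original page: it computes the SHA256 fingerprint in the form `ssh-keygen -l` displays it, from `ssh-keyscan`-style output, and compares it with a published value before the key is trusted. The key material and the "published" fingerprint are constructed for illustration; real values come from Help:SSH Fingerprints.

```python
import base64
import hashlib
import struct


def sha256_fingerprint(key_b64: str) -> str:
    """OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the raw key blob."""
    blob = base64.b64decode(key_b64, validate=True)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_keyscan_line(line: str):
    """Split one 'host keytype base64key' line as printed by ssh-keyscan."""
    parts = line.split()
    if len(parts) < 3:
        raise ValueError("expected 'host keytype base64key'")
    host, key_type, key_b64 = parts[:3]
    blob = base64.b64decode(key_b64, validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    # The blob starts with a length-prefixed copy of the key type.
    # A line whose declared type disagrees with the blob is rejected.
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != key_type.encode("ascii"):
        raise ValueError("key type does not match key blob")
    return host, key_type, key_b64


def check_host_keys(keyscan_output: str, published: dict) -> dict:
    """Compare each offered key with the published fingerprint.

    published maps (host, key_type) -> "SHA256:..." as copied from a trusted page.
    Returns (host, key_type) -> "match", "MISMATCH" or "unlisted".
    """
    results = {}
    for line in keyscan_output.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # ssh-keyscan banner comments
            continue
        host, key_type, key_b64 = parse_keyscan_line(line)
        expected = published.get((host, key_type))
        if expected is None:
            # Typical for non-bastion instances: trust on first use applies.
            results[(host, key_type)] = "unlisted"
        elif expected == sha256_fingerprint(key_b64):
            results[(host, key_type)] = "match"
        else:
            # Do not connect; the offered key is not the published one.
            results[(host, key_type)] = "MISMATCH"
    return results


def _constructed_key(seed: int) -> str:
    """Build a syntactically valid ssh-ed25519 blob from made-up bytes (not a real key)."""
    raw = bytes((seed + i) % 256 for i in range(32))
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw
    return base64.b64encode(blob).decode("ascii")


# Constructed sample data. In real use PUBLISHED is typed in from Help:SSH Fingerprints
# and the scan text comes from: ssh-keyscan -t ed25519 bastion.wmcloud.org
GOOD_KEY = _constructed_key(1)
ROGUE_KEY = _constructed_key(2)
PUBLISHED = {("bastion.wmcloud.org", "ssh-ed25519"): sha256_fingerprint(GOOD_KEY)}

if __name__ == "__main__":
    scan = (
        "# bastion.wmcloud.org:22 SSH-2.0-OpenSSH\n"
        f"bastion.wmcloud.org ssh-ed25519 {ROGUE_KEY}\n"
    )
    for (host, key_type), verdict in check_host_keys(scan, PUBLISHED).items():
        print(f"{host} {key_type}: {verdict}")
```
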

File managers

You can connect to your Cloud VPS instance through the bastion via SSH with a file manager. There are a number of Open Source options listed below.

Note: The following options are maintained by third parties. Please see the technical documentation or readme on the software's website to determine the best method of connection.

Options

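Windows

  • PuTTY (https://www.putty.org/)

Linux

  • Gnome: Files, formerly Nautilus (https://wiki.gnome.org/Apps/Files)
  • KDE: Dolphin (https://kde.org/applications/system/org.kde.dolphin)
  • FUSE: libfuse on GitHub (https://github.com/libfuse/libfuse)

Mac

  • SSHFS (https://github.com/libfuse/sshfs)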

Troubleshooting

In general, adding SSH option -v, -vv, or -vvv may help identify possible issues.

Into Bastion

Permission denied (publickey)
  1. Make sure you have uploaded the correct SSH key to your preferences
  2. Use lowercase letters for your username
  3. Your SSH user name is your instance shell account name (see User Profile > Basic Information in your Wikitech account's Preferences page). It is not necessarily the same as your account's username.
Connection closed by remote host
  • Make sure you have uploaded the correct SSH key to your preferences
  • If you have access to other SSH servers, can you connect to them? If not, then there may be an issue with your SSH client.
  • If you use Windows, is Pageant (PuTTY authentication agent) set up with correct keys and running?
Blocking connection on OS X with no error message

If you are running OS X and your SSH connection blocks without any error message (while pinging the server works), try unset SSH_AUTH_SOCK, and then SSH again. This will unset the socket to ssh-agent.

Into your-instance

Permission denied (publickey)
  • Make sure the instance build has completed.
  • Search in the console output for “Finished puppet run”, BEGIN SSH HOST KEY FINGERPRINTS, and BEGIN SSH HOST KEY KEYS.

Communication and support

Support and administration of the WMCS resources is provided by the Wikimedia Foundation Cloud Services team and Wikimedia movement volunteers. Please reach out with questions and join the conversation:

Discuss and receive general support
Stay aware of critical changes and plans
Track work tasks and report bugs

Use a subproject of the #Cloud-Services Phabricator project to track confirmed bug reports and feature requests about the Cloud Services infrastructure itself

Read stories and WMCS blog posts

Read the Cloud Services Blog (for the broader Wikimedia movement, see the Wikimedia Technical Blog)