
Add blocked access part

Merged Josef Němec requested to merge blocked-cloud-access-faq into master
@@ -111,4 +111,51 @@ All the data is protected against disk failures. We are not responsible for any
What can I do?
- Use OpenStack Snapshots for local backup.
- Use backup software like Borg or Restic to create an offsite incremental backup.
- Use backup/data storage services provided by MUNI or CESNET (e. g. https://it.muni.cz/sluzby/zalohovani-bacula ).
\ No newline at end of file
- Use backup/data storage services provided by MUNI or CESNET (e. g. https://it.muni.cz/sluzby/zalohovani-bacula ).
## Blocked Access to Cloud Resources
Access to the MetaCentrum cloud is protected by security teams [CSIRT-MU] (https://csirt.muni.cz/?lang=en) and [CSIRT-CESNET] (https://csirt.cesnet.cz/en/index).
Some interactions with virtual servers can block access to the allocated cloud resources. This is caused by the fact, that legal SSH access to a virtual machine can be similar to brute-force SSH access (both respond with: Nx ssh connect timeout, Mx ssh connect refused, or ssh connect passed).
### How to access cloud resources without getting blocked
As an example, consider a group of virtual machines, where at least one has access to the internet using an IPv4 or IPv6 public address, and they are connected by an internal network (e.g. 10.0.0.0/24).
To access the machine with a public address:
* Wait for the machine to enter ACTIVE state (Openstack API: `openstack server show <id> -f json | jq -r .status`)
* After a short while (cca 10s), try to see, if the machine reacts to SSH (or another open port)
To access machines on the internal network:
* The recommended method is to create an SSH VPN using sshuttle with `sshuttle -r user@<public-ip> 10.0.0.0/24`
* Address all internal virtual servers with their internal address (CIDR 10.0.0.0/24) and use the machine with the public address as an entry point for traffic
* Use the steps above to connect: wait for ACTIVE and try a port connection
### How to check, if resources are blocked
Run the following bash script from two different IP addresses:
```sh
# Test Cloud Accessibility
#
# Execution example: test_cloud_access 178.128.250.99 22
function test_cloud_access() {
local basion_vm_public_ip="$1"
local basion_vm_public_port="${2:-22}"
local cloud_identity_host=${3:-identity.cloud.muni.cz}
local timeout=60
set -x
cmds=("ip a" "ip -4 r l" "ip -6 r l")
for i_cmd in "${cmds[@]}"; do
${i_cmd}; echo "ecode:$?";
done
for i_cmd in host tracepath traceroute ping ; do
timeout --signal=2 ${timeout} ${i_cmd} "${cloud_identity_host}"
echo "ecode:$?"
done
timeout --signal=2 ${timeout} curl -v "https://${cloud_identity_host}"
echo "ecode:$?"
timeout --signal=2 ${timeout} ncat -z "${basion_vm_public_ip}" "${basion_vm_public_port}"
echo "ecode:$?"
set +x
}
```
Unblocking access can be requested by contacting cloud@metacentrum.cz with the respective assumption and output of the bash function `test_cloud_access()` above.
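Review bot: in `test_cloud_access()`, `ping` is invoked without a packet count, so against a reachable host it only ends when `timeout --signal=2 ${timeout}` kills it after 60 s and the script prints `ecode:124` even though connectivity is fine; the same applies to `traceroute`/`tracepath` on a path that never completes. Since the `ecode:` lines are what users are asked to send to cloud@metacentrum.cz, a false failure here will be read as a block. Suggest giving each probe its own bound, e.g. `ping -c 3 "${cloud_identity_host}"`, and keeping `timeout` only as a safety net. Smaller points in the same hunk: `basion_vm_public_ip` / `basion_vm_public_port` should be `bastion_...`; `cmds=(...)` is not declared `local`, so sourcing the function leaks the array into the caller's shell; and `[CSIRT-MU] (https://csirt.muni.cz/?lang=en)` and `[CSIRT-CESNET] (https://csirt.cesnet.cz/en/index)` have a space between `]` and `(`, so they will not render as Markdown links.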