
Add blocked access part

Merged Josef Němec requested to merge blocked-cloud-access-faq into master
+ 50
1
@@ -111,4 +111,53 @@ All the data is protected against disk failures. We are not responsible for any
What can I do?
- Use OpenStack Snapshots for local backup.
- Use backup software like Borg or Restic to create an offsite incremental backup.
- Use backup/data storage services provided by MUNI or CESNET (e. g. https://it.muni.cz/sluzby/zalohovani-bacula ).
\ No newline at end of file
 
## Blocked Access to Cloud Resources
 
Access to the MetaCentrum cloud is protected by security teams [CSIRT-MU] (https://csirt.muni.cz/?lang=en) and [CSIRT-CESNET] (https://csirt.cesnet.cz/en/index).
 
 
Some interactions with virtual servers can block access to the allocated cloud resources. This is caused by the fact, that legal SSH access to a virtual machine can be similar to brute-force SSH access (both respond with: Nx ssh connect timeout, Mx ssh connect refused, or ssh connect passed).
 
 
### How to access cloud resources without getting blocked
 
As an example, consider a group of virtual machines, where at least one has access to the internet using an IPv4 or IPv6 public address, and they are connected by an internal network (e.g. 10.0.0.0/24).
 
 
To access the machine with a public address:
 
* Wait for the machine to enter ACTIVE state (Openstack API: `openstack server show <id> -f json | jq -r .status`)
 
* After a short while (cca 10s), try to see, if the machine reacts to SSH (or another open port)
 
 
To access machines on the internal network:
 
* The recommended method is to create an SSH VPN using sshuttle with `sshuttle -r user@<public-ip> 10.0.0.0/24`
 
* Address all internal virtual servers with their internal address (CIDR 10.0.0.0/24) and use the machine with the public address as an entry point for traffic
 
* Use the steps above to connect: wait for ACTIVE and try a port connection
 
 
### How to check, if resources are blocked
 
Run the following bash script from two different IP addresses:
 
 
```sh
 
# Test Cloud Accessibility
 
#
 
# Execution example: test_cloud_access 178.128.250.99 22
 
 
function test_cloud_access() {
 
local basion_vm_public_ip="$1"
 
local basion_vm_public_port="${2:-22}"
 
local cloud_identity_host=${3:-identity.cloud.muni.cz}
 
local timeout=60
 
set -x
 
cmds=("ip a" "ip -4 r l" "ip -6 r l")
 
for i_cmd in "${cmds[@]}"; do
 
${i_cmd}; echo "ecode:$?";
 
done
 
for i_cmd in host tracepath traceroute ping ; do
 
timeout --signal=2 ${timeout} ${i_cmd} "${cloud_identity_host}"
 
echo "ecode:$?"
 
done
 
timeout --signal=2 ${timeout} curl -v "https://${cloud_identity_host}"
 
echo "ecode:$?"
 
timeout --signal=2 ${timeout} ncat -z "${basion_vm_public_ip}" "${basion_vm_public_port}"
 
echo "ecode:$?"
 
set +x
 
}
 
```
 
 
Unblocking access can be requested by contacting cloud@metacentrum.cz with the respective assumption and output of the bash function `test_cloud_access()` above.
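Review bot: `test_cloud_access()` cannot tell a blocked network path from a missing tool: `host`, `tracepath`, `traceroute`, `ping` and `ncat` are each invoked without checking they are installed, so on a minimal client every probe reports `ecode:127` and the output the last paragraph asks users to send to cloud@metacentrum.cz says nothing about the block. Add a guard in the tool loop, e.g. `command -v "${i_cmd}" >/dev/null || { echo "missing:${i_cmd}"; continue; }`, and the same check before `ncat -z`; also declare `cmds` with `local` (it currently leaks into the caller's shell) and rename `basion_vm_public_ip` / `basion_vm_public_port` to `bastion_...`. Two smaller points in the same hunk: the Markdown links `[CSIRT-MU] (https://csirt.muni.cz/?lang=en)` and `[CSIRT-CESNET] (https://csirt.cesnet.cz/en/index)` have a space between `]` and `(`, so they render as literal brackets rather than links; and the sentence "legal SSH access to a virtual machine can be similar to brute-force SSH access" should state the practical rule the section is built on, namely that a burst of connection attempts against a VM that is still booting (repeated timeouts and connection-refused responses) looks like a scan to the security teams, which is why the steps below say to wait for ACTIVE and probe a port once instead of retrying `ssh` in a loop. Minor: `openstack server show <id> -f value -c status` drops the `jq` dependency, "cca 10s" should read "about 10 seconds", and "with the respective assumption" in the last paragraph should say what is meant, e.g. "with a description of what you expected to happen and what you observed".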