Jump to content

Help:Accessing Cloud VPS instances

From Wikitech


This page explains how to gain access to Cloud VPS using SSH.

What you'll need

Required accounts

To access Toolforge, Cloud VPS, or other Wikimedia developer tools, you need the following two types of accounts:

Account Type Description Where to sign up
Wikimedia account Also known as "Wikimedia single user login (SUL)" account. Allows you to log into general wikis like Wikipedia, MediaWiki, and MetaWiki. Create Wikimedia account
Wikimedia developer account Username (also called LDAP username) is used to log in on Wikitech (this wiki), Gerrit, and the Toolforge admin console. In GitLab it is your displayed name, so you may want it to be your full name. You will not be able to change this later!

Shell username is used to log into Toolforge, other Wikimedia VPS or Wikimedia production hosts using SSH.

Create Wikimedia developer account

Set up and upload SSH keys

  1. Generate an SSH Key
  2. Upload your public SSH key to idm.wikimedia.org
  3. Upload your public SSH key Gerrit

Be a member of a Cloud VPS project

In order to SSH into instances of a particular Cloud VPS project, you must be a member of that project. In order to SSH even into a bastion, you need to be a member of at least one project (then the project-bastion LDAP group will be added automatically). Request a new Cloud VPS project, or ask someone to add you to their existing project.

SSH Recommendations

Linux or macOS

  • Natively support SSH. You should be able to SSH from the terminal.

Windows 10

  • Windows 10 (Spring 2018 Creators update or higher) has a built in SSH client.
    • If the OpenSSH client is not already enabled, you can do this by following Settings -> Apps & features -> Optional features -> Add a feature. Scroll down and enable the SSH Client.
    • Access the SSH client via Windows Powershell using the ssh directive.
    • To use an SSH agent, you will need to enable it.
      • Type into your search bar services.msc and open the Services program
      • Find OpenSSH Authentication Agent and set that service to "Automatic" and start it if it is disabled.

Older versions of Windows

It is recommended that you run the most current version of Windows. However, if you choose to run an older version, you will need an SSH client. PuTTY / KiTTY is often recommended.

Accessing Cloud VPS instances

Key concepts

Bastion host
An instance you use to access other instances. Most instances do not have floating IP addresses assigned, due to our shortage of public IPs. To access them, it's necessary to go through a bastion host as an intermediary. For example bastion.wmcloud.org is accessible by every Cloud VPS account holder who has been added to the bastion project. There are other bastion hosts, e.g. to access Toolforge. See also Bastion.
Bastion instance
For security purposes most Cloud VPS instances cannot be directly accessed from the Internet. A bastion instance is used to gain ssh access to other instances. The Cloud VPS bastion (bastion.wmcloud.org) is accessible by every Wikimedia developer account holder who is a member of a Cloud VPS project. Toolforge members are not automatically granted access to the shared Cloud VPS bastion as Toolforge has its own bastion servers (for example: login.toolforge.org).


Toolforge has its own bastions and does not require the below configuration.

You'll need to proxy through a machine that is visible to the Internet and recognizes Cloud VPS (bastion) instances.

How should you proxy?
Your role Use
A member of Wikimedia SRE Team restricted.bastion.wmcloud.org
Everyone else (including volunteers and Wikimedia Foundation staff) primary.bastion.wmcloud.org
bastion.wmcloud.org (alias)

Configure your $HOME/.ssh/config file to instruct SSH to use bastion.wmcloud.org as a jump host when connecting to *.wikimedia.cloud instances:

Host *.wmflabs.org *.wmcloud.org *.toolforge.org
  User <your-shell-name>

Host *.wmflabs *.wikimedia.cloud
  User <your-shell-name>
  ProxyJump bastion.wmcloud.org:22

With the above config you can use ssh <your-instance>.<your-project>.eqiad1.wikimedia.cloud to connect to an instance.

If you can't or prefer to not alter SSH config files, you can also use the following command to specify the settings all in a longer ssh command:

$ ssh -J <your-shell-name>@bastion.wmcloud.org <your-shell-name>@<your-instance>.<your-project>.eqiad1.wikimedia.cloud

Logging in

Run the following from your local computer, substituting the instance and project names as appropriate:

ssh your-instance.your-project.eqiad1.wikimedia.cloud

SSH fingerprints

See Help:SSH Fingerprints for host key fingerprints which can be used to validate the authenticity of keys offered by hosts when attempting to connect for the first time or if the key has changed due to a full reimaging of the server. It is good practice to verify the SSH fingerprint of the bastions you use in order to reduce the likelihood of a MITM attack.

SSH fingerprints of non-bastion servers are usually not listed there; if you can't find a way to get their fingerprint from elsewhere (e.g., it might be printed to the log on first boot, which you can see in Horizon if the instance was newly created), then it's probably fine to accept the host key you connect to it (trust on first use), since the risk of a MITM attack between the instance and the bastion should be lower than between the bastion and your client.

File managers

You can connect to your Cloud VPS instance through the bastion via SSH with a file manager. There are a number of Open Source options listed below.

Note: The following options are maintained by third parties. Please see the technical documentation or readme on the software's website to determine the best method of connection.






In general, adding SSH option -v, -vv, or -vvv may help identify possible issues.

Into Bastion

Permission denied (publickey)
  1. Make sure you have uploaded the correct SSH key at idm.wikimedia.org
  2. Use lowercase letters for your username
  3. Your SSH user name is your instance shell account name name (see idm.wikimedia.org, your shell account is listed as "SSH access (shell) username"). It is not necessarily the same as your account's username
Connection closed by remote host
  • Make sure you have uploaded the correct SSH key at idm.wikimedia.org
  • If you have access to other SSH servers, can you connect to them? If not, then there may be an issue with your SSH client.
  • If you use Windows, is Pageant (PuTTY authentication agent) set up with correct keys and running?
Blocking connection on OS X with no error message

If you are running OS X and your SSH connection blocks without any error message (while pinging the server works), try unset SSH_AUTH_SOCK, and then SSH again. This will unset the socket to ssh-agent.

Into your-instance

Permission denied (publickey)
  • Make sure the instance build has completed.
  • Search in the console output for “Finished puppet run”, BEGIN SSH HOST KEY FINGERPRINTS, and BEGIN SSH HOST KEY KEYS.

Communication and support

Support and administration of the WMCS resources is provided by the Wikimedia Foundation Cloud Services team and Wikimedia movement volunteers. Please reach out with questions and join the conversation:

Discuss and receive general support
Stay aware of critical changes and plans
Track work tasks and report bugs

Use a subproject of the #Cloud-Services Phabricator project to track confirmed bug reports and feature requests about the Cloud Services infrastructure itself

Read stories and WMCS blog posts

Read the Cloud Services Blog (for the broader Wikimedia movement, see the Wikimedia Technical Blog)