Help talk:Accessing Cloud VPS instances

• Please add a detailed description of how to access labs using windows oren 16:18, 31 December 2011 (UTC)Reply

Leave a comment with:

• Your preferred wiki username - will also be your git username, legal name would be reasonable (this will be permanent so choose wisely)
• Your preferred email address
• "I already DID/DID NOT have a Subversion account"
• Your svn account name if you have one, or if you didn't, your preferred shell account name (1 to 17 numbers and lower case ASCII letters, as well as the . (full stop), - (hyphen-minus) and _ (low line) characters)

and someone with the relevant privileges will create an account for you. Check back here to see whether it's been done. User:Sumanah 02:58, 19 March 2012‎ (UTC) - migrated from LiquidThreadsReply

Erm, this doesn't work; the anons do not have the user rights to post LQT User:Jeffw 03:11, 19 March 2012‎ (UTC) - migrated from LiquidThreadsReply

Aiee. Thanks for pointing this out. Argh. Ryan's addressing this. User:Sumanah 23:56, 19 March 2012‎ (UTC) - migrated from LiquidThreadsReply

I've went ahead and made a requests area at mediawikiwiki:Project:Labsconsole_accounts. User:Jeffw 03:18, 20 March 2012‎ (UTC) - migrated from LiquidThreadsReply

This page does not really explain how to get to the git repository as promised at the top. At least, I could not see it. The link to gerrit simply brings you to a code review page without any explanation of how to actually do a local git clone. User:Greg Sabino Mullane 23:37, 23 March 2012‎ (UTC) - mirgrated from LiquidThreadsReply

This is listed in step 1: "Go to the login page and enter your username..." but it is probably only needed to enter your username in step 2, after you click the Forgot... link. --svemir (talk) 13:01, 6 June 2012 (UTC)Reply

Done, diff jeremyb (talk) 17:58, 6 June 2012 (UTC)Reply

While trying to do ssh nischayn22@bastion.wmflabs.org -L 8080:greensmw1:80 I am able to log into the instance, but when opening localhost:8080 It shows "No Data Recieved" and the console shows "channel 4: open failed: connect failed: Connection timed out"--nischayn22 (talk) 20:21, 16 August 2012 (UTC)Reply

Before you can get forwarding working you need to be able to connect to that port at all. (even from the inside) Make sure something's listening there, double check your security groups (which cannot be changed for an instance after creation) / iptables / etc. Try #wikimedia-labs on freenode if you still can't figure it out.

$ ssh bastion1.pmtpa.wmflabs nc -v greensmw1 80
nc: connect to greensmw1 port 80 (tcp) failed: Connection timed out

What files should and shouldn't be in your /home/$USER/.ssh directory on labs machines? If you try to update a labs instance over ssh from gerrit then I think you need your private key on the labs machine. Is that OK? -- [A concerned user] :)

You should absolutely not have a private ssh key there. If you want to access gerrit, forward your agent. Otherwise, that directory is generally ignored.--Ryan Lane (talk) 18:50, 21 August 2013 (UTC)Reply

ssh is usually rather slow for most users on Labs, I think. Should we add ControlMaster to the configuration suggested to the users? It can make a big difference especially for those used to local editing of remote files (optionally with the help of KIOslaves). --Nemo 10:53, 4 January 2015 (UTC)Reply

now, I cann't access via ssh with an error message Permission denied (publickey,hostbased). what that's mean ? --Wahrani (talk) 20:46, 22 March 2015 (UTC)Reply

This happened to me too, Wahrani. Are you trying to ssh into tools-login? If so I suspect that you need to generate a new pair of keys, since this change suggests that the SSH fingerprint for that server has changed. Yuvi, could you confirm or deny this? jmorgan (talk) 16:59, 23 March 2015 (UTC)Reply

Update. Ah, just checked the mailing list, and it looks like we probably don't need new keys; just remove the tools-login.wmflabs.org line from your /path/to/ssh/known_hosts file and accept the new fingerprint when prompted, next time you try to SSH in. Hope that helps, jmorgan (talk) 17:10, 23 March 2015 (UTC)Reply

thank you very much jmorgan. the denied access was temporary. --Wahrani (talk) 21:01, 23 March 2015 (UTC)Reply

ssh bastion1.eqiad.wmflabs
~/.ssh/config line 20: Bad SSH2 cipher spec 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'.

ssh -V
OpenSSH_6.2p2, OpenSSL 1.0.1k 8 Jan 2015

Any suggestion about that? (usually I wouldn't try to login to bastion directly but I just wanted to try the update config) -- Rillke (talk) 10:08, 13 June 2015 (UTC)Reply

That sounds like you have a cipher spec in your ssh config that is unsupported. Google suggests it's caused by the 'aes128-gcm@openssh.com' one: . I'd just remove the entire cipher spec, and let the client and server work it out among themselves. valhallasw (Merlijn van Deen) (talk) 11:29, 13 June 2015 (UTC)Reply

I have been attempting (over several months) to set up a local directory to access my faebot scripts using sshfs. The guidance in this help page of " sshfs -o defer_permissions your-instance.eqiad.wmflabs someLocalFolder " seems to miss something, many variations such as changing the server name have failed. For example sshfs -o defer_permissions faebot@faebot.eqiad.wmflabs labs eventually gives me 'remote host has disconnected'. Any examples and suggestions would be appreciated as these network configurations are an enigma to me. By the way, connection via ssh works fine. --Fæ (talk) 17:18, 18 February 2016 (UTC)Reply

The host faebot.eqiad.wmflabs does not exist. Are you trying to connect to your toollabs account? In that case, try faebot@tools.wmflabs.org instead. valhallasw (Merlijn van Deen) (talk) 17:38, 18 February 2016 (UTC)Reply

Thanks (yes, I missed out '.org', but the help page does too). I have tried sshfs -o defer_permissions faebot@tools.wmflabs.org:/ labs and several variations, but I get socket is not connected and remote host has disconnected errors. "labs" is the local folder I'm attempting to connect to. --Fæ (talk) 18:28, 18 February 2016 (UTC)Reply

suggests it can mean a whole range of issues. Maybe dmesg (or the os x equivalent of that) has some information? Alternatively, use an scp client such as 'cyberduck' or filezilla? valhallasw (Merlijn van Deen) (talk) 20:50, 18 February 2016 (UTC)Reply

tools.wmflabs.org does not work for me, but I can get a connection for faebot to bastion.wmflabs.org both using sshfs and cyberduck using SFTP. I've tried a few variations, but I have no idea how to configure the login or the URI in a way that gets me to the faebot tools directory. --Fæ (talk) 00:01, 19 February 2016 (UTC)Reply

tools.wmflabs.org is the web frontend. It is not accessible by ssh for normal users. You need to log into (for example) tools-login.wmflabs.org. --Tim Landscheidt (talk) 13:47, 19 February 2016 (UTC)Reply

That did the job! Thanks.

For anyone wanting to get SFTP working remotely for labs on a Mac, so you can drag and drop files, my settings for faebot on cyberduck are:

1. Select SFTP protocol
2. Server: tools-login.wmflabs.org
3. Port: 22, should be set already as a default
4. Username: <username, e.g. faebot>
5. Select use public key encryption and link to the file set up for ssh to work (e.g. ~/.ssh/id_rsa), there should be no need to change other settings
6. Once connected navigate back up to /data/projects/<tool name> to access tool files

I can use sshfs with similar settings (e.g. sshfs -o defer_permissions faebot@tools-login.wmflabs.org:/ /Volumes/labs) but I have yet to work out how to navigate up the tree to get to /data/projects/faebot once the remote home folder is connected as a virtual disk with OSXFuse. --Fæ (talk) 14:57, 19 February 2016 (UTC)Reply

Step 3 in Prerequisites is "After logging in, upload your public ssh key to Wikitech.". But following another's advice I added it using toolsadmin.wikimedia.org instead, and was able to log in. Are these instructions out of date, or do both methods work? Falsifian (talk)

Both methods work today. "Someday" the ability to manage ssh keys through wikitech will be removed, but that day is quite a way off. I personally like the UI for this in toolsadmin better, but I wrote that code too so I might have some bias. ;) --BryanDavis (talk) 21:49, 30 August 2019 (UTC)Reply

This page went through a major revision and update. It now focus primarily around Accessing Cloud VPS instances. Some code samples and instructions may still need updating. Please help improve this page!

Technical review task here: https://phabricator.wikimedia.org/T238836

--SRodlund (talk)

@SRodlund: I just now noticed that Portal:Toolforge/Toolforge quickstart links to this page. I feel like there is useful information here for the technical aspects of configuring ssh, but Toolforge uses a unique set of bastion hosts which are not mentioned on this page. Toolforge also does not require ProxyJump/ProxyCommand connections through the shared Cloud VPS bastions which this page describes. I would like to work with you to find a better way to lead new Toolforge project members into finding the special differences for that project. --BryanDavis (talk) 20:14, 29 January 2020 (UTC)Reply

@BryanDavis: I looked for the link and can't find it on that page. But did find it here: Help:Toolforge/My_first_Flask_OAuth_tool and here Help:Access_to_Toolforge_instances_with_PuTTY_and_WinSCP. I will remove these links. --SRodlund (talk)

SRodlund it looks like the reference I saw was changed in Special:Diff/1852087 to point at Help:Access to Toolforge instances with PuTTY and WinSCP. --BryanDavis (talk) 23:41, 4 February 2020 (UTC)Reply