Help talk:Accessing Cloud VPS instances

Rendered with Parsoid
From Wikitech
Latest comment: 4 years ago by BryanDavis in topic Major page update

Minor tweak for login instructions

This is listed in step 1: "Go to the login page and enter your username..." but it is probably only needed to enter your username in step 2, after you click the Forgot... link. --svemir (talk) 13:01, 6 June 2012 (UTC)Reply

Yes Done, diff jeremyb (talk) 17:58, 6 June 2012 (UTC)Reply

Forwarding not working

While trying to do ssh -L 8080:greensmw1:80 I am able to log into the instance, but when opening localhost:8080 It shows "No Data Recieved" and the console shows "channel 4: open failed: connect failed: Connection timed out"--nischayn22 (talk) 20:21, 16 August 2012 (UTC)Reply

Before you can get forwarding working you need to be able to connect to that port at all. (even from the inside) Make sure something's listening there, double check your security groups (which cannot be changed for an instance after creation) / iptables / etc. Try #wikimedia-labs on freenode if you still can't figure it out.
$ ssh bastion1.pmtpa.wmflabs nc -v greensmw1 80
nc: connect to greensmw1 port 80 (tcp) failed: Connection timed out

--jeremyb (talk) 20:35, 16 August 2012 (UTC)Reply

What should be in labs ~/.ssh

What files should and shouldn't be in your /home/$USER/.ssh directory on labs machines? If you try to update a labs instance over ssh from gerrit then I think you need your private key on the labs machine. Is that OK? -- [A concerned user] :)

You should absolutely not have a private ssh key there. If you want to access gerrit, forward your agent. Otherwise, that directory is generally ignored.--Ryan Lane (talk) 18:50, 21 August 2013 (UTC)Reply


ssh is usually rather slow for most users on Labs, I think. Should we add ControlMaster to the configuration suggested to the users? It can make a big difference especially for those used to local editing of remote files (optionally with the help of KIOslaves). --Nemo 10:53, 4 January 2015 (UTC)Reply

Permission denied

now, I cann't access via ssh with an error message Permission denied (publickey,hostbased). what that's mean ? --Wahrani (talk) 20:46, 22 March 2015 (UTC)Reply

This happened to me too, Wahrani. Are you trying to ssh into tools-login? If so I suspect that you need to generate a new pair of keys, since this change suggests that the SSH fingerprint for that server has changed. Yuvi, could you confirm or deny this? jmorgan (talk) 16:59, 23 March 2015 (UTC)Reply
Update. Ah, just checked the mailing list, and it looks like we probably don't need new keys; just remove the line from your /path/to/ssh/known_hosts file and accept the new fingerprint when prompted, next time you try to SSH in. Hope that helps, jmorgan (talk) 17:10, 23 March 2015 (UTC)Reply
thank you very much jmorgan. the denied access was temporary. --Wahrani (talk) 21:01, 23 March 2015 (UTC)Reply

Bad SSH2 cipher spec

ssh bastion1.eqiad.wmflabs
~/.ssh/config line 20: Bad SSH2 cipher spec ',,,aes256-ctr,aes192-ctr,aes128-ctr'.

ssh -V
OpenSSH_6.2p2, OpenSSL 1.0.1k 8 Jan 2015

Any suggestion about that? (usually I wouldn't try to login to bastion directly but I just wanted to try the update config) -- Rillke (talk) 10:08, 13 June 2015 (UTC)Reply

That sounds like you have a cipher spec in your ssh config that is unsupported. Google suggests it's caused by the '' one: . I'd just remove the entire cipher spec, and let the client and server work it out among themselves. valhallasw (Merlijn van Deen) (talk) 11:29, 13 June 2015 (UTC)Reply

sshfs on Mac

I have been attempting (over several months) to set up a local directory to access my faebot scripts using sshfs. The guidance in this help page of " sshfs -o defer_permissions your-instance.eqiad.wmflabs someLocalFolder " seems to miss something, many variations such as changing the server name have failed. For example sshfs -o defer_permissions faebot@faebot.eqiad.wmflabs labs eventually gives me 'remote host has disconnected'. Any examples and suggestions would be appreciated as these network configurations are an enigma to me. By the way, connection via ssh works fine. -- (talk) 17:18, 18 February 2016 (UTC)Reply

The host faebot.eqiad.wmflabs does not exist. Are you trying to connect to your toollabs account? In that case, try instead. valhallasw (Merlijn van Deen) (talk) 17:38, 18 February 2016 (UTC)Reply
Thanks (yes, I missed out '.org', but the help page does too). I have tried sshfs -o defer_permissions labs and several variations, but I get socket is not connected and remote host has disconnected errors. "labs" is the local folder I'm attempting to connect to. -- (talk) 18:28, 18 February 2016 (UTC)Reply
suggests it can mean a whole range of issues. Maybe dmesg (or the os x equivalent of that) has some information? Alternatively, use an scp client such as 'cyberduck' or filezilla? valhallasw (Merlijn van Deen) (talk) 20:50, 18 February 2016 (UTC)Reply does not work for me, but I can get a connection for faebot to both using sshfs and cyberduck using SFTP. I've tried a few variations, but I have no idea how to configure the login or the URI in a way that gets me to the faebot tools directory. -- (talk) 00:01, 19 February 2016 (UTC)Reply is the web frontend. It is not accessible by ssh for normal users. You need to log into (for example) --Tim Landscheidt (talk) 13:47, 19 February 2016 (UTC)Reply
That did the job! Thanks.

For anyone wanting to get SFTP working remotely for labs on a Mac, so you can drag and drop files, my settings for faebot on cyberduck are:

  1. Select SFTP protocol
  2. Server:
  3. Port: 22, should be set already as a default
  4. Username: <username, e.g. faebot>
  5. Select use public key encryption and link to the file set up for ssh to work (e.g. ~/.ssh/id_rsa), there should be no need to change other settings
  6. Once connected navigate back up to /data/projects/<tool name> to access tool files

I can use sshfs with similar settings (e.g. sshfs -o defer_permissions /Volumes/labs) but I have yet to work out how to navigate up the tree to get to /data/projects/faebot once the remote home folder is connected as a virtual disk with OSXFuse. -- (talk) 14:57, 19 February 2016 (UTC)Reply

ssh key instructions out of date?

Step 3 in Prerequisites is "After logging in, upload your public ssh key to Wikitech.". But following another's advice I added it using instead, and was able to log in. Are these instructions out of date, or do both methods work? Falsifian (talk)

Both methods work today. "Someday" the ability to manage ssh keys through wikitech will be removed, but that day is quite a way off. I personally like the UI for this in toolsadmin better, but I wrote that code too so I might have some bias. ;) --BryanDavis (talk) 21:49, 30 August 2019 (UTC)Reply

Major page update

This page went through a major revision and update. It now focus primarily around Accessing Cloud VPS instances. Some code samples and instructions may still need updating. Please help improve this page!

Technical review task here:

--SRodlund (talk)

@SRodlund: I just now noticed that Portal:Toolforge/Toolforge quickstart links to this page. I feel like there is useful information here for the technical aspects of configuring ssh, but Toolforge uses a unique set of bastion hosts which are not mentioned on this page. Toolforge also does not require ProxyJump/ProxyCommand connections through the shared Cloud VPS bastions which this page describes. I would like to work with you to find a better way to lead new Toolforge project members into finding the special differences for that project. --BryanDavis (talk) 20:14, 29 January 2020 (UTC)Reply
@BryanDavis: I looked for the link and can't find it on that page. But did find it here: Help:Toolforge/My_first_Flask_OAuth_tool and here Help:Access_to_Toolforge_instances_with_PuTTY_and_WinSCP. I will remove these links. --SRodlund (talk)
SRodlund it looks like the reference I saw was changed in Special:Diff/1852087 to point at Help:Access to Toolforge instances with PuTTY and WinSCP. --BryanDavis (talk) 23:41, 4 February 2020 (UTC)Reply