User:SRodlund/Help: Accessing Cloud VPS instances (Staging)

Help improve the content on this page: https://phabricator.wikimedia.org/T232545

Overview

This page explains how to gain access to Cloud VPS using SSH.

What you'll need

Required accounts

Account Type	Description	Where to sign up
Wikimedia account	Wikimedia single user login (SUL) account allows you to log into general wikis like Wikipedia, MediaWiki, and MetaWiki	Create Wikimedia account
Wikimedia developer account	Wikimedia developer account allows you to log into Wikitech, Phabricator, Gerrit and other developer tools.	Create Wikimedia developer account

Set up and upload SSH keys

SSH Recommendations

Linux or Mac OS

Natively supports SSH. You should be able to SSH from the terminal.

Windows 10

Windows 10 (Spring 2018 Creators update or higher) has a built in SSH client.
- If the OpenSSH client is not already enabled, you can do this by following Settings -> Apps & features -> Optional features -> Add a feature. Scroll down and enable the SSH Client.
- Access the SSH client via Windows Powershell using the ssh directive.

Older versions of Windows

It is recommended that you run the most current version of Windows. However, if you choose to run an older version, you will need an SSH client. PuTTY / KiTTY is often recommended.

Accessing Cloud VPS instances

You'll need to proxy through a machine a machine that is visible to the Internet and recognizes Cloud VPS (bastion) instances.

How should you proxy?
Your role	Use
A general Cloud VPS Contributor	primary.bastion.wmflabs.org
A member of Wikimedia Operations	restricted.bastion.wmflabs.org

ProxyJump (recommended)

Use this directive if you are using OpenSSH version 7.3 or higher

$ ssh -J <your-shell-name>@primary.bastion.wmflabs.org <your-shell-name>@<your-instance>.<your-project>.eqiad.wmflabs

Set default configuration

To save time, you can configure the $HOME/.ssh/config file to instruct SSH to use primary.bastion.wmflabs.org as a jump host when connecting to wmflabs instances.

Host *.wmflabs
  User <your-shell-name>
  ProxyJump primary.bastion.wmflabs.org:22

Host primary.bastion.wmflabs.org
  User <your-shell-name>

ProxyCommand

Use this directive if you are using OpenSSH 7.2 or older

Host *.wmflabs
  ProxyCommand ssh -a -W %h:%p <your-shell-name>@primary.bastion.wmflabs.org
  User <your-shell-name>

Run the following from your local computer, substituting the instance and project names as appropriate:

ssh your-instance.your-project.eqiad.wmflabs

File managers

You can connect to your Cloud VPS instance through the bastion via SSH with a file manager. There are a number of Open Source options listed below.

Note:' The following options are maintained by third parties. Please see the technical documentation or ReadMe on the software's website to determine the best method of connection.

Options

Windows

PuTTY

Linux

Gnome: (Files, formerly Nautilus),
KDE: Dolphin

Mac

SSHFS

Troubleshooting

In general, adding SSH option -v, -vv, or -vvv may help identify possible issues.

#when using ProxyCommand
ssh -v your-instance.your-project.eqiad.wmflabs

Into Bastion

Permission denied (publickey)

Make sure you have uploaded the correct SSH key to your preferences
Use lowercase letters for your username
Your SSH user name is your instance shell account name name (see User Profile > Basic Information in your WikiTech account's Preferences page). It is not necessarily the same as your account's username

Connection closed by remote host

Make sure you have uploaded the correct SSH key to your preferences
If you have access to other SSH servers, can you connect to them? If not, then there may be an issue with your SSH client.
If you use Windows, is Pageant (PuTTY authentication agent) set up with correct keys and running?

Blocking connection on OS X with no error message

If you are running OS X and your SSH connection blocks without any error message (while pinging the server works), try unset SSH_AUTH_SOCK, and then SSH again. This will unset the socket to ssh-agent.

Into your-instance

Permission denied (publickey)

Make sure the instance build has completed.
Search in the console output for “Finished puppet run”, BEGIN SSH HOST KEY FINGERPRINTS, and BEGIN SSH HOST KEY KEYS.

Banners

If you log into any instance apart from bastion, SSH will display:

If you are having access problems, please see: https://wikitech.wikimedia.org/wiki/Access#Accessing_public_and_private_instances

This message cannot be suppressed, and you need to manually filter it if you want to process the output.

Communication and support

Support and administration of the WMCS resources is provided by the Wikimedia Foundation Cloud Services team and Wikimedia movement volunteers. Please reach out with questions and join the conversation:

Discuss and receive general support

Chat in real time in the IRC channel #wikimedia-cloud ^connect or the bridged Telegram group
Discuss via email after you have subscribed to the cloud@ mailing list

Stay aware of critical changes and plans

Subscribe to the cloud-announce@ mailing list (all messages are also mirrored to the cloud@ list)
Read the News wiki page

Track work tasks and report bugs

Use a subproject of the #Cloud-Services Phabricator project to track confirmed bug reports and feature requests about the Cloud Services infrastructure itself

Read stories and WMCS blog posts

Read the Cloud Services Blog (for the broader Wikimedia movement, see the Wikimedia Technical Blog)

[[Category:Cloud VPS]] [[Category:Toolforge]]