
Installation and use of SSL certificates (LetsEncrypt) to protect websites running on CREODIAS instances in Linux.

This article shows how to install a Let's Encrypt SSL certificate on Ubuntu 18.04 with Nginx.

1. Log in to the OpenStack dashboard, choose the right project if it differs from the default, go to Project → DNS → Zones, click Create Zone and fill in the required fields (see: DNS as a Service - user documentation).

In the example below the domain is "akdomain.pl".

To add a new record to the domain, click Create Record Set next to the domain name and fill in the required fields. For example, to configure the address of a web server in akdomain.pl so that www.akdomain.pl resolves to 185.52.195.61, the Floating IP address of your server, fill in the form as follows:

2. Add Security Group

Then select Project → Network → Security Groups, click Create Security Group and fill in the required fields. (See: How to use security groups in Horizon?)

Next click Manage Rules → Add Rule and add rules for ports 80, 8080 and 443.

Then add the Security Group to the Instance.

Go to Project → Instances, open the menu on the right of your instance and click Edit Security Groups.

Add the DNSy group to Instance Security Groups.

3. Configure the NS records for your domain to point at the following CloudFerro name servers:

Purpose                  Name Server               IP
primary name server      cf2-ns1.cloudferro.net    185.48.233.242
secondary name server    cf2-ns2.cloudferro.net    185.48.233.243
secondary name server    cf2-ns3.cloudferro.net    185.48.233.244

4. Connect to your server with SSH (see: How to connect to your virtual machine via SSH in Linux?) and log in as root.

Once you are logged in, run the following commands to make sure that all packages installed on your server are updated to the latest available version:

apt update && apt upgrade


5. Install the Nginx Web Server

Install nginx
apt -y install nginx


Once the Nginx web server is installed, it should be automatically started. You can check its status with the following command:

systemctl status nginx

6. Install Certbot

apt install software-properties-common
add-apt-repository universe
add-apt-repository ppa:certbot/certbot

During the process of adding the repository you will be prompted to hit Enter to accept it. After that, update the repositories list:

apt update

Once the repository is added and the repositories list updated, go ahead and install the Certbot Nginx package:

Install Certbot Nginx
apt -y install python3-certbot-nginx


7. Install a Let's Encrypt SSL certificate

Nginx configuration
certbot --nginx -d www.akdomain.pl

You can use Certbot to verify the certificate and check its expiry date:

certbot certificates
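Besides checking what certbot has on disk, it is worth checking the certificate nginx actually serves and whether renewal is still on track. The script below is an added example and not part of the original article; it assumes GNU date (as on Ubuntu 18.04), openssl, and the certbot.timer unit installed by the Ubuntu certbot package. The functions run offline; the live probe only runs when CHECK_DOMAIN is set.

```bash
#!/usr/bin/env bash
# Expiry and renewal check for the Let's Encrypt setup above (added example).
# Run as: CHECK_DOMAIN=www.akdomain.pl ./check-cert.sh   (without CHECK_DOMAIN only functions are defined)
set -u

# days_until_expiry "NOTAFTER": takes the value printed by `openssl x509 -enddate`
# (e.g. "Mar 10 12:00:00 2025 GMT") and returns whole days remaining (negative when expired).
days_until_expiry() {
  local exp now
  exp=$(date -u -d "$1" +%s) || return 2        # GNU date parses openssl's date format
  now=$(date -u +%s)
  echo $(( (exp - now) / 86400 ))
}

# renewal_status DAYS: Let's Encrypt certificates are valid for 90 days and certbot renews
# them once fewer than 30 remain, so anything below 30 means automatic renewal is not working.
renewal_status() {
  if   [ "$1" -lt 0 ];  then echo EXPIRED
  elif [ "$1" -lt 30 ]; then echo RENEWAL_OVERDUE
  else                       echo OK
  fi
}

# served_not_after DOMAIN: notAfter of the certificate the live server presents to clients
# (this can differ from `certbot certificates` when nginx was not reloaded after a renewal).
served_not_after() {
  openssl s_client -servername "$1" -connect "$1:443" </dev/null 2>/dev/null \
    | openssl x509 -noout -enddate | sed 's/^notAfter=//'
}

if [ -n "${CHECK_DOMAIN:-}" ]; then
  na=$(served_not_after "$CHECK_DOMAIN") || exit 2
  d=$(days_until_expiry "$na")
  echo "$CHECK_DOMAIN: served certificate expires in $d days -> $(renewal_status "$d")"
  # assumption: the Ubuntu certbot package schedules renewals via systemd's certbot.timer
  if systemctl is-active --quiet certbot.timer; then echo "certbot.timer: active"
  else echo "certbot.timer: NOT active (renewals will not run)"; fi
fi
```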

How to open ports in Linux?

Let's start with a definition of a firewall, which is needed to understand the port vocabulary. A firewall is software or firmware that enforces a set of rules about which data packets are allowed to enter or leave a network. It manages the Allow and Deny rules for ports.

In line with the topic of this guide, we want to open ports on Linux distributions such as Ubuntu or CentOS. Both distributions let you configure this with a different set of tools (firewall packages) but with the same result.

 

Tools that we will be using:

    • UFW

    • Firewalld

 

Let's have a look at the Ubuntu scenario first.

This distribution ships with the UFW (Uncomplicated Firewall) service preinstalled by default. It simplifies the whole configuration and is user-friendly.

For the first step, install the ufw package:

$ sudo apt install ufw

 

Check the service status with the standard systemctl command:

$ sudo systemctl status ufw

 

Enable UFW with the enable command:

$ sudo ufw enable

 

Syntax to open a specific TCP port:

$ sudo ufw allow (port)/tcp

 

for example:

$ sudo ufw allow 53/tcp

 

The syntax also supports service names that refer to specific ports:

$ sudo ufw allow https

 

To allow incoming TCP and UDP packets on port 21, enter:

$ sudo ufw allow 21

 

Example for a specific source IP address (allow that address to reach the given port):

$ sudo ufw allow from 190.34.21.113 to any port (port)

 

Let's check the configuration:

$ sudo ufw status verbose

 

The command displays a table with three columns.

Explanations:

    • To – the port and protocol the rule applies to

    • Action – tells us whether the traffic is allowed or denied

    • From – the source, e.g. Anywhere or a single IP address as shown above

 

Now for CentOS.

Firewalld is a more advanced tool which uses zones in its configuration. A zone takes care of some area, or of one "attached" network interface.

Firewalld is a frontend controller for iptables used to implement persistent network traffic rules.

Let's take a look at a handful of firewalld commands.

1. Install firewalld:

$ sudo yum install firewalld

 

Start the service with the standard systemctl command:

$ sudo systemctl start firewalld

 

Enable it so that it starts at boot:

$ sudo systemctl enable firewalld

 

This command reports the state of the service. It prints only one of two answers: "running" or "not running".

$ sudo firewall-cmd --state

 

The default zone is public. In this short tutorial we will not change it, but if you would like to, use this command:

$ sudo firewall-cmd --set-default-zone=work

 

Let's allow TCP traffic on port 1112 (--permanent makes the rule survive reloads and reboots):

$ sudo firewall-cmd --zone=public --add-port=1112/tcp --permanent

 

Permanent rules do not take effect immediately; to apply the change now, reload the firewalld state:

$ sudo firewall-cmd --reload

 

We can obtain a readable review of our new rule with the listing command:

 

 

To allow an SSH connection from a specific IPv4 address we have to use the "rich rule" syntax:

$ sudo firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4" source address="192.168.13.44" port port=22 protocol=tcp accept'

That's the quick tutorial for firewalld.

Hint:

Firewalld is the default package on CentOS for managing incoming and outgoing traffic. If you prefer UFW, you may install that package on CentOS too.
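The UFW and firewalld syntaxes shown in this article can be generated from one allow-list, so the same policy is applied identically on Ubuntu and CentOS and source-restricted rules always carry a port. The script below is an added example, not part of the original article; the policy line format ("PORT/PROTO" optionally followed by "from SOURCE") is my own assumption.

```bash
#!/usr/bin/env bash
# Render one allow-list as ufw (Ubuntu) or firewalld (CentOS) commands. Added example.
# Assumed policy format, one rule per line:
#   PORT/PROTO [from SOURCE]      e.g. "443/tcp" or "22/tcp from 192.168.13.44"
# Output is printed for review; pipe it to "sudo sh" only once it looks right.
set -u

ufw_cmd() {          # ufw_cmd PORT PROTO [SOURCE]
  if [ -n "${3:-}" ]; then echo "ufw allow from $3 to any port $1 proto $2"
  else echo "ufw allow $1/$2"; fi
}

firewalld_cmd() {    # firewalld_cmd PORT PROTO [SOURCE]; permanent rules in the public zone
  if [ -n "${3:-}" ]; then
    echo "firewall-cmd --zone=public --permanent --add-rich-rule='rule family=\"ipv4\" source address=\"$3\" port port=\"$1\" protocol=\"$2\" accept'"
  else echo "firewall-cmd --zone=public --permanent --add-port=$1/$2"; fi
}

render_policy() {    # render_policy ufw|firewalld < policy-file
  local tool="$1" line port proto src
  case "$tool" in ufw|firewalld) ;; *) echo "unknown tool: $tool" >&2; return 1 ;; esac
  while read -r line; do
    case "$line" in ''|'#'*) continue ;; esac      # skip blank and comment lines
    set -- $line
    port="${1%%/*}"; proto="${1#*/}"; src=""
    if [ "${2:-}" = from ]; then
      src="${3:-}"; [ -n "$src" ] || { echo "missing source: $line" >&2; return 1; }
    fi
    case "$port" in ''|*[!0-9]*) echo "bad port: $line" >&2; return 1 ;; esac
    { [ "$port" -ge 1 ] && [ "$port" -le 65535 ]; } || { echo "port out of range: $line" >&2; return 1; }
    case "$proto" in tcp|udp) ;; *) echo "bad protocol: $line" >&2; return 1 ;; esac
    "${tool}_cmd" "$port" "$proto" "$src"
  done
  # --permanent rules only take effect after a reload (ufw applies its rules immediately)
  [ "$tool" = firewalld ] && echo "firewall-cmd --reload"
  return 0
}
```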


How to access EODATA and Object Storage using s3cmd (Linux)?

How to access EO DATA using s3cmd (Linux)

Attention!
Your virtual machine has to be launched in a project with EO DATA!

You can install s3cmd using Python pip or from the Linux distribution repository.

Installation from system repository on Debian/Ubuntu systems:

Check for updates:

$ sudo apt update

Installing from repository:

$ sudo apt install s3cmd


Installation from Python repository (on most Linux distributions with python and pip preinstalled):

Installing with PIP:

Check if you have pip installed:

$ pip

The program 'pip' is currently not installed. To run 'pip' please ask your administrator to install the package 'python-pip'

If not installed (Ubuntu):

$ sudo apt install python3-pip

$ pip --version

pip 8.1.1 from /usr/lib/python2.7/dist-packages (python 2.7)

$ sudo pip install s3cmd

If you see the following:

Traceback (most recent call last):
File "/usr/bin/pip", line 11, in <module>
sys.exit(main())
File "/usr/lib/python2.7/dist-packages/pip/init.py", line 215, in main
locale.setlocale(locale.LC_ALL, '')
File "/usr/lib/python2.7/locale.py", line 581, in setlocale
return _setlocale(category, locale)
locale.Error: unsupported locale setting

add the following line:

export LC_ALL=en_US.UTF-8

to the file ~/.profile

Now you can check the .profile:

$ cat ~/.profile
export LC_ALL=en_US.UTF-8
$ source ~/.profile
$ s3cmd --version
s3cmd version 2.0.1

Configure s3cmd

$ s3cmd --configure


Enter new values or accept defaults in brackets with Enter.
Refer to user manual for detailed description of all options.

Access key and Secret key are your identifiers for Amazon S3. Leave them empty for using the env variables.
 

Access Key [access]:<ENTER>
Secret Key [access]:<ENTER>
Default Region [RegionOne]: <ENTER>
Use "s3.amazonaws.com" for S3 Endpoint and not modify it to the target Amazon S3.
S3 Endpoint [data.cloudferro.com:] <ENTER>
Use "%(bucket)s.s3.amazonaws.com" to the target Amazon S3. "%(bucket)s" and "%(location)s" vars can be used
if the target S3 system supports dns based buckets.
DNS-style bucket+hostname:port template for accessing a bucket [%(bucket)s.s3.amazonaws.com]:  <ENTER>
Encryption password is used to protect your files from reading
by unauthorized persons while in transfer to S3
Encryption password: <ENTER>
Path to GPG program [/usr/bin/gpg]: <ENTER>
When using secure HTTPS protocol all communication with Amazon S3
servers is protected from 3rd party eavesdropping. This method is
slower than plain HTTP, and can only be proxied with Python 2.7 or newer
Use HTTPS protocol [No]: <ENTER>
On some networks all internet access must go through a HTTP proxy.
Try setting it here if you can't connect to S3 directly
HTTP Proxy server name: <ENTER>

New settings:

   Access Key: access
   Secret Key: access
   Default Region: RegionOne
   S3 Endpoint: data.cloudferro.com
   DNS-style bucket+hostname:port template for accessing a bucket: %(bucket)s.s3.amazonaws.com
   Encryption password:
   Path to GPG program: /usr/bin/gpg
   Use HTTPS protocol: False
   HTTP Proxy server name: _____
   HTTP Proxy server port: 0

 Test access with supplied credentials? [Y/n] <ENTER>
 Please wait, attempting to list all buckets...
 Success. Your access key and secret key worked fine :-)
 Now verifying that encryption works...
 Not configured. Never mind.

 Save settings? [y/N]  y <ENTER>
 Configuration saved to '/home/eouser/.s3cfg'


Now you can use s3cmd commands (additional information about s3cmd: http://s3tools.org/usage):

$ s3cmd ls

2017-12-11 15:30  s3://DIAS
2017-12-11 15:30  s3://EOCLOUD
2017-12-11 15:30  s3://EODATA

$ s3cmd ls s3://EODATA/

                       DIR   s3://EODATA/Envisat/
                       DIR   s3://EODATA/Landsat-5/
                       DIR   s3://EODATA/Landsat-7/
                       DIR   s3://EODATA/Landsat-8/
                       DIR   s3://EODATA/Sentinel-1/
                       DIR   s3://EODATA/Sentinel-2/
                       DIR   s3://EODATA/Sentinel-3/
                       DIR   s3://EODATA/Sentinel-5P/

In order to access Object Storage buckets via s3cmd, you first have to generate your own EC2 credentials following the EC2 credentials tutorial.
After creating the credentials, remove the .s3cfg file from your home directory and reconfigure s3cmd by entering:

s3cmd --configure

and entering the following values:

New settings:
Access Key: (your EC2 credentials)
Secret Key: (your EC2 credentials)
Default Region: none
S3 Endpoint: s3.waw2-1.cloudferro.com
DNS-style bucket+hostname:port template for accessing a bucket: s3.waw2-1.cloudferro.com
Encryption password: (your password)
Path to GPG program: /usr/bin/gpg
Use HTTPS protocol: True
HTTP Proxy server name:
HTTP Proxy server port: 0

After this operation you should be able to list and access your Object Storage.
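Two settings from the walkthroughs above deserve a check once real EC2 credentials are in use: "Use HTTPS protocol" must be True (the EODATA walkthrough leaves it at No, which is only acceptable with the anonymous "access" placeholder), and ~/.s3cfg must not be readable by other users. The audit below is an added example, not part of the original article; the key names are the ones s3cmd writes to .s3cfg, and the placeholder and endpoint values are taken from the walkthroughs.

```bash
#!/usr/bin/env bash
# Audit an s3cmd configuration file (~/.s3cfg) for settings that expose Object Storage
# credentials: real keys sent over plain HTTP, a world-readable credentials file, and an
# unexpected endpoint. Added example. Exit status 0 when clean, 1 when a problem was found.
set -u

cfg_get() {   # cfg_get FILE KEY -> value of the first "KEY = value" line
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

file_mode() { # octal permission bits; GNU stat first, BSD stat as fallback
  stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

audit_s3cfg() {   # audit_s3cfg FILE
  local f="$1" problems=0 key https host mode
  key=$(cfg_get "$f" access_key); https=$(cfg_get "$f" use_https)
  host=$(cfg_get "$f" host_base); mode=$(file_mode "$f")

  # An empty key or the "access" placeholder means anonymous EODATA access; anything else is a real credential.
  if [ -n "$key" ] && [ "$key" != access ]; then
    if [ "$https" != True ]; then
      echo "FAIL: real access key configured but use_https=$https (set 'Use HTTPS protocol' to True)"
      problems=$((problems + 1))
    fi
    if [ "$mode" != 600 ]; then
      echo "FAIL: $f has mode $mode; a credentials file should be 600 (chmod 600 $f)"
      problems=$((problems + 1))
    fi
  fi
  case "$host" in
    data.cloudferro.com|s3.waw2-1.cloudferro.com) ;;   # endpoints used in this guide
    *) echo "FAIL: host_base '$host' is not an endpoint from this guide; credentials would be sent there"
       problems=$((problems + 1)) ;;
  esac
  [ "$problems" -eq 0 ]
}
```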


How to Shelve/Unshelve your VM?

If you are not using your VM for a while, or want to turn it off, say, for a night, you can use the Shelve option instead of Pause, Suspend or Shutoff.

Let's look at all these options:

Pause:
The pause command stores the state of the VM in RAM. A paused instance becomes frozen.
 
Suspend:
When you suspend an instance, its VM state is stored on disk, all memory is written to disk, and the virtual machine is stopped. Suspending an instance is similar to placing a device in hibernation; memory and vCPUs become available to create other instances.
But it is still counted in RAM quota, even though the RAM is released so that it can be used by other projects, for example.
Resume will put the suspended server back to an active state.
 
Shut Off:
The virtual machine is not running and is in a powered off state. However a shut off virtual machine still consumes billing units in the same way as an Active virtual machine. This is because active/powered off virtual machine reserves same computing resources on compute nodes.
 
Shelve:
Shelving an instance means putting it aside along with its resources (which can include a volume); later, when you unshelve it, you get the same instance you shelved earlier.
 
Unshelve:
Unshelve is the reverse operation of Shelve. It builds and boots the server again, on a new scheduled host if it was offloaded, using the shelved image in the glance repository if booted from image.

Each shelving process creates a new snapshot that is stored and billed in your domain. When the VM was created with the "Create New Volume" option, no snapshot is created; only the RAM and CPU are freed, while the volume is still charged as normal.

Remember

Every shelving operation creates an additional image that is stored and billed. Unshelving will not automatically remove this image, so you have to do it manually. Keep in mind that the image cannot be erased as long as the machine is alive, because it is in use through the backend store outside of Glance.


It is important to remember that, from the billing point of view, the "Paused", "Suspended" and "Shut Off" states are billed the same way (RAM and storage); the only option that frees RAM and CPU resources and is billed for storage (SSD) alone is Shelve.


How to Shelve the VM:
Go to Instances in Horizon, then choose "Shelve Instance" option from the drop down menu:

Shelving may take several minutes; you will most likely see something like this:

Then this:


Finally it will go to the "Shelved Offloaded" state. You can leave it in this state and it will save your billing costs.

To boot your VM again, simply go to the Instances menu and choose the "Unshelve" option:

Again it may take several minutes; you will see the progress of it booting:

And when it's completed it will go back to the "Running" state:


If you want to check the status, power state or billing of an instance, it is worth having a look at: https://creodias.eu/-/status-power-state-and-dependences-in-billing-of-an-instances-vms-


Connecting to a Windows VM via RDP through a Linux bastion host (port forwarding)

Requirements:

Linux virtual machine with ssh access – bastion host

Windows VM located in the same network as bastion host

The private key downloaded from the OpenStack dashboard, converted from .pem to .ppk format (using PuTTYgen)

The password for the Administrator account has been changed via the OpenStack dashboard Console

Make sure your VMs are assigned the following security groups:

Windows VM – allow_rdp (ingress 3389)

Bastion – allow_ssh_ping

Step 1. Information required to establish a connection with the bastion host.

Launch PuTTY application and change the settings according to instructions:

Session tab: provide the bastion host's floating IP address and SSH port (default 22).

Connection > Data tab: set the auto-login username to "eouser".

Connection > SSH > Auth: select the private key in .ppk format.

Connection > SSH > Tunnels: provide the source port for the local RDP connection and the destination (private IP address of the Windows VM:RDP port).

Click the "Add" button to confirm the changes.

Your forwarded port should now be visible in the box above.

Provide a name for the session and save your config, to avoid repeating the whole process every time you want to connect to the instance again.

Step 2. Open the connection in PuTTY

Click "Open" to establish the connection.

Step 3. Start an RDP session to localhost to reach the destination server

Set the localhost address:port you chose on the Tunnels tab (in this case 127.0.0.1:8888, or localhost:8888 if you prefer).

Set the username to "Administrator".

Click "Connect" and enter your VM's administrator password (the one you set in the OpenStack console).

Confirm connection in the certificate prompt.


That’s it, you’re now successfully connected to your Windows VM!
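The same tunnel from a Linux or macOS client with OpenSSH, as an added example that is not part of the original article. The IP addresses and key path are placeholders; the function reproduces the PuTTY settings above (login as eouser, local port 8888, destination port 3389) and binds the forwarded port to 127.0.0.1 only, so the RDP port is not reachable from other hosts on your network.

```bash
#!/usr/bin/env bash
# OpenSSH equivalent of the PuTTY tunnel (added example). 203.0.113.10 and 10.0.0.5 below are
# placeholder addresses for the bastion's floating IP and the Windows VM's private IP.
set -u

valid_ipv4() {   # four dotted decimal octets, each 0-255
  local IFS=. o
  set -- $1
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
}

valid_port() {   # 1-65535
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# rdp_tunnel_args BASTION_FLOATING_IP WINDOWS_PRIVATE_IP [LOCAL_PORT]
# Prints the ssh arguments that reproduce the PuTTY session: -N (no remote shell, tunnel only),
# -L bound to 127.0.0.1 so only this machine can use the forwarded RDP port, destination 3389.
rdp_tunnel_args() {
  local lport="${3:-8888}"
  valid_ipv4 "$1" && valid_ipv4 "$2" && valid_port "$lport" || return 1
  printf '%s\n' -N -L "127.0.0.1:$lport:$2:3389" "eouser@$1"
}

# Usage (key.pem is the OpenStack private key; OpenSSH needs no .ppk conversion):
#   ssh -i key.pem $(rdp_tunnel_args 203.0.113.10 10.0.0.5) &
#   xfreerdp /v:127.0.0.1:8888 /u:Administrator   # or any RDP client pointed at localhost:8888
```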
