Installation and use of SSL certificates (LetsEncrypt) to protect websites running on CREODIAS instances in Linux.
This article shows how to install a Let's Encrypt SSL certificate on Ubuntu 18.04 with Nginx.
1. Log in to the OpenStack dashboard, choose the right project if it differs from the default, go to Project → DNS → Zones, click Create Zone and fill in the required fields (DNS as a Service - user documentation).
In the example below the domain is "akdomain.pl".
To add a new record to the domain, click Create Record Set next to the domain name and fill in the required fields. For example, to publish the address of a web server in akdomain.pl so that www.akdomain.pl resolves to 185.52.195.61, the Floating IP address of your server, fill in the form as follows:
2. Add Security Group
Then select Project → Network → Security Groups, click Create Security Group and fill in the required fields. (See: How to use security groups in Horizon?)
Next click Manage Rules → Add Rule and add ingress rules for ports 80, 8080 and 443. Port 80 must stay reachable from the Internet because Let's Encrypt validates ownership of the domain over plain HTTP before issuing the certificate, and 443 serves the site afterwards; 8080 is only needed if something on the instance actually listens there.
Then attach the Security Group to the instance:
Project → Instances, open the menu on the right of your instance and click Edit Security Groups.
Add the group you just created (called DNSy in this example) to Instance Security Groups.
3. At your registrar, configure the NS records for your domain to point at the following CloudFerro name servers:
Purpose | Name Server | IP |
---|---|---|
primary name server | cf2-ns1.cloudferro.net | 185.48.233.242 |
secondary name server | cf2-ns2.cloudferro.net | 185.48.233.243 |
secondary name server | cf2-ns3.cloudferro.net | 185.48.233.244 |
4. Connect to your server with SSH (How to connect to your virtual machine via SSH in Linux?) and log in as root.
Once you are logged in, run the following commands to update the package lists and upgrade all installed packages to the latest available versions:
5. Install the Nginx Web Server
Once the Nginx web server is installed it is started automatically. You can check its status with the following command:
6. Install Certbot
While the repository is being added you will be prompted to press Enter to accept it. After that, update the package lists.
Once the repository is added and the package lists are updated, install the Certbot Nginx plugin package:
7. Install a Let's Encrypt SSL certificate
You can use Certbot to verify the certificate and check its expiry date. Let's Encrypt certificates are valid for 90 days; the packaged Certbot installs a systemd timer that renews them automatically, so this check should show an expiry date that keeps moving forward:
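The steps above put together as one script. This is an added example and not part of the original article: it assumes a hostname list and a contact e-mail address (placeholders passed on the command line), the Ubuntu 18.04 package names from step 6 (the certbot PPA and python-certbot-nginx; current Ubuntu releases ship certbot in the main repositories or as a snap), that dig from the dnsutils package is available, and it performs no privileged action unless started with --apply. Beyond the article it adds the two checks a practitioner wants after step 7: a dry-run of the renewal, since Let's Encrypt certificates expire after 90 days, and a look at the expiry date of the certificate nginx actually serves.

```shell
#!/bin/sh
# Added example, not code from the original article: steps 4-7 as one script,
# run as root (step 4), plus two checks the article does not show.
# Assumptions not in the article: the e-mail address and hostnames are passed as
# arguments; package names are those of the Ubuntu 18.04 era (certbot PPA and
# python-certbot-nginx); dig (package dnsutils) is installed.
# Nothing privileged runs unless the script is invoked with --apply.
set -eu

# Build the certbot command for one or more hostnames. Every argument is checked
# against a conservative character set first, so the later eval cannot be steered
# by a shell metacharacter smuggled into a hostname.
build_certbot_cmd() {
  email=$1; shift
  case $email in ''|*[!A-Za-z0-9@._+-]*) echo "bad e-mail: $email" >&2; return 1 ;; esac
  cmd="certbot --nginx --non-interactive --agree-tos --redirect -m $email"
  for d in "$@"; do
    case $d in ''|*[!A-Za-z0-9.-]*) echo "bad hostname: $d" >&2; return 1 ;; esac
    cmd="$cmd -d $d"
  done
  printf '%s\n' "$cmd"
}

# Days of validity left on the certificate nginx actually serves on port 443
# (SNI is sent so the right virtual host answers). Needs openssl and network access.
cert_days_left() {
  host=$1
  end=$(openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -enddate | cut -d= -f2)
  echo $(( ( $(date -d "$end" +%s) - $(date +%s) ) / 86400 ))
}

main() {
  email=$1; shift
  # step 4: bring installed packages up to date
  apt-get update && apt-get -y upgrade
  # step 5: nginx, which the package starts automatically
  apt-get -y install nginx
  systemctl is-active --quiet nginx
  # step 6: certbot with the nginx plugin (the article's 18.04 source, see header)
  add-apt-repository -y ppa:certbot/certbot
  apt-get update && apt-get -y install python-certbot-nginx
  # step 7: HTTP-01 validation needs port 80 reachable from the Internet and the
  # hostnames already resolving to this machine's floating IP (steps 1-3)
  for d in "$@"; do
    echo "$d resolves to: $(dig +short "$d" | tr '\n' ' ')"
  done
  eval "$(build_certbot_cmd "$email" "$@")"
  # Let's Encrypt certificates last 90 days: prove renewal works now, not later
  certbot renew --dry-run
  certbot certificates
  systemctl list-timers 'certbot*' --no-pager
  echo "days left on $1: $(cert_days_left "$1")"
}

if [ "${1:-}" = "--apply" ]; then shift; main "$@"; fi
```

Invoke it as `./letsencrypt-nginx.sh --apply admin@akdomain.pl www.akdomain.pl akdomain.pl`; the --redirect flag makes certbot rewrite the nginx server block so plain-HTTP requests are sent to HTTPS.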
How to open ports in Linux?
Let's start with a definition of a firewall, which is needed to understand the port vocabulary used below. A firewall is software or firmware that enforces a set of rules about which data packets are allowed to enter or leave a network or host; in practice it manages Allow and Deny rules for ports.
In keeping with the topic of this guide, we want to open ports on Linux distributions such as Ubuntu or CentOS. The two distributions ship different tools (firewall packages) for this, but they produce the same result.
Tools that we will be using:
• UFW
• Firewalld
Let's have a look at the Ubuntu scenario first:
Ubuntu comes with UFW (Uncomplicated Firewall) installed but not enabled by default. It simplifies the whole configuration and is easy to use.
If it is missing, install the ufw package:
$ sudo apt install ufw
Check the service status with the standard systemctl command:
$ sudo systemctl status ufw
Enable UFW with the enable command. If you are connected over SSH, add an allow rule for port 22 (syntax below) before enabling, otherwise the default-deny policy drops your own session:
$ sudo ufw enable
Syntax to open a specific TCP port:
$ sudo ufw allow <port>/tcp
for example:
$ sudo ufw allow 53/tcp
The syntax also accepts service names that map to well-known ports (from /etc/services):
$ sudo ufw allow https
To allow incoming TCP and UDP packets on port 21, enter:
$ sudo ufw allow 21
Example for a specific source IP address (give the port number; without the "to any port" part the rule allows all traffic from that address):
$ sudo ufw allow from 190.34.21.113 to any port <port>
Let's check the configuration:
$ sudo ufw status verbose
The command displays a table with three columns:
Explanations:
• To – the destination port (with protocol, or a service name) the rule applies to
• Action – whether matching traffic is allowed or denied
• From – the source the rule applies to, e.g. Anywhere or a single IP address as in the example above
Now for CentOS:
Firewalld is a more advanced tool that organises its configuration into zones. A zone describes the level of trust for a network area, or for the network interface attached to it.
Firewalld is a front end for the kernel packet filter (iptables on CentOS 7, nftables on newer releases) and is used to manage persistent network traffic rules.
Let's go through the commands needed to work with firewalld.
1. Install firewalld:
$ sudo yum install firewalld
Start the service with the standard systemctl command:
$ sudo systemctl start firewalld
Enable it so that it starts at boot:
$ sudo systemctl enable firewalld
The following command reports the state of the service; it prints either "running" or "not running":
$ sudo firewall-cmd --state
The default zone is public. This short tutorial does not change it, but if you want to, use this command:
$ sudo firewall-cmd --set-default-zone=work
Let's allow TCP traffic on port 1112. The --permanent flag writes the rule to the saved configuration so it survives a reboot, but it does not touch the running firewall until the next reload:
$ sudo firewall-cmd --zone=public --add-port=1112/tcp --permanent
To apply the saved changes immediately, reload firewalld:
$ sudo firewall-cmd --reload
A readable overview of the zone, including the new rule, is available with the listing command:
To allow an SSH connection from one specific IPv4 address, use a "rich rule". This one is given without --permanent, so it is active immediately but lost at the next reload or reboot; add --permanent and reload, or run firewall-cmd --runtime-to-permanent, to keep it:
$ sudo firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4" source address="192.168.13.44" port port=22 protocol=tcp accept'
That's the quick tutorial for firewalld.
Hint:
firewalld is the default package on CentOS for managing incoming and outgoing traffic. If you prefer UFW, you can install that package as well.
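The two halves of this guide do the same job with different commands. As an added example that is not part of the original article, the following script takes one rule list in a format of its own (PORT/PROTO, optionally followed by @SOURCE) and prints the equivalent UFW sequence for Ubuntu and firewalld sequence for CentOS, in an order that is safe to run over SSH: default deny first, the allow rules next, and only then ufw enable or firewall-cmd --reload. The usage line restricts SSH to an admin range instead of opening port 22 to the world, which is the habit worth copying.

```shell
#!/bin/sh
# Added example, not from the original article: one list of rules rendered as the
# UFW command sequence for Ubuntu and the firewalld sequence for CentOS, so both
# hosts end up with the same policy (default deny inbound, only listed ports open).
# The rule format is this script's own convention, not ufw's or firewalld's:
#   PORT/PROTO            open to everyone, e.g. 443/tcp
#   PORT/PROTO@SOURCE     open only to one address or CIDR, e.g. 22/tcp@203.0.113.0/24
# Apply with:  ./firewall-rules.sh ufw 22/tcp@203.0.113.0/24 443/tcp | sudo sh
set -eu

# Split PORT/PROTO[@SOURCE] into $port, $proto, $src and refuse anything odd.
parse_rule() {
  port=${1%%/*}
  rest=${1#*/}
  proto=${rest%%@*}
  src=""
  case $rest in *@*) src=${rest#*@} ;; esac
  case $port in ''|*[!0-9]*) echo "bad port in '$1'" >&2; return 1 ;; esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range in '$1'" >&2; return 1; }
  case $proto in tcp|udp) ;; *) echo "bad protocol in '$1' (tcp or udp)" >&2; return 1 ;; esac
  case $src in *[!0-9A-Fa-f.:/]*) echo "bad source in '$1'" >&2; return 1 ;; esac
}

# Address family for a firewalld rich rule: anything with a colon is IPv6.
family_of() { case $1 in *:*) echo ipv6 ;; *) echo ipv4 ;; esac; }

# UFW: set the default policy, add the allow rules, and only then enable. Over an
# SSH session the SSH rule must be in the list, or enabling the default-deny
# policy drops the session you are typing in.
ufw_script() {
  echo "ufw default deny incoming"
  echo "ufw default allow outgoing"
  for r in "$@"; do
    parse_rule "$r"
    if [ -n "$src" ]; then
      echo "ufw allow from $src to any port $port proto $proto"
    else
      echo "ufw allow $port/$proto"
    fi
  done
  echo "ufw --force enable"
}

# firewalld: the public zone rejects anything not explicitly allowed. --permanent
# writes the saved configuration; the final --reload is what activates it.
firewalld_script() {
  echo "firewall-cmd --set-default-zone=public"
  for r in "$@"; do
    parse_rule "$r"
    if [ -n "$src" ]; then
      echo "firewall-cmd --permanent --zone=public --add-rich-rule='rule family=\"$(family_of "$src")\" source address=\"$src\" port port=\"$port\" protocol=\"$proto\" accept'"
    else
      echo "firewall-cmd --permanent --zone=public --add-port=$port/$proto"
    fi
  done
  echo "firewall-cmd --reload"
}

case ${1:-} in
  ufw)       shift; ufw_script "$@" ;;
  firewalld) shift; firewalld_script "$@" ;;
esac
```

Review the printed commands before piping them into sudo sh; on the CentOS side, add --add-service=ssh or a 22/tcp rule in the same way, since the public zone allows SSH only because of firewalld's default service list, not because of anything this script emits.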
How to access EODATA and Object Storage using s3cmd (Linux)?
How to access EO DATA using s3cmd (Linux)
Your virtual machine has to be launched in a project with EODATA access!
You can install the s3cmd using Python PIP or from Linux repository.
Installation from system repository on Debian/Ubuntu systems:
Check for updates:
$ sudo apt update
Installing from repository:
$ sudo apt install s3cmd
Installation from the Python package index (on most Linux distributions with python and pip preinstalled):
Installing with PIP:
Check whether PIP is installed:
$ pip
The program 'pip' is currently not installed. To run 'pip' please ask your administrator to install the package 'python-pip'
If it is not installed (Ubuntu):
$ sudo apt install python3-pip
$ pip --version
pip 8.1.1 from /usr/lib/python2.7/dist-packages (python 2.7)
$ sudo pip install s3cmd
Installing with sudo pip writes into the system Python directories that the distribution package manager also owns; if you would rather not do that, use pip install --user s3cmd instead and make sure ~/.local/bin is on your PATH.
If you see the following:
Traceback (most recent call last):
  File "/usr/bin/pip", line 11, in <module>
    sys.exit(main())
  File "/usr/lib/python2.7/dist-packages/pip/__init__.py", line 215, in main
    locale.setlocale(locale.LC_ALL, '')
  File "/usr/lib/python2.7/locale.py", line 581, in setlocale
    return _setlocale(category, locale)
locale.Error: unsupported locale setting
add the following line:
export LC_ALL=en_US.UTF-8
to the file ~/.profile (the locale you name must exist on the system; locale -a lists the installed ones, and C.UTF-8 is always present on Ubuntu).
Now check the .profile, reload it and verify that s3cmd runs:
$ cat ~/.profile
export LC_ALL=en_US.UTF-8
$ source ~/.profile
$ s3cmd --version
s3cmd version 2.0.1
$ s3cmd --configure

Enter new values or accept defaults in brackets with Enter.
Refer to user manual for detailed description of all options.

Access key and Secret key are your identifiers for Amazon S3. Leave them empty for using the env variables.
Access Key [access]: <ENTER>
Secret Key [access]: <ENTER>
Default Region [RegionOne]: <ENTER>

Use "s3.amazonaws.com" for S3 Endpoint and not modify it to the target Amazon S3.
S3 Endpoint [data.cloudferro.com:]: <ENTER>

Use "%(bucket)s.s3.amazonaws.com" to the target Amazon S3. "%(bucket)s" and "%(location)s" vars can be used
if the target S3 system supports dns based buckets.
DNS-style bucket+hostname:port template for accessing a bucket [%(bucket)s.s3.amazonaws.com]: <ENTER>

Encryption password is used to protect your files from reading
by unauthorized persons while in transfer to S3
Encryption password: <ENTER>
Path to GPG program [/usr/bin/gpg]: <ENTER>

When using secure HTTPS protocol all communication with Amazon S3
servers is protected from 3rd party eavesdropping. This method is
slower than plain HTTP, and can only be proxied with Python 2.7 or newer
Use HTTPS protocol [No]: <ENTER>

On some networks all internet access must go through a HTTP proxy.
Try setting it here if you can't connect to S3 directly
HTTP Proxy server name: <ENTER>

New settings:
  Access Key: access
  Secret Key: access
  Default Region: RegionOne
  S3 Endpoint: data.cloudferro.com
  DNS-style bucket+hostname:port template for accessing a bucket: %(bucket)s.s3.amazonaws.com
  Encryption password:
  Path to GPG program: /usr/bin/gpg
  Use HTTPS protocol: False
  HTTP Proxy server name:
  HTTP Proxy server port: 0

Test access with supplied credentials? [Y/n] <ENTER>
Please wait, attempting to list all buckets...
Success. Your access key and secret key worked fine :-)

Now verifying that encryption works...
Not configured. Never mind.

Save settings? [y/N] y <ENTER>
Configuration saved to '/home/eouser/.s3cfg'
Note that this dialogue accepts the default and talks to the EODATA endpoint over plain HTTP, which is tolerable only because the key pair used here is the shared "access" one. The Object Storage configuration further below carries your own EC2 credentials and sets Use HTTPS protocol to True; keep it that way.
Now you can use s3cmd commands (additional information about s3cmd: http://s3tools.org/usage)
$ s3cmd ls
2017-12-11 15:30  s3://DIAS
2017-12-11 15:30  s3://EOCLOUD
2017-12-11 15:30  s3://EODATA
$ s3cmd ls s3://EODATA/
   DIR  s3://EODATA/Envisat/
   DIR  s3://EODATA/Landsat-5/
   DIR  s3://EODATA/Landsat-7/
   DIR  s3://EODATA/Landsat-8/
   DIR  s3://EODATA/Sentinel-1/
   DIR  s3://EODATA/Sentinel-2/
   DIR  s3://EODATA/Sentinel-3/
   DIR  s3://EODATA/Sentinel-5P/
To access Object Storage buckets via s3cmd, first generate your own EC2 credentials following this tutorial.
After creating the credentials, remove the .s3cfg file from your home directory, then reconfigure s3cmd by entering:
s3cmd --configure
with the following values:
New settings:
  Access Key: (your EC2 access key)
  Secret Key: (your EC2 secret key)
  Default Region: none
  S3 Endpoint: s3.waw2-1.cloudferro.com
  DNS-style bucket+hostname:port template for accessing a bucket: s3.waw2-1.cloudferro.com
  Encryption password: (your password)
  Path to GPG program: /usr/bin/gpg
  Use HTTPS protocol: True
  HTTP Proxy server name:
  HTTP Proxy server port: 0
After this operation you should be able to list and access your Object Storage. The EC2 secret now lives in ~/.s3cfg, so make sure that file is readable by its owner only (mode 0600) and do not copy it into images or snapshots you share.
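As an added example that is not part of the original article: a script that writes the Object Storage settings above to ~/.s3cfg non-interactively and checks the file before use. It assumes the EC2 keys are supplied in the environment variables S3_ACCESS_KEY and S3_SECRET_KEY (names chosen here), uses the endpoint from the settings above, and relies on the option names s3cmd reads from its config file. The point it adds is that the file holding the secret is created with mode 0600 from the start, and that HTTPS and certificate checking are on, so the key is neither sent in clear nor left readable by other users of the VM.

```shell
#!/bin/sh
# Added example, not from the original article: write ~/.s3cfg for the Object
# Storage endpoint without the interactive 's3cmd --configure' dialogue, so the
# EC2 secret is never typed into a terminal or left in shell history, and check
# the result before use. Assumptions not in the article: the credentials arrive in
# the environment variables S3_ACCESS_KEY and S3_SECRET_KEY; the option names are
# those s3cmd reads from its config file; the endpoint is the article's.
set -eu

ENDPOINT=s3.waw2-1.cloudferro.com

# Create the file with mode 0600 from the start (umask inside a subshell, so the
# caller's umask is untouched) rather than chmod-ing it after it already exists.
write_s3cfg() {
  cfg=$1 endpoint=$2 access=$3 secret=$4
  (
    umask 077
    cat > "$cfg" <<EOF
[default]
access_key = $access
secret_key = $secret
host_base = $endpoint
host_bucket = $endpoint
use_https = True
check_ssl_certificate = True
EOF
  )
}

# Refuse a config that other local users could read or that would send the
# secret over plain HTTP (the EODATA dialogue in the article leaves HTTPS off).
check_s3cfg() {
  cfg=$1
  case $(ls -l "$cfg") in
    -rw-------*) ;;
    *) echo "$cfg is readable by others; expected mode 0600" >&2; return 1 ;;
  esac
  grep -q '^use_https = True$' "$cfg" || { echo "$cfg: use_https is not True" >&2; return 1; }
  grep -q '^check_ssl_certificate = True$' "$cfg" || { echo "$cfg: certificate check disabled" >&2; return 1; }
}

if [ -n "${S3_ACCESS_KEY:-}" ]; then
  write_s3cfg "$HOME/.s3cfg" "$ENDPOINT" "$S3_ACCESS_KEY" "${S3_SECRET_KEY:?}"
  check_s3cfg "$HOME/.s3cfg"
  s3cmd ls          # lists your buckets if the credentials and endpoint are right
fi
```

Run it as `S3_ACCESS_KEY=... S3_SECRET_KEY=... ./write-s3cfg.sh` from a prompt, or export the two variables from a file that is itself mode 0600; either way the secret never appears in the command history the way a pasted answer to --configure would.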
How to Shelve/Unshelve your VM?
If you are not using your VM for a while, or want to turn it off for the night, you can use the Shelve option instead of Pause, Suspend or Shut Off.
Let's look at all these options:
Pause:
The pause command keeps the state of the VM in RAM; a paused instance is frozen but its memory stays allocated.
Suspend:
When you suspend an instance, its VM state is stored on disk: all memory is written to disk and the virtual machine is stopped. Suspending is similar to hibernating a device; memory and vCPUs become available to create other instances.
The suspended instance still counts against your RAM quota, even though the RAM itself is released so that it can be used by other projects, for example.
Resume puts the suspended server back into the active state.
Shut Off:
The virtual machine is not running and is in a powered-off state. However, a shut-off virtual machine still consumes billing units in the same way as an active one, because an active or powered-off virtual machine reserves the same computing resources on the compute nodes.
Shelve:
Shelving an instance puts it aside along with its resources (including a volume, if it has one); when you later unshelve it you get back the same instance you shelved.
Unshelve:
Unshelve is the reverse operation of Shelve. It builds and boots the server again, on a newly scheduled host if it was offloaded, using the shelved image in the Glance repository if the server was booted from an image.
Each shelving process creates a new snapshot that is stored and billed in your domain. When the VM was created with the "Create New Volume" option, no snapshot is created; only the RAM and CPU are freed, and the volume continues to be charged normally.
Unshelving does not automatically remove the image that shelving created, so you have to delete it manually. Keep in mind that the image cannot be erased as long as the machine is alive, because it is in use through the backend store outside of Glance.
It is important to remember that from the billing point of view the "Paused", "Suspended" and "Shut Off" states are billed the same way (RAM and storage); the option that frees RAM and CPU resources and is billed only for the storage (SSD) is Shelve.
How to shelve the VM:
Go to Instances in Horizon and choose "Shelve Instance" from the drop-down menu:
Shelving may take several minutes; the instance passes through intermediate states and finally reaches "Shelved Offloaded". You can leave it in this state and it will save on your billing costs.
To boot your VM again, go to the Instances menu and choose "Unshelve":
Again it may take several minutes and you will see the progress of it booting; when it is completed, the instance goes back to the "Running" state:
If you want to check the status, power or billing of an instance, it is worth having a look: https://creodias.eu/-/status-power-state-and-dependences-in-billing-of-an-instances-vms-
Connecting to a Windows VM via RDP through a Linux bastion host (port forwarding)
Requirements:
A Linux virtual machine with SSH access, used as the bastion host
A Windows VM located in the same network as the bastion host
The private key downloaded from the OpenStack dashboard, converted from .pem to .ppk format with PuTTYgen (PuTTY cannot load .pem keys directly)
The password for the Administrator account has been changed via the OpenStack dashboard Console
Make sure your VMs are assigned the following security groups:
Windows VM – allow_rdp (ingress 3389). Because RDP arrives through the tunnel, this rule only needs to accept port 3389 from the bastion's private address or security group; there is no reason to open it to the Internet, and the Windows VM needs no floating IP at all.
Bastion – allow_ssh_ping
Step 1. Information required to establish the connection with the bastion host.
Launch PuTTY and change the settings as follows:
Session tab: provide the bastion's floating IP address and the SSH port (default 22).
Connection > Data tab: set the auto-login username to "eouser".
Connection > SSH > Auth: select the private key in .ppk format.
Connection > SSH > Tunnels: provide the source port for the local RDP connection and the destination (private IP address of the Windows VM : RDP port). Keep "Local" selected and leave "Local ports accept connections from other hosts" unticked, so the forwarded port listens on your workstation's loopback interface only.
Click the "Add" button to confirm the changes.
Your forwarded port should now be visible in the list above.
Provide a session name and save your configuration, to avoid repeating the whole process every time you want to connect to the instance again.
Step 2. Open connection in PuTTy
Click “Open” to establish connection.
Step 3. Start an RDP session to localhost to reach the destination server
Set the localhost address:port chosen in Step 1 (in this case 127.0.0.1:8888, or localhost:8888 if you prefer).
Set the username to "Administrator".
Click "Connect" and enter your VM's administrator password (the one you set in the OpenStack console).
Confirm the connection in the certificate prompt. The Windows VM presents a self-signed RDP certificate that the client cannot verify; the RDP session itself travels inside the SSH tunnel, so what protects it on the network is the bastion's SSH host key you accepted in Step 2.
That's it, you're now successfully connected to your Windows VM!
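For a Linux or macOS workstation the same tunnel can be opened with OpenSSH; the following is an added example, not part of the original article. It assumes the key file path and an unprivileged local port (default 8888, as above) are passed on the command line and uses the "eouser" login from Step 1. Besides reproducing the PuTTY settings, it binds the forwarded port to 127.0.0.1 explicitly and makes ssh fail if the bastion refuses the forward, two things the GUI leaves implicit.

```shell
#!/bin/sh
# Added example, not from the original article: the same forward done with
# OpenSSH from a Linux or macOS workstation instead of PuTTY (the .pem key is used
# as downloaded; the .ppk conversion is only needed by PuTTY). Assumptions not in
# the article: the key path and the local port, which defaults to the article's 8888.
set -eu

# Compose the ssh command.
#   -L 127.0.0.1:PORT:...  binds the listener to loopback explicitly, so the RDP
#                          port is never reachable from the workstation's other
#                          interfaces even if GatewayPorts is enabled
#   -N                     no remote shell, just the forward
#   ExitOnForwardFailure   fail loudly if the bastion refuses the forward instead
#                          of silently giving you a session without the tunnel
build_tunnel_cmd() {
  key=$1 bastion=$2 windows_ip=$3 local_port=${4:-8888}
  case $key in ''|*[!A-Za-z0-9/._-]*) echo "bad key path: $key" >&2; return 1 ;; esac
  case $bastion in ''|*[!A-Za-z0-9.:-]*) echo "bad bastion address: $bastion" >&2; return 1 ;; esac
  case $windows_ip in ''|*[!0-9.]*) echo "bad Windows private IPv4: $windows_ip" >&2; return 1 ;; esac
  case $local_port in ''|*[!0-9]*) echo "bad local port: $local_port" >&2; return 1 ;; esac
  [ "$local_port" -ge 1024 ] && [ "$local_port" -le 65535 ] || { echo "local port must be 1024-65535" >&2; return 1; }
  printf 'ssh -i %s -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -L 127.0.0.1:%s:%s:3389 eouser@%s\n' \
    "$key" "$local_port" "$windows_ip" "$bastion"
}

# Usage: ./rdp-tunnel.sh KEY BASTION_FLOATING_IP WINDOWS_PRIVATE_IP [LOCAL_PORT]
# Then point the RDP client at 127.0.0.1:LOCAL_PORT, for example
#   xfreerdp /v:127.0.0.1:8888 /u:Administrator
# and confirm with "ss -ltn" that the listener shows 127.0.0.1:8888, not 0.0.0.0.
if [ $# -ge 3 ]; then
  eval "exec $(build_tunnel_cmd "$@")"
fi
```

The first connection prints the bastion's SSH host key fingerprint; compare it with the one shown in the instance's console log in Horizon before accepting, because that key is the only thing that distinguishes your bastion from an impostor on the same floating IP.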