Showing posts with label bastion.

Wednesday, August 29, 2012

How to control and manage your cloud servers from a bastion server

The idea is very simple. We would like to have one (or more) servers that belong to our cloud account and use them only to execute and orchestrate various tasks. The diagram below shows the concept: from your own machine you ssh to the bastion (1), and from the bastion you run any further tasks against the other servers (2).



A hardened server should be used as the bastion host. This server provides the following functions:

  • It acts as the single, secured gateway into the cloud environment.
  • All other servers should be configured to accept SSH connections only from this server (for example, by restricting the source address in their firewall rules).
  • From the bastion you launch the tasks that perform further actions on the other cloud servers.

Problem

How to run an ssh or scp command that is initiated on the client but has to be executed from the bastion host against another cloud server.

Solution

This relatively long Python script, which uses the paramiko module, demonstrates the idea. It can definitely be extended and improved, but I hope you get the idea :).
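The paramiko script itself is not reproduced on this page, so here is an added example of my own (not the post's script) that solves the same problem with the OpenSSH client's ProxyJump feature (`ssh -J`, available since OpenSSH 7.3) and nothing beyond the Python standard library. The bastion address, the target addresses and the file paths are placeholders I made up; the point worth copying is that the remote command is quoted argument by argument before ssh hands it to the target's shell, and that the client runs in batch mode with strict host-key checking so an unknown or changed host key fails loudly instead of being accepted.

```python
"""Run ssh/scp on cloud servers through a bastion with OpenSSH ProxyJump.

Added example; not the post's paramiko script. BASTION and the targets in
__main__ are placeholders (assumptions), not real hosts.
"""
import shlex
import subprocess
from typing import Dict, List, Optional, Union

# Assumption: placeholder jump host; replace with your bastion's user@host.
BASTION = "admin@bastion.example.com"


def ssh_argv(target: str, remote_cmd: List[str], bastion: str = BASTION,
             identity: Optional[str] = None) -> List[str]:
    """argv for: ssh -J <bastion> <target> '<remote_cmd>'.

    ssh passes the remote command to the remote user's shell as a single
    string, so every argument is quoted with shlex.quote first. Without
    that, an argument such as "a; rm -rf /" would be re-parsed on the
    target as a second command.
    """
    argv = [
        "ssh",
        "-J", bastion,                      # hop through the bastion (OpenSSH >= 7.3)
        "-o", "BatchMode=yes",              # never prompt: fail instead of hanging
        "-o", "StrictHostKeyChecking=yes",  # refuse unknown or changed host keys
    ]
    if identity:
        argv += ["-i", identity]
    argv += [target, " ".join(shlex.quote(a) for a in remote_cmd)]
    return argv


def scp_argv(src: str, dst: str, bastion: str = BASTION) -> List[str]:
    """argv for scp through the bastion; -o ProxyJump= is scp's form of ssh -J."""
    return ["scp", "-o", f"ProxyJump={bastion}", "-o", "BatchMode=yes",
            "-o", "StrictHostKeyChecking=yes", src, dst]


def run(argv: List[str], timeout: int = 120) -> subprocess.CompletedProcess:
    """Execute a prepared argv without a local shell (no re-parsing here either)."""
    return subprocess.run(argv, capture_output=True, text=True, timeout=timeout)


def run_on_all(targets: List[str], remote_cmd: List[str],
               execute: bool = True) -> Dict[str, Union[str, List[str]]]:
    """Orchestrate one command over many servers via the bastion.

    With execute=False it returns the argv per target instead of running
    it, which lets you review exactly what would be executed.
    """
    results: Dict[str, Union[str, List[str]]] = {}
    for target in targets:
        argv = ssh_argv(target, remote_cmd)
        if not execute:
            results[target] = argv
            continue
        proc = run(argv)
        if proc.returncode == 0:
            results[target] = proc.stdout.strip()
        else:
            results[target] = f"ERROR rc={proc.returncode}: {proc.stderr.strip()}"
    return results


if __name__ == "__main__":
    # Placeholder internal addresses in the same private 10.x range as the post.
    servers = ["root@10.177.69.211", "root@10.177.69.212"]
    for host, argv in run_on_all(servers, ["uptime"], execute=False).items():
        print(host, "->", " ".join(shlex.quote(a) for a in argv))
    print(" ".join(scp_argv("./deploy.tgz", "root@10.177.69.211:/tmp/")))
```

The same hop can be made permanent with a `ProxyJump` line for the internal hosts in `~/.ssh/config`. Either way the bastion's sshd must permit TCP forwarding (`AllowTcpForwarding`), because `-J` tunnels the second connection through the bastion rather than running a shell there, and the bastion's own host key should be in your `known_hosts` before you rely on batch mode.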

Tuesday, August 14, 2012

How to find the public IP address of my RackConnected cloud server

Every cloud server that belongs to a cloud account linked with RackConnect gets a static NAT created on the external network device, such as an ASA firewall or an F5 load balancer. At the moment there is no easy way to find out what that IP actually is.

When you first create a cloud server it is assigned an IP from the cloud public IP address pool. You can see it in the example output below.

$ cloudservers --username user --apikey  key  boot rctest --flavor 1 --image 112
+-----------+------------------------------------------------------------------+
|  Property |                              Value                               |
+-----------+------------------------------------------------------------------+
| addresses | {u'public': [u'31.222.163.128'], u'private': [u'10.177.69.211']} |
| adminPass |                         rrrrrrrrrrrr                          |
|  flavorId |                                1                                 |
|   hostId  |                 0652da292b44004e3aa76dc80bd912d5                 |
|     id    |                             10209889                             |
|  imageId  |                               112                                |
|  metadata |                                {}                                |
|    name   |                              rctest                              |
|  progress |                                0                                 |
|   status  |                              BUILD                               |
+-----------+------------------------------------------------------------------+

The initial IP of 31.222.163.128 is going to change as soon as the RackConnect tasks have run against this cloud server. A further problem is that all subsequent API calls may still return the original IP address instead of the new one assigned by the RackConnect system.

$ cloudservers --username user  --apikey  key show 10209889
+------------+----------------------------------+
|  Property  |              Value               |
+------------+----------------------------------+
|   flavor   |            256 server            |
|   hostId   | 0652da292b44004e3aa76dc80bd912d5 |
|     id     |             10209889             |
|   image    |         Ubuntu 10.04 LTS         |
|  metadata  |                {}                |
|    name    |              rctest              |
| private ip |          10.177.69.211           |
|  progress  |                0                 |
| public ip  |          31.222.163.128          |
|   status   |              BUILD               |
+------------+----------------------------------+

Problem

How do I find the external IP address that RackConnect assigns to my cloud server?

Solution

Once the cloud server is built you can open a browser on the cloud server itself (which may be a bit of a problem) and google for: what's my IP.

Alternatively, if you have a bastion server that you can log in to over SSH, you can from there run the following command against the internal IP address of your new cloud server. It asks an external service which source address the request arrived from, which is exactly the NATed address RackConnect configured on the edge device:

mybastion$ ssh root@10.177.69.211 "curl  http://icanhazip.com"
11.138.183.11