GCP
Latest revision as of 21:26, 26 April 2022
Tasks
Basics
Auth
gcloud auth login
Set project and zone
gcloud config set compute/zone us-east4-a # see es command for more
Increase VM hard drive size
You don't have to stop the VM to resize a persistent disk, though stopping it first is the safer option. Two caveats: disks can only be grown, never shrunk, and growing the disk does not by itself grow the partition and filesystem inside the guest. Google-provided public images resize the root partition on the next boot; on anything else do it by hand (growpart, then resize2fs or xfs_growfs).
Compute Engine > Storage > Disks > (find the VM's matching disk) > Edit > Upsize it
Cloning a VM
- Create a machine image of the existing VM (give it the VM's name). It shows up under
Compute Engine > VMs > Machine images
- Create a new VM from the machine image
A machine image is a full copy of the VM's disks, so any keys, tokens or other credentials sitting on the source come along with the clone; scrub them or rotate them afterwards.
Remove external IP
Edit the VM, and under its network interface change External IP from Ephemeral to None.
Without an external IP the VM also loses direct outbound internet access. If it still needs to reach the internet (apt updates and the like), put a Cloud NAT gateway on the subnet; if it only needs Google APIs, enabling Private Google Access on the subnet is enough.
Set up a new VM for gcloud SSH 2fa access
IAP TCP forwarding authenticates the tunnel with your Google account, so the account's own 2-step verification is what gates SSH, and the VM never needs a public address.
- Do one of these:
  - Remove external IP (see above) - this makes `gcloud compute ssh ...` fall back to IAP tunneling.
  - Specifically request IAP tunneling:
gcloud compute ssh box-1 --tunnel-through-iap
- Add a firewall rule that allows ingress TCP 22 from 35.235.240.0/20 (the source range IAP's proxies connect from), scope it to the VM with a target network tag, and put that tag on the VM. The user also needs the IAP-secured Tunnel User role (roles/iap.tunnelResourceAccessor) on the instance or project.
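To check that the IAP firewall rule above actually reaches a given VM, here is an added example (mine, not from these notes) that reads the JSON from `gcloud compute firewall-rules list --format=json` and works out whether an enabled ingress allow rule for tcp/22 covers IAP's 35.235.240.0/20 range and the VM's network tags, without being overridden by a deny rule of equal or higher precedence. The rule list and tag names in SAMPLE_RULES_JSON are constructed, and the script assumes all rules belong to the VM's own VPC network (filter the list first if you have several).

```python
"""Decide whether a VPC firewall lets IAP TCP forwarding reach a VM's SSH port.

Added example, not part of the original notes. Input is the JSON printed by
`gcloud compute firewall-rules list --format=json`; SAMPLE_RULES_JSON is a
constructed, trimmed stand-in and the tag names in it are invented.
"""
import ipaddress
import json

# Google's published source range for IAP TCP forwarding proxies.
IAP_RANGE = ipaddress.ip_network("35.235.240.0/20")

# Constructed sample; real output carries more fields (network, selfLink, ...).
SAMPLE_RULES_JSON = """
[
  {"name": "allow-iap-ssh", "direction": "INGRESS", "disabled": false, "priority": 1000,
   "sourceRanges": ["35.235.240.0/20"], "targetTags": ["iap-ssh"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
  {"name": "default-allow-ssh", "direction": "INGRESS", "disabled": true, "priority": 65534,
   "sourceRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
  {"name": "allow-internal", "direction": "INGRESS", "disabled": false, "priority": 65534,
   "sourceRanges": ["10.128.0.0/9"],
   "allowed": [{"IPProtocol": "all"}]},
  {"name": "deny-iap-ssh", "direction": "INGRESS", "disabled": false, "priority": 900,
   "sourceRanges": ["35.235.240.0/20"], "targetTags": ["no-iap"],
   "denied": [{"IPProtocol": "tcp", "ports": ["20-23"]}]}
]
"""


def _port_matches(entries, port):
    """True if any allowed/denied entry covers TCP <port> (single ports or lo-hi ranges)."""
    for entry in entries:
        if entry.get("IPProtocol", "").lower() not in ("tcp", "all"):
            continue
        ports = entry.get("ports")
        if not ports:  # no port list means every port of that protocol
            return True
        for spec in ports:
            lo, _, hi = spec.partition("-")
            if int(lo) <= port <= int(hi or lo):
                return True
    return False


def _covers_iap(rule):
    """Does some sourceRange contain the whole IAP proxy range? (IPv6 ranges are skipped.)"""
    for src in rule.get("sourceRanges", []):
        net = ipaddress.ip_network(src, strict=False)
        if net.version == IAP_RANGE.version and IAP_RANGE.subnet_of(net):
            return True
    return False


def _targets_vm(rule, vm_tags):
    """Rules with no target apply to every VM in the network; tag-targeted rules need a match."""
    if rule.get("targetServiceAccounts"):
        return False  # service-account targeting not modelled: treat as not applying
    tags = rule.get("targetTags")
    if not tags:
        return True
    return bool(set(tags) & set(vm_tags))


def iap_ssh_rules(rules, vm_tags, port=22):
    """Names of allow rules that let IAP reach tcp/<port> on a VM carrying vm_tags,
    minus any overridden by a matching deny rule of equal or higher precedence."""
    allows, deny_priorities = [], []
    for rule in rules:
        if (rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled", False)
                or not _covers_iap(rule) or not _targets_vm(rule, vm_tags)):
            continue
        if _port_matches(rule.get("allowed", []), port):
            allows.append(rule)
        if _port_matches(rule.get("denied", []), port):
            deny_priorities.append(rule.get("priority", 1000))
    # Lower priority number wins; on a tie GCP prefers deny, hence the strict "<".
    best_deny = min(deny_priorities, default=None)
    return sorted(r["name"] for r in allows
                  if best_deny is None or r.get("priority", 1000) < best_deny)


def check_vm(rules_json, vm_tags, port=22):
    """Parse gcloud's JSON and run the check for one VM's network tags."""
    return iap_ssh_rules(json.loads(rules_json), vm_tags, port)


if __name__ == "__main__":
    for tags in (["iap-ssh", "web"], ["web"], ["iap-ssh", "no-iap"]):
        print(tags, "->", check_vm(SAMPLE_RULES_JSON, tags) or "no IAP path to tcp/22")
```

An empty result for the VM's tags is the symptom behind "gcloud compute ssh hangs on the IAP tunnel": nothing admits 35.235.240.0/20, so add the allow rule and tag. A non-empty result still needs the IAM side (roles/iap.tunnelResourceAccessor) to be in place.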
Harden SSH to internal connections only
- First set up a plain SSH connection from the source to the target machine: put the source's public key in the target user's ~/.ssh/authorized_keys and try it. It probably won't connect yet; that's fine, but get it right now, because once GCP's key management is switched off below it is the only way in.
- Make that user a full sudoer, or you will lock yourself out of root:
sudo visudo   # change the %sudo line to: %sudo ALL=(ALL) NOPASSWD: ALL
sudo usermod -a -G sudo esauto
(NOPASSWD for the whole sudo group is a trade-off: anyone holding that user's private key gets root with no second secret, so guard the key accordingly.)
- Turn off GCP's SSH key management for the instance:
  - set the instance metadata key enable-oslogin to FALSE
  - tick "Block project-wide SSH keys"
  - restart the VM
- Now the plain SSH connection should work.
old notes
(This no longer seems true.) It never seemed enough to just remove the external IP. Additional steps that got it done:
gcloud compute instances describe box-1
  networkInterfaces:
  - accessConfigs:
    - ...
      name: External NAT
gcloud compute instances delete-access-config box-1 --access-config-name "External NAT"
# REBOOT THE VM
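The two checks above, "does this VM still have a public address" and "is GCP's SSH key management really off", are easy to get wrong by eye across a project, so here is an added example (mine, not from these notes) that audits `gcloud compute instances list --format=json` output for both. It lists every access config that carries a natIP, generates the delete-access-config command from the old notes for each (with the zone and interface filled in), and reports the effective enable-oslogin and block-project-ssh-keys settings, applying the GCP rule that instance metadata overrides project metadata. The instance JSON, project metadata, names and addresses below are constructed.

```python
"""Audit instances for external IPs and SSH key-management posture.

Added example, not from the original notes. Input is the JSON printed by
`gcloud compute instances list --format=json`; SAMPLE_INSTANCES_JSON and
SAMPLE_PROJECT_METADATA are constructed stand-ins with invented names.
"""
import json

# Constructed: what `gcloud compute project-info describe` shows under
# commonInstanceMetadata.items, flattened to a dict.
SAMPLE_PROJECT_METADATA = {"enable-oslogin": "TRUE"}

# Constructed and trimmed; real output carries many more fields per instance.
SAMPLE_INSTANCES_JSON = """
[
  {"name": "box-1",
   "zone": "https://www.googleapis.com/compute/v1/projects/example/zones/us-east4-a",
   "tags": {"items": ["iap-ssh"]},
   "metadata": {"items": [{"key": "enable-oslogin", "value": "FALSE"},
                          {"key": "block-project-ssh-keys", "value": "TRUE"}]},
   "networkInterfaces": [
     {"name": "nic0", "networkIP": "10.150.0.2",
      "accessConfigs": [{"name": "External NAT", "type": "ONE_TO_ONE_NAT",
                         "natIP": "203.0.113.10"}]}]},
  {"name": "box-2",
   "zone": "https://www.googleapis.com/compute/v1/projects/example/zones/us-east4-a",
   "metadata": {"items": []},
   "networkInterfaces": [{"name": "nic0", "networkIP": "10.150.0.3"}]}
]
"""


def _zone(instance):
    """Zone URLs look like .../zones/us-east4-a; gcloud wants just the last part."""
    return instance["zone"].rsplit("/", 1)[-1]


def _metadata(instance):
    """Flatten metadata.items ([{key, value}, ...]) to a dict."""
    return {item["key"]: item.get("value", "")
            for item in instance.get("metadata", {}).get("items", [])}


def _flag(value):
    """GCP boolean metadata is a string; accept TRUE/true/True."""
    return str(value).strip().lower() == "true"


def external_ips(instance):
    """(nic, access-config name, public IP) for every NAT'd address on the VM."""
    found = []
    for nic in instance.get("networkInterfaces", []):
        for cfg in nic.get("accessConfigs", []):
            if cfg.get("natIP"):  # an access config without natIP is not reachable
                found.append((nic["name"], cfg["name"], cfg["natIP"]))
    return found


def remove_commands(instance):
    """The gcloud command(s) that strip each public address, one per interface."""
    return [
        f'gcloud compute instances delete-access-config {instance["name"]} '
        f'--zone {_zone(instance)} --network-interface {nic} '
        f'--access-config-name "{cfg}"'
        for nic, cfg, _ in external_ips(instance)
    ]


def remove_all_commands(instances_json):
    """Removal commands for every instance in the list, in list order."""
    cmds = []
    for inst in json.loads(instances_json):
        cmds.extend(remove_commands(inst))
    return cmds


def ssh_posture(instance, project_metadata):
    """Effective SSH settings: instance metadata overrides project metadata.

    With enable-oslogin set nowhere, the legacy metadata-key path is in use, so
    the default is FALSE (an org policy can force OS Login on; not modelled here).
    """
    md = _metadata(instance)
    oslogin = md.get("enable-oslogin", project_metadata.get("enable-oslogin", "FALSE"))
    return {
        "name": instance["name"],
        "external_ip": bool(external_ips(instance)),
        "oslogin": _flag(oslogin),
        "block_project_ssh_keys": _flag(md.get("block-project-ssh-keys", "FALSE")),
    }


def audit(instances_json, project_metadata):
    """One posture dict per instance, in list order."""
    return [ssh_posture(i, project_metadata) for i in json.loads(instances_json)]


if __name__ == "__main__":
    for inst in json.loads(SAMPLE_INSTANCES_JSON):
        print(ssh_posture(inst, SAMPLE_PROJECT_METADATA))
        for cmd in remove_commands(inst):
            print("  ", cmd)
```

Run it against real output with `gcloud compute instances list --format=json > instances.json` and feed the file contents to audit(); a VM that shows external_ip True together with oslogin False and block_project_ssh_keys False is the combination this page is trying to get rid of.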
Install gcloud CLI
sudo apt-get install apt-transport-https ca-certificates gnupg
echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] https://packages.cloud.google.com/apt cloud-sdk main" | sudo tee -a /etc/apt/sources.list.d/google-cloud-sdk.list
# apt-key is deprecated; write the key straight into the keyring that signed-by points at
curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo gpg --dearmor -o /usr/share/keyrings/cloud.google.gpg
sudo apt-get update && sudo apt-get install google-cloud-cli
Details: https://cloud.google.com/sdk/docs/install#deb
Then copy the gcloud SSH key pair from a machine that already has one:
scp -r case:.ssh/google_compute* ~/.ssh/
This puts the private key google_compute_engine on a second host. The cleaner option is to let `gcloud compute ssh` generate a fresh pair on the new machine and register its public key (through OS Login or instance metadata), so each host has its own key and a leaked one can be revoked on its own.