GCP: Difference between revisions
No edit summary |
|||
| Line 5: | Line 5: | ||
gcloud config set compute/zone us-east4-a | gcloud config set compute/zone us-east4-a | ||
# see es command for more | # see es command for more | ||
=== Tasks === | === Tasks === | ||
==== Cloning a VM ==== | ==== Cloning a VM ==== | ||
| Line 20: | Line 11: | ||
* Create a new VM from the machine image | * Create a new VM from the machine image | ||
==== Remove external IP ==== | ==== Remove external IP ==== | ||
Edit the network and change the External IP from Ephemeral to None. | |||
==== Set up a new VM for gcloud SSH 2fa access ==== | |||
* Remove external IP (see above) - this will force `gcloud compute ssh...` to use "IAP Tunneling". | |||
* Add a network tag to the VM that allows access - it seems I don't have rights to tags, but I can use `demo-meteor-1` to get the job done | |||
==== Harden SSH to internal connections only ==== | ==== Harden SSH to internal connections only ==== | ||
* create a FUCKING NORMAL SSH CONNECTION from source to target machine (it won't work, that's ok, but you better do it right) | * create a FUCKING NORMAL SSH CONNECTION from source to target machine (it won't work, that's ok, but you better do it right) | ||
| Line 38: | Line 25: | ||
** restart | ** restart | ||
* Now normal ssh should start working | * Now normal ssh should start working | ||
==== old notes ==== | |||
(This no longer seems true.) It never seems enough to remove external IP. Additional steps to get it done: | |||
gcloud compute instances describe box-1 | |||
networkInteface | |||
- accessConfigs: | |||
- ... | |||
name: External NAT | |||
gcloud compute instances delete-access-config box-1 --access-config-name "External NAT" | |||
# REBOOT THE VM | |||
=== Install gcloud CLI === | |||
curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo apt-key --keyring /usr/share/keyrings/cloud.google.gpg add - | |||
echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] https://packages.cloud.google.com/apt cloud-sdk main" | sudo tee -a /etc/apt/sources.list.d/google-cloud-sdk.list | |||
sudo apt update | |||
sudo apt install google-cloud-sdk | |||
[https://cloud.google.com/sdk/docs/install#deb Details] | |||
Then you should copy the ssh key from another location: | |||
scp -r case:.ssh/google_compute* ~/.ssh/ | |||
Revision as of 18:37, 29 January 2022
Basics
Auth
gcloud auth login
Set project and zone
gcloud config set compute/zone us-east4-a # see es command for more
Tasks
Cloning a VM
- Create an image of an existing VM, with the same name. It will be added under...
Compute Engine > VMs > Machine images
- Create a new VM from the machine image
Remove external IP
Edit the network and change the External IP from Ephemeral to None.
Set up a new VM for gcloud SSH 2fa access
- Remove external IP (see above) - this will force `gcloud compute ssh...` to use "IAP Tunneling".
- Add a network tag to the VM that allows access - it seems I don't have rights to tags, but I can use `demo-meteor-1` to get the job done
Harden SSH to internal connections only
- create a FUCKING NORMAL SSH CONNECTION from source to target machine (it won't work, that's ok, but you better do it right)
- make the user that is connectable FULL SUDO or you will be fucked out of access!
sudo visudo # and change sudo group to: (ALL) NOPASSWD: ALL sudo usermod -a -G sudo esauto
- Remove the GCP ssh bullshit
- set metadata key enable-oslogin to FALSE
- [x] block project-wide ssh
- restart
- Now normal ssh should start working
old notes
(This no longer seems true.) It never seems enough to remove external IP. Additional steps to get it done:
gcloud compute instances describe box-1
networkInteface
- accessConfigs:
- ...
name: External NAT
gcloud compute instances delete-access-config box-1 --access-config-name "External NAT"
# REBOOT THE VM
Install gcloud CLI
curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo apt-key --keyring /usr/share/keyrings/cloud.google.gpg add - echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] https://packages.cloud.google.com/apt cloud-sdk main" | sudo tee -a /etc/apt/sources.list.d/google-cloud-sdk.list sudo apt update sudo apt install google-cloud-sdk
Details Then you should copy the ssh key from another location:
scp -r case:.ssh/google_compute* ~/.ssh/