GCP: Difference between revisions
No edit summary |
No edit summary |
||
| (4 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
=== Basics === | === Tasks === | ||
==== Basics ==== | |||
Auth | Auth | ||
gcloud auth login | gcloud auth login | ||
| Line 5: | Line 6: | ||
gcloud config set compute/zone us-east4-a | gcloud config set compute/zone us-east4-a | ||
# see es command for more | # see es command for more | ||
=== | ==== Increase VM hard drive size ==== | ||
Allegedly you don't even have to stop the VM to do this! Maybe better to do so, though. | |||
Compute Engine > Storage > Disks > (find the VM's matching disk) > Edit > Upsize it | |||
==== Cloning a VM ==== | ==== Cloning a VM ==== | ||
* Create an image of an existing VM, with the same name. It will be added under... | * Create an image of an existing VM, with the same name. It will be added under... | ||
| Line 13: | Line 16: | ||
Edit the network and change the External IP from Ephemeral to None. | Edit the network and change the External IP from Ephemeral to None. | ||
==== Set up a new VM for gcloud SSH 2fa access ==== | ==== Set up a new VM for gcloud SSH 2fa access ==== | ||
* Remove external IP (see above) - this will force `gcloud compute ssh...` to use "IAP Tunneling". | * Do one of these: | ||
* Add a network tag to the VM that allows access - it | ** Remove external IP (see above) - this will force `gcloud compute ssh...` to use "IAP Tunneling". | ||
** Specifically request IAP tunneling: | |||
gcloud compute ssh box-1 --tunnel-through-iap | |||
* Add a network tag to the VM that allows access - not sure which rules for IAP yet... try SSH and see if that's it... | |||
==== Harden SSH to internal connections only ==== | ==== Harden SSH to internal connections only ==== | ||
* create a FUCKING NORMAL SSH CONNECTION from source to target machine (it won't work, that's ok, but you better do it right) | * create a FUCKING NORMAL SSH CONNECTION from source to target machine (it won't work, that's ok, but you better do it right) | ||
| Line 38: | Line 45: | ||
=== Install gcloud CLI === | === Install gcloud CLI === | ||
sudo apt-get install apt-transport-https ca-certificates gnupg | |||
echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] https://packages.cloud.google.com/apt cloud-sdk main" | sudo tee -a /etc/apt/sources.list.d/google-cloud-sdk.list | |||
curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo apt-key --keyring /usr/share/keyrings/cloud.google.gpg add - | curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo apt-key --keyring /usr/share/keyrings/cloud.google.gpg add - | ||
sudo apt-get update && sudo apt-get install google-cloud-cli | |||
[https://cloud.google.com/sdk/docs/install#deb Details] | [https://cloud.google.com/sdk/docs/install#deb Details] | ||
Then you should copy the ssh key from another location: | Then you should copy the ssh key from another location: | ||
scp -r case:.ssh/google_compute* ~/.ssh/ | scp -r case:.ssh/google_compute* ~/.ssh/ | ||
Latest revision as of 21:26, 26 April 2022
Tasks
Basics
Auth
gcloud auth login
Set project and zone
gcloud config set compute/zone us-east4-a # see es command for more
Increase VM hard drive size
Allegedly you don't even have to stop the VM to do this! Maybe better to do so, though.
Compute Engine > Storage > Disks > (find the VM's matching disk) > Edit > Upsize it
Cloning a VM
- Create an image of an existing VM, with the same name. It will be added under...
Compute Engine > VMs > Machine images
- Create a new VM from the machine image
Remove external IP
Edit the network and change the External IP from Ephemeral to None.
Set up a new VM for gcloud SSH 2fa access
- Do one of these:
- Remove external IP (see above) - this will force `gcloud compute ssh...` to use "IAP Tunneling".
- Specifically request IAP tunneling:
gcloud compute ssh box-1 --tunnel-through-iap
- Add a network tag to the VM that allows access - not sure which rules for IAP yet... try SSH and see if that's it...
Harden SSH to internal connections only
- create a FUCKING NORMAL SSH CONNECTION from source to target machine (it won't work, that's ok, but you better do it right)
- make the user that is connectable FULL SUDO or you will be fucked out of access!
sudo visudo # and change sudo group to: (ALL) NOPASSWD: ALL sudo usermod -a -G sudo esauto
- Remove the GCP ssh bullshit
- set metadata key enable-oslogin to FALSE
- [x] block project-wide ssh
- restart
- Now normal ssh should start working
old notes
(This no longer seems true.) It never seems enough to remove external IP. Additional steps to get it done:
gcloud compute instances describe box-1
networkInteface
- accessConfigs:
- ...
name: External NAT
gcloud compute instances delete-access-config box-1 --access-config-name "External NAT"
# REBOOT THE VM
Install gcloud CLI
sudo apt-get install apt-transport-https ca-certificates gnupg echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] https://packages.cloud.google.com/apt cloud-sdk main" | sudo tee -a /etc/apt/sources.list.d/google-cloud-sdk.list curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo apt-key --keyring /usr/share/keyrings/cloud.google.gpg add - sudo apt-get update && sudo apt-get install google-cloud-cli
Details Then you should copy the ssh key from another location:
scp -r case:.ssh/google_compute* ~/.ssh/