CentOS Firewall Issues on GCE - google-compute-engine

I am trying out a "Hello World" exercise for GCE. First, I went with CentOS Image, added the instance, installed Apache, added the Firewall. All looks good as far as configuration is concerned. When I try to access the web page from outside, it cannot reach the page.
The Local Apache Server is running, from the local instance I can do a curl and all is well.
On the other hand, if I try out the same exact steps with the Debian distribution, everything works smoothly.
I saw another post that mentioned additional firewall settings, but I have not tried that out and I am not sure why it should be done either.
Can anyone explain if the CentOS setup does need additional Firewall settings and what those are?

CentOS defaults to a restrictive operating-system-level firewall (using iptables), while Debian defaults to a permissive one. You can relax the firewall rules on CentOS as well. When running on Compute Engine, the service-level firewall will only allow connections from the internet via configured ports.
To relax the CentOS firewall:
$ sudo iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited
Then test that your connections work as expected. To save this configuration across system reboots:
$ /sbin/service iptables save
See the IPTables HowTo on the CentOS wiki for more information about working with iptables on CentOS.
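Added example, not part of the answer above: deleting the catch-all REJECT rule opens every port on the instance to whatever the Compute Engine firewall lets through. The narrower fix is to insert an ACCEPT for just the web port ahead of the REJECT and confirm the chain order. The rule text is constructed to mirror the stock CentOS 6 /etc/sysconfig/iptables; compare it with `sudo iptables -S INPUT` on the real host before relying on it.

```shell
#!/bin/sh
# Added example (not from the original thread). Checks whether a TCP port is
# reachable before the terminal REJECT/DROP rule in the INPUT chain, and shows
# the targeted way to open one port instead of dropping the REJECT rule.

# Returns 0 if new TCP connections to port $2 would be ACCEPTed before the
# catch-all REJECT/DROP, 1 otherwise. $1 is the output of `iptables -S INPUT`.
port_open_before_reject() {
    printf '%s\n' "$1" | awk -v port="$2" '
        /^-P INPUT DROP/ { policy_drop = 1 }          # chain policy
        done { next }                                  # decision already made
        (/-j REJECT/ || /-j DROP/) && $0 !~ /--dport/ { closed = 1; done = 1 }
        /-p tcp/ && index($0, "--dport " port " ") && /-j ACCEPT/ { open = 1; done = 1 }
        END { exit (open ? 0 : (closed || policy_drop ? 1 : 0)) }
    '
}

# Targeted fix: -I places the rule at the top of INPUT, so it is evaluated
# before the REJECT. Run this on the instance; `service iptables save`
# persists it in /etc/sysconfig/iptables across reboots.
open_web_port() {
    sudo iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport "$1" -j ACCEPT
    sudo /sbin/service iptables save
}

# Constructed: the CentOS 6 default INPUT chain as printed by `iptables -S INPUT`.
CENTOS_DEFAULT='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# Constructed: the same chain after `open_web_port 80`.
CENTOS_WEB_OPEN='-P INPUT ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

if port_open_before_reject "$CENTOS_DEFAULT" 80; then
    echo "tcp/80 is already open"
else
    echo "tcp/80 is blocked by the catch-all REJECT; run: open_web_port 80"
fi
```

On CentOS 7 and later the same role is played by firewalld (`firewall-cmd --permanent --add-service=http` followed by `firewall-cmd --reload`); the iptables commands above apply to the CentOS 6 era this thread was written in.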

You need to free the ports in the Cloud Console.
Watch this video that explains the process.
Google Compute Engine Test Drive

Related

Openshift OKD 4.5 on VMware

I am getting a connection timeout when running the command in bootstrap.
Any configuration suggestions on the networking part, if I am missing anything?
It says the Kubernetes API call timed out.
This is obviously very hard to debug without having access to your environment. Some tips to debug the OKD installation:
Before starting the installation, make sure your environment meets all the prerequisites. Often, the problem lies with a faulty DNS / DHCP / networking setup. Potentially deploy a separate VM into the network to check if everything works as expected.
The bootstrap node and the Master Nodes are deployed with the SSH key you specify, so in vCenter, get the IP of the machines that are already deployed and use SSH to connect to them. Once on the machine, use sudo crictl ps and sudo crictl logs <container-id> to review the logs for the running containers, focussing on the components:
kube-apiserver
etcd
machine-controller
In your case, the API is not coming up, so reviewing the logs of the above components will likely show the root cause.

Why do I get ssh connection error after installing MYSQL server on Ubuntu 18.04 running on AWS (Lightsail and EC2)?

So I followed this tutorial to install and configure a MySQL server on an AWS instance that was originally running on EC2.
When I tried to log back in to the server via SSH, I would get a "port 22: Connection timed out" error.
So I tried to do the same on Lightsail and ended up getting the same error when I try to log back in.
Is this a known issue? Am I doing anything wrong? Is there a way to fix this?
Thanks.
The mentioned tutorial says: enable the firewall to allow MySQL remote access.
sudo ufw enable
sudo ufw allow mysql
which allows only MySQL and blocks every other incoming request, whether SSH, HTTP, or anything else you have defined in the security group of the EC2 instance.
In my case I had allowed the following inbound rules, but nothing was working; even SSH said connection refused.
To get this working, either disable the firewall or allow the required ports in the firewall. Of course, you still need to log in to the EC2 instance to get this done.
There are 3 ways to connect to an EC2 instance.
SSH was not working, so I chose Session Manager (browser-based SSH). I followed this video and was able to connect to the instance through Session Manager.
After logging in I just disabled the firewall and everything works fine.
sudo ufw disable
All the inbound rules working properly. Hope it will work for you.
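Added example, not from the answer above: the lockout happens because `ufw enable` installs a default-deny inbound policy the moment it runs, and the tutorial only allowed `mysql` afterwards. The guard below checks a `ufw status` listing for an SSH rule before enabling, and shows the ordering that keeps SSH reachable. The status listings are constructed samples, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original thread): avoid locking yourself out
# of an EC2/Lightsail host when turning on ufw.

# Returns 0 if the ufw status text in $1 contains an ALLOW rule for SSH
# (22, 22/tcp or the OpenSSH application profile), 1 otherwise.
ssh_rule_present() {
    printf '%s\n' "$1" | grep -Eiq '^(22(/tcp)?|OpenSSH)[[:space:]]+ALLOW'
}

# Safe ordering: allow SSH first, then the service you actually wanted,
# then enable. --force skips the interactive "may disrupt SSH" prompt,
# which is fine only because the SSH rule is already in place.
safe_ufw_enable() {
    sudo ufw allow OpenSSH
    sudo ufw allow mysql
    sudo ufw --force enable
    sudo ufw status verbose
}

# Refuse to enable the firewall unless the current rule set already lets
# SSH in. Call as: guarded_ufw_enable "$(sudo ufw status)"
guarded_ufw_enable() {
    if ssh_rule_present "$1"; then
        sudo ufw --force enable
    else
        echo "refusing to enable ufw: no SSH rule present, run 'sudo ufw allow OpenSSH' first" >&2
        return 1
    fi
}

# Constructed sample: what the tutorial's two commands leave behind.
LOCKED_OUT='Status: active

To                         Action      From
--                         ------      ----
3306/tcp                   ALLOW       Anywhere
3306/tcp (v6)              ALLOW       Anywhere (v6)'

# Constructed sample: rule set after safe_ufw_enable.
SAFE='Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
3306/tcp                   ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
3306/tcp (v6)              ALLOW       Anywhere (v6)'
```

Note that the EC2 security group and the host firewall are evaluated independently: a security group inbound rule for port 22 does nothing if ufw on the host drops the packet, which is exactly why the security group looked right while SSH still failed.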

Cant VNC into Google Compute Engine

I have spent a couple days trying to install software on Google Compute Engine (GCE) and then remotely access it from either my windows pc or local linux machine.
I can install software, like Google Chrome, etc. but can't open the applications as I keep getting display issues (understandably because GCE is headless). So I'm trying to VNC into the GCE instance.
I have tried installing the following on the server: (Instance Name is "talend")
vnc4server: I get output saying the server is running and everything looks good. The only error I get is a language warning like the following:
steven@talend:~$ vnc4server -geometry 1440x900 :1
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
	LANGUAGE = (unset),
	LC_ALL = (unset),
	LANG = "en_ZA.UTF-8"
    are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
A VNC server is already running as :1
and
steven@talend:~$ vnc4server -geometry 1440x900 :2
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
	LANGUAGE = (unset),
	LC_ALL = (unset),
	LANG = "en_ZA.UTF-8"
    are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
New 'talend:2 (steven)' desktop is talend:2
Starting applications specified in /home/steven/.vnc/xstartup
Log file is /home/steven/.vnc/talend:2.log
Remote Access: Using TightVNC client via Windows
I get the following message:
No connection could be made because the target machine actively refused it.
Remote Access: Using Vinagre via Linux
Connection to host 8.34.210.67::5902 was closed.
Via Google Compute Engine Web Console:
Tried changing to static ip > No Difference
Tried adding tcp:80 with Source: 0.0.0.0/0 > No Difference
I'm sure there is a simple solution to this but I can't seem to find it. Any help will be appreciated and then will post a link to the final solution.
Thanks.
You will need to configure three settings to all agree on the same port:
The port vnc4server is listening on.
A Compute Engine firewall rule to allow traffic on that port.
The port TightVNC is attempting to connect to.
From the error message "Connection to host 8.34.210.67::5902 was closed.", it looks like TightVNC is trying to connect to 5902. Assuming that vnc4server is also listening on that port, you should add a Compute Engine firewall rule to allow that port.
Visit the Console at https://cloud.google.com/console, click on your project, then Compute Engine, then Networks. Click the "Create new" next to "Firewalls" and add a new rule with tcp:5902 set in the Ports/Protocols field.
If you're running on Centos, there is an additional step to disable the local firewall as well: CentOS Firewall Issues on GCE
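Added example, not part of the answer above: the three settings it lists all derive from the display number, since a VNC server on display :N listens on TCP 5900+N. The block computes that port, checks it against a firewall rule's allowed list, and shows two ways to reach it: a rule restricted to your own address (vnc4server does not encrypt the session, so opening the port to 0.0.0.0/0 is unwise), or the safer SSH port forward that needs no VNC firewall rule at all. The rule name, tag, hostname and allowed lists are assumptions made up for the example.

```shell
#!/bin/sh
# Added example (not from the original thread): keep the VNC server port,
# the Compute Engine firewall rule and the client target in agreement.

# Xvnc/vnc4server display :N listens on TCP 5900+N (:2 -> 5902).
vnc_port() {
    echo $((5900 + $1))
}

# Returns 0 if "$2" (e.g. tcp:5902) is in the comma-separated allowed list
# "$1" of a firewall rule, as `gcloud compute firewall-rules list` prints it.
rule_allows() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Option A: open the port, but only from one address and only to instances
# carrying the "vnc" network tag. Rule name and tag are assumed.
open_vnc_firewall() {
    display=$1; my_ip=$2
    gcloud compute firewall-rules create "allow-vnc-$display" \
        --allow "tcp:$(vnc_port "$display")" \
        --source-ranges "$my_ip/32" \
        --target-tags vnc
}

# Option B (preferred): forward the VNC port over SSH. Only tcp:22 has to be
# reachable; point the VNC client at localhost:<port> afterwards.
tunnel_vnc() {
    display=$1; host=$2
    port=$(vnc_port "$display")
    ssh -f -N -L "$port:localhost:$port" "$host"
    echo "connect your VNC client to localhost:$port"
}

# Constructed allowed lists: the rule the poster added (tcp:80 only) and one
# that also permits the :2 display.
RULE_HTTP_ONLY='tcp:80'
RULE_HTTP_AND_VNC='tcp:80,tcp:5902'

if rule_allows "$RULE_HTTP_ONLY" "tcp:$(vnc_port 2)"; then
    echo "display :2 is reachable through the firewall"
else
    echo "display :2 (tcp:$(vnc_port 2)) is not in the rule; the client will see a refused/closed connection"
fi
```

With the tunnel in place the Compute Engine rule for tcp:80 is irrelevant to VNC, and the "actively refused" / "connection closed" errors in the question disappear because the client never crosses the Compute Engine firewall on the VNC port.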
Another option is to use Guacamole and Tomcat to access your desktop via a browser or VNC client.
Use Aptitude or apt-get to install guacamole-tomcat. I have the VNC port in firewall settings (via tags) as well as http and https. I've set up a "guacamole" tag to use with the firewall as well. Your GCE instance will need these tags assigned. There are some configs to do via /etc/guacamole/ for user/login etc, but essentially it goes like this...
Once installed, the default port is 8080. So browse to http://:8080/guacamole/ and you will get a Guacamole login screen. When you log in, you will have links to click that start your desktop in a browser window.
You can also VNC directly (no browser) via :5901 - or whatever port you configured Guacamole with. It's best of course to have set up a st
Try:
$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
If it is not similar, flush:
sudo iptables -F

Remote access to MySQL on Amazon EC2 Windows instance

I found some solutions for Linux here.
But didn't find any solution for Windows. I don't have my.cnf on Windows. I only have my.ini. there is no bind-address in it.
I have already added an inbound rule for MySQL.
Could anybody give me some advice? Thanks a lot!!!
Here's what I would check:
Verify that the MySQL service is up and running by remote desktop'ing to the instance and trying to connect to it on the instance.
If that checks out, try modifying or disabling Windows Firewall to ensure that outside machines can connect on the relevant port. Depending on the Windows version, there might be several places that you need to fiddle with this (i.e. both Windows Firewall and Windows Firewall with advanced security).
If you're using an Asp.Net Application with Entity Framework, you will need to install the MySQL connector on the EC2 instance (I would suggest running iisreset to make sure the dll's are loaded).

Hudson cmd.exe running as

Where does Hudson CI get the user it runs cmd.exe as?
I'm trying to start and stop some remote services on various slaves, and special credentials that are different from what Hudson is using are needed. I can't find a place to override the user. I've tried running the server as various users, but it doesn't change anything.
Any other ideas?
Since you want to start and stop the services on the remote machine, you need to log in with these credentials on the remote machine, as I haven't found a way to start and stop a service on a remote machine otherwise.
There are different ways to do that. You can create a slave that runs on the remote machine with the correct credentials. You can even create more than one slave for the same machine without any issues, so you can use different credentials for the same machine. These can then fire up the net stop and net start commands.
You can also use the SSH plugin. This allows you to configure pre- and post-build SSH scripts. You 'just' need an SSH server on the Windows machine. The password for the connection will be stored encrypted.
Use a command-line tool. So far I haven't found a Windows on-board tool to do a scripted login to the remote machine. I would use plink for that task. plink is the scripted version of PuTTY. PuTTY supports different connection types, so you can also use the built-in telnet service (not recommended, since telnet does not encrypt the connection). The disadvantage is that you will have the password unencrypted in the job configuration.
We had a similar problem, and I resorted to using PsExec. To my advantage, our machines exist on a separate LAN, within 2 firewalls, so I was OK with unencrypted passwords floating around. I had also explored SSH w/ Putty, which seemed to work, but not straightforward.
If someone can help with single line runas command, that could work too.
You don't say how your slaves are connected to Hudson, but I'll assume it's through the "hudson slave" service, since that's probably the most popular way to connect Windows slaves.
If so, the CMD.EXE is run with the same permissions as the user running the service. This can be checked by:
1. run services.msc
2. double-click hudson-slave service
3. go to Log On tab
By default, the slave service runs as "LocalSystem", which is the most powerful account on the system. It should be able to do whatever you need it to do. (i.e. start/stop services)