martinberger.com

Latest Posts

How to build OCI Infrastructure Environments with Ansible

Author: Martin Berger 12. March 2019

The Oracle provided Ansible module gives us the opportunity to provision and configure Oracle Cloud Infrastructure resources on an automated base. The Ansible basic setup is very easy and the Oracle provided example playbooks in Git are a good base to start with your infrastructure automation project. Oracle provides Ansible example playbooks for

Block Volumes
Compute
Database
File Storage
IAM
Load Balancer
Private Subnets with VPN
Delete Objects
etc.

In this blog post, I will show you how easy it is to bring Ansible and the Oracle Cloud Infrastructure together.

Requirements

A local machine to install Ansible and the required software and modules, in my case it’s an Oracle Linux 7 virtual machine with Internet access.
An Oracle Cloud Infrastructure Account with permissons to create new resources.

Steps to configure Ansible and OCI

Install and configure the Oracle Cloud Infrastructure Python SDK
Install and configure Ansible
Download and configure the OCI modules for Ansible
OCI Test Run

Install and configure the Oracle Cloud Infrastructure Python SDK

In this step, the OCI Python SDK will be installed an configured. The new created SSH public key has to be added in the OCI console for further actions. As OS user root we create a new operating system user called oci for Oracle Cllud Infrastrcuture actions and give him sudo privileges.

Create a User and SSH Keys

# groupadd oci
# useradd oci -g oci
# passwd oci

# groupadd oci

# useradd oci -g oci

# passwd oci

Add this line in /etc/sudoers.

oci ALL=(ALL) ALL

1	oci ALL=(ALL) ALL

$ mkdir ~/.oci
$ openssl genrsa -out ~/.oci/oci_api_key.pem 2048
$ chmod go-rwx ~/.oci/oci_api_key.pem
$ openssl rsa -pubout -in ~/.oci/oci_api_key.pem -out ~/.oci/oci_api_key_public.pem
$ chmod go-rwx ~/.oci/oci_api_key_public.pem
$ chmod go-rwx ~/.oci/oci_api_key.pem

$ mkdir ~/.oci

$ openssl genrsa -out ~/.oci/oci_api_key.pem 2048

$ chmod go-rwx ~/.oci/oci_api_key.pem

$ openssl rsa -pubout -in ~/.oci/oci_api_key.pem -out ~/.oci/oci_api_key_public.pem

$ chmod go-rwx ~/.oci/oci_api_key_public.pem

$ chmod go-rwx ~/.oci/oci_api_key.pem

Show the public key and add it in the OCI console to your cloud account user.

The OCI Configuration File

As user oci, create the Oracle Cloud Infrastructure configuration file

$ vi  ~/.oci/config

1	$ vi ~/.oci/config

Content of the file – for example in region Frankfurt and with the created SSH key file from above.

[DEFAULT]
user=ocid1.[OCID of your OCI User]
fingerprint=[API Key Fingerprint of added SSH public key]
tenancy=[Your tenancy id]
region=eu-frankfurt-1
key_file=~/.oci/oci_api_key_public.pem

[DEFAULT]

user=ocid1.[OCID of your OCI User]

fingerprint=[API Key Fingerprint of added SSH public key]

tenancy=[Your tenancy id]

region=eu-frankfurt-1

key_file=~/.oci/oci_api_key_public.pem

Install the Oracle Cloud Infrastructure Python SDK

$ sudo yum-config-manager --enable ol7_developer ol7_developer_epel
$ sudo yum -y install python-oci-sdk python-oci-cli

1 2	$ sudo yum-config-manager --enable ol7_developer ol7_developer_epel $ sudo yum -y install python-oci-sdk python-oci-cli

Test

Command to list all instances in the selected compartment.

$ oci compute instance list --compartment-id ocid1.compartment.oc1..aaaaaaaayc5kgqshdb5g2mjg4bnt34htnybbho3hx2exkz5pzi6kt4kunhiq | grep display-name
     "display-name": "Instance-AS-Test-1"

1 2	$ oci compute instance list --compartment-id ocid1.compartment.oc1..aaaaaaaayc5kgqshdb5g2mjg4bnt34htnybbho3hx2exkz5pzi6kt4kunhiq \| grep display-name "display-name": "Instance-AS-Test-1"

Install and configure Ansible

As user oci, download and install Ansible and Git.

$ sudo yum -y install git ansible
$ sudo mkdir -p /usr/share/ansible/modules

1 2	$ sudo yum -y install git ansible $ sudo mkdir -p /usr/share/ansible/modules

Set up the module directory.

$ sudo vi /etc/ansible/ansible.cfg
library=/usr/share/ansible/modules

1 2	$ sudo vi /etc/ansible/ansible.cfg library=/usr/share/ansible/modules

Install additional packages.

$ sudo yum install python-pip
$ sudo pip install --upgrade Jinja2

1 2	$ sudo yum install python-pip $ sudo pip install --upgrade Jinja2

This upgrade step is required, otherwise the public key creation in the OCI Ansible module fails (for example when you want to launch a new Compute instance).

Download and configure the OCI modules for Ansible

As user oci, download the Ansible modules from Git.

$ cd /usr/share/ansible/modules
$ sudo git clone https://github.com/oracle/oci-ansible-modules.git

1 2	$ cd /usr/share/ansible/modules $ sudo git clone https://github.com/oracle/oci-ansible-modules.git

Show the content.

$ ls -la
total 4
drwxr-xr-x. 3 root root 33 Mar 11 13:58 .
drwxr-xr-x. 3 root root 21 Mar 11 13:56 ..
drwxr-xr-x. 12 root root 4096 Mar 11 13:58 oci-ansible-modules

$ ls -la

total 4

drwxr-xr-x. 3 root root 33 Mar 11 13:58 .

drwxr-xr-x. 3 root root 21 Mar 11 13:56 ..

drwxr-xr-x. 12 root root 4096 Mar 11 13:58 oci-ansible-modules

Change into the new created directory and execute the configuration script install.py.

$ cd oci-ansible-modules

1	$ cd oci-ansible-modules

$ sudo ./install.py
Copying documentation fragments from /usr/share/ansible/modules/oci-ansible-modules/module_docs_fragments to /usr/lib/python2.7/site-packages/ansible/utils/module_docs_fragments
Copying oracle utility files from /usr/share/ansible/modules/oci-ansible-modules/module_utils/oracle to /usr/lib/python2.7/site-packages/ansible/module_utils/oracle
Creating directory /usr/lib/python2.7/site-packages/ansible/modules/cloud/oracle
Copying OCI Ansible modules from /usr/share/ansible/modules/oci-ansible-modules/library to /usr/lib/python2.7/site-packages/ansible/modules/cloud/oracle
OCI Ansible modules installed successfully.

$ sudo ./install.py

Copying documentation fragments from /usr/share/ansible/modules/oci-ansible-modules/module_docs_fragments to /usr/lib/python2.7/site-packages/ansible/utils/module_docs_fragments

Copying oracle utility files from /usr/share/ansible/modules/oci-ansible-modules/module_utils/oracle to /usr/lib/python2.7/site-packages/ansible/module_utils/oracle

Creating directory /usr/lib/python2.7/site-packages/ansible/modules/cloud/oracle

Copying OCI Ansible modules from /usr/share/ansible/modules/oci-ansible-modules/library to /usr/lib/python2.7/site-packages/ansible/modules/cloud/oracle

OCI Ansible modules installed successfully.

OCI Test Run

We copy the example playbook to launch a Compute cloud instance into the local folder and run the playbook. The Oracle provided playbook needs three variables:

SAMPLE_AD_NAME	Availability Domain, e.g. EUZg:EU-FRANKFURT-1-AD-1
SAMPLE_IMAGE_OCID	OCID of the selected OS – see https://docs.cloud.oracle.com/iaas/images/ to list all available images
SAMPLE_COMPARTMENT_OCID	OCID of your compartment – OCI > Identity > Compartments

Create a working directory and copy the example playbook.

$ mkdir -p ~/ansible/playbooks$ cd ~/ansible/playbooks
$ cp -r /usr/share/ansible/modules/oci-ansible-modules/samples/compute/launch_compute_instance ~/ansible/playbooks

$ cd ~/ansible/playbooks/launch_compute_instance

$ mkdir -p ~/ansible/playbooks$ cd ~/ansible/playbooks

$ cp -r /usr/share/ansible/modules/oci-ansible-modules/samples/compute/launch_compute_instance ~/ansible/playbooks

$ cd ~/ansible/playbooks/launch_compute_instance

Set variables.

$ export SAMPLE_AD_NAME=EUZg:EU-FRANKFURT-1-AD-1
$ export SAMPLE_IMAGE_OCID=ocid1.image.oc1.eu-frankfurt-1.aaaaaaaan7ghs3nhu6bbujqnyukj755642xnmzshck5pm5svol6uigkxl2hq
$ export SAMPLE_COMPARTMENT_OCID=ocid1.compartment.oc1..aaaaaaaayc4703470347034703470347034703o3hx2exkz5pzi6kt4kunhiq

$ export SAMPLE_AD_NAME=EUZg:EU-FRANKFURT-1-AD-1

$ export SAMPLE_IMAGE_OCID=ocid1.image.oc1.eu-frankfurt-1.aaaaaaaan7ghs3nhu6bbujqnyukj755642xnmzshck5pm5svol6uigkxl2hq

$ export SAMPLE_COMPARTMENT_OCID=ocid1.compartment.oc1..aaaaaaaayc4703470347034703470347034703o3hx2exkz5pzi6kt4kunhiq

Run the playbook

Attention: All OCI resources are created and afterwards terminated immediately. If you don’t want to terminate them, comment out this line in file sample.yaml.

- import_tasks: teardown.yaml

1	- import_tasks: teardown.yaml

Execute the Ansible playbook. The infrastructure will be created step by step. Key generation, network configuration, firewall rule setup, instance creation etc. is all automated.

$ ansible-playbook sample.yaml
 [WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'


PLAY [Launch a compute instance and connect to it using SSH] *******************************************************************************************************************

TASK [Gathering Facts] *********************************************************************************************************************************************************
ok: [localhost]

TASK [Check pre-requisites] ****************************************************************************************************************************************************
skipping: [localhost] => (item=SAMPLE_COMPARTMENT_OCID)
skipping: [localhost] => (item=SAMPLE_IMAGE_OCID)
skipping: [localhost] => (item=SAMPLE_AD_NAME)

TASK [Create a temporary directory to house a temporary SSH keypair we will later use to connect to instance] ******************************************************************
changed: [localhost]

TASK [set_fact] ****************************************************************************************************************************************************************
ok: [localhost]

TASK [Generate a Private Key] **************************************************************************************************************************************************
changed: [localhost]

TASK [set_fact] ****************************************************************************************************************************************************************
ok: [localhost]

TASK [Generate a Public Key] ***************************************************************************************************************************************************
changed: [localhost]

TASK [Create a VCN] ************************************************************************************************************************************************************
changed: [localhost]

TASK [set_fact] ****************************************************************************************************************************************************************
ok: [localhost]

TASK [Create a new Internet Gateway] *******************************************************************************************************************************************
changed: [localhost]

TASK [set_fact] ****************************************************************************************************************************************************************
ok: [localhost]

TASK [Create route table to connect internet gateway to the VCN] ***************************************************************************************************************
changed: [localhost]

TASK [set_fact] ****************************************************************************************************************************************************************
ok: [localhost]

TASK [create ingress rules yaml body] ******************************************************************************************************************************************
ok: [localhost]

TASK [create egress yaml body] *************************************************************************************************************************************************
ok: [localhost]

TASK [load the variables defined in the ingress rules yaml body] ***************************************************************************************************************
ok: [localhost]

TASK [print loaded_ingress] ****************************************************************************************************************************************************
ok: [localhost] => {
    "msg": "loaded ingress is {u'instance_ingress_security_rules': [{u'source': u'0.0.0.0/0', u'protocol': u'6', u'tcp_options': {u'destination_port_range': {u'max': 22, u'min': 22}}}]}"
}

TASK [load the variables defined in the egress rules yaml body] ****************************************************************************************************************
ok: [localhost]

TASK [print loaded_egress] *****************************************************************************************************************************************************
ok: [localhost] => {
    "msg": "loaded egress is {u'instance_egress_security_rules': [{u'tcp_options': {u'destination_port_range': {u'max': 22, u'min': 22}}, u'destination': u'0.0.0.0/0', u'protocol': u'6'}]}"
}

TASK [Create a security list for allowing access to public instance] ***********************************************************************************************************
changed: [localhost]

TASK [set_fact] ****************************************************************************************************************************************************************
ok: [localhost]

TASK [Create a subnet to host the public instance. Link security_list and route_table.] ****************************************************************************************
changed: [localhost]

TASK [set_fact] ****************************************************************************************************************************************************************
ok: [localhost]

TASK [Launch an instance] ******************************************************************************************************************************************************
changed: [localhost]

TASK [Print instance details] **************************************************************************************************************************************************
ok: [localhost] => {
    "msg": "Launched a new instance {u'added_instances': [{u'lifecycle_state': u'RUNNING', u'availability_domain': u'EUZg:EU-FRANKFURT-1-AD-1', u'display_name': u'my_test_instance', u'time_maintenance_reboot_due': None, u'compartment_id': u'ocid1.compartment.oc1..aaaaaaaayc5kgqshdb5g2mjg4bnt34htnybbho3hx2exkz5pzi6kt4kunhiq', u'defined_tags': {}, u'region': u'eu-frankfurt-1', u'freeform_tags': {}, u'time_created': u'2019-03-11T13:52:34.238000+00:00', u'launch_options': {u'remote_data_volume_type': u'PARAVIRTUALIZED', u'firmware': u'UEFI_64', u'boot_volume_type': u'PARAVIRTUALIZED', u'is_consistent_volume_naming_enabled': True, u'network_type': u'VFIO', u'is_pv_encryption_in_transit_enabled': True}, u'image_id': u'ocid1.image.oc1.eu-frankfurt-1.aaaaaaaan7ghs3nhu6bbujqnyukj755642xnmzshck5pm5svol6uigkxl2hq', u'source_details': {u'source_type': u'image', u'kms_key_id': None, u'boot_volume_size_in_gbs': None, u'image_id': u'ocid1.image.oc1.eu-frankfurt-1.aaaaaaaan7ghs3nhu6bbujqnyukj755642xnmzshck5pm5svol6uigkxl2hq'}, u'fault_domain': u'FAULT-DOMAIN-3', u'shape': u'VM.Standard1.1', u'launch_mode': u'NATIVE', u'agent_config': {u'is_monitoring_disabled': False}, u'extended_metadata': {}, u'ipxe_script': None, u'id': u'ocid1.instance.oc1.eu-frankfurt-1.abtheljslxpqenvnafkstq2s7hxqizyam7shjd6kihyg33i7w2geeynedotq', u'metadata': {u'ssh_authorized_keys': u'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAA4703470347034703470347034703470347034703470347034703470347034703XR6Zcv4sHKdMH/aDfZKFaLpqHtJ2P+JEC0ok2lWrPQSG0zPoSYWTrldllpgSfzOv1kQ1R/Uor+eedRz9x2DXtKl0anSXY6KNW1GVfOvoFk/c8AuaQy6Y7AZnJAculyF1pRJiHQyZEPuBL9E9EsiRqkQR18G9yewBApRZf/QGXZbLydG8vAa9T1DCYrODb3N2u73IIqbMFwr7sgQ8XQb7h9wlYq2mfUKxy+8H4w7S67'}}], u'instances': [{u'lifecycle_state': u'RUNNING', u'availability_domain': u'EUZg:EU-FRANKFURT-1-AD-1', u'display_name': u'my_test_instance', u'time_maintenance_reboot_due': None, u'compartment_id': u'ocid1.compartment.oc1..aaaaaaaayc5kgqshdb5g2mjg4bnt34htnybbho3hx2exkz5pzi6kt4kunhiq', u'defined_tags': {}, u'region': u'eu-frankfurt-1', u'freeform_tags': {}, u'time_created': u'2019-03-11T13:52:34.238000+00:00', u'launch_options': {u'remote_data_volume_type': u'PARAVIRTUALIZED', u'firmware': u'UEFI_64', u'boot_volume_type': u'PARAVIRTUALIZED', u'is_consistent_volume_naming_enabled': True, u'network_type': u'VFIO', u'is_pv_encryption_in_transit_enabled': True}, u'image_id': u'ocid1.image.oc1.eu-frankfurt-1.aaaaaaaan7ghs3nhu6bbujqnyukj755642xnmzshck5pm5svol6uigkxl2hq', u'source_details': {u'source_type': u'image', u'kms_key_id': None, u'boot_volume_size_in_gbs': None, u'image_id': u'ocid1.image.oc1.eu-frankfurt-1.aaaaaaaan7ghs3nhu6bbujqnyukj755642xnmzshck5pm5svol6uigkxl2hq'}, u'fault_domain': u'FAULT-DOMAIN-3', u'shape': u'VM.Standard1.1', u'launch_mode': u'NATIVE', u'agent_config': {u'is_monitoring_disabled': False}, u'extended_metadata': {}, u'ipxe_script': None, u'id': u'ocid1.instance.oc1.eu-frankfurt-1.abtheljslxpqenvnafkstq2s7hxqizyam7shjd6kihyg33i7w2geeynedotq', u'metadata': {u'ssh_authorized_keys': u'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAA4703470347034703470347034703470347034703470347034703470347034703XR6Zcv4sHKdMH/aDfZKFaLpqHtJ2P+JEC0ok2lWrPQSG0zPoSYWTrldllpgSfzOv1kQ1R/Uor+eedRz9x2DXtKl0anSXY6KNW1GVfOvoFk/c8AuaQy6Y7AZnJAculyF1pRJiHQyZEPuBL9E9EsiRqkQR18G9yewBApRZf/QGXZbLydG8vAa9T1DCYrODb3N2u73IIqbMFwr7sgQ8XQb7h9wlYq2mfUKxy+8H4w7S67'}}], u'changed': True, 'failed': False, u'instance': {u'lifecycle_state': u'RUNNING', u'fault_domain': u'FAULT-DOMAIN-3', u'extended_metadata': {}, u'time_maintenance_reboot_due': None, u'compartment_id': u'ocid1.compartment.oc1..aaaaaaaayc5kgqshdb5g2mjg4bnt34htnybbho3hx2exkz5pzi6kt4kunhiq', u'defined_tags': {}, u'region': u'eu-frankfurt-1', u'freeform_tags': {}, u'time_created': u'2019-03-11T13:52:34.238000+00:00', u'source_details': {u'source_type': u'image', u'image_id': u'ocid1.image.oc1.eu-frankfurt-1.aaaaaaaan7ghs3nhu6bbujqnyukj755642xnmzshck5pm5svol6uigkxl2hq', u'kms_key_id': None, u'boot_volume_size_in_gbs': None}, u'agent_config': {u'is_monitoring_disabled': False}, u'image_id': u'ocid1.image.oc1.eu-frankfurt-1.aaaaaaaan7ghs3nhu6bbujqnyukj755642xnmzshck5pm5svol6uigkxl2hq', u'shape': u'VM.Standard1.1', u'availability_domain': u'EUZg:EU-FRANKFURT-1-AD-1', u'launch_mode': u'NATIVE', u'ipxe_script': None, u'display_name': u'my_test_instance', u'launch_options': {u'remote_data_volume_type': u'PARAVIRTUALIZED', u'firmware': u'UEFI_64', u'boot_volume_type': u'PARAVIRTUALIZED', u'is_consistent_volume_naming_enabled': True, u'network_type': u'VFIO', u'is_pv_encryption_in_transit_enabled': True}, u'id': u'ocid1.instance.oc1.eu-frankfurt-1.abtheljslxpqenvnafkstq2s7hxqizyam7shjd6kihyg33i7w2geeynedotq', u'metadata': {u'ssh_authorized_keys': u'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAA4703470347034703470347034703470347034703470347034703470347034703XR6Zcv4sHKdMH/aDfZKFaLpqHtJ2P+JEC0ok2lWrPQSG0zPoSYWTrldllpgSfzOv1kQ1R/Uor+eedRz9x2DXtKl0anSXY6KNW1GVfOvoFk/c8AuaQy6Y7AZnJAculyF1pRJiHQyZEPuBL9E9EsiRqkQR18G9yewBApRZf/QGXZbLydG8vAa9T1DCYrODb3N2u73IIqbMFwr7sgQ8XQb7h9wlYq2mfUKxy+8H4w7S67'}}}"
}

TASK [set_fact] ****************************************************************************************************************************************************************
ok: [localhost]

TASK [Get the VNIC attachment details of instance] *****************************************************************************************************************************
ok: [localhost]

TASK [Get details of the VNIC] *************************************************************************************************************************************************
ok: [localhost]

TASK [set_fact] ****************************************************************************************************************************************************************
ok: [localhost]

TASK [Print the public ip of the newly launched instance] **********************************************************************************************************************
ok: [localhost] => {
    "msg": "Public IP of launched instance 130.61.40.231"
}

TASK [Wait (upto 5 minutes) for port 22 to become open] ************************************************************************************************************************
ok: [localhost]

TASK [Attempt a ssh connection to the newly launced instance] ******************************************************************************************************************
changed: [localhost]

TASK [Print SSH response from launched instance] *******************************************************************************************************************************
ok: [localhost] => {
    "msg": "SSH response from instance -> [u'Linux mytestinstance 3.10.0-957.5.1.el7.x86_64 #1 SMP Fri Feb 1 14:54:57 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux']"
}

TASK [Terminate the instance] **************************************************************************************************************************************************
changed: [localhost]

TASK [Delete the subnet] *******************************************************************************************************************************************************
changed: [localhost]

TASK [Delete the security list] ************************************************************************************************************************************************
changed: [localhost]

TASK [Delete the route table] **************************************************************************************************************************************************
changed: [localhost]

TASK [Delete the Internet Gateway] *********************************************************************************************************************************************
changed: [localhost]

TASK [Delete the VCN] **********************************************************************************************************************************************************
changed: [localhost]

PLAY RECAP *********************************************************************************************************************************************************************
localhost                  : ok=38   changed=16   unreachable=0    failed=0

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

$ ansible-playbook sample.yaml

[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'

PLAY [Launch a compute instance and connect to it using SSH] *******************************************************************************************************************

TASK [Gathering Facts] *********************************************************************************************************************************************************

ok: [localhost]

TASK [Check pre-requisites] ****************************************************************************************************************************************************

skipping: [localhost] => (item=SAMPLE_COMPARTMENT_OCID)

skipping: [localhost] => (item=SAMPLE_IMAGE_OCID)

skipping: [localhost] => (item=SAMPLE_AD_NAME)

TASK [Create a temporary directory to house a temporary SSH keypair we will later use to connect to instance] ******************************************************************

changed: [localhost]

TASK [set_fact] ****************************************************************************************************************************************************************

ok: [localhost]

TASK [Generate a Private Key] **************************************************************************************************************************************************

changed: [localhost]

TASK [set_fact] ****************************************************************************************************************************************************************

ok: [localhost]

TASK [Generate a Public Key] ***************************************************************************************************************************************************

changed: [localhost]

TASK [Create a VCN] ************************************************************************************************************************************************************

changed: [localhost]

TASK [set_fact] ****************************************************************************************************************************************************************

ok: [localhost]

TASK [Create a new Internet Gateway] *******************************************************************************************************************************************

changed: [localhost]

TASK [set_fact] ****************************************************************************************************************************************************************

ok: [localhost]

TASK [Create route table to connect internet gateway to the VCN] ***************************************************************************************************************

changed: [localhost]

TASK [set_fact] ****************************************************************************************************************************************************************

ok: [localhost]

TASK [create ingress rules yaml body] ******************************************************************************************************************************************

ok: [localhost]

TASK [create egress yaml body] *************************************************************************************************************************************************

ok: [localhost]

TASK [load the variables defined in the ingress rules yaml body] ***************************************************************************************************************

ok: [localhost]

TASK [print loaded_ingress] ****************************************************************************************************************************************************

ok: [localhost] => {

"msg": "loaded ingress is {u'instance_ingress_security_rules': [{u'source': u'0.0.0.0/0', u'protocol': u'6', u'tcp_options': {u'destination_port_range': {u'max': 22, u'min': 22}}}]}"

}

TASK [load the variables defined in the egress rules yaml body] ****************************************************************************************************************

ok: [localhost]

TASK [print loaded_egress] *****************************************************************************************************************************************************

ok: [localhost] => {

"msg": "loaded egress is {u'instance_egress_security_rules': [{u'tcp_options': {u'destination_port_range': {u'max': 22, u'min': 22}}, u'destination': u'0.0.0.0/0', u'protocol': u'6'}]}"

}

TASK [Create a security list for allowing access to public instance] ***********************************************************************************************************

changed: [localhost]

TASK [set_fact] ****************************************************************************************************************************************************************

ok: [localhost]

TASK [Create a subnet to host the public instance. Link security_list and route_table.] ****************************************************************************************

changed: [localhost]

TASK [set_fact] ****************************************************************************************************************************************************************

ok: [localhost]

TASK [Launch an instance] ******************************************************************************************************************************************************

changed: [localhost]

TASK [Print instance details] **************************************************************************************************************************************************

ok: [localhost] => {

"msg": "Launched a new instance {u'added_instances': [{u'lifecycle_state': u'RUNNING', u'availability_domain': u'EUZg:EU-FRANKFURT-1-AD-1', u'display_name': u'my_test_instance', u'time_maintenance_reboot_due': None, u'compartment_id': u'ocid1.compartment.oc1..aaaaaaaayc5kgqshdb5g2mjg4bnt34htnybbho3hx2exkz5pzi6kt4kunhiq', u'defined_tags': {}, u'region': u'eu-frankfurt-1', u'freeform_tags': {}, u'time_created': u'2019-03-11T13:52:34.238000+00:00', u'launch_options': {u'remote_data_volume_type': u'PARAVIRTUALIZED', u'firmware': u'UEFI_64', u'boot_volume_type': u'PARAVIRTUALIZED', u'is_consistent_volume_naming_enabled': True, u'network_type': u'VFIO', u'is_pv_encryption_in_transit_enabled': True}, u'image_id': u'ocid1.image.oc1.eu-frankfurt-1.aaaaaaaan7ghs3nhu6bbujqnyukj755642xnmzshck5pm5svol6uigkxl2hq', u'source_details': {u'source_type': u'image', u'kms_key_id': None, u'boot_volume_size_in_gbs': None, u'image_id': u'ocid1.image.oc1.eu-frankfurt-1.aaaaaaaan7ghs3nhu6bbujqnyukj755642xnmzshck5pm5svol6uigkxl2hq'}, u'fault_domain': u'FAULT-DOMAIN-3', u'shape': u'VM.Standard1.1', u'launch_mode': u'NATIVE', u'agent_config': {u'is_monitoring_disabled': False}, u'extended_metadata': {}, u'ipxe_script': None, u'id': u'ocid1.instance.oc1.eu-frankfurt-1.abtheljslxpqenvnafkstq2s7hxqizyam7shjd6kihyg33i7w2geeynedotq', u'metadata': {u'ssh_authorized_keys': u'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAA4703470347034703470347034703470347034703470347034703470347034703XR6Zcv4sHKdMH/aDfZKFaLpqHtJ2P+JEC0ok2lWrPQSG0zPoSYWTrldllpgSfzOv1kQ1R/Uor+eedRz9x2DXtKl0anSXY6KNW1GVfOvoFk/c8AuaQy6Y7AZnJAculyF1pRJiHQyZEPuBL9E9EsiRqkQR18G9yewBApRZf/QGXZbLydG8vAa9T1DCYrODb3N2u73IIqbMFwr7sgQ8XQb7h9wlYq2mfUKxy+8H4w7S67'}}], u'instances': [{u'lifecycle_state': u'RUNNING', u'availability_domain': u'EUZg:EU-FRANKFURT-1-AD-1', u'display_name': u'my_test_instance', u'time_maintenance_reboot_due': None, u'compartment_id': u'ocid1.compartment.oc1..aaaaaaaayc5kgqshdb5g2mjg4bnt34htnybbho3hx2exkz5pzi6kt4kunhiq', u'defined_tags': {}, u'region': u'eu-frankfurt-1', u'freeform_tags': {}, u'time_created': u'2019-03-11T13:52:34.238000+00:00', u'launch_options': {u'remote_data_volume_type': u'PARAVIRTUALIZED', u'firmware': u'UEFI_64', u'boot_volume_type': u'PARAVIRTUALIZED', u'is_consistent_volume_naming_enabled': True, u'network_type': u'VFIO', u'is_pv_encryption_in_transit_enabled': True}, u'image_id': u'ocid1.image.oc1.eu-frankfurt-1.aaaaaaaan7ghs3nhu6bbujqnyukj755642xnmzshck5pm5svol6uigkxl2hq', u'source_details': {u'source_type': u'image', u'kms_key_id': None, u'boot_volume_size_in_gbs': None, u'image_id': u'ocid1.image.oc1.eu-frankfurt-1.aaaaaaaan7ghs3nhu6bbujqnyukj755642xnmzshck5pm5svol6uigkxl2hq'}, u'fault_domain': u'FAULT-DOMAIN-3', u'shape': u'VM.Standard1.1', u'launch_mode': u'NATIVE', u'agent_config': {u'is_monitoring_disabled': False}, u'extended_metadata': {}, u'ipxe_script': None, u'id': u'ocid1.instance.oc1.eu-frankfurt-1.abtheljslxpqenvnafkstq2s7hxqizyam7shjd6kihyg33i7w2geeynedotq', u'metadata': {u'ssh_authorized_keys': u'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAA4703470347034703470347034703470347034703470347034703470347034703XR6Zcv4sHKdMH/aDfZKFaLpqHtJ2P+JEC0ok2lWrPQSG0zPoSYWTrldllpgSfzOv1kQ1R/Uor+eedRz9x2DXtKl0anSXY6KNW1GVfOvoFk/c8AuaQy6Y7AZnJAculyF1pRJiHQyZEPuBL9E9EsiRqkQR18G9yewBApRZf/QGXZbLydG8vAa9T1DCYrODb3N2u73IIqbMFwr7sgQ8XQb7h9wlYq2mfUKxy+8H4w7S67'}}], u'changed': True, 'failed': False, u'instance': {u'lifecycle_state': u'RUNNING', u'fault_domain': u'FAULT-DOMAIN-3', u'extended_metadata': {}, u'time_maintenance_reboot_due': None, u'compartment_id': u'ocid1.compartment.oc1..aaaaaaaayc5kgqshdb5g2mjg4bnt34htnybbho3hx2exkz5pzi6kt4kunhiq', u'defined_tags': {}, u'region': u'eu-frankfurt-1', u'freeform_tags': {}, u'time_created': u'2019-03-11T13:52:34.238000+00:00', u'source_details': {u'source_type': u'image', u'image_id': u'ocid1.image.oc1.eu-frankfurt-1.aaaaaaaan7ghs3nhu6bbujqnyukj755642xnmzshck5pm5svol6uigkxl2hq', u'kms_key_id': None, u'boot_volume_size_in_gbs': None}, u'agent_config': {u'is_monitoring_disabled': False}, u'image_id': u'ocid1.image.oc1.eu-frankfurt-1.aaaaaaaan7ghs3nhu6bbujqnyukj755642xnmzshck5pm5svol6uigkxl2hq', u'shape': u'VM.Standard1.1', u'availability_domain': u'EUZg:EU-FRANKFURT-1-AD-1', u'launch_mode': u'NATIVE', u'ipxe_script': None, u'display_name': u'my_test_instance', u'launch_options': {u'remote_data_volume_type': u'PARAVIRTUALIZED', u'firmware': u'UEFI_64', u'boot_volume_type': u'PARAVIRTUALIZED', u'is_consistent_volume_naming_enabled': True, u'network_type': u'VFIO', u'is_pv_encryption_in_transit_enabled': True}, u'id': u'ocid1.instance.oc1.eu-frankfurt-1.abtheljslxpqenvnafkstq2s7hxqizyam7shjd6kihyg33i7w2geeynedotq', u'metadata': {u'ssh_authorized_keys': u'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAA4703470347034703470347034703470347034703470347034703470347034703XR6Zcv4sHKdMH/aDfZKFaLpqHtJ2P+JEC0ok2lWrPQSG0zPoSYWTrldllpgSfzOv1kQ1R/Uor+eedRz9x2DXtKl0anSXY6KNW1GVfOvoFk/c8AuaQy6Y7AZnJAculyF1pRJiHQyZEPuBL9E9EsiRqkQR18G9yewBApRZf/QGXZbLydG8vAa9T1DCYrODb3N2u73IIqbMFwr7sgQ8XQb7h9wlYq2mfUKxy+8H4w7S67'}}}"

}

TASK [set_fact] ****************************************************************************************************************************************************************

ok: [localhost]

TASK [Get the VNIC attachment details of instance] *****************************************************************************************************************************

ok: [localhost]

TASK [Get details of the VNIC] *************************************************************************************************************************************************

ok: [localhost]

TASK [set_fact] ****************************************************************************************************************************************************************

ok: [localhost]

TASK [Print the public ip of the newly launched instance] **********************************************************************************************************************

ok: [localhost] => {

"msg": "Public IP of launched instance 130.61.40.231"

}

TASK [Wait (upto 5 minutes) for port 22 to become open] ************************************************************************************************************************

ok: [localhost]

TASK [Attempt a ssh connection to the newly launced instance] ******************************************************************************************************************

changed: [localhost]

TASK [Print SSH response from launched instance] *******************************************************************************************************************************

ok: [localhost] => {

"msg": "SSH response from instance -> [u'Linux mytestinstance 3.10.0-957.5.1.el7.x86_64 #1 SMP Fri Feb 1 14:54:57 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux']"

}

TASK [Terminate the instance] **************************************************************************************************************************************************

changed: [localhost]

TASK [Delete the subnet] *******************************************************************************************************************************************************

changed: [localhost]

TASK [Delete the security list] ************************************************************************************************************************************************

changed: [localhost]

TASK [Delete the route table] **************************************************************************************************************************************************

changed: [localhost]

TASK [Delete the Internet Gateway] *********************************************************************************************************************************************

changed: [localhost]

TASK [Delete the VCN] **********************************************************************************************************************************************************

changed: [localhost]

PLAY RECAP *********************************************************************************************************************************************************************

localhost : ok=38 changed=16 unreachable=0 failed=0

Ready to Use

After a few minutes, a complete infrastructure for an OCI compute instance is created and the instance is ready to connect.

The required SSH keys for the terminal connection were generated in a subdirectory of /tmp with the prefix ansible. In my example, the private and the public SSH key are located in /tmp/ansible.v6ckX0cert.

$ pwd
/tmp/ansible.v6ckX0cert

$ ll
total 8
-rw-------. 1 oci oci 1708 Mar 11 14:03 private_key.pem
-rw-rw-r--. 1 oci oci  380 Mar 11 14:03 public_key.pem

$ pwd

/tmp/ansible.v6ckX0cert

$ ll

total 8

-rw-------. 1 oci oci 1708 Mar 11 14:03 private_key.pem

-rw-rw-r--. 1 oci oci 380 Mar 11 14:03 public_key.pem

Summary

The Oracle provided Ansible playbooks are a good entry point to start with OCI automation. I am already working at the next tasks to make my work easier with more variables and simplified playbooks. And finally I want to integrate it in Ansible AWX. Well done Oracle!

Ansible, Oracle Cloud Infrastructure, Oracle RDBMS, TrivadisContent

Monitor your Oracle Cloud Infrastructure with Grafana on Oracle Linux 7

Author: Martin Berger 6. March 2019

Since the end of February there is a new Grafana plugin for Oracle Cloud Infrastructure available. With this plugin we can access and monitor OCI metrics and data. Grafana is an open-source platform for data visualization and monitoring. This blog post shows you how to install and configure the Grafana plugin based on the Oracle blog entry https://blogs.oracle.com/cloudnative/data-source-grafana on an Oracle Enterprise Linux 7 server.

The OCI Grafana Plugin is a nice solution for companies who don’t have a full stack infrastructure monitoring environment up and running like the Enterprise Manager EM13c. But who want to know how their machines in the Oracle Cloud Infrastructure are performing.

Steps to configure the OCI Grafana Plugin

Install and configure the Oracle Cloud Infrastructure CLI – by download or by YUM install
Configure Group, User and Policy in Oracle Cloud Infrastructure Console
Install Grafana and the OCI Plugin
Create a new Dashboard based on OCI Metrics

Machine Requirements

The server needs access to the internet.

Install and configure the Oracle Cloud Infrastructure CLI

Method 1 – Download

In this step, the software will be installed an configured. The new created SSH public key has to be added in the OCI console for further actions.

As OS user root we create a new user for OCI actions.

# groupadd oci
# useradd oci -g oci
# passwd oci

# groupadd oci

# useradd oci -g oci

# passwd oci

Login as user oci, execute the CLI download and installation script. Answer questions with Y / Enter to get the default installation.

$ bash -c "$(curl -L https://raw.githubusercontent.com/oracle/oci-cli/master/scripts/install/install.sh)"

1	$ bash -c "$(curl -L https://raw.githubusercontent.com/oracle/oci-cli/master/scripts/install/install.sh)"

Default values:

installation directory	/home/oci/lib/oracle-cli
executable directory	/home/oci/bin
OCI scripts	/home/oci/bin/oci-cli-scripts
shell/tab completion	Y
path to rc file	/home/oci/.bashrc

After the successful CLI installation, you have to configure it.

$ /home/oci/bin/oci setup config

1	$ /home/oci/bin/oci setup config

Based on your OCI account, these information are required – let the config and key location on default values.

config location	/home/oci/.oci/config
user OCID	OCI > Identity > Users > [YOUR_USER] > OCID
tenancy OCID	OCI > Administration > Tenancy Details > [YOUR_TENANCY] > OCID
region	choose your region, e.g. eu-frankfurt-1
generate a new key pair	Y
key directory	/home/oci/.oci
key name	oci_api_key

Test the CLI configuration – example to list all compartments in your tenant.

/home/oci/bin/oci iam compartment list --all | grep name
"name": "Compartment_Trivadis_BDS_MBg",
"name": "ManagedCompartmentForPaaS"

/home/oci/bin/oci iam compartment list --all | grep name

"name": "Compartment_Trivadis_BDS_MBg",

"name": "ManagedCompartmentForPaaS"

Show the content of the public key to add it in the OCI console to your user which you want to work with. Attention: Three different API keys are the limit!

# cat /home/oci/.oci/oci_api_key_public.pem
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtrh7gsSJDdcKKmYs+EAL
4444444444444444444444444444444444444444444444444444444444444444
7777777777777777777777777777777777777777777777777777777777777777
0000000000000000000000000000000000000000000000000000000000000000
3333333333333333333333333333333333333333333333333333333333333333
+d2Kyn/xNUA1zBBM6LUYZGTZsAxJFxubY/98RTF4GmY/7g26WPmFz+7gqM0+j+3r
YQIDAQAB
-----END PUBLIC KEY-----

# cat /home/oci/.oci/oci_api_key_public.pem

-----BEGIN PUBLIC KEY-----

MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtrh7gsSJDdcKKmYs+EAL

4444444444444444444444444444444444444444444444444444444444444444

7777777777777777777777777777777777777777777777777777777777777777

0000000000000000000000000000000000000000000000000000000000000000

3333333333333333333333333333333333333333333333333333333333333333

+d2Kyn/xNUA1zBBM6LUYZGTZsAxJFxubY/98RTF4GmY/7g26WPmFz+7gqM0+j+3r

YQIDAQAB

-----END PUBLIC KEY-----

Attention: Be sure that you add the public key to the user which you have used for the CLI configuration!

Method 2 – YUM Repository

Thanks to Sergio Leunissen from Oracle for his input, the Python SDK and oci utilities are is available in the YUM repository too and ready to install. Take a look at his blog post to see how to work with the Python SDK and OCI metadata:

https://blogs.oracle.com/linux/easy-compute-instance-metadata-access-with-oci-utils

Enable the repository

# yum-config-manager --enable ol7_developer

1	# yum-config-manager --enable ol7_developer

Show the OCI package information

# yum info python-oci-cli
Loaded plugins: langpacks, ulninfo
Available Packages
Name        : python-oci-cli
Arch        : noarch
Version     : 2.5.3
Release     : 1.el7
Size        : 670 k
Repo        : ol7_developer/x86_64
Summary     : Oracle Bare Metal Cloud Services CLI client
URL         : http://pypi.python.org/pypi/oci-cli
License     : Apache2.0
Description : Python SDK for Oracle Bare Metal Cloud Services command line client utilities.

# yum info python-oci-cli

Loaded plugins: langpacks, ulninfo

Available Packages

Name : python-oci-cli

Arch : noarch

Version : 2.5.3

Release : 1.el7

Size : 670 k

Repo : ol7_developer/x86_64

Summary : Oracle Bare Metal Cloud Services CLI client

URL : http://pypi.python.org/pypi/oci-cli

License : Apache2.0

Description : Python SDK for Oracle Bare Metal Cloud Services command line client utilities.

Configure Group, modify User and add a Policy in Oracle Cloud Infrastructure Web Interface

A new group is created for a better access control.

Group

Create a new OCI group called Grafana. OCI > Identity > Groups.

Modify User

Add the selected user to the group – for example this is my user.

Add a Policy

Create a new policy called GrafanaPolicy. OCI > Identity > Policies with these two statements.

allow group grafana to read metrics in tenancy
allow group grafana to read compartments in tenancy

Install Grafana and the OCI Plugin

# wget https://dl.grafana.com/oss/release/grafana-6.0.0-1.x86_64.rpm 
# yum localinstall grafana-6.0.0-1.x86_64.rpm

1 2	# wget https://dl.grafana.com/oss/release/grafana-6.0.0-1.x86_64.rpm # yum localinstall grafana-6.0.0-1.x86_64.rpm

Enable auto start and start the Grafana server manually.

# systemctl enable grafana-server.service
# systemctl daemon-reload
# systemctl start grafana-server

# systemctl enable grafana-server.service

# systemctl daemon-reload

# systemctl start grafana-server

Enable port 3000 (Grafana default port in firewall – the port can be changed in /etc/grafana/grafana.ini) to provide web access to Grafana.

# firewall-cmd --permanent --zone=public --add-port=3000/tcp
# firewall-cmd --reload
# firewall-cmd --permanent --zone=public --list-ports
3000/tcp

# firewall-cmd --permanent --zone=public --add-port=3000/tcp

# firewall-cmd --reload

# firewall-cmd --permanent --zone=public --list-ports

3000/tcp

Install the oci-datasource plugin.

# grafana-cli plugins install oci-datasource
# service grafana-server restart

1 2	# grafana-cli plugins install oci-datasource # service grafana-server restart

The Grafana plugin directorya with the installed plugin.

# ls -la /var/lib/grafana/plugins
total 0
drwxr-xr-x. 3 grafana grafana 28 Mar 4 12:26 .
drwxr-xr-x. 4 grafana grafana 50 Mar 4 12:39 ..
drwxr-xr-x. 3 root root 18 Mar 4 12:26 oci-datasource

# ls -la /var/lib/grafana/plugins

total 0

drwxr-xr-x. 3 grafana grafana 28 Mar 4 12:26 .

drwxr-xr-x. 4 grafana grafana 50 Mar 4 12:39 ..

drwxr-xr-x. 3 root root 18 Mar 4 12:26 oci-datasource

Grafana needs the configuration file and the SSH Key from the user oci. As user root, copy the files and modify the permissions.

# cp -r /home/oci/.oci /usr/share/grafana
# chown -R grafana:grafana cd

1 2	# cp -r /home/oci/.oci /usr/share/grafana # chown -R grafana:grafana cd

Change the path to the key file in /usr/share/grafana/.oci/config.

# vi /usr/share/grafana/.oci/config

From:

key_file=/home/oci/.oci/oci_api_key.pem

1	key_file=/home/oci/.oci/oci_api_key.pem

To:

key_file=/usr/share/grafana/.oci/oci_api_key.pem

1	key_file=/usr/share/grafana/.oci/oci_api_key.pem

Create a new Dashboard based on OCI Metrics

Login into Grafana with [SERVERNAME]:3000. Username and password are admin/admin. Please change your password after first login.

Add data source

Select Oracle Cloud Infrastructure

Configure the Data Source

Fill in your tenancy OCI, region and set Environment = Local. Test the connection. For troubleshooting see Grafana logfile in /var/log/grafana.

Create a new Dashboard and Add Query

Create a Query to visualize Data

In this dashboard example I used the region FRA, my compartment, the namespace oci_blockstorage and the metric VolumeWriteOps.

Available Metrics

For instance monitoring like CPU or Memory you have to enable the metric collection first and install the OCI Cloud Agent that the value is available in the namespace. Example, there are eight metrics are available for my compute instance. Learn more about metrics and monitoring in the OCI documentation here:

Summary

The OCI Grafana plugin is a nice solution to visualize cloud environments based on Open Source software. Take care that Grafana needs acccess to the OCI CLI SSH information for the Oracle Cloud Infrastructure connection.

Oracle Cloud Infrastructure, Oracle Linux, TrivadisContent

OCI Compute Instances – Stop SSH Brute Force Attacks with fail2ban & UseDNS

Author: Martin Berger 6. November 2018

Every day and night, the SSH login by key into my public accessible Oracle Cloud Infrastructure Linux Compute Instance was permitted for hours. And sometimes, when I had luck, it worked. For me it was not clear when it works and when not. But something has blocked me. The password authentification in the OCI Linux instance is basically disabled, the key is the only way to log in.

After some investigation on the OCI instance, I found a huge amount of login trials in the /var/log/secure file. These brute force attacks were locking me out!

Nov  4 03:57:24 instance-as-1 sshd[1975]: Received disconnect from 132.232.17.146 port 53924:11: Normal Shutdown, Thank you for playing [preauth]
Nov  4 03:57:24 instance-as-1 sshd[1975]: Disconnected from 132.232.17.146 port 53924 [preauth]
Nov  4 04:01:22 instance-as-1 sshd[2194]: Received disconnect from 132.232.17.146 port 59916:11: Normal Shutdown, Thank you for playing [preauth]
Nov  4 04:01:22 instance-as-1 sshd[2194]: Disconnected from 132.232.17.146 port 59916 [preauth]
Nov  4 04:05:28 instance-as-1 sshd[2448]: Received disconnect from 132.232.17.146 port 37640:11: Normal Shutdown, Thank you for playing [preauth]
Nov  4 04:05:28 instance-as-1 sshd[2448]: Disconnected from 132.232.17.146 port 37640 [preauth]
Nov  4 04:20:28 instance-as-1 sshd[3206]: Received disconnect from 125.65.42.187 port 48506:11:  [preauth]
Nov  4 04:20:28 instance-as-1 sshd[3206]: Disconnected from 125.65.42.187 port 48506 [preauth]
Nov  4 04:21:47 instance-as-1 sshd[3275]: Did not receive identification string from 46.101.174.170 port 46073
Nov  4 04:21:47 instance-as-1 sshd[3272]: Received disconnect from 118.123.15.142 port 38448:11:  [preauth]
Nov  4 04:21:47 instance-as-1 sshd[3272]: Disconnected from 118.123.15.142 port 38448 [preauth]
Nov  4 04:24:33 instance-as-1 sshd[3409]: Received disconnect from 118.123.15.210 port 41616:11:  [preauth]
Nov  4 04:24:33 instance-as-1 sshd[3409]: Disconnected from 118.123.15.210 port 41616 [preauth]
Nov  4 04:24:48 instance-as-1 sshd[3421]: Received disconnect from 115.238.245.2 port 50782:11:  [preauth]
Nov  4 04:24:48 instance-as-1 sshd[3421]: Disconnected from 115.238.245.2 port 50782 [preauth]
Nov  4 04:27:08 instance-as-1 sshd[3538]: Received disconnect from 61.184.247.2 port 59804:11:  [preauth]
Nov  4 04:27:08 instance-as-1 sshd[3538]: Disconnected from 61.184.247.2 port 59804 [preauth]
Nov  4 04:32:07 instance-as-1 sshd[3785]: Received disconnect from 125.65.42.192 port 41143:11:  [preauth]
Nov  4 04:32:07 instance-as-1 sshd[3785]: Disconnected from 125.65.42.192 port 41143 [preauth]
Nov  4 04:32:35 instance-as-1 sshd[3811]: Received disconnect from 61.184.247.11 port 57407:11:  [preauth]
Nov  4 04:32:35 instance-as-1 sshd[3811]: Disconnected from 61.184.247.11 port 57407 [preauth]
Nov  4 04:36:02 instance-as-1 sshd[3981]: Received disconnect from 200.46.254.107 port 57063:11: Normal Shutdown, Thank you for playing [preauth]
Nov  4 04:36:02 instance-as-1 sshd[3981]: Disconnected from 200.46.254.107 port 57063 [preauth]
Nov  4 04:36:08 instance-as-1 sshd[3965]: Connection closed by 125.65.42.178 port 60537 [preauth]
Nov  4 04:36:49 instance-as-1 sshd[4020]: Received disconnect from 115.238.245.8 port 51409:11:  [preauth]
Nov  4 04:36:49 instance-as-1 sshd[4020]: Disconnected from 115.238.245.8 port 51409 [preauth]
Nov  4 04:39:32 instance-as-1 sshd[4168]: Invalid user pos from 200.46.254.107 port 50308
Nov  4 04:39:32 instance-as-1 sshd[4168]: input_userauth_request: invalid user pos [preauth]
Nov  4 04:39:32 instance-as-1 sshd[4168]: Received disconnect from 200.46.254.107 port 50308:11: Normal Shutdown, Thank you for playing [preauth]
Nov  4 04:39:32 instance-as-1 sshd[4168]: Disconnected from 200.46.254.107 port 50308 [preauth]
Nov  4 04:39:46 instance-as-1 sshd[4179]: Received disconnect from 122.226.181.165 port 57930:11:  [preauth]
Nov  4 04:39:46 instance-as-1 sshd[4179]: Disconnected from 122.226.181.165 port 57930 [preauth]
Nov  4 04:41:00 instance-as-1 sshd[4250]: Received disconnect from 115.238.245.14 port 42326:11:  [preauth]
Nov  4 04:41:00 instance-as-1 sshd[4250]: Disconnected from 115.238.245.14 port 42326 [preauth]
Nov  4 04:41:17 instance-as-1 sshd[4265]: Received disconnect from 61.184.247.5 port 51434:11:  [preauth]
Nov  4 04:41:17 instance-as-1 sshd[4265]: Disconnected from 61.184.247.5 port 51434 [preauth]

Nov 4 03:57:24 instance-as-1 sshd[1975]: Received disconnect from 132.232.17.146 port 53924:11: Normal Shutdown, Thank you for playing [preauth]

Nov 4 03:57:24 instance-as-1 sshd[1975]: Disconnected from 132.232.17.146 port 53924 [preauth]

Nov 4 04:01:22 instance-as-1 sshd[2194]: Received disconnect from 132.232.17.146 port 59916:11: Normal Shutdown, Thank you for playing [preauth]

Nov 4 04:01:22 instance-as-1 sshd[2194]: Disconnected from 132.232.17.146 port 59916 [preauth]

Nov 4 04:05:28 instance-as-1 sshd[2448]: Received disconnect from 132.232.17.146 port 37640:11: Normal Shutdown, Thank you for playing [preauth]

Nov 4 04:05:28 instance-as-1 sshd[2448]: Disconnected from 132.232.17.146 port 37640 [preauth]

Nov 4 04:20:28 instance-as-1 sshd[3206]: Received disconnect from 125.65.42.187 port 48506:11: [preauth]

Nov 4 04:20:28 instance-as-1 sshd[3206]: Disconnected from 125.65.42.187 port 48506 [preauth]

Nov 4 04:21:47 instance-as-1 sshd[3275]: Did not receive identification string from 46.101.174.170 port 46073

Nov 4 04:21:47 instance-as-1 sshd[3272]: Received disconnect from 118.123.15.142 port 38448:11: [preauth]

Nov 4 04:21:47 instance-as-1 sshd[3272]: Disconnected from 118.123.15.142 port 38448 [preauth]

Nov 4 04:24:33 instance-as-1 sshd[3409]: Received disconnect from 118.123.15.210 port 41616:11: [preauth]

Nov 4 04:24:33 instance-as-1 sshd[3409]: Disconnected from 118.123.15.210 port 41616 [preauth]

Nov 4 04:24:48 instance-as-1 sshd[3421]: Received disconnect from 115.238.245.2 port 50782:11: [preauth]

Nov 4 04:24:48 instance-as-1 sshd[3421]: Disconnected from 115.238.245.2 port 50782 [preauth]

Nov 4 04:27:08 instance-as-1 sshd[3538]: Received disconnect from 61.184.247.2 port 59804:11: [preauth]

Nov 4 04:27:08 instance-as-1 sshd[3538]: Disconnected from 61.184.247.2 port 59804 [preauth]

Nov 4 04:32:07 instance-as-1 sshd[3785]: Received disconnect from 125.65.42.192 port 41143:11: [preauth]

Nov 4 04:32:07 instance-as-1 sshd[3785]: Disconnected from 125.65.42.192 port 41143 [preauth]

Nov 4 04:32:35 instance-as-1 sshd[3811]: Received disconnect from 61.184.247.11 port 57407:11: [preauth]

Nov 4 04:32:35 instance-as-1 sshd[3811]: Disconnected from 61.184.247.11 port 57407 [preauth]

Nov 4 04:36:02 instance-as-1 sshd[3981]: Received disconnect from 200.46.254.107 port 57063:11: Normal Shutdown, Thank you for playing [preauth]

Nov 4 04:36:02 instance-as-1 sshd[3981]: Disconnected from 200.46.254.107 port 57063 [preauth]

Nov 4 04:36:08 instance-as-1 sshd[3965]: Connection closed by 125.65.42.178 port 60537 [preauth]

Nov 4 04:36:49 instance-as-1 sshd[4020]: Received disconnect from 115.238.245.8 port 51409:11: [preauth]

Nov 4 04:36:49 instance-as-1 sshd[4020]: Disconnected from 115.238.245.8 port 51409 [preauth]

Nov 4 04:39:32 instance-as-1 sshd[4168]: Invalid user pos from 200.46.254.107 port 50308

Nov 4 04:39:32 instance-as-1 sshd[4168]: input_userauth_request: invalid user pos [preauth]

Nov 4 04:39:32 instance-as-1 sshd[4168]: Received disconnect from 200.46.254.107 port 50308:11: Normal Shutdown, Thank you for playing [preauth]

Nov 4 04:39:32 instance-as-1 sshd[4168]: Disconnected from 200.46.254.107 port 50308 [preauth]

Nov 4 04:39:46 instance-as-1 sshd[4179]: Received disconnect from 122.226.181.165 port 57930:11: [preauth]

Nov 4 04:39:46 instance-as-1 sshd[4179]: Disconnected from 122.226.181.165 port 57930 [preauth]

Nov 4 04:41:00 instance-as-1 sshd[4250]: Received disconnect from 115.238.245.14 port 42326:11: [preauth]

Nov 4 04:41:00 instance-as-1 sshd[4250]: Disconnected from 115.238.245.14 port 42326 [preauth]

Nov 4 04:41:17 instance-as-1 sshd[4265]: Received disconnect from 61.184.247.5 port 51434:11: [preauth]

Nov 4 04:41:17 instance-as-1 sshd[4265]: Disconnected from 61.184.247.5 port 51434 [preauth]

There is a interesting OCI documentation available called Securing Compute with steps how to secure OCI compute cloud instances – and one of this recommendation is: install fail2ban.

https://docs.cloud.oracle.com/iaas/Content/Security/Reference/compute_security.htm

fail2ban

fail2ban is an open source tool which reads several types of logfiles and creates based on rules new entries in the firewall table to block remote connections. I has default filters for ssh, apache postfix and many more. From Wikipedia:

Fail2Ban is an intrusion prevention software framework that protects computer servers from brute-force attacks.

Link: https://www.fail2ban.org/wiki/index.php/Main_Page

Installation

All steps have to be executed as user root. FYI: I wanted to be informed when a new IP was banned, therefore I have installed sendmail too.

# yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
# yum install fail2ban
# yum install sendmail
# systemctl enable fail2ban
# systemctl start sendmail
# systemctl enable sendmail

# yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm

# yum install fail2ban

# yum install sendmail

# systemctl enable fail2ban

# systemctl start sendmail

# systemctl enable sendmail

Configuration

For my fail2ban configuration I have created a new file called jail.local and made my settings there.

# cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

1	# cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

jail.local

After 2 unsuccesful logins, the source IP will be banned for 86400 seconds. And if a new IP is added to the ban list, I get an email.

[DEFAULT]
sender = OCI
destemail = root
action = %(action_mwl)s
maxretry = 2
destemail = <my_email_address>
bantime = 86400

[sshd]
enabled = true

[DEFAULT]

sender = OCI

destemail = root

action = %(action_mwl)s

maxretry = 2

destemail = <my_email_address>

bantime = 86400

[sshd]

enabled = true

/etc/fail2ban/jail.d/00-firewalld.conf

For OL7 where firewalld is used, verify if the command firewallcmd-ipset is set in /etc/fail2ban/jail.d/00-firewalld.conf. If you use iptables, the command can be changed. Please read the documentation how to change the firewall.

[DEFAULT]
banaction = firewallcmd-ipset

1 2	[DEFAULT] banaction = firewallcmd-ipset

Start fail2ban

# systemctl start fail2ban

1	# systemctl start fail2ban

Verification

Status Check

# fail2ban-client status
Status
|- Number of jail: 1
`- Jail list: sshd

# fail2ban-client status

Status

|- Number of jail: 1

`- Jail list: sshd

Status Check with details, there is already one IP listed.

[root@instance-as-1 ]# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     7
|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:   46.101.204.153

[root@instance-as-1 ]# fail2ban-client status sshd

Status for the jail: sshd

|- Filter

| |- Currently failed: 0

| |- Total failed: 7

| `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd

`- Actions

|- Currently banned: 1

|- Total banned: 1

`- Banned IP list: 46.101.204.153

After some minutes, more entries were recognized in the /var/log/secure log file and added.

# tail -f /var/log/fail2ban.log
2018-11-05 07:54:10,467 fail2ban.filter         [13219]: INFO    [sshd] Found 46.101.204.153
2018-11-05 07:54:10,472 fail2ban.filter         [13219]: INFO    [sshd] Found 46.101.204.153
2018-11-05 07:54:10,478 fail2ban.filter         [13219]: INFO    [sshd] Found 46.101.204.153
2018-11-05 07:54:10,483 fail2ban.filter         [13219]: INFO    [sshd] Found 46.101.204.153
2018-11-05 07:54:11,050 fail2ban.actions        [13219]: NOTICE  [sshd] Ban 46.101.204.153

# tail -f /var/log/fail2ban.log

2018-11-05 07:54:10,467 fail2ban.filter [13219]: INFO [sshd] Found 46.101.204.153

2018-11-05 07:54:10,472 fail2ban.filter [13219]: INFO [sshd] Found 46.101.204.153

2018-11-05 07:54:10,478 fail2ban.filter [13219]: INFO [sshd] Found 46.101.204.153

2018-11-05 07:54:10,483 fail2ban.filter [13219]: INFO [sshd] Found 46.101.204.153

2018-11-05 07:54:11,050 fail2ban.actions [13219]: NOTICE [sshd] Ban 46.101.204.153

firewall-cmd

A new rule is automatically added with the match set failban-sshd.

# firewall-cmd --direct --get-all-rule
ipv4 filter INPUT 0 -p tcp -m multiport --dports ssh -m set --match-set fail2ban-sshd src -j REJECT --reject-with icmp-port-unreachable

1 2	# firewall-cmd --direct --get-all-rule ipv4 filter INPUT 0 -p tcp -m multiport --dports ssh -m set --match-set fail2ban-sshd src -j REJECT --reject-with icmp-port-unreachable

sshd Configuration

After the fail2ban installation, there were other entries left in /var/log/secure.

Nov  6 04:50:25 instance-as-1 sshd[5885]: Received disconnect from 209.141.51.85 port 38056:11: Bye Bye [preauth]
Nov  6 04:50:25 instance-as-1 sshd[5885]: Disconnected from 209.141.51.85 port 38056 [preauth]
Nov  6 04:50:27 instance-as-1 sshd[5887]: reverse mapping checking getaddrinfo for offshore.onion [209.141.51.85] failed - POSSIBLE BREAK-IN ATTEMPT!
Nov  6 04:50:27 instance-as-1 sshd[5887]: Received disconnect from 209.141.51.85 port 39492:11: Bye Bye [preauth]
Nov  6 04:50:27 instance-as-1 sshd[5887]: Disconnected from 209.141.51.85 port 39492 [preauth]
Nov  6 04:50:28 instance-as-1 sshd[5889]: reverse mapping checking getaddrinfo for offshore.onion [209.141.51.85] failed - POSSIBLE BREAK-IN ATTEMPT!
Nov  6 04:50:28 instance-as-1 sshd[5889]: Received disconnect from 209.141.51.85 port 40808:11: Bye Bye [preauth]
Nov  6 04:50:28 instance-as-1 sshd[5889]: Disconnected from 209.141.51.85 port 40808 [preauth]
Nov  6 04:50:30 instance-as-1 sshd[5891]: reverse mapping checking getaddrinfo for offshore.onion [209.141.51.85] failed - POSSIBLE BREAK-IN ATTEMPT!
Nov  6 04:50:30 instance-as-1 sshd[5891]: Received disconnect from 209.141.51.85 port 42144:11: Bye Bye [preauth]
Nov  6 04:50:30 instance-as-1 sshd[5891]: Disconnected from 209.141.51.85 port 42144 [preauth]
Nov  6 04:50:31 instance-as-1 sshd[5893]: reverse mapping checking getaddrinfo for offshore.onion [209.141.51.85] failed - POSSIBLE BREAK-IN ATTEMPT!

Nov 6 04:50:25 instance-as-1 sshd[5885]: Received disconnect from 209.141.51.85 port 38056:11: Bye Bye [preauth]

Nov 6 04:50:25 instance-as-1 sshd[5885]: Disconnected from 209.141.51.85 port 38056 [preauth]

Nov 6 04:50:27 instance-as-1 sshd[5887]: reverse mapping checking getaddrinfo for offshore.onion [209.141.51.85] failed - POSSIBLE BREAK-IN ATTEMPT!

Nov 6 04:50:27 instance-as-1 sshd[5887]: Received disconnect from 209.141.51.85 port 39492:11: Bye Bye [preauth]

Nov 6 04:50:27 instance-as-1 sshd[5887]: Disconnected from 209.141.51.85 port 39492 [preauth]

Nov 6 04:50:28 instance-as-1 sshd[5889]: reverse mapping checking getaddrinfo for offshore.onion [209.141.51.85] failed - POSSIBLE BREAK-IN ATTEMPT!

Nov 6 04:50:28 instance-as-1 sshd[5889]: Received disconnect from 209.141.51.85 port 40808:11: Bye Bye [preauth]

Nov 6 04:50:28 instance-as-1 sshd[5889]: Disconnected from 209.141.51.85 port 40808 [preauth]

Nov 6 04:50:30 instance-as-1 sshd[5891]: reverse mapping checking getaddrinfo for offshore.onion [209.141.51.85] failed - POSSIBLE BREAK-IN ATTEMPT!

Nov 6 04:50:30 instance-as-1 sshd[5891]: Received disconnect from 209.141.51.85 port 42144:11: Bye Bye [preauth]

Nov 6 04:50:30 instance-as-1 sshd[5891]: Disconnected from 209.141.51.85 port 42144 [preauth]

Nov 6 04:50:31 instance-as-1 sshd[5893]: reverse mapping checking getaddrinfo for offshore.onion [209.141.51.85] failed - POSSIBLE BREAK-IN ATTEMPT!

After changing the parameter UseDNS to no in /etc/ssdh/sshd_config and a restart, these entries were history.

# vi /etc/ssh/sshd_config
Set UseDNS no

1 2	# vi /etc/ssh/sshd_config Set UseDNS no

# service sshd stop
# service sshd start

1 2	# service sshd stop # service sshd start

Summary

Never let a OCI compute cloud running with a public IP without to monitor login attemps! fail2ban is one step to get more security. It is easy to configure and it helps a lot. But you have to do the basic work like software updates, SSH key enabling etc. The Oracle documentation is a good base to start! My next step will be to install and configure WAZUH – I keep you up to date!

Links

https://www.oracle.com/technetwork/articles/servers-storage-admin/tips-harden-oracle-linux-1695888.html

https://fedoraproject.org/wiki/Fail2ban_with_FirewallD

Oracle Cloud Infrastructure, Oracle Linux