Latest Posts

How to build OCI Infrastructure Environments with Ansible

The Oracle provided Ansible module gives us the opportunity to provision and configure Oracle Cloud Infrastructure resources on an automated base. The Ansible basic setup is very easy and the Oracle provided example playbooks in Git are a good base to start with your infrastructure automation project. Oracle provides Ansible example playbooks for

  • Block Volumes
  • Compute 
  • Database
  • File Storage
  • IAM
  • Load Balancer
  • Private Subnets with VPN
  • Delete Objects
  • etc.

In this blog post, I will show you how easy it is to bring Ansible and the Oracle Cloud Infrastructure together. 

Requirements

  • A local machine to install Ansible and the required software and modules, in my case it’s an Oracle Linux 7 virtual machine with Internet access.
  • An Oracle Cloud Infrastructure Account with permissons to create new resources.

Steps to configure Ansible and OCI

  1. Install and configure the Oracle Cloud Infrastructure Python SDK
  2. Install and configure Ansible
  3. Download and configure the OCI modules for Ansible
  4. OCI Test Run

Install and configure the Oracle Cloud Infrastructure Python SDK

In this step, the OCI Python SDK will be installed an configured. The new created SSH public key has to be added in the OCI console for further actions.  As OS user root we create a new operating system user called oci for Oracle Cllud Infrastrcuture actions and give him sudo privileges.

Create a User and SSH Keys

Add this line in /etc/sudoers.

Login as user oci, create a new SSH key and download an configure the OCI SDK. Protect your keys.

Show the public key and add it in the OCI console to your cloud account user.

 

The OCI Configuration File

As user oci, create the Oracle Cloud Infrastructure configuration file

Content of the file – for example in region Frankfurt and with the created SSH key file from above.

Install the Oracle Cloud Infrastructure Python SDK

Test

Command to list all instances in the selected compartment.

Install and configure Ansible

As user oci, download and install Ansible and Git.

Set up the module directory.

Install additional packages.

This upgrade step is required, otherwise the public key creation in the OCI Ansible module fails (for example when you want to launch a new Compute instance).

Download and configure the OCI modules for Ansible

As user oci, download the Ansible modules from Git.

Show the content.

Change into the new created directory and execute the configuration script install.py.

OCI Test Run

We copy the example playbook to launch a Compute cloud instance into the local folder and run the playbook. The Oracle provided playbook needs three variables:

SAMPLE_AD_NAME Availability Domain, e.g. EUZg:EU-FRANKFURT-1-AD-1
SAMPLE_IMAGE_OCID OCID of the selected OS – see https://docs.cloud.oracle.com/iaas/images/ to list all available images
SAMPLE_COMPARTMENT_OCID OCID of your compartment – OCI > Identity > Compartments

 

Create a working directory and copy the example playbook.

Set variables.

Run the playbook

Attention: All OCI resources are created and afterwards terminated immediately. If you don’t want to terminate them, comment out this line in file sample.yaml.

Execute the Ansible playbook. The infrastructure will be created step by step. Key generation, network configuration, firewall rule setup, instance creation etc. is all automated.

Ready to Use

After a few minutes, a complete infrastructure for an OCI compute instance is created and the instance is ready to connect. 

The required SSH keys for the terminal connection were generated in a subdirectory of /tmp with the prefix ansible. In my example, the private and the public SSH key are located in /tmp/ansible.v6ckX0cert.

Links

Summary

The Oracle provided Ansible playbooks are a good entry point to start with OCI automation. I am already working at the next tasks to make my work easier with more variables and simplified playbooks. And finally I want to integrate it in Ansible AWX. Well done Oracle!

Monitor your Oracle Cloud Infrastructure with Grafana on Oracle Linux 7

Since the end of February there is a new Grafana plugin for Oracle Cloud Infrastructure available. With this plugin we can access and monitor OCI metrics and data. Grafana is an open-source platform for data visualization and monitoring. This blog post shows you how to install and configure the Grafana plugin based on the Oracle blog entry https://blogs.oracle.com/cloudnative/data-source-grafana on an Oracle Enterprise Linux 7 server.

The OCI Grafana Plugin is a nice solution for companies who don’t have a full stack infrastructure monitoring environment up and running like the Enterprise Manager EM13c. But who want to know how their machines in the Oracle Cloud Infrastructure are performing.

Steps to configure the OCI Grafana Plugin

  1. Install and configure the Oracle Cloud Infrastructure CLI – by download or by YUM install
  2. Configure Group, User and Policy in Oracle Cloud Infrastructure Console
  3. Install Grafana and the OCI Plugin
  4. Create a new Dashboard based on OCI Metrics

Machine Requirements

The server needs access to the internet.

Install and configure the Oracle Cloud Infrastructure CLI

Method 1 – Download

In this step, the software will be installed an configured. The new created SSH public key has to be added in the OCI console for further actions.

As OS user root we create a new user for OCI actions. 

Login as user oci, execute the CLI download and installation script. Answer questions with Y / Enter to get the default installation.

Default values:

installation directory /home/oci/lib/oracle-cli
executable directory /home/oci/bin
OCI scripts /home/oci/bin/oci-cli-scripts
shell/tab completion Y
path to rc file /home/oci/.bashrc

 

After the successful CLI installation, you have to configure it.

Based on your OCI account, these information are required – let the config and key location on default values.

config location /home/oci/.oci/config
user OCID OCI > Identity > Users > [YOUR_USER] > OCID
tenancy OCID OCI > Administration > Tenancy Details > [YOUR_TENANCY] > OCID
region choose your region, e.g. eu-frankfurt-1
generate a new key pair Y
key directory /home/oci/.oci
key name oci_api_key

 

Test the CLI configuration – example to list all compartments in your tenant.

Show the content of the public key to add it in the OCI console to your user which you want to work with. Attention: Three different API keys are the limit!

 

Attention: Be sure that you add the public key to the user which you have used for the CLI configuration!

Method 2 – YUM Repository

Thanks to Sergio Leunissen from Oracle for his input, the Python SDK and oci utilities are is available in the YUM repository too and ready to install. Take a look at his blog post to see how to work with the Python SDK and OCI metadata:

Enable the repository

Show the OCI package information

Configure Group, modify User and add a Policy in Oracle Cloud Infrastructure Web Interface

A new group is created for a better access control.

Group

Create a new OCI group called Grafana. OCI > Identity > Groups.

Modify User

Add the selected user to the group – for example this is my user.

Add a Policy

Create a new policy called GrafanaPolicy. OCI > Identity > Policies with these two statements.

allow group grafana to read metrics in tenancy
allow group grafana to read compartments in tenancy

Install Grafana and the OCI Plugin

Login as user root and install the software.

Enable auto start and start the Grafana server manually.

Enable port 3000 (Grafana default port in firewall – the port can be changed in /etc/grafana/grafana.ini) to provide web access to Grafana.

Install the oci-datasource plugin.

The Grafana plugin directorya with the installed plugin.

Grafana needs the configuration file and the SSH Key from the user oci. As user root, copy the files and modify the permissions.

Change the path to the key file in /usr/share/grafana/.oci/config.

# vi /usr/share/grafana/.oci/config

From:

To:

Create a new Dashboard based on OCI Metrics

Login into Grafana with [SERVERNAME]:3000. Username and password are admin/admin. Please change your password after first login.

Add data source

Select Oracle Cloud Infrastructure

Configure the Data Source

Fill in your tenancy OCI, region and set Environment = Local. Test the connection. For troubleshooting see Grafana logfile in /var/log/grafana.

Create a new Dashboard and Add Query

Create a Query to visualize Data

In this dashboard example I used the region FRA, my compartment, the namespace oci_blockstorage and the metric VolumeWriteOps.

Available Metrics

For instance monitoring like CPU or Memory you have to enable the metric collection first and install the OCI Cloud Agent that the value is available in the namespace. Example, there are eight metrics are available for my compute instance. Learn more about metrics and monitoring in the OCI documentation here:

Summary

The OCI Grafana plugin is a nice solution to visualize cloud environments based on Open Source software. Take care that Grafana needs access to the OCI CLI SSH information for the Oracle Cloud Infrastructure connection.

OCI Compute Instances – Stop SSH Brute Force Attacks with fail2ban & UseDNS

Every day and night, the SSH login by key into my public accessible Oracle Cloud Infrastructure Linux Compute Instance was permitted for hours. And sometimes, when I had luck, it worked. For me it was not clear when it works and when not. But something has blocked me. The password authentification in the OCI Linux instance is basically disabled, the key is the only way to log in.

After some investigation on the OCI instance, I found a huge amount of login trials in the /var/log/secure file. These brute force attacks were locking me out!

There is a interesting OCI documentation available called Securing Compute with steps how to secure OCI compute cloud instances – and one of this recommendation is: install fail2ban.

https://docs.cloud.oracle.com/iaas/Content/Security/Reference/compute_security.htm

fail2ban

fail2ban is an open source tool which reads several types of logfiles and creates based on rules new entries in the firewall table to block remote connections. I has default filters for ssh, apache postfix and many more. From Wikipedia: 

Fail2Ban is an intrusion prevention software framework that protects computer servers from brute-force attacks.

Link: https://www.fail2ban.org/wiki/index.php/Main_Page

Installation

All steps have to be executed as user root. FYI: I wanted to be informed when a new IP was banned, therefore I have installed sendmail too.

Configuration

For my fail2ban configuration I have created a new file called jail.local and made my settings there.

jail.local

After 2 unsuccesful logins, the source IP will be banned for 86400 seconds. And if a new IP is added to the ban list, I get an email.

/etc/fail2ban/jail.d/00-firewalld.conf

For OL7 where firewalld is used, verify if the command firewallcmd-ipset is set in /etc/fail2ban/jail.d/00-firewalld.conf. If you use iptables, the command can be changed. Please read the documentation how to change the firewall.

Start fail2ban

Verification

Status Check

Status Check with details, there is already one IP listed.

After some minutes, more entries were recognized in the /var/log/secure log file and added.

firewall-cmd

A new rule is automatically added with the match set failban-sshd.

sshd Configuration

After the fail2ban installation, there were other entries left in  /var/log/secure.

After changing the parameter UseDNS to no in /etc/ssdh/sshd_config and a restart, these entries were history.

Summary

Never let a OCI compute cloud running with a public IP without to monitor login attemps! fail2ban is one step to get more security. It is easy to configure and it helps a lot. But you have to do the basic work like software updates, SSH key enabling etc. The Oracle documentation is a good base to start! My next step will be to install and configure WAZUH – I keep you up to date!

Links

https://www.oracle.com/technetwork/articles/servers-storage-admin/tips-harden-oracle-linux-1695888.html

https://fedoraproject.org/wiki/Fail2ban_with_FirewallD