Oracle Cloud Infrastructure

The Grafana Plugins for Oracle Cloud Infrastructure Monitoring are back!

Author: Martin Berger 7. October 2020

In September 2019 I wrote a blog post how to monitor an Oracle Cloud Infrastructure Autonomous database with Grafana plugin oci-datasource. But some weeks after publication, the plugin was not available on the Grafana page anymore. And only Oracle and Grafana had a clue why.

Now everything will be fine now. Since the 6th of October, there are two new Grafana plugins available for download. They both don’t require a Grafana enterprise account.

The first one is a successor of the former oci-datasource plugin, the second allows to get logs from OCI resources like Compute or Storage. As an infrastructure guy, let’s install the Oracle Cloud Infrastructure Metrics on an local Oracle Enterprise Linux 8 installation!

Install and configure the OCI CLI

Link: https://docs.cloud.oracle.com/en-us/iaas/Content/API/SDKDocs/cliinstall.htm

OS User oci and Installer

As OS user root, create a new user mentioned oci, change to new created user oci.

# groupadd oci
# useradd oci -g oci
# su - oci

# groupadd oci

# useradd oci -g oci

# su - oci

Run the installer script.

$ bash -c "$(curl -L https://raw.githubusercontent.com/oracle/oci-cli/master/scripts/install/install.sh)"

1	$ bash -c "$(curl -L https://raw.githubusercontent.com/oracle/oci-cli/master/scripts/install/install.sh)"

In this demo case, I use the default settings and the tab completion. After some seconds, all packages are installed and the OCI CLI is ready to configure.

-- Installation successful.
-- Run the CLI with /home/oci/bin/oci --help

1 2	-- Installation successful. -- Run the CLI with /home/oci/bin/oci --help

Configure the OCI CLI

If you have already a created SSH key pair from a former OCI action, then you can use it here. Otherwise this setup process creates a new private and public key for you. Take care, the public key has to be in the PEM format!

Required values to finish the setup:

config location	/home/oci/.oci/config
user OCID	OCI > Identity > Users > [YOUR_USER] > OCID
tenancy OCID	OCI > Administration > Tenancy Details > [YOUR_TENANCY] > OCID
region	choose your region, e.g. eu-zurich-1
generate a new API signing RSA key pair	Y -> only if you don’t have already an existing key pair
key directory	/home/oci/.oci
key name	oci_api_key_07102020

Run the setup.

$ /home/oci/bin/oci setup config

1	$ /home/oci/bin/oci setup config

OCI Console API Key

The content of the created public key has to be added in OCI Console as API key – just copy and paste it. OCI Console >> Identity >> Users >> User Details >> API Keys >> Add Public Key.

How to: https://docs.cloud.oracle.com/Content/API/Concepts/apisigningkey.htm#How2

OCI CLI Configuration Test

Verify the configuration by execute a CLI command. Example to list images based on Oracle Linux.

$ export var_compartment_id= [YOUR_COMPARTMENT_OCID]
$ oci compute image list --compartment-id $var_compartment_id --query "data[?\"operating-system\"=='Oracle Linux']".{"name:\"display-name\",os:\"operating-system\""} --output table

+----------------------------------------+--------------+
| name | os |
+----------------------------------------+--------------+
| Oracle-Linux-8.2-2020.09.23-0          | Oracle Linux |
| Oracle-Linux-8.2-2020.08.27-0          | Oracle Linux |
| Oracle-Linux-8.2-2020.07.28-0          | Oracle Linux |
| Oracle-Linux-7.8-Gen2-GPU-2020.09.23-0 | Oracle Linux |
| Oracle-Linux-7.8-Gen2-GPU-2020.08.27-0 | Oracle Linux |
| Oracle-Linux-7.8-Gen2-GPU-2020.07.28-0 | Oracle Linux |
| Oracle-Linux-7.8-2020.09.23-0          | Oracle Linux |
| Oracle-Linux-7.8-2020.08.26-0          | Oracle Linux |
| Oracle-Linux-7.8-2020.07.28-0          | Oracle Linux |
| Oracle-Linux-7.8-2020.05.26-0          | Oracle Linux |
| Oracle-Linux-6.10-2020.09.22-0         | Oracle Linux |
| Oracle-Linux-6.10-2020.09.03-0         | Oracle Linux |
| Oracle-Linux-6.10-2020.07.28-0         | Oracle Linux |
+----------------------------------------+--------------+

$ export var_compartment_id= [YOUR_COMPARTMENT_OCID]

$ oci compute image list --compartment-id $var_compartment_id --query "data[?\"operating-system\"=='Oracle Linux']".{"name:\"display-name\",os:\"operating-system\""} --output table

+----------------------------------------+--------------+

| name | os |

+----------------------------------------+--------------+

| Oracle-Linux-8.2-2020.09.23-0 | Oracle Linux |

| Oracle-Linux-8.2-2020.08.27-0 | Oracle Linux |

| Oracle-Linux-8.2-2020.07.28-0 | Oracle Linux |

| Oracle-Linux-7.8-Gen2-GPU-2020.09.23-0 | Oracle Linux |

| Oracle-Linux-7.8-Gen2-GPU-2020.08.27-0 | Oracle Linux |

| Oracle-Linux-7.8-Gen2-GPU-2020.07.28-0 | Oracle Linux |

| Oracle-Linux-7.8-2020.09.23-0 | Oracle Linux |

| Oracle-Linux-7.8-2020.08.26-0 | Oracle Linux |

| Oracle-Linux-7.8-2020.07.28-0 | Oracle Linux |

| Oracle-Linux-7.8-2020.05.26-0 | Oracle Linux |

| Oracle-Linux-6.10-2020.09.22-0 | Oracle Linux |

| Oracle-Linux-6.10-2020.09.03-0 | Oracle Linux |

| Oracle-Linux-6.10-2020.07.28-0 | Oracle Linux |

+----------------------------------------+--------------+

OCI Console Group Policy

If your user is not part of the Administrator group, a new group and a group policy is needed which has the permissions to read tenant metrics. OCI Console >> Identity >> Groups >> Create Group.

Create the policy in the root compartment of your tenant. OCI Console >> Identity >> Policy>> Create Policy.

Install and configure Grafana and the Oracle Cloud Infrastructure Metrics Data Source Plugin

Grafana

Link: https://docs.cloud.oracle.com/en-us/iaas/Content/API/SDKDocs/grafana.htm

# wget https://dl.grafana.com/oss/release/grafana-7.2.0-1.x86_64.rpm
# yum install grafana-7.2.0-1.x86_64.rpm

1 2	# wget https://dl.grafana.com/oss/release/grafana-7.2.0-1.x86_64.rpm # yum install grafana-7.2.0-1.x86_64.rpm

Start and enable the service.

# systemctl daemon-reload
# systemctl enable grafana-server.service
# systemctl start grafana-server.service

# systemctl daemon-reload

# systemctl enable grafana-server.service

# systemctl start grafana-server.service

Don’t forget to open the firewall port 3000 for the Grafana UI.

# firewall-cmd --permanent --zone=public --add-port=3000/tcp
# firewall-cmd --reload

1 2	# firewall-cmd --permanent --zone=public --add-port=3000/tcp # firewall-cmd --reload

Oracle Cloud Infrastructure Metrics Data Source Plugin

List the available OCI Grafana plugins.

# grafana-cli plugins list-remote | grep oci
id: oci-logs-datasource version: 1.1.0
id: oci-metrics-datasource version: 2.0.0

# grafana-cli plugins list-remote | grep oci

id: oci-logs-datasource version: 1.1.0

id: oci-metrics-datasource version: 2.0.0

Install the metric plugin.

# grafana-cli plugins install oci-metrics-datasource
installing oci-metrics-datasource @ 2.0.0
from: https://grafana.com/api/plugins/oci-metrics-datasource/versions/2.0.0/download
into: /var/lib/grafana/plugins

✔ Installed oci-metrics-datasource successfully

Restart grafana after installing plugins . <service grafana-server restart>

# grafana-cli plugins install oci-metrics-datasource

installing oci-metrics-datasource @ 2.0.0

from: https://grafana.com/api/plugins/oci-metrics-datasource/versions/2.0.0/download

into: /var/lib/grafana/plugins

✔ Installed oci-metrics-datasource successfully

Restart grafana after installing plugins . <service grafana-server restart>

Restart Grafana Server.

# service grafana-server restart
Restarting grafana-server (via systemctl): [ OK ]

1 2	# service grafana-server restart Restarting grafana-server (via systemctl): [ OK ]

Grafana Data Source Configuration

RSA Key Configuration

Grafana needs the configuration file and the RSA Key from the user oci. One solution: as user root, copy the files and set the ownership to OS user grafana.

# cp -r /home/oci/.oci /usr/share/grafana
# chown -R grafana:grafana /usr/share/grafana/.oci

1 2	# cp -r /home/oci/.oci /usr/share/grafana # chown -R grafana:grafana /usr/share/grafana/.oci

Change the path to the key file in /usr/share/grafana/.oci/config.

from:

key_file=/home/oci/.oci/oci_api_key_07102020.pem

1	key_file=/home/oci/.oci/oci_api_key_07102020.pem

to:

key_file=/usr/share/grafana/.oci/oci_api_key_07102020.pem

1	key_file=/usr/share/grafana/.oci/oci_api_key_07102020.pem

Add a new Data Source

Login into the Grafana server by address <server-ip>:3000. The initial username and password is admin. It’s recommended to change the password at the first login. Add a new data source. Configuration >> Data Sources >> Add data source.

Filter by oracle and select the Oracle Cloud Infrastructure Metrics plugin.

Set Tenancy OCID, select your Default Region and set the Environment to local. Press Save & Test to verify the functionality.

Create a new Dashboard and add a new panel.

Now you can query the data, for example the VPN bandwidth for region eu-zurich1 in my personal compartment. Feel free to add new panels based on the available metrics.

Example

Summary

Great to have the Oracle Cloud Infrastructure Grafana plugins back. To get an idea, which metrics are all available, verify it in the OCI Console >> Monitoring >> Metrics Explorer. The free ADB is not available in the collected metrics. But this is a general issue.

This was a review of the first OCI plugin. In the next week I will take a deeper look into the Oracle Cloud Infrastructure Logging Data Source plugin.

Autonomous Database, Oracle ACE, Oracle Cloud, Oracle Cloud Infrastructure, Oracle Linux, TrivadisContent

Let’s IPSec VPN – How to connect your Unifi Security Gateway to Oracle Cloud Infrastructure

Author: Martin Berger 28. September 2020

When I connect from home to the Oracle Cloud Infrastructure normally I used a Bastion Host, an Open VPN compute instance or Public IPs. Some of the cool stuff like MV2OCI (which transfers data from on-premises to OCI) or integration of an ADB instance in my local running Oracle Enterprise Manager are referred to direct cloud connections. A SSH reverse tunnel works fine, but this cannot be a permanent solution for my lab environment.

At home I have an Unifi Security Gateway (USG) up an running at home. This gateway has the capability, to create site-to-site VPN connections. Good: The Oracle Cloud Infrastruicture VPN service is for free, and I don’t expect over 10 TB outbound traffic. Time to create a VPN setup from home to OCI. Take care about the USG, it needs a “direct” internet contact, this is why my FTTH modem is configured in bridge mode on port 4. Small hint: If your modem is not bridged, ask your internet provider. Here in Switzerland, almost all internet providers support this function.

Architecture

Click on the image for a larger view.

Prerequisites

Unifi Security Gateway Public IP – visible in the USG web interface or on webpage (search term: what’s my IP)
Oracle Cloud Infrastructure network setup according the setup guide
Knowledge about IPSec details which are used by OCI and as described in the setup guide: Key Exchange Version (IKEv1), Encryption (AES-256), Hash (SHA-1), DH Group (5)
VCN and local network ranges
The IPSec endpoint IP addresses and the secrets

Oracle Cloud Infrastructure IPSec Setup

My Oracle Cloud infrastructure network is configured 1:1 as described in the manual Setting Up VPN Connect: https://docs.cloud.oracle.com/en-en/iaas/Content/Network/Tasks/settingupIPsec.htm. Here in the IPSec connection you can see the endpoint IPs, the IPSec status is actually shown as down. The secrets are provided in the detail view.

Unifi Security Gateway Setup

Here you find the details of the USG site-to-site configuration: https://help.ui.com/hc/en-us/articles/360002668854#3. Create a new network in Settings – Networks.

Oracle Cloud Infrastructure Settings

VPN Type	Manual IPsec
Enabled	Checkbox activated
Route Distance	30
Peer IP	OCI VPN endpoint IP
Local WAN IP	Local public address of the USG
Pre-Shared Key	OCI IPsec tunnel secret
IPsec Profile	Customized
Key Exchange Version	IKEv1
Encryption	AES-256
Hash	SHA1
DG Group	5
PFS	Checkbox activated
Dynamic Routing	Checkbox activated

Network Configuration

Oracle Cloud Infrastructure IPSec Status Update

After about two minutes, the OCI tunnel status turns into green. The VPN tunnel is now ready to use.

Unifi Security Gateway Routing

To be sure that local connections to instances running in the Oracle Cloud Infrastructure private subnet are working properly, we need a routing entry in the USG. Create a new routing entry in Settings – Routing & Firewall.

Routing Settings

Enabled	Checkbox activated
Type	Bullet activated
Destination Network	CIDR of the OCI VCN network / subnet
Local WAN IP	Local public address of the USG
Static Route Type:	Interface
Interface	Select interface created above, in my case OCI – Tunnel 1

Connection Verification

For testing purposes, I have created a compute instance in the OCI private subnet with IP 172.16.0.2, no public access – works!

A quick Bandwith Test

I am using iperf for this small test between my Windows client and the OCI compute instance. It’s not for production, just for the feeling. 68.7 Mbits/sec 🙂

Troubleshooting in USG

The connection can be verified when logged in as administrator in the Unifi Security Gateway as user ubnt / admin. Link to the documentation: https://help.ui.com/hc/en-us/articles/360002668854-UniFi-UDM-USG-Verifying-and-Troubleshooting-IPsec-VPNs

Show the current VPN configuration

$ sudo swanctl --list-conns
peer-140.238.123.456-tunnel-vti:
local: 139.178.78.910
remote: 140.238.123.456
local pre-shared key authentication:
id: 139.178.78.910
remote pre-shared key authentication:
id: 140.238.123.456
peer-140.238.123.456-tunnel-vti: TUNNEL
local: 0.0.0.0/0
remote: 0.0.0.0/0
remote-access: IKEv1
local: 139.178.78.910
remote: %any
local pre-shared key authentication:
id: 139.178.78.910
remote pre-shared key authentication:
remote-access: TRANSPORT
local: dynamic[udp/l2f]

$ sudo swanctl --list-conns

peer-140.238.123.456-tunnel-vti:

local: 139.178.78.910

remote: 140.238.123.456

local pre-shared key authentication:

id: 139.178.78.910

remote pre-shared key authentication:

id: 140.238.123.456

peer-140.238.123.456-tunnel-vti: TUNNEL

local: 0.0.0.0/0

remote: 0.0.0.0/0

remote-access: IKEv1

local: 139.178.78.910

remote: %any

local pre-shared key authentication:

id: 139.178.78.910

remote pre-shared key authentication:

remote-access: TRANSPORT

local: dynamic[udp/l2f]

Follow the Logfile

$ sudo swanctl --log
08[NET] received packet: from 152.67.12.34[500] to 139.178.78.910[500] (92 bytes)
08[ENC] parsed INFORMATIONAL_V1 request 1450492415 [ HASH N(DPD) ]
08[ENC] generating INFORMATIONAL_V1 request 3141172786 [ HASH N(DPD_ACK) ]
08[NET] sending packet: from 139.178.78.910[500] to 152.67.12.34[500] (92 bytes)
14[NET] received packet: from 152.67.12.34[500] to 139.178.78.910[500] (92 bytes)
14[ENC] parsed INFORMATIONAL_V1 request 2294336399 [ HASH N(DPD) ]
14[ENC] generating INFORMATIONAL_V1 request 1226471776 [ HASH N(DPD_ACK) ]
14[NET] sending packet: from 139.178.78.910[500] to 152.67.12.34[500] (92 bytes)

$ sudo swanctl --log

08[NET] received packet: from 152.67.12.34[500] to 139.178.78.910[500] (92 bytes)

08[ENC] parsed INFORMATIONAL_V1 request 1450492415 [ HASH N(DPD) ]

08[ENC] generating INFORMATIONAL_V1 request 3141172786 [ HASH N(DPD_ACK) ]

08[NET] sending packet: from 139.178.78.910[500] to 152.67.12.34[500] (92 bytes)

14[NET] received packet: from 152.67.12.34[500] to 139.178.78.910[500] (92 bytes)

14[ENC] parsed INFORMATIONAL_V1 request 2294336399 [ HASH N(DPD) ]

14[ENC] generating INFORMATIONAL_V1 request 1226471776 [ HASH N(DPD_ACK) ]

14[NET] sending packet: from 139.178.78.910[500] to 152.67.12.34[500] (92 bytes)

Troubleshooting in Oracle Cloud Infrastructure

There is a small document available to verify the basic configuration, maybe in future some log access will be provided. In a past project where we had VPN connection issues with a Fortigate firewall, I had a good experience with the guys from My Oracle Support.

Link: https://docs.cloud.oracle.com/en-us/iaas/Content/Network/Troubleshoot/ipsectroubleshoot.htm

Summary

Finally I have a stable VPN connection to Oracle Cloud Infrastructure for free. If all requirements are met, the configuration can be done in a few minutes. Next steps: Activation of the second tunnel to get VPN redundancy, enable notifications when a IPsec tunnel is down and some other Oracle Enterprise Manager 13c monitoring stuff. The weather conditions in Switzerland are bad for the next days, so there is enough time in the evenings to do further research.

#freedom #network #together #doer #curiosity

DBaaS, Oracle Cloud Infrastructure, Oracle Linux, Oracle Tools, Security, TrivadisContent

Oracle Cloud Infrastructure – Security first: Cloud Guard and Security Zones – a first View

Author: Martin Berger 15. September 2020

Two new Oracle Cloud Infrastructure Cloud Security Services

Good news: Oracle has provided two new services for cloud security. Cloud Guard to get an overview of existing possible security breaches and Security Zones, which allows to create a full restricted compartment. In this blog, I will give you a short overview about this brand new services.

Cloud Guard

The Cloud Guard service helps you to identify security issues in your tenancy. Before the first use, it has to be enabled and a base region and for a minimum one compartment has to be selected. It needs a new policy which Cloud Guard allows to gather information in your tenancy. Oracle Cloud Guard discovers available object in compartments like Compute Instances, Object Storage and many more and checks Oracle Cloud Infrastructure security best practices.

Link to documentation: https://docs.cloud.oracle.com/en-us/iaas/cloud-guard/using/index.htm

Enable Cloud Guard first

Based on recipes, it show you security recommendations for the findings and can execute corrective actions. There are two different receipes types available:

Oracle Managed Detector Recipe – provided by Cloud Guard, doesn’t allow to disable rules
User Managed Detector Recipe – a clone of an Oracle managed recipe, allows to disable individual rules

Examples for recipes – docs.cloud.oracle.com

	Oracle Managed Recipe		User Managed Recipe
Rule	Status	Risk Level	Status	Risk Level
Bucket is public	ENABLED	HIGH	DISABLED	HIGH
Instance has public IP address	ENABLED	CRITICAL	ENABLED	HIGH
VCN has no inbound Security List	ENABLED	MEDIUM	DISABLED	MEDIUM

Based on detected findings, Cloud Guard is able to to corrective actions. This feature called Responder Rules requires a policy. Problems can be fixed on three ways:

Remediated – Fix using Cloud Guard responder
Resolved – Fixed by other process
Dismissed – Ignore and close

Example for a Cloud Guard Responder Action

Example – Cloud Guard has detected a Public IP

Cloud Guard Dashboard

The dashboard gives you an overview of the findings and actions. There are direct links to the findings and recommendations. Ok, It looks I have to review my test compartment 😉

Security Zones

A security zone is associated on a compartment and a security zone recipe. For example when in the recipe is defined, users cannot create an Internet Gateway in a defined compartement, an error message occurs when he tries to create one.

Link to documentation: https://docs.cloud.oracle.com/en-us/iaas/security-zone/using/security-zones.htm

Create a new Security Zone

Recipes

There are some basic rules in the Oracle defined recipe (at the moment you can not create a customer based recipe) – for example:

Resources can’t be moved out from a security zone to a regular compartment
Resources are not accessible by Internet
Resources must be regularly backed up

Test – Create an Internet Gateway in the new created Security Zone

A violation message occurs, the security zone recipe doesn’t allow creating Internet Gateways.

Summary

I really like these two new services. Cloud Guard which helps me to identify possible security issues and Security Zones to create secure compartments without writing manual policies. This is only a short overview, in next days I will definitely take a deeper look, especially in Cloud Guard and the corrective actions. I have a great interest to find out how it works in the background for example when a public IP is detected and so on. The Oracle Cloud Infrastructure security is definitely on track!

DBaaS, Oracle Cloud Infrastructure, Oracle RDBMS, Security, TrivadisContent

Oracle Cloud Infrastructure and SSH Keys – Jump!

Author: Martin Berger 27. April 2020

Jump!

In our Trivadis Oracle Cloud Infrastructure training environments, we never use direct access to an application or database server by a public IP address. For this case, we use an Oracle Linux based bastion host which acts as a jump host. For security reasons, I never put any SSH keys on a bastion host to connect from there to the target instances. If your bastion host is compromitted, your SSH keys are lost! In one of the last trainings, some participants had problems with. So I decided to blog about. This blog post shows you the different methods to connect to an Oracle Cloud Infrastructure private/public network by using a bastion host.

SSH Keys

Oracle Cloud Infrastructure Linux based offerings like compute instances and virtual machines for databases are accessible by SSH key as per default. For working with these machines, I use these three types of SSH keys:

id_rsa_oci – Private key generated by ssh-keygen
id_rsa_oci.pub – Public key generated by ssh-keygen
id_rsa_oci.ppk – Puttygen-converted private key

This gives me the flexibility, to connect to running OCI instances on different ways like Putty, MobaXterm, Windows Subsystem for Linux, WinSCP etc.

Oracle Cloud Infrastructure Sample Setup

Host	Public IP	Private IP	Accessible by
Bastion Host	140.238.216.114	10.0.0.2	SSH
Windows Application Server		10.0.1.2	RDP
Oracle Database Server		10.0.2.2	SSH

Reminder: In OCI only SSH port 22 is open in the subnet security lists as per default when the VCN is created by the VCN Wizard. If you want to allow connection from the public to the private subnet by RDP and Oracle Net, then port 3389 and 1521 must be added in the security list for the private subnet. Create stateful ingress rules and restrict the source connections to the bastion host private IP range.

Build your own SSH Tunnel

There different ways to build a SSH (tunnel) configuration to Oracle Cloud Infrastructure instances on a Windows based platform, my favourites:

Windows Subsystem for Linux (WSL)
MobaXterm
Putty

Here are some connection examples how to work with instances in a private subnet via bastion host with this three methods. As a Windows 10 user, for some connections I d’ like to use WSL Ubuntu more and more – now available in version 20 🙂

1. Connect by using Windows Subsystem for Linux (WSL)

Test: Verify the Connection to the Bastion Host public IP Address

$ <strong>ssh -i .ssh/id_rsa_oci opc@140.238.216.114</strong>
Last login: Mon Apr 27 15:47:54 2020 from 139.178.22.30
[opc@bastion-host ~]$ oci-metadata | grep hostname
hostname: bastion-host

$ <strong>ssh -i .ssh/id_rsa_oci opc@140.238.216.114</strong>

Last login: Mon Apr 27 15:47:54 2020 from 139.178.22.30

[opc@bastion-host ~]$ oci-metadata | grep hostname

hostname: bastion-host

Database Server: SSH Connect via Bastion Host

This opens a session on the database server as user opc.

$ <strong>ssh -i .ssh/id_rsa_oci -o ProxyCommand="ssh -i .ssh/id_rsa_oci -W %h:%p opc@140.238.216.114" opc@10.0.2.2</strong>
Last login: Mon Apr 27 15:51:32 2020 from 10.0.0.2
[opc@dbsrv01 ~]$ sudo su - oracle
Last login: Mon Apr 27 15:51:47 UTC 2020 on pts/0
[oracle@dbsrv01 ~]$ . oraenv
ORACLE_SID = [DB0427] ?
The Oracle base has been set to /u01/app/oracle
[oracle@dbsrv01 ~]$ sqlplus / as sysdba

SQL*Plus: Release 19.0.0.0.0 - Production on Mon Apr 27 15:52:14 2020
Version 19.6.0.0.0

Copyright (c) 1982, 2019, Oracle. All rights reserved.


Connected to:
Oracle Database 19c Standard Edition 2 Release 19.0.0.0.0 - Production
Version 19.6.0.0.0

SQL> show pdbs

CON_ID CON_NAME OPEN MODE RESTRICTED
---------- ------------------------------ ---------- ----------
2 PDB$SEED READ ONLY NO
3 PDB01 READ WRITE NO

$ <strong>ssh -i .ssh/id_rsa_oci -o ProxyCommand="ssh -i .ssh/id_rsa_oci -W %h:%p opc@140.238.216.114" opc@10.0.2.2</strong>

Last login: Mon Apr 27 15:51:32 2020 from 10.0.0.2

[opc@dbsrv01 ~]$ sudo su - oracle

Last login: Mon Apr 27 15:51:47 UTC 2020 on pts/0

[oracle@dbsrv01 ~]$ . oraenv

ORACLE_SID = [DB0427] ?

The Oracle base has been set to /u01/app/oracle

[oracle@dbsrv01 ~]$ sqlplus / as sysdba

SQL*Plus: Release 19.0.0.0.0 - Production on Mon Apr 27 15:52:14 2020

Version 19.6.0.0.0

Connected to:

Oracle Database 19c Standard Edition 2 Release 19.0.0.0.0 - Production

Version 19.6.0.0.0

SQL> show pdbs

CON_ID CON_NAME OPEN MODE RESTRICTED

---------- ------------------------------ ---------- ----------

2 PDB$SEED READ ONLY NO

3 PDB01 READ WRITE NO

Database Server: Create a new SSH Tunnel to forward port 1521 as port 15210

This opens a connection to the bastion host.

$ ssh -i .ssh/id_rsa_oci -A -L 15210:10.0.2.2:1521 opc@140.238.216.114
Last login: Mon Apr 27 15:48:23 2020 from 139.178.22.30
[opc@bastion-host ~]$

$ ssh -i .ssh/id_rsa_oci -A -L 15210:10.0.2.2:1521 opc@140.238.216.114

Last login: Mon Apr 27 15:48:23 2020 from 139.178.22.30

[opc@bastion-host ~]$

Database Server: Connect to the Database by SQL Developer

Use port 15210 and localhost as hostname.

Verify the Oracle Net service name from the DBA panel menu.

Application Server: Create a new SSH Tunnel to forward port 3389 as port 33890

This opens a connection to the bastion host.

$ ssh -i .ssh/id_rsa_oci -A -L 33890:10.0.1.2:3389 opc@140.238.216.114
Last login: Mon Apr 27 15:48:23 2020 from 139.178.22.30
[opc@bastion-host ~]$

$ ssh -i .ssh/id_rsa_oci -A -L 33890:10.0.1.2:3389 opc@140.238.216.114

Last login: Mon Apr 27 15:48:23 2020 from 139.178.22.30

[opc@bastion-host ~]$

Application Server: Connect to the Windows Desktop by Remote Desktop Connection

Use port 33890 and localhost as hostname.

2. Connect by using MobaXterm

Database Server: SSH Connect via Bastion Host

This opens a session ion the database server as user opc.

Fill in Remote Host, Specify username and Port. Activate Use private key and select the local private SSH key in Putty format.

Activate Connect through SSH gateway, fill in Gateway SSH server, Port, User. Activate Use private key and select the local private SSH key in Putty format.

Start the session.

As you can see in the MobaXterm Header, X-Forwarding works too.

Database Server: Create a new SSH Tunnel to forward port 1521 as port 15210

Open MobaXterm Tunneling menu and add a New SSH tunnel. Fill in Forwarded port, Remote server, Remote port, SSH server, SSH login and SSH port. Save the tunnel settings. For an application server tunnel, just replace Remote server, Remote port and Forwared port settings.

Add the private SSH key in Putty format by click on the key icon. Start the tunnel.

Database Server: Connect to the Database by SQL Developer

Use port 15210 and localhost as hostname.

Verify the database control file settings from the DBA panel menu.

3. Connect by using Putty

Database Server: SSH Connect via Bastion Host

As prerequisite, I have created a Putty session called OCI Bastion Host for the jump host connection with the SSH private key in Putty format and user opc. This session is now used as Proxy.

Fill in database server private IP. The red one is the already existing session.

Add proxy command and save session settings. Optioanl enable proxy diagnostics.

plink "OCI Bastion Host" -agent -nc %host:%port

1	plink "OCI Bastion Host" -agent -nc %host:%port

Open the new created session to connect to database server with user opc.

Application Server: Create a new SSH Tunnel to forward port 3389 as port 33890

This opens a connection to the bastion host. Fill in bastion host public IP.

Add private key file in Putty format and enable checkbox Allow agent forwarding.

Add a port forwarding rule for RDP. Save session.

Open the new created session to enable port forwarding for Remote Desktop Protocol.

Application Server: Connect to the Windows Desktop by Remote Desktop Connection

Use port 33890 and localhost as hostname.

Alternative Method – Start Putty from Command Line

Start Putty with the port forwarding settings by command line. This opens a Putty session and port 3389 can be used. No addtional settings are required.

C:\> putty.exe -ssh -A -i C:\oci\ssh\id_rsa_oci.ppk -L 33890:10.0.1.2:3389 opc@140.238.216.114

1	C:\> putty.exe -ssh -A -i C:\oci\ssh\id_rsa_oci.ppk -L 33890:10.0.1.2:3389 opc@140.238.216.114

Summary

A bastion host is an “easy-to-setup” alternative to a VPN connection without any huge infrastructure overhead. There are several ways how to connect & tunnel to the target servers. Use the method which are you familiar with it, but NEVER place SSH keys on a bastion host.

And now: click here to make some noise – Jump by Van Halen

Links

Oracle Cloud Infrastructure, Oracle Linux, Oracle RDBMS, TrivadisContent

Oracle Cloud Infrastructure – Stop your 20c Preview Database Instance Node by OCI CLI now – Great MOS Experience

Author: Martin Berger 31. March 2020

This was really great experience with the guys from My Oracle Support and Oracle teams. Seven days ago I raised an SR that there was no possibility to stop a 20c Preview database instance node if it’s not in use.

No chance to stop a 20c Preview Instance

There was no stop action in the Oracle Cloud Infrastructure UI and not in OCI CLI. The only way was to terminate an 20c preview instance. If I tried to stop a database node in the OCI CLI, this message occurs: Operation is not allowed for Preview Database version.

mbg@LTMBG03:~$ oci db node stop --db-node-id ocid1.dbnode.oc1.eu-zurich-1.ab5heljr6uogrcbvopqvw4ppihq3hl75nh6e1234567891234567
ServiceError:
{
"code": "NotAuthorizedOrNotFound",
"message": "Operation is not allowed for Preview Database version.",
"opc-request-id": "0627623907F948C6AB50645F4D5086B9/A5A12041A7E77DDD5551AF4146963663/2A14DAC00F90DC2A657DA47E7856F0F1",
"status": 404
}

mbg@LTMBG03:~$ oci db node stop --db-node-id ocid1.dbnode.oc1.eu-zurich-1.ab5heljr6uogrcbvopqvw4ppihq3hl75nh6e1234567891234567

ServiceError:

{

"code": "NotAuthorizedOrNotFound",

"message": "Operation is not allowed for Preview Database version.",

"opc-request-id": "0627623907F948C6AB50645F4D5086B9/A5A12041A7E77DDD5551AF4146963663/2A14DAC00F90DC2A657DA47E7856F0F1",

"status": 404

}

Service Request Update today

Today my SR was updated with a short message: “PIease retry through API and confirm.” Sure 🙂

mbg@LTMBG03:~$ oci db node stop --db-node-id ocid1.dbnode.oc1.eu-zurich-1.ab5heljruj5qry2fs6l3xgk33cvolprvqs123456789123456789a
{
  "data": {
    "backup-vnic-id": null,
    "db-system-id": "ocid1.dbsystem.oc1.eu-zurich-1.ab5heljruj5qry2fs6l3xgk33cvolprvqs123456789123456789a",
    "fault-domain": "FAULT-DOMAIN-3",
    "hostname": "srvst20c01",
    "id": "ocid1.dbnode.oc1.eu-zurich-1.ab5heljrmxvsgn44lrphahrvkmcbnldukzkyw123456789123456789a",
    "lifecycle-state": "STOPPING",
    "software-storage-size-in-gb": 200,
    "time-created": "2020-02-17T08:56:22.751000+00:00",
    "vnic-id": "ocid1.vnic.oc1.eu-zurich-1.ab5heljr3niyga3b73pxitfplpo6uvmjtqqt2123456789123456789a"
  },
  "etag": "a2cfce62",
  "opc-work-request-id": "ocid1.coreservicesworkrequest.oc1.eu-zurich-1.ab5heljr7p5ez76oycfupmxwj4pvyhuekwicb5ketwa7avipq2cgpu5ipfpq,ocid1.coreservicesworkrequest.oc1.eu-zurich-1.ab5heljr7p5ez76oycfupmxwj4pvyhuekwicb5ketwa7avipq2cgpu5ipfpq"
}

mbg@LTMBG03:~$ oci db node stop --db-node-id ocid1.dbnode.oc1.eu-zurich-1.ab5heljruj5qry2fs6l3xgk33cvolprvqs123456789123456789a

{

"data": {

"backup-vnic-id": null,

"db-system-id": "ocid1.dbsystem.oc1.eu-zurich-1.ab5heljruj5qry2fs6l3xgk33cvolprvqs123456789123456789a",

"fault-domain": "FAULT-DOMAIN-3",

"hostname": "srvst20c01",

"id": "ocid1.dbnode.oc1.eu-zurich-1.ab5heljrmxvsgn44lrphahrvkmcbnldukzkyw123456789123456789a",

"lifecycle-state": "STOPPING",

"software-storage-size-in-gb": 200,

"time-created": "2020-02-17T08:56:22.751000+00:00",

"vnic-id": "ocid1.vnic.oc1.eu-zurich-1.ab5heljr3niyga3b73pxitfplpo6uvmjtqqt2123456789123456789a"

"etag": "a2cfce62",

"opc-work-request-id": "ocid1.coreservicesworkrequest.oc1.eu-zurich-1.ab5heljr7p5ez76oycfupmxwj4pvyhuekwicb5ketwa7avipq2cgpu5ipfpq,ocid1.coreservicesworkrequest.oc1.eu-zurich-1.ab5heljr7p5ez76oycfupmxwj4pvyhuekwicb5ketwa7avipq2cgpu5ipfpq"

}

After some seconds, the instance node was successfully stopped.

Let’s start it again.

mbg@LTMBG03:~$ oci db node start --db-node-id ocid1.dbnode.oc1.eu-zurich-1.ab5heljruj5qry2fs6l3xgk33cvolprvqs123456789123456789a
"data": {
"backup-vnic-id": null,
"db-system-id": "ocid1.dbsystem.oc1.eu-zurich-1.ab5heljruj5qry2fs6l3xgk33cvolprvqs123456789123456789a",
"fault-domain": "FAULT-DOMAIN-2",
"hostname": "srvst20c01",
"id": "ocid1.dbnode.oc1.eu-zurich-1.ab5heljrmxvsgn44lrphahrvkmcbnldukzkyw123456789123456789a",
"lifecycle-state": "STARTING",
"software-storage-size-in-gb": 200,
"time-created": "2020-02-17T08:22:36.336000+00:00",
"vnic-id": "ocid1.vnic.oc1.eu-zurich-1.ab5heljr3niyga3b73pxitfplpo6uvmjtqqt2123456789123456789a"
},
"etag": "69f24776",
"opc-work-request-id": "ocid1.coreservicesworkrequest.oc1.eu-zurich-1.ab5heljreak3amaiavzqgqek7zwbwnnlc47xbasmxart63putgdr7cqlo3ia"
}

mbg@LTMBG03:~$ oci db node start --db-node-id ocid1.dbnode.oc1.eu-zurich-1.ab5heljruj5qry2fs6l3xgk33cvolprvqs123456789123456789a

"data": {

"backup-vnic-id": null,

"db-system-id": "ocid1.dbsystem.oc1.eu-zurich-1.ab5heljruj5qry2fs6l3xgk33cvolprvqs123456789123456789a",

"fault-domain": "FAULT-DOMAIN-2",

"hostname": "srvst20c01",

"id": "ocid1.dbnode.oc1.eu-zurich-1.ab5heljrmxvsgn44lrphahrvkmcbnldukzkyw123456789123456789a",

"lifecycle-state": "STARTING",

"software-storage-size-in-gb": 200,

"time-created": "2020-02-17T08:22:36.336000+00:00",

"vnic-id": "ocid1.vnic.oc1.eu-zurich-1.ab5heljr3niyga3b73pxitfplpo6uvmjtqqt2123456789123456789a"

"etag": "69f24776",

"opc-work-request-id": "ocid1.coreservicesworkrequest.oc1.eu-zurich-1.ab5heljreak3amaiavzqgqek7zwbwnnlc47xbasmxart63putgdr7cqlo3ia"

}

Node is starting…

Node is available

Summary

Thanks My Oracle Support to implement this change!

Oracle Cloud Infrastructure