Help:Accessing Cloud VPS instances
Overview
This page explains how to gain access to Cloud VPS using SSH.
What you'll need
Required accounts
Account Type | Description | Where to sign up
Wikimedia account | Wikimedia single user login (SUL) account allows you to log into general wikis like Wikipedia, MediaWiki, and MetaWiki | Create Wikimedia account
Wikimedia developer account | Wikimedia developer account allows you to log into Wikitech, Phabricator, Gerrit and other developer tools. | Create Wikimedia developer account
Set up and upload SSH keys
  1. Set up a public SSH key
  2. Upload your public SSH key to Wikitech
  3. Upload your public SSH key to Gerrit
Be a member of a Cloud VPS project
In order to SSH into instances of a particular Cloud VPS project, you must be a member of that project. In order to SSH even into a bastion, you need to be a member of at least one project (then the project-bastion LDAP group will be added automatically). Request a new Cloud VPS project, or ask someone to add you to their existing project.
SSH Recommendations
Linux or macOS
Linux and macOS natively support SSH. You should be able to SSH from the terminal.
Windows 10
Windows 10 (Spring 2018 Creators update or higher) has a built-in SSH client.
  • If the OpenSSH client is not already enabled, you can do this by following Settings -> Apps & features -> Optional features -> Add a feature. Scroll down and enable the SSH Client.
  • Access the SSH client via Windows PowerShell using the ssh command.
  • To use an SSH agent, you will need to enable it.
    • Type into your search bar services.msc and open the Services program
    • Find OpenSSH Authentication Agent and set that service to "Automatic" and start it if it is disabled.
  • Please note, there is a bug in how ProxyJump works, so use the instructions for ProxyCommand below unless you are sure you are not affected by https://github.com/PowerShell/Win32-OpenSSH/issues/1172
Older versions of Windows
It is recommended that you run the most current version of Windows. However, if you choose to run an older version, you will need an SSH client. PuTTY / KiTTY is often recommended.
Accessing Cloud VPS instances
Setup
You'll need to proxy through a machine that is visible to the Internet and recognizes Cloud VPS (bastion) instances.
How should you proxy?
Your role | Use
A member of Wikimedia SRE Team | restricted.bastion.wmcloud.org
Everyone else (including volunteers and Wikimedia Foundation staff) | primary.bastion.wmcloud.org, bastion.wmcloud.org (alias)
The Toolforge Cloud VPS project has its own bastions and does not require any proxy to access them.
ProxyJump (recommended)
Use this directive if you are using OpenSSH version 7.3 or higher:
$ ssh -J <your-shell-name>@bastion.wmcloud.org <your-shell-name>@<your-instance>.<your-project>.eqiad1.wikimedia.cloud
To save time, you can configure your $HOME/.ssh/config file to instruct SSH to use bastion.wmcloud.org as a jump host when connecting to wikimedia.cloud instances.
Host *.wmflabs.org *.wmcloud.org *.toolforge.org
    User <your-shell-name>

Host *.wmflabs *.wikimedia.cloud
    User <your-shell-name>
    ProxyJump bastion.wmcloud.org:22
ProxyCommand (older ssh clients)
Use this directive if you are using OpenSSH 7.2 or older:
Host *.wmflabs.org *.wmcloud.org *.toolforge.org
    User <your-shell-name>

Host *.wmflabs *.wikimedia.cloud
    ProxyCommand ssh -a -W %h:%p <your-shell-name>@bastion.wmcloud.org
    User <your-shell-name>
Logging in
Run the following from your local computer, substituting the instance and project names as appropriate:
ssh your-instance.your-project.eqiad1.wikimedia.cloud
SSH fingerprints
See Help:SSH Fingerprints for host key fingerprints which can be used to validate the authenticity of keys offered by hosts when attempting to connect for the first time or if the key has changed due to a full reimaging of the server. It is good practice to verify the SSH fingerprint of the bastions you use in order to reduce the likelihood of a MITM attack.
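The check described above, as an added example (not part of the original page or of Wikimedia's tooling): it computes the SHA256 fingerprint in the form OpenSSH displays for each key in ssh-keyscan-style output and compares it with a published list. The key material and the PUBLISHED table are constructed stand-ins for the real values listed on Help:SSH Fingerprints.

```python
import base64
import hashlib
import struct

def sha256_fingerprint(key_b64):
    """Fingerprint in the SHA256:<unpadded base64> form that OpenSSH displays."""
    blob = base64.b64decode(key_b64, validate=True)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def check_scan(scan_text, published):
    """Compare each 'host keytype base64key' line with the published fingerprints.

    Returns {(host, keytype): "match" | "MISMATCH" | "unpublished" | "unparsable"}.
    """
    results = {}
    for line in scan_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue  # blank, comment or truncated line
        host, key_type, key_b64 = fields[:3]
        expected = published.get((host, key_type))
        try:
            actual = sha256_fingerprint(key_b64)
        except ValueError:  # key field is not valid base64
            results[(host, key_type)] = "unparsable"
            continue
        if expected is None:
            results[(host, key_type)] = "unpublished"
        elif actual == expected:
            results[(host, key_type)] = "match"
        else:
            results[(host, key_type)] = "MISMATCH"
    return results

def constructed_key(seed):
    """Constructed ssh-ed25519 public key blob (not a real Wikimedia host key)."""
    body = bytes((seed + i) % 256 for i in range(32))
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + body
    return base64.b64encode(blob).decode()

HOST = "bastion.wmcloud.org"
# Stand-in for the value you would copy from Help:SSH Fingerprints.
PUBLISHED = {(HOST, "ssh-ed25519"): sha256_fingerprint(constructed_key(1))}
GOOD_SCAN = f"# constructed ssh-keyscan output\n{HOST} ssh-ed25519 {constructed_key(1)}\n"
CHANGED_SCAN = f"{HOST} ssh-ed25519 {constructed_key(2)}\n"

if __name__ == "__main__":
    print(check_scan(GOOD_SCAN, PUBLISHED))     # key offered matches the published one
    print(check_scan(CHANGED_SCAN, PUBLISHED))  # key differs: do not accept it
```

A MISMATCH or unpublished result on a first connection means the key should not be accepted until it has been checked against Help:SSH Fingerprints.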
File managers
You can connect to your Cloud VPS instance through the bastion via SSH with a file manager. There are a number of Open Source options listed below.
Note: The following options are maintained by third parties. Please see the technical documentation or ReadMe on the software's website to determine the best method of connection.
Options
Windows
PuTTY
Linux
Mac
SSHFS
Troubleshooting
In general, adding SSH option -v, -vv, or -vvv may help identify possible issues.
# when using ProxyCommand
ssh -v your-instance.your-project.eqiad1.wikimedia.cloud
Into Bastion
Permission denied (publickey)
  1. Make sure you have uploaded the correct SSH key to your preferences
  2. Use lowercase letters for your username
  3. Your SSH user name is your instance shell account name (see User Profile > Basic Information in your Wikitech account's Preferences page). It is not necessarily the same as your account's username.
Connection closed by remote host
Blocking connection on OS X with no error message
If you are running OS X and your SSH connection blocks without any error message (while pinging the server works), try unset SSH_AUTH_SOCK, and then SSH again. This will unset the socket to ssh-agent.
Into your-instance
Permission denied (publickey)
Communication and support
We communicate and provide support through several primary channels. Please reach out with questions and to join the conversation.
Communicate with us
Connect | Best for
Phabricator Workboard: #Cloud-Services | Task tracking and bug reporting
IRC Channel: #wikimedia-cloud (connect), Telegram bridge, mattermost bridge | General discussion and support
Mailing List: cloud@ | Information about ongoing initiatives, general discussion and support
Announcement emails: cloud-announce@ | Information about critical changes (all messages mirrored to cloud@)
News wiki page: News | Information about major near-term plans
Cloud Services Blog: Clouds & Unicorns | Learning more details about some of our work
Wikimedia Technical Blog: techblog.wikimedia.org | News and stories from the Wikimedia technical movement
Last edited on 31 July 2021, at 20:42
Wikitech
Content is available under CC BY-SA 3.0 unless otherwise noted.