Virtual instances - Get started

How do I deploy a virtual instance?

To create a new virtual instance, head over to ITCare and search for your target global service where you'll create your new instance.

Search for your Global Service in the top search bar and click on it to display its information page.

Once in your Global Service, click on the Create Resource button, select either Linux, Windows or AIX and the desired version and/or distribution.

Fill in the fields:

  • Name of the virtual machine

  • CPU/RAM sizing

  • Disks and storage capacity for each disk

  • Target location

  • Target network

  • Management options (backup, monitoring, 24/7, data replication)

Click Next once all fields have been filled in.

In the customization step, you can:

  • Ask for a specific request (note that this will delay the automated task as it requires human intervention)

  • Create multiple instances with the same configuration (names and location to be provided)

Then click on Next.

Review the summary before submitting the form.

Provisioning can take up to 2 hours, depending on the current automation load.

Once the deployment is ready, you'll be notified by e-mail.

How do I connect to my virtual instance?

Whatever the instance or operating system you need to connect to, the use of a Bastion is mandatory. You first need to connect to the Bastion assigned to your tenant from which you can then initiate an SSH or RDP connection to your instances.

Linux

Connect over SSH using PuTTY or mRemoteNG installed on your Bastion. Use your own adm.corp user credentials.

Direct root login is disabled on all Linux virtual instances. Log in as a non-root user, then use your sudoers permissions to perform privileged actions.

How to authenticate?

Two authentication methods are allowed:

  • LDAP

  • Public and Private Key

To log in over SSH using the LDAP authentication method, you must have a valid account in the same LDAP domain where your virtual instance is enrolled.

It is not necessary to specify the LDAP domain name in your login.

$ ssh johndoe@myinstance
johndoe@myinstance's password: xxxxxx
Creating directory '/home/johndoe'.
johndoe@myinstance:~$

On first logon, your home directory is created automatically: /home/<yourlogin>/

To get the list of your allowed commands, enter the following command: sudo -l

johndoe@myinstance:~$ sudo -l
Matching Defaults entries for johndoe on myinstance:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
 
User johndoe may run the following commands on myinstance:
    (ALL) NOPASSWD: ALL
    (ALL) NOPASSWD: ALL

To log in to a Linux virtual instance with your SSH public key, your key must be added to the /home/<user>/.ssh/authorized_keys file.

Here <user> is the name of the local account on the target server. Log in by specifying the name of that local user: ssh user@host

To remove a user's SSH key access, delete their public key from the authorized_keys file of the target local account.

Windows
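Added example (not part of the original documentation): one way to remove a key from authorized_keys by matching the key blob itself rather than its free-text comment, so that every entry for that key is dropped, including entries with an options prefix. The function name revoke_key and the key blobs in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page.
# revoke_key <authorized_keys file> <public key file to revoke>
# returns 0 if at least one entry was removed, 1 if the key was absent, 2 on error
revoke_key() {
    auth_file=$1; pub_file=$2
    [ -f "$auth_file" ] && [ -f "$pub_file" ] || { echo "missing file" >&2; return 2; }
    # Field 2 of a .pub file is the base64 key blob. The trailing comment is
    # free text, so it is not a reliable way to identify a key.
    blob=$(awk 'NF >= 2 { print $2; exit }' "$pub_file")
    [ -n "$blob" ] || { echo "no key in $pub_file" >&2; return 2; }
    tmp=$(mktemp) || return 2
    # Keep only lines that do not carry the blob as a whole field.
    removed=$(awk -v blob="$blob" -v out="$tmp" '{
        hit = 0
        for (i = 1; i <= NF; i++) if ($i == blob) hit = 1
        if (hit) n++
        else print > out
    } END { print n + 0 }' "$auth_file")
    if [ "$removed" -eq 0 ]; then rm -f "$tmp"; return 1; fi
    cp -p "$auth_file" "$auth_file.bak"   # copy for rollback; sshd does not read it
    cat "$tmp" > "$auth_file"             # rewrite in place: owner and mode unchanged
    rm -f "$tmp"
    return 0
}

# Demo on constructed data (the key blobs are fake placeholders).
demo_dir=$(mktemp -d)
printf '%s\n' \
    'ssh-ed25519 AAAAC3CONSTRUCTEDKEY1 alice@laptop' \
    'from="10.0.0.5" ssh-ed25519 AAAAC3CONSTRUCTEDKEY2 bob@laptop' \
    'ssh-ed25519 AAAAC3CONSTRUCTEDKEY2 bob@old-laptop' > "$demo_dir/authorized_keys"
echo 'ssh-ed25519 AAAAC3CONSTRUCTEDKEY2 bob@laptop' > "$demo_dir/bob.pub"
revoke_key "$demo_dir/authorized_keys" "$demo_dir/bob.pub" && cat "$demo_dir/authorized_keys"
```

Delete the .bak copy once the change is confirmed, since it still contains the revoked key.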

Connect over RDP using Remote Desktop from mRemoteNG or the built-in Windows mstsc on your Bastion. Use your own adm.corp user credentials.

AIX

Connect over SSH using PuTTY or mRemoteNG installed on your Bastion. A local user account with sudo or root access will be provided when the instance is delivered.

How do I grant access to a Linux virtual instance?

LDAP login authorization

To list LDAP users and groups allowed to login, use the following command:

$ grep allow /etc/sssd/sssd.conf
simple_allow_groups = LDAP_GROUP_ADMIN
simple_allow_users = bernard

  • simple_allow_groups: LDAP groups

  • simple_allow_users: LDAP users

You can only add groups or users that are enrolled in the same LDAP domain where your virtual instance is enrolled.

Add users

To allow an LDAP user to log in, use the following command:

# add one user
$ realm permit --realm <domain> <user>

# add multiple users
$ realm permit --realm <domain> user1 user2 userX

Add groups

To allow an LDAP group to log in, use the following command:

# add one group
$ realm permit --realm <domain> --groups <group>

# add multiple groups
$ realm permit --realm <domain> --groups group1 group2 groupX

Remove access

To remove access from an LDAP user or group, use the following command:

# remove user
$ realm permit --withdraw <user>

# remove group
$ realm permit --withdraw --groups <group>
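
Added example (not part of the original documentation): a check that compares the simple_allow_users and simple_allow_groups entries in sssd.conf against an approved list, to spot logins that were permitted but never reviewed. The function name, the approved-list file format ("user:<name>" or "group:<name>", one per line) and the demo data are assumptions of this example; it treats all domain sections of the file as one list.

```shell
#!/bin/sh
# Added example, not from the original page.
# unapproved_logins <sssd.conf> <approved list>
# prints every allowed user/group missing from the approved list;
# returns 0 when nothing is unapproved, 1 when drift is found
unapproved_logins() {
    drift=$(awk -F= '
        /^[ \t]*simple_allow_(users|groups)[ \t]*=/ {
            kind = ($1 ~ /users/) ? "user" : "group"
            n = split($2, names, ",")          # values are comma-separated
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", names[i])
                if (names[i] != "") print kind ":" names[i]
            }
        }' "$1" | sort -u | grep -vxF -f "$2" || true)
    [ -z "$drift" ] && return 0
    printf '%s\n' "$drift"
    return 1
}

# Demo on constructed files (domain name and group G_GROUP_DEVOPS entry are sample data).
sssd_demo=$(mktemp -d)
cat > "$sssd_demo/sssd.conf" <<'EOF'
[domain/example.corp]
access_provider = simple
simple_allow_groups = LDAP_GROUP_ADMIN, G_GROUP_DEVOPS
simple_allow_users = bernard
EOF
printf '%s\n' 'group:LDAP_GROUP_ADMIN' 'user:bernard' > "$sssd_demo/approved"
unapproved_logins "$sssd_demo/sssd.conf" "$sssd_demo/approved" || echo "drift detected"
```

On a real instance, run it as root against /etc/sssd/sssd.conf, which is normally readable by root only.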

How do I manage Linux permissions?

To grant sudo rights to LDAP users or groups (or to local users or groups), create a new file in /etc/sudoers.d

Adding sudoers statements to the /etc/sudoers file is not recommended. That file is reserved for the system.

$ touch /etc/sudoers.d/devops

Use the visudo command to edit your sudoers file:

$ visudo -f /etc/sudoers.d/devops
# devops
%G_GROUP_DEVOPS    ALL=(ALL)  NOPASSWD:ALL
bernard            ALL=(ALL)  NOPASSWD:ALL

As with UNIX groups, LDAP groups in a sudoers file must be prefixed with '%'.
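
Added example (not part of the original documentation): an inventory of a sudoers drop-in directory that lists every user or group holding a NOPASSWD: ALL rule like the ones above, and flags files that sudo silently skips because their name contains a '.' or ends in '~'. The function name and the demo directory are constructed; the parser assumes one rule per line without backslash continuations.

```shell
#!/bin/sh
# Added example, not from the original page.
# audit_sudoers_dir <dir>: print one finding per line for the drop-in directory.
audit_sudoers_dir() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        case $name in
            *.*|*~)
                # sudo's includedir skips these names, so rules in them never apply.
                echo "SKIPPED $name"
                continue ;;
        esac
        # Report rules that end in NOPASSWD: ALL, ignoring comments and blank lines.
        awk -v file="$name" '
            /^[ \t]*#/ || /^[ \t]*$/ { next }
            /NOPASSWD:[ \t]*ALL[ \t]*$/ {
                kind = ($1 ~ /^%/) ? "group" : "user"   # "%" marks a group
                print "NOPASSWD_ALL", file, kind, $1
            }' "$f"
    done
}

# Demo on a constructed directory; "devops" holds the rules shown on this page.
sudo_demo=$(mktemp -d)
printf '%s\n' '# devops' \
    '%G_GROUP_DEVOPS    ALL=(ALL)  NOPASSWD:ALL' \
    'bernard            ALL=(ALL)  NOPASSWD:ALL' > "$sudo_demo/devops"
cp "$sudo_demo/devops" "$sudo_demo/devops.bak"      # skipped by sudo: name has a "."
echo 'deploy ALL=(root) NOPASSWD: /usr/bin/systemctl restart app' > "$sudo_demo/app"
audit_sudoers_dir "$sudo_demo"
```

Run it as root against /etc/sudoers.d; a syntax check of a single drop-in can be done separately with visudo -cf <file>.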
