Oracle Secure Global Desktop | Friday, October 20, 2017

Friday Spotlight: Use SGD to automatically provision and access OCI VM serial consoles

By: Jan Hendrik Mangold | SGD Product Manager

I have created a Proof of Concept (POC) showing how to use the Python SDK to manage access to VM serial consoles in Oracle Cloud Infrastructure (OCI). This POC is currently implemented as an Oracle Secure Global Desktop (SGD) application that launches a Python script on the SGD server.

Problem Statement

VM shapes provisioned in OCI have a feature that allows creating a connection to the serial console of the VM to troubleshoot issues that might have occurred when booting the VM. Creating this connection requires access to the OCI Web Console or the API. Access to the console can then be established via ssh. The ssh command to accomplish this is a little bit involved and requires some familiarity with the ssh command options, and even more tweaking when using it from Windows with PuTTY, for example. Here is an example ssh command:

ssh -o ProxyCommand='ssh -W %h:%p -p 443 ocid1.instanceconsoleconnection.oc1.phx.abyhqljrgt3wvfxt765457ew3hpk7mwibnhnyo2rltyv3icfbfahwjmstava@instance-console.us-phoenix-1.oraclecloud.com' ocid1.instance.oc1.phx.abyhqljrks2ie4ph25d266gpua7q52j3oaft2uoytc7wr2nojxsum3zezbpq

Use Cases

  • Simplify access to Serial Consoles in OCI
  • Give users who don't have API credentials access to OCI resources
  • Granular Access Control to Serial Consoles for users who do NOT have API access

Proof of Concept

This POC script does the following:

  • relies on a properly configured OCI SDK on the SGD server
  • provides its own generic ssh key for the console connection
  • supports profiles
  • lists compartments
  • lists VMs in a compartment
  • checks if a VM has a Serial Console Connection (SC) configured
  • checks if the SC has been configured through the POC script and deletes it if it has been created outside the POC
  • creates a SC with a generic ssh key known to the POC
  • drops the SGD user into the console of selected VM

Serial Console Access without SGD

In order for a user to access the Serial Console of a VM, valid credentials for the OCI API are required. Either the user goes to the Web UI, creates the SC and then uses the provided ssh command to connect, or does the same via oci-cli.

Both ways require the user either to make the ssh key in use the default key in ${HOME}/.ssh/id_rsa or to modify the command to include the required key twice: once for the outer ssh and once for the ssh inside ProxyCommand.
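As an added example (not the POC script, which this post does not include), the following Python rewrites the console command shown above so that both ssh hops name an explicit key, and refuses any command that does not have the expected layout. The key path in the usage is hypothetical, and the OCID and host patterns are assumptions derived from the example command on this page.

```python
import re
import shlex

# OCID and host shapes as they appear in the example command on this page (assumed patterns).
OCID_RE = re.compile(r"ocid1\.(instanceconsoleconnection|instance)\.[a-z0-9]+\.[a-z0-9-]+\.[a-z0-9]+")
HOST_RE = re.compile(r"instance-console\.[a-z0-9-]+\.oraclecloud\.com")

def _check_ocid(value, kind):
    m = OCID_RE.fullmatch(value)
    if m is None or m.group(1) != kind:
        raise ValueError(f"not a {kind} OCID: {value!r}")
    return value

def parse_console_command(command):
    """Split the console ssh command into (connection OCID, console host, instance OCID)."""
    argv = shlex.split(command)
    if len(argv) != 4 or argv[:2] != ["ssh", "-o"] or not argv[2].startswith("ProxyCommand="):
        raise ValueError("unexpected command layout")
    proxy = shlex.split(argv[2][len("ProxyCommand="):])
    if len(proxy) != 6 or proxy[:5] != ["ssh", "-W", "%h:%p", "-p", "443"]:
        raise ValueError("unexpected ProxyCommand layout")
    user, sep, host = proxy[5].partition("@")
    if not sep or HOST_RE.fullmatch(host) is None:
        raise ValueError(f"unexpected console endpoint: {proxy[5]!r}")
    # Full-match validation also rejects option-like values such as "-v".
    return _check_ocid(user, "instanceconsoleconnection"), host, _check_ocid(argv[3], "instance")

def with_identity(command, key_path):
    """Return an argv list for the same connection with key_path named for both ssh hops."""
    # ssh expands %-tokens inside ProxyCommand, so a '%' in the path is refused.
    if not key_path.startswith("/") or "%" in key_path:
        raise ValueError("key path must be absolute and contain no '%'")
    conn, host, instance = parse_console_command(command)
    proxy = ["ssh", "-i", key_path, "-W", "%h:%p", "-p", "443", f"{conn}@{host}"]
    # ProxyCommand is run through the user's shell, so each word is shell-quoted.
    proxy_cmd = " ".join(shlex.quote(word) for word in proxy)
    # The outer command is an argv list: run it without a shell (e.g. subprocess.run(argv)).
    return ["ssh", "-i", key_path, "-o", f"ProxyCommand={proxy_cmd}", instance]

# The example command from this page, split across lines for readability.
PAGE_COMMAND = (
    "ssh -o ProxyCommand='ssh -W %h:%p -p 443 ocid1.instanceconsoleconnection.oc1.phx."
    "abyhqljrgt3wvfxt765457ew3hpk7mwibnhnyo2rltyv3icfbfahwjmstava"
    "@instance-console.us-phoenix-1.oraclecloud.com' "
    "ocid1.instance.oc1.phx.abyhqljrks2ie4ph25d266gpua7q52j3oaft2uoytc7wr2nojxsum3zezbpq"
)

if __name__ == "__main__":
    print(with_identity(PAGE_COMMAND, "/opt/poc/console_key"))  # hypothetical key path
```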

Serial Console Access with SGD

All a user needs is access to an SGD server configured with this POC. After authentication to the SGD server, the user is offered the typical workspace in the web browser.

After launching the OCI Console SGD application (the name is arbitrary), the user is presented with a menu to choose the VM to connect to. Either a Serial Console Connection is created on the fly or an existing SC is used, and the appropriate ssh command is launched.

All the user needs to know are the credentials for SGD; no OCI API setup needs to be performed on the user's system.

Join the discussion

Comments ( 3 )
  • Andy T Wednesday, October 25, 2017
    Hello,
    great article and use case. Is there a place where I can download the script?

    Thanks
    Andy
  • Jan Hendrik Mangold Wednesday, October 25, 2017
    Thanks for your interest. We will publish a more detailed white paper soon, which will contain the script.

    Jan
  • Jan Hendrik Mangold Wednesday, December 6, 2017
    I have posted an article in the SGD Community site that includes more detailed setup instructions and the actual script

    https://community.oracle.com/docs/DOC-1020174

    Jan