Google compute engine ssh unavailable - ssh

I have restarted our google cloud compute engine instance, however after the restart ssh is no longer working and giving connection refused.
I have verified and the ssh keys are configured for the users, and firewall rules are open for ssh.
Is there any other method I can use to try and resolve this?

The first thing to do is to check the Serial console output of the machine to determine if the SSH daemon has started or not. That log can be accessed from the Developer Console.

If you couldn't ssh to the instance, you can follow the steps below to access the instance from the serial console:
Connect to the instance using the serial console
1. Go to the VM instances page in Google Cloud Platform console.
2. Click on the instance for which you want to add a startup script.
3. Click the Edit button at the top of the page.
4. Click on ‘Enable connecting to serial ports’
5. Under Custom metadata, click Add item.
6. Set 'Key' to 'startup-script' and set 'Value' to this script:
#! /bin/bash
useradd -G sudo USERNAME
echo 'USERNAME:PASSWORD' | chpasswd
7. Click Save and then click RESET on the top of the page. You might need to wait for some time for the instance to reboot.
8. Click on 'Connect to serial port' in the page.
9. In the new window, you might need to wait a bit and press on Enter of your keyboard once; then, you should see the login prompt.
10. Login using the USERNAME and PASSWORD you provided.

Related

I started FirewallD service but didn't allow SSH port, now I can't login my VM through SSH

I have a CentOS VM on Google Cloud, I am using a custom SSH port and private SSH file to manage my VM. It worked fine for a long time but yesterday I started the "FirewallD" service in CentOS but I forgot to add a rule to allow my custom SSH port.
Now I can't connect to my VM through SSH, I also have tried to connect my VM through Web Console ("Open in browser window on custom port" and Open in browser window using provided private SSH key), neither of them works.
Are there any other solutions?
If you don’t have access to your VM through SSH, you could use the serial port to log in:
1. Go to the VM instances page in Google Cloud Platform console.
2. Click on the instance for which you want to add a startup script.
3. Click the Edit button at the top of the page.
4. Click on ‘Enable connecting to serial ports’
5. Click Save and then click RESET on the top of the page. You might need to wait for some time for the instance to reboot.
6. Click on 'Connect to serial port' in the page.
If you don’t have a root password for the serial console, you could use a startup script to add it to your instance, the script would be like this:
1. Go to the VM instances page in Google Cloud Platform console.
2. Click on the instance for which you want to add a startup script.
3. Click the Edit button at the top of the page.
4. Click on ‘Enable connecting to serial ports’
5. Under Custom metadata, click Add item.
6. Set 'Key' to 'startup-script' and set 'Value' to this script:
#! /bin/bash
useradd -G <an existing group in the instance> USERNAME
echo USERNAME:PASSWORD | chpasswd
7. Click Save and then click RESET on the top of the page. You might need to wait for some time for the instance to reboot.
8. Click on 'Connect to serial port' in the page.
9. In the new window, you might need to wait a bit and press on Enter of your keyboard once; then, you should see the login prompt.
10. Login using the USERNAME and PASSWORD you provided.
In this way you can log in to the VM and stop the firewall service to modify your rules before starting the service again.
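Both serial-console answers above leave a cleartext password in the `startup-script` metadata (where it is readable by anyone who can view the instance and is re-applied on every boot) and leave the serial port enabled. The Python check below is an added example, not part of either answer: it flags those leftovers in the JSON returned by `gcloud compute instances describe INSTANCE --format=json`, using constructed sample data and `INSTANCE` as a placeholder.

```python
import re

# Constructed sample: the parsed JSON that
#   gcloud compute instances describe INSTANCE --format=json
# would return for a VM recovered with the startup-script steps above.
RECOVERED_VM = {
    "name": "example-vm",
    "metadata": {"items": [
        {"key": "serial-port-enable", "value": "TRUE"},
        {"key": "startup-script",
         "value": "#! /bin/bash\nuseradd -G sudo USERNAME\n"
                  "echo 'USERNAME:PASSWORD' | chpasswd\n"},
    ]},
}
# Constructed sample: the same VM after clean-up.
CLEANED_VM = {"name": "example-vm", "metadata": {"items": [
    {"key": "serial-port-enable", "value": "FALSE"},
]}}

# Script lines that create accounts or set passwords at boot.
SCRIPT_CHECKS = [
    ("PASSWORD_SET_AT_BOOT", re.compile(r"\bchpasswd\b|\bpasswd\b.*--stdin")),
    ("ACCOUNT_CREATED_AT_BOOT", re.compile(r"\b(useradd|adduser)\b")),
]

# Clean-up command per finding (INSTANCE is a placeholder).
_DROP_SCRIPT = "gcloud compute instances remove-metadata INSTANCE --keys startup-script"
REMEDIATION = {
    "SERIAL_CONSOLE_ENABLED":
        "gcloud compute instances add-metadata INSTANCE "
        "--metadata serial-port-enable=FALSE",
    "PASSWORD_SET_AT_BOOT": _DROP_SCRIPT,
    "ACCOUNT_CREATED_AT_BOOT": _DROP_SCRIPT,
}


def audit_instance(instance):
    """Return (finding, location) pairs for recovery leftovers in one instance."""
    items = {i["key"]: i.get("value", "")
             for i in instance.get("metadata", {}).get("items", [])}
    findings = []
    # Assumption: "TRUE" is the documented value; "1" is treated as enabled too.
    if items.get("serial-port-enable", "").strip().lower() in ("true", "1"):
        findings.append(("SERIAL_CONSOLE_ENABLED", "serial-port-enable"))
    script = items.get("startup-script", "")
    for lineno, line in enumerate(script.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # shebang and comments
        for code, pattern in SCRIPT_CHECKS:
            if pattern.search(line):
                # Report the location only, never echo the credential itself.
                findings.append((code, f"startup-script line {lineno}"))
    return findings


if __name__ == "__main__":
    for code, where in audit_instance(RECOVERED_VM):
        print(f"{code:26} {where:24} fix: {REMEDIATION[code]}")
```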

Cannot ssh into GCP instance

I cannot ssh into a Google compute engine instance. Here is the scenario.
I tried to ssh into an instance from ubuntu ssh client, so generated a private & public key in my local and added pubkey to metadata.
But got Permission denied (publickey) error message and the instance console was saying No space left on device
I then increased the size of the instance by 100GB more and then restarted the instance.
A few minutes later, I tried to ssh into the instance again and got the Permission denied (publickey) error again, and the console said No usable temporary directory found in ['/tmp', '/var/tmp', '/usr/tmp', '/']
Now I can't connect to the instance by any tool such as browser console, ssh client etc.
Is there any solution to address this problem?
Thanks in advance.
I faced the same problem during these days, and I solved it using winSCP to access the storage and delete a lot of heavy files created by my scripts, also because the instructions here have been not so useful.
If you do not know how to configure winSCP and GCP, follow my steps or this video.
winSCP - Create Keys
While creating a new site in winSCP
go to advanced --> ssh --> Authentication
click on Tools and open the Putty gen
generate public and private key
save them
copy the public key and open GCP
Setting your GCP instance
Click on your instance to edit its settings
scroll down until you reach ssh keys
paste your key
save
Done, now you can access your instance storage and remove some files; after that, your instance will be able to boot correctly creating the temporary files needed.
As Dan mentioned, you need to connect on serial console to expand the filesystem making use of the additional disk space allocated. You can also attempt to free up some space etc.
A complete tutorial is linked:
https://youtu.be/HSBTnfDsVRs
In this video, I talked about how to SSH into GCP using Windows Terminal. There are three methods to do so:
Access via Chrome
Access via Command Prompt
Access via a custom Windows Terminal tab (best!!)
Process for Chrome:
Open Google Chrome
Type "https://console.cloud.google.com/"
And you can access it!!
Process for Installing Google Cloud SDK:
Install Google Cloud SDK (https://cloud.google.com/sdk/docs/downloads-interactive)
Click "Next"
Click "I Agree"
It's installed!!
Process for Command Prompt (via PuTTy):
Open Windows Terminal
Then, open Command Prompt
Type "gcloud cloud-shell ssh"
And you can access it!!
Process for a custom Windows Terminal tab:
Open Windows Terminal
Go to Settings and click "Open JSON file"
Then add the following:
{
"backgroundImage": "C:/Users/user/Downloads/Pictures/gcp.png",
"backgroundImageOpacity": 0.2,
"commandline": "wsl ~/ssh-gcloud-env.sh [email] [project_id]",
"hidden": false,
"icon": "C:/Users/user/Downloads/Pictures/gcp.png",
"name": "SSH into GCP"
},
Then, open your wsl2 Ubuntu VM, and in your /home/user/ directory make a file named "ssh-gcloud-env.sh". And type in the following commands:
#!/bin/bash
# $1 = account e-mail, $2 = project ID (passed in by the Windows Terminal profile)
gcloud auth login "$1"
gcloud config set project "$2"
gcloud cloud-shell ssh
Save the file and type the following: "chmod +x ssh-gcloud-env.sh"
Finally, go to your Windows Terminal and open the custom tab.
Yay! We did it

Why can't I connect to a Google VM instance via SSH over a network other than "default"?

Using the Google Developer Console "Compute Engine" I am trying to connect to a Google VM instance via SSH.
It doesn't work. I had trouble creating the instance to begin with due to a problem with the "network association".
Here was my question and solution for that: Why is "Create" disabled in Google Compute Engine VM instances?
What are the likely causes for my SSH issue now?
It turned out to be a firewall issue. Unlike the "default" network, when you add one manually, it doesn't automatically open port 22 for ssh to work.
The easiest way to fix this is via the Google Developer Console "Networking" page. If you go to the networks section and select the custom network you are using, it has the option to add firewall rules. Unfortunately for me, I didn't figure this out until I did it with the Google Cloud Shell... Here's how I did it the "long way", which will in fact give you more control and insight into this whole Google VM management model. It will also ensure you can connect via the Google Cloud Shell in case you need to again in the future:
In the "Compute Engine" go to the VM section and select your VM. In the top left corner of the screen is an "SSH" button and an ellipsis ("...") button. Click the "..." and select "View gcloud command". When that window opens, copy the command to the clipboard. Then close the window and click the ">_" (Activate Google Cloud Shell) button in the upper right corner of the screen.
When the shell loads, paste in the command (with Ctrl+V). After attempting to connect, it will eventually time out if you have this firewall problem going on.
To display the firewall rules on the network you are using enter the following:
gcloud compute firewall-rules list
To inspect a rule in more detail use this:
gcloud compute firewall-rules describe [rule name]
Check for a rule with a suffix of "allow-ssh", or more specifically one that opens up port 22. It is probably missing.
If you were in fact on the "default" network, you could use the command you'll find in the Google documentation for this:
gcloud compute firewall-rules create default-allow-ssh --allow tcp:22
But, if you are on an alternate network, use this more explicit command:
gcloud compute firewall-rules create [network name]-allow-ssh --allow tcp:22 --network [network name] --source-ranges 0.0.0.0/0 --description "Allow SSH from anywhere."
Replace [network name] with your literal value.
After executing that, try the connection command again. It ought to work now!
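The rule created above uses `--source-ranges 0.0.0.0/0`, which exposes port 22 to the whole internet. The Python check below is an added example, not part of the original answer: it flags such rules in the JSON printed by `gcloud compute firewall-rules list --format=json`, run here over constructed sample rules whose names and network are made up.

```python
import ipaddress

# Constructed sample: parsed output of
#   gcloud compute firewall-rules list --format=json
# PROJECT_ID, the network name and the rule names are placeholders.
NET = "projects/PROJECT_ID/global/networks/custom-net"


def rule(name, ranges, ports=None, proto="tcp", disabled=False):
    """Build one constructed firewall resource in the API's JSON shape."""
    allowed = {"IPProtocol": proto}
    if ports is not None:
        allowed["ports"] = ports
    return {"name": name, "network": NET, "direction": "INGRESS",
            "disabled": disabled, "sourceRanges": ranges, "allowed": [allowed]}


SAMPLE_RULES = [
    rule("custom-net-allow-ssh", ["0.0.0.0/0"], ["22"]),
    # 35.235.240.0/20 is the source range used by IAP TCP forwarding.
    rule("custom-net-allow-iap-ssh", ["35.235.240.0/20"], ["22"]),
    rule("custom-net-allow-low-ports", ["0.0.0.0/0"], ["20-25", "80"]),
    rule("custom-net-allow-https", ["0.0.0.0/0"], ["443"]),
    rule("custom-net-allow-internal", ["10.128.0.0/9"], proto="all"),
    rule("custom-net-old-ssh", ["0.0.0.0/0"], ["22"], disabled=True),
]


def port_matches(spec, port=22):
    """True if a port spec such as "22" or "20-25" covers the given port."""
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


def allows_ssh(entry):
    """True if one 'allowed' entry permits TCP port 22."""
    proto = entry.get("IPProtocol", "").lower()
    if proto == "all":
        return True
    if proto not in ("tcp", "6"):   # 6 is the IP protocol number for TCP
        return False
    ports = entry.get("ports")
    # An entry without a ports list applies to every port of the protocol.
    return not ports or any(port_matches(p) for p in ports)


def is_world_open(cidr):
    """True for 0.0.0.0/0 and ::/0."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def world_open_ssh(rules):
    """Names of enabled ingress rules that allow SSH from any address."""
    flagged = []
    for r in rules:
        if r.get("direction", "INGRESS") != "INGRESS" or r.get("disabled"):
            continue
        if not any(is_world_open(c) for c in r.get("sourceRanges", [])):
            continue
        if any(allows_ssh(a) for a in r.get("allowed", [])):
            flagged.append(r["name"])
    return flagged


if __name__ == "__main__":
    for name in world_open_ssh(SAMPLE_RULES):
        print(f"{name}: SSH reachable from any address, narrow --source-ranges")
```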

ERROR: (gcloud.compute.ssh) [/usr/bin/ssh] exited with return code [255]

I kept getting kicked out of my compute engine instance after a few seconds of idle with the indicated error (255).
I used 'gcloud compute ssh' to log in.
I am using the default firewall setting, which I believe would be good enough for ssh.
But if I am missing something, please so indicate and suggest the fix for this error.
Basically I can't get any efficient work done at this point having to ssh in so many times.
gcloud denies an ssh connection if there was a change in the setup, e.g. after you changed your default zone or region, or you created another instance.
Then, you must update the ssh keys in your metadata by
sudo gcloud compute config-ssh
If this complains about different entries in your config file where your ssh key entries are stored, ~/.ssh/config, delete this file and execute the above command again.
If you have installed gcloud without sudo, you can omit sudo.
255 is the interactive ssh exit code for ssh failure - otherwise interactive ssh exits with the exit code of the last command executed in the ssh session.
The next time you get exit code 255 from ssh try running with --ssh-flag="-vvv" (more v's => more debugging output) and see if it helps track down connection problems.
For those who stop by this page. This helped me to solve the problem.
Try the following:
Go to your Google and remove the SSH key for the server
Go to your google cloud console -> compute engine -> Metadata -> "SSH keys" tab and click on edit. Here you can delete the ssh keys.
Run the gcloud command again
Click on the "Instances" link on the left side of your google cloud account, which will list down all the instances on the right side. Under connect column, you will see "SSH" drop-down, click on "View cloud Command" and this will bring a new dialog. Copy that command and run on your PC's terminal. This will let you SSH into the google compute engine.
It seems a feature/issue from Google Cloud Platform itself, we are going to continue checking it.
If the default network was edited, or if not using the default network, you may need to explicitly enable ssh access by adding a firewall-rule:
$ gcloud compute firewall-rules create --network=YOUR_NETWORK \
default-allow-ssh --allow tcp:22
After that, retry the 'gcloud compute ssh' command.
This is a real problem with very little documentation on dealing with it.
Sometime after creating the instance using the gcloud sdk ssh snippet provided via GCP console stopped working and continually errors with 255 making connecting to ssh on the instance only available through browser via GCP console for the compute instance in question. Not to mention this has happened to me on many different instances some without touching the default account permissions after initial setup and deployment which is overly frustrating. Cause for no reason it just stops working...works, then doesn't...
The only thing that worked for me was creating a new user to connect with through gcloud sdk! Be it Windows/PowerShell or Linux locally, using the following snippet:
gcloud compute ssh newuser-name@instance-name
That all per GCP documentation here: https://cloud.google.com/compute/docs/troubleshooting/troubleshooting-ssh
Everything else passed per suggestions in documentation - port 22 open with access meaning it has to be a problem with the default users authorization_keys WHICH they provide absolutely no documentation on how to fix that - at least nothing I could find on fixing (not creating or deleting)
I've tried updating the account, tried deleting the user and credentials from the instance, nothing appears to work. using:
gcloud compute --project "project-name" ssh --zone "us-east4-a" "instance-name"
Just doesn't work...
- even tried 'gcloud compute config-ssh --force-key-file-overwrite' NOTHING WORKS...
But creating a new user works every time, and once the user is created you can keep using that user via gcloud sdk
It's a work around, and I hate work around's for things like this but for my sanity this works at least until I can figure out how to reset the default account permissions, so if anyone has any ideas there or can point me in a direction for that I'd more than appreciate it!
It was my mistake stating that the default firewall would allow all connections into an instance. The contrary turned out to be true. Please refer to an appropriate firewall rule must be set up to allow connection into an instance
Anh-
If you have Identity-Aware Proxy (IAP) enabled for your setup, try adding the --tunnel-through-iap option to the gcloud compute ssh command.
$ gcloud compute ssh --zone <zone> --project <project> --tunnel-through-iap <instance-name>
More information for people landing on this page, if you're using preemptible instances to save some compute costs, that could also be the reason for getting kicked out like this. Your instance may have just randomly stopped.
In my case, I had created a bootable disk for the VM without adding the information of what source-image it needs to have. Because of this, even though the instance was coming up alright and ssh-allow rule was there, the VM was not booting up.
Finally added the source image to the disk and I was able to ssh into the VM.
Hope this helps for someone.
I had the same error. I restarted the VM instance and ssh works fine.
I had the problem where after clicking on the SSH button it would keep trying to establish a connection and fail. After long struggle I resolved it by adding Service Account User role to myself. If your account was created after the VM instance was created, it might result in this situation.
I know this was opened a long time ago, but for a more recent update on this topic. I had the same trouble connecting via ssh. It was giving the error code 225. Obviously there was a connectivity issue. There was already a firewall rule set under VPC network-> Firewall to allow ssh. However, to fix this problem I had to go to the specific network and create a rule under the network Firewall Rules. VPC network details -> FIREWALL RULES and create an inbound TCP rule for port 22.
If you are having a problem trying to access your g-cloud VM instance from your computer terminal remotely, and are getting the error code 255, the problem is that the ssh protocols in your computer are wrong or not updated.
In this case the best way to fix it is to go to your home directory (in your computer), check the hidden files and find the folder ".ssh". Just delete this folder and re-open your bash terminal. Then run your gcloud vm command again.
Example:
you@your_computer:~$ gcloud beta compute ssh --zone "us-central1-a" "your_VM_name" --project "your_project_name"
This time, instead of the error 255 code, you should get the messages below:
WARNING: The private SSH key file for gcloud does not exist.
WARNING: The public SSH key file for gcloud does not exist.
WARNING: You do not have an SSH key for gcloud.
WARNING: SSH keygen will be executed to generate a key.
This tool needs to create the directory [/home/your_name/.ssh] before being able to
generate SSH keys.
Do you want to continue (Y/n)?
Type "Y" and gcloud will set up the new protocols by creating a brand new updated .ssh file.
After that you should be able to access your VM with your gcloud command without any problem.
That should solve the problem
Cheers
https://blackpearlmatrix.com
had the exact same symptoms - in my case the reason appeared to be the following. I was using root user + ssh key whereas root login is by default disabled in /etc/ssh/sshd_config (PermitRootLogin property).
I eventually had to delete my instance and make a new one with the same disk. See https://cloud.google.com/compute/docs/troubleshooting/troubleshooting-ssh#use_your_disk_on_a_new_instance for details.
For me, my other teammates were able to login into the machine, but not me. So I asked them to create a user of my name with sudo rights, logged into serial console and changed passwordAuthentication to yes followed by sudo service ssh restart (for few this could be sudo service sshd restart.)
Post this I was able to login with
ssh -o PreferredAuthentications=password username@publicIP -p 22
This trick worked fine for me.
Reinitializing the gcloud with "gcloud init" and generating new ssh keys resolved the problem for me.
I had same issue.
I had connected the serial control and had checked logs. and there was some error log like "there is no disk space". Then I had resized disk as written in this document.
Now I am able to connect to instance with ssh.
Try switching to a different Internet connection
So, I was getting the same error but in my case I was not able to log in to the instance at all.
(base) girish@girish:~$ gcloud beta compute ssh --zone "asia-east1-b" "fp-1" --project "fp-public"
ssh: connect to host 12.345.678.90 port 22: Resource temporarily unavailable
ERROR: (gcloud.beta.compute.ssh) [/usr/bin/ssh] exited with return code [255].
(base) girish@girish:~$ gcloud beta compute ssh --ssh-flag='-vvv' --zone "asia-east1-b" "fp-1" --project "fp-public"
OpenSSH_7.6p1 Ubuntu-4ubuntu0.3, OpenSSL 1.0.2n 7 Dec 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: resolving "12.345.678.90" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to 12.345.678.90 [12.345.678.90] port 22.
[debug1: connect to address 12.345.678.90 port 22: Resource temporarily unavailable
ssh: connect to host 12.345.678.903 port 22: Resource temporarily unavailable
ERROR: (gcloud.beta.compute.ssh) [/usr/bin/ssh] exited with return code [255].
What worked for me:
I tried reinstalling lots of things and re-initializing various config and then landed on a thread which suggested changing the Internet network you are using, and it worked!!
It's possible you have a rule that only allows whitelisted IPs to ssh into a gcloud VM. So you may have forgotten to enable your work VPN or out of your work's office IP.
Try restarting your computer.
I got the same error and tried gcloud config ssh as mentioned previously to no avail. I then checked that the IDs and roles of serviceaccount and developer had 'editor' permissions, and that was fine. I started a new instance and logged out of all of my other google accounts and it still threw the error. Then, I restarted my computer and did not log back into my other google accounts. That fixed it.
When using IAP, GCP stores the key in instance metadata and then propagates that to the ~/.ssh/authorized_keys file.
You might get the error OP talks about when you remove the key from the ~/.ssh/authorized_keys file and it's still in the instance metadata. Reason being:
GCP checks that the user, key combo that you are using to ssh is already in the instance metadata.
It assumes that the key exists in the ~/.ssh/authorized_keys file for that user and doesn't propagate the key.
As the key doesn't exist in ~/.ssh/authorized_keys file for whatever reason (you deleted it, someone else deleted it etc. etc.) - you get access denied.
If this is the case with you, then fix is simple: remove the instance metadata entry for that user, key combo (have attached an image for ref, just click X and remove your faulty key) and try ssh again
What worked for me was turning my firewall on. (On a Mac, ssh'ing into a gcp instance).
In another instance of the error, my connection worked fine when I was on ethernet, but not when I was on wifi. Switching back to ethernet allowed me to connect again.
In my case sorted out the issue after restarting the VM.
if you are able to access the VM previously and suddenly giving SSH issues, give it a try by restarting.
Permission wise check whether you have IAP-secured Tunnel User
gcloud compute ssh --zone "your_zone" "instance_name" --tunnel-through-iap --project "project_name"
If this does not work, check with the GCP built-in SSH client, and click open in browser window.
Hope this helps!

Instance created by CloudStack not opening its console

After creating an instance from CloudStack UI, I can see the VMs:
# virsh list --all
 Id    Name                           State
----------------------------------------------------
 1     v-2-VM                         running
 4     s-1-VM                         running
 5     r-4-VM                         running
 8     i-2-5-VM                       running
 10    i-2-3-VM                       running
But when I try to start a console for an instance, say i-2-5-VM, I get the following:
# virsh console i-2-5-VM
Connected to domain i-2-5-VM
Escape character is ^]
Hereafter the console hangs, not even the command prompt comes. Then I have to press Ctrl+] to come back to the shell. Additional information:
# virsh ttyconsole i-2-5-VM
/dev/pts/4
I can ping to it, but cannot ssh.
Please let me know, how can I login to my instance ?
Start the console from the CloudStack GUI rather than the command line.
Also, if you want to see the details of the VM, you can install the GUI tool virt-manager, which will show you all the instances running on the KVM hypervisor and all their details (nics, volumes, memory, state etc.)