Oracle Cloud Infrastructure

I tested the Oracle Cloud Services and in the end switched to the „Always Free cloud services“, which include the following:

Infrastructure

  • 2 AMD based Compute VMs with 1/8 OCPU and 1 GB memory each
  • 4 Arm-based Ampere A1 cores and 24 GB of memory usable as one VM or up to 4 VMs
  • 2 Block Volumes Storage, 200 GB total
  • 10 GB Object Storage – Standard
  • 10 GB Object Storage – Infrequent Access
  • 10 GB Archive Storage
  • Resource Manager: managed Terraform
  • 5 OCI Bastions

Databases

  • Your choice of Oracle Autonomous Transaction Processing, Autonomous Data Warehouse, Autonomous JSON Database, or APEX Application Development. Two databases total, each with 1 OCPU and 20 GB storage.
  • NoSQL Database with 133 million reads per month, 133 million writes per month, 25 GB storage per table, up to 3 tables.

Observability and Management

  • Monitoring: 500 million ingestion datapoints, 1 billion retrieval datapoints
  • Application Performance Monitoring: 1000 tracing events per hour
  • Logging: 10 GB per month
  • Notifications: 1 million sent through https per month, 1000 sent through email per month
  • Service Connector Hub: 2 service connectors

Additional services

  • Flexible Load Balancer: 1 instance, 10 Mbps
  • Flexible Network Load Balancer
  • Outbound Data Transfer: 10 TB per month
  • Virtual Cloud Networks (VCN): Maximum of 2 VCNs, includes IPv4 and IPv6 support
  • VCN Flow Logs: Up to 10 GB per month shared across OCI Logging services
  • Site-to-Site VPN: 50 IPSec connections
  • Content Management Starter Edition: 5000 assets per month
  • Certificates: 5 Private CA and 150 private TLS certificates

Installation

It is very easy to install a predefined image (for example Canonical Ubuntu, CentOS, Oracle Autonomous Linux, Oracle Linux or Oracle Linux Cloud Developer). You paste your public SSH key into the web interface and can log in to the system within seconds. You get a virtual machine with a public IP address. Now your journey can start.

Network Stuff

After your first tests you will want to make the system available to the world and open some ports. A port must be allowed in two places: in the Network Security Group of the virtual network and in the iptables firewall inside the virtual machine. First:

Network Security Group

Go to your Dashboard page and click on „Virtual Cloud Networks“, then choose the network you want to change. Now you can find „Network Security Groups“ on the left side, and there you can create a new group. In this group you define the ports you want to allow. Use 0.0.0.0/0 as the source to allow traffic from anywhere; do this only for services that really must be reachable from the whole Internet, and otherwise restrict the source to the address ranges that need access.

On your „instance“ page edit the „Network security groups:“ setting and click on „Another network security group“ to attach the group to your virtual machine.
Then you can check whether your ports are open. The group only controls traffic at the virtual network level; the firewall inside the VM (see below) must allow the port as well.

Opening Ports

With the following command you can get the full list of firewall rules and see which traffic is allowed or rejected.

iptables -L

Example output from a „Canonical Ubuntu“ system:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     udp  --  anywhere             anywhere             udp spt:ntp
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy DROP)
target     prot opt source               destination         
DOCKER-USER  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
InstanceServices  all  --  anywhere             link-local/16       

Chain DOCKER (2 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             172.18.0.2           tcp dpt:8443
ACCEPT     tcp  --  anywhere             172.18.0.4           tcp dpt:zabbix-trapper
ACCEPT     tcp  --  anywhere             172.18.0.2           tcp dpt:http-alt

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination         
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            

Chain DOCKER-USER (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain InstanceServices (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             169.254.0.2          owner UID match root tcp dpt:iscsi-target /* See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule */
ACCEPT     tcp  --  anywhere             169.254.2.0/24       owner UID match root tcp dpt:iscsi-target /* See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule */
ACCEPT     tcp  --  anywhere             169.254.4.0/24       owner UID match root tcp dpt:iscsi-target /* See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule */
ACCEPT     tcp  --  anywhere             169.254.5.0/24       owner UID match root tcp dpt:iscsi-target /* See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule */
ACCEPT     tcp  --  anywhere             169.254.0.2          tcp dpt:http /* See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule */
ACCEPT     udp  --  anywhere             169.254.169.254      udp dpt:domain /* See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule */
ACCEPT     tcp  --  anywhere             169.254.169.254      tcp dpt:domain /* See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule */
ACCEPT     tcp  --  anywhere             169.254.0.3          owner UID match root tcp dpt:http /* See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule */
ACCEPT     tcp  --  anywhere             169.254.0.4          tcp dpt:http /* See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule */
ACCEPT     tcp  --  anywhere             169.254.169.254      tcp dpt:http /* See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule */
ACCEPT     udp  --  anywhere             169.254.169.254      udp dpt:bootps /* See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule */
ACCEPT     udp  --  anywhere             169.254.169.254      udp dpt:tftp /* See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule */
ACCEPT     udp  --  anywhere             169.254.169.254      udp dpt:ntp /* See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule */
REJECT     tcp  --  anywhere             link-local/16        tcp /* See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule */ reject-with tcp-reset
REJECT     udp  --  anywhere             link-local/16        udp /* See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule */ reject-with icmp-port-unreachable

Add Ports

If you want to add a port, insert an ACCEPT rule for it. Note that the INPUT chain shown above ends with a REJECT rule (rule 6), so a rule appended with -A would land behind the REJECT and never match; insert it in front of that rule instead, and save the table so the rule survives a reboot:

iptables -I INPUT 6 -p tcp --dport 80 -j ACCEPT
netfilter-persistent save

and then check again with:

iptables -L
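The same port-opening step as a small script, added here as an example and not part of the original post: it locates the terminal REJECT rule of the INPUT chain from the listing, inserts the ACCEPT rule in front of it, and skips the insert if the rule already exists. The sample listing is constructed from the output shown above (in the `-n --line-numbers` form); the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): open a TCP port on the OCI Ubuntu image
# by inserting the ACCEPT rule in front of the final REJECT rule of the INPUT chain.
# A rule appended with -A would sit behind that REJECT and never match.

# Constructed sample of `iptables -L INPUT -n --line-numbers` on the image above
# (-n prints addresses and ports numerically, so "anywhere" becomes 0.0.0.0/0).
SAMPLE_INPUT_CHAIN='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:123
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
6    REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited'

# reject_position LISTING: print the rule number of the first REJECT or DROP rule
# in a numbered chain listing, or nothing when the chain has no such terminal rule.
reject_position() {
    printf '%s\n' "$1" | awk '$2 == "REJECT" || $2 == "DROP" { print $1; exit }'
}

# open_tcp_port PORT: idempotently insert the ACCEPT rule before the REJECT rule
# and persist the table. Needs root and a real iptables, so the test does not call it.
open_tcp_port() {
    port="$1"
    # left unquoted below on purpose so the shell splits it into separate arguments
    rule="-p tcp -m state --state NEW --dport $port -j ACCEPT"
    if iptables -C INPUT $rule 2>/dev/null; then
        echo "port $port/tcp is already open"
        return 0
    fi
    listing=$(iptables -L INPUT -n --line-numbers)
    pos=$(reject_position "$listing")
    if [ -n "$pos" ]; then
        iptables -I INPUT "$pos" $rule      # in front of the terminal REJECT
    else
        iptables -A INPUT $rule             # no terminal REJECT: appending is fine
    fi
    netfilter-persistent save
}
```

Run it as root, for example `open_tcp_port 80`; the NSG in the OCI console still has to allow the port as well.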

Add root user

By default you can only log in as the user „ubuntu“, with an SSH key and without a password. Sometimes you need a user with root (sudo) privileges, so I did the following (replace username with the name of the new user):

adduser username
usermod -aG sudo username
