I tested the Oracle Cloud Services and in the end changed to the „Always Free cloud services“, which include the following:
Infrastructure
- 2 AMD based Compute VMs with 1/8 OCPU** and 1 GB memory each
- 4 Arm-based Ampere A1 cores and 24 GB of memory usable as one VM or up to 4 VMs
- 2 Block Volumes Storage, 200 GB total
- 10 GB Object Storage – Standard
- 10 GB Object Storage – Infrequent Access
- 10 GB Archive Storage
- Resource Manager: managed Terraform
- 5 OCI Bastions
Databases
- Your choice of Oracle Autonomous Transaction Processing, Autonomous Data Warehouse, Autonomous JSON Database, or APEX Application Development. Two databases total, each with 1 OCPU** and 20 GB storage.
- NoSQL Database with 133 million reads per month, 133 million writes per month, 25 GB storage per table, up to 3 tables.
Observability and Management
- Monitoring: 500 million ingestion datapoints, 1 billion retrieval datapoints
- Application Performance Monitoring: 1000 tracing events per hour
- Logging: 10 GB per month
- Notifications: 1 million sent through https per month, 1000 sent through email per month
- Service Connector Hub: 2 service connectors
Additional services
- Flexible Load Balancer: 1 instance, 10 Mbps
- Flexible Network Load Balancer
- Outbound Data Transfer: 10 TB per month
- Virtual Cloud Networks (VCN): Maximum of 2 VCNs, includes IPv4 and IPv6 support
- VCN Flow Logs: Up to 10 GB per month shared across OCI Logging services
- Site-to-Site VPN: 50 IPSec connections
- Content Management Starter Edition: 5000 assets per month
- Certificates: 5 Private CA and 150 private TLS certificates
Installation
It is very easy to install a predefined image (for example, Canonical Ubuntu, CentOS, Oracle Autonomous Linux, Oracle Linux or Oracle Linux Cloud Developer). You copy your public SSH key into the interface and you are able to log in to the system in seconds. Now your journey can start. You get a virtual machine with a public IP address.
Network Stuff
After your first test you will want to make the system available to the world and open some ports. Note that there are two filters in the way: the Network Security Group on the OCI side and iptables inside the VM, and a port is only reachable when both allow it.
First you have to:
Network Security Group
Go to your Dashboard page and click on „Virtual Cloud Networks“, then choose the network you want to change. On the left side you can find „Network Security Groups“, where you can create a new group. In this group you define the ports you want to open. Use 0.0.0.0/0 as the source CIDR to allow traffic from any address (if only a few addresses need access, enter their CIDRs instead).
On your „instance“ page edit the „Network security groups:“ entry and click on „Another network security group“ to attach the group to your virtual machine.
Then you can check if your ports are open.
Opening Ports
With the following command you get the full list of firewall rules of the VM, i.e. which traffic is accepted and which is rejected:
sudo iptables -L
Example output from a „Canonical Ubuntu“ system:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp spt:ntp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
InstanceServices all -- anywhere link-local/16
Chain DOCKER (2 references)
target prot opt source destination
ACCEPT tcp -- anywhere 172.18.0.2 tcp dpt:8443
ACCEPT tcp -- anywhere 172.18.0.4 tcp dpt:zabbix-trapper
ACCEPT tcp -- anywhere 172.18.0.2 tcp dpt:http-alt
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target prot opt source destination
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain InstanceServices (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere 169.254.0.2 owner UID match root tcp dpt:iscsi-target /* See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule */
ACCEPT tcp -- anywhere 169.254.2.0/24 owner UID match root tcp dpt:iscsi-target /* See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule */
ACCEPT tcp -- anywhere 169.254.4.0/24 owner UID match root tcp dpt:iscsi-target /* See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule */
ACCEPT tcp -- anywhere 169.254.5.0/24 owner UID match root tcp dpt:iscsi-target /* See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule */
ACCEPT tcp -- anywhere 169.254.0.2 tcp dpt:http /* See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule */
ACCEPT udp -- anywhere 169.254.169.254 udp dpt:domain /* See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule */
ACCEPT tcp -- anywhere 169.254.169.254 tcp dpt:domain /* See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule */
ACCEPT tcp -- anywhere 169.254.0.3 owner UID match root tcp dpt:http /* See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule */
ACCEPT tcp -- anywhere 169.254.0.4 tcp dpt:http /* See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule */
ACCEPT tcp -- anywhere 169.254.169.254 tcp dpt:http /* See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule */
ACCEPT udp -- anywhere 169.254.169.254 udp dpt:bootps /* See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule */
ACCEPT udp -- anywhere 169.254.169.254 udp dpt:tftp /* See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule */
ACCEPT udp -- anywhere 169.254.169.254 udp dpt:ntp /* See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule */
REJECT tcp -- anywhere link-local/16 tcp /* See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule */ reject-with tcp-reset
REJECT udp -- anywhere link-local/16 udp /* See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule */ reject-with icmp-port-unreachable
Add Ports
If you want to open an additional port, insert the rule in front of the final REJECT rule of the INPUT chain (rule 6 in the listing above); a rule appended with -A would land behind the REJECT and never match:
sudo iptables -I INPUT 6 -p tcp --dport 80 -j ACCEPT
sudo netfilter-persistent save
and then check again with:
iptables -L
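As an added example (not part of the original post), a small POSIX shell script that automates the step above: it reads the INPUT chain with rule numbers, finds the terminal REJECT rule and inserts the ACCEPT rule in front of it, and skips ports that are already open. The sample listing inside the script is constructed to mirror the Ubuntu output above; the script name open_port.sh is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post: open a TCP port on an OCI image
# by inserting the ACCEPT rule in front of the INPUT chain's final REJECT rule
# (a rule appended with -A lands behind the REJECT and never matches).

# Constructed sample of `iptables -L INPUT -n --line-numbers` (numeric, so the
# ssh/ntp names from the listing above appear as 22/123); used by the tests.
SAMPLE_INPUT_CHAIN='Chain INPUT (policy ACCEPT)
num  target  prot opt source     destination
1    ACCEPT  all  --  0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED
2    ACCEPT  icmp --  0.0.0.0/0  0.0.0.0/0
3    ACCEPT  all  --  0.0.0.0/0  0.0.0.0/0
4    ACCEPT  udp  --  0.0.0.0/0  0.0.0.0/0  udp spt:123
5    ACCEPT  tcp  --  0.0.0.0/0  0.0.0.0/0  state NEW tcp dpt:22
6    REJECT  all  --  0.0.0.0/0  0.0.0.0/0  reject-with icmp-host-prohibited'

# Print the rule number of the first REJECT or DROP rule in the chain listing
# read from stdin; prints nothing when the chain has no such terminal rule.
first_reject_pos() {
    awk '$2 == "REJECT" || $2 == "DROP" { print $1; exit }'
}

# Succeed (exit 0) if the listing on stdin already ACCEPTs TCP port $1, so a
# re-run of the script does not pile up duplicate rules.
port_already_open() {
    awk -v p="$1" '$2 == "ACCEPT" && $3 == "tcp" && $0 ~ ("dpt:" p "($| )") { f = 1 } END { exit !f }'
}

# Print the iptables command that opens TCP port $1 for the listing on stdin:
# -I in front of the terminal REJECT, or plain -A when there is no REJECT rule.
open_port_cmd() {
    pos="$(first_reject_pos)"
    if [ -n "$pos" ]; then
        printf 'iptables -I INPUT %s -p tcp --dport %s -j ACCEPT\n' "$pos" "$1"
    else
        printf 'iptables -A INPUT -p tcp --dport %s -j ACCEPT\n' "$1"
    fi
}

# Real run, only as root on a host with iptables:  sudo sh open_port.sh 80
if [ -n "$1" ] && [ "$(id -u)" = 0 ] && command -v iptables >/dev/null 2>&1; then
    listing="$(iptables -L INPUT -n --line-numbers)"
    if printf '%s\n' "$listing" | port_already_open "$1"; then
        echo "TCP port $1 is already accepted in INPUT"
    else
        cmd="$(printf '%s\n' "$listing" | open_port_cmd "$1")"
        echo "+ $cmd" && $cmd && netfilter-persistent save
    fi
fi
```

Remember that the port also has to be allowed in the Network Security Group; the script only takes care of the filter inside the VM.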
Add root user
By default you can only use the user „ubuntu“, only with an SSH key and without a password. Sometimes you need a root user, so I did the following (replace username with the new root username):
sudo adduser username
sudo usermod -aG sudo username