Qumulo in GCP: SSH to a Cloud Cluster

REQUIREMENTS

Qumulo cloud cluster in GCP running Qumulo Core 2.14.0 or above
Google Cloud Console access

DETAILS

In GCP, our instances use the google-accounts-daemon service to allow automatic configuration of SSH keys via instance metadata. GCP has various ways to transfer keys, automatically generate keys, and connect to the instances via SSH.

SSH to your Cloud Cluster via the Web Browser

GCP has a feature where users can SSH to their instances in the web browser via a button on the Instances page. If the button appears greyed out, then the user account does not have sufficient privileges to use SSH via the web browser. The SSH from the browser article from Google Cloud explains how to configure SSH from the browser.

SSH to your Cloud Cluster via the gcloud CLI Tool

GCP Instances can be accessed from the command line by running the following:

gcloud compute ssh --internal-ip USER@INSTANCE-NAME

You should have an SSH session on the remote machine. If you wish to use a different SSH key than the one that GCP automatically generates, run the following:

gcloud compute ssh --internal-ip USER@INSTANCE-NAME --ssh-key-file PATH_TO_PRIVATE_SSH_KEY

SSH to your Cloud Cluster via Traditional SSH

Traditional SSH can also be used to connect to the instance, if the instance has been specified to use a known key. We allow customers to provide their SSH key when they deploy their instances in the marketplace, as described in the Qumulo in GCP: Deploy an Instance article. This will propagate the key to each instance’s metadata, and it can be used for SSH outside of the browser.

Keys can also be added manually to an instance or project after creation and will be automatically usable by the instance after 5 to 10 minutes, or after a reboot. For more details, reference the Managing SSH keys in metadata Google Cloud article.

Manage SSH Access with OS Login

OS login is a feature of GCP which allows for faster and more reliable SSH connections via the browser or gcloud CLI. Using OS Login requires instances or the project containing the instance to be configured to use OS Login as outlined in the Enabling or disabling OS Login article from Google Cloud. This can be done for an instance by running:

gcloud compute instances add-metadata <INSTANCE-NAME> --metadata=enable-oslogin="TRUE"

The user attempting to use OS login also needs IAM roles configured. The Configuring OS Login roles on user accounts Google Cloud article explains how to configure OS Login for a user.

TROUBLESHOOTING

If having trouble running gcloud or browser SSH, try configuring OS login. Occasionally this has allowed a user to have access when previously they were getting stuck.

If various issues are continuing with OS login, try giving the user attempting the operation the Project/Owner IAM role.