Review at amazon: SAP Cloud Platform

Last week i read this book:

Before starting with the Oracle Cloud i wanted to read something other than AWS or Microsoft Azure. I was surprised at the completely different target of this cloud in respect to AWS and Azure. It is much more focused on business and business value - which is clearly one core domains of SAP.

This book contains a very well written introduction into cloud services - many other books could take this as an example. Very impressing are the over 120 mainly conceptional pictures - they make it much easier to understand the SAP Cloud Platform.

If you are interested, take a look at my review at amazon.de (like all my reviews: written in german ;-).

Oracle Database 19c (19.3) released!

And after nearly 3 months of waiting - Oracle released 19c:

First special feature: The rpm is still there and the release is only done for Linux and Oracle Solaris.

To get to the Linux download page just click here.

But the Grid Infrastructure is still not delivered as RPM package. :-(

Wireguard: An easy way to build VPNs

Last week i came across the following tool:

https://www.wireguard.com/

If you want to build up a VPN you can choose one of the following strategies:

• based on IPSec
• using TLS

(These two are the options to choose - of course there are some others...)

The nice thing with wireguard (from the linux point of view) is, that the wireguard interfaces are handled like all other  network interfaces on your device.

If you are really interested in this way, you should read the whitepaper. Here some excerpts:

... IPSec ... updating these data structures based on the results of a key exchange, generally done with IKEv2 [13], itself a complicated protocol with much choice and malleability. The complexity, as well as the sheer amount of code, of this solution is considerable. Administrators have a completely separate set of firewalling semantics and secure labeling for IPsec packets.

... based solution that uses TLS. By virtue of it being in user space, it has very poor performance—since packets must be copied multiple times between kernel space and user space—and a long-lived daemon is required; OpenVPN appears far from stateless to an administrator.

A WireGuard interface,wg0, can be added and configured to have a tunnelIP address of10.192.122.3in a/24subnet with the standard ip(8)utilities...

One design goal of WireGuard is to avoid storing any state prior to authentication and to not send any responses to unauthenticated packets. With no state stored for unauthenticated packets, and with no response generated,WireGuard is invisible to illegitimate peers and network scanners. Several classes of attacks are avoided bynot allowing unauthenticated packets to influence any state. And more generally, it is possible to implement WireGuard in a way that requires no dynamic memory allocation at all, even for authenticated packets, as explained in section 7.

So next step is to install this VPN solution and see, if the administration is really so easy as promised...

Oracle VM Server: Working with ovm cli

After getting the ovmcli run, here some commands which are quite helpful, when you are working with Oracle VM server.
But first:
Starting the ovmcli is done via

ssh admin@localhost -p 10000

at the OVM Manager.

After that you can get some overviews:

OVM> list server
Command: list server
Status: Success
Time: 2019-01-25 06:56:55,065 EST
Data: 
  id:18:e2:a6:9d:5c:b6:48:3a:9b:d2:b0:0f:56:7e:ab:e9  name:oraclevm
OVM> list vm
Command: list vm
Status: Success
Time: 2019-01-25 06:56:57,357 EST
Data: 
  id:0004fb0000060000fa3b1b883e717582  name:myAlpineLinux
OVM> list ServerPool
Command: list ServerPool
Status: Success
Time: 2019-01-25 06:57:12,165 EST
Data: 
  id:0004fb0000020000fca85278d951ce27  name:MyServerPool

A complete list of all list commands can be obtained like this:

OVM> list ?
          AccessGroup
          AntiAffinityGroup
          Assembly
          AssemblyVirtualDisk
          AssemblyVm
          BondPort
          ControlDomain
          Cpu
          CpuCompatibilityGroup
          FileServer
          FileServerPlugin
          FileSystem
          Job
          Manager
          Network
          PeriodicTask
          PhysicalDisk
          Port
          Repository
          RepositoryExport
          Server
          ServerController
          ServerPool
          ServerPoolNetworkPolicy
          ServerUpdateGroup
          ServerUpdateRepository
          StorageArray
          StorageArrayPlugin
          StorageInitiator
          Tag
          VirtualAppliance
          VirtualApplianceVirtualDisk
          VirtualApplianceVm
          VirtualCdrom
          VirtualDisk
          VlanInterface
          Vm
          VmCloneCustomizer
          VmCloneNetworkMapping
          VmCloneStorageMapping
          VmDiskMapping
          Vnic
          VolumeGroup

An overview which kind of command can be used like list:

OVM> help
For Most Object Types:
    create  [(attribute1)="value1"] ... [on  ]
    delete  
    edit    (attribute1)="value1" ...
    list 
    show  
For Most Object Types with Children:
    add   to  
    remove   from  
Client Session Commands:
    set alphabetizeAttributes=[Yes|No]
    set commandMode=[Asynchronous|Synchronous]
    set commandTimeout=[1-43200]
    set endLineChars=[CRLF,CR,LF]
    set outputMode=[Verbose,XML,Sparse]
    showclisession
Other Commands:
    exit
    showallcustomcmds
    showcustomcmds 
    showobjtypes
    showversion

If you want to get you vm.cfg file, you can use the id from "list vm" and type:

OVM> getVmCfgFileContent Vm id=0004fb0000060000fa3b1b883e717582
Command: getVmCfgFileContent Vm id=0004fb0000060000fa3b1b883e717582
Status: Success
Time: 2019-01-25 06:59:46,875 EST
Data: 
  OVM_domain_type = xen_pvm
  bootargs = 
  disk = [file:/OVS/Repositories/0004fb0000030000dad74d9c43176d2e/ISOs/0004fb0000150000226a713414eaa501.iso,xvda:cdrom,r,file:/OVS/Repositories/0004fb0000030000dad74d9c43176d2e/VirtualDisks/0004fb0000120000f62a7bba83063840.img,xvdb,w]
  bootloader = /usr/bin/pygrub
  vcpus = 1
  memory = 512
  on_poweroff = destroy
  OVM_os_type = Other Linux
  on_crash = restart
  cpu_weight = 27500
  OVM_description = 
  cpu_cap = 0
  on_reboot = restart
  OVM_simple_name = myAlpineLinux
  name = 0004fb0000060000fa3b1b883e717582
  maxvcpus = 1
  vfb = [type=vnc,vncunused=1,vnclisten=127.0.0.1,keymap=en-us]
  uuid = 0004fb00-0006-0000-fa3b-1b883e717582
  guest_os_type = linux
  OVM_cpu_compat_group = 
  OVM_high_availability = false
  vif = []

Very helpful is the Oracle documentation (here).

Oracle Database 19c download

In january 2019 Oracle released the documentation for Oracle Database 19c.

More than 7 weeks later there is still nothing at https://www.oracle.com/downloads/:

The gap between release date of the documentation and the on premises software was for 18c not so long...

Will 19c on premises software be released before may? Or later in summer?

AWS: Accessing S3 buckets from the internet and from ec2 instances (2)

After accessing a S3 bucket from an ec2 instance by adding an IAM role to my EC2 instance, i tried to get the access from an ec2 instance by using a AWS endpoint.

First step: Launch an ec2 instance within your VPC and try to access your S3 bucket:

[ec2-user@ip-172-31-30-93 ~]$ wget https://s3-eu-west-1.amazonaws.com/my.webtest/website.json
--2019-02-02 18:29:28--  https://s3-eu-west-1.amazonaws.com/my.webtest/website.json
Auflösen des Hostnamen »s3-eu-west-1.amazonaws.com (s3-eu-west-1.amazonaws.com)«... 52.218.16.244
Verbindungsaufbau zu s3-eu-west-1.amazonaws.com (s3-eu-west-1.amazonaws.com)|52.218.16.244|:443... verbunden.
HTTP-Anforderung gesendet, warte auf Antwort... 403 Forbidden
2019-02-02 18:29:28 FEHLER 403: Forbidden.

Second step: change the bucket policy to this:

{
    "Version": "2012-10-17",
    "Id": "Policy1119991119999",
    "Statement": [
        {
            "Sid": "Access-to-specific-VPC-only",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "*",
            "Resource": [
                "arn:aws:s3:::my.webtest",
                "arn:aws:s3:::my.webtest/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:sourceVpc": "vpc-12e0cc74"
                }
            }
        }
    ]
}

The access to the bucket is still forbidden. So next step is to add the endpoint:
Goto VPC -> endpoint:

And then choose the following:

(Here you have to select your route table ID!!!)

After that everything works like expected:

[ec2-user@ip-172-31-30-93 ~]$ wget https://s3-eu-west-1.amazonaws.com/my.webtest/website.json
--2019-02-02 18:29:51--  https://s3-eu-west-1.amazonaws.com/my.webtest/website.json
Auflösen des Hostnamen »s3-eu-west-1.amazonaws.com (s3-eu-west-1.amazonaws.com)«... 52.218.53.66
Verbindungsaufbau zu s3-eu-west-1.amazonaws.com (s3-eu-west-1.amazonaws.com)|52.218.53.66|:443... verbunden.
HTTP-Anforderung gesendet, warte auf Antwort... 200 OK
Länge: 130 [application/json]
In »»website.json.1«« speichern.

100%[===============================================================================================================>] 130         --.-K/s   in 0s      

2019-02-02 18:29:51 (5,28 MB/s) - »»website.json.1«« gespeichert [130/130]

Oracle VM Server: OVM CLI via ssh admin@localhost -p 10000 does not work

In my Oracle VM server installation the ovmcli refuses to work:

ssh -l admin localhost -p 10000 

Connection to localhost closed by remote host.

Connection to localhost closed.

There some workarounds like:

ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -oHostKeyAlgorithms=+ssh-dss -l  admin localhost -p 10000

But the result is the same.

Here a debug output from ssh -v:

[root@oraVMManager mnt]# ssh -l admin localhost -p 10000  -v
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 58: Applying options for *
debug1: Connecting to localhost [::1] port 10000.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 2.0, remote software version ${POM.ARTIFACTID}-${POM.VERSION}
debug1: no match: ${POM.ARTIFACTID}-${POM.VERSION}
debug1: Authenticating to localhost:10000 as 'admin'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: diffie-hellman-group1-sha1
debug1: kex: host key algorithm: ssh-dss
debug1: kex: server->client cipher: aes128-cbc MAC: hmac-sha1 compression: none
debug1: kex: client->server cipher: aes128-cbc MAC: hmac-sha1 compression: none
debug1: kex: diffie-hellman-group1-sha1 need=20 dh_need=20
debug1: kex: diffie-hellman-group1-sha1 need=20 dh_need=20
debug1: sending SSH2_MSG_KEXDH_INIT
debug1: expecting SSH2_MSG_KEXDH_REPLY
debug1: Server host key: ssh-dss SHA256:E6FYsSD9om4ChxJT17vBGUyqHmz3kLLAIxxJZlYjJCM
debug1: Host '[localhost]:10000' is known and matches the DSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: password,publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /root/.ssh/admin
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: Authentication succeeded (publickey).
Authenticated to localhost ([::1]:10000).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: pledge: network
debug1: Sending environment.
debug1: Sending env LANG = de_DE.UTF-8
debug1: channel 0: free: client-session, nchannels 1
Connection to localhost closed by remote host.
Connection to localhost closed.
Transferred: sent 3224, received 1432 bytes, in 0.0 seconds
Bytes per second: sent 2461309.8, received 1093236.9
debug1: Exit status -1

The solution was:
Upgrade the OVM Manager (take a look here)

And then:

ssh -l admin localhost -p 10000  -v
SHA256:pidDB23XNyVHE55Q7GJ+9uqJvBfoR3B1lm02gdYeus8
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
SHA256:pidDB23XNyVHE55Q7GJ+9uqJvBfoR3B1lm02gdYeus8.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending DSA key in /root/.ssh/known_hosts:1
RSA host key for [localhost]:10000 has changed and you have requested strict checking.
Host key verification failed.

Ok - this was not expected, but the upgrade changed the host key.

But after removing that line from the known_hosts file:

[root@oraVMManager mnt]# ssh -l admin localhost -p 10000  
OVM> list server
Command: list server
Status: Success
Time: 2019-01-25 05:52:14,849 EST
Data: 
  id:18:e2:a6:9d:5c:b6:48:3a:9b:d2:b0:0f:56:7e:ab:e9  name:oraclevm
OVM> ?
     add
     create
     delete
     edit
     embeddedcreate
     embeddeddelete
     embeddededit
     exit
     help
     list
     remove
     set
     show
     showallcustomcmds
     showclisession
     showcustomcmds
     showobjtypes
     showversion