Contact UsGet started
© 2024 Iron Hive LLC Belgrade

Getting started with the serial console

Written by
Updated at November 5, 2024

The serial console allows you to access a VM regardless of the network or OS status. For example, you can use the console to troubleshoot VM issues or when there are problems with SSH access.

To use the serial console, you need the сompute.admin or editor role.

Serial console access is disabled by default.

Warning

When assessing the risk of enabling access via the serial console, consider the following:

  • The VM can still be managed from the internet even if there is no external IP address.
    To access the VM serial console from the Yandex Cloud management console, a user must be authenticated in the Yandex Cloud management console and have the proper permissions to the VM. One can access the VM serial console from an SSH client application, such as PuTTY, or the YC CLI via SSH key authentication. To reduce the risk of web session hijacking, you should closely monitor your SSH key and make sure you terminate the web session.

  • The session will be simultaneously shared by all users who have access to the serial console.
    Users will be able to see each other's actions if concurrently watching the serial console's output.

  • A valid session can be exploited by another user.

We recommend using the serial console only when absolutely necessary, grant access to a narrow group of people, and use strong VM passwords.

Make sure you disable access after you finish using the serial console.

Getting started

Before you enable serial console access on a VM:

  1. Prepare the public and private key pair for SSH access to the VM. The serial console authenticates users via SSH keys.

  2. Create a text file (e.g., sshkeys.txt) and specify the following:

    <username>:<public_SSH_key_for_user>

    Example of a text file for yc-user:

    yc-user:ssh-ed25519 AAAAB3Nza......OjbSMRX yc-user@example.com

    By default, a user's SSH keys are stored in the user's ~/.ssh folder. You can get a public key by running the cat ~/.ssh/<public_key_name>.pub command.

Enabling the console when creating a VM from a public image

To enable access to the serial console when creating a VM, set the serial-port-enable parameter in the metadata to 1.

If you do not have the Yandex Cloud command line interface yet, install and initialize it.

The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

  1. View the description of the CLI command to create a VM:

    yc compute instance create --help

  2. Select a public image based on a Linux OS (such as Ubuntu).

    To get a list of available images using the CLI, run this command:

    yc compute image list --folder-id standard-images

    Result:

    +----------------------+-------------------------------------+--------------------------+----------------------+--------+
|          ID          |                NAME                 |          FAMILY          |     PRODUCT IDS      | STATUS |
+----------------------+-------------------------------------+--------------------------+----------------------+--------+
...
| fdvk34al8k5n******** | centos-7-1549279494                 | centos-7                 | dqni65lfhvv2******** | READY  |
| fdv7ooobjfl3******** | windows-2016-gvlk-1548913814        | windows-2016-gvlk        | dqnnc72gj2is******** | READY  |
| fdv4f5kv5cvf******** | ubuntu-1604-lts-1549457823          | ubuntu-1604-lts          | dqnnb6dc7640******** | READY  |
...
+----------------------+-------------------------------------+--------------------------+----------------------+--------+

  3. Create a VM in the default folder:

    yc compute instance create \
  --name first-instance \
  --zone ru-central1-a \
  --network-interface subnet-name=default-a,nat-ip-version=ipv4 \
  --create-boot-disk image-folder-id=standard-images,image-family=ubuntu-1604-lts \
  --metadata-from-file ssh-keys=sshkeys.txt \
  --metadata serial-port-enable=1

    This command will create a VM:

    A user named yc-user with the specified public key will be automatically created in the VM's OS.

Enabling the console when updating a VM

To enable access to the serial console when updating a VM, set the serial-port-enable parameter in the metadata to 1.

  1. Get a list of VMs in the default folder:

    yc compute instance list

    Result:

    +----------------------+-----------------+---------------+---------+----------------------+
|          ID          |       NAME      |    ZONE ID    | STATUS  |     DESCRIPTION      |
+----------------------+-----------------+---------------+---------+----------------------+
| fhm0b28lgfp4******** | first-instance  | ru-central1-a | RUNNING | my first vm via CLI  |
| fhm9gk85nj7g******** | second-instance | ru-central1-a | RUNNING | my second vm via CLI |
+----------------------+-----------------+---------------+---------+----------------------+

  2. Select the ID or NAME of the VM, e.g., first-instance.

  3. Set serial-port-enable=1 in the VM metadata:

    yc compute instance add-metadata \
  --name first-instance \
  --metadata-from-file ssh-keys=sshkeys.txt \
  --metadata serial-port-enable=1

    The command will start activating the serial console on the VM named first-instance.

Configuring a VM for serial port access

To configure access via the serial console, a VM must have a public IP address. You can look up the address in the management console in the Compute Cloud section, the Virtual machines page. If you created a VM without a public IP address, you can assign one. Once the configuration is complete, you can release the address. You do not need it for connections via the serial console.

For the serial console to be available from the OS, the OS must be configured properly:

Linux

To connect to the Linux serial console, make sure that password authentication is disabled for SSH and set a password for the appropriate OS user, if necessary.

Disable SSH password authentication

Note

SSH connections using a login and password are disabled by default on public Linux images that are provided by Yandex Cloud.

If you use your own image, make sure that SSH access with your username and password is disabled.

To disable SSH password authentication:

  1. Open the SSH server configuration file (/etc/ssh/sshd_config by default). Only a superuser has read and write access to the file.

  2. Set PasswordAuthentication to no.

  3. Restart the SSH server:

    sudo systemctl restart ssh*

Create a password for the Linux user

Some OS's may request user credentials to access a VM. Before connecting to such VMs, create a local password for the default user.

To create a local password, use the CLI.

  1. Get a list of VMs in the default folder:

    yc compute instance list

    Result:

    +----------------------+-----------------+---------------+---------+----------------------+
|          ID          |       NAME      |    ZONE ID    | STATUS  |     DESCRIPTION      |
+----------------------+-----------------+---------------+---------+----------------------+
| fhm0b28lgfp4******** | first-instance  | ru-central1-a | RUNNING | my first vm via CLI  |
| fhm9gk85nj7g******** | second-instance | ru-central1-a | RUNNING | my second vm via CLI |
+----------------------+-----------------+---------------+---------+----------------------+

  2. Select the ID or NAME of the VM, e.g., first-instance.

  3. Get the public IP address of the VM.

    yc compute instance get first-instance

    In the command output, find the address of the VM in the one_to_one_nat section:

    ...
one_to_one_nat:
  address: <public_IP_address>
  ip_version: IPV4
...

  4. Connect to the VM. For more information, see Connecting to a VM.

  5. Create a local password. In Linux, you can set a password using the passwd command:

    sudo passwd <username>

    Example for yc-user:

    sudo passwd yc-user

  6. Terminate the SSH session with the exit command.

Previous
Deleting a file storage
Next
Connecting to a serial console via SSH