Problem: I want to only open access to some services on my OCI Instance(s) to my home IP address (pihole for example). However, my home IP is dynamic, changing every week or so or whenever my router restarts.

Solution: Have my router do a HTTP GET on a publicly open website running on an instance, which allows the site to record my home public IP. A script runs periodically on an instance, and if the IP has changed, update OCI ingress firewall rules (using the OCI Python API) to allow that IP address.

Warnings:

1. Backup your rules first. Since the API doesn't let us modify rules in-place, we need to replace them all with updated versions - so if something goes wrong, you could end up with an empty ingress rule-set, and be locked out.
2. Have a backup way into your instances in case something like the above happens - see the Oracle Free Tier VPS - Best Practices post (e.g. use the magical Tailscale, and/or have a local console login ready and tested).
3. Don't publicise the URL where your incoming PHP script lives (or the key) from step 2 below. This should really be more secure (https, a key exchange) to avoid risk of abuse / denial of service attacks - left as an exercise for the reader :-)
4. Caveat Emptor. Should be obvious, but use anything here at your own risk. This works for me, and has done so flawlessly for some time, but the script was thrown together quickly, APIs change - YMMV.

Step 1 - Router Ping

I have a MikroTik router which makes this nice and easy. I initially wrote a RouterOS script to only ping my site when the router's assigned public IP address changed, but shortly after a reboot / IP change Internet access was unreliable so pings could go missing - so the script now pings the website every minute.

{
:local posterURL "http://aa.bb.cc.dd/poster.php?key=12345";

# GET to webserver watching for calls, so it gets current public IP
/tool fetch url=$posterURL keep-result=no;
}

Step 2 - Script to Record Public IP

Save the IP address of the client to a local file using a simple PHP script served by a webserver on an instance (Apache, Nginx, your choice). Simple double-check for a key so nobody else can potentially DoS us.

<?php
        $ipaddress = getenv("REMOTE_ADDR") ;
        echo "Client IP $ipaddress <br>";

        $queryString = $_SERVER['QUERY_STRING'];

        if (str_contains($queryString, 'key=12345')) {
                $myfile = fopen("/abc/xyz/currentip.txt", "w") or die("Unable to open file. Argh.");
                fwrite($myfile, $ipaddress);
                fclose($myfile);

                echo "Done.<br>";
        } else {
                echo "Undone.<br>";
        }
?>

Step 3 - Use OCI API to Update Firewall Rules

Import libraries we need - the oci one is key, you'll need to install it first, see the quickstart reference docs link below. Also setup logging - level is debug since we want lots of detail - and the output format I prefer:

import oci
import json
import os
from datetime import datetime
import logging
import os.path
from os import path

logging.basicConfig(level=logging.DEBUG, format='%(asctime)s - %(name)s - %(levelname)s - %(message)s')

Check if we have an IP address saved from home router (by above PHP script). If one exists and it is different from the last address we used for an update, then proceed. Otherwise exit now.

# first check for IP posted from home router, if none then exit.
ipFilename = '/xxx/xxx/currentip.txt'

savedIP = '10.0.0.123'  # safe fallback JIC
try:
  with open(ipFilename) as file:
    savedIP = file.read().strip()
    logging.info(f'Got IP: {savedIP}')
except:
  logging.info('No IP file, exiting peacefully.')
  exit()

lastIPFilename = '/tmp/poster-lastip.txt'

# have a posted home IP, check if different from last seen/update
if path.exists(lastIPFilename):
  # contains last IP we updated the FW rules to, so if it's the same as the one we just got, we can ignore and no update needed.
  with open(lastIPFilename) as lastIPfile:
    lastIP = lastIPfile.read().strip()
    logging.info(f'Got last update IP: {lastIP}')
    if (lastIP == savedIP):
      # is same as last update, so no need to do another update
      os.remove(ipFilename)
      logging.info('Same IP as last update, exiting.')
      exit()
    else:
      logging.info(f'New IP {savedIP} differs from last update IP {lastIP}, carrying on.')
else:
  logging.info(f'No last update IP saved, so carrying on.')

Init the main oci object, reading config from the OCI config file usually saved locally in ~/.oci along with your private key (xxx.pem), and set values we'll need later:

config = oci.config.from_file()

# Initialize service client with default config file
core_client = oci.core.VirtualNetworkClient(config)

# consts.
network_compartment_name = "ManagedCompartmentForPaaS"
vcn_cidr_range = "10.0.0.0/16"
vcn_subnet_cidr_range = "10.0.0.0/24"

# hardcoded specific values - can get most programatically, but easier to hardcode for now.
vcn_id = "ocid1.vcn.oc1.XXXXXX-YYYYYYYYyjkpeva"
vcn_name = "vcn-XXXX-YYYY"
# hardcode security list name
sl_name = "Default Security List for vcn-XXXX-YYYY"
vcn_sl_id = "ocid1.securitylist.oc1.AAAAAA-BBBBBBBBBBmegoq"

Get existing ingress rules (and dump them to disk just in case before we modify them). The API doesn't allow us to modify existing individual rules, instead we need to replace them all with our modified versions:

# get the current security list data (ingress rules since we'll be updating those)
get_security_list_response = core_client.get_security_list(
    security_list_id=vcn_sl_id)
current_vcn_sl=json.loads(str(get_security_list_response.data.ingress_security_rules))

# write details before modifying... JIC
with open('vcn_ingress_list_before.json', "w") as f:
   json.dump(current_vcn_sl, f, ensure_ascii=False, indent=4)

Define the rules we wish to update, making any required changes - in this case, we only change the IP address. In this example, I'm updating 2 rules for DNS via TCP and UDP respectively. To see how existing rules are represented, inspect the populated "current_vcn_sl" variable above which will contain all your existing rules and their config parameters:

# updated rules that we want to replace/update existing ones
sl_update_rules=[
    {
      "description": "DNS TCP",
      "icmp_options": None,
      "is_stateless": False,
      "protocol": "6",
      "source": '' + savedIP + '/32',
      "source_type": "CIDR_BLOCK",
      "tcp_options": {
        "destination_port_range": {
          "max": 53,
          "min": 53
        },
        "source_port_range": None
      },
      "udp_options": None
    },

    {
      "description": "DNS UDP",
      "icmp_options": None,
      "is_stateless": False,
      "protocol": "17",
      "source": '' + savedIP + '/32',
      "source_type": "CIDR_BLOCK",
      "tcp_options": None,
      "udp_options": {
        "destination_port_range": {
          "max": 53,
          "min": 53
        },
        "source_port_range": None
      }
    }

    ]

Build a new list of every rule (since we need to replace them all, even if they are not changing). Build a list of the rules we don't want to change, and append our changed rules defined above:

# test conditional update - skip existing with the same description
# try adding current_vcn_sl items one by one, *unless* their same "description" exists in sl_update_rules, then skip as we'll be updating it.
updateRuleDescriptions = ""
for i in sl_update_rules:
  updateRuleDescriptions += "__" + i['description'] + "__"

logging.info(f'Rules to update: {updateRuleDescriptions}')

# for a rule to be replaced, it must already exist with same description as above
newUpdateRulesString = "[" # string for now
for i in current_vcn_sl:
  if not (i.get('description') is None) and (i['description'] in updateRuleDescriptions): # handle value "None" too
    # we're going to replace this one with an updated version, so skip it
    logging.info(f"Skipping existing rule as will update/replace: {i['description']}")
    pass
  else:
    newUpdateRulesString = newUpdateRulesString + json.dumps(i) + ","
    logging.info(f"Keeping existing rule unmodified: {i['description']}")

# strip trailing comma, and append closing bracket
newUpdateRulesString = newUpdateRulesString[:-1] + "]"

# we now have a list of all existing rules, besides those we want to update - so append the new ones
newUpdateRules = json.loads(newUpdateRulesString) + sl_update_rules

Define a function to help us update the entire security list in the next step:

##################################################################
# API to update the security list doesn’t expect a JSON object, 
#   so use this function to update the rules into something the API expects using IngressSecurityRule, 
#   this function would be called for every one of the rules
########################
def makeIngressRules(t):
    if t.get('tcp_options') is None:
       theseTcpOptions = None
    else:
        theseTcpOptions = oci.core.models.TcpOptions(
                    destination_port_range=oci.core.models.PortRange(
                        max=t['tcp_options']['destination_port_range']['max'],
                        min=t['tcp_options']['destination_port_range']['min']),
                    )

    if t.get('udp_options') is None:
       theseUdpOptions = None
    else:
        theseUdpOptions = oci.core.models.UdpOptions(
                    destination_port_range=oci.core.models.PortRange(
                        max=t['udp_options']['destination_port_range']['max'],
                        min=t['udp_options']['destination_port_range']['min']),
                    )

    if t.get('icmp_options') is None:
       theseIcmpOptions = None
    else:
        theseIcmpOptions = oci.core.models.IcmpOptions(
                        type=t['icmp_options']['type'],
                        code=t['icmp_options']['code']
                        )

    return(oci.core.models.IngressSecurityRule(
        source=t['source'],
        icmp_options=theseIcmpOptions,
        protocol=t['protocol'],
        source_type=t['source_type'],
        is_stateless=t['is_stateless'],
        tcp_options=theseTcpOptions,
        udp_options=theseUdpOptions,
        description=t['description'])
        )

Use the above function to update the security list with the complete list of all ingress rules, unchanged and changed:

updateReturn = core_client.update_security_list(
    security_list_id=vcn_sl_id,
    update_security_list_details=oci.core.models.UpdateSecurityListDetails(
        display_name=sl_name,
        ingress_security_rules=[makeIngressRules(t) for t in newUpdateRules]
))

Finally tidy up, delete the recorded IP file, save the new IP address for comparison on the next run.

if (updateReturn.status == 200):
  # delete IP file
  logging.info(f"Deleting IP file")
  try:
    os.remove(ipFilename)
  except:
    logging.info(f"Failed to remove IP file.")

  # log IP just updated, so next time we can check any new IPs against this, and only update FW if they differ
  logging.info(f'Updating last change IP file')
  try:
    with open(lastIPFilename, "w") as updateFile:
      updateFile.write(savedIP)
      logging.info("Updated last updated IP file.")
  except:
    logging.error("Failed to update last updated IP file")
    
else:
  logging.info(f"Final status not 200, not deleting IP file or updating last updated file.")

Step 4 - Schedule the Script to run periodically

A cron job is probably easiest, something like

# every minute, look for new IP address file and update FW rules
* * * * *       /home/ubuntu/XXX/YYY.py >> /home/ubuntu/XXX/YYY.log 2>&1

References

• Python SDK for Oracle Cloud Infrastructure main page (v2.95.0 is latest at as March 2023). An excellent resource, start with the installation instructions / quickstart sections.

I asked ChatGPT to "Write me a story about the early days of computing, using as many terms from the Jargon File as possible". This was the first result.

In the early days of computing, the world was a different place. There were no smartphones, no laptops, and no Internet. Instead, there were giant mainframe computers, blinking lights, and punch cards.

One of the pioneers of this era was a man named Bill. He was a hacker, in the true sense of the word. He loved nothing more than tinkering with computers, exploring their inner workings, and pushing them to their limits.

Bill worked at a university, where he had access to one of the most powerful mainframes in the world. He spent countless hours in the machine room, typing away at the console, surrounded by the hum of the cooling fans.

At first, Bill was just a neophyte, struggling to understand the arcane commands and cryptic error messages that filled the screen. But he was determined to learn, and he quickly became a wizard with the tools of his trade.

He learned to program in a variety of languages, from FORTRAN to assembly. He wrote elegant, efficient code that could do things that no one had ever thought possible. He created elaborate algorithms, recursive functions, and elegant data structures.

But Bill didn't just write code for its own sake. He was a hacker with a cause. He wanted to use his skills to make the world a better place. He believed that computers could be a powerful tool for social change, if only they were used correctly.

So he started working on a project that he called the "Hackers' Manifesto." It was a bold vision for a future in which everyone had access to computers, and in which the power of technology was harnessed for the greater good.

To make this vision a reality, Bill knew that he would need to recruit other like-minded hackers. And so he began to network, using the primitive tools of the day: bulletin board systems, usenet, and email.

He met other hackers who shared his passion, and together they formed a loose-knit community that spanned the globe. They called themselves the "Netizens," and they believed that the Internet was the key to a brighter future.

Together, the Netizens worked on a variety of projects. They created software tools that made it easier to use computers. They built networks that allowed people to communicate with each other from anywhere in the world. And they fought against the forces of corporate greed and government censorship that threatened to stifle innovation and creativity.

In the end, the Netizens' vision prevailed. Today, we live in a world that is more connected, more open, and more innovative than ever before. And it all started with a few intrepid hackers, like Bill, who saw the potential of computers and dared to dream of a better future.

If you lose access to an instance (e.g. by forgetting/losing your SSH keys, or a server update breaks SSH access due to file permission changes) then you can try the following options, in order of increasing effort.

For future reference, tailscale's wonderful ssh feature would mitigate this too since accessing your ssh server via tailscale's ssh feature safely bypasses key authentication anyway.

Use the OCI Console to login

If you followed best practices and created a password for a local account (with sudo rights) then use the OCI Console to connect to your instance from a browser, and fix the issue.

Boot into Single User Mode

You can use the instance's serial console to boot into Single User Mode, and from there you should have the access to fix whatever needs fixing.

Follow the instructions in Oracle's documentation:

• Troubleshooting Instances Using Instance Console Connections

Use a Bastion

Thanks to reddit user Need2Survive, this works nicely (original post):

• Create a bastion in the same VCN (it's free)
• Create a bastion session into the corrupted host by generating or adding a known key
• Copy the SSH command generated and connect by replacing the <privateKey> part (2 times)
• You will be logged into the instance.
• Fix the issue(s) e.g. by editing /home/opc/.ssh/authorized_keys

Using Another Instance

the least fun of all, but good as a last resort (assuming you can spin up a new instance or reuse an existing one). Again thanks to user Needs2Survive.

• Terminate instance preserving boot volume
• Bring up another Linux instance from scratch
• Attach the boot volume as additional volume, run attach commands and mount it
• Edit the file /home/opc/.ssh/authorized_keys to add the required key
• Disconnect and detach the additional volume
• Terminate the second instance
• Create new instance from the fixed boot volume

Oracle References

• https://blogs.oracle.com/cloud-infrastructure/post/recovering-opc-user-ssh-key-on-oracle-cloud-infrastructure

Assuming you're using a private Ubuntu Server, Ghost will run in a container for convenience, with a local MySQL instance, and Apache2 as a reverse proxy.

Step 1 - install docker

Instructions at https://docs.docker.com/engine/install/ubuntu/, installing from docker's apt repo:

sudo apt-get update

sudo apt-get install \
    ca-certificates \
    curl \
    gnupg \
    lsb-release

sudo mkdir -p /etc/apt/keyrings

curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg

echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu \
  $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

sudo apt-get update

sudo apt-get install docker-ce docker-ce-cli containerd.io docker-compose-plugin

Test docker with:

sudo docker run hello-world

Step 2 - Setup MySQL User and DB

Create a user "ghost", a database with the same name, and give the ghost user all rights to the ghost database:

CREATE USER 'ghost'@'localhost' IDENTIFIED BY 'passwordxxx';
create database ghost;
GRANT ALL PRIVILEGES ON ghost.* TO 'ghost'@'%';

Step 3 - Configure MySQL to listen to Docker gateway IP

For containers to see services on the host, like MySQL / MariaDB, those services need to listen to the Docker network's gateway IP - 172.17.0.1 by default.

For MySQL, edit the MySQL config file:

sudo nano /etc/mysql/mysql.conf.d/mysqld.cnf

and change "bind-address" to append the gateway IP address:

bind-address            = 127.0.0.1,172.17.0.1

Some older versions of MySQL don't support multiple different listening addresses, in which case YMMV.

Step 4 - setup the Ghost docker container

Create a folder to store Ghost content outside container, and the docker compose YAML config file:

mkdir ~/ghost

and then create ghost.yaml in folder, replacing XXX as required (assuming you're using a local MySQL database, with a database user "ghost" and database named "ghost", setup in the next step):

version: '3.1'

services:

  ghost:
    image: ghost:latest
    restart: always
    ports:
      - 2368:2368
    volumes:
      - /XXX/ghost/content:/var/lib/ghost/content:z
    environment:
      # see https://ghost.org/docs/config/#configuration-options
      database__client: mysql
      database__connection__host: 172.17.0.1
      database__connection__user: ghost
      database__connection__password: passwordxxx
      database__connection__database: ghost
      url: https://blog.johnswitzerland.com
      # defaults to PROD env unless you override here
      #NODE_ENV: development

Use docker compose to fetch, configure and start the latest Ghost container image:

docker compose -f ghost.yaml up

Step 5 - Apache as a Reverse Proxy

I chose Apache2, NGINX is also an easy substitute.

Apache needs the following modules enabled:

• headers
• proxy_http

And config for the site needs to include something like this:

        RequestHeader set X-Forwarded-Proto "https"
        SSLProxyEngine on

        ProxyRequests Off
        <Proxy *>
          Order deny,allow
          Allow from all
        </Proxy>

        ProxyPreserveHost On
        ProxyPass "/" "http://localhost:2368/"
        ProxyPassReverse "/" "http://localhost:2368/"

        <Location />
          Order allow,deny
          Allow from all
        </Location>

Where:

1. RequestHeader is required to avoid Ghost redirect loops (endless 301/302 responses) - letting Ghost know Apache is handling SSL and not to try and redirect to a secure link
2. ProxyPreserveHost is required to pass your full Ghost public domain name to Ghost, rather than the internal address specified by ProxyPass

Links to handy references. Oracle's documentation is generally excellent, worth looking before asking.

General

/r/oraclecloud is a great place to search for answers and ask questions, plenty of helpful souls around.

Oracle

1. Free Tier docs top level
   • Always Free Resources section (including specifics of what counts as "free tier")
   • Unused instances can be reclaimed by Oracle, and what defines "unused"
   • Incoming bandwidth is free, and a very generous 10 TB outbound data a month. You can track it via Billing & Cost Management --> Cost Analysis (Show: Usage, Filter --> Service, Network)
2. OCI Free Tier Frequently Asked Questions
   • Accepted payment methods in particular state "We accept credit cards and debit cards that function like credit cards. We do not accept debit cards with a PIN, virtual cards, or prepaid cards."
3. If you go paid (PAYG highly recommended for free tier users), the Oracle Cost Estimator is excellent
   • You can also easily set up a cost alert, for both actual and projected spend, for extra peace of mind.
4. After switching to PAYG, enabling 2FA / MFA on your logins - especially those with OCI admin access - is crucial. You don't want anyone creating instances and costing you money, or getting access to existing instances. See the well written IAM MFA (Identity & Access Management - Multi-Factor Authentication) guide
   • u/threehappypenguins recently shared the process they followed here:
   • Sign into the console
   • Menu > Identity & Security > Users
   • Federation > OracleIdentityCloudService
   • find the link to "Oracle Identity Cloud Service Console" in the Identity Provider Information section
   • Security section / menu item
   • followed steps 7-10 from here (a few things are different, but it's generally the same).
   • Sign in again and you should be prompted to setup MFA.
5. Cloud Customer Connect community
6. TOS / Terms of Service - what not to do with your free resources if you want to avoid your instances / account being terminated:
   7. TOS document
   8. Good discussion / breakdown of the above
7. OCI status page

My son asked ChatGPT to "write a poem about appreciation as a kid":

Nature's canvas, painted bright,
With colors that are pure and light,
Each leaf and petal, every tree,
A masterpiece for you and me.

The sun, it rises in the east,
And sets in the west, with perfect peace,
It warms the earth and lights the way,
For all that live and grow each day.

The moon and stars, they shine so bright,
A beacon in the dark of night,
They guide us through the darkest hours,
And light the path to better powers.

So let us take a moment now,
To gaze upon this beauty, wow,
For nature's art is all around,
And always here, to astound.

"CrowdSec offers a crowd-based cyber security suite to protect your online services, visualize & act upon threats, and a TIP (Threat Intel Platform) to block malicious IPs."

Why CrowdSec

From your perspective, CrowdSec helps protect your public-facing server(s) from malicious scanners trying to abuse open ports, brute force passwords, scan webservers for vulnerabilities - and generally keeps your logfiles free of most junk. It is both proactive and reactive.

You also get a great free dashboard which lets you see CrowdSec in action across all your servers.

From a community perspective, it uses collected info from all users to improve everyone's protection dynamically (far better than an isolated reactive-only tool like Fail2Ban) - and also as a bonus hurts dodgy actors by forcing them to change IP addresses.

Installing CrowdSec on Ubuntu Server

Follow the install instructions at https://docs.crowdsec.net/docs/getting_started/install_crowdsec

# Step 1 - add crowdsec repos for easy updates/removal
curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | sudo bash

# step 2 - install crowdsec detection (monitor attempts by parsing logfiles) 
apt install crowdsec

# step 3 - install a bouncer so crowdsec can take actions to block etc
apt install crowdsec-firewall-bouncer-iptables

That will instal the most common firewall bouncer (using iptables to block offending IP addresses dynamically). There are also tons of blockers for use in your applications themselves (e.g. wordpress, PHP) or to help with blocking for specific providers like CloudFlare or AWS.

Whitelist your own IPs

Whitelisting your own addresses is suggested - handy to know you won't be locked out of your own webserver when you do a mass vulnerability scan for example :-)

Create / edit /etc/crowdsec/parsers/s02-enrich/mywhitelists.yaml and add something like:

name: crowdsecurity/whitelists
description: "Whitelist events from my fixed ip addresses"
whitelist:
  reason: "thine own ip ranges"
  ip:
    - "100.xxx.xxx.xxx"
    - "100.xxx.xxx.xxx"
    - "100.xxx.xxx.xxx"
    - "100.xxx.xxx.xxx"

and then restart the crowdsec service

sudo service crowdsec restart

Whitelist Google and other Search Engine IPs

You probably also want to ensure that search engines are whitelisted to avoid any chance of accidentally blocking good spiders / indexing services.

Install the "SEO Bots Whitelist" postoverflow (which does have a slight performance impact):

cscli postoverflows install crowdsecurity/seo-bots-whitelist
sudo service crowdsec restart

Testing Crowdsec

If you've got everything running and want to test your setup is working, one easy way is to temporarily block your own IP address, and then confirm access is blocked (e.g. website won't load for you):

cscli decisions add --ip 1.2.3.4 --duration 5m --reason "Bouncer ban test"

Handy CLI cheat sheet

# pretty-list all installed collections
sudo cscli hub list

# list active decisions (append --ip to be specific)
sudo cscli decisions list

# list alerts (stay around after decisions expire)
sudo cscli alerts list

# list ipset IPs currently in place for blocking (by bouncer).
# pipe to "head" to see summary as list can be looooong
sudo ipset list crowdsec-blacklists | less

# to see the ipset list DROP rule
sudo iptables -S | grep crowdsec

# check list of bouncers
sudo cscli bouncers list

# update hub index
sudo cscli hub update
# and then upgrade collections/parsers/scenarios/overflows
sudo cscli hub upgrade

# rerun the setup wizard at any time (attempt to autodetect collections etc)
/usr/share/crowdsec/wizard.sh -c

# Test a logfile entry against the current setup to see what happens
sudo cscli explain --log "Jan 16 00:08:39 oracle sshd[49646]: Disconnected from authenticating user root 36.89.217.30 port 55820 [preauth]" --type syslog

Troubleshooting

1. check both the crowdsec and crowdsec-firewall-bouncer services (and any other bouncers you may have installed) are running
2. Check the logs - /var/log/crowdsec*
3. Use the CLI's explain functionality to see why something is or isn't being flagged (example above in the cheat-sheet)
4. The CrowdSec discord server is full of helpful people willing to assist, and also a great resource to search for any issues you may be having (from basic through to advanced custom scenarios)

Oracle offers a very generous free tier (although a little too generous perhaps which has led to temporary capacity issues in some regions - see FAQ).

"Each tenancy gets the first 3,000 OCPU hours and 18,000 GB hours per month for free to create Ampere A1 Compute instances using the VM.Standard.A1.Flex shape (equivalent to 4 OCPUs and 24 GB of memory). Each tenancy also gets two VM.Standard.E2.1.Micro instances for free" --Oracle

I have the following instances on the free tier:

• 2x VM.Standard.E2.1.Micro instances (AMD processor - each with 1 OCPU + 1GB RAM) running Ubuntu Minimal. Good for smaller workloads.
• 2x VM.Standard.A1.Flex instances (ARM processor - each with 2 OCPUs and 12GB RAM) running Ubuntu Server. Great performance.

While this hasn't happened to me personally, I have seen many people locked out of their instances for various reasons, which can result in data loss or the loss of the instance if you have to delete it and then run into capacity issues in your region. So make sure you have a backup access plan...

Simple: Password Enabled User Account

Make sure you have a local user account which has sudo privileges and a password set. In an emergency, you can use the OCI Console Connection to login to your instances from the web.

I suggest using an account other than the default "ubuntu" (assuming youre using an Ubuntu imge) for security reasons, e.g. the default "opc" account - and then be sure to test it works before moving on:

sudo passwd opc
sudo usermod -aG sudo opc

I also recommend ensuring you use certificates for SSH authentication, not passwords. If you do use passwords for some reason, ensure the above account is not permitted to login.

Better: Enable Tailscale SSH on your instances

Tailscale is pure magic freely available to everyone :-)

I strongly recommend setting up a Tailnet and adding all your instances to it with Tailscale SSH enabled. This lets you SSH securely into your instances from any of your Tailscale machines (linux, windows, mac) without needing a separate password or certificate - and as if that isn't enough, you can even SSH into your instances from the web!

Once you have a Tailscale account, register each instance (and enable SSH access):

sudo tailscale up --ssh

then from any other machine on your Tailscale network (windows, mac, linux) you can connect to the instance (without needing a password or certificate):

ssh <tailscale-machine-ip>

Note: You might want to disable Tailscale key expiry on your instances - otherwise you'll need to reauthenticate each of them after the default 180 days, which may be an issue if the only way you can connect is via Tailscale - see the first recommendation above for enabling OCI Console connections).

Don't Let Your Instances Sit Idle for Long

Oracle will sometimes reclaim (free tier) instances which are idle for extended periods to free up scarce free-tier capacity.

Oracle defines an instance as idle if, during a 7-day period, these all apply:

• CPU utilization for the 95th percentile is less than 10%
• Network utilization is less than 10%
• Memory utilization is less than 10% (applies to A1 shapes only)

So make sure you actually USE them - setup CrowdSec, a simple website, a container running your favourite service - the options are endless.

You can also convert your account to PAYG to avoid idle instances being reclaimed - highly recommended, as you still pay nothing if you stay within free tier limits.

Back Up Your Content

This should be obvious, and applies to everything not just Oracle - back up your data (content, config, etc). Anything you'd regret losing if you permanently lost access to your instances or account tomorrow - back it up.

Oracle allows multiple backups of each volume which don't count against your storage limit. And make you also backup offsite.

Enable 2FA

Oracle pretty much insists on this nowadays for good reasons - so enable 2-factor authentication on your OCI account to protect your setup.

Process is fairly straightforward - see my 2FA notes on my Oracle Free Tier  Notes and References page for a guide.

If you're paranoid (like me) you can also create a new local (non-federated) OCI user account which doesn't use 2FA for emergencies (with a very strong password, and only used in emergencies). Just to be sure to add it to the Administrators group.