Getting started with the serial console
The serial console allows you to access a VM regardless of the network or OS status. For example, you can use the console for troubleshooting VM issues or when there are problems with SSH access.
Serial console access is disabled by default.
Warning
Assess the risk of enabling access via the serial console considering the following:
-
The user will be able to manage the VM from the internet even if there is no external IP address.
To access the VM serial console from the Yandex.Cloud management console, the user must be authenticated in the Yandex.Cloud management console and have the proper rights to the VM. The user can also access the VM serial console from an SSH client application (such as PuTTY) or the YC CLI via SSH key authentication. In this regard, to reduce the risk of web session hijacking, the user needs to carefully monitor the SSH key and end the web session.
-
The session will be simultaneously shared by all users who have access to the serial console.
Users will be able to see each other's actions when they're watching the serial console's output.
-
A valid session can be exploited by another user.
We recommend using the serial console only when absolutely necessary, grant access to a narrow group of people, and use strong VM passwords.
Make sure you disable access when you finish working with the serial console.
Federated users can only connect to the serial console using the CLI or SSH. These users can't access the serial console from the Yandex.Cloud management console.
Before you start
Before you enable serial console access on a VM:
-
Prepare the key pair (public and private keys) for SSH access to the VM. The serial console authenticates users via SSH keys.
-
Create a text file (for example,
sshkeys.txt) and specify the following:<user name>:<user's public SSH keyExample of a text file for
yc-user:yc-user:ssh-rsa AAAAB3Nza......OjbSMRX yc-user@example.comBy default, a user's SSH keys are stored in the
~/.sshdirectory of this user. You can get a public key by runningcat ~/.ssh/<public key name>.pub.
Enabling the console when creating a VM from a public image
To enable access to the serial console when creating a VM, set the serial-port-enable parameter in metadata to 1.
If you don't have the Yandex.Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.
-
View the description of the CLI command for creating a VM:
$ yc compute instance create --help -
Select a public image based on the Linux OS (such as Ubuntu).
To get a list of available images, run the following command:
yc compute image list --folder-id standard-imagesCommand execution result:
+----------------------+-------------------------------------+--------------------------+----------------------+--------+ | ID | NAME | FAMILY | PRODUCT IDS | STATUS | +----------------------+-------------------------------------+--------------------------+----------------------+--------+ ... | fdvk34al8k5nltb58shr | centos-7-1549279494 | centos-7 | dqni65lfhvv2den5gtv9 | READY | | fdv7ooobjfl3ts9gqp0q | windows-2016-gvlk-1548913814 | windows-2016-gvlk | dqnnc72gj2ist3ktjj1p | READY | | fdv4f5kv5cvf3ohu4flt | ubuntu-1604-lts-1549457823 | ubuntu-1604-lts | dqnnb6dc7640c5i968ro | READY | ... +----------------------+-------------------------------------+--------------------------+----------------------+--------+ -
Create a VM in the default folder:
$ yc compute instance create \ --name first-instance \ --zone ru-central1-a \ --network-interface subnet-name=default-a,nat-ip-version=ipv4 \ --create-boot-disk image-folder-id=standard-images,image-family=ubuntu-1604-lts \ --metadata-from-file ssh-keys=sshkeys.txt \ --ssh-key ~/.ssh/<public key name>.pub \ --metadata serial-port-enable=1This command creates the VM:
- With Ubuntu.
- Named
first-instance. - In the
ru-central1-azone. - With the serial console active.
A user named
yc-userwill be automatically created in the VM's OS with the specified public key.
-
View the description of the CLI command for creating a VM:
$ yc compute instance create --help -
Select a public image for Windows.
To get a list of available images, run the following command:
yc compute image list --folder-id standard-imagesCommand execution result:
+----------------------+-------------------------------------+--------------------------+----------------------+--------+ | ID | NAME | FAMILY | PRODUCT IDS | STATUS | +----------------------+-------------------------------------+--------------------------+----------------------+--------+ ... | fdvk34al8k5nltb58shr | centos-7-1549279494 | centos-7 | dqni65lfhvv2den5gtv9 | READY | | fdv7ooobjfl3ts9gqp0q | windows-2016-gvlk-1548913814 | windows-2016-gvlk | dqnnc72gj2ist3ktjj1p | READY | | fdv4f5kv5cvf3ohu4flt | ubuntu-1604-lts-1549457823 | ubuntu-1604-lts | dqnnb6dc7640c5i968ro | READY | ... +----------------------+-------------------------------------+--------------------------+----------------------+--------+ -
Create a VM in the default folder:
$ yc compute instance create \ --name win-instance \ --metadata-from-file user-data=metadata.yaml \ --zone ru-central1-c \ --network-interface subnet-name=default-c,nat-ip-version=ipv4 \ --create-boot-disk image-folder-id=standard-images,image-family=windows-2016-gvlk \ --metadata serial-port-enable=1This command creates the VM:
- With Windows.
- Named
win-instance. - In the
ru-central1-czone. - With the serial console active.
The
Administratoruser with the password specified in themetadata.yamlfile will be automatically created in the OS.
Enabling the console when updating a VM
To enable access to the serial console when editing the VM settings, set the serial-port-enable parameter in metadata to 1.
If you don't have the Yandex.Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.
-
Get a list of VMs in the default folder:
$ yc compute instance list +----------------------+-----------------+---------------+---------+----------------------+ | ID | NAME | ZONE ID | STATUS | DESCRIPTION | +----------------------+-----------------+---------------+---------+----------------------+ | fhm0b28lgfp4tkoa3jl6 | first-instance | ru-central1-a | RUNNING | my first vm via CLI | | fhm9gk85nj7gcoji2f8s | second-instance | ru-central1-a | RUNNING | my second vm via CLI | +----------------------+-----------------+---------------+---------+----------------------+ -
Select the VM
IDorNAME(for example,first-instance). -
Set
serial-port-enable=1in the VM metadata:$ yc compute instance add-metadata \ --name first-instance \ --metadata serial-port-enable=1This command will start activating the serial console on the machine named
first-instance.
Configuring a VM for serial port access
For the serial console to be available from the operating system, the OS must be configured accordingly:
Linux
To connect to the Linux serial console, make sure that SSH password authentication is disabled and, if necessary, set a password for the appropriate OS user.
Disable SSH password authentication
Note
SSH connections using a login and password are disabled by default on public Linux images that are provided by Yandex.Cloud.
If you use your own image, make sure that SSH access with your username and password is disabled.
To disable SSH password authentication:
-
Open the configuration file on the SSH server (
/etc/ssh/sshd_configby default). Only a superuser has read and write access to the file. -
Set the
PasswordAuthenticationoption tono. -
Restart the SSH server:
$ sudo systemctl restart ssh
Create a password for a Linux user
Some operating systems may request user data to access the VM. Before connecting to these machines, create a local password for the default user.
To create a local password, use the CLI.
If you don't have the Yandex.Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.
-
Get a list of VMs in the default folder:
$ yc compute instance list +----------------------+-----------------+---------------+---------+----------------------+ | ID | NAME | ZONE ID | STATUS | DESCRIPTION | +----------------------+-----------------+---------------+---------+----------------------+ | fhm0b28lgfp4tkoa3jl6 | first-instance | ru-central1-a | RUNNING | my first vm via CLI | | fhm9gk85nj7gcoji2f8s | second-instance | ru-central1-a | RUNNING | my second vm via CLI | +----------------------+-----------------+---------------+---------+----------------------+ -
Select the VM
IDorNAME(for example,first-instance). -
Get the VM's public IP address.
$ yc compute instance get first-instanceIn the command output, find the address of the VM in the
one_to_one_natsection:... one_to_one_nat: address: <public IP address> ip_version: IPV4 ... -
Connect to the VM. For more information, see Connecting to a VM.
-
Create a local password. In Linux, you can set a password using the
passwdcommand:$ sudo passwd <user name>Example for
yc-user:$ sudo passwd yc-user -
Terminate the SSH session with the
exitcommand.
Windows
An equivalent of the serial console in Windows is the Speicial Administration Console (SAC).
Note
If you created your VM after February 22, 2019, you don't need to configure anything else: the SAC is enabled by default.
If you created it before February 22, 2019, you need to update the Windows registry to connect to the SAC:
-
To do this, run
cmdor PowerShell and execute the following commands:$ bcdedit /ems "{current}" on The operation completed successfully. $ bcdedit /emssettings EMSPORT:2 EMSBAUDRATE:115200 The operation completed successfully. -
Restart the VM.