This guide provides an example of how to install and set up your Landscape server on Google Cloud with cloud-init. The instructions here can be used for both standard or FIPS-compliant deployments.
For the most up-to-date documentation on Google Cloud, see Google Cloud’s documentation.
Contents:
- Install and set up Google Cloud CLI
- Deploy Landscape Server VMs with cloud-init
- Configure Landscape
- Clean up provisioning metadata containing secrets
- (Optional) Perform a complete teardown
Install and set up Google Cloud CLI
Install gcloud
To install gcloud
, run:
sudo snap install google-cloud-cli --classic
Connect gcloud
with your Google Cloud account
-
To initialize the Google Cloud CLI, run:
gcloud init
-
Enter Y when prompted with Would you like to log in (Y/n)?
-
Visit the authentication link provided
- The authentication link should start with
https://accounts.google.com/
- The authentication link should start with
-
Sign in with a Google account
-
Click Allow to grant access to the Google Cloud SDK
-
Click Copy to copy the verification code
-
Paste the verification code into the terminal window where the
gcloud init
process is running
If you complete the gcloud init
process successfully, you will receive the following output:
You are now logged in as [your@email.com].
Your current project is [None]. You can change this setting by running:
$ gcloud config set project PROJECT_ID
Provision resources and deploy
-
List the projects that are in your account:
gcloud projects list
You’ll receive output similar to:
PROJECT_ID NAME PROJECT_NUMBER project-id project-name 12345678910
-
Set your project ID to the
PROJECT_ID
environment variable. Replaceproject-id
with your personal project ID from the previous output:PROJECT_ID=project-id
This step isn’t required, but it’s recommended because the
PROJECT_ID
variable is used often. -
Connect
gcloud
to thisPROJECT_ID
:gcloud config set project $PROJECT_ID
This is where the Landscape virtual machine (VM) will be launched.
-
List the available cloud zones and cloud regions where VMs can be run:
gcloud compute zones list
You’ll receive output similar to:
NAME REGION STATUS NEXT_MAINTENANCE TURNDOWN_DATE us-east1-b us-east1 UP
-
Set the
ZONE
andREGION
environment variables. Replaceus-east1-b
andus-east1
with your desired zone and region from the previous output:ZONE=us-east1-b REGION=us-east1
-
Reserve a static IP address and label it
landscape-external-ip
:gcloud compute addresses create landscape-external-ip --region=$REGION
This step isn’t required, but it’s recommended because Landscape benefits from a static IP address assignment. A DNS record called an “A record” is responsible for pointing the fully qualified domain name (FQDN) to the Landscape Server’s IP address. If you use a static IP address, the A record doesn’t have to be updated every time the dynamic IP changes.
-
List the addresses you’ve created:
gcloud compute addresses list
-
Copy the IP address and set it as the A record value for the domain or subdomain that will serve as the FQDN. You set the A record in your DNS service.
-
Verify the A record using
nslookup
. Replace{landscape-fips.domain.com}
with your FQDN:nslookup {landscape-fips.domain.com}
You’ll receive output similar to:
Server: 127.0.0.53 Address: 127.0.0.53#53 Non-authoritative answer: Name: landscape-fips.domain.com Address: 34.139.255.120
If the address value in the
nslookup
output matches the value of thelandscape-external-ip
static IP address, the LetsEncrypt SSL provisioning step defined in the cloud-init configuration automation template will succeed.
Deploy Landscape Server VMs with cloud-init
Before beginning the deployment process with cloud-init, you must choose which of the two cloud-init configuration automation templates you want to use. In the Landscape Scripts Github repository, there are two Landscape Quickstart cloud-init configuration templates: cloud-init-quickstart.yaml
and cloud-init-quickstart-fips.yaml
.
The cloud-init-quickstart.yaml
template is designed for anyone, and the cloud-init-quickstart-fips.yaml
is designed for FIPS compliant deployments of Landscape Server. For more information, see how to install FIPS hardened Landscape Server.
Once you’ve chosen your configuration template, complete the following steps.
-
Set the
IMAGE_FAMILY
environment variable based on the cloud-init configuration you chose.-
If you’re using
cloud-init-quickstart.yaml
, run:curl -s https://raw.githubusercontent.com/canonical/landscape-scripts/main/provisioning/cloud-init-quickstart.yaml -o cloud-init.yaml IMAGE_FAMILY=ubuntu-pro-2204-lts
-
If you’re using
cloud-init-quickstart-fips.yaml
, run:curl -s https://raw.githubusercontent.com/canonical/landscape-scripts/main/provisioning/cloud-init-quickstart-fips.yaml -o cloud-init.yaml IMAGE_FAMILY=ubuntu-pro-fips-2004-lts
-
-
Open the downloaded cloud-init YAML file in an editor, determine which configuration parameters need to be changed between lines 4 and 32 and change these parameters.
The
HOSTNAME
on line 16 andDOMAIN
on line 19 must be changed. UpdatingEMAIL
on line 9, and adding your SendGrid API key on line 29 as theSMTP_PASSWORD
are optional, but strongly recommended. -
Run the following code to launch a machine with generally suitable resource specifications:
gcloud compute instances create landscape \ --zone $ZONE \ --machine-type=c3-standard-4 \ --address landscape-external-ip \ --tags http-server,https-server \ --boot-disk-size 200 \ --image-family $IMAGE_FAMILY \ --image-project ubuntu-os-pro-cloud \ --metadata-from-file user-data=cloud-init.yaml
You can also downgrade
machine-type
fromc3-standard-4
toe2-medium
, andboot-disk-size
from200
to20
for cost savings. However, thee2-medium
machine is a shared compute resource and using it may result in temporary and sporadic instability of the Landscape dashboard. This size machine should only be used for proof-of-concepts and limited testing. -
List all VMs in this project:
gcloud compute instances list
-
Observe the process by tailing the
cloud-init-output.log
file:gcloud compute ssh landscape --zone $ZONE --command "tail -f /var/log/cloud-init-output.log"
-
If you are a first time
gcloud
user, you’ll be prompted for a passphrase twice. This can be left blank. Press Enter twice to proceed:WARNING: The private SSH key file for gcloud does not exist. WARNING: The public SSH key file for gcloud does not exist. WARNING: You do not have an SSH key for gcloud. WARNING: SSH keygen will be executed to generate a key. Generating public/private rsa key pair. Enter passphrase (empty for no passphrase): Enter same passphrase again:
-
A reboot may be required during the cloud-init process. If a reboot is required, you’ll receive the following output:
2023-08-20 17:30:04,721 - cc_package_update_upgrade_install.py[WARNING]: Rebooting after upgrade or install per /var/run/reboot-required
If the
IMAGE_FAMILY
specified earlier contained all the security patches, this reboot step may not occur. -
Repeat the following code if a reboot was necessary to continue observing the log file:
gcloud compute ssh landscape --zone $ZONE --command "tail -f /var/log/cloud-init-output.log"
-
Wait until the cloud-init process is complete. When it’s complete, you’ll receive two lines similar to this:
cloud-init v. 23.2.2-0ubuntu0~20.04.1 running 'modules:final' at Sun, 20 Aug 2023 17:30:43 +0000. Up 25.14 seconds. cloud-init v. 23.2.2-0ubuntu0~20.04.1 finished at Sun, 20 Aug 2023 17:30:56 +0000. Datasource DataSourceGCELocal. Up 37.35 seconds
-
Press
CTRL + C
to terminate the tail process in your terminal window.
Configure Landscape
-
Navigate to the Landscape dashboard by entering the FQDN of the Landscape VM into a browser window
-
Provide a name, email address, and password for the first global administrator on the machine.
If the email address Landscape sends emails from should not be a subdomain based on the machine’s hostname, remove the hostname, or make the appropriate correction.
Alerts and administrator invitations sent via email are less likely to fail SPF or DMARC checks if the system email address is configured in a way the email service provider expects. If the email service provider sends emails which fail SPF and DMARC checks, mail delivery can be delayed or miscategorized as spam.
Clean up provisioning metadata containing secrets
To delete the cloud-init user-data
key, run:
gcloud compute instances remove-metadata landscape --zone $ZONE --keys=user-data
Cloud-init scripts are provided in a custom metadata key named user-data
. The user-data
key is consumed during instance creation and is executed when the instance starts. Sensitive information such as API keys shouldn’t be left visible within the custom metadata of the VM or in the cloud dashboard. Once the cloud-init process is complete, it’s safe to delete the cloud-init user-data
key.
(Optional) Perform a complete teardown
You may want to perform a teardown to clean up unused or unnecessary resources. This can help control costs and optimize resources. To perform a complete teardown:
-
Delete the VMs:
gcloud compute instances delete landscape --zone $ZONE
-
Release the static IP:
gcloud compute addresses delete landscape-external-ip --region $REGION