
Cloud Servers

Classification: CONFIDENTIAL — Internal Use Only

This section documents GCP-hosted servers and Cloud Run services in the gpus-infra project.


GCP VM Fleet — cloud.us (us-central1-a)

All VMs follow the SKY baseline template: Rocky Linux 8.10, CIS hardened, 2-disk LVM layout (50GB boot + 50GB data pd-ssd), AIDE + auditd (immutable -e 2) + Fail2ban + SELinux enforcing + firewalld default-drop. Admin account: cloudadmin. SSH key: same ed25519 key as WDC servers.

| Host | FQDN | IP | Machine Type | vCPU | RAM | Role | Status |
|---|---|---|---|---|---|---|---|
| OAK | oak.cloud.us | 172.16.0.10 | n2-standard-2 | 2 | 8GB | Security Scanner | ✅ Running |
| MAPLE | maple.cloud.us | 172.16.0.12 | e2-standard-2 | 2 | 8GB | Cloud Monitoring | ✅ Running |
| CEDAR | cedar.cloud.us | 172.16.0.13 | e2-standard-4 | 4 | 16GB | Cloud Logging | ✅ Running |

OAK — 172.16.0.10

Role: Security Scanner — OpenVAS/Greenbone Community Container

LVM Data Disk Layout:

| LV | Mount | Size | Purpose |
|---|---|---|---|
| var_log | /var/log | 15G | System logs |
| var_log_audit | /var/log/audit | 10G | Audit logs |
| openvas | /var/lib/openvas | 15G | OpenVAS scan data |
| backup | /backup | 8G | Local backup staging |

Services:

| Service | Port | Status |
|---|---|---|
| Docker CE 26.1.3 | | ✅ Active |
| Greenbone/OpenVAS | 9392 (localhost only) | ✅ Running |
| node_exporter | 9100 | ✅ Active |
| Wazuh Agent | outbound → MAPLE:1514 | ✅ Active |
| fail2ban | | ✅ Active |
| auditd | | ✅ Immutable |
| firewalld | | ✅ Active (drop) |

OpenVAS Access (SSH tunnel):

ssh -N -L 9392:127.0.0.1:9392 cloudadmin@172.16.0.10
# Browser: http://localhost:9392
# Login: admin / (see password manager)

The remote side of the tunnel must match the port the gsa container publishes on OAK's loopback: 9392 per the services table, and the stock Greenbone community compose publishes plain HTTP on 127.0.0.1:9392. If the compose file on OAK has been changed to publish TLS on another port (for example 443), use that port as the tunnel's remote end and https:// in the browser instead. GSA is never exposed beyond loopback; the tunnel is the only supported access path.

Weekly Scan Schedule: Sunday 01:00 UTC — targets all 7 servers (WDC + GCP) over VPN.

Docker MTU fix (GCP requirement):

# /etc/docker/daemon.json
{"mtu": 1460}

Greenbone compose: /root/greenbone/docker-compose.yml
Registry: registry.community.greenbone.net/community/
Autostart: systemctl enable greenbone


MAPLE — 172.16.0.12

Role: Cloud Monitoring — Prometheus + Grafana + Wazuh Manager

LVM Data Disk Layout:

| LV | Mount | Size | Purpose |
|---|---|---|---|
| var_log | /var/log | 10G | System logs |
| var_log_audit | /var/log/audit | 8G | Audit logs |
| prometheus | /var/lib/prometheus | 25G | Prometheus TSDB (90d retention) |
| backup | /backup | 5G | Local backup staging |

Services:

| Service | Port | Status |
|---|---|---|
| Prometheus v2.51.0 | 9090 | ✅ Active |
| Grafana | 3000 | ✅ Active |
| Wazuh Manager | 1514/1515 | ✅ Active |
| node_exporter | 9100 | ✅ Active |
| Webmin | 10000 | ✅ Active |
| fail2ban | | ✅ Active |
| auditd | | ✅ Immutable |
| firewalld | | ✅ Active (drop) |

Prometheus scrape targets:

| Job | Target | Labels |
|---|---|---|
| wdc-sky | 192.168.120.1:9100 | site=wdc, role=dns-dhcp |
| wdc-rain | 192.168.120.2:9100 | site=wdc, role=dns-dhcp |
| wdc-sun | 192.168.120.3:9100 | site=wdc, role=monitoring |
| wdc-wind | 192.168.120.4:9100 | site=wdc, role=logging |
| cloud-oak | 172.16.0.10:9100 | site=gcp, role=scanner |
| cloud-maple | localhost:9100 | site=gcp, role=monitoring |
| cloud-cedar | 172.16.0.13:9100 | site=gcp, role=logging |
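The scrape_configs section that the target table describes, written out as an added example (this is not a copy of the prometheus.yml deployed on MAPLE). One job per table row keeps the job names above usable as selectors in Grafana; the 30s scrape_interval is an assumption, as is the file path, and the WDC targets are assumed to be reached over the same VPN the weekly scans use.

```yaml
# /etc/prometheus/prometheus.yml on MAPLE (added example; interval and path assumed)
global:
  scrape_interval: 30s

scrape_configs:
  - job_name: wdc-sky
    static_configs:
      - targets: ['192.168.120.1:9100']
        labels: {site: wdc, role: dns-dhcp}
  - job_name: wdc-rain
    static_configs:
      - targets: ['192.168.120.2:9100']
        labels: {site: wdc, role: dns-dhcp}
  - job_name: wdc-sun
    static_configs:
      - targets: ['192.168.120.3:9100']
        labels: {site: wdc, role: monitoring}
  - job_name: wdc-wind
    static_configs:
      - targets: ['192.168.120.4:9100']
        labels: {site: wdc, role: logging}
  - job_name: cloud-oak
    static_configs:
      - targets: ['172.16.0.10:9100']
        labels: {site: gcp, role: scanner}
  - job_name: cloud-maple
    static_configs:
      - targets: ['localhost:9100']
        labels: {site: gcp, role: monitoring}
  - job_name: cloud-cedar
    static_configs:
      - targets: ['172.16.0.13:9100']
        labels: {site: gcp, role: logging}
```

Run `promtool check config /etc/prometheus/prometheus.yml` before restarting Prometheus; a WDC job showing `up == 0` while the GCP jobs are healthy is the quickest indicator that the VPN path, not node_exporter, is down.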

Note

Wazuh Manager and Wazuh Agent cannot coexist on the same host. MAPLE runs the manager only and self-monitors via the manager process.

rsyslog forwarding: All logs → CEDAR:5140


CEDAR — 172.16.0.13

Role: Cloud Logging — ELK Stack + Wazuh Agent

LVM Data Disk Layout:

| LV | Mount | Size | Purpose |
|---|---|---|---|
| var_log | /var/log | 10G | System logs |
| var_log_audit | /var/log/audit | 8G | Audit logs |
| elasticsearch | /var/lib/elasticsearch | 20G | ES data |
| logstash | /var/lib/logstash | 8G | Logstash data |
| backup | /backup | 2G | Local backup staging |

Services:

| Service | Port | Status |
|---|---|---|
| Elasticsearch 8.19.13 | 9200 | ✅ Active (green) |
| Logstash 8.19.13 | 5140 (syslog in) | ✅ Active |
| Kibana 8.19.13 | 5601 | ✅ Active |
| Wazuh Agent | outbound → MAPLE:1514 | ✅ Active |
| node_exporter | 9100 | ✅ Active |
| Webmin | 10000 | ✅ Active |
| fail2ban | | ✅ Active |
| auditd | | ✅ Immutable |
| firewalld | | ✅ Active (drop) |

Elasticsearch config: X-Pack security is disabled for internal use (xpack.security.enabled: false). This means the REST API on 9200 and Kibana on 5601 accept unauthenticated plaintext connections, so their exposure rests entirely on firewalld (default-drop) on CEDAR; do not add allow rules for 9200 or 5601 beyond the hosts that actually need them, and treat any re-enabling of xpack.security as requiring TLS and credentials for Logstash and Kibana as well. Config at /etc/elasticsearch/elasticsearch.yml. JVM heap: 4GB.

Logstash pipeline: Syslog input on TCP 5140 → ES daily index cloud-logs-YYYY.MM.dd (one index per UTC day).
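A pipeline file that implements the one-line description above, added here as an example and not a copy of the pipeline installed on CEDAR. The path under /etc/logstash/conf.d/ is assumed; the ES endpoint is loopback because Elasticsearch runs on the same host, and no credentials are set because xpack.security is disabled.

```conf
# /etc/logstash/conf.d/cloud-logs.conf on CEDAR (added example; path assumed)
input {
  syslog {
    # The syslog input binds 5140 on both TCP and UDP; rsyslog on the other
    # hosts forwards over TCP. Open UDP 5140 in firewalld only if you need it.
    port => 5140
    type => "syslog"
  }
}

output {
  elasticsearch {
    # Security disabled on this ES (see above): plain HTTP, no user/password.
    hosts => ["http://127.0.0.1:9200"]
    # Daily index, matching the cloud-logs-YYYY.MM.dd naming in this section.
    index => "cloud-logs-%{+YYYY.MM.dd}"
    ilm_enabled => false
  }
}
```

Check the file with `/usr/share/logstash/bin/logstash --config.test_and_exit -f /etc/logstash/conf.d/cloud-logs.conf` before restarting Logstash; the `%{+YYYY.MM.dd}` sprintf format uses the event's @timestamp in UTC, which is what keeps the index name aligned with the schedule times elsewhere on this page.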

Initial ES password (auto-generated on install): stored in the password manager and deliberately not reproduced here. With security disabled it is not required for API access; keep it on file for when xpack.security is re-enabled.


Cloud Run Services

| Service | Cloud Run Name | URL | Status |
|---|---|---|---|
| MkDocs Portal | gpus-mkdocs-portal | https://infra.greenpeace.us | ✅ Running |
| Status Site | gpus-status-site | https://status.greenpeace.us | ✅ Running |
| Status Backend | gpus-status-backend | (internal) | ✅ Running |
| Security Site | gpus-security-site | https://security.greenpeace.us | ✅ Running |
| Security Backend | gpus-security-backend | (internal) | ✅ Running |
| SOC Site | gpus-soc-site | https://soc.greenpeace.us | ✅ Running |
| SOC Backend | gpus-soc-backend | (internal) | ✅ Running |

Cloud NAT

Cloud NAT (gpus-nat) on router gpus-nat-router provides outbound internet access for GCP VMs — required for package installs, GCS access, and container registry pulls.


GCP Build Lessons Learned

Key lessons from OAK/MAPLE/CEDAR provisioning (2026-03-20 to 2026-03-24):

  1. NM connection name is "Wired connection 1" — not "System eth0"
  2. 169.254.169.254 must be added to /etc/hosts as metadata.google.internal
  3. gsutil auth: Create /etc/boto.cfg with `service_account = default` under a `[GoogleCompute]` section so gsutil uses the VM's attached service account; setting the GOOGLE_APPLICATION_CREDENTIALS env var does not work with the installed gsutil
  4. LVM: Install lvm2 manually before any LVM commands
  5. EPEL: Install epel-release before fail2ban
  6. cloudadmin: Create with useradd cloudadmin — not pre-created on Rocky 8 GCP image
  7. sshd drop-in: Create /etc/ssh/sshd_config.d/ directory first
  8. AIDE: Default config is empty — use explicit config with database paths; db must be >1MB (142 bytes = broken config)
  9. SELinux context: Any binary extracted from /tmp gets user_tmp_t — run restorecon -v /usr/local/bin/<binary> immediately after moving, before starting the service
  10. Docker MTU: Set {"mtu": 1460} in /etc/docker/daemon.json for GCP networking
  11. Greenbone registry: Use registry.community.greenbone.net/community/ — Docker Hub and GHCR require authentication
  12. Cloud NAT: Required for all outbound internet access — gpus-nat-router / gpus-nat provisioned via Terraform
  13. Mac VPN route: sudo route add -net 172.16.0.0/24 -interface ppp0 after every VPN connect
  14. Prometheus/binary services: Always run restorecon on binaries before systemctl start or SELinux will block execution with status=203/EXEC
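A post-provisioning check that turns the file-system items in the list above into something you can run on a freshly built VM before handing it over. This is an added example for this page, not one of the GPUS build scripts. Each check takes the file or value it inspects as an argument so it can be run against fixtures; the defaults are the paths the lessons name, except the AIDE database path, which is assumed (the explicit AIDE config from lesson 8 decides the real one).

```shell
#!/bin/sh
# baseline-check.sh: post-provisioning checks for the GCP build lessons.
# Added example, not a GPUS provisioning script. "--run" executes every check
# on the local host; without arguments the functions are only defined.

# Lesson 2: 169.254.169.254 must map to metadata.google.internal in /etc/hosts.
check_hosts_metadata() {
    grep -Eq '^[[:space:]]*169\.254\.169\.254[[:space:]]+(.*[[:space:]])?metadata\.google\.internal([[:space:]]|$)' \
        "${1:-/etc/hosts}" 2>/dev/null
}

# Lesson 3: /etc/boto.cfg must carry "service_account = default" so gsutil uses the VM SA.
check_boto_cfg() {
    grep -Eq '^[[:space:]]*service_account[[:space:]]*=[[:space:]]*default[[:space:]]*$' \
        "${1:-/etc/boto.cfg}" 2>/dev/null
}

# Lesson 6: the admin account exists (not pre-created on the Rocky 8 GCP image).
check_user() {
    getent passwd "${1:-cloudadmin}" >/dev/null 2>&1
}

# Lesson 7: the sshd drop-in directory must exist before a drop-in is written there.
check_sshd_dropin_dir() {
    [ -d "${1:-/etc/ssh/sshd_config.d}" ]
}

# Lesson 8: a database of a few hundred bytes means an empty AIDE config; require > 1 MB.
# Default path is an assumption; use the database path from the explicit AIDE config.
check_aide_db() {
    db="${1:-/var/lib/aide/aide.db.gz}"
    [ -f "$db" ] || return 1
    size=$(wc -c < "$db" | tr -d ' ')
    [ "$size" -gt 1048576 ]
}

# Lesson 10: the Docker daemon MTU must be 1460 on GCP.
check_docker_mtu() {
    grep -Eq '"mtu"[[:space:]]*:[[:space:]]*1460([^0-9]|$)' \
        "${1:-/etc/docker/daemon.json}" 2>/dev/null
}

# Lessons 9 and 14: a binary moved out of /tmp keeps user_tmp_t until restorecon runs,
# and systemd then fails it with status=203/EXEC. $1 is a SELinux context string.
context_ok() {
    case "$1" in
        *:user_tmp_t:*) return 1 ;;
        *) return 0 ;;
    esac
}

# Baseline: auditd rules locked (-e 2). $1 is the output of `auditctl -s` (default: run it).
audit_immutable() {
    printf '%s\n' "${1:-$(auditctl -s 2>/dev/null)}" | grep -Eq '^enabled[[:space:]]+2$'
}

run_all() {
    rc=0
    for c in check_hosts_metadata check_boto_cfg check_user check_sshd_dropin_dir \
             check_aide_db check_docker_mtu audit_immutable; do
        if "$c"; then echo "PASS $c"; else echo "FAIL $c"; rc=1; fi
    done
    # Every binary under /usr/local/bin must already carry a proper context.
    for f in /usr/local/bin/*; do
        [ -f "$f" ] || continue
        ctx=$(stat -c %C "$f" 2>/dev/null)
        if context_ok "$ctx"; then :; else echo "FAIL context $f ($ctx)"; rc=1; fi
    done
    return "$rc"
}

case "${1:-}" in
    --run) run_all ;;
esac
```

Run it as `sudo sh baseline-check.sh --run` on the new VM; a non-zero exit means at least one lesson was missed. The lessons that are not file checks (the NetworkManager connection name, EPEL ordering, Cloud NAT, the Mac VPN route) are procedural and are not covered by the script.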

Cloud Servers · v2.1 · 2026-04-07 · GPUS-IT · Classification: CONFIDENTIAL — Internal Use Only