You have a Debian instance running in Google Cloud Compute Engine. You connect to this instance via SSH. One day you decide to enable the UFW firewall and your SSH connection drops. You cannot reconnect.
The problem is that enabling UFW without first allowing SSH blocked your own SSH access.
This article shows two methods of solving this problem.
The first method creates a startup-script that disables UFW. The second method attaches the boot disk to another instance and modifies the UFW configuration file (etc/ufw/ufw.conf) on that disk to disable the firewall.
Log in to the Google Cloud Console. Go to Compute Engine -> VM instances. Click on your instance. Click on the Edit button.
Scroll down to the section “Custom metadata”. For Key enter startup-script. For Value enter the command that disables UFW.
Click the Save button.
Note: An alternative is to have the startup-script allow SSH instead of disabling the firewall:
/usr/sbin/ufw allow ssh
Reboot your instance. During the reboot, the startup-script runs and disables the UFW firewall. Log into your instance using SSH.
Repeat Step #2 (the Custom metadata step), except this time delete the startup-script. Otherwise, the firewall will be disabled each time your instance boots.
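The following startup-script is an added example, not the article's own script. Instead of disabling UFW, it makes sure the SSH allow rule exists and only then enables the firewall, which is the order the article's note about `/usr/sbin/ufw allow ssh` implies. Because it is idempotent, it can stay in the instance metadata, unlike a script that disables the firewall on every boot. It assumes Debian with ufw at `/usr/sbin/ufw` and that GCE runs the script as root; the `UFW` and `UFW_REPAIR_LOG` environment variables are my own additions so the functions can be exercised against a stub ufw without touching a real firewall.

```shell
#!/bin/sh
# Added example: GCE startup-script that keeps UFW on but guarantees SSH stays reachable.
# Assumptions: Debian, ufw installed at /usr/sbin/ufw, script runs as root at boot.
UFW="${UFW:-/usr/sbin/ufw}"                 # override with a stub for offline testing
LOG="${UFW_REPAIR_LOG:-/dev/console}"       # /dev/console shows up in the GCE serial console

log() { printf 'startup-script: %s\n' "$1" >> "$LOG"; }

# True when "ufw status" already lists an ALLOW rule for SSH (22/tcp or the OpenSSH profile).
ssh_rule_present() {
    "$UFW" status 2>/dev/null | grep -Eq '^(22(/tcp)?|OpenSSH)[[:space:]]+ALLOW'
}

# Add the SSH rule if missing, then enable ufw non-interactively.
# Order matters: the allow rule must exist before the firewall is (re)enabled,
# otherwise the default deny-incoming policy drops the SSH session.
ensure_ssh_reachable() {
    if ssh_rule_present; then
        log "ssh rule already present"
    else
        if ! "$UFW" allow ssh >/dev/null; then
            log "failed to add ssh rule; leaving ufw disabled"
            "$UFW" disable >/dev/null
            return 1
        fi
        log "added ssh allow rule"
    fi
    "$UFW" --force enable >/dev/null && log "ufw enabled with ssh allowed"
}

# Entry point for the real boot: run only as root with ufw actually installed.
# When sourced elsewhere (tests), call ensure_ssh_reachable explicitly.
if [ "$(id -u)" -eq 0 ] && [ -x "$UFW" ]; then
    ensure_ssh_reachable
fi
```

Paste the whole script as the `startup-script` metadata value; the `log` lines appear in the serial console output, which is the only channel you still have while SSH is blocked.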
Shut down your instance with the UFW problem. Log in to the Google Cloud Console. Go to Compute Engine -> VM instances. Click on your instance and make a note of the “Boot disk” name. This will be the first disk under “Boot disk and local disks”.
Create a snapshot of the boot disk before doing anything further. Go to Compute Engine -> Disks, click on your boot disk, then click on “CREATE SNAPSHOT”.
Create a new instance in the same zone. A micro instance will work.
Open a Cloud Shell prompt (this also works from your desktop if gcloud is set up). Execute the following command, replacing NAME with the name of the broken instance, DISK with its boot disk name, and ZONE with the zone the instance is in:
gcloud compute instances detach-disk NAME --disk=DISK --zone=ZONE
Make sure that the previous command did not report an error.
Now we will attach this disk to the new instance that you created.
Make sure that the repair instance is running before attaching the second disk. Sometimes an instance can get confused on which disk to boot from if more than one disk is bootable.
Go to Compute Engine -> VM instances. Click on the new repair instance. Click Edit. Under “Additional disks” click “Add item”. For name, enter/select the disk that you detached from your broken instance. Click Save.
SSH into your new instance with both disks attached.
Follow these steps carefully. We will mount the second disk under the repair instance's root file system, then change the contents of /mnt/repair/etc/ufw/ufw.conf to disable the firewall.
- Become superuser.
- Execute df. Make sure that /dev/sdb1 is not mounted.
- Create the directory /mnt/repair for the mountpoint.
- Mount the second disk:
mount /dev/sdb1 /mnt/repair
- Change directories to the ufw configuration on the mounted disk and edit ufw.conf to disable the firewall.
- Shut down the repair system.
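The edit the list above refers to is the `ENABLED=` line in `ufw.conf`, which is the setting ufw consults at boot. The script below is an added example rather than the article's own commands: `set_ufw_enabled` flips that line on a given mount point while keeping a `.bak` copy, `ufw_enabled_setting` reads it back so you can confirm the change before unmounting, and `repair_disk` strings the article's mount, edit and unmount steps together for `/dev/sdb1` at `/mnt/repair`. The function names and the `.bak` convention are my assumptions; the first two functions only need a directory tree, so they can be tried on a constructed copy of the file without a real disk.

```shell
#!/bin/sh
# Added example: disable UFW on a detached boot disk by editing etc/ufw/ufw.conf offline.
# Assumes a Debian ufw.conf containing an "ENABLED=yes|no" line (as shipped with ufw).

# set_ufw_enabled MOUNTPOINT yes|no  -> rewrite the ENABLED= line, keep a backup, verify.
set_ufw_enabled() {
    mnt="$1"; value="$2"
    conf="$mnt/etc/ufw/ufw.conf"
    if [ ! -f "$conf" ]; then
        echo "no $conf (is the disk mounted at $mnt?)" >&2
        return 1
    fi
    case "$value" in
        yes|no) ;;
        *) echo "value must be yes or no, got '$value'" >&2; return 1 ;;
    esac
    cp -p "$conf" "$conf.bak"                       # rollback copy next to the original
    sed -i "s/^ENABLED=.*/ENABLED=$value/" "$conf"
    grep -q "^ENABLED=$value\$" "$conf"             # fail loudly if the line was not there
}

# ufw_enabled_setting MOUNTPOINT -> prints the current ENABLED value (yes/no).
ufw_enabled_setting() {
    sed -n 's/^ENABLED=//p' "$1/etc/ufw/ufw.conf"
}

# repair_disk [DEVICE] [MOUNTPOINT] -> the article's mount/edit/unmount sequence.
# Not run automatically; call it explicitly as root on the repair instance.
repair_disk() {
    dev="${1:-/dev/sdb1}"; mnt="${2:-/mnt/repair}"
    if grep -q " $mnt " /proc/mounts; then          # same check the article does with df
        echo "$mnt is already mounted; refusing to continue" >&2
        return 1
    fi
    mkdir -p "$mnt"
    mount "$dev" "$mnt" || return 1
    set_ufw_enabled "$mnt" no
    rc=$?
    echo "ufw.conf now says ENABLED=$(ufw_enabled_setting "$mnt")"
    umount "$mnt"
    return $rc
}
```

Once the original instance boots again, re-enable the firewall in the right order: `ufw allow ssh` first, then `ufw enable`, so the session you are connected through is never cut off.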
Now reverse the procedure: detach the second disk from the repair instance and reattach it to your original instance using the command below. Then start your instance and connect via SSH.
Note: To reattach the boot disk you have to use gcloud with the --boot flag:
gcloud beta compute instances attach-disk NAME --disk=DISK --zone=ZONE --boot
I design software for enterprise-class systems and data centers. My background is 30+ years in storage (SCSI, FC, iSCSI, disk arrays, imaging) and virtualization, and 20+ years in identity, security, and forensics.
For the past 14+ years, I have been working in the cloud (AWS, Azure, Google, Alibaba, IBM, Oracle) designing hybrid and multi-cloud software solutions. I am an MVP/GDE with several.