ramar.work

Provisioning with Tornado

Tornado VPS (formerly known as prgmr.com) is a small and not-very-often mentioned VPS provider coming from the West Coast. Their plans are inexpensive and the service has been reliable thus far. This site is actually hosted on one of their slices. Outages are rare and maintenance logs are sent out all of the time. I’m not certain how large their staff is, but it seems to be more than enough to keep the service up and running for the past 17 years.

Of all the providers available, they are probably the most lightweight and most appropriate for programmers who are more comfortable at the command line and fairly knowledgeable about Linux and BSD tooling. The web interface does about 5% of the work and the command line handles the rest.

That said, the documentation is a bit sparse and is really only good to point you in the right direction should you get stuck. This is cool if you are planning on architecting your own DevOps pipeline. (Perhaps, DevOps is a stretch, as maybe you’re just pushing changes to a Git repo and have written a hook that can copy the newest snapshot to production.)

Having self-hosted for a couple of years, I so far am really enjoying the service I’m getting from Tornado. Though I miss the power of a strong dedicated webserver, it has proven much more economical to scale down the heavy infrastructure for my current projects.

Instructions

As mentioned previously, Tornado is not the most straightforward setup compared to the myriad options already available (digitalOcean, Linode, AWS, etc etc etc). For those who want to get started with the system, I’ve outlined some of the steps I took to move my stack from self-hosted to a smaller VPS.

Initial Setup

First step is to go in and choose the plan you want. Clicking on Pricing will display the available options.

Caption

Tornado has six standard options to choose from. With the exception of two projects, the majority of applications I’m working on don’t require too much horsepower, so I’m opting for the 1.25 GiB option.

caption

OS Setup

After checking that the machine is up and running, we’re ready to go in and actually install everything.

caption

If you opt to let the web installer do it, all you’ll have to do is go to option 8 and check the reverse DNS settings.

Tornado, in essence, will give you two terminal-based interfaces to administer your server. The first is the console, accessed via $LABEL.console.tornadovps.net and the second is your actual box at $LABEL.vm.tornadovps.net

The Box

I’m lazy and am happy using Arch for my Linux work, so I’ll use it to demonstrate walking through the first steps to get rolling. By default, there are no other users on the system except root, so we’ll use that account for this preliminary setup work.

First, let’s get the latest keys.

[root@box]$ pacman -S archlinux-keyring

Second, let’s update the system (and in the process, grab whatever other packages you think you’ll need).

[root@box]$ pacman -Syu [ package1, package2, ... ]

Third, we’ll need to check that the sudo command is present and check for the existence of a group that has sudo access. (Typically, this group will be named either 'wheel' or 'sudo'–for obvious reasons you may want to change this, so that would be a good idea here.)

Tornado seems to ship with a sudo binary in their default Arch distribution. That means we can go ahead and add a user to the system, set the user’s password and add the user to the group with sudo access.

[root@box]$ useradd -m $USERNAME
[root@box]$ passwd $USERNAME
( ... you'll be asked to type your password here ... )
[root@box]$ vim /etc/sudoers 

/etc/sudoers looks like this

In the sudoers file, find the following line and change it from this

# %wheel ALL=(ALL:ALL) ALL

to this:

%wheel ALL=(ALL:ALL) ALL

And finally, you can add your new user to the wheel group with gpasswd.

[root@box]$ gpasswd -a $USERNAME wheel 

If you want something a bit more restrictive (for example, limiting the commands that can be invoked by users within the group wheel), you can either edit the permissions on this line or use a drop-in configuration file at a directory you see fit. This can vary wildly, so I’ll leave the details on how to do that up to you. (Just do 'man sudo' to learn more.)

Access

Finally, we’ll want to button up our access rights for the new box. Ideally, we want to disallow remote root access, generate a new one for our new user and explicitly allow only this user to access the box.

We can create the key from the root account and change owner and permission in two steps.

[root@box]$ DIR=/home/$USERNAME
[root@box]$ mkdir $DIR/.ssh/ && chmod 644 $DIR/.ssh/ && chown $USERNAME:$USERNAME $DIR/.ssh/
[root@box]$ ssh-keygen $KEYNAME
( ...answer the prompts... )

Assuming that this a fresh install, we can also copy the key to the expected location.

[root@box]$ AUTHKEYS=$DIR/.ssh/authorized_keys
[root@box]$ cat ${KEYNAME}.pub >> $AUTHKEYS
[root@box]$ chmod 444 $AUTHKEYS && chown $USERNAME:$USERNAME $AUTHKEYS

Notice that we didn’t move the private key. Now would be a good time to copy it to the system that you plan to do administration from.

[you@adminmgr]$ scp root@${LABEL}.vm.tornadovps.net:~/$KEYNAME .

Before testing, we’ll need to modify the SSH daemon’s configuration file.

[root@box]$ vim /etc/ssh/sshd_config

Finally, we can restart SSH and test that our configuration works.

[root@box]$ systemctl restart sshd 
[root@box]$ ssh -i $KEYNAME $USERNAME@${LABEL}.vm.tornadovps.net

If you see a prompt displaying your new username, then you are all good. You can cleanup by removing the public and private key from root’s home directory.

[root@box]$ rm -f $KEYNAME $KEYNAME.pub

Use 'Ctrl + ]' to log out, then use 0 to exit and go back to your terminal.

Conclusion and Final Thoughts

If you’re comfortable with the command-line and just mildly familiar with maintaining your own Linux system, you’ll probably love Tornado. Even though the process is not as straightforward as other VPS solutions, it is a welcome change from the GUI-focused (and somewhat limiting) administration that many VPS providers are opting for today. Simplicity might be one of the best reasons to make a switch to Tornado if that’s an important factor to you.