Terrascope Policies
Networking policy
Terrascope takes the safety and security of the platform seriously and continually balances usability against security. Outgoing (egress) traffic from a Terrascope VM is therefore limited to the following protocols:
Protocol | Remarks
---|---
HTTPS | Permissive, but subject to HTTPS inspection (see below)
HTTP | Ports 80 and 8080 only
FTP(S) | Both FTP and FTPS are allowed
HTTPS inspection
As of May 2nd, 2023, HTTPS inspection is enabled on all Terrascope VMs. The firewall terminates the TLS session and re-signs the server certificate with a Terrascope intermediate SSL certificate, which is why clients on the VM have to trust that certificate. The inspection performs deep packet inspection on HTTPS traffic on port 443 as well as on non-standard HTTPS ports. It is permissive: no traffic is blocked, it is only logged for analysis.
The intermediate certificate is included in the OS CA bundles under /etc/pki/ca-trust/extracted/pem/ on each Terrascope VM (the directory update-ca-trust generates from the anchors in /etc/pki/ca-trust/source/anchors/). Although the certificate has been configured at the VM OS level and for several pre-installed tools (Python, QGIS, SNAP toolbox, PyCharm, etc.), tools that ship their own trust store instead of using the OS bundle may still fail to validate HTTPS connections while inspection is enabled.
Docker containers
Code running in a Docker container does not see the intermediate SSL certificate installed on the Terrascope VM, because the container uses the trust store of its own image. The certificate therefore has to be mounted into the container and, if needed, configured for the client library being used.
For a system utility such as curl that relies on the OS CA bundle, mounting the host directory is sufficient: on CentOS/Alma Linux images /etc/pki/tls/certs/ca-bundle.crt is a symlink to /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem, so the mount replaces the image's bundle with the VM's, which already contains the intermediate certificate. The following examples use CentOS/Alma Linux-based containers; a different distribution (for example Debian-based images, which read /etc/ssl/certs/ca-certificates.crt) needs a different mount target.
$ docker run --rm -v /etc/pki/ca-trust/extracted/pem/:/etc/pki/ca-trust/extracted/pem/ almalinux:latest curl "https://www.wekeo.eu"
When using the Python requests library in a Docker container, also set the REQUESTS_CA_BUNDLE environment variable to the (mounted) bundle:
$ docker run --rm -it -e REQUESTS_CA_BUNDLE=/etc/pki/tls/certs/ca-bundle.crt -v /etc/pki/ca-trust/extracted/pem/:/etc/pki/ca-trust/extracted/pem/ vito-docker.artifactory.vgt.vito.be/python38-spark320:latest /bin/bash
$ pip3 -q install requests
$ python3.8
Python 3.8.8 (default, Oct 9 2021, 19:01:47)
[GCC 8.5.0 20210514 (Red Hat 8.5.0-3)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import requests
>>> requests.get('https://www.wekeo.eu')
<Response [200]>
Unmanaged libraries and tools
If a self-installed tool or library does not use the OS CA trust store, configure it to trust the intermediate SSL certificate explicitly. Common examples are Java (its own cacerts keystore, managed with keytool), Node.js (the NODE_EXTRA_CA_CERTS environment variable) and pip (the global.cert setting). Refer to the documentation of the tool in question for the exact mechanism.
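The reason the mount alone works for curl, and why REQUESTS_CA_BUNDLE can point at /etc/pki/tls/certs/ca-bundle.crt, is that on RHEL-family images (CentOS, AlmaLinux) that path is a symlink to /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem; bind-mounting the host directory swaps the image's bundle for the VM's, which already contains the inspection certificate. The following diagnostic is an added example, not part of the Terrascope documentation or tooling: run inside a container, it verifies that the bundle really resolves into the mounted directory, counts the certificates it contains, and reports whether REQUESTS_CA_BUNDLE and OpenSSL's SSL_CERT_FILE name the same file. The paths default to the ones above and can be overridden through MOUNTED_DIR and BUNDLE; the tls-ca-bundle.pem file name and the script name check_ca_trust.sh are assumptions.

```shell
#!/bin/sh
# check_ca_trust.sh: added diagnostic, not part of the Terrascope documentation or tooling.
# Run inside a container started with
#   -v /etc/pki/ca-trust/extracted/pem/:/etc/pki/ca-trust/extracted/pem/
# to confirm that the CA bundle a client will read really comes from the host mount.

# Directory bind-mounted from the VM (the path named on the page); override for testing.
MOUNTED_DIR="${MOUNTED_DIR:-/etc/pki/ca-trust/extracted/pem}"
# Bundle that OpenSSL-based tools on RHEL-family images read. There it is a symlink to
# $MOUNTED_DIR/tls-ca-bundle.pem (assumed file name), which is why the mount alone is
# enough for curl.
BUNDLE="${BUNDLE:-/etc/pki/tls/certs/ca-bundle.crt}"

# resolve_path PATH: print PATH with every symlink followed (GNU/busybox readlink).
resolve_path() {
    readlink -f "$1"
}

# bundle_is_mounted PATH: succeed if PATH resolves to a readable file below MOUNTED_DIR,
# i.e. the container is actually using the host's bundle and not its own image copy.
bundle_is_mounted() {
    _dir=$(resolve_path "$MOUNTED_DIR") || return 1
    _target=$(resolve_path "$1") || return 1
    [ -f "$_target" ] && [ -r "$_target" ] || return 1
    case "$_target" in
        "$_dir"/*) return 0 ;;
        *)         return 1 ;;
    esac
}

# count_certs PATH: number of PEM certificate blocks in PATH (0 if missing or unreadable).
count_certs() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c 'BEGIN CERTIFICATE' "$1" || true
}

# env_matches_bundle VAR: succeed if the variable named VAR is set and names the same file
# as BUNDLE, so a client honouring VAR (requests, OpenSSL) will see the inspection CA.
env_matches_bundle() {
    eval "_val=\${$1:-}"
    [ -n "$_val" ] || return 1
    [ "$(resolve_path "$_val")" = "$(resolve_path "$BUNDLE")" ]
}

# check_trust: print one line per check; exit status is 0 only if the bundle is mounted.
check_trust() {
    _rc=0
    if bundle_is_mounted "$BUNDLE"; then
        echo "ok    $BUNDLE -> $(resolve_path "$BUNDLE") ($(count_certs "$BUNDLE") certificates)"
    else
        echo "FAIL  $BUNDLE does not resolve into $MOUNTED_DIR; is the host directory mounted?"
        _rc=1
    fi
    # REQUESTS_CA_BUNDLE is read by python-requests, SSL_CERT_FILE by OpenSSL itself.
    for _var in REQUESTS_CA_BUNDLE SSL_CERT_FILE; do
        if env_matches_bundle "$_var"; then
            echo "ok    $_var points at $BUNDLE"
        else
            echo "warn  $_var is unset or points elsewhere; clients that honour it will not use $BUNDLE"
        fi
    done
    return $_rc
}

# Only run the checks when executed as a script, so the functions can also be sourced.
case "${0##*/}" in
    check_ca_trust.sh) check_trust ;;
esac
```

Copy the script into the container (or mount it alongside the certificate directory) and run `sh check_ca_trust.sh`. A FAIL line means the directory was not mounted or the image keeps its bundle elsewhere (Debian-based images read /etc/ssl/certs/ca-certificates.crt and need a different mount target); a warn line means a library that ignores the OS store has not been pointed at the bundle and will still reject the inspected connections.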
Whitelisting
Some clients pin the certificate or public key of the server they talk to (SSL certificate pinning) and will refuse the connection when they are presented with the certificate re-signed by the intermediate. Such endpoints must be whitelisted, that is, exempted from inspection in the firewall settings. Post the affected endpoint in the HTTPS inspection issues forum so the exception can be made.
VM policy
- By requesting a VM, a user also agrees with the Terrascope terms of use.
- Users are limited to requesting a single VM. Additional VMs can be requested through the Network of Resources, provided by ‘Provider VITO’.
- Terrascope manages the VM, its operating system (OS), and pre-installed packages using a configuration management system.
- Upgrading the OS or removing or upgrading pre-installed packages is forbidden, as it may break the packages the configuration management system needs to manage the VM.
- VMs are not backed up, as outlined in the backup policy.
- Unused VMs will be removed per the VM removal policy.
Terrascope will provide users with a new VM and notify them accordingly if necessary. This could occur during major operating system upgrades or migrating VMs to a different hypervisor. Terrascope also reserves the right to decommission VMs and deactivate accounts if misuse of the VM is suspected.
Backup policy
User VMs are not backed up. As in other cloud environments, a virtual machine should not be considered persistent: all data in your home directory and other system directories can be lost in case of a system failure.
To mitigate the risk of losing all your files and folders, consider the following suggestions:
- Use version control for critical data.
- Use the /data/users/Public and /data/users/Private folders. They are on a shared file system and offer more persistence than regular directories. Note, however, that these folders have no snapshots: a file that is deleted or corrupted cannot be recovered.
VM removal policy
Due to the increasing usage of Terrascope VMs, any VM that remains inactive for six (6) months will be removed automatically.
Reminders are sent after four and five months of inactivity, so that users are informed in time. If the VM is still unused after the sixth month, it is permanently deleted.