Troubleshooting
The following sections provide step-by-step guidance for diagnosing and resolving common issues when deploying and operating the Cloud Scanner on Google Cloud.
Verify region
Before deploying the Cloud Scanner, confirm that the target region supports it. Due to feature limitations, the following regions are not supported for Cloud Scanner deployment:
Region Code | Location |
---|---|
asia-northeast3 | Osaka, Japan |
asia-south2 | Delhi, India |
australia-southeast2 | Melbourne, Australia |
europe-north1 | Hamina, Finland |
europe-southwest1 | Madrid, Spain |
europe-west10 | Paris, France |
europe-west12 | Milan, Italy |
europe-west4 | Eemshaven, Netherlands |
europe-west8 | Warsaw, Poland |
europe-west9 | Zurich, Switzerland |
me-central1 | Doha, Qatar |
me-central2 | Dubai, UAE |
me-west1 | Riyadh, Saudi Arabia |
northamerica-northeast2 | Toronto, Canada |
us-east5 | Ashburn, USA |
us-south1 | Dallas, USA |
Verify system logs
When launching the Cloud Scanner's worker instances in your Google Cloud project, you can confirm that the deployment and connection processes were completed successfully by examining the instance logs. This inspection helps ensure that the instances are properly configured and are communicating as expected.
Accessing the system logs
To access the system logs, follow these steps:
- Open the Google Cloud console.
- In the left navigation pane, choose Compute Engine, then navigate to Instance Groups.
- Select the Instance Group of the Cloud Scanner, then the VM instance to view logs for.
- Select Logging > Serial port 1 (console).
Analyzing the system logs
Once you have access to the system logs, you should look for specific entries that confirm the instance is performing as expected:
- Verify Userdata Execution: Search for the entry `running 'modules:final'`. This indicates that the userdata script has started executing. This is a crucial step where various initialization scripts configure the instance.
- Verify Initial Configuration: Search for the entry `upwind credentials`. This indicates that the instance has the necessary permissions to retrieve the client credentials from the Google Secret Manager.
Following this, the logs should show that the instance is downloading and executing the installation script from Upwind. This is critical as it sets up the necessary software and configurations specific to your deployment.
2024-10-01 [...] Getting CloudScanner install script...
2024-10-01 [...] Executing CloudScanner install for usc-413b425f7c20af37...
2024-10-01 [...] Beginning CloudScanner installer script...
2024-10-01 [...] *** Upwind CloudScanner install script: latest***
2024-10-01 [...] Processing triggers for man-db (2.12.0-2build2) ...
2024-10-01 [...] Processing triggers for libc-bin (2.39-ubuntu3.3) ...
2024-10-01 [...] debconf: unable to initialize frontend: Dialog
2024-10-01 [...] debconf: (TERM is not set, so the dialog frontend is not usable.)
2024-10-01 [...] debconf: (This frontend requires a controlling tty.)
2024-10-01 [...] Running kernel seems to be up-to-date.
2024-10-01 [...] No services need to be restarted.
2024-10-01 [...] No containers need to be restarted.
2024-10-01 [...] INFO: No GCP tools to install
2024-10-01 [...] INFO: Dependencies installed ...
2024-10-01 [...] INFO: Checking SubCommand ...
2024-10-01 [...] INFO: Installing Upwind CloudScanner
2024-10-01 [...] INFO: Pulling Upwind CloudScanner Binary stable from https://releases.upwind.io ...
2024-10-01 [...] INFO: Pulling Upwind Agent Binary 0.87.0 from https://releases.upwind.io ...
2024-10-01 [...] INFO: Generating config ...
2024-10-01 [...] INFO: Creating config file: /etc/upwind/agent.yaml
2024-10-01 [...] INFO: Finished generating config ...
2024-10-01 [...] INFO: Creating Upwind CloudScanner service ...
2024-10-01 [...] INFO: Finished creating service ...
2024-10-01 [...] INFO: Starting Upwind CloudScanner service ...
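The checks above can be scripted against a saved copy of the serial console output, so a stalled boot is reported by the first stage it failed to reach. This is an added example, not part of Upwind's tooling; `check_scanner_boot`, the choice of which log entries serve as stage markers, and the sample log lines are assumptions made here.

```shell
# Added example, not Upwind tooling. Save the serial console output first, e.g.
#   gcloud compute instances get-serial-port-output INSTANCE --zone ZONE --port 1 > serial.log
# (INSTANCE and ZONE are placeholders.)

# Stage markers, in the order this page says they appear in the log.
STAGES="running 'modules:final'
upwind credentials
Getting CloudScanner install script
Executing CloudScanner install
INFO: Dependencies installed
INFO: Pulling Upwind CloudScanner Binary
INFO: Creating config file: /etc/upwind/agent.yaml
INFO: Starting Upwind CloudScanner service"

# Prints "ok" and returns 0 if every marker occurs, each on a later line than the
# previous one; otherwise prints "missing: <marker>" for the first stage not reached.
check_scanner_boot() {
    log_file=$1
    last=0
    while IFS= read -r marker; do
        # Line number of the first case-insensitive match after the previous stage.
        line=$(awk -v m="$marker" -v start="$last" \
            'NR > start && index(tolower($0), tolower(m)) { print NR; exit }' "$log_file")
        if [ -z "$line" ]; then
            echo "missing: $marker"
            return 1
        fi
        last=$line
    done <<EOF
$STAGES
EOF
    echo "ok"
}

# Constructed sample: a boot that stops after the dependency step.
sample_stalled_log() {
    cat <<'EOF'
[   41.2] cloud-init[1203]: Cloud-init v. 24.1 running 'modules:final' at Tue, 01 Oct 2024
2024-10-01 [...] Fetching upwind credentials from Secret Manager
2024-10-01 [...] Getting CloudScanner install script...
2024-10-01 [...] Executing CloudScanner install for usc-EXAMPLE...
2024-10-01 [...] INFO: Dependencies installed ...
EOF
}

tmp=$(mktemp)
sample_stalled_log > "$tmp"
check_scanner_boot "$tmp" || true   # prints: missing: INFO: Pulling Upwind CloudScanner Binary
rm -f "$tmp"
```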
Verify permissions
Cloud Scanner requires specific Google Cloud permissions for successful deployment and operation. Ensure that the following permissions are granted:
Permission | Description |
---|---|
compute.disks.create | Create new persistent disks. |
compute.disks.createSnapshot | Create snapshots of persistent disks. |
compute.disks.delete | Delete persistent disks. |
compute.disks.get | Retrieve details about persistent disks. |
compute.disks.setLabels | Apply labels to persistent disks. |
compute.disks.use | Use persistent disks for operations. |
compute.globalOperations.get | Access global operations. |
compute.instanceGroupManagers.get | Access instance group manager details. |
compute.instanceGroupManagers.list | List instance group managers. |
compute.instanceGroupManagers.update | Update instance group managers. |
compute.instanceGroups.get | Get details about instance groups. |
compute.instanceGroups.list | List instance groups. |
compute.instances.attachDisk | Attach disks to virtual machine instances. |
compute.instances.detachDisk | Detach disks from virtual machine instances. |
compute.instances.get | Retrieve VM instance details. |
compute.instanceTemplates.create | Create new instance templates. |
compute.instanceTemplates.delete | Delete instance templates. |
compute.instanceTemplates.get | Retrieve instance template details. |
compute.snapshots.create | Create snapshots from volumes. |
compute.snapshots.delete | Delete volume snapshots. |
compute.snapshots.get | Retrieve snapshot details. |
compute.snapshots.setLabels | Set labels on snapshots. |
compute.snapshots.useReadOnly | Access snapshots in read-only mode. |
compute.subnetworks.get | Retrieve subnetworks information. |
compute.zoneOperations.get | Access zone-level operations. |
iam.serviceAccounts.actAs | Act as service accounts. |
secretmanager.versions.access | Access secret version contents. |
secretmanager.versions.list | List versions of a secret. |
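To compare what a role actually grants against the table above, the following added example (not Upwind's own tooling) reports required permissions that are missing and granted permissions that fall outside the list, which are worth reviewing for least privilege. `audit_permissions`, `granted.txt` and the sample data are assumptions made here.

```shell
# Added example, not Upwind tooling. Export what the role grants first, e.g. for a
# custom role (ROLE_ID and PROJECT_ID are placeholders):
#   gcloud iam roles describe ROLE_ID --project PROJECT_ID \
#       --format='value(includedPermissions)' > granted.txt

# The 28 permissions from the table on this page.
REQUIRED="compute.disks.create compute.disks.createSnapshot compute.disks.delete
compute.disks.get compute.disks.setLabels compute.disks.use
compute.globalOperations.get compute.instanceGroupManagers.get
compute.instanceGroupManagers.list compute.instanceGroupManagers.update
compute.instanceGroups.get compute.instanceGroups.list
compute.instances.attachDisk compute.instances.detachDisk compute.instances.get
compute.instanceTemplates.create compute.instanceTemplates.delete
compute.instanceTemplates.get compute.snapshots.create compute.snapshots.delete
compute.snapshots.get compute.snapshots.setLabels compute.snapshots.useReadOnly
compute.subnetworks.get compute.zoneOperations.get iam.serviceAccounts.actAs
secretmanager.versions.access secretmanager.versions.list"

# audit_permissions FILE: FILE holds granted permissions separated by newlines or ';'.
# Prints "MISSING <perm>" and "EXTRA <perm>" lines; returns 1 if anything is missing.
audit_permissions() {
    req=$(mktemp); got=$(mktemp)
    printf '%s\n' $REQUIRED | sort -u > "$req"
    tr ';' '\n' < "$1" | sed '/^$/d' | sort -u > "$got"
    comm -23 "$req" "$got" | sed 's/^/MISSING /'   # required but not granted
    comm -13 "$req" "$got" | sed 's/^/EXTRA /'     # granted but not in the table
    status=0
    comm -23 "$req" "$got" | grep -q . && status=1
    rm -f "$req" "$got"
    return $status
}

# Constructed sample: one required permission absent, one unrelated permission present.
sample_granted() {
    printf '%s\n' $REQUIRED | grep -v '^secretmanager\.versions\.access$'
    echo compute.instances.delete
}

tmp=$(mktemp)
sample_granted > "$tmp"
audit_permissions "$tmp" || true
rm -f "$tmp"
```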