
First Impressions on Oracle Cloud

I read about the Oracle Always Free Instance here:

  1. Oracle Cloud Always Free Instance Ubuntu -> Debian Conversion
  2. Oracle Cloud: first impressions

I registered for Oracle Cloud.

The registration requires:

  1. a credit card
  2. a smartphone with the Oracle Mobile Authenticator app

1. Instance Setup

The credit card will be debited with 0.93 EUR, but this sum will be refunded.

The Oracle authenticator app is known to be problematic, as it seems there is no way to transfer the credentials to another phone, in case you upgrade your phone.

The setup of a virtual Linux machine on Oracle Cloud is quite confusing, but clicking through all the endless dialogues will finally provide you with a simple virtual machine and a public IP.

You can then connect to this public IP using the ssh keys, which were generated during the dialogues.

ssh -l opc -i ssh-key-2025-08-02.key 144.24.181.149

The machine itself is fast, although it uses an AMD EPYC 7551 ("Naples") processor that is no longer produced. The AMD EPYC 7551 was produced in 2017.

opc /home/opc: lscpu
Architecture:                x86_64
  CPU op-mode(s):            32-bit, 64-bit
  Address sizes:             40 bits physical, 48 bits virtual
  Byte Order:                Little Endian
CPU(s):                      2
  On-line CPU(s) list:       0,1
Vendor ID:                   AuthenticAMD
  Model name:                AMD EPYC 7551 32-Core Processor
    CPU family:              23
    Model:                   1
    Thread(s) per core:      2
    Core(s) per socket:      1
    Socket(s):               1
    Stepping:                2
    BogoMIPS:                3992.49
    Flags:                   fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx mmxext fxsr_opt pdpe1gb rdtscp lm rep_good nopl xtopology cpuid extd_apicid tsc_known_freq pni pclmulqdq ssse3 fma cx16 sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm cmp_legacy svm cr8_legacy abm sse4a misalignsse 3dnowprefetch osvw topoext perfctr_core ssbd ibpb vmmcall fsgsbase tsc_adjust bmi1 avx2 smep bmi2 rdseed adx smap clflushopt sha_ni xsaveopt xsavec xgetbv1 clzero xsaveerptr virt_ssbd arat npt nrip_save vgif overflow_recov succor arch_capabilities
Virtualization features:
  Virtualization:            AMD-V
  Hypervisor vendor:         KVM
  Virtualization type:       full
Caches (sum of all):
  L1d:                       64 KiB (1 instance)
  L1i:                       64 KiB (1 instance)
  L2:                        512 KiB (1 instance)
  L3:                        16 MiB (1 instance)
NUMA:
  NUMA node(s):              1
  NUMA node0 CPU(s):         0,1
Vulnerabilities:
  Gather data sampling:      Not affected
  Indirect target selection: Not affected
  Itlb multihit:             Not affected
  L1tf:                      Not affected
  Mds:                       Not affected
  Meltdown:                  Not affected
  Mmio stale data:           Not affected
  Reg file data sampling:    Not affected
  Retbleed:                  Mitigation; untrained return thunk; SMT vulnerable
  Spec rstack overflow:      Vulnerable: Safe RET, no microcode
  Spec store bypass:         Mitigation; Speculative Store Bypass disabled via prctl
  Spectre v1:                Mitigation; usercopy/swapgs barriers and __user pointer sanitization
  Spectre v2:                Mitigation; Retpolines; IBPB conditional; STIBP disabled; RSB filling; PBRSB-eIBRS Not affected; BHI Not affected
  Srbds:                     Not affected
  Tsa:                       Not affected
  Tsx async abort:           Not affected

Memory is not opulent, one GB:

opc /home/opc: lsmem
RANGE                                 SIZE  STATE REMOVABLE BLOCK
0x0000000000000000-0x000000003fffffff   1G online       yes   0-7

Memory block size:       128M
Total online memory:       1G
Total offline memory:      0B

SSD storage is 30 GB:

opc /home/opc: df -h
Filesystem                  Size  Used Avail Use% Mounted on
devtmpfs                    4.0M     0  4.0M   0% /dev
tmpfs                       252M     0  252M   0% /dev/shm
tmpfs                       101M  2.8M   99M   3% /run
efivarfs                    256K   35K  217K  14% /sys/firmware/efi/efivars
/dev/mapper/ocivolume-root   30G  5.6G   24G  19% /
/dev/sda2                   2.0G  623M  1.4G  32% /boot
/dev/mapper/ocivolume-oled   15G  202M   15G   2% /var/oled
/dev/sda1                   100M  7.2M   93M   8% /boot/efi
tmpfs                        51M     0   51M   0% /run/user/989
tmpfs                        51M     0   51M   0% /run/user/1000

After I installed NGINX:

[root@instance-20250802-1100 ~]# netstat -antp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:44321         0.0.0.0:*               LISTEN      2410/pmcd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1/systemd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      6307/nginx: master
tcp        0      0 127.0.0.1:4330          0.0.0.0:*               LISTEN      3296/pmlogger
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2230/sshd: /usr/sbi
tcp        0      0 10.0.0.138:49994        169.254.169.254:80      ESTABLISHED 3356/runcommand
tcp        0      0 10.0.0.138:53180        169.254.169.254:80      ESTABLISHED 3356/runcommand
tcp        0      0 10.0.0.138:47106        147.154.152.55:443      ESTABLISHED 2421/gomon
tcp        0      0 10.0.0.138:38010        169.254.169.254:80      ESTABLISHED 2421/gomon
tcp        0      0 10.0.0.138:45260        169.254.169.254:80      ESTABLISHED 3356/runcommand
tcp        0    196 10.0.0.138:22           149.172.93.57:60574     ESTABLISHED 4872/sshd: opc [pri
tcp        0      0 10.0.0.138:58454        169.254.169.254:80      ESTABLISHED 3356/runcommand
tcp        0      0 10.0.0.138:51840        169.254.169.254:80      ESTABLISHED 3356/runcommand
tcp        0      0 10.0.0.138:40406        169.254.169.254:80      ESTABLISHED 3356/runcommand
tcp        0      0 10.0.0.138:46170        169.254.169.254:80      ESTABLISHED 3356/runcommand
tcp6       0      0 ::1:44321               :::*                    LISTEN      2410/pmcd
tcp6       0      0 :::111                  :::*                    LISTEN      1/systemd
tcp6       0      0 :::80                   :::*                    LISTEN      6307/nginx: master
tcp6       0      0 ::1:4330                :::*                    LISTEN      3296/pmlogger
tcp6       0      0 :::22                   :::*                    LISTEN      2230/sshd: /usr/sbi

2. Problem with dnf

Just using dnf or yum will essentially hang the machine.

User Any_Working3520 figured out, in "dnf install is very slow on my OCI compute instances", that you have to disable one particular repo for dnf/yum:

yum --disablerepo=ol9_oci_included ...
dnf --disablerepo=ol9_oci_included ...

With that you can update the machine:

dnf --disablerepo=ol9_oci_included update

3. Setup NGINX

The help center post "Create a web server on a compute instance" was helpful.

Installing NGINX:

dnf --disablerepo=ol9_oci_included install nginx
systemctl enable nginx
systemctl start nginx

You have to specifically allow incoming TCP traffic for port 80:

firewall-cmd --permanent --zone=public --add-service=http
firewall-cmd --reload

Then head to Virtual Cloud Networks.


Click on the Default Security List for vcn-xyz. Then Security rules.


Create an ingress rule:

  1. Source Type: CIDR
  2. Source CIDR: 0.0.0.0/0
  3. IP Protocol: TCP
  4. Source Port Range: All
  5. Destination Port Range: 80


Then check in a browser.
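A local check to go with the ingress rule above, as an added example that is not part of the original post: it reads `netstat -antp` text and reports listeners bound to every interface whose port is not in the set you meant to expose. The function name and the expected-port argument are assumptions of this example; the sample input is built from the netstat output shown earlier, where port 111 (held by systemd) listens on all interfaces next to 22 and 80.

```shell
#!/bin/sh
# Added example (not from the original post): report TCP listeners bound to
# every interface whose port is not in the set you meant to expose.

# Constructed sample: lines taken from the `netstat -antp` output above.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address  Foreign Address  State  PID/Program name
tcp   0  0 127.0.0.1:44321   0.0.0.0:*           LISTEN      2410/pmcd
tcp   0  0 0.0.0.0:111       0.0.0.0:*           LISTEN      1/systemd
tcp   0  0 0.0.0.0:80        0.0.0.0:*           LISTEN      6307/nginx: master
tcp   0  0 0.0.0.0:22        0.0.0.0:*           LISTEN      2230/sshd: /usr/sbi
tcp   0  0 10.0.0.138:38010  169.254.169.254:80  ESTABLISHED 2421/gomon
tcp6  0  0 ::1:4330          :::*                LISTEN      3296/pmlogger
tcp6  0  0 :::111            :::*                LISTEN      1/systemd
tcp6  0  0 :::80             :::*                LISTEN      6307/nginx: master
tcp6  0  0 :::22             :::*                LISTEN      2230/sshd: /usr/sbi'

# unexpected_listeners NETSTAT_TEXT "PORT PORT ..."
# Prints "port pid/program" once per port for each wildcard listener
# (0.0.0.0 or ::) that is not in the expected list.
unexpected_listeners() {
    printf '%s\n' "$1" | awk -v expected="$2" '
        BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)            # text after the last colon
            host = substr($4, 1, length($4) - length(port) - 1)
            if (host != "0.0.0.0" && host != "::") next   # loopback or one address
            if ((port in ok) || seen[port]++) next        # expected, or already shown
            print port, $7
        }' | sort -n
}

# The page opens 22 (ssh) and 80 (http); anything else printed here is
# reachable as soon as the host firewall and a Security List rule allow it.
unexpected_listeners "$SAMPLE_NETSTAT" "22 80"
```

On the instance itself, pass live output instead of the sample: `unexpected_listeners "$(netstat -antp)" "22 80"`.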

4. Problem with sporadic dropouts

If you experiment with the above Security Lists, be prepared to get yourself disconnected.

However, for unknown reasons, the connection to the instance drops completely at times, i.e., neither ssh nor HTTP connections are possible. You have to wait an hour to get it back again.

This happened multiple times.

The default iptables rules are:

# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N BareMetalInstanceServices
-A OUTPUT -d 169.254.0.0/16 -j BareMetalInstanceServices
-A BareMetalInstanceServices -d 169.254.0.2/32 -p tcp -m owner --uid-owner 0 -m tcp --dport 3260 -m comment --comment "See the Oracle-Provided Images section in the Oracle Bare Metal documentation for security impact of modifying or removing this rule" -j ACCEPT
-A BareMetalInstanceServices -d 169.254.2.0/24 -p tcp -m owner --uid-owner 0 -m tcp --dport 3260 -m comment --comment "See the Oracle-Provided Images section in the Oracle Bare Metal documentation for security impact of modifying or removing this rule" -j ACCEPT
-A BareMetalInstanceServices -d 169.254.4.0/24 -p tcp -m owner --uid-owner 0 -m tcp --dport 3260 -m comment --comment "See the Oracle-Provided Images section in the Oracle Bare Metal documentation for security impact of modifying or removing this rule" -j ACCEPT
-A BareMetalInstanceServices -d 169.254.5.0/24 -p tcp -m owner --uid-owner 0 -m tcp --dport 3260 -m comment --comment "See the Oracle-Provided Images section in the Oracle Bare Metal documentation for security impact of modifying or removing this rule" -j ACCEPT
-A BareMetalInstanceServices -d 169.254.0.2/32 -p tcp -m tcp --dport 80 -m comment --comment "See the Oracle-Provided Images section in the Oracle Bare Metal documentation for security impact of modifying or removing this rule" -j ACCEPT
-A BareMetalInstanceServices -d 169.254.169.254/32 -p udp -m udp --dport 53 -m comment --comment "See the Oracle-Provided Images section in the Oracle Bare Metal documentation for security impact of modifying or removing this rule" -j ACCEPT
-A BareMetalInstanceServices -d 169.254.169.254/32 -p tcp -m tcp --dport 53 -m comment --comment "See the Oracle-Provided Images section in the Oracle Bare Metal documentation for security impact of modifying or removing this rule" -j ACCEPT
-A BareMetalInstanceServices -d 169.254.0.3/32 -p tcp -m owner --uid-owner 0 -m tcp --dport 80 -m comment --comment "See the Oracle-Provided Images section in the Oracle Bare Metal documentation for security impact of modifying or removing this rule" -j ACCEPT
-A BareMetalInstanceServices -d 169.254.0.4/32 -p tcp -m tcp --dport 80 -m comment --comment "See the Oracle-Provided Images section in the Oracle Bare Metal documentation for security impact of modifying or removing this rule" -j ACCEPT
-A BareMetalInstanceServices -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -m comment --comment "See the Oracle-Provided Images section in the Oracle Bare Metal documentation for security impact of modifying or removing this rule" -j ACCEPT
-A BareMetalInstanceServices -d 169.254.169.254/32 -p udp -m udp --dport 67 -m comment --comment "See the Oracle-Provided Images section in the Oracle Bare Metal documentation for security impact of modifying or removing this rule" -j ACCEPT
-A BareMetalInstanceServices -d 169.254.169.254/32 -p udp -m udp --dport 69 -m comment --comment "See the Oracle-Provided Images section in the Oracle Bare Metal documentation for security impact of modifying or removing this rule" -j ACCEPT
-A BareMetalInstanceServices -d 169.254.169.254/32 -p udp -m udp --dport 123 -m comment --comment "Allow access to OBMCS local NTP service" -j ACCEPT
-A BareMetalInstanceServices -d 169.254.0.0/16 -p tcp -m tcp -m comment --comment "See the Oracle-Provided Images section in the Oracle Bare Metal documentation for security impact of modifying or removing this rule" -j REJECT --reject-with tcp-reset
-A BareMetalInstanceServices -d 169.254.0.0/16 -p udp -m udp -m comment --comment "See the Oracle-Provided Images section in the Oracle Bare Metal documentation for security impact of modifying or removing this rule" -j REJECT --reject-with icmp-port-unreachable
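
A way to read the rule set above, as an added example that is not part of the original post: it lists each link-local service the BareMetalInstanceServices chain accepts and whether the rule is limited to root (`--uid-owner 0`) or open to any local user, then checks that the two catch-all REJECT rules are still in place. Function names are assumptions of this example; the sample is a subset of the rules above with the `--comment` text left out.

```shell
#!/bin/sh
# Added example (not from the original post): summarise which link-local
# services the BareMetalInstanceServices chain lets local processes reach.

# Constructed sample: a subset of the `iptables -S` output above, with the
# long --comment text left out.
SAMPLE_RULES='-P OUTPUT ACCEPT
-N BareMetalInstanceServices
-A OUTPUT -d 169.254.0.0/16 -j BareMetalInstanceServices
-A BareMetalInstanceServices -d 169.254.0.2/32 -p tcp -m owner --uid-owner 0 -m tcp --dport 3260 -j ACCEPT
-A BareMetalInstanceServices -d 169.254.0.3/32 -p tcp -m owner --uid-owner 0 -m tcp --dport 80 -j ACCEPT
-A BareMetalInstanceServices -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A BareMetalInstanceServices -d 169.254.169.254/32 -p udp -m udp --dport 123 -j ACCEPT
-A BareMetalInstanceServices -d 169.254.0.0/16 -p tcp -m tcp -j REJECT --reject-with tcp-reset
-A BareMetalInstanceServices -d 169.254.0.0/16 -p udp -m udp -j REJECT --reject-with icmp-port-unreachable'

# Print "destination proto/port who" for every ACCEPT rule in the chain.
# "root-only" means the rule carries `-m owner --uid-owner 0`.
linklocal_access() {
    printf '%s\n' "$1" | awk '
        $1 == "-A" && $2 == "BareMetalInstanceServices" {
            dst = ""; proto = ""; port = ""; target = ""; who = "any-user"
            for (i = 3; i < NF; i++) {
                if ($i == "-d") dst = $(i + 1)
                else if ($i == "-p") proto = $(i + 1)
                else if ($i == "--dport") port = $(i + 1)
                else if ($i == "--uid-owner") who = ($(i + 1) == "0" ? "root-only" : "uid-" $(i + 1))
                else if ($i == "-j") target = $(i + 1)
            }
            if (target == "ACCEPT") print dst, proto "/" port, who
        }'
}

# Succeeds only if both catch-all REJECT rules (tcp and udp) are present.
# Without them the OUTPUT policy (ACCEPT) applies and "root-only" means nothing.
has_catchall_reject() {
    n=$(printf '%s\n' "$1" | grep -c -E -e \
        '^-A BareMetalInstanceServices -d 169\.254\.0\.0/16 -p (tcp|udp) .*-j REJECT' || true)
    [ "$n" -eq 2 ]
}

linklocal_access "$SAMPLE_RULES"
has_catchall_reject "$SAMPLE_RULES" && echo "catch-all REJECT rules present"
```

Run against the full rule set with `linklocal_access "$(iptables -S)"`; in the rules above, port 3260 and 169.254.0.3 port 80 come out as root-only, while 169.254.169.254 port 80, the address the agents in the netstat output connect to, is accepted for any local user.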