OPS335 Lab 1

From CDOT Wiki
Revision as of 05:16, 12 July 2016 by Peter.callaghan (talk | contribs) (Undo revision 117153 by Peter.callaghan (Talk))
Jump to: navigation, search

OBJECTIVE & PREPARATION

In OPS235, you learned how to configure a virtual private network via graphical applications for the centos1 and centos2 machines. In the previous lab, you have created and cloned VMs that are text-based only (like centos3). All of the virtual machines will be text-based (just like centos3 in OPS235) for this course. All of the services that we are configuring in this course require a working network connection; therefore, it is very important that you know how to set (preferable configure) a static IP address, default gateway, as well as your DNS server from the command line.

This lab is a review of the material from labs 6 ( CLI Network Configuration ), but will also show other commands in the process.

Online Resources

INVESTIGATION 1: BASIC NETWORK CONFIGURATION (REVISITED)

Remember how you set up the network interfaces in your virtual machines in OPS235? You're expected to know that "inside-out" by now.

Checking Your Current Network Settings

In OPS235 have used the deprecated ifconfig and route commands. In this course we'll use the ip command instead (you may be familiar with the old commands but you're expected to know the new ones as well).


Perform the following steps:

  1. View the table below comparing older vs newer methods of obtaining network setting information for a Linux machine.


Comparison of Older and Newer Methods of Obtaining Network Settings
PurposeOlder Method
(command)
Newer Method
(command)
Obtain IP ADDRESS and Subnet Maskifconfigip address
Obtain Default Gatewayroute -nip route
Obtain DNS Servernslookupmore resolv.conf
Obtain Hostnameuname -nuname -n


  1. Run the ifconfig and ip address commands separately. Do you notice any differences between their respective outputs?
  2. Repeat the same steps for the other set of older vs newer commands listed in the table.
  3. Which commands do you prefer to use?
  4. Use the man pages to see how to issue the above commands to create a temporary connection to your existing network.


Making Persistent (Permanent) Network Setting Changes

If you change your network settings using the commands in the previous section, those changes will be lost if you restart your Linux machine. In order to have your network settings become permanent, you need to edit and save the settings changes in a file. For the IP address, subnet mask, default gateway, and DNS server you edit that file is contained in a directory called: network-scripts.

Perform the following steps:

  1. From your OPS335/OPS235/ULI101 notes, issue a command to provide the full path-name of the directory: network-scripts. If that command or utility does not exist, simply install it.
  2. The name of the file that contains your persistent network settings has the following name format:
    ifcfg-interfacename
  3. Which file-name in your network-scripts directory do you think contains your current network settings?
  4. View the contents of the file to see if it contains the IP address, subnet mask, and default gateway.
  5. What is the MAC address if your current machine?
  6. Does this file contain the hostname of your machine? If not, what command can allow you to change your machine's hostname?


Except for your host machine, all the Virtual Machines in this course will have static network configuration (as opposed to Automatic or DHCP). Sometimes, you will be required to debug networking problems quickly by changing the network configuration of your VMs.

  1. Edit the ifcfg-interfacename file for each of your VMs to use a static IP address (refer to previous OPS235 lab on networking: [ Network Config - CLI ].
    You should be configuring the BOOTPROTO, IPADDR, NETMASK, GATEWAY, and DNS1 for this file.
  2. Your vm1 should use the first available address in the subnet, vm2 the second, and vm3 the third.
    You can refer to your previous lab to obtain this information: [ Configuring a VM Host ]
  3. Don't forget to set the default gateway and DNS server for your VMs. You can use your host's IP address as a DNS server (libvirt will proxy the requests to the real DNS server).
  4. Make note of the files used and entries required and note them in your lab log-book.
  5. Save your editing session, and then restart each VM and run the following command to ensure they still have the network configuration you set:
ping (what is the purpose of this command?). Try to ping matrix and google from your host machine. Try to ping matrix and google from each of your VM's to ensure you can reach the outside world.
ssh (into another server, like Matrix)


If you are uncertain how to perform those above-listed operations by member, take time to practice them. If everything works and you are comfortable with these operations then you may proceed to the next section.

Linux Network Connection Configuration Troubleshooting

If the network works in your host, but not in your Virtual Machine, you should perform the following routine steps to troubleshoot the network connection:

  1. Is network on VM plugged in? On a physical network you would check whether the cable is plugged in and the link light is on on your network card. In a virtual network environment, you don't have a physical network adapter. Instead, you will need to check the NIC settings in the virtual machine details to view and confirm the appropriate network connection.
  2. Is the network enabled? This is a problem more common with virtual networks than physical networks. Check in your VirtManager->ConnectionDetails->VirtualNetworks that your network is active.
  3. Do you have an IP address? Run ip address to check.
  4. Can you ping the host by IP? (by its internal IP address). If not - check all of the above, check if you have an IP address conflict, and check that your subnet mask is correct.
  5. Can you ping 8.8.8.8? If all of the above work - check that your default gateway is set correctly with ip route and that you can ping the default gateway.
  6. Can you resolve google.ca? Run host google.ca. If the output doesn't provide an IP address, check that your DNS server is configured correctly and that you can ping that address.

There are a number of other problems that could prevent your network connection from functioning but the above are the most common problems.

Break my network script

Move to your vm1 machine in order to perform the following trouble-shooting task:
  1. Use the wget command (with option "--no-check-certificate" ) to download and run the following shell script:
    http://scs.senecacollege.ca/~murray.saul/ops335/break-network.bash

    NOTE: If the wget command is not available with your minimum install vms, then install that command.

  2. after you have run that shell script, restart your vm1 machine.
  3. Use the commands taught in this lab to confirm if your network connection is broken.
  4. Carefully check your configuration to see if there is a change to your settings
  5. Try to temporarily connect to the Internet
  6. Edit your network settings file to make the changes permanent
  7. Test your connectivity (including after a reboot of your vm1.

Note: You should be able to go through that troubleshooting process pretty quickly. Setting up the network in this course is never a primary task, but it's almost always a prerequisite for anything else we're going to do. You can't have a working web server (or any other kind of server) if you don't have a working network connection.


Record steps, commands, and your observations in INVESTIGATION 1 in your OPS335 lab log-book

INVESTIGATION 2: SSH

The default (and often the only way) to administer a Linux server is via SSH. Even if you work in a graphical Linux environment, it is very useful to open a terminal and use SSH to monitor and manage your VMs (you can resize the terminal window).

Managing Services

The SSH server should be installed and running in your VMs. If it's not installed - you can install openssh-server using yum. It is essential for CNS/CTY students to become comfortable managing services since you will need to constantly stop services, change their configuration, and start them for the configuration changes to take effect in nearly every topic this semester, and for other courses involving Linux network management.


Perform the following steps:

  1. Note the following systemctl commands (refer to man pages or the Internet) and become comfortable using them:
  • systemctl list-units --all
  • systemctl start/stop
  • systemctl enable/disable
  • systemctl status
  1. Launch your vm2 machine, login to the machine, and open a shell terminal.
  2. Use one of the commands above to check the status of your SSH server.
  3. Issue one of the above commands to stop of the ssh server and run a command to verify that the ssh server is no longer running.
  4. Issue another one of the above commands to start the SSH server and to verify that it is running.
  5. Issue a command (not listed above) to confirm that the ssh service will run upon the next vm2 startup.

Configuring a Service

  • A common, if somewhat blatant, way to try to hack into a machine is to try to ssh as root and brute-force the password.
    • The root user always exists, meaning the attacker doesn't need to try guessing what user names are on your system.
    • And if they can get access to root, they can do anything.
  • To prevent this, we'll edit the configuration file for the ssh service to prevent root from ssh'ing into your host machine.
  • Use cat to display /etc/ssh/sshd_config on your host.
  • This file contains the configuration parameters for the ssh service.
  • Lines that begin with # are comments. Either simple explanations of parameters, or parameters that have not been set.
  • Open the man page for sshd_config
    • This lists all the possible parameters in alphabetical order along with a brief explanation of what each one does.
    • The parameter we are looking for is PermitRootLogin, read its description.
  • Use an editor (e.g. vi) to open /etc/ssh/sshd_config, and find the line that has PermitRootLogin.
    • By default it is set to yes, allowing the root user to ssh in to the machine.
    • Uncomment it, and change it to no.
  • Now try to use ssh from one of your VMs to log into your host as root.
    • You'll still be able to. This is because (for most services) the changes you make to the configuration file do not take effect until the service restarts.
    • Restart the sshd service on your host and try to ssh in again. Now it should prevent you.
  • The configuration files for most services follow a very similar format. Some use an = between the parameter and its value, some require you to group certain parameters together, and most use # to be a comment. You will get lots of experience working with the configuration files for services in this course.

SSH Keys

After performing lab7 in OPS235, you should have a basic understanding of ssh and public/private key cryptography to create secure connections between servers.
The public key can be "shared" with other server accounts, and can be used in conjunction with your private key in order to help encrypt/de-crypt data.

The diagram below is shared from Sébastien Saunier's blog. It demonstrates how SSH key authentication works. It's not a complete diagram, but it helps see all the parts of ssh key authentication in one place.

A diagram explaining how public / Private keys work. Another term to represent this process is called PKI (Public/Private Key Infrastructure)

Public/Private Key Pair

This needs to be generated on and used on your client machine (i.e. the user/machine you're connecting from). The private key is the equivalent of a password (that it why it is considered to be private - only to be used by one owner). That is why the private key is stored in the owner's ~/.ssh/ directory.

You generate a new keypair with this command (press enter for all the questions):

ssh-keygen -t rsa

When issuing this command, you will end up with the files: ~/.ssh/id_rsa and ~/.ss/id_rsa.pub (private and public keys)


Sharing your Public Key on a Remote server

So far, this topic is generally a repeat of OPS235 lab7.


What you may not know is that by using a "trick" (the magic of public key cryptography), you can SSH to a Linux machine without using a password!
Learning to perform this trick is essential in this course and in the industry in general. SSH keys are used everywhere that Linux servers are used.

If you have the private key, you can prove to someone who has your public key that you are indeed the actual owner of that public key. That is how ssh key authentication works. You are then only required to transfer your public key to a remote server.


You can transfer the public key to a remote server using either of the following methods:

  • You are going to share the public key from the root user in your hostname with the root user of your vm1.
  • Make certain you are logged on as root.
  • Copy contents of your ~/.ssh/id_rsa.pub from your host machine, and append the contents to ~/.ssh/authorized_keys on each of your Virtual Machine servers
  • Simply issue the Linux command ssh-copy-id -i ~/.ssh/id_rsa.pub username@server

    In your case: ssh-copy-id -i ~/.ssh/id_rsa.pub root@IPADDR_for_vm1


After you perform either of those operations, you can then ssh into a remote vm without a password.


NOTE: Always remember that these keys are per-user, not per machine. This means that sharing a user's public key will only work for that specific user.


Perform the following steps:

  1. Refer to the above notes to allow an ssh connection from your host machine to any of your Virtual Machines (vm1, vm2, vm3) without requiring a password.
  2. Test each ssh connection between host and each virtual machine to ensure that this works.

INVESTIGATION 3: BACKUPS

In OPS235, you learned to use the gzip, gunzip, and virsh dumpxml / virsh define commands to backup your virtual machines and the tar command as an archiving tool.

In this lab, we will focus on a method to provide automatic backups of your VMs to your host machine as opposed to performing full and incremental backups (although it is recommended to study these techniques since they may be useful at some point in a later lab, and will be useful in later courses). We will now focus on using the rsync command for backing up our VMs.

Rsync is a very versatile backup tool. As the name suggests, rsync is used for synchronizing files typically across a network. It works over the SSH protocol, which is useful in our situation since we are running ssh on our server and VMs. You are going to use your host machine to backup files from the virtual machines.

Perform the following steps:

  1. Make certain that your vm1 machine is running.
  2. Make certain that you are logged in as root user on your host machine.
  3. Make certain that the rsync command is installed on your host machine and all your vms.
  4. On your host machine, run the following commands:
mkdir -p /backup/vm1
rsync -avz 192.168.x.x:/etc /backup/vm1/     # where 192.168.x.x is the IPADDR of your vm1
  1. If rsync prompts for a password, make certain that you completed the SSH key section above, and that you assigned the keys for the appropriate user
    (in this case, for the root user for both the hostname and vm1!)
  2. When the rsync command runs correctly, you should see all the files from vm1 being copied over to your host machine.
  3. Run the rsync command again. Notice that the second time nothing is copied over to your host machine since none of the files have changed on your vm1 machine.
  4. Create a new file in vm1's /etc/ directory, and rerun rsync. Confirm on your host machine that only that file that was created on your vm1 machine actually got backed up to your host machine.
  5. Repeat the above steps to create backups for your vm2 and vm3 machines on your host machine as well (for the respective directories: /backup/vm2 and /backup/vm3).


Scheduling Tasks with Cron (Automatic Backups)

Cron is a daemon (i.e. a program that runs in the background). The term "Cron" is short for Chronograph which was an old fashioned term for a stop watch or timer. The role of Cron is to run tasks periodically. It can run tasks for the system (as root) or for a user (including regular users).

You will get cron to run some backup scripts for vms for this course, but first, let's see how Cron works.

Every user has a crontab (Cron Table) which is a list of tasks they want to run periodically. You do not edit this file manually: instead, you edit this table using the command crontab -e. Once you run the command, you will get an empty file where you have to insert a line like this:

10 * * * * echo "Cron ran this job at: "`date` >> /tmp/cron.log

This tells cron to run the command echo "Cron ran this job at: "`date` > /tmp/cron.log at the 10th minute of every hour of every day of every month.


Perform the following steps:

  1. In your host machine as root, edit your crontab and enter the line above. Modify the setting so it will run that echo command every 2 minutes.
  2. Wait for two minutes to pass, and check the /tmp/cron.log file to see if it was created with the expected contents.
    (You can also check /var/log/cron file to see what jobs were run).
  3. Edit your crontab to make automatic backups of the /etc directory from vm1, vm2, and vm3 into /backup/vm1, /backup/vm2, and /backup/vm3 every hour and overwrite the previous backup.


Record steps, commands, and your observations in INVESTIGATION 2 in your OPS335 lab log-book

COMPLETING THE LAB

Students should be prepared with all required commands (system information) displayed in a terminal (or multiple terminals) prior to calling the instructor for signoff.

Arrange evidence (command output) for each of these items on your screen, then ask your instructor to review them and sign off on the lab's completion:

Each of your VMs should now boot to a command prompt (no graphical interface), and should be using a static IP address.
Each of your VMs should have a working network connection and a static IP address.
Each of your VMs should have an SSH server running.
should be able to ssh from your host to each VM as the root user without a password.
Backups of the three VMs' /etc/ directories are made automatically in the host.
You have notes in your labbook about what you've learned in this lab.
Run a shell script to submit your lab:
Steps:
labcheck_network_backup.sh
  • NOTE: When prompted for the network interface, use the virtual interface.

EXPLORATION QUESTIONS

  1. Explain the major different between the ip and ifconfig commands.
  2. List the steps to create a temporary static IP network connection for your vm1 machine to connect to your host machine.
  3. List the steps to create a persistent static IP network connection for your vm1 machine to connect to your host machine.
  4. List at least 3 trouble-shooting techniques to check or verify a network connection from a vm to a host machine.
  5. List at least 5 reasons (from networking trouble-shooting) that can break a network connection.
  6. List the tools (commands) how to configure / stop / start the ssh service.
  7. Explain why it is important to know how to manage network services if you intend to configure ("tweak") the service.
  8. Briefly explain the purpose of the tar, cpio, dump, restore commands.
  9. Explain how the rsync command differs from the tar, cpio, dump, and restore commands.
  10. List the steps to create a crontab entry to run the program /bin/clean-out.bash every half day.
  11. What is the purpose of using crontabs for backing up your virtual machines' data to your host machine?