== OBJECTIVE & PREPARATION ==
In OPS235, you learned how to configure a virtual private network for your '''centos1''', '''centos2''' and '''centos3''' virtual machines, and you were required to configure a static network connection for your VMs. In OPS335, you will also be setting up a static network connection for all of your VMs, which will be '''CLI''' (or '''"text-based"''') machines, just as centos3 was for your OPS235 labs. All of the services that we install and configure for this course '''require a working network connection'''; therefore, it is very important that you know how to configure a network connection for your VMs, whether via the command line for trouble-shooting purposes, or by creating a persistent (permanent) network connection that uses a static IP address (as opposed to DHCP).
This lab is a <u>review</u> of the material from OPS235 Lab 6 ([http://zenit.senecac.on.ca/wiki/index.php/OPS235_Lab_6_-_CentOS7#Part_4:_Configuring_VM_Network_Setup_via_Command_Line_.28centos3.29 CLI Network Configuration]), but will also cover additional topics:
*[https://www.tty1.net/blog/2010/ifconfig-ip-comparison_en.html ip vs ifconfig]
*[https://www.digitalocean.com/community/tutorials/how-to-use-rsync-to-sync-local-and-remote-directories-on-a-vps rsync Howto]
*[https://help.ubuntu.com/community/CronHowto Cron HowTo]
=== Checking Your Current Network Settings ===
In OPS235, you used the deprecated '''ifconfig''' and '''route''' commands. In this course we'll use the '''ip''' command instead, so that you'll be familiar with both sets of commands; you may still use the deprecated ifconfig and route commands, but you are expected to know the newer ip command as well.
<tr> <td>Obtain Hostname</td><th>uname -n</th><th>uname -n</th></tr>
<tr> <td>See MAC cache</td><th>arp -n</th><th>ip neighbour</th></tr>
</table>
<ol><li value="2">Run the '''ifconfig''' and '''ip address''' commands on your c7host machine. Record the IPADDR for your default (dhcp) network interface card (possibly eno1) and for the virtual bridge. Do you notice any differences between their respective outputs?</li><li>Issue the '''ip''' command on your host machine to determine the IPADDR and GATEWAY information (refer to the above chart). How are the results similar to or different from those of the ifconfig command?</li><li>Issue the ifconfig command on your VMs. What happened?</li><li>Use the '''ip''' command on your VMs to list the IPADDR and GATEWAY information.</li><li>Refer to the man pages or to the following article ([http://www.tecmint.com/ip-command-examples/ 10 Useful ip Commands]) to see how to issue the above commands to create a <u>temporary</u> connection to your existing network.</li></ol>
=== Making Persistent (Permanent) Network Setting Changes ===
In order to have your network settings become permanent, you need to edit and save the settings changes in a file.
For the IP address, subnet mask, default gateway, and DNS server, the file you edit is contained in a directory called: '''network-scripts'''.
'''Perform the following steps:'''
# Change to the ''network-scripts'' directory (see your ''OPS335''/''OPS235''/''ULI101'' notes; issue a command to provide the full path-name of the directory ''network-scripts''. If that command or utility does not exist, simply install it).
# The name of the file that contains your persistent network settings has the following name format:<br>'''ifcfg-''interfacename'''''
# Which file-name in your network-scripts directory do you think contains your current network settings?
Except for your host machine, all the Virtual Machines in this course will have '''static network configuration''' (as opposed to Automatic or DHCP). Sometimes, you will be required to debug networking problems quickly by changing the network configuration of your VMs.
<ol>
<li value="7">Edit the '''ifcfg-''interfacename''''' (most likely ifcfg-eth0) file for each of your VMs to use a static IP address (refer to the previous OPS235 lab on networking: [https://wiki.cdot.senecacollege.ca/wiki/OPS235_Lab_6#Part_3:_Configuring_VM_Network_Setup_via_Command_Line_.28centos3_and_centos2.29 Network Config - CLI]).<br>You should be configuring the BOOTPROTO ('''static''' instead of dhcp), IPADDR, PREFIX (or NETMASK), GATEWAY, HWADDR, and DNS1 for this file. Note the following information for this setup:<ul><li>Set your IPADDR for each VM with the following rules:<ol type="a"><li>Your IPADDR's third octet will use the last 2 digits of your student number.</li><li>Make certain that the 4th octet for your VMs does not start with '''1''', since that is reserved by your host machine.<br>Use the recommended fourth octets: '''2 for vm1''', '''3 for vm2''', and '''4 for vm3'''.</li></ol></li><li>Don't forget to set the default gateway and DNS server for your VMs. You can use your host's IP address as the gateway and DNS server<br>(''libvirt'' will proxy the requests to the real DNS server).</li><li>You can refer to your previous lab to obtain information for the setup of these options: [https://wiki.cdot.senecacollege.ca/wiki/index.php/OPS335_Installation_Lab#Configuring_a_VM_host Configuring a VM Host]<br><br></li></ul></li><li>Make note of the files used and entries required, and record them in your lab log-book.</li><li>Save your editing session, then restart each VM and run the following commands to ensure they still have the network configuration you set:<ul><li>'''ping''' (what is the purpose of this command?). Try to ping matrix and google from each of your VMs to ensure you can reach the outside world.</li><li>'''ssh''' (into another server, like Matrix)</li></ul></li><li>After setting the network configuration for EACH VM, use either the ifdown and ifup commands or reboot each VM, to verify that you can connect to the Internet with the new static IP network configuration. If you cannot connect to the Internet, then check the network configuration file and make corrections until you have a workable network connection for each VM from boot-up.</li></ol>
If the network works in your host, but not in your Virtual Machine, you should perform the following routine steps to troubleshoot the network connection:
# '''IS THE NETWORK ON THE VM PLUGGED IN?''' On a physical network you would check whether the cable is plugged in and the link light is on on your network card. In a virtual network environment, you don't have a physical network adapter. Instead, you will need to check the NIC settings in the <u>'''virtual'''</u> machine details to view and confirm the appropriate network connection.
# '''IS THE NETWORK ENABLED?''' This is a problem more common with virtual networks than physical networks. Check in '''VirtManager'''->'''Connection Details'''->'''Virtual Networks''' that your network is active.
# '''DO YOU HAVE AN IP ADDRESS?''' Run '''ip address''' to check.
# '''CAN YOU PING THE HOST BY IP?''' (by its internal IP address). If not, check all of the above, check if you have an IP address conflict, and check that your subnet mask is correct.
# '''CAN YOU PING 8.8.8.8?''' If all of the above work, check that your default gateway is set correctly with '''ip route''' and that you can ping the default gateway.
# '''CAN YOU RESOLVE google.ca?''' Run '''host google.ca'''. If the output doesn't provide an IP address, check that your DNS server is configured correctly and that you can ping that address.
There are a number of other problems that could prevent your network connection from functioning but the above are the most common problems.
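The two things the steps above keep coming back to are the addressing rules for the ifcfg file (third octet from your student number, fourth octet 2/3/4, gateway and DNS at the host's .1 address) and checking that file when the network breaks. The script below is an added example and not part of the lab page: it writes an ifcfg file from those rules and then checks a file for the mistakes the troubleshooting list hunts for (BOOTPROTO not static, a missing GATEWAY or DNS1, an IPADDR that collides with the host's .1 or sits on a different subnet than the gateway). The interface name eth0, PREFIX=24, the DEVICE/ONBOOT lines and the MAC address are assumptions, not values from the page, and everything is written under a temporary directory rather than /etc/sysconfig/network-scripts.

```shell
#!/bin/sh
# Added example (not the lab's own code): build an ifcfg-* file for one VM
# from the lab's addressing rules and check an ifcfg file for common mistakes.
# Assumptions not taken from the page: interface eth0, PREFIX=24, DEVICE and
# ONBOOT entries, a placeholder MAC address, host address 192.168.NN.1.

# ifcfg_get FILE KEY: value of KEY=value in FILE (last one wins, quotes stripped)
ifcfg_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d '"'
}

# make_ifcfg STUDENT_DIGITS VM_NUMBER OUTFILE
#   third octet  = last two digits of the student number
#   fourth octet = VM number + 1 (2 for vm1, 3 for vm2, 4 for vm3); .1 is the host
make_ifcfg() {
    digits=$1; vmnum=$2; out=$3
    case $digits in
        [0-9][0-9]) ;;
        *) echo "student digits must be exactly two digits" >&2; return 1 ;;
    esac
    third=${digits#0}        # "07" -> "7": keep the octet decimal, not octal
    fourth=$((vmnum + 1))
    cat > "$out" <<EOF
DEVICE=eth0
HWADDR=52:54:00:00:00:0$vmnum
BOOTPROTO=static
ONBOOT=yes
IPADDR=192.168.$third.$fourth
PREFIX=24
GATEWAY=192.168.$third.1
DNS1=192.168.$third.1
EOF
}

# check_ifcfg FILE: prints one line per problem; exit status = number of problems
check_ifcfg() {
    f=$1; problems=0
    boot=$(ifcfg_get "$f" BOOTPROTO); ip=$(ifcfg_get "$f" IPADDR)
    gw=$(ifcfg_get "$f" GATEWAY);     dns=$(ifcfg_get "$f" DNS1)
    prefix=$(ifcfg_get "$f" PREFIX);  mask=$(ifcfg_get "$f" NETMASK)

    [ "$boot" = static ] || { echo "BOOTPROTO is '$boot', expected static"; problems=$((problems+1)); }
    [ -n "$ip" ]  || { echo "IPADDR is missing"; problems=$((problems+1)); }
    [ -n "$gw" ]  || { echo "GATEWAY is missing"; problems=$((problems+1)); }
    [ -n "$dns" ] || { echo "DNS1 is missing"; problems=$((problems+1)); }
    [ -n "$prefix$mask" ] || { echo "neither PREFIX nor NETMASK is set"; problems=$((problems+1)); }

    if [ -n "$ip" ]; then
        last=${ip##*.}; net=${ip%.*}
        [ "$last" != 1 ] || { echo "IPADDR ends in .1, which is reserved for the host"; problems=$((problems+1)); }
        [ "$ip" != "$gw" ] || { echo "IPADDR and GATEWAY are the same address"; problems=$((problems+1)); }
        [ -z "$gw" ] || [ "${gw%.*}" = "$net" ] || { echo "GATEWAY $gw is not on the IPADDR subnet $net.0/24"; problems=$((problems+1)); }
    fi
    return $problems
}

# Demo on constructed files in a temp dir: a good vm1 file and a "broken" copy
# of the kind a troubleshooting exercise might leave behind.
demo_ifcfg() {
    d=$(mktemp -d)
    make_ifcfg 42 1 "$d/ifcfg-eth0"
    check_ifcfg "$d/ifcfg-eth0" && echo "vm1 config OK: $(ifcfg_get "$d/ifcfg-eth0" IPADDR)"
    sed -e 's/^BOOTPROTO=static/BOOTPROTO=dhcp/' -e 's/^GATEWAY=.*/GATEWAY=192.168.99.1/' \
        "$d/ifcfg-eth0" > "$d/ifcfg-eth0.broken"
    check_ifcfg "$d/ifcfg-eth0.broken" || echo "broken copy: $? problem(s) found"
    rm -rf "$d"
}
demo_ifcfg
```

Run it as a normal user to see both results; to check a real VM file, call `check_ifcfg /etc/sysconfig/network-scripts/ifcfg-eth0` on the VM after the break-network exercise and compare the output with what you changed by hand.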
==== Run Script to Break My Network Connection for Troubleshooting ====
You will now download, set execute permissions on, and run a Bash shell script to try to "break" the network connection for your vm1. This will provide troubleshooting practice: check your network configuration file, look for and correct errors, and restart your network interface connection. Perform the following steps:
# Move to your '''vm1''' machine and make certain that you are logged in as '''root'''.
# Make certain that the '''wget''' command is available on your VM. If not, install the wget application. Do this for ALL of your VMs.
# Use the '''wget''' command (with the option "--no-check-certificate") to download the following shell script, and then run it:<br>http://scs.senecacollege.ca/~murray.saul/ops335/break-network.bash
# When you have run that shell script, it should automatically restart your vm1 machine.
# Login to your vm1.
# Use the commands taught in this lab to confirm whether your network connection is broken.
# Carefully check your configuration to see if there is a change to your settings.
# Try to temporarily connect to the Internet.
# Edit your network settings file to make the changes permanent.
# Test your connectivity (including after a reboot of your vm1).
'''Note:''' You should be able to go through that troubleshooting process pretty quickly. Setting up the network in this course is never a primary task, but it's almost always a prerequisite for anything else we're going to do. You can't have a working web server (or any other kind of server) if you don't have a working network connection.
::* '''systemctl status'''
<ol><li value="2">Launch your '''vm2''' machine, login to the machine, and open a shell terminal.</li><li>Use one of the commands above to check the status of your SSH server (i.e. the service ''sshd'').</li><li>Issue one of the above commands to stop the ssh server, then run a command to verify that the ssh server is no longer running.</li><li>Issue another one of the above commands to start the SSH server, and verify that it is running.</li><li>Issue a command (not listed above) to confirm that the ssh service will run when the vm2 server restarts (i.e. that it is "enabled").</li></ol>
=== Configuring the SSH Service ===
=== SSH Key Concepts ===
[[Image:ssh_connection_explained.png|thumb|center|600px|A diagram explaining how public/private keys work. Another term for this process is '''PKI''' (Public/Private Key Infrastructure).]]
<br />
Put this book on your "must-read" list. You can borrow a copy from the Toronto Public Library. I have yet to see a better introduction to encryption. It's not a requirement for OPS335, but if you want to not be clueless about security fundamentals online, read that book and understand it.
<ol><li value="5">You are going to share the public key from the '''root user in your host machine''' with the '''root user of your vm1 machine'''.</li><li>Copy the contents of '''~/.ssh/id_rsa.pub''' from your host machine and append it to '''~/.ssh/authorized_keys''' on each of your Virtual Machines. In your case, you will issue the following command 3 times (once for each VM's IPADDR):<br><source>ssh-copy-id -i ~/.ssh/id_rsa.pub root@IPADDR_for_vm</source>'''NOTE:''' Press ENTER for all prompted information including the password (although this may seem counter-intuitive!).<br><br></li><li>Use the ssh command to test each ssh connection between your host and each virtual machine, confirming that you can connect to the VMs without having to use a password. This is essential for creating backups from the VMs to your host machine without being prompted for a password.</li></ol>
{{Admon/important|Errors in Copying Public Key from Host to VM|If you experience an error when copying the public key from your host machine to your VM, it is most likely caused by the change you made in the previous section to not permit root login. Set sshd to allow login from root on each VM, restart your sshd service, and then re-run the above command.}}
After you perform either of those operations, you can then ssh into a remote vm without a password.
'''NOTE:''' Always remember that these keys are '''per-user, <u>not</u> per machine'''. This means that sharing a user's public key will only work for that specific user.
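To make the "per-user, not per-machine" point concrete, here is what ssh-copy-id does for one user, written out by hand as an added example that is not part of the lab page: the public key line is appended to that user's ~/.ssh/authorized_keys (never duplicated), and the directory and file receive the modes sshd requires before it will trust the file (700 and 600). The functions take the home directory as a parameter, so a key installed for /root is invisible to /home/someone, and they can be exercised on a scratch directory. The public key string below is a constructed placeholder, not real key material.

```shell
#!/bin/sh
# Added example (not the lab's code): a by-hand equivalent of what ssh-copy-id
# does on the VM side, parameterised by home directory so it can be tried on a
# temp dir. SAMPLE_PUBKEY is a constructed placeholder, not a real key.

SAMPLE_PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructedPlaceholderNotARealKey root@c7host'

# install_pubkey HOME_DIR KEY_LINE
#   Appends KEY_LINE to HOME_DIR/.ssh/authorized_keys unless it is already there,
#   and enforces the modes sshd checks (.ssh 700, authorized_keys 600).
#   Prints "added" or "already present"; exit status 1 on a malformed key line.
install_pubkey() {
    home=$1; key=$2
    case $key in
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-"*) ;;
        *) echo "not an OpenSSH public key line" >&2; return 1 ;;
    esac
    mkdir -p "$home/.ssh" || return 1
    chmod 700 "$home/.ssh"
    ak=$home/.ssh/authorized_keys
    touch "$ak" && chmod 600 "$ak"
    if grep -qxF -- "$key" "$ak"; then
        echo "already present"
    else
        printf '%s\n' "$key" >> "$ak"
        echo "added"
    fi
}

# authorized_key_count HOME_DIR: how many key lines this user has authorised.
authorized_key_count() {
    [ -f "$1/.ssh/authorized_keys" ] || { echo 0; return 0; }
    grep -c -e '^ssh-' -e '^ecdsa-' "$1/.ssh/authorized_keys" || true
}

# ssh_modes HOME_DIR: mode strings of .ssh and authorized_keys, e.g.
# "drwx------ -rw-------"; anything looser and sshd ignores the file.
ssh_modes() {
    d=$(ls -ld "$1/.ssh" | cut -c1-10)
    f=$(ls -l "$1/.ssh/authorized_keys" | cut -c1-10)
    echo "$d $f"
}

# Demo: two "users" (two scratch home dirs); the key installed for the first
# does nothing for the second, which is the per-user point of the note above.
demo_keys() {
    root_home=$(mktemp -d); other_home=$(mktemp -d)
    install_pubkey "$root_home" "$SAMPLE_PUBKEY"     # added
    install_pubkey "$root_home" "$SAMPLE_PUBKEY"     # already present (idempotent)
    echo "keys for first user: $(authorized_key_count "$root_home"); modes: $(ssh_modes "$root_home")"
    echo "keys for second user: $(authorized_key_count "$other_home")"
    rm -rf "$root_home" "$other_home"
}
demo_keys
```

The mode check is worth knowing on its own: if ssh-copy-id reports success but you are still asked for a password, `ssh_modes /root` on the VM (or `ls -ld ~root/.ssh ~root/.ssh/authorized_keys`) is the first thing to look at after the PermitRootLogin setting.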
== INVESTIGATION 3: PERFORMING & AUTOMATING BACKUPS ==
=== Performing Full Backups ===
A full backup is a backup of all of the files of a computer (in our case, a VM). A full backup should be performed at the end of each lab or assignment working session.
In OPS235, you learned to use the '''gzip''' and '''gunzip''' commands (plus '''virsh dumpxml''' / '''virsh define''' if backing up to an external storage device like a USB key) to backup your virtual machines, and the '''tar''' command as an archiving tool. We will use the same method to perform full backups of your VMs for these labs and assignments.
'''Perform the following steps:'''
#Make certain that your virtual machines are NOT running.
#Make certain that you are logged in as the '''root''' user on your host machine.
#Refer to OPS235 Lab 2 on backing up your VMs using the '''gzip''' command: [https://wiki.cdot.senecacollege.ca/wiki/OPS235_Lab_2_-_CentOS7_-_HD2#Part_1:_Backing_Up_Virtual_Machines OPS235 Lab2 - Backing up VMs]
#Make certain that you have performed a full backup for '''vm1''', '''vm2''', and '''vm3'''. It is recommended to create a Bash shell script to automate the backing up of ALL your VMs in sequence. You can do this by running a for loop over a list of the vm1, vm2, and vm3 image file pathnames.
<ol><li value="5">Create the directory '''/root/bin'''.</li><li>You should know how to create full backups of your VMs from your OPS235 course. Create a Bash shell script called '''/root/bin/fullbackup.bash''' that will backup all of your VMs (i.e. vm1, vm2, and vm3) one at a time using the '''gzip''' command into the directory path-name '''/backup/full/'''.</li><li>Set execute permissions, and run the shell script to verify that your shell script works. Did it work?</li><li>It is also recommended to backup to your USB key as well (qcow2 images and xml config files).</li></ol>
It will be your responsibility as an administrator of your own Linux system to backup all of your VMs for labs and assignments at the end of your lab session. Learning to create shell scripts to automate routine tasks (such as backups) will be EXTREMELY useful for your NDD430 course.
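One way to write the full backup script the steps above ask for, as an added example rather than the lab's own /root/bin/fullbackup.bash: a loop over the VM names, gzip of each qcow2 image into /backup/full, the XML definition saved beside it when virsh is present, and a refusal to back up a VM that is still running (the page's first step is that the VMs are NOT running). The image file names vmN.qcow2 and the IMAGE_DIR/BACKUP_DIR defaults are assumptions; both directories can be overridden so the script can be tried on scratch files before it is pointed at real images.

```shell
#!/bin/bash
# Added example (not the lab's /root/bin/fullbackup.bash): full backup of
# vm1..vm3 with gzip, in the shape the lab describes. Assumed names: images
# are $IMAGE_DIR/<vm>.qcow2; both directories default to the lab's paths.

IMAGE_DIR=${IMAGE_DIR:-/var/lib/libvirt/images}
BACKUP_DIR=${BACKUP_DIR:-/backup/full}
VMS=${VMS:-"vm1 vm2 vm3"}

# backup_vm NAME
#   gzip NAME.qcow2 into BACKUP_DIR/NAME.qcow2.gz; when virsh is available,
#   refuse to back up a running VM and also save its XML definition so the
#   backup can be re-defined with 'virsh define' on another host.
backup_vm() {
    name=$1
    src=$IMAGE_DIR/$name.qcow2
    dst=$BACKUP_DIR/$name.qcow2.gz
    if [ ! -f "$src" ]; then
        echo "skip $name: $src not found" >&2
        return 1
    fi
    if command -v virsh >/dev/null 2>&1; then
        if virsh list --name 2>/dev/null | grep -qx "$name"; then
            echo "skip $name: VM is running; shut it down first" >&2
            return 1
        fi
        virsh dumpxml "$name" > "$BACKUP_DIR/$name.xml" 2>/dev/null || rm -f "$BACKUP_DIR/$name.xml"
    fi
    gzip -c "$src" > "$dst" || return 1
    echo "$name -> $dst ($(du -h "$dst" | cut -f1))"
}

# backup_all: back up every VM in VMS in sequence; exit status = number failed.
backup_all() {
    mkdir -p "$BACKUP_DIR" || return 1
    failed=0
    for vm in $VMS; do
        backup_vm "$vm" || failed=$((failed + 1))
    done
    return $failed
}

# verify_backup NAME: gzip's own integrity check of the archive, the scripted
# counterpart of running 'file' and 'ls -lh' on it by hand.
verify_backup() {
    gzip -t "$BACKUP_DIR/$1.qcow2.gz"
}

# Only run the backup when invoked as the script itself (not when sourced).
case $0 in
    *fullbackup.bash) backup_all ;;
esac
```

Save it as /root/bin/fullbackup.bash, `chmod 700` it, and run it as root with the VMs shut down; to rehearse it first, run `IMAGE_DIR=/tmp/images BACKUP_DIR=/tmp/backup ./fullbackup.bash` against a couple of throwaway files named vm1.qcow2 and vm2.qcow2.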
=== Performing Incremental Backups ===
An incremental backup is a backup of only files that have changed since the last backup. In your case, it may be a good idea to perform incremental backups of your '''/etc/ ''' directory for your VMs upon startup. We will be using the '''rsync''' command to perform incremental backups for all of your VMs.
'''Rsync''' is a very versatile backup tool. As the name suggests, rsync is used for <u>synchronizing</u> files typically across a network. It works over the '''SSH''' protocol, which is useful in our situation since we are running ssh on our server and VMs. You are going to use your ''host machine'' to backup files from the ''virtual machines''.
# On your '''host machine''', run the following commands:
<source lang=bash>mkdir -p /backup/incremental/vm1
rsync -avz 192.168.x.x:/etc /backup/incremental/vm1/   # where 192.168.x.x is the IPADDR of your vm1</source>
'''NOTE:''' This command will '''NOT''' work if '''permit root access is denied''' in the sshd service configuration for your VMs, so leave root login permitted for now...
<ol><li value="4">If rsync prompts for a password, make certain that you completed the '''SSH key''' section above, and that you assigned the keys for the <u>appropriate user</u><br>(in this case, the '''root user on both the host and vm1'''!)</li><li>When the rsync command runs correctly, you should see all the files from vm1 being copied over to your host machine.</li><li>Run the rsync command again. Notice that the second time nothing is copied over to your host machine, since none of the files have changed on your vm1 machine.</li><li>Create a new file in vm1's '''/etc/''' directory, and rerun '''rsync'''. Confirm on your '''host machine''' that only the file that was created on your vm1 machine actually got backed up to your host machine.</li><li>Repeat the above steps to create backups for your '''vm2''' and '''vm3''' machines on your host machine as well (for the respective directories: '''/backup/incremental/vm2''' and '''/backup/incremental/vm3''').</li></ol>
=== Automating Backups (cron) ===
Since your host machine and VMs are '''not continuously running''', '''you are not required to schedule your FULL BACKUPS periodically''' (e.g. every week at 2:00 AM). Instead, it will be YOUR responsibility to run your full backup script when you complete each of your OPS335 labs, or when you finish your OPS335 assignment working session. On the other hand, '''you will use cron to perform incremental backups''' (e.g. copying updated files from the VMs' /etc/ directory).
'''Cron''' is a ''daemon'' (i.e. a program that runs in the background). The term ''"Cron"'' is short for '''Chronograph''' which was an old fashioned term for a '''stop watch''' or '''timer'''. The role of '''Cron''' is to run tasks periodically. It can run tasks for the system (as root) or for a user (including regular users). Every user has a crontab (Cron Table) which is a list of tasks they want to run periodically. You do not edit this file manually: instead, you edit this table using the command '''crontab -e'''. Once you run the command, you will get an empty file where you have to insert a line like this:
{{Admon/important|Backup your VMs!|You MUST perform a '''full backup''' of ALL of your VMs whenever you complete your '''OPS335 labs''' or when working on your '''OPS335 assignments'''. You should be using the gzip command, and you should use the Bash shell script that you were advised to create in order to backup all of your VMs.}}
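The incremental backup section and the cron section above describe one job from two sides: the rsync pull of each VM's /etc into /backup/incremental/vmN, and the crontab entry that runs it. The script below is an added example (not the lab's code) that puts both together: it loops over the VMs, runs rsync over SSH as root exactly as the rsync step does, and writes one OK/FAILED line per VM to a log so you can tell from the host whether last night's run worked. The VM addresses (192.168.42.2-4) are constructed; replace 42 with your own third octet. The `-e "ssh -o BatchMode=yes"` option makes ssh fail outright instead of waiting for a password, which is what you want from a cron job: if key-based root login is not working, the log says so and nothing hangs. The crontab line in the comment is an assumption about where you install the script, not something the page specifies.

```shell
#!/bin/sh
# Added example (not the lab's own code): the incremental /etc backup job that
# cron runs on the host. Assumed install path /root/bin/incremental-backup.sh
# with a crontab entry (added with 'crontab -e' as root) such as
#   0 * * * * /root/bin/incremental-backup.sh
# which runs it at the top of every hour. VM addresses are constructed.

BACKUP_ROOT=${BACKUP_ROOT:-/backup/incremental}
LOG=${LOG:-/var/log/incremental-backup.log}
RSYNC=${RSYNC:-rsync}          # may name a wrapper or stub for dry runs

# One "name address" pair per line; 42 is a constructed third octet.
VM_LIST="vm1 192.168.42.2
vm2 192.168.42.3
vm3 192.168.42.4"

# backup_etc NAME ADDR
#   Pull root@ADDR:/etc into BACKUP_ROOT/NAME/etc/. rsync transfers only files
#   whose size or mtime changed, which is what makes the backup incremental.
#   BatchMode=yes makes ssh fail instead of prompting when no key is accepted.
#   Appends one OK/FAILED line to LOG; exit status is rsync's.
backup_etc() {
    name=$1; addr=$2
    dest=$BACKUP_ROOT/$name
    mkdir -p "$dest" || return 1
    rc=0
    "$RSYNC" -avz -e "ssh -o BatchMode=yes" "root@$addr:/etc" "$dest/" || rc=$?
    if [ "$rc" -eq 0 ]; then
        echo "$(date '+%F %T') $name OK" >> "$LOG"
    else
        echo "$(date '+%F %T') $name FAILED rc=$rc" >> "$LOG"
    fi
    return $rc
}

# backup_all_etc: run every VM in VM_LIST; exit status = number of failures.
backup_all_etc() {
    failed=0
    while read -r name addr; do
        [ -n "$name" ] || continue
        backup_etc "$name" "$addr" || failed=$((failed + 1))
    done <<EOF
$VM_LIST
EOF
    return $failed
}

# Run the job only when executed as the script itself (not when sourced).
case $0 in
    *incremental-backup.sh) backup_all_etc ;;
esac
```

cron runs jobs with a minimal PATH and no terminal, so keep absolute paths in the crontab line, check `tail /var/log/incremental-backup.log` after the first scheduled run, and expect every line to read FAILED rc=255 until the root key from the SSH section is installed on each VM.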
<!-- ===Andrew's sections=== -->
::<span style="color:green;font-size:1.5em;">✓</span> Each of your VMs should now boot to a command prompt (no graphical interface), and should be using a static IP address.
::<span style="color:green;font-size:1.5em;">✓</span> Each of your VMs should have an SSH server running.
::<span style="color:green;font-size:1.5em;">✓</span> You should be able to ssh from your host to each VM as the root user without a password.
::<span style="color:green;font-size:1.5em;">✓</span> Display the contents of the backup script called: '''/root/bin/fullbackup.bash'''
::<span style="color:green;font-size:1.5em;">✓</span> Full and incremental backups of your 3 VMs.
::<span style="color:green;font-size:1.5em;">✓</span> You have notes in your lab-book about what you've learned in this lab.
::<span style="color:green;font-size:1.5em;">✓</span> Run a shell script to submit your lab:<br>
:::'''Steps:'''
:::*Issue the following command to download the bash shell script:<br>'''wget http://matrix.senecacollege.ca/~murray.saul/ops335/labcheck_network_backup.sh'''
:::*Assign execute permissions, and run the script to check your work:<br>'''labcheck_network_backup.sh'''
:::*'''NOTE:''' When prompted for the network interface, use the '''virtual interface'''.
== EXPLORATION QUESTIONS ==