=Accessing your AWS account = OBJECTIVE & PREPARATION==In OSL740, you learned how to configure a virtual private network for your '''vm1''', '''vm2''' and '''vm3''' virtual machines. You were required to configure a static network connection for your VMs. In OSL840, you will also be setting up a static network connection for all of your VMs (which all VMs will be text-based). All of the services that we install and configure for this course '''require a working network connection'''; therefore, it is very important that you know how to configure a network connection for your VMs, whether via command line for trouble-shooting purposes, or to create a persistent (permanent) network connection that uses static IP address (as opposed to DHCP).
This lab is a <u>review</u> At the beginning of the material from labs 6 ( [http://zenitsemester your professor will create a Leaner Lab in AWS Academy.senecacThe professor will add all the students enrolled in their OPS345 sections as students in that Learner Lab.on.ca/wiki/index.php/OPS235_Lab_6_-_CentOS7#Part_4You should automatically receive an email that looks like this in the beginning of the course:_Configuring_VM_Network_Setup_via_Command_Line_.28centos3.29 CLI Network Configuration] ), but will also additional topics.
=== Online Resources===[[File:AWSAcademyInvitation.png|800px|border|center]]
*[httpsIf you haven't received such an email://www.tty1.net/blog/2010/ifconfig-ip-comparison_en.html ip vs ifconfig]*[https://www.digitalocean.com/community/tutorials/how-to-use-rsync-you need to-sync-local-and-remote-directories-on-a-vps rsync Howto]*[https://help.ubuntulet your professor know.com/community/CronHowto Cron HowTo]
== INVESTIGATION 1Once you complete setting up your account: BASIC NETWORK CONFIGURATION (REVISITED) ==you might want to bookmark this page, or even make it your home page: https://awsacademy.instructure.com
Remember how you set up Browse around the network interfaces in interface. To do your virtual machines in OPS235?You are expected work for OPS345 you only ever need to be familiar with how navigate to configure and test out a VM's network connectivity at "Courses" > "AWS Academy Learner Lab - Foundation Services" > "Modules" > "Learner Lab - Foundational Services", which looks like this point.:
=== Checking Your Current Network Settings ===[[File:AWSAcademyLearnerLabHomeScreen.png|800px|border|center]]
In OPS235, The links you have used the '''ifconfig''' and '''route''' commands. In this course we'll use the '''ip''' command instead, so that you'll be familiar with both sets of commands.most often are highlighted in green:
# This is the amount of credits you have used out of your allocated 100$. Unlike the screenshot yours will start at zero.
# Most of your AWS resources are turned off unless your lab is started. Click this button to start the lab. There is only one lab for the entire OPS345 course, you will start it many times.
# The amount of time the current session of the lab has been running. After the 4 hours runs out the lab will be stopped and the associated resources will be shut down.
# Click here to get to the AWS web interface where you'll do most of your work.
Your work which you save inside your virtual machines is not deleted once the lab stops. AWS Academy simply shuts down your virtual machines. Your virtual machines and the rest of your Learner Lab resources '''Perform the following steps:will'''be deleted automatically at the end of OPS345.
# View The first time you start the table below comparing ''older'' vs ''newer'' methods of obtaining network setting information for lab it may take a Linux machinefew minutes, much longer than usual.
= AWS cost monitoring =
::'''Comparison of Older and Newer Methods Normally using resources from AWS costs money. AWS costs are very competitive, but their resources are not free. In an AWS Academy Learner Lab you get a 100$ credit which will be more than enough to cover all your resources until the end of Obtaining Network Settings''the course if you're not reckless.
<table border="1" cellspacing="0" cellpadding="5" style="margin{{Admon/important|You are responsible for your AWS usage!|If you run out of credits: you will have to find another way to finance completing the required hands-left:51px;"><tr><td>'''Purpose'''</td><td>'''Older Method'''<br>''(command)''</td><td>'''Newer Method'''<br>''(command)''</td></tr><tr> <td>Obtain IP ADDRESS and Subnet Mask</td><th>ifconfig</th><th>ip address</th></tr>on parts of OPS345.}}
<tr> <td>Obtain Default Gateway</td><th>route -n</th><th>ip route</th></tr>Take this as an opportunity during OPS345 to learn what costs how much money in the cloud. The skills of managing cloud costs are very valuable. Unfortunately AWS Academy doesn't make it easy for you. On the unrestricted AWS you have access to AWS Budgets, Amazon CloudWatch Billing Alarms, and other tools to help you monitor and control your costs. But due to the way AWS Academy was designed: you won't have access to those tools. That's in return for the free 100$, which most students don't complain about.
<tr> <td>Obtain DNS Server</td><th>nslookup</th><th>more resolvEven without the budget restrictions in AWS Academy: AWS costs are not easy to manage.conf</th></tr>Here are some examples of what you'll run into:
<tr> <td>Obtain Hostname</td><th>uname -n</th><th>uname -n</th></tr>* Resources that say "Free" on the label, but will only be free in a specific configuration.* Resources that are free unless you exceed some threshold of usage (CPU usage, bandwidth, etc.)* Resources that cost money only when they are ''not'' used. That was not a typo.* And the most common of all: resources that don't have a cost listed next to them at all.
<tr> <td>See MAC cache</td><th>arp -n</th><th>ip neighbour</th></tr>So in order to learn anything about costs on AWS: pay attention whenever you see a note about the cost of anything, even though it will be a distraction from what you're trying to accomplish at that time. There are many places where such notes are scattered. Always keep cost in the back of your mind when doing ''anything'' on AWS. Then hopefully you'll get a general idea, so that when you're done with OPS345 you can have an intelligent conversation about it.
</table>= Basic security on a public-facing server =
Security is a topic most people aren't qualified to address. That's because it's complicated on its own, but in order to set it up properly: it also requires a solid understanding of the fundamentals of the systems which need to be secured.
<ol><li value="2">Run the '''ifconfig''' command on your '''host'That doesn't mean you can' machinet learn it. Check and record As with most technologies, the IPADDR recipe for your default (dhcp) network interface card (possibly eno1) and the virtual bridgesuccess is simple.</li><li>Issue the '''ip''' command The more time you spend on your '''host''' machine to determine it: the IPADDR and GATEWAY information (refer better you get. Every bit of learning you do related to above chart)security will make you more qualified. How The more qualified you are to speak about security issues: the result similar more valuable you are as a technician or different than the ifconfig command?</li><li>Issue the ifconfig command on your VMsengineer. what happened?</li><li>Use the '''ip''Even if you' command re not directly responsible for your VMs security of a system: you will always have to list the IPADDR work with security measures, and GATEWAY information.</li><li>Refer to the man pages or refer to following article [http://www.tecmint.com/ip-command-examples/ 10 Useful ip Commands] to see how to issue the above commands to create a <u>temporary</u> connection to your existing networksometimes around them.</ol>
=== Making Persistent (Permanent) Network Setting Changes ==={{Admon/tip|Your attitude matters|Usually if you follow the rules of the organization you work for: security breaches are somebody else's problem. But not always. For example if you get your AWS Academy account suspended by Amazon because your password was "123" - I won't feel bad for you, and ''you'' will have to find a way to complete the requirements of the course. And whether it's your problem or not: wouldn't you rather be a part of the solution?}}
In your OPS235 courseSo as with AWS costs there are some steps I can tell you to follow, but overall you used a series should take some time to think of commands (ifconfig, route, and nameserver) to setup a temporary network connectionsecurity whenever you do anything. You can use the ip command (a another command) in a similar way Who has access to create a temporary network connection. The problem with this network connection method is that those changes will be lost if you restart your Linux specific machine, although you may want to do that ? Network? Service? Storage device? Is it hard to create steal/crack a temporary network connection for troubleshooting purposes. In order to have password and impersonate one of your users? Is your network settings become permanent, you need system vulnerable to edit and save off-the settings changes -shelf attacks? Keep those questions in a file.For the IP address, subnet mask, default gatewayback of your mind, and DNS server you edit that file is contained in as a directory called '''network-scripts'''.minimum follow the following guidelines:
* Set a good password for your AWS account, and don't use that password for ''Perform 'any''' resources inside AWS. Your AWS account password is like a super-root password. It gives you full access not only to a specific machine, but to all machines, networks, storage devices, and billing. You can end up running someone else's botnet, and paying for it too.* Possibly the following stepsmost common attack on a Linux machine is the brute-force SSH login attack. It takes very little setup to mitigate almost all these attacks:** Delete all default usernames, except root which you can't delete.** Make sure that root is never allowed to log in remotely.** Whenever possible:don't use passwords at all, use SSH keys for logging in. You've learned how to use them in OPS245.* Learn how to use sudo and how to configure it.* Get in the habit of organising your SSH keys so you don't accidentally lose them.
# Change to the ''network-scripts'' directory (see your ''OPS335''/''OPS235''Remember that unlike ULI101/''ULI101'' notes).# The name of the file that contains OPS245 your persistent network settings has servers are on the following name formatreal internet, and depending on how you configure them:<br>'''ifcfg-''interfacename'''''# Which file-name in your network-scripts directory do you think contains your current network settings?# View they might be accessible by any attacker on the contents of the file planet. You need to pay much more attention to see if it contains the IP address, subnet mask, and default gatewaysecurity in this course than was required in ULI101/OPS245.# What is the MAC address if your current machine?# Does this file contain the hostname of your machine? If not, what command can allow you to change your machine's hostname?
= First AWS VM =
Except for your host We're going to set up a virtual machine, all in AWS now so you can start to get used to the Virtual Machines in process. You'll be repeating this several times during the course will have '''static network configuration''' (as opposed , try to Automatic or DHCP). Sometimes, learn a little more about it each time you will be required to debug networking problems quickly by changing the network configuration of your VMsdo it.
== Security group ops345first ==
<ol><li value="7">Edit the A '''ifcfg-security group''interfacename''''' (most likely ifcfg-eth0) file for each of your VMs to use is a static IP address (refer to previous OPS235 lab on networking: [ [https://wiki.cdot.senecacollege.ca/wiki/OPS235_Lab_6#Part_3:_Configuring_VM_Network_Setup_via_Command_Line_.28centos3_and_centos2fundamental concept in AWS.29 Network Config - CLI] ].<br> You should be configuring the BOOTPROTO ('''static''' instead of dhcp), IPADDR, PREFIX (or NETMASK), GATEWAY, HWADDR, and DNS1 for this file. Note the following information for this setup:<ul><li>Set your IPADDR for each VM with the following rules:<ol type="a"><li>Your IPADDRIt's third octet will use the last 2 digits in your student number.</li><li> Make certain that the 4th octet for your VMs does not start with '''1''' since that completely clear what it is reserved by your host machine.<br>Use the recommended fourth octets: '''2 for vm1''', '''3 for vm2''', and '''4 for vm3'''.</li></ol></li><li>Don't forget to set the default gateway and DNS server for your VMs. You can use your hostThe closest thing you would have seen that's IP address as similar is a gateway and DNS server<br>(''libvirt'' will proxy the requests to the real DNS server)set of iptables rules.</li><li> You can refer to your previous lab to obtain information for setup of these options: [ [https://wiki.cdot.senecacollege.ca/wiki/OPS335_Installation_Lab#Configuring_a_VM_host Configuring a VM Host] ]<br><br></li></ul><li>Make note of assign the files used and entries required and note them in your lab log-book.</li><li>Save your editing session, and then restart each VM and run the following command to ensure they still have the network configuration you security group (this set:<ul><li>'''ping''' (what is the purpose of this command?rules). Try to ping google from your host machine.<br>Try to ping google from each of your VM's to ensure you can reach the outside world.</li><li>'''ssh''' (into another server, like Matrix) </li></ul></li><li>After setting the network configuration for EACH VM, then either the the ifdown and ifup commands one or reboot each VM, to verify that you can connect to the Internet with the new static IP network configuration. If you cannot connect to the Internet, then check the network configuration file and make corrections until you have a workable network connection for each VM from boot-upmore virtual machines.</ol>
A security group with no rules does not allow any traffic to pass through.
If you are uncertain how * Create a new security group "ops345first" with only the SSH port open to perform those above-listed operations by member, take time to practice themthe world in the incoming rules.If everything works and you are comfortable Familiarize yourself with these operations then the interface. You'll use this security group for your first VM you may proceed to the next section'll soon create.
=== Linux Network Connection Configuration Troubleshooting ===[[File:AWSCreateSecurityGroup.png|800px|border|center]]
If the network works in your host, but not in your Virtual Machine, you should perform the following routine steps to troubleshoot the network connection:== Create ops435-first VM ==
# In AWS language an '''IS THE NETWORK ON VM PLUGGED IN?instance''' On a physical network you would check whether the cable is plugged in and the link light is on on your network card. In a virtual network environment, what you don't have ve called a physical network adapter. Instead, you will need to check the NIC settings in the <u>'''virtualmachine'''</u> machine details to view and confirm the appropriate network connectionin OPS245.# An '''IS THE NETWORK ENABLED?AMI''' This is a problem more common with virtual networks than physical networks. Check in:<br> '''VirtManager'''-> '''ConnectionDetails'''pre-> '''VirtualNetworks''' that your network is active.# '''DO YOU HAVE AN IP ADDRESS?''' Run '''ip address''' to check.# '''CAN YOU PING THE HOST BY IP?built disk image''' (by its internal IP address). If not - check all of the above, check if you have an IP address conflictoperating system, and check that your subnet mask is correct.# '''CAN YOU PING 8.8.8.8?''' If all of the above work - check that your default gateway is set correctly with '''ip route''' and provided so that you can ping the default gateway.# don'''CAN YOU RESOLVE googlet need to install an operating system from scratch.ca?''' Run '''host google.ca'''. If The AMIs are typically provided by Amazon or the output doesn't provide an IP address, check that your DNS server is configured correctly and that you can ping that addressAWS community.
There are a number of other problems that could prevent An AMI is only the initial disk image your VM will start with. As soon as the VM is booted for the first time: your network connection disk image will begin to deviate from functioning but the above are original. That means for example that you have to keep up with security updates on it even though the AMI you used had all the most common problemssecurity updates installed when you used it to bootstrap your instance.
==== Run Script to Break Network Connection for Troubleshooting ====With an AWS Academy account you can see what AMIs are available on AWS, but your selection is severely limited. We'll only be using the '''Amazon Linux''' AMI. You'll find it quite familiar as it was originally based on CentOS.
You will now download, set execute permissions and run * To create a Bash shell script new virtual machine you need to try go to "breakInstances" and click "Launch Instances" the network connection for your vm1. This will provide troubleshooting practice to check your network configuration file, look and correct errors and restart your network interface connectionAn unfortunate choice of words by Amazon. It sounds like that button should start an existing instance. It should have been called "Create Instance".
The first time you go through this process try to concentrate on not getting overwhelmed by the available options and the unintelligible AWS lingo. You'll have lots of opportunities to better understand the available options.
Perform * Select the Following Steps"Amazon Linux 2 AMI (HVM), SSD" AMI.* Don't use the "Review and Launch" button instead go through each of the 7 steps.* Leave the t2.micro default checked and click Next.* Leave all the defaults under '''Instance Details'''.* Don't change the storage configuration under '''Add Storage'''* Don't add any tags under '''Add Tags'''.* At the '''Configure Security Group''' step:select the security group "ops345first" which you just created.
#Move to After you review your '''vm1''' machine configuration and make certain that click "Launch" a popup will come up asking you are logged in as '''root'for a key pair. It's important for you to understand what it's asking for.#Make certain that the '''wget''' command It is available on your VM. If not, install the wget application. Make certain to do for ALL same type of your VMs.#Use the '''wgetSSH key pair that you''' command (with option "--no-check-certificate" ) to download ve created and run used in the following shell script:<br>http://scs[[OPS245 Lab 7]].senecacollege.ca/~murray.saul/ops335/break-network.bash#When you have run Remember that shell scriptyour private key is yours, it should automatically restart your vm1's private to you, and not for anyone else to see.#Login AWS is asking you to your vm1.#Use give them the public key which is the pair of the commands taught private key which you wish to use to log in this lab to confirm if your network connection is brokennew VM.#Carefully check In this case your configuration to see if there private key is a change to your settings#Try to temporarily connect to the Internet#Edit your network settings file to make effective equivalent of the changes permanent#Test your connectivity (including after a reboot of your vm1)root password.
'''Note:''' You should be able to go through that troubleshooting process pretty quickly. Setting up the network in this course is never * Create a primary tasknew RSA key pair named ops345-first-key, but and download it's almost always a prerequisite for anything else we're going to doas ops345-first-key. You can't have a working web server (or any other kind of server) if you don't have pem on your workstation under a working network connection.new directory ~/ops345/keys/ssh/
Yes, that means AWS generated your private key and theoreticaly they could keep it, but they promise that they don't and that's almost certainly true. Once you donwload the private key and click "Launch Instances" - the only way to log into your new virtual machine is using the private key you saved. AWS does not provide the equivalent option of "reset your password" for instances that were already created.
'''Record steps, commands, and your observations in INVESTIGATION 1 in your OPS335 lab log-book'''[[File:AWSFirstInstanceCreated.png|800px|border|center]]
== INVESTIGATION 2* After your instance is created: Configuring SSH ==you will see it listed under "Instances". Set its name to "ops435-first". Get used to naming things in AWS because otherwise you'll have a hard time distinguishing your instances from each other, unless you're unusually good at remembering long random strings of characters.
The default (and often the only way) to administer a Linux server is via SSH. Even if you work in a graphical Linux environment, it is very useful to open a terminal and use SSH to monitor and manage == Explore your VMs (you can resize the terminal window). Using SSH to connect to remote servers on a network helps to protect your Linux machine from being penetrated. You can also generate a private and public encryption key for the root user, and copy that public key from your host to your VMs in order to allow certain backup programs to run via a scheduling daemon (called cron) without having to be required to enter the password for the remote machine. You will be doing those operations later in this lab.new VM ==
=== Managing Services ===You're not going to find a button in the AWS to "view the screen" of your virtual machine. The only way to control it is via an SSH connection.
The SSH server should already be installed Look at your ops435-first instance details and running in your VMsfind its automatically-assigned public IP address. If Connect to it's not installedwith SSH. Note that you need to user your private key to connect, you can install and since it doesn'''openssh-server''' using yum.It t have a default name nor is essential it in the default location for CNS/CTY students to become comfortable managing services since SSH keys: you will need to constantly stop services, change their configuration, and start them for specify the configuration changes path to take effect in nearly every topic this semester, and for other courses involving Linux network managementit manually.
The default username on Amazon Linux is '''ec2-user'''.
'''Perform the following steps[[File:'''AWSFirstSSH.png|800px|border|center]]
# Note the following [http://zenit.senecac.onYou have at least one semester's worth of experience of CentOS, so look around to see if anything looks different from what you're used to.ca/wiki/index.php/Init_vs_systemd#systemd_Command_Usage systemctl] commands (refer to man pages or the Internet) and become comfortable using themFor example:
* Many packages not installed by default in the Minimal installation of CentOS (e.g. net-tools) ''are'' installed by default in Amazon Linux. I like to also install telnet and nmap.** Note that Amazon Linux has its own package repositories::* '''systemctl list-units --all/etc/yum.repos.d/''', but the yum/rpm commands work the same as in CentOS.* The systemctl command to control your services works the same way as in CentOS.* Note neither iptables nor any other firewall is installed by default. It is in CentOS.::* You user information files ('''systemctl start/stopetc/passwd''', '''/etc/shadow'''::* , '''systemctl enable/disableetc/group''') are used in a completely standard way.::* Have a look at the output of '''systemctl statusnetstat -atnp''' and '''netstat -aunp'''to see what ports services are listening on in a default installation.
<ol><li value="2">Launch your It's not completely clear what Amazon's policies are for supporting Amazon Linux. From people'vm2''' machine, login s experience it appears to the machinebe quite stable, and open but as a shell terminal.</li><li>Use one of the commands above rolling release you might not want to check the status of your SSH server (idepend on it for production use.e. service: For our learning purposes it''sshd'')s plenty stable and consistent.</li><li>Issue one of the above commands to stop of the ssh server and run a command to verify that the ssh server One nice thing about Amazon Linux is no longer running.</li><li>Issue another one of the above commands to start the SSH server and to verify that it is running.<not linked to RedHat/li><li>Issue a command to confirm that the ssh service will run upon when the vm2 server restarts (iIBM support cycles and policies which have changed significantly after IBM's acquisition of RedHat.e. "enabled").</li></ol>
===Configuring Change the SSH Service=default username ==
A common (For security purposes we're going to remove the default ec2-user. That would be simple if somewhat blatant) way to try to hack into a you were sitting in front of the machine is , but since you can only connect to try to ssh it via SSH and the only user you can SSH as '''root''' and bruteis ec2-force root's passworduser: it takes some extra work. The root user always exists, meaning the attacker doesnYou't need re going to try guessing what user names are on your system. If they can get access to root, they can do anything. To prevent thisfor every machine you create in OPS345, we will edit so get used to the configuration file for the ssh service to prevent root from sshsteps. It'ing into your host machine.s good practice:
* Use the useradd command to create a new user. To make your life easier: set the username to be the same as your myseneca username, with the same capitalization.
You do not need to set a password for this user. Passwords can be guessed using a brute-force attack. SSH keys are practically immune to such attacks.
* Make sure your new user can run sudo without a password, same as ec2-user. Create '''/etc/sudoers.d/10-ops345-users''' with these contents:
<pre>yoursenecaid ALL=(ALL) NOPASSWD:ALL</pre>
* Allow your new user to log in using the SSH key you already have. You could create a new key pair instead, but you don't have to. Remember that your username is not asmith15:
'''Perform the following steps[[File:'''AWSCopySSHKey.png|border|center]]
#Login to your Centos '''host''' machine for the following steps.#Use the more command to display '''/etc/ssh/sshd_config''' on your host. This file contains the configuration parameters for the * Confirm ssh service.#Take a few moments to view this file. Lines that begin with # are comments. Either simple explanations of parameters, or parameters that have not been set.#Open the man page for '''sshd_config'''. This lists all the possible parameters in alphabetical order along with a brief explanation of what each one does. The parameter we are looking for is '''PermitRootLogin''', read its description.#Use a text editor to edit the file '''/etc/ssh/sshd_config''', and find the line that has '''PermitRootLogin'''. By default it is set to yes, allowing the root user to ssh in to the machine.# Uncomment '''PermitRootLogin''', and change the value to '''no'''.#Try to use ssh from one of your VMs to log into your host VM as root. What happened?yoursenecaid and successfully sudo su -#This is because (for most services) the * ''After you'changes re sure that you make to the configuration file will not take effect until the service restartscan'''.#Restart : delete ec2-user including the sshd service on your host and try to ssh in againhome directory. Now it should prevent you.#The option '''PermitRootLogin''' for '''all of your VMs''' for both labs and assignments MUST be set to '''yes'''. The reason for this is that you have created a virtual network, so you have protected Use the host from root login, so you don't have to do the same for your VMs. Also, by allowing root login for your VM's will allow you to automatically backup your VMs to your host machine (via a crontab entry) without being prompted for a root password for each VMuserdel command.
'''Note:''' Configuration files for most services follow a very similar format. Some use an = between = Set the parameter and its value, some require you to group certain parameters together, and most use # to be a comment. You will get lots of experience working with the configuration files for services in this course.hostname ==
=== SSH Key Concepts===For reasons that are hard to explain quickly the hostname on your AWS VM is not static by default, but we'll make it static so it's more familiar to you.
After performing lab7 * Update the hostname to '''first.yoursenecaid.ops345.ca''' and make sure it doesn't get reset when your VM reboots. Follow the relevant parts in OPS235, you should have a basic understanding of ssh and publichttps://docs.aws.amazon.com/AWSEC2/latest/UserGuide/private key cryptography to create secure connections between serversset-hostname.<br>htmlThe public key can be * Also change the instance "Name" in the EC2 management console to "sharedfirst" with other server accounts, and can be . This is not necessarily the same as the hostname. It's the equivalent of the VM's name you've used in conjunction with your private key Vmware in order to help encrypt/de-crypt dataOPS245.
The diagram below is shared from [http[File://sebastienAWSSetHostname.saunier.me/blog/2015/05/10/github-public-key-authentication.html Sébastien Saunier's blogpng|800px|border|center]].It demonstrates how SSH key authentication works. It's not a complete diagram, but it helps see all the parts of ssh key authentication in one place.
[[Image:ssh_connection_explained.png|thumb|center|600px|A diagram explaining how public / Private keys = Submit evidence of your work. Another term to represent this process is called '''PKI''' (Public/Private Key Infrastructure) ]]<br />Put this book on your "must-read" list. You can borrow a copy from the Toronto Public Library. I have yet to see a better introduction to encryption. It's not a reqirement for OPS335 - but if you want to not be clueless about security fundamentals online - read that book and understand it.=
[[Image:cryptoFor this lab, please submit screenshots that show you've completed the work, unless your professor has given you different instructions.jpeg|center|"crypto" by Steven Levy]]
=== Generating a Public/Private Key Pair & Sharing the Public Key === The public/private key pair needs to be generated on and used on your '''host''' machine (i.e. the user/machine you're connecting '''from'''). The private key is the equivalent of a <u>''password''</u> (that is why it is considered to be <u>''private''</u> - only to be used by ''<u>one</u>'' owner). That is why the private key is stored in the owner's '''~/.ssh/''' directory. One very common mistake that students make is to either generate the key pair for the wrong account, or copy the public key to the wrong account on the intended remote machine. '''Perform the following Steps:''' # Make certain you are in your '''host''' machine.# You will be creating a '''key-pair on your host machine with no password''' (i.e. when generating keypair press enter for all prompts including the password).#Make certain you are logged on as '''root''' on your host machine.# Generate the key-pair by issuing the command:<br><source>ssh-keygen -t rsa</source> '''NOTE:''' When issuing this command, you will end up with the files: '''~/.ssh/id_rsa''' and '''~/.ssh/id_rsa.pub''' (private and public keys). So far, this topic is generally a repeat of OPS235 lab7. What you may '''<u>not</u>''' know is that by using a '''"trick"''' (the ''magic'' of public key cryptography), you can SSH to a Linux machine without using a password! Learning to perform this trick is <u>'''essential'''</u> in this course and in the industry in general. SSH keys are used everywhere that Linux servers are used. If you have the private key, you can prove to someone who has your public key that you are indeed the '''actual owner of that public key'''. That is how ssh key authentication works. You are then only required to transfer your public key to a remote server. <ol><li value="5">You are going to share the public key from the '''root user in your host machine''' with the '''root user of your vm1 machine'''.</li><li>Copy the contents of your '''~/.ssh/id_rsa.pub''' from your host machine and append to '''~/.ssh/authorized_keys''' on each of your Virtual Machines. In your case, you will issue the following command 3 times (for each vm IPADDR):<br><source>ssh-copy-id -i ~/.ssh/id_rsa.pub root@IPADDR_for_vm</source>'''NOTE:''' Press ENTER for all prompted information including the password (although this may seen counter-intuitive!).<br><br></li><li>Use the ssh command to test each ssh connection between your host and each virtual machine that you can connect to the VMs without having to use a password. This is essential to create backups from VMs to your hostmachine without being prompted for password.</li></ol> {{Admon/important|Errors in Copying Public Key from Host to VM|If you experience an error when copying the public key from your hostmachine to your VM, it is most likely caused from not permitting root login that you performed in the previous section. Set to allow login from root for each vm, restart your sshd service and then re-run the above command.}} After you perform either of those operations, you can then ssh into a remote vm without a password. '''NOTE:''' Always remember that these keys are '''per-user, <u>not</u> per machine'''. This means that sharing a user's public key will only work for that specific user. == INVESTIGATION 3: PERFORMING & AUTOMATING BACKUPS == Data backups are considered to be an insurance policy. Running backup can be tedious, but they MUST be performed in an accurate and consistent basis, since loss of data can be expensive (For example: cost of hiring staff to re-enter data). When performing labs or assignments in this class, if you fail to make backups and something bad occurs and there is loss of data, it only affects you. On the other hand, if you are supporting a client, or working for a company and fail to adequately perform backups and there is loss of data, then other users are affected by failure to backup essential data. === Performing Full Backups === A full backup represents backing up of all of the files of a computer machine (in our case, a VM). A full backup should be performed at the end of each lab or assignment working session. In OPS235, you learned to use the command '''gzip''', '''gunzip''' (plus'''virsh dumpxml''' / '''virsh define''' if backing up to external storage device like a usb key) to backup your virtual machines. We will use the same method to perform a full backup for these labs and assignments. '''Perform the following steps:''' #Make certain that your virtual machines are NOT running.#Make certain that you are logged in as '''root''' user on your host machine.#Refer to OPS235 lab2 on backing up your VMs using the '''gzip''' command [https://wiki.cdot.senecacollege.ca/wiki/OPS235_Lab_2_-_CentOS7_-_HD2#Part_1[Category:_Backing_Up_Virtual_Machines OPS235 Lab2 - Backing up VMs]#Make certain that you have performed a full backup for '''vm1''', '''vm2''', and '''vm3'''. It is recommended to create a Bash shell script to automate the backing up of ALL your VMs in sequence. You can do this by running a for loop using a list for vm1, vm2, and vm3 image file pathnames. <ol><li value="5">Create the sub-directory '''/root/bin/'''</li><li>You should know how to create full backups of your VMs in your OPS235 course. Create a Bash shell script called:<br>'''/root/bin/fullbackup.bash''' that will backup all of your other vms (i.e. vm1, vm2, and vm3) one at a time using the '''gzip''' command to your host machine into the directory path-name: '''/backup/full/'''</li><li>Set execute permissions, and run the shell script to verify that you shell script works.</li><li>It is also recommended to backup to your USB key as well (qcow2 images and xml config files).</li></ol> It will be your responsibility as an administrator of your own Linux system, to backup all of your VMs for labs and assignments at the end of your lab session. Learning to create shell scripts to automate routine tasks (such as backups) will be EXTREMELY useful for your NDD430 course. === Performing Incremental Backups === An incremental backup is a backup of only files that have changed since the last backup. In your case, it may be a good idea to perform incremental backups of your '''/etc/''' directory for your VMs upon startup. We will be using the '''rsync''' command to perform incremental backups for all of your VMs. '''Rsync''' is a very versatile backup tool. As the name suggests, rsync is used for <u>synchronizing</u> files typically across a network. It works over the '''SSH''' protocol, which is useful in our situation since we are running ssh on our server and VMs. You are going to use your ''host machine'' to backup files from the ''virtual machines''. '''Perform the following steps:''' {{Admon/important|Rsync Needs to be Installed on ALL VMs |Since you select minimum install on your VMs, the rsync command was not installed by default. You need the rsync command to be available on your host machine and all of your VMs. Make certain that the '''rsync''' command is installed on all your vms. }} # Make certain that your '''vm1''' machine is running.# Make certain that you are logged in as '''root''' user on your host machine.# On your '''host machine''', run the following commands: <source>mkdir -p /backup/incremental/vm1rsync -avz 192.168.x.x:/etc /backup/incremental/vm1/ # where 192.168.x.x is the IPADDR of your vm1</source> '''NOTE:''' This command will '''NOT''' work if '''permit root access is denied for your VMs''' for your sshd service configuration, so keep it off for now... <ol><li value="4">If rsync prompts for a password, make certain that you completed the '''SSH key''' section above, and that you assigned the keys for the <u>appropriate user</u><br>(in this case, for the '''root user for both the hostname and vm1'''!)</li><li>When the rsync command runs correctly, you should see all the files from vm1 being copied over to your host machine.</li><li>Run the rsync command again. Notice that the second time nothing is copied over to your host machine since none of the files have changed on your vm1 machine.</li><li>Create a new file in vm1's '''/etc/''' directory, and rerun '''rsync'''. Confirm on your '''host machine''' that only that file that was created on your vm1 machine actually got backed up to your host machine.</li><li>Repeat the above steps to create backups for your '''vm2''' and '''vm3''' machines on your host machine as well (for the respective directories: '''/backup/incremental/vm2''' and '''/backup/incremental/vm3''').</li></ol> === Automating Backups (cron) === Since your host machine and VMs are '''not continuously running''', '''you are not required to schedule to perform your FULL BACKUPS periodically''' (eg. every week at 2:00 AM). Instead, it will be YOUR responsibility to run your full backup script when you complete each of your OPS335 labs, or when you finish your OPS335 assignment working session. On the other hand, '''you will use cron to perform incremental backups''' (eg. copy updated files from the VMs/ /etc/ directory) '''Cron''' is a ''daemon'' (i.e. a program that runs in the background). The term ''"Cron"'' is short for '''Chronograph''' which was an old fashioned term for a '''stop watch''' or '''timer'''. The role of '''Cron''' is to run tasks periodically. It can run tasks for the system (as root) or for a user (including regular users). Every user has a crontab (Cron Table) which is a list of tasks they want to run periodically. You do not edit this file manually: instead, you edit this table using the command '''crontab -e'''. Once you run the command, you will get an empty file where you have to insert a line like this: '''Perform the following steps:''' # Refer to the following WIKI to learn how to use cron: [[crontab tutorialOSL840]]# In your host machine as root, modify the setting so it will run that echo command every minute by creating a crontab (via '''crontab -e''') entry with the following line:<br><source>* * * * * echo "Cron ran this job at: "`date` >> /tmp/cron.log</source># Save and exit your crontab edit session.# Wait for one minute to pass, and check the '''/tmp/cron.log''' file to see if it was created with the expected contents.<br>(You can also check '''/var/log/cron''' file to see what jobs were run).# Perform a Net-search to see how to configure that crontab entry to run every two minutes instead of every minute.# Edit your crontab entry to run same command every two minutes, save and exit, and then confirm by viewing '''/tmp/cron.log''' and '''/var/log/cron''' files.# Perform a Net-search to see how to run a cron for a command for every hour.# Edit your crontab to '''make automatic backups using the rsync command''' of the '''/etc''' directory from '''vm1''', '''vm2''', and '''vm3''' into '''/backup/incremental/vm1''', '''/backup/incremental/vm2''', and '''/backup/incremental/vm3''' every hour and overwrite the previous backup. {{Admon/important |Backup your VMs!|You MUST perform a '''full backup''' of ALL of your VMs whenever you complete your '''OPS335 labs''' or when working on your '''OPS335 assignments'''. You should be using the gzip command, and you should use the Bash shell script that you were adviced to create in order to backup all of your VMs.}} '''Record steps, commands, and your observations in INVESTIGATION 2 in your OPS335 lab log-book''' == COMPLETING THE LAB == ===Online Submission=== Follow the instructions for lab 1 on blackboard. <!--===Andrew's sections=== You may choose to:* Submit screenshots of your work on Blackboard, in which case you don't need to come to the lab.* Or come to the lab, show me your work, and talk to me about it. I want to hear what you've learned and answer any questions you have. You'll get the same grade regardless of how you choose to submit your work. Expected results of this lab are: ::<span style="color:green;font-size:1.5em;">✓</span> Each of your VMs should now boot to a command prompt (no graphical interface), and should be using a static IP address.::<span style="color:green;font-size:1.5em;">✓</span> Each of your VMs should have a working network connection and a static IP address.::<span style="color:green;font-size:1.5em;">✓</span> Each of your VMs should have an SSH server running.::<span style="color:green;font-size:1.5em;">✓</span> should be able to ssh from your host to each VM as the root user without a password.::<span style="color:green;font-size:1.5em;">✓</span> Display contents of backup script called: '''/root/bin/fullbackup.bash'''::<span style="color:green;font-size:1.5em;">✓</span> Full and incremental backups of your 3 VMs.::<span style="color:green;font-size:1.5em;">✓</span> You have notes in your lab-book about what you've learned in this lab.::<span style="color:green;font-size:1.5em;">✓</span> Run a shell script : http://matrix.senecac.on.ca/~murray.saul/ops335/labcheck_network_backup.sh--> == EXPLORATION QUESTIONS == # Explain the major different between the '''ip''' and '''ifconfig''' commands.# List the steps to create a '''temporary static IP network connection''' for your vm1 machine to connect to your host machine.# List the steps to create a '''persistent static IP network connection''' for your vm1 machine to connect to your host machine.# List at least '''3 trouble-shooting techniques''' to check or verify a network connection from a vm to a host machine.# List at least '''5 reasons''' (from networking trouble-shooting) that can break a network connection.# List the tools (commands) how to configure / stop / start the ssh service.# Explain why it is important to know how to manage network services if you intend to configure ("tweak") the service.# Briefly explain the purpose of the '''tar''', '''cpio''', '''dump''', '''restore''' commands.# Explain how the '''rsync''' command differs from the ''tar'', ''cpio'', ''dump'', and ''restore'' commands.# List the steps to create a '''crontab''' entry to run the program '''/bin/clean-out.bash''' every half day.# What is the purpose of using '''crontabs''' for backing up your virtual machines' data to your host machine?