Changes

← Older edit

OPS435 Python3 Lab 8

3,164 bytes removed, 19:00, 4 July 2020

no edit summary

: On matrix, cd to your lab8 directory and create a simple fabric script file named '''fabfile.py''' (this is the default filename used by the fab command when you invoke it without the '-f' optino):

== PART 1: ~~Simplest~~ Non-privileged task example =====~~Creating~~ Create non-privileged tasks: Getting the hostname of remote machines===

: Add the following contents to the default fabric script called "fabfile.py" in your lab8 directory:<source lang="python">

from fabric.api import *

:You should get used to the above messages from the '''fab''' command. It's a lot of output but it's important to understand where every part is coming from, so you are able to debug problems when they happen.

==PART 2: Privileged Tasks Examples =~~Creating~~ ====Creat privileged tasks: install and remove rpm package on remote machines===

: Add the following two new functions to the end of the fabric script "fabfile.py" in your lab8 directory:<source lang='bash'>

[raymond.chan@mtrx-node05pd lab8]$

</source>

: If you only need to connect to the same remote machine, you can specify the host and port number in the fabfile.py to save some typing when executing the fab command. Add the following two lines after the env.user line in your fabfile.py:<source lang='bash'>

env.port = '7200' # <-- please replace with the actual value of your VM's port number

env.hosts =['myvmlab.senecacollege.ca']

</source>

: You can also store the user's password in this file so that it will respond to the "sudo password" prompt for sudo() call. It is not safe to do so as you can configure the sudo module on the remote machine not to ask for sudo password.

: Now you can run the fab command without the "--host" and "--port" option.

: Run the following two fab commands, note the results and compare their difference:<source lang='bash'>

fab installPackage

</source>

== Part 2: ~~Set up more administrative tasks==~~ ~~:Let's pretend that we need collect the disk usage on several machines so that we can plan~~ Create remote task for ~~storage maintenance. We'll set up a simple example of such a deployment here.~~ ~~=== Getting the disk usage on remote worker =~~updating rpm packages == :Add a ~~getDiskUsage()~~ new function called "updatePackage" to your fabfile.py ~~file~~according to the following requirements::* Accept optional function argument as the rpm package name:~~<source lang="python">#~~ * If no function argument was given when called, default to ~~get~~ all the ~~disk usage on remote worker~~packages installed~~def getDiskUsage()~~: The output of the updatePackage when executed, should produce similar output as shown below: ~~current_time~~ :1. Update a single package:<source lang= ~~run(~~'~~date~~bash')> ~~diskusage = run('df -H')~~ ~~header = 'Current Disk Usage at '+current_time~~ ~~print(header)~~ ~~print(diskusage)~~fab updatePackage:tree

</source>

: Sample output:<source lang='bash'>

[raymond.chan@mtrx-node05pd lab8]$ fab updatePackage:tree

[myvmlab.senecacollege.ca] Executing task 'updatePackage'

[myvmlab.senecacollege.ca] sudo: yum update tree -y

[myvmlab.senecacollege.ca] out: sudo password:

[myvmlab.senecacollege.ca] out: Loaded plugins: fastestmirror

[myvmlab.senecacollege.ca] out: Loading mirror speeds from cached hostfile

[myvmlab.senecacollege.ca] out: * base: less.cogeco.net

[myvmlab.senecacollege.ca] out: * extras: centos.mirror.ca.planethoster.net

[myvmlab.senecacollege.ca] out: * updates: less.cogeco.net

[myvmlab.senecacollege.ca] out: No packages marked for update

[myvmlab.senecacollege.ca] out:

Loaded plugins:Note that each call to "run()" will run a command on the worker. In this function we get the date/time of the remote work, and then get the disk usage. The print() function print out both the values returned. ~~:If you try to run it the same way as before:~~ ~~<pre>$ fab --fabfile=fabfile.py -H 192.168.122.169 getDiskUsage</pre>~~ ~~:You should get the following output:<source lang="bash">~~fastestmirror~~[rchan@centos7 lab8]$ fab --fabfile=fabfile.py -H 192.168.122.169 getDiskUsage~~Loading mirror speeds from cached hostfile~~[192.168.122.169] Executing task 'getDiskUsage'[192.168.122.169] run: date[192.168.122.169] out: Sun Nov 10 13:17:16 EST 2019[192.168.122.169] out:~~ ~~[192.168.122.169] run: df -H[192.168.122.169] out: Filesystem Size Used Avail Use% Mounted on[192.168.122.169] out: devtmpfs 947M 0~~ ~~947M 0% /dev[192.168.122.169] out~~* base: ~~tmpfs 964M 0 964M 0% /dev/shm[192.168.122~~less.~~169] out: tmpfs 964M 9~~cogeco.~~7M 954M 2% /run~~net~~[192.168.122.169] out: tmpfs 964M 0~~ ~~964M 0% /sys/fs/cgroup[192.168.122.169] out~~* extras: ~~/dev/mapper/~~centos~~-root 7.7G 5.6G 2.1G 73% /[192~~.~~168~~mirror.~~122~~ca.~~169] out: /dev/vda1 1~~planethoster.~~1G 298M 766M 29% /boot~~net~~[192.168.122.169] out: tmpfs 193M 17k~~ ~~193M 1% /run/user/42[192.168.122.169] out~~* updates: ~~tmpfs 193M 0 193M 0% /run/user/1000[192.168~~less.~~122~~cogeco.~~169] out:~~ net ~~Current Disk Usage at Sun Nov 10 13:17:16 EST 2019Filesystem Size Used Avail Use% Mounted ondevtmpfs 947M 0 947M 0% /devtmpfs 964M 0 964M 0% /dev/shmtmpfs 964M 9.7M 954M 2% /runtmpfs 964M 0 964M 0% /sys/fs/cgroup/dev/mapper/centos-root 7.7G 5.6G 2.1G 73% //dev/vda1 1.1G 298M 766M 29% /boottmpfs 193M 17k 193M 1% /run/user/42tmpfs 193M 0 193M 0% /run/user/1000~~No packages marked for update

Done.

Disconnecting from ~~192~~myvmlab.~~168~~senecacollege.~~122~~ca:7200.~~169~~..done. ~~done~~[raymond.chan@mtrx-node05pd lab8]$

</source>

~~===~~ :2. Update all ~~the rpm packages on remote worker ===:Let's pretend that we need to update software packages~~ installed ~~on several machines due to security patches. Let's name the task as 'performSoftwareUpdate()'~~package:<source lang=~~"python"~~'bash'>~~# to perform software update on remote workerdef performSoftwareUpdate()~~fab updatePackage: ~~status = run('yum update -y')~~ ~~print(status)~~

</source>

: ~~Do a syntax check with~~ The following output had been trimmed, only showing the ~~"fab -l" command.: When you try to run it the same way as before, you encounter some issue as shown below~~first few lines:<source lang="'bash"'>[~~rchan@centos7 lab8]$ fab --fabfile=fabfile.py -H 192.168.122.169 performSoftwareUpdate[192.168~~myvmlab.~~122~~senecacollege.~~169~~ca] Executing task '~~performSoftwareUpdate~~updatePackage'[~~192.168~~myvmlab.~~122~~senecacollege.~~169~~ca] ~~run~~sudo: yum update -y[~~192~~myvmlab.~~168~~senecacollege.~~122~~ca] out: sudo password:[myvmlab.~~169~~senecacollege.ca] out: Loaded plugins: fastestmirror~~, langpacks~~[~~192~~myvmlab.senecacollege.~~168~~ca] out: Loading mirror speeds from cached hostfile[myvmlab.~~122~~senecacollege.~~169~~ca] out: ~~You need to be root to perform this command~~ * base: less.cogeco.net[~~192~~myvmlab.~~168~~senecacollege.~~122~~ca] out: * extras: centos.~~169~~mirror.ca.planethoster.net[myvmlab.senecacollege.ca] out: * updates: less.cogeco.net...

~~Fatal error~~ Verifying : ~~run() received nonzero return code 1 while executing!~~systemd-219-73.el7_8.5.x86_64 53/54 Verifying : systemd-libs-219-73.el7_8.5.x86_64 54/54

~~Requested~~Removed: ~~yum update -yExecuted~~ kernel.x86_64 0: ~~/bin/bash -l -c "yum update~~ 3.10.0-y"862.el7

~~Aborting.~~Installed:~~Disconnecting from 192.168.122~~ kernel.~~169... done.</source>~~x86_64 0: ~~As you already know, you need superuser privilege in order to perform software update on a Linux system~~3. ~~There are two ways to do it on Fabric~~10. ~~The first one is simple~~0-1127. ~~Edit you fabfile~~13.~~py and change the env~~1.~~user line as shown below:<source lang="python">~~el7

~~env~~Updated: bind-export-libs.~~user = 'root'~~x86_64 32:9.11.4-16.P2.el7_8.6 binutils.x86_64 0:2.27-43.base.el7_8.1 ca-certificates.noarch 0:2020.2.41-70.0.el7_8 device-mapper.x86_64 7:1.02.164-7.el7_8.2 device-mapper-event.x86_64 7:1.02.164-7.el7_8.2 device-mapper-event-libs.x86_64 7:1.02.164-7.el7_8.2 device-mapper-libs.x86_64 7:1.02.164-7.el7_8.2 kernel-tools.x86_64 0:3.10.0-1127.13.1.el7 kernel-tools-libs.x86_64 0:3.10.0-1127.13.1.el7 lvm2.x86_64 7:2.02.186-7.el7_8.2 lvm2-libs.x86_64 7:2.02.186-7.el7_8.2 microcode_ctl.x86_64 2:2.1-61.10.el7_8 net-snmp.x86_64 1:5.7.2-48.el7_8.1 net-snmp-agent-libs.x86_64 1:5.7.2-48.el7_8.1 net-snmp-libs.x86_64 1:5.7.2-48.el7_8.1 net-snmp-utils.x86_64 1:5.7.2-48.el7_8.1 ntp.x86_64 0:4.2.6p5-29.el7.centos.2 ntpdate.x86_64 0:4.2.6p5-29.el7.centos.2 python-perf.x86_64 0:3.10.0-1127.13.1.el7 rsyslog.x86_64 0:8.24.0-52.el7_8.2 selinux-policy.noarch 0:3.13.1-266.el7_8.1 selinux-policy-targeted.noarch 0:3.13.1-266.el7_8.1 systemd.x86_64 0:219-73.el7_8.8 systemd-libs.x86_64 0:219-73.el7_8.8 systemd-sysv.x86_64 0:219-73.el7_8.8 yum-plugin-fastestmirror.noarch 0:1.1.31-54.el7_8

~~</source>: Save the fabfile.py with the change and run it again.: If you see the password prompt again, make sure that you can ssh from your controller as a regular user to your worker vm as root without password.~~: The other way is to replace all the run() function calls for commands that need superuser privilege by the sudo() function calls in your fabfile.py. You are asked to investigate this in the final investigation of this lab.Complete!

~~== Part 3: Setting and Checking Security Configuration ==~~Done.Disconnecting from myvmlab.senecacollege.ca: ~~Recall that in our OPS courses we've been using iptables instead of firewalld, which is installed by default in CentOS~~7200. ~~Let's make sure that our workers have that set up as well~~. ~~In the same '''fabfile~~.~~py''' you've been using all along, add a new function like this:~~done. ~~: <source lang="python"># Will uninstall firewalld and replace it with iptablesdef setupFirewall():~~ ~~run("yum -y -d1 remove firewalld")~~ ~~run("yum~~ [raymond.chan@mtrx-~~y -d1 install iptables-services")~~ ~~run("systemctl enable iptables")~~ ~~run("systemctl start iptables")~~node05pd lab8]$

</source>

~~: That should by now look pretty obvious. On the worker you're going to uninstall firewalld, install iptables, and make sure that the iptables service is running.~~ ~~: Execute the function for worker1 and double-check that it worked.: <font color~~=~~'red'>'''**Warning**''' </font>Do not do this on your vm on myvmlab. If you do, you may lock yourself out for good.~~ ~~=== Check firewall configuration ===~~ Lab Exercise: ~~To check your firewall configuration your remote worker, you can retrieve its current configuration by creating another~~ Create a Fabric task called ~~"getFirewallConfigure~~makeUser()~~. Let's put the following code to your fabfile.py:<source lang~~=~~"python">def getFirewallConfig()~~: ~~fw_config =~~ Study the Fabric API run(~~"iptables -L -n -v"~~) ~~print(fw_config)</source>~~ ~~: Try to run the getFirewallConfig() task the same way as before.: Troubleshoot if you encounter any issue.~~ ~~= INVESTIGATION 3: Multiplying your work =~~ ~~: After completing all the previous parts of the lab - you should have a working fabfile.py with three working functions: getDiskUsage~~, sudo(), ~~performSoftwareUpdate~~and put() and ~~getFirewallConfig().~~ ~~'''** Optional **'''You were asked to test~~ utilize them ~~on worker1. Now let's run these three functions on all your workers at the same time. The command is almost the same, except for the list of IP addresses:~~ ~~<source lang="bash">fab --fabfile=fabfile.py -H 192.168.122.169,192.168.122.170,192.168.122.171,192.168.122.172 getDiskUsage</source>~~ ~~: Again - your IP addresses will be different but the command will be the same.~~ ~~: You can also run all three tasks on all the workers at the same time, by adding any task~~ to ~~your fabfile.py:<source lang="python">def doAllThree():~~ ~~getDiskUsage()~~ ~~getFirewallConfig()~~ ~~performSoftwareUpdate()</source>: And run the following command on your controller:~~ ~~<source lang="bash">fab --fabfile=fabfile.py -H 192.168.122.169,192.168.122.170,192.168.122.171,192.168.122.172 doAllThree</source>~~ ~~And imagine that you might have 10 tasks to be done on 10, 50, 100 servers - could you do it without the automation?~~ ~~= INVESTIGATION 4 - Apply fabfile.py to your VM on myvmlab === Replace run() function calls with sudo() ==: Since your account on your vm on myvmlab is~~ create a ~~regular user with sudo privilege. You need to make the following changes to your fabfile.py before applying it to your vm on myvmlab::* Change env.user from 'root' to your account on your vm in myvmlab.~~:* Change all the commands that need super user privilege from calling the run() function to instead calling the sudo() function. Here is an example on replacing run() with sudo():<source lang="python"> ~~def getFirewallConfig():~~ ~~fw_config = sudo("iptables -L -n -v")~~ ~~print(fw_config)</source>~~ ~~: Test your updated fabfile.py until you get the same result as when you apply it to your own worker VM.~~ ~~== Create a Fabric~~ new task called makeUser() ==

: The makeUser() function should perform the following:

::* create a new user called "ops435p" with home directory "/home/ops435p".::* add it to the sudo group called "wheel". ::* ~~add~~ ask your professor's for a ssh public key and add it to the file named "authorized_keys" in the ~ops435p/.ssh directory. Make sure that you set the proper permissions on both the directory ~ops435p/.ssh and the file "~ops435p/.ssh/authorized_keys.

:Add the makeUser() to your final version of fabfile.py.

:~~Test~~ Run the new task makeUser() on your ~~local~~ VM ~~first, and deploy to your vm on myvmlab~~.:~~After the successful deployment of the~~ Verify and confirm that your new makeUser() task ~~on your vm on myvmlab, ask your professor to verify and confirm that the new user account "ops435p" on myvmlab has been created~~ is working correctly.

= LAB 8 SIGN-OFF (SHOW INSTRUCTOR) =

:~~'''Have Ready to Show Your Instructor:'''~~* Complete all the parts of the lab and upload the version of your fabfile.py ~~which works on your vm on myvmlab~~ to Blackboardby the due date.

[[Category:OPS435-Python]][[Category:rchan]]

Rchan

1,760

edits

Changes

OPS435 Python3 Lab 8

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

get involved with CDOT

courses

course projects

links

Tools