
OPS435 Python Lab 8

3,478 bytes added, 09:28, 21 January 2020
<font color='red'>'''** DO NOT USE - TO BE UPDATED FOR CENTOS 8.0 **'''</font>
= LAB OBJECTIVES =
= INVESTIGATION 1: Extra VM Setup =
In order to experience Fabric's features in a realistic way, we're going to set up several virtual machines. To begin with they are all going to have the same configuration. Please make sure that each VM has a direct network connection to the other VMs you wish to control and configure.
== PART 1 - Set up your controller ==
There is something weird in the code above that you haven't seen before but it's required for some uses of Fabric: the '''with''' statement.
The problem is that separate '''run''' commands each execute in a brand new session, each with its own shell. They are not like separate lines in a single shell script even though they look like they should be.
That means if you run a cd command and then a tar command separately - the tar command will not run in the directory where you think it will. In order to fix this you have to nest commands inside a '''with''' - it's like a '''run''' but with persistent results.
Except you won't be able to access it because of the firewall. We'll deal with that in the next section.
 
== Part 2: Set up the firewall ==
 
Recall that in our OPS courses we've been using iptables instead of firewalld, which is installed by default in CentOS. Let's make sure that our workers have that set up as well. In the same '''fabfile.py''' you've been using all along, add a new function like this:
 
<source lang="python">
# Will uninstall firewalld and replace it with iptables
def setupFirewall():
    run("yum -y -d1 remove firewalld")
    run("yum -y -d1 install iptables-services")
    run("systemctl enable iptables")
    run("systemctl start iptables")
</source>
 
That should by now look pretty obvious. On the worker you're going to uninstall firewalld, install iptables, and make sure that the iptables service is running.
 
Execute the function for worker1 and double-check that it worked.
 
=== Allow access to Apache through the firewall ===
 
The default setup of iptables also doesn't allow access to our web server. We'll need to add some more to our function to allow it. This would probably make more sense in setupWebServer() but for now let's put it into setupFirewall():
 
<source lang="python">
run("iptables -I INPUT -p tcp --dport 80 -j ACCEPT")
run("iptables-save > /etc/sysconfig/iptables")
</source>
 
Easy enough, but there's one problem - if we run this more than once, we're going to end up with duplicate iptables rules for port 80 (check with iptables -L).
 
In order to avoid that - we have to first check whether the rule exists before we add it. We can do that like this:
 
<source lang="bash">iptables -C INPUT -p tcp --dport 80 -j ACCEPT</source>
 
Unfortunately that command answers "yes" or "no" by succeeding or failing depending on whether that rule exists. In Fabric when a command fails - the entire fab file execution stops, assuming that it's an unrecoverable error. We need to prevent that with another with statement:
 
<source lang="python">
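# Needs "settings" imported from fabric.api at the top of fabfile.py
with settings(warn_only=True):
    # Only this check is allowed to fail without stopping the run
    firewallAlreadySetUp = run("iptables -C INPUT -p tcp --dport 80 -j ACCEPT")
# iptables -C exits with 1 when the rule does not exist yet
if firewallAlreadySetUp.return_code == 1:
    # ... move your iptables rules setup here ...
    pass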
</source>
 
Test your new setupFirewall function on worker1, and make sure it opens access to Apache but does not create duplicate rules every time it's run.
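The check-then-insert pattern above, as an added example that is not part of the original lab: it runs without Fabric or root by using a constructed in-memory stand-in for a worker (<code>FakeWorker</code>, <code>Result</code>, <code>ensure_rule</code> and <code>demo</code> are hypothetical names), and it goes slightly beyond the lab by treating any return code other than 0 or 1 as a real error instead of "rule missing". In a real fabfile you would pass Fabric's own '''run''' and wrap the call in '''settings(warn_only=True)'''.

```python
import collections

# Minimal stand-in for what Fabric's run() returns (only return_code is used here).
Result = collections.namedtuple("Result", "return_code")

class FakeWorker:
    """Constructed stand-in for a worker: simulates iptables -C / -I in memory."""
    def __init__(self):
        self.rules = []      # rule specs currently in the simulated INPUT chain
        self.saved = None    # snapshot taken by the last iptables-save

    def run(self, cmd):
        parts = cmd.split()
        if cmd.startswith("iptables-save"):
            self.saved = list(self.rules)
            return Result(0)
        if parts[0] != "iptables" or len(parts) < 4 or parts[1] not in ("-C", "-I"):
            return Result(2)                  # iptables exits 2 on bad parameters
        spec = " ".join(parts[3:])
        if parts[1] == "-C":
            return Result(0 if spec in self.rules else 1)
        self.rules.insert(0, spec)            # -I inserts at the top of the chain
        return Result(0)

def ensure_rule(run, spec, chain="INPUT"):
    """Add the rule only if it is missing. Returns True if it was added."""
    check = run("iptables -C %s %s" % (chain, spec))
    if check.return_code == 0:
        return False                          # already present: nothing to do
    if check.return_code != 1:
        # Not "rule missing" but a real error: do not insert blindly.
        raise RuntimeError("iptables -C failed with %d" % check.return_code)
    for cmd in ("iptables -I %s %s" % (chain, spec),
                "iptables-save > /etc/sysconfig/iptables"):
        if run(cmd).return_code != 0:
            raise RuntimeError("failed: " + cmd)
    return True

def demo():
    worker = FakeWorker()
    spec = "-p tcp --dport 80 -j ACCEPT"
    first = ensure_rule(worker.run, spec)
    second = ensure_rule(worker.run, spec)    # second run must not add a duplicate
    return first, second, worker.rules, worker.saved
```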
 
= INVESTIGATION 3: Multiplying your work =
 
After completing all the previous parts of the lab - you should have a working fabfile.py with two working functions: setupFirewall() and setupWebServer().
 
You were asked to test them on worker1. Now let's run these two functions on all your workers at the same time. The command is almost the same, except for the list of IP addresses:
 
<source lang="bash">fab --fabfile=fabfile.py -H 192.168.56.11,192.168.56.12,192.168.56.13,192.168.56.14,192.168.56.15 setupWebServer</source>
 
Again - your IP addresses will be different but the command will be the same.
 
You can also reconfigure the firewall on all the workers at the same time, using a command like this on your controller:
 
<source lang="bash">fab --fabfile=fabfile.py -H 192.168.56.11,192.168.56.12,192.168.56.13,192.168.56.14,192.168.56.15 setupFirewall</source>
 
And imagine that you might have 10, 50, 100 servers to do this on - could you do it without the automation?
= LAB 8 SIGN-OFF (SHOW INSTRUCTOR) =
:'''Have Ready to Show Your Instructor:'''
* Complete all the parts of the lab and show your fabfile.py as well as Apache working on all five virtual machines.
= LAB REVIEW =
 
[[Category:OPS435-Python]]