: If you see the password prompt again, make sure that you can ssh from your controller as a regular user to your worker vm as root without a password.
== Part 3: Setting and Checking Security Configuration ==
: Recall that in our OPS courses we've been using iptables instead of firewalld, which is installed by default in CentOS. Let's make sure that our workers have that set up as well. In the same '''fabfile.py''' you've been using all along, add a new function like this:
</source>
: That should by now look pretty obvious. On the worker you're going to uninstall firewalld, install iptables, and make sure that the iptables service is running.
: Execute the function for worker1 and double-check that it worked.
: <font color='red'>'''**Warning**''' </font>Do not do this on your vm on myvmlab. If you do, you may lock yourself out for good.
=== Allow access to Apache through the firewall ===
: The default setup of iptables also doesn't allow access to our web server. We'll need to add some more to our function to allow it. This would probably make more sense in setupWebServer(), but for now let's put it into setupFirewall():
: <source lang="python">
run("iptables -I INPUT -p tcp --dport 80 -j ACCEPT")
run("iptables-save > /etc/sysconfig/iptables")
</source>
: Easy enough, but there's one problem: if we run this more than once, we're going to end up with duplicate iptables rules for port 80 (check with iptables -L).
: In order to avoid that, we have to first check whether the rule exists before we add it. We can do that like this:
: <source lang="bash">iptables -C INPUT -p tcp --dport 80 -j ACCEPT</source>
: Unfortunately that command answers "yes" or "no" by succeeding or failing, depending on whether that rule exists. In Fabric, when a command fails the entire fab file execution stops, assuming that it's an unrecoverable error. We need to prevent that with another with statement:
: <source lang="python">
with settings(warn_only=True):
    firewallAlreadySetUp = run("iptables -C INPUT -p tcp --dport 80 -j ACCEPT")
    if firewallAlreadySetUp.return_code == 1:
        ... move your iptables rules setup here ...
</source>
: Test your new setupFirewall function on worker1, and make sure it opens access to Apache but does not create duplicate rules every time it's run. Troubleshoot if you encounter any issue.

=== Check firewall configuration ===
: To check the firewall configuration on your remote worker, you can retrieve its current configuration by creating another Fabric task called getFirewallConfig(). Add the following code to your fabfile.py:
: <source lang="python">
def getFirewallConfig():
    fw_config = run("iptables -L")  # list the current rules on the worker
    print(fw_config)
</source>
: Try to run the getFirewallConfig() task the same way as before. Troubleshoot if you encounter any issue.
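: The duplicate-rule problem and the <code>iptables -C</code> fix, as an added worked example that is not part of the course fabfile: the Fabric <code>run</code> call is passed in as a parameter, so the same <code>ensure_rule()</code> logic can drive a real worker (pass <code>fabric.api.run</code> from inside <code>with settings(warn_only=True):</code>) or the constructed <code>FakeWorker</code> below, which mimics the exit codes of <code>iptables -C</code>/<code>-I</code>/<code>-L</code> and <code>iptables-save</code> in memory so the behaviour can be checked offline. All names and the fake worker are assumptions of this example.

```python
"""Idempotent firewall setup with an injected `run` callable.

Added example, not the course's fabfile. `run` is whatever executes a shell
command on the worker and returns an object with .stdout and .return_code,
which is the shape of a Fabric 1.x run() result. FakeWorker is a constructed
stand-in so the code runs without a VM.
"""
from dataclasses import dataclass, field
from typing import Callable, List

# The Apache rule from the text, in the argument form shared by -I and -C.
APACHE_RULE = "INPUT -p tcp --dport 80 -j ACCEPT"


@dataclass
class Result:
    """The two attributes of a Fabric run() result that the logic relies on."""
    stdout: str = ""
    return_code: int = 0


RunFn = Callable[[str], Result]


def add_rule_naive(run: RunFn, rule: str) -> None:
    """The first version from the text: inserts unconditionally, so every
    execution of the task adds one more copy of the rule."""
    run("iptables -I " + rule)
    run("iptables-save > /etc/sysconfig/iptables")


def rule_exists(run: RunFn, rule: str) -> bool:
    """`iptables -C` exits 0 when the rule is present and 1 when it is not.
    Under Fabric the caller must wrap this in `with settings(warn_only=True):`,
    otherwise the non-zero exit aborts the whole fab run."""
    return run("iptables -C " + rule).return_code == 0


def ensure_rule(run: RunFn, rule: str) -> bool:
    """Insert `rule` only if it is absent. Returns True when a change was made,
    which makes the task safe to re-run as often as you like."""
    if rule_exists(run, rule):
        return False
    run("iptables -I " + rule)
    run("iptables-save > /etc/sysconfig/iptables")  # persist across reboots on CentOS
    return True


def get_firewall_config(run: RunFn) -> str:
    """Equivalent of the getFirewallConfig() task: return the rule listing."""
    return run("iptables -L").stdout


@dataclass
class FakeWorker:
    """Constructed stand-in for a CentOS worker (an assumption of this example):
    keeps the rules in memory and mimics the exit codes of the real commands."""
    rules: List[str] = field(default_factory=list)
    saved: List[str] = field(default_factory=list)

    def run(self, cmd: str) -> Result:
        if cmd.startswith("iptables -C "):
            present = cmd[len("iptables -C "):] in self.rules
            return Result(return_code=0 if present else 1)
        if cmd.startswith("iptables -I "):
            self.rules.insert(0, cmd[len("iptables -I "):])  # -I prepends to the chain
            return Result()
        if cmd.startswith("iptables -L"):
            return Result(stdout="\n".join(self.rules))
        if cmd.startswith("iptables-save"):
            self.saved = list(self.rules)
            return Result()
        return Result(return_code=127)  # unknown command, as a shell would report


def demo() -> dict:
    """Run both variants twice and report how many copies of the rule remain."""
    naive = FakeWorker()
    for _ in range(2):
        add_rule_naive(naive.run, APACHE_RULE)

    fixed = FakeWorker()
    changes = [ensure_rule(fixed.run, APACHE_RULE) for _ in range(2)]

    return {
        "naive_copies": naive.rules.count(APACHE_RULE),   # 2: duplicated
        "fixed_copies": fixed.rules.count(APACHE_RULE),   # 1: idempotent
        "fixed_changes": changes,                         # [True, False]
        "fixed_saved": fixed.saved,
        "listing": get_firewall_config(fixed.run),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

: To use this on a real worker, a fabfile task would be as short as a <code>setupFirewall()</code> that opens <code>with settings(warn_only=True):</code> and calls <code>ensure_rule(run, APACHE_RULE)</code> inside it; the <code>warn_only</code> context is what lets the exit status 1 from <code>iptables -C</code> come back as a value instead of aborting the run.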
= INVESTIGATION 3: Multiplying your work =