Arvutiteaduse instituut
  1. Kursused
  2. 2020/21 kevad
  3. Süsteemihaldus (LTAT.06.003)
EN
Logi sisse

Süsteemihaldus 2020/21 kevad

  • Home
  • Practicals
  • FAQ
  • References

1. Overview of lab 2 :

Welcome to the 3rd lab. Here is a short action list that we will do during this lab:

  1. Accessing ETAIS
  2. Creating a public/private key pair
  3. Creating a new CentOS 8 virtualmachine in Cloud
  4. Configuring VPN Client
  5. Accessing Server over SSH
  6. Adding scoring account and its public key with no password for sudo commands
  7. Update dnf configuration
  8. Use Ansible to automate the previous steps
  9. Using gitlab to store your Ansible repo
  10. Knowing your Floating IP (External IP) to be configured in TLD DNS server (Will be used in the following labs)
  • Following validations have to be passed for this lab to be completed:
    • Your machine must ping from the scoring server.
    • Scoring user must be able to log into your VM using our key.
    • Scoring user must have passwordless sudo access.
    • Scoring user must not have a password set.

2. How to login to ETAIS:

For the rest of the labs we use a cloud service called ETAIS. ETAIS’s main aim is to serve Estonian students and researchers. For access, you have been sent an email with instructions how to log in. You have also been invited into the System Administration organization, and have a private project in that organization.

  • Log into ETAIS system
    • Go to the page: https://minu.etais.ee
    • And login by clicking Sign in with TAAT
    • After that choose your institution (University of Tartu) and enter your (UT) username and personal password.
      • PS! If you prefer other options might work also ID card, Mobile ID or other institution username:password and so on, but it is up to you to get them working.
  • Look for a button called "Select workspace" (up and center)
  • Select workspace and your project
    • If not available please go to your personal e-mail you provided to University as primary contact e-mail and look for a e-mail from selfservice@etais.ee and click on a link this page in it.
  • If still having problems please contact your lab instructor or Anders Martoja anders.martoja@ut.ee

If you did successfully login, you should be able to see the ETAIS Dashboard as follows:

3. Creating a public/private key pair

Before you continue we need to set up public / private key pair so you could use them to connect to machine.

Public key cryptography, or asymmetrical cryptography, is any cryptographic system that uses pairs of keys: public keys which may be disseminated widely, and private keys which are known only to the owner. This accomplishes two functions: authentication, where the public key verifies a holder of the paired private key sent the message, and encryption, where only the paired private key holder can decrypt the message encrypted with the public key.

In a public key encryption system, any person can encrypt a message using the receiver's public key. That encrypted message can only be decrypted with the receiver's private key. To be practical, the generation of a public and private key-pair must be computationally economical. https://en.wikipedia.org/wiki/Public-key_cryptography

Make sure you do not lose this key, once Your VM has been created the only way to change the key is from inside the VM. If you lose your copy and are locked out of the VM, you will have to create a new virtual machine!

Generating key pair and uploading the public key to SSH server

To be done on personal PC/Laptop and

  • In Linux, MacOS and Linux subsystem for Windows ( PuTTy manual later):
  • Open command line
  • Use ssh-keygen command to generate the 4096 bit long RSA key (try to figure out the proper command options you want to use. If asked where to store the key use the default location of:
    • ${HOME}/.ssh/id_rsa
  • If asked about password you may consider protecting the private key using additional pass phrase for stronger security, but it is also OK to leave it empty (in this case the private key has to be kept really secret).
  • Now two files should be added into .ssh/ directory of your home folder:
    • id_rsa which is a private key and should be kept secret (by the way what are the proper permissions assigned to file ?)
    • id_rsa.pub which is a public key and may be shared (by the way what are the proper permissions assigned to file ?)
  • Once the key pair is generated we may set up the SSH server to use public key authentication:
    • Copy public key to memory and then continue with Manual on where to paste it in ETAIS:
      • $ cat ~/.ssh/id_rsa.pub
  • In Windows:

Use Puttygen application to generate the key pair:

  • Download Puttygen
  • Set the password for the private key and save it to your hard drive.
  • Take the puttygen (public key) output and copy it to the ETAIS (next part in manual).

NB! Do not save public key into a file and copy it to the server, it will not work, it has different format.

  • Puttygen illustration: https://www.youtube.com/watch?v=-92wEg68SKQ, https://www.ssh.com/ssh/putty/windows/puttygen
  • Copy public key to ETAIS.
  • Log Into ETAIS
  • On the left menu (under your name) Click Details -> SSH keys
  • Right side of screen look for Add key and click on it
  • Add a name to your SSH key that should contain your Last name
  • Paste your public key and click Add key

Once the public key is successfully added, you should be able to see it in the list of SSH Keys in left-side menu in ETAIS:

4. Creating a new CentOS 8 Virtual Machine

  • Log Into ETAIS
  • From the top choose your Workspace System Administration -> Your personal project -> Select
  • On left menu go to resources -> VMs -> Add Resource -> Virtual Machine in <your project name>
    • VM name = Your university study book number (matriklinumber)
    • Image = System Administration 2021
    • Flavor = m3.nano
    • System Volume Size = 20 GB
    • System Volume Type = scratch (IOPS intensive SSD)
    • Data Volume Size = 1GB
    • Data Volume Type = scratch (IOPS intensive SSD)
    • SSH public key = Your public key
    • Security Groups = add ssh and ping (can be done by clicking in white area after default)
    • Networks = Auto-assign Floating IP
    • Description = Add your Full name, matrix number and course name (System Administration 2021)
  • Check everything twice and press Add to cart , and go through with the purchase. 
Example VM configuration will look as follows:
(WARNING: the Provider value will be specific to your project, so it will be different!)

Once the VM is successfully created it should be visible in list of VM in ETAIS (''Resources -> VMs in the left-most menu)

General Network Topology

You may notice a VM has Internal and External IP listed. Each project actually suggest a private network of 192.168.42.0/24, this your project private LAN, an IP from this network will be assigned to your VM's eth0 network interface and also listed in the Internal IP column (VM list in ETAIS). Project private LAN is connected to University Campus network (172.17.0.0) through a router device that is specific to your project (each student will get 192.168.42.0/24 private network but this is not the same one!). Router devices are created automatically once project is created and network provider is chosen. The only possible provider for our course cloud is UT Campus (172.17.0.0). Therefore router devices will get the corresponding External IP address assigned, resulting a unique address from 172.17.0.0 subnet. The Internal address of the router is always set 192.168.42.1 and this becomes a default gateway for our VM. As we only create 1 VM in our private network (192.168.42.0/24) the router applies the Source/Destination NAT (network address translation) between the IP address of a VM (192.168.42.a) and the External address of a Router (172.17.x.x). As a result all packets arriving on 172.17.x.x are sent further to 192.168.42.a (called destination NAT). Opposite way around (source NAT): all packets that are passing through router (sent from VM into world) are getting the source address rewritten (192.168.42.a -> 172.17.x.x). The last is actually a default setting for any home/small-office router. If both applied the Router becomes transparent for a VM: VM becomes accessible behind the Router's External address. This is why the Router's External IP is enlisted as VM's External IP (right next VM's Internal IP).

Network topology diagram

Question: What will happen if there is 2 VMs instead of 1 inside a private network 192.168.42.0/24

5.Configuring VPN Client

In order to access your newly created Virtual machine you need to be inside of University of Tartu network. In classroom or in University of Tartu eduroam network it might be possible to access your machine without VPN, but we do reccomend set ip up for remote access.

A virtual private network (VPN) extends a private network across a public network, and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network. Applications running across the VPN may therefore benefit from the functionality, security, and management of the private network. VPNs may allow employees to securely access a corporate intranet while located outside the office. They are used to securely connect geographically separated offices of an organization, creating one cohesive network. ... https://en.wikipedia.org/wiki/Virtual_private_network

  • Please refer to University of Tartu official manual of how to set up VPN in your personal machine if you have not done this already:

https://wiki.ut.ee/pages/viewpage.action?pageId=17105590

Once the VPN connection is established, check the connection with your newly created Virtual machine. Use ping command with the External IP of your VM

  • $ ping 172.17.64.250

6. Access machine over SSH

Secure Shell (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network. The best known example application is for remote login to computer systems by users.

SSH provides a secure channel over an unsecured network in a client-server architecture, connecting an SSH client application with an SSH server. Common applications include remote command-line login and remote command execution, but any network service can be secured with SSH. https://en.wikipedia.org/wiki/Secure_Shell

Connecting to Cloud resources (VM-s) over SSH is preferred. Therefore SSH is installed in your system by default, as the cloud infrastructure takes care of bootstrapping and installing your CentOS 8 OS.

Accessing remote shell of the VM over SSH

Command line utilities

ssh


In MacOS and Linux hosts the ssh client is by default installed and accessible in command line. In order to access remote shell of the example.com host and user test the following command should be provided:

  • $ ssh test@example.com

Try accessing the remote shell of your VM using the Floating (External) IP address of your machine. You need username (default: centos ) but you do not know password. If you are lucky all worked if not keep reading.

Desktop Applications

Putty


**Download Putty Putty is an portable executable, so just open Putty.exe and the following window will open up:

Testing the public key authentication

First of all make sure you know the IP of your newly created VM. It will be something like 172.17.XXX.XXX

Instead of username and password let use the key we generated earlier. Now you should be able to login to you VM over SSH using the private key:

  • In Linux and MacOS
  • ssh <user>@172.17.X.X
    • Where <user> is the regular user name on your VM (the default one is centos ) and X-s are the last two octets of the IP of your VM
  • The SSH server should not ask for password anymore in case you did not provide additional pass phrase on your private key id_rsa .
  • If needed use -i parameter to specify key file.
  • In Windows
  • Use the Putty application and set up a new saved session:
    • On the putty startup screen write your External IP address (172.17.64.X) into to host name field - this will be the session name (so you can reuse it later).
    • Click on the Connection (in the left vertical panel) then choose Data.
      • Write the login of your normal user (the default one is centos ).
  • Under Connection -> SSH -> AUTH, browse for the private key you generated with the Puttygen.
  • Go back to the Session submenu, add a SA-172.17.64.X name in Saved Sessions box and click Save.
  • Now the saved session can be used:
  • Use the Putty application:
    • On the putty startup screen, in the Saved Sessions box select your saved session, then click Load
    • Click Open on the main window.
  • The SSH server should not ask for password anymore in case you did not provide additional pass phrase on your private key.

7. Adding root password

VMs in ETAIS by default ship without passwords. Meaning you can only gain access to the VM if you have pasted you SSH public key into ETAIS and afterwards created the VM. Root user should have a password. It allows for more convenient disaster recovery. Also you can utilise the root password whenever you lock yourself out of your machine and want to gain access again.

As a root user set the password for the root account

  • # passwd root

You will be prompted to enter the password twice, don't be alarmed when you can't see you password being typed on the screen. It's a security feature of linux as to not give away the length of your password.

Go to ETAIS next to your VM's name choose Actions and from the drop down menu choose Open console. This will cause a pop-up to open a new tab. You might need to allow pop-ups for ETAIS in your browser (you will be propmted to do so). Click with inside the black console box to force it into focus and try to log in with user root and the password you just set.

8.Adding scoring account

Now we will add a scoring user which will be used by our lab instructors and automatic scoring virtual machine to log in and check your machine.

  • Add new user called scoring (DO NOT give it a password)
  • $ sudo adduser scoring

Now let's give our lab instructors and automated scoring system access to your VM over SSH using scoring account. There is a public key for the scoring user available for a download here https://scoring.sa.cs.ut.ee/files/id_rsa.pub.

  • Now in your VM please login to scoring account you have just created, or just switch to it using su - scoring command. (Think a bit how you're doing it - you need elevated permissions!)
  • Now download the scoring server's public key in your VM, use the wget (you might need to install it) command for that:
  • scoring@host:~$ wget https://scoring.sa.cs.ut.ee/files/id_rsa.pub
  • If that does not work, just put the URL into your browser and copy it from there.

If the file was downloaded properly you can check the content of the file

  • scoring@host:~$ cat id_rsa.pub

Now let's add the downloaded public key to the list of authorized keys for scoring account:

  • If directory .ssh does not exist in scoring's home, please create it.
    • scoring@host:~$ mkdir .ssh
  • Make sure the directory is owned by scoring user and only it can read-write-execute in it
    • # chown scoring:scoring .ssh and # chmod 700 .ssh
  • Copy the contents of id_rsa.pub into .ssh/authorized_keys
    • scoring@host:~$ cat id_rsa.pub >> .ssh/authorized_keys
  • Make sure the files are in appropriate permissions
    • .ssh folder in Read-Write-Execute only permissions for scoring user only (no permissions for others)
    • authorized_keys in Read-Write permissions only for the scoring user

If everything was done properly a remote scoring can now login using its private key. You cannot test it. You should see that in a few minutes from the scoring board.

The last thing to do is to give the scoring rights to execute command in root rights.
We need scoring user to be able to run programs that need root access, but we are not going to give root privileges to the scoring backend (root password is unknown and root user cannot login over SSH). In order to give a regular user an ability to execute a particular command in super user rights there is a tool called sudo. sudo allows to run programs with security privileges of another user, by default the root user.
For more information on sudo read short review on debian wiki.

Check that the package sudo is installed

  • Remember what command we were using for installing packages ?

Rely on sudo documentation and make changes so that the scoring user can:

  • Execute sudo command without asking for password
  • centos@mohan-test-vm:~$ sudo visudo and add 
scoring ALL=(ALL:ALL) NOPASSWD: ALL
# under where users like root are specified
  • Depending on your editor, you need to know how to save.
  • Default is vim .

Ideally the following should just list files without any additional prompts:

  • scoring@host:~$ sudo ls -l /root

9. Automating the last step with Ansible

Ansible is an automation tool for system administrators that handles routines, data gathering, config management and more. There are obvious benefits to maintaining a proper collection of Ansible scripts - maintainability, reproducibility, documentation. A proper Ansible playbook will allow you to automatically configure a blank machine to any state you like. For example, once you have written a playbook for your VM and should that VM get corrupted, you could create a new virtual machine and after running the playbook get back to the previous state.

Another bonus to Ansible is idempotency - running your playbook multiple times on the same machine means that the same state is reached each time. For example, when adding lines to a config with Ansible, a well written playbook will not add a line on each run, but will first check if it already exists. This prevents mistakes and makes sure your playbook run smoothly each time.

Now lets take a look at a typical playbook structure.

The two main components of a playbook are the tasks and the hostfile. The hostfile will determine which machine a playbook is intended to run on. While we are using a singular machine for our course, Ansible can be (and is) used to manage more than hundreds of machines in live production systems.

For the playbooks, these are written for any purpose you need. The task can be as simple as adding a user with a password, or as complex as setting up a full webserver with the neccesary configs, services and permissions. In Ansible, a task is a singular action, while a playbook contains multiple tasks to be executed.

Writing and maintaining Your Ansible is Your responsibility. Questions about the tool are welcome, but from here on we will provide some information on how to do it, but not complete code repositories - part of this course is to build your ability to solve problems on your own, a skill every administrator needs.

The incentive for you is the exam - using Ansible during the exam is not only allowed, but recommended. While the exam may not be a perfect 1-to-1 sum of the labs, it will be something very similar. In theory, you could complete Your exam in a matter of minutes if your Ansible runs smooth and does 95% of the work for you.

We will now take a look on how to set up and run your first playbooks. The official documentation (https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html) covers all the different OS versions, we recommend using the Windows susbsystem for linux if you're running on Windows instead of PuTTy.

  • Installing Ansible in WSL

If you are running Windows10 and do not have the Linux subsystem installed, got to the Microsoft Store and search for Ubuntu. After installing, got to search for the windows tool named Turn Windows features on or off and and enable Windows Subsystem for Linux. After a system restart WSL is ready to use.

For installing ansible in Ubuntu/WSL (MacOS and Linux users consult the official guide and look for your OS version) All of the following will be done in your personal machine

  • Open your terminal by searching for Ubuntu from windows search
  • sudo apt-get update
  • sudo apt-get install ansible

And You should be done! Test the installation by running ansible --version, this will print you the version of Ansible you are running and confirm it is running smoothly.

Next up create a directory which will be the repository root for your Ansible scripts and playbooks

  • In that directory a new directory called inventory, and in that folder create a file named hosts
  • Inside the inventory file append the following 
 [sa-vm]
<external IP of your VM>

Now in your repository root directory create a folder named roles and change your working directory to the newly created folder. Here create a new folder named etais, and inside this folder a new directory tasks

  • In roles/etais/tasks/ open a file named main.yml

Now we are ready to add tasks, the following block will fully solve the problem of adding the scoring user with the correct key. 

- name: Add user scoring
  user:
    name: scoring

- name: Create .ssh directory
  file:
    path: /home/scoring/.ssh
    state: directory
    owner: scoring
    group: scoring
    mode: '0700'

- name: Download user scoring public key
  get_url:
    url: https://scoring.sa.cs.ut.ee/files/id_rsa.pub
    dest: /home/scoring/.ssh/authorized_keys
    owner: scoring
    group: scoring
    mode: '0600'

Next we will create some standard configuration for Ansible

  • In your home directory, create a hidden file (filename starts with a dot) named .ansible.cfg
  • In this file, add a section named [defaults] and in this section append the following lines 
inventory =  /path/to/your/repo/inventory/hosts
host_key_checking = false
private_key_file = ~/.ssh/id_rsa
roles_path = /path/to/your/repo/roles
  • Make sure the private_key_file value points to the ssh-keypair you generated before and that /path/to/your/repo> points to your local repository root. If you first used PuTTy to connect to your VM, generate a new key in WSL, and append the public-key part of the key under the authorized_keys file under the centos user. This way both keys will work

Now we are ready to create our first playbook. In your Ansible repository root create a file (name of your choosing) with the extension .yml Inside the file declare the inventory group and some extra parameters that dictate which user Ansible uses to manage your hosts 

---

- hosts: sa-vm
  user: centos
  become: yes
  become_method: sudo
  become_user: root

  roles:
   - { role: etais, tags: etais }

After saving the file, we will need to run the playbook as well. Execute your playbook with the following syntax ansible-playbook <name of your .yml file>

You will now see output while Ansible runs and one-by-one executes each of the configured tasks. If you have already added the scoring users, all check should be green and no tasks were changed. You can even try to rerun the whole playbook, during the second execution cycle no changes will be made.

10. Keeping your Ansible repository safe in our Gitlab

Git is a version control system you should already be familiar with from previous courses. While github is a free public repository host, we will be using a private Gitlab instance created specially for this course.

As the first step, log in to our gitlab at https://gitlab.sa.cs.ut.ee. * For the authentication method choose LDAP instead of Standard

  • Now create a blank project
    • Give it a name of you choosing or just sa2021
    • Project slug value is autogenerated and you dont have to change that
    • For the Visibility level, keep it Private
    • And finally skip Initialize repository with a README, since we will be using our Ansible repo root as the initializer.

Now we are ready to upload our repository - In the actual gitlab repo page you can also see the guide on how to do this, but this will also be mirrored here in this guide.

First initialize your global git configuration. You can also copy-paste these commands from the git repo setup instructions.

  • git config --global user.name "<your username>"
  • git config --global user.email <firstname.lastname>@ut.ee

Now we are ready to push our repository into the course gitlab. You should already be in the Ansible repository root directory, but incase you are not change your directory.

  • cd <ansible repository>
  • git init to initialise the directory as a git repo.
  • git remote add origin https://gitlab.sa.cs.ut.ee/<username>/<repository name>.git Make sure to replace the username and repository name values accordingly
  • git add .
  • git commit -m "First commit"
  • git push -u origin master

And you should be done - refresh the page in gitlab to see all of your files nicely stored in the git repository. Also from here on now, don't forget to regularly commit your changes to the repository, atleast after each lab.

11. Updating DNF:

DNF (Dandified YUM) is a new package manager for CentOS platform. This can be used to install, update, remove software and handle dependencies.

Get updates and install them:

  • # sudo dnf update
  • Use DNF to install your favourite text editor.
  • Arvutiteaduse instituut
  • Loodus- ja täppisteaduste valdkond
  • Tartu Ülikool
Tehniliste probleemide või küsimuste korral kirjuta:

Kursuse sisu ja korralduslike küsimustega pöörduge kursuse korraldajate poole.
Õppematerjalide varalised autoriõigused kuuluvad Tartu Ülikoolile. Õppematerjalide kasutamine on lubatud autoriõiguse seaduses ettenähtud teose vaba kasutamise eesmärkidel ja tingimustel. Õppematerjalide kasutamisel on kasutaja kohustatud viitama õppematerjalide autorile.
Õppematerjalide kasutamine muudel eesmärkidel on lubatud ainult Tartu Ülikooli eelneval kirjalikul nõusolekul.
Courses’i keskkonna kasutustingimused