572
edits
Changes
→Generating a Public/Private Key Pair & Sharing the Public Key
<ol><li value="2">Run the '''ifconfig''' command on your '''c7hosthost''' machine. Check and record the IPADDR for your default (dhcp) network interface card (possibly eno1) and the virtual bridge.</li><li>Issue the '''ip''' command on your '''c7hosthost''' machine to determine the IPADDR and GATEWAY information (refer to above chart). How are the result similar or different than the ifconfig command?</li><li>Issue the ifconfig command on your VMs. what happened?</li><li>Use the '''ip''' command for your VMs to list the IPADDR and GATEWAY information.</li><li>Refer to the man pages or refer to following article [http://www.tecmint.com/ip-command-examples/ 10 Useful ip Commands] to see how to issue the above commands to create a <u>temporary</u> connection to your existing network.</ol>
=== Making Persistent (Permanent) Network Setting Changes ===
<ol>
<li value="7">Edit the '''ifcfg-''interfacename''''' (most likely ifcfg-eth0) file for each of your VMs to use a static IP address (refer to previous OPS235 lab on networking: [ [http://zenit.senecac.on.ca/wiki/index.php/OPS235_Lab_6_-_CentOS7#Part_4:_Configuring_VM_Network_Setup_via_Command_Line_.28centos3.29 Network Config - CLI] ].<br> You should be configuring the BOOTPROTO ('''static''' instead of dhcp), IPADDR, PREFIX (or NETMASK), GATEWAY, HWADDR, and DNS1 for this file. Note the following information for this setup:<ul><li>Set your IPADDR for each VM with the following rules:<ol type="a"><li>Your IPADDR's third octet will use the last 2 digits in your student number.</li><li> Make certain that the 4th octet for your VMs does not start with '''1''' since that is reserved for the '''GATEWAY''' or '''DNS'''by your host machine.<br>For example, Use the forth recommended fourth octets: '''2 for vm1''', '''3 for vm2''', and '''4 for vm3'''.</li></ol></li><li>Don't forget to set the default gateway and DNS server for your VMs. You can use your host's IP address as a DNS server<br>(''libvirt'' will proxy the requests to the real DNS server).</li><li> You can refer to your previous lab to obtain information for setup of these options: [ [http://zenit.senecac.on.ca/wiki/index.php/OPS335_Installation_Lab#Configuring_a_VM_host Configuring a VM Host] ]<br><br></li></ul><li>Make note of the files used and entries required and note them in your lab log-book.</li><li>Save your editing session, and then restart each VM and run the following command to ensure they still have the network configuration you set:<ul><li>'''ping''' (what is the purpose of this command?). Try to ping matrix and google from your host machine.<br>Try to ping matrix and google from each of your VM's to ensure you can reach the outside world.</li><li>'''ssh''' (into another server, like Matrix) </li></ul></li><li>After setting the network configuration for EACH VM, then either the the ifdown and ifup commands or reboot each VM, to verify that you can connect to the Internet with the new static IP network configuration. If you cannot connect to the Internet, then check the network configuration file and make corrections until you have a workable network connection for each VM from boot-up.</ol>
# '''IS THE NETWORK ON VM PLUGGED IN?''' On a physical network you would check whether the cable is plugged in and the link light is on on your network card. In a virtual network environment, you don't have a physical network adapter. Instead, you will need to check the NIC settings in the <u>'''virtual'''</u> machine details to view and confirm the appropriate network connection.
# '''IS THE NETWORK ENABLED?''' This is a problem more common with virtual networks than physical networks. Check in your :<br> '''VirtManager'''->'''ConnectionDetails'''->'''VirtualNetworks''' that your network is active.
# '''DO YOU HAVE AN IP ADDRESS?''' Run '''ip address''' to check.
# '''CAN YOU PING THE HOST BY IP?''' (by its internal IP address). If not - check all of the above, check if you have an IP address conflict, and check that your subnet mask is correct.
There are a number of other problems that could prevent your network connection from functioning but the above are the most common problems.
==== "Run Script to Break My Network" script Connection for Troubleshooting ====
You will now download, set execute permissions and run a Bash shell script to try to "break" the network connection for your vm1. This will provide troubleshooting practice to check your network configuration file, look and correct errors and restart your network interface connection.
'''Record steps, commands, and your observations in INVESTIGATION 1 in your OPS335 lab log-book'''
== INVESTIGATION 2: Configuring SSH ==
===Configuring the SSH Service===
A common (if somewhat blatant ) way) to try to hack into a machine is to try to ssh as '''root''' and brute-force root's password. The root user always exists, meaning the attacker doesn't need to try guessing what user names are on your system. If they can get access to root, they can do anything. To prevent this, we will edit the configuration file for the ssh service to prevent root from ssh'ing into your host machine.
=== Generating a Public/Private Key Pair & Sharing the Public Key ===
The public/private key pair needs to be generated on and used on your '''host''' machine (i.e. the user/machine you're connecting '''from'''). The private key is the equivalent of a <u>''password''</u> (that it is why it is considered to be <u>''private''</u> - only to be used by ''<u>one</u>'' owner). That is why the private key is stored in the owner's '''~/.ssh/''' directory.
One very common mistake that students make is to either generate the key pair for the WRONG account, or copy the public key to the WRONG account on the intended remote machine.
'''Perform the following Steps:'''
# Make certain you are in your '''host ''' machine.
# You will be creating a '''key-pair on your host machine with no password''' (i.e. when generating keypair press enter for all prompts including the password).
# You generate Make certain you are logged on as '''root''' on your host machine.# Generate the key-pair by issuing the command:<br><source lang="bash">ssh-keygen -t rsa</source>
'''NOTE:''' When issuing this command, you will end up with the files: '''~/.ssh/id_rsa''' and '''~/.ssssh/id_rsa.pub''' (private and public keys). So far, this topic is generally a repeat of OPS235 lab7. What you may '''<u>not</u>''' know is that by using a '''"trick"''' (the ''magic'' of public key cryptography), you can SSH to a Linux machine without using a password!<br>Learning to perform this trick is <u>'''essential'''</u> in this course and in the industry in general. SSH keys are used everywhere that Linux servers are used.
If you have the private key, you can prove to someone who has your public key that you are indeed the '''actual owner of that public key'''. That is how ssh key authentication works. You are then only required to transfer your public key to a remote server.
<ol><li value="45">You are going to share the public key from the '''root user in your host machine''' with the '''root user of your vm1 machine'''.</li><li>Make certain you are logged on as '''root'''.</li><li>Copy the contents of your '''~/.ssh/id_rsa.pub''' from your host machine, and append the contents to '''~/.ssh/authorized_keys''' on each of your Virtual Machine serversMachines. In your case, you will issue the following command 3 times (for each vm IPADDR):</libr><lisource>Simply issue the Linux command '''ssh-copy-id -i ~/.ssh/id_rsa.pub usernameroot@serverIPADDR_for_vm</source>'''<br><br>In your caseNOTE: ssh-copy-id ''' Press ENTER for all prompted information including the password (although this may seen counter-i ~/.ssh/id_rsaintuitive!).pub root@IPADDR_for_vm1</libr><libr>Make certain to copy the public key for root on your host to your vm2 and vm3 machines as well.</li><li>Use the ssh command to test each ssh connection between your host and each virtual machine that you can connect to the VMs without having to use a password. This is essential to create backups from VMs to your hostmachine without being prompted for password.</li></ol>
'''NOTE:''' Always remember that these keys are '''per-user, <u>not</u> per machine'''. This means that sharing a user's public key will only work for that specific user.
== INVESTIGATION 3: PERFORMING & AUTOMATING BACKUPS ==
A full backup represents backing up of all of the files of a computer machine (in our case, a VM). A full backup should be performed at the end of each lab or assignment working session.
In OPS235, you learned to use the command '''gzip''', '''gunzip''', and (plus'''virsh dumpxml''' / '''virsh define''' commands if backing up to external storage device like a usb key) to backup your virtual machines and the '''tar''' command as an archiving tool.We will use the same method to perform a full backup for these labs and assignments.
'''Perform the following steps:'''
#Make certain that your virtual machines are NOT running.
#Make certain that you are logged in as '''root ''' user on your host machine.
#Refer to OPS235 lab2 on backing up your VMs using the '''gzip''' command [https://wiki.cdot.senecacollege.ca/wiki/OPS235_Lab_2_-_CentOS7_-_HD2#Part_1:_Backing_Up_Virtual_Machines OPS235 Lab2 - Backing up VMs]
#Make certain that you have performed a full backup for '''vm1''', '''vm2''', and '''vm3'''.
It is recommended to create a Bash shell script to automate the backing up of ALL your VMs in sequence. You can do this by running a for loop using a list for vm1, vm2, and vm3image file pathnames.
=== Performing Incremental Backups ===
An incremental backup is a backup of only files that have changed since the last backup. In your case, it may be a good idea to perform incremental backups of your '''/etc/ ''' directory for your VMs upon startup. We will be using the '''rsync''' command to perform incremental backups for all of your VMs.
'''Rsync''' is a very versatile backup tool. As the name suggests, rsync is used for <u>synchronizing</u> files typically across a network. It works over the '''SSH''' protocol, which is useful in our situation since we are running ssh on our server and VMs. You are going to use your ''host machine'' to backup files from the ''virtual machines''.
# On your '''host machine''', run the following commands:
<source lang=bash>mkdir -p /backup/incremental/vm1
rsync -avz 192.168.x.x:/etc /backup/incremental/vm1/ # where 192.168.x.x is the IPADDR of your vm1</source>
# Edit your crontab entry to run same command every two minutes, save and exit, and then confirm by viewing '''/tmp/cron.log''' and '''/var/log/cron''' files.
# Perform a Net-search to see how to run a cron for a command for every hour.
# Edit your crontab to '''make automatic backups using the rsync command''' of the '''/etc''' directory from '''vm1''', '''vm2''', and '''vm3''' into '''/backup/incremental/vm1''', '''/backup/incremental/vm2''', and '''/backup/incremental/vm3''' every hour and overwrite the previous backup.
'''Record steps, commands, and your observations in INVESTIGATION 2 in your OPS335 lab log-book'''
== COMPLETING THE LAB ==
===Online Submission===
Follow the instructions for lab 1 on moodleblackboard.
===In Class Submission(Murray Saul's Classes only)===
[[Image:lab1_signoff.png|thumb|right|300px|Students should be prepared with '''all required commands (system information) displayed in a terminal (or multiple terminals) prior to calling the instructor for signoff'''.]]
'''Arrange evidence (command output) for each of these items on your screen, then ask your instructor to review them and sign off on the lab's completion:'''
:::Issue the following command to download the bash shell script:<br>'''wget http://matrix.senecac.on.ca/~murray.saul/ops335/labcheck_network_backup.sh'''
::::*Assign execute permissions, and run the script to check your work: '''labcheck_network_backup.sh'''
::::*When prompted for the network interface, use the '''virtual bridge interface'''with IP 192.168.x.1 (where '''x''' is your last 2 digits of your student number).
== EXPLORATION QUESTIONS ==
