Changes

← Older edit

OPS435 Python3 Lab 8

729 bytes removed, 19:00, 4 July 2020

no edit summary

= LAB OBJECTIVES =

:0. Review SSH setup and remote shell execution

:1. Explore the Fabric Python library and its command line tool "fab".

:2. Create Fabric scripts ~~utilize~~ utilizing Fabric's API to define tasks ~~that can be executed by~~ for the '''fab''' ~~program~~command.:3. Use the '''fab''' command to execute fabric script to perform ~~regular/administrative~~ pre-defined tasks on remote Linux machines.

== Overview ==

:[http://www.fabfile.org/]

|}

: <font color='blue'>Please note that the version of Fabric ~~we are going to use~~ installed on matrix.senecacollege.ca for this lab is 1.14 and it supports only Python version 2.</font>The Fabric script files we are going to create in this lab have to meet Python version 2.x requirements. (e.g. print is a keyword, not a built-in function in Python 2.x)

:2. You should have some experience on the following topics in OPS235 and or OPS335. Please review them to prepare for the activities in this lab:

:* create and configure a regular user on a Linux system.

: Create a new SSH key pair (one private, and one public) under your account on matrix.senecacollege.ca.

: Once you have both keys, you can use the '''ssh-copy-id''' command to copy your public key to the student account on your VM, replace the port number with the correct value for your VM:<source lang='bash'>

ssh-copy-id -i ~/.ssh/id_rsa.pub -p 7200 student@myvmlab.senecacollege.ca

</source>

: When running the fab command in ad-hoc mode, it is very similar to running the SSH with commands attached at the end.

== PART 1: running non-privileged shell commands on remote machines ==

: In the following example, we use the '''fab''' to execute the "date", "hostname", and "id" command remotely on our VM. Try the following ad-hoc fab commands and record their results for later use, replace the port number with the correct value for your VM:<source lang='bash'>

[raymond.chan@mtrx-node05pd lab8]$ fab --host=myvmlab.senecacollege.ca --port=7200 --user=student -- 'date;hostname;id'

[myvmlab.senecacollege.ca] Executing task '<remainder>'

=== Run the "yum" command on remote machine with SSH ===

: By default, your VM doesn't have the "tree" rpm package installed. You can verify this with the following SSH command(remember to replace the port number with the correct value for your VM):<source lang='bash'>

[raymond.chan@mtrx-node05pd lab8]$ ssh -p 7200 student@myvmlab.senecacollege.ca "yum list tree"

Loaded plugins: fastestmirror

fab --host=myvmlab.senecacollege.ca --port=7200 --user=student -- 'sudo yum install tree -y'

</source>

: Type in your user student's password when prompted for "sudo password", the yum install command to install the tree rpm package should be executed successfully.If the tree rpm package is already installed, you can remove it with the following ad-hoc fab command: <source lang='bash'>fab --host=myvmlab.senecacollege.ca --port=7200 --user=student -- 'sudo yum remove tree -y'</source>

: Try remove the "tree" rpm package with the appropriate ad-hoc fab command.

= INVESTIGATION 3: Running the fab command in script mode =

: From investigation 2, we can see that running '''fab''' in ad-hoc mode is quick, straight forward, and easy. However, the rich output generated can not be easily captured and processed. If you have a need to capture and process the output generated by the commands executed on the remote machines, the solution is to run the '''fab''' command in script mode.

: The first step in running the '''fab''' command in script mode is to create a fabric script file.

: On matrix, cd to your lab8 directory and create a simple fabric script file named '''fabfile.py''' (this is the default filename used by the fab command when you invoke it without the '-f' optino):

== PART 1: ~~Simplest~~ Non-privileged task example =====Create non-privileged tasks: Getting the hostname of ~~the~~ remote ~~machine~~machines===: Add the following contents to the ~~file~~ default fabric script called "fabfile.py" in your lab8 directory:<source lang="python">

from fabric.api import *

env.user = 'student'

# Define the task to get the hostname of ~~the~~ remote ~~machine~~machines:

def getHostname():

name = run("hostname")

:You should get used to the above messages from the '''fab''' command. It's a lot of output but it's important to understand where every part is coming from, so you are able to debug problems when they happen.

== ~~Part~~ PART 2: ~~Set up more administrative~~ Privileged Tasks Examples =====Creat privileged tasks: install and remove rpm package on remote machines===: Add the following two new functions to the end of the fabric script "fabfile.py" in your lab8 directory:<source lang='bash'>

def installPackage(pkg='dummy'):~~Let~~ cmd = 'yum install ' + pkg + '~~s pretend that we need collect the disk usage on several machines so that we can plan for storage maintenance. We~~-y'~~ll set up a simple example of such a deployment here.~~ status = sudo(cmd) print(status)

def removePackage(pkg): if pkg =='': cmd = ~~Getting~~ 'yum remove dummy -y' else: cmd = 'yum remove ' + pkg + ' -y' status = sudo(cmd) print(status)</source>: Note that both functions take one function argument in different ways. However, if no function argument is passed when calling the function, both will default to a string value of "dummy". Both functions call the sudo() from the fabric.api to execute the command contained in the ~~disk usage~~ "cmd" object on the remote ~~worker =~~machine via sudo.: To check for any syntax error in your updated fabric script, run the following command in the same directory as the fabfile.py:<source lang='bash'>fab -l</source>: You should get a list of tasks defined similar to the following:<source lang='bash'>[raymond.chan@mtrx-node05pd lab8]$ fab -lAvailable commands:

~~:Add a getDiskUsage() function to your fabfile.py file:~~ ~~:<source lang="python"># to get the disk usage on remote workerdef getDiskUsage():~~ ~~current_time = run('date')~~getHostname ~~diskusage = run('df -H')~~installPackage ~~header = 'Current Disk Usage at '+current_time~~removePackage ~~print(header)~~ ~~print(diskusage)~~[raymond.chan@mtrx-node05pd lab8]$

</source>

:~~Note that each call~~ If you only need to connect to ~~"run()" will run a command on the worker. In this function we get the date/time of~~ the same remote ~~work~~machine, you can specify the host and ~~then get~~ port number in the ~~disk usage~~fabfile. ~~The print() function print out both~~ py to save some typing when executing the ~~values returned~~fab command. ~~:If you try to run it~~ Add the following two lines after the ~~same way as before:~~ ~~<pre>$ fab --fabfile=~~env.user line in your fabfile.py ~~-H 192.168.122.169 getDiskUsage</pre>~~ ~~:You should get the following output~~:<source lang="'bash"'>~~[rchan@centos7 lab8]$ fab --fabfile~~env.port =~~fabfile.py -H 192.168.122.169 getDiskUsage[192.168.122.169] Executing task~~ '~~getDiskUsage~~7200'~~[192.168.122.169] run: date[192.168.122.169] out: Sun Nov 10 13:17:16 EST 2019[192.168.122.169] out:~~ ~~[192.168.122.169] run: df~~ # <-H~~[192.168.122.169] out: Filesystem Size Used Avail Use% Mounted on[192.168.122.169] out: devtmpfs 947M 0 947M 0% /dev[192.168.122.169] out: tmpfs 964M 0 964M 0% /dev/shm[192.168.122.169] out: tmpfs 964M 9.7M 954M 2% /run[192.168.122.169] out: tmpfs 964M 0 964M 0% /sys/fs/cgroup[192.168.122.169] out: /dev/mapper/centos~~-~~root 7.7G 5.6G 2.1G 73% /~~please replace with the actual value of your VM's port number~~[192~~env.~~168.122.169] out: /dev/vda1 1.1G 298M 766M 29% /boot~~hosts =[~~192~~'myvmlab.~~168~~senecacollege.~~122.169] out: tmpfs 193M 17k 193M 1% /run/user/42[192.168.122.169~~ca'] ~~out: tmpfs 193M 0 193M 0% /run/user/1000[192.168.122.169] out:~~ ~~Current Disk Usage at Sun Nov 10 13:17:16 EST 2019Filesystem Size Used Avail Use% Mounted ondevtmpfs 947M 0 947M 0% /devtmpfs 964M 0 964M 0% /dev/shmtmpfs 964M 9.7M 954M 2% /runtmpfs 964M 0 964M 0% /sys/fs/cgroup/dev/mapper/centos-root 7.7G 5.6G 2.1G 73% //dev/vda1 1.1G 298M 766M 29% /boottmpfs 193M 17k 193M 1% /run/user/42tmpfs 193M 0 193M 0% /run/user/1000~~ ~~Done.Disconnecting from 192.168.122.169... done.~~

</source>

: You can also store the user's password in this file so that it will respond to the "sudo password" prompt for sudo() call. It is not safe to do so as you can configure the sudo module on the remote machine not to ask for sudo password.

: Now you can run the fab command without the "--host" and "--port" option.

: Run the following two fab commands, note the results and compare their difference:<source lang='bash'>

fab installPackage

~~=== Update all the rpm packages on remote worker ===~~fab installPackage:~~Let's pretend that we need to update software packages installed on several machines due to security patches. Let's name the task as 'performSoftwareUpdate()':<source lang="python"># to perform software update on remote workerdef performSoftwareUpdate():~~ ~~status = run('yum update -y')~~ ~~print(status)~~tree

</source>

: ~~Do a syntax check with~~ Run the "following two fab ~~-l" command.: When you try to run it~~ commands, note the ~~same way as before, you encounter some issue as shown below~~results and compare their difference:<source lang="'bash"'>~~[rchan@centos7 lab8]$~~ fab ~~--fabfile=fabfile.py -H 192.168.122.169 performSoftwareUpdate[192.168.122.169] Executing task 'performSoftwareUpdate'[192.168.122.169] run: yum update -y[192.168.122.169] out: Loaded plugins: fastestmirror, langpacks[192.168.122.169] out: You need to be root to perform this command.[192.168.122.169] out:~~ ~~Fatal error: run() received nonzero return code 1 while executing!~~removePackage

~~Requested~~fab removePackage: ~~yum update -yExecuted: /bin/bash -l -c "yum update -y"~~ ~~Aborting.Disconnecting from 192.168.122.169... done.~~tree

</source>

: As you already know, you need superuser privilege in order to perform software update on a Linux system. There are two ways to do it on Fabric. The first one is simple. Edit you fabfile.py and change the env.user line as shown below:<source lang="python">

~~env.user = 'root'~~

== Part 2: Create remote task for updating rpm packages ==

: Add a new function called "updatePackage" to your fabfile.py according to the following requirements:

:* Accept optional function argument as the rpm package name

:* If no function argument was given when called, default to all the packages installed

: The output of the updatePackage when executed, should produce similar output as shown below:

:1. Update a single package:<source lang='bash'>

fab updatePackage:tree

</source>

: ~~Save the fabfile~~Sample output:<source lang='bash'>[raymond.~~py with the change and run it again~~chan@mtrx-node05pd lab8]$ fab updatePackage:tree[myvmlab.senecacollege.ca] Executing task 'updatePackage'[myvmlab.senecacollege.ca] sudo: yum update tree -y[myvmlab.senecacollege.ca] out: ~~If you see the~~ sudo password ~~prompt again, make sure that you can ssh~~ :[myvmlab.senecacollege.ca] out: Loaded plugins: fastestmirror[myvmlab.senecacollege.ca] out: Loading mirror speeds from ~~your controller as a regular user to your worker vm as root without password~~cached hostfile[myvmlab.senecacollege.ca] out: * base: less.cogeco.net[myvmlab.senecacollege.ca] out: * extras: centos.mirror.ca.planethoster.net[myvmlab.senecacollege.ca] out: * updates: less.cogeco.net[myvmlab.senecacollege.ca] out: ~~The other way is to replace all the run() function calls~~ No packages marked for ~~commands that need superuser privilege by the sudo() function calls in your fabfile~~update[myvmlab.~~py. You are asked to investigate this in the final investigation of this lab~~senecacollege.ca] out:

~~== Part 3~~Loaded plugins: ~~Setting and Checking Security Configuration ==~~fastestmirrorLoading mirror speeds from cached hostfile * base: less.cogeco.net * extras: centos.mirror.ca.planethoster.net * updates: less.cogeco.netNo packages marked for update

Done.Disconnecting from myvmlab.senecacollege.ca: ~~Recall that in our OPS courses we've been using iptables instead of firewalld, which is installed by default in CentOS~~7200.. ~~Let's make sure that our workers have that set up as well~~. ~~In the same '''fabfile~~done.~~py''' you've been using all along, add a new function like this:~~ ~~: <source lang="python"># Will uninstall firewalld and replace it with iptablesdef setupFirewall():~~ ~~run("yum -y -d1 remove firewalld")~~ ~~run("yum~~ [raymond.chan@mtrx-~~y -d1 install iptables-services")~~ ~~run("systemctl enable iptables")~~ ~~run("systemctl start iptables")~~node05pd lab8]$

</source>

: ~~That should by now look pretty obvious. On the worker you're going to uninstall firewalld, install iptables, and make sure that the iptables service is running~~2. ~~: Execute the function for worker1 and double-check that it worked.~~Update all installed package: <~~font color~~source lang='red'>'''**Warning**bash'~~'' </font~~>~~Do not do this on your vm on myvmlab. If you do, you may lock yourself out for good.~~ ~~=== Check firewall configuration ===~~ fab updatePackage: To check your firewall configuration your remote worker, you can retrieve its current configuration by creating another Fabric task called "getFirewallConfigure(). Let's put the following code to your fabfile.py:<source lang="python">~~def getFirewallConfig():~~ ~~fw_config = run("iptables -L -n -v")~~ ~~print(fw_config)~~

</source>

: The following output had been trimmed, only showing the first few lines:<source lang='bash'>

[myvmlab.senecacollege.ca] Executing task 'updatePackage'

[myvmlab.senecacollege.ca] sudo: yum update -y

[myvmlab.senecacollege.ca] out: sudo password:

[myvmlab.senecacollege.ca] out: Loaded plugins: fastestmirror

[myvmlab.senecacollege.ca] out: Loading mirror speeds from cached hostfile

[myvmlab.senecacollege.ca] out: * base: less.cogeco.net

[myvmlab.senecacollege.ca] out: * extras: centos.mirror.ca.planethoster.net

[myvmlab.senecacollege.ca] out: * updates: less.cogeco.net

...

Verifying : ~~Try to run the getFirewallConfig() task the same way as before~~systemd-219-73.el7_8.5.x86_64 53/54 Verifying : ~~Troubleshoot if you encounter any issue~~systemd-libs-219-73.el7_8.5.x86_64 54/54

~~= INVESTIGATION~~ Removed: kernel.x86_64 0:3~~: Multiplying your work =~~.10.0-862.el7

Installed: ~~After completing all the previous parts of the lab~~ kernel.x86_64 0:3.10.0- ~~you should have a working fabfile~~1127.~~py with three working functions: getDiskUsage(), performSoftwareUpdate() and getFirewallConfig()~~13.1.el7

~~'''** Optional **'''You were asked to test them on worker1~~Updated: bind-export-libs.x86_64 32:9.11.4-16.P2.el7_8.6 binutils.x86_64 0:2.27-43.base.el7_8.1 ca-certificates.noarch 0:2020.2.41-70.0.el7_8 device-mapper.x86_64 7:1.02.164-7.el7_8.2 device-mapper-event.x86_64 7:1.02.164-7.el7_8.2 device-mapper-event-libs.x86_64 7:1.02.164-7.el7_8.2 device-mapper-libs.x86_64 7:1.02.164-7.el7_8.2 kernel-tools.x86_64 0:3.10.0-1127.13.1.el7 kernel-tools-libs.x86_64 0:3.10.0-1127.13.1.el7 lvm2.x86_64 7:2.02.186-7.el7_8.2 lvm2-libs.x86_64 7:2.02.186-7.el7_8.2 microcode_ctl.x86_64 2:2.1-61.10.el7_8 net-snmp.x86_64 1:5.7.2-48.el7_8.1 net-snmp-agent-libs.x86_64 1:5.7.2-48.el7_8.1 net-snmp-libs.x86_64 1:5.7.2-48.el7_8.1 net-snmp-utils.x86_64 1:5.7.2-48.el7_8.1 ntp.x86_64 0:4.2.6p5-29.el7.centos.2 ntpdate.x86_64 0:4.2.6p5-29.el7.centos.2 python-perf.x86_64 0:3.10.0-1127.13.1.el7 rsyslog.x86_64 0:8.24.0-52.el7_8.2 selinux-policy.noarch 0:3.13.1-266.el7_8.1 selinux-policy-targeted.noarch 0:3.13.1-266.el7_8.1 systemd.x86_64 0:219-73. ~~Now let's run these three functions on all your workers at the same time~~el7_8. ~~The command is almost the same, except for the list of IP addresses~~8 systemd-libs.x86_64 0:219-73.el7_8.8 systemd-sysv.x86_64 0:219-73.el7_8.8 yum-plugin-fastestmirror.noarch 0:1.1.31-54.el7_8

~~<source lang="bash">fab --fabfile=fabfile.py -H 192.168.122.169,192.168.122.170,192.168.122.171,192.168.122.172 getDiskUsage</source>~~Complete!

~~: Again - your IP addresses will be different but the command will be the same~~Done. ~~: You can also run all three tasks on all the workers at the same time, by adding any task to your fabfile~~Disconnecting from myvmlab.senecacollege.~~py:<source lang="python">def doAllThree():~~ ~~getDiskUsage()~~ ~~getFirewallConfig()~~ ~~performSoftwareUpdate()</source>~~ca: ~~And run the following command on your controller:~~ ~~<source lang="bash">fab --fabfile=fabfile.py -H 192.168.122.169,192.168.122.170,192.168.122.171,192~~7200.~~168~~.~~122~~.~~172 doAllThree</source>~~ ~~And imagine that you might have 10 tasks to be~~ done ~~on 10, 50, 100 servers - could you do it without the automation?~~ ~~= INVESTIGATION 4 - Apply fabfile.py to your VM on myvmlab === Replace run() function calls with sudo() ==: Since your account on your vm on myvmlab is a regular user with sudo privilege. You need to make the following changes to your fabfile~~.~~py before applying it to your vm on myvmlab::* Change env~~[raymond.~~user from 'root' to your account on your vm in myvmlab.~~:* Change all the commands that need super user privilege from calling the run() function to instead calling the sudo() function. Here is an example on replacing run() with sudo():<source lang="python"> ~~def getFirewallConfig():~~ ~~fw_config = sudo("iptables~~ chan@mtrx-~~L -n -v")~~ ~~print(fw_config)~~node05pd lab8]$

</source>

= Lab Exercise: ~~Test your updated fabfile.py until you get the same result as when you apply it to your own worker VM.~~ == Create a Fabric task called makeUser() ==: Study the Fabric API run(), sudo(), and put() and utilize them to create a new task called makeUser()

: The makeUser() function should perform the following:

::* create a new user called "ops435p" with home directory "/home/ops435p".::* add it to the sudo group called "wheel". ::* ~~add~~ ask your professor's for a ssh public key and add it to the file named "authorized_keys" in the ~ops435p/.ssh directory. Make sure that you set the proper permissions on both the directory ~ops435p/.ssh and the file "~ops435p/.ssh/authorized_keys.

:Add the makeUser() to your final version of fabfile.py.

:~~Test~~ Run the new task makeUser() on your ~~local~~ VM ~~first, and deploy to your vm on myvmlab~~.:~~After the successful deployment of the~~ Verify and confirm that your new makeUser() task ~~on your vm on myvmlab, ask your professor to verify and confirm that the new user account "ops435p" on myvmlab has been created~~ is working correctly.

= LAB 8 SIGN-OFF (SHOW INSTRUCTOR) =

:~~'''Have Ready to Show Your Instructor:'''~~* Complete all the parts of the lab and upload the version of your fabfile.py ~~which works on your vm on myvmlab~~ to Blackboardby the due date.

[[Category:OPS435-Python]][[Category:rchan]]

Rchan

1,760

edits

Changes

OPS435 Python3 Lab 8

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

get involved with CDOT

courses

course projects

links

Tools