Open essie-chiang opened 9 months ago
Oct 3
login with ssh-private-key 600 or 400 https://docs.rackspace.com/docs/logging-in-with-an-ssh-private-key-on-linuxmac
ocpadmin add to wheel group https://linuxconcept.com/how-to-create-a-sudo-user-on-rhel-red-hat-enterprise-linux-operating-system/
Problem: sudo keeps rejecting the password as incorrect.
Workaround https://developers.redhat.com/blog/2018/08/15/how-to-enable-sudo-on-rhel
Following the Red Hat doc, configured sudo so that no password is required each time.
Further troubleshooting
Possibly caused by sudo permissions or other configuration https://cloud.tencent.com/developer/article/1400857
Then changed the other two machines and found the password was fine there. Updated the bastion node's password again and it suddenly started working... The workaround is still worth keeping in case this strange problem comes back...
```bash
mkdir /home/ocpadmin/.ssh
cp /root/.ssh/authorized_keys /home/ocpadmin/.ssh
chown -R ocpadmin: ~ocpadmin/.ssh
chmod 700 ~ocpadmin/.ssh
chmod 600 ~ocpadmin/.ssh/authorized_keys
```
In /etc/ssh/sshd_config:
```
PasswordAuthentication no
```
```
Activate the web console with: systemctl enable --now cockpit.socket

Register this system with Red Hat Insights: insights-client --register
Create an account or view all your systems at https://red.ht/insights-dashboard
Last login: Wed Oct 4 08:32:16 2023 from 10.242.0.45
```
Can this be disabled?
If it is really not needed it can be removed with `rm -f /etc/issue.d/cockpit.issue /etc/motd.d/cockpit`; not tried yet.
Or install Cockpit and try it?
https://cockpit-project.org/running
Web server 1 already has a 25G device; create a filesystem on it and mount it https://www.scaleway.com/en/docs/storage/block/how-to/mount-and-use-volume/
fstab entry:
```bash
sudo bash -c 'echo "UUID=$(blkid --output value /dev/vdd | head -n1) /data ext4 defaults 0 0" >> /etc/fstab'
```
https://access.redhat.com/solutions/5324121
https://mirror.openshift.com/pub/openshift-v4/clients/ocp/latest/
Step 1: Install Apache (httpd)
You can install Apache (httpd) using the package manager. On Red Hat-based systems like RHEL, you can use yum:
```bash
sudo yum install httpd
```
Step 2: Start and Enable Apache
Start the Apache service and enable it to start automatically at boot:
```bash
sudo systemctl start httpd
sudo systemctl enable httpd
```
Step 3: Create the HTML Directory and Page
Create a directory on /data where you'll store your HTML files. You can name it, for example, webcontent:
```bash
sudo mkdir -p /data/webcontent
```
Create an HTML file with the content you want. For example, you can use the following command to create an index.html file:
```bash
echo "Welcome to Apache web server on web server1!" | sudo tee /data/webcontent/index.html
```
Step 4: Configure Apache
Create a new Apache configuration file for your website. Check where the default DocumentRoot is set:
```bash
sudo grep -iR DocumentRoot /etc/httpd/
```
```
/etc/httpd/conf/httpd.conf:# DocumentRoot: The directory out of which you will serve your
/etc/httpd/conf/httpd.conf:DocumentRoot "/var/www/html"
/etc/httpd/conf/httpd.conf: # access content that does not live under the DocumentRoot.
/etc/httpd/conf/httpd.conf
```
Does the following step take effect? `sudo nano /etc/httpd/conf.d/mywebsite.conf`
In the configuration file, add the following content:
```apache
<VirtualHost *:80>
    DocumentRoot /data/webcontent
    ServerName webserver1.example.com
</VirtualHost>
```
Replace webserver1.example.com with your server's actual hostname or domain name. This configuration tells Apache to serve content from the /data/webcontent directory.
Save the file and exit the text editor.
Step 5: Allow Apache Through the Firewall
If you have a firewall enabled, make sure to allow HTTP traffic through:
```bash
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --reload
```
Step 6: Test Apache
Restart Apache to apply the configuration changes:
```bash
sudo systemctl restart httpd
```
Step 7: Access Your Website
You can now access your Apache web server in a web browser by entering your server's hostname or IP address. You should see the "Welcome to Apache web server on web server1!" message from the index.html file you created.
For example, if your server's IP address is 192.168.1.100, you can access it by entering http://192.168.1.100 in a web browser.
That's it! You've successfully installed and configured Apache to serve a static HTML page from a directory on /data.
```
[ocpadmin@web-server-1-zwvof9pw srv]$ sudo systemctl restart httpd
Job for httpd.service failed because the control process exited with error code.
See "systemctl status httpd.service" and "journalctl -xeu httpd.service" for details.
```
```bash
tail /var/log/audit/audit.log
tail -n 100 /var/log/messages
```
In /var/log/messages, find the failed httpd command and run `sealert -l a9593449-ba1a-4348-88e9-a9f97995056c`; it shows more detail on the error... the httpd directory lacks permission.
```
SELinux is preventing /usr/sbin/httpd from write access on the directory httpd.

***** Plugin httpd_write_content (92.2 confidence) suggests ***************

If you want to allow httpd to have write access on the httpd directory
Then you need to change the label on 'httpd'
Do
# semanage fcontext -a -t httpd_sys_rw_content_t 'httpd'
# restorecon -v 'httpd'

***** Plugin catchall_boolean (7.83 confidence) suggests ******************

If you want to allow httpd to unified
Then you must tell SELinux about this by enabling the 'httpd_unified' boolean.
Do
setsebool -P httpd_unified 1

***** Plugin catchall (1.41 confidence) suggests **************************

If you believe that httpd should be allowed write access on the httpd directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'httpd' --raw | audit2allow -M my-httpd
# semodule -X 300 -i my-httpd.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                unconfined_u:object_r:httpd_sys_content_t:s0
Target Objects                httpd [ dir ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          web-server-1-zwvof9pw
Source RPM Packages           httpd-2.4.51-7.el9_0.5.x86_64
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-34.1.29-1.el9_0.3.noarch
Local Policy RPM              selinux-policy-targeted-34.1.29-1.el9_0.3.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     web-server-1-zwvof9pw
Platform                      Linux web-server-1-zwvof9pw 5.14.0-70.50.2.el9_0.x86_64 #1 SMP PREEMPT Wed Mar 15 20:04:37 EDT 2023 x86_64 x86_64
Alert Count                   1
First Seen                    2023-10-04 10:55:40 EDT
Last Seen                     2023-10-04 10:55:40 EDT
Local ID                      a9593449-ba1a-4348-88e9-a9f97995056c

Raw Audit Messages
type=AVC msg=audit(1696431340.512:7941): avc:  denied  { write } for  pid=49295 comm="httpd" name="httpd" dev="vdd" ino=262146 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=0
```
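The AVC line under "Raw Audit Messages" is the part worth reading before running any of sealert's suggested fixes. As an added example (not part of the notes and not sealert's own code), the following shell functions pull the fields out of such a line, summarise which domain was denied which permission on which object label, and give a defender-side hint for the two situations the notes ran into (httpd writing into read-only content, and content under a non-standard path still labeled `default_t`). The sample line is the page's own denial; `avc_get`, `avc_perm`, `avc_summary` and `avc_hint` are names chosen here.

```shell
#!/usr/bin/env bash
# Added example (not from the notes or from sealert): parse a raw SELinux AVC
# denial, as printed by sealert, `ausearch -m AVC -ts recent` or
# /var/log/audit/audit.log, into a summary and a hint.

# avc_get LINE FIELD -> value of FIELD (quotes stripped), empty if absent
avc_get() {
  printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perm LINE -> the permission(s) inside "denied { ... }", e.g. "write"
avc_perm() {
  printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*\)}.*/\1/p' | sed 's/[[:space:]]*$//'
}

# avc_type CONTEXT -> the type component (third field) of an SELinux context
avc_type() { printf '%s\n' "$1" | cut -d: -f3; }

# avc_summary LINE -> "<source type> <perm> <class> <object> labeled <target type>"
avc_summary() {
  [ -n "$(avc_perm "$1")" ] || { echo "not an AVC denial" >&2; return 1; }
  printf '%s %s %s %s labeled %s\n' \
    "$(avc_type "$(avc_get "$1" scontext)")" "$(avc_perm "$1")" \
    "$(avc_get "$1" tclass)" "$(avc_get "$1" name)" \
    "$(avc_type "$(avc_get "$1" tcontext)")"
}

# avc_hint LINE -> what to check; only the two cases from the notes are
# recognised, everything else defers to sealert.
avc_hint() {
  key="$(avc_type "$(avc_get "$1" scontext)"):$(avc_perm "$1"):$(avc_type "$(avc_get "$1" tcontext)")"
  case "$key" in
    httpd_t:write:httpd_sys_content_t)
      echo "httpd tried to write inside read-only web content: keep writable paths (logs, uploads) out of DocumentRoot, e.g. logs under /var/log/httpd, or label that one directory httpd_sys_rw_content_t on purpose" ;;
    httpd_t:*:default_t)
      echo "content under a non-standard path is not labeled for httpd: semanage fcontext -a -t httpd_sys_content_t '<path>(/.*)?' then restorecon -Rv <path>" ;;
    *)
      echo "no canned hint for $key; run sealert -l <id> or ausearch -m AVC -ts recent" ;;
  esac
}

# Constructed sample: the denial from web server 1 as shown in the notes.
SAMPLE_AVC='type=AVC msg=audit(1696431340.512:7941): avc:  denied  { write } for  pid=49295 comm="httpd" name="httpd" dev="vdd" ino=262146 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=0'

if [ "${1:-}" = "--demo" ]; then
  avc_summary "$SAMPLE_AVC"   # httpd_t write dir httpd labeled httpd_sys_content_t
  avc_hint "$SAMPLE_AVC"
fi
```

Run it with `--demo`, or pipe real lines through `avc_summary` in a loop; the point is that the summary line ("httpd_t write dir ... labeled httpd_sys_content_t") already says the web content label is read-only by design, which is why the right fix on this page was to stop writing logs under the content tree rather than to relabel it `httpd_sys_rw_content_t` or load an audit2allow module.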
Final result
The summer-camp teachers helped look at it until nearly 11 pm; luckily they are on European time...
After removing the two log lines in the VirtualHost section, httpd starts. The "httpd path lacks permission" error should be about the log directory under /data/log/httpd.
Removed the VirtualHost block entirely and configured it with DocumentRoot instead.
The SELinux configuration cannot be copied from the doc verbatim: the doc uses /srv/example.com, so it has to be switched to the path actually used here, /data/www/example.com.
```bash
semanage fcontext -a -t httpd_sys_content_t "/data/www/example.com(/.*)?"   # note the recursive pattern
restorecon -Rv /data/www/example.com/
```
Why use 8080 instead of 80: pay attention to the inbound and outbound security group rules. The teacher was reluctant to say so because we were supposed to discover it ourselves... well, I just do not understand these things, so they had to tell me.
Although the Red Hat doc has steps for resolving the SELinux issue, for lack of knowledge the configuration still had some problems in the end... A good learning opportunity, la la.
Implement Permanent Firewall Rules to Allow Traffic on Ports 80 and 22
Open port 80:
```bash
sudo firewall-cmd --add-port=80/tcp --permanent
```
Open port 22:
```bash
sudo firewall-cmd --add-port=22/tcp --permanent
```
```bash
podman run --name podman-nginx -p 8080:80 -d -v /data/nginx/html:/usr/share/nginx/html nginx
scp nginx.tar ocpadmin@10.242.0.44:~
semanage fcontext -a -t httpd_sys_content_t "/data/nginx/html(/.*)?"
restorecon -Rv /data/nginx/html/
```
```
Relabeled /data/nginx/html from unconfined_u:object_r:default_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0
Relabeled /data/nginx/html/index.html from unconfined_u:object_r:default_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0
```
```bash
# firewall-cmd --permanent --add-port={80/tcp,443/tcp}
sudo firewall-cmd --permanent --add-port=8080/tcp
# firewall-cmd --reload
```
None of the above worked.
```bash
chcon -Rt svirt_sandbox_file_t /data/nginx/html/
```
==== In the end, with a classmate's help: `podman run --name podman-nginx -p 8080:80 -d -v /data/nginx/html:/usr/share/nginx/html:Z nginx`, and the mounted path and files were all set to 755 permissions.
```bash
podman exec n1 service nginx status
podman exec n1 service nginx start
podman run -it -d --name n1 -p 8080:80 nginx /bin/bash
```
17) Rootless containers exit once the user session exits
You need to set lingering mode through loginctl to prevent user processes from being killed once the user session ends.
Symptom: once the user logs out, all the containers exit.
Solution: you'll need to run
```bash
loginctl enable-linger $UID
```
This still needs to be set up as a systemd unit to restart after reboot. This Red Hat doc is golden: https://www.redhat.com/sysadmin/container-systemd-persist-reboot
In the role of a Unix sysadmin, you are asked to perform various tasks to access the systems and configure them to support the web server and load balancer setup. Good Luck!
The objective of this week's exercise is to put your Unix skills to the test.
Architecture of this exercise
Public Security Group Rules

Inbound:

| Protocol | Source Type | Source | Value |
|---|---|---|---|
| TCP | Any | 0.0.0.0/0 | Ports 22,80,443,9000 |
| ICMP | Any | 0.0.0.0/0 | Type: 8, Code: Any |
| All | Security Group | public-sg | - |

Outbound:

| Protocol | Source Type | Destination | Value |
|---|---|---|---|
| All | Any | 0.0.0.0/0 | - |

Private Security Group Rules

Inbound:

| Protocol | Source Type | Source | Value |
|---|---|---|---|
| TCP | IP Address | bastion-ip | Ports 22,8080,8443 |
| ICMP | Any | 0.0.0.0/0 | Type: 8, Code: Any |
| All | Security Group | private-sg | - |

Outbound:

| Protocol | Source Type | Destination | Value |
|---|---|---|---|
| All | Security Group | private-sg | - |
| All | CIDR block | 161.26.0.0/16 | - |
| All | CIDR block | 166.9.0.0/16 | - |

| Host | Private IP | Public IP |
|---|---|---|
| Bastion | 10.242.0.45 | 158.175.183.249 |
| Web server 1 | 10.242.0.46 | - |
| Web server 2 | 10.242.0.44 | - |
1. On all servers create user ocpadmin; this user must be able to log in and have sudo privileges to run commands as user root.
```bash
adduser ocpadmin
passwd ocpadmin
# add to wheel group to get sudo privilege
usermod -aG wheel ocpadmin
su - ocpadmin
sudo whoami
# output: root
```
/etc/sudoers:
```
## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL

## Same thing without a password (if both lines are active, the last match wins)
%wheel ALL=(ALL) NOPASSWD: ALL
```
How to configure SSH key-based authentication on a Linux server? First check the environment: from the bastion node to ws1 and ws2 there is no password prompt, so it is already SSH key-based authentication.
```bash
# on bastion node
ls /root/.ssh/
authorized_keys  id_rsa  id_rsa.pub  known_hosts  known_hosts.old
```
Check SSH public key is not for root user only, it can be used for ocpadmin user.
The SSH client will not recognize private keys that are not kept in restricted directories. The key itself must also have restricted permissions (read and write only available for the owner). This means that other users on the system cannot snoop.
```bash
mkdir /home/ocpadmin/.ssh
cp /root/.ssh/authorized_keys /home/ocpadmin/.ssh
chown -R ocpadmin: ~ocpadmin/.ssh
chmod 700 ~ocpadmin/.ssh
chmod 600 ~ocpadmin/.ssh/authorized_keys
```
Changing the /etc/ssh/sshd_config parameter to `PasswordAuthentication no` closes password login to this node.
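The five commands above plus the sshd_config change are the whole procedure, and the permissions are what sshd's StrictModes actually checks before it trusts the key file. As an added example (not the author's commands), the functions below do the same provisioning with a restrictive umask so the files are never world-readable even briefly, then verify the resulting modes and confirm that password login is really off. `provision_ssh_dir`, `check_ssh_perms` and `password_auth_disabled` are names chosen here; the owner argument is left empty so the demo can run without root.

```shell
#!/usr/bin/env bash
# Added example (not the author's commands): provision ~/.ssh for a new admin
# user with the permissions sshd's StrictModes expects, then verify them.
#   $1 = source authorized_keys file   $2 = target home directory
#   $3 = owner user (empty string skips chown so this runs unprivileged)
provision_ssh_dir() {
  src="$1"; home="$2"; owner="$3"
  (
    umask 077                       # files are created owner-only from the start
    mkdir -p "$home/.ssh"
    cp "$src" "$home/.ssh/authorized_keys"
  ) || return 1
  chmod 700 "$home/.ssh"
  chmod 600 "$home/.ssh/authorized_keys"
  if [ -n "$owner" ]; then chown -R "$owner:" "$home/.ssh" || return 1; fi
}

# Returns 0 when ~/.ssh is 0700 and authorized_keys is 0600 or 0400; anything
# looser makes sshd ignore the key file (and lets other local users read it).
check_ssh_perms() {
  home="$1"
  dmode=$(stat -c '%a' "$home/.ssh") || return 1
  fmode=$(stat -c '%a' "$home/.ssh/authorized_keys") || return 1
  [ "$dmode" = "700" ] || { echo "bad mode $dmode on $home/.ssh"; return 1; }
  case "$fmode" in
    600|400) ;;
    *) echo "bad mode $fmode on $home/.ssh/authorized_keys"; return 1 ;;
  esac
}

# Returns 0 when the sshd_config at $1 has an active (uncommented)
# "PasswordAuthentication no", i.e. password logins are closed.
password_auth_disabled() {
  grep -Eiq '^[[:space:]]*PasswordAuthentication[[:space:]]+no([[:space:]]|$)' "$1"
}

# Constructed demo (no real key material): run against a temporary home.
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d)
  echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyNotReal demo@example" > "$tmp/keys"
  provision_ssh_dir "$tmp/keys" "$tmp/home" ""
  check_ssh_perms "$tmp/home" && echo "permissions OK"
  rm -rf "$tmp"
fi
```

On the real host the call is `provision_ssh_dir /root/.ssh/authorized_keys /home/ocpadmin ocpadmin` as root, followed by `check_ssh_perms /home/ocpadmin`; keep a second session open while testing `PasswordAuthentication no` so a broken key setup cannot lock you out.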
Access web server 1 and configure the extra 25 GB disk so that you can use it to host your data. You will need to configure it and mount it on /data, which will be where you store your data for these exercises.
```
$ lsblk
NAME   MAJ:MIN RM  SIZE RO TYPE MOUNTPOINTS
vda    252:0    0  100G  0 disk
├─vda1 252:1    0    1M  0 part
├─vda2 252:2    0  200M  0 part /boot/efi
├─vda3 252:3    0  500M  0 part /boot
└─vda4 252:4    0 99.3G  0 part /
vdb    252:16   0  392K  0 disk
vdc    252:32   0   44K  0 disk
vdd    252:48   0   25G  0 disk
```
Use /dev/vdd, as it is the storage specified.
```bash
mkfs.ext4 /dev/vdd
```
```
$ lsblk -f
NAME   FSTYPE  FSVER            LABEL      UUID                                 FSAVAIL FSUSE% MOUNTPOINTS
vda
├─vda1
├─vda2 vfat    FAT16                       7B77-95E7                            192.8M     3% /boot/efi
├─vda3 xfs                      boot       02a3ca57-ae22-421e-9fe3-46915c463837   354M    28% /boot
└─vda4 xfs                      root       c5dd534b-5287-4106-942a-30c01582770d  96.3G     3% /
vdb    iso9660 Joliet Extension cidata     2023-10-03-05-03-00-00
vdc    swap    1                SWAP-xvdb1 dcba601c-44ab-4dc0-ad7f-5cbf8cd3870e
vdd    ext4    1.0                         e6d1f00b-eba9-46b3-b3f7-18f1f52ba78c  23.2G     0%
```
```bash
sudo mkdir /data
sudo mount -o defaults /dev/vdd /data
```
With the current configuration, the block device will not be mounted automatically on reboot. Use the fstab file to make sure a reboot does not affect your filesystem.
Add this line to the /etc/fstab file of your instance (the Scaleway doc uses /dev/sda and /mnt/block-volume; on web server 1 the device is /dev/vdd and the mount point is /data):
```bash
sudo bash -c 'echo "UUID=$(blkid --output value /dev/vdd | head -n1) /data ext4 defaults 0 0" >> /etc/fstab'
```
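The `echo ... >> /etc/fstab` line works once, but running it twice leaves a duplicate entry, and a mistyped UUID or mount point in fstab is the classic way to land in emergency mode on the next boot. As an added example (not from the notes or the Scaleway doc), this function adds the entry by UUID only if neither that UUID nor that mount point is already present, and refuses obviously malformed input; `fstab_add` and `fstab_count` are names chosen here, and the UUIDs in the demo are the ones from the `lsblk -f` output above.

```shell
#!/usr/bin/env bash
# Added example (not from the notes or the Scaleway doc): add an fstab entry
# by UUID exactly once, refusing duplicates and malformed input.
#   $1 = fstab path   $2 = filesystem UUID   $3 = mount point   $4 = fstype (ext4)
fstab_add() {
  fstab="$1"; uuid="$2"; mnt="$3"; fstype="${4:-ext4}"
  case "$uuid" in
    [0-9a-fA-F]*-[0-9a-fA-F]*-[0-9a-fA-F]*-[0-9a-fA-F]*-[0-9a-fA-F]*) ;;
    *) echo "refusing: '$uuid' does not look like a UUID" >&2; return 1 ;;
  esac
  case "$mnt" in
    /*) ;;
    *) echo "refusing: mount point must be an absolute path" >&2; return 1 ;;
  esac
  [ -f "$fstab" ] || : > "$fstab"
  # An active (uncommented) line for this UUID already exists: idempotent no-op.
  if grep -Eq "^[^#]*UUID=$uuid[[:space:]]" "$fstab"; then
    echo "UUID=$uuid already present in $fstab, nothing to do"
    return 0
  fi
  # Same mount point with a different device would shadow one filesystem.
  if grep -Eq "^[^#]*[[:space:]]$mnt[[:space:]]" "$fstab"; then
    echo "refusing: $mnt is already a mount point in $fstab" >&2
    return 1
  fi
  # "0 0": no dump, no fsck ordering; same fields as the line used in the notes.
  printf 'UUID=%s %s %s defaults 0 0\n' "$uuid" "$mnt" "$fstype" >> "$fstab"
}

# Number of active entries for a UUID in an fstab file; 1 is the healthy answer.
#   $1 = UUID   $2 = fstab path
fstab_count() {
  grep -Ec "^[^#]*UUID=$1[[:space:]]" "$2"
}

# On web server 1 (as root), using the UUID read from the device:
#   fstab_add /etc/fstab "$(blkid -s UUID -o value /dev/vdd)" /data
# then `mount -a` to prove the line mounts cleanly before rebooting.
```

Running `mount -a` right after editing fstab is the cheap check that the entry is parseable and the device exists; a failure there is much easier to fix than the same failure at boot.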
https://access.redhat.com/solutions/5324121
https://mirror.openshift.com/pub/openshift-v4/clients/ocp/latest/
```bash
sudo yum install httpd
sudo systemctl start httpd
sudo systemctl enable httpd
```
Configure /etc/httpd/conf/httpd.conf.
Note that the listen port must be changed from 80 to 8080, because the security group inbound rule only allows 8080 from the bastion IP.
```apache
DocumentRoot "/data/www/example.com"
Listen 8080
<Directory "/data/www/example.com">
    # Indexes enables directory listings; drop it if only index.html should be served
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
```
```bash
sudo mkdir -p /data/www/example.com/
# write own index.html
echo "Welcome to Apache web server on web server1!" | sudo tee /data/www/example.com/index.html
```
Allow Apache through the firewall:
```bash
sudo firewall-cmd --permanent --add-service=http
# for the port actually used: sudo firewall-cmd --add-port=8080/tcp --permanent
sudo firewall-cmd --reload
```
From the RHEL 9 doc:
```bash
semanage fcontext -a -t httpd_sys_content_t "/data/www/example.com(/.*)?"   # note the recursive pattern
restorecon -Rv /data/www/example.com/
```
Test with `curl localhost:8080` on the web-server-1 node.
On web server 2, `sudo yum install podman` works.
But for Docker images, only the bastion node can `podman pull`. Why? Still because of the security group?
So the image must be mirrored through the bastion node.
```bash
# bastion node
podman pull docker.io/library/nginx:latest
podman save -o nginx.tar docker.io/library/nginx:latest
scp nginx.tar ocpadmin@10.242.0.44:~
# web server 2
podman load -i nginx.tar
podman ps
mkdir -p /data/nginx/html
chmod -R 755 /data/nginx/html
podman run --name podman-nginx -p 8080:80 -d -v /data/nginx/html:/usr/share/nginx/html:Z nginx
# --restart needs a value; even with it, a rootless container only comes back
# after a reboot through the systemd unit from the Red Hat doc
podman run --restart=always --name podman-nginx -p 8080:80 -d -v /data/nginx/html:/usr/share/nginx/html:Z docker.io/library/nginx
```
Need to test this part.
```bash
sudo firewall-cmd --permanent --add-port=8080/tcp
sudo firewall-cmd --reload
semanage fcontext -a -t httpd_sys_content_t "/data/nginx/html(/.*)?"
restorecon -Rv /data/nginx/html/
chcon -Rt svirt_sandbox_file_t /data/nginx/html/
```
Set linger mode so the container does not exit after logout:
```bash
loginctl enable-linger $UID
```
Install and configure a load balancer on your bastion server that forwards traffic to the web servers. It should "round-robin" the traffic. You should be able to hit your public IP address in a browser and see your Apache web server page. When you refresh the browser it should show your Nginx server page. Basically, it should toggle back and forth between the two pages. You should be able to use the standard HTTP ports (80/443) in the browser.
HAProxy
```bash
sudo yum install haproxy
rpm -qi haproxy
sudo cp /etc/haproxy/haproxy.cfg /etc/haproxy/haproxy.bak
sudo vi /etc/haproxy/haproxy.cfg
```
Configure /etc/haproxy/haproxy.cfg:
```
frontend load_balancer
    # plain HTTP on both ports; TLS would need "bind *:443 ssl crt /path/to/cert.pem"
    bind *:443
    bind *:80
    default_backend webservers

backend webservers
    balance roundrobin
    server web-1 10.242.0.46:8080 check
    server web-2 10.242.0.44:8080 check
```
```bash
sudo setsebool -P haproxy_connect_any 1
sudo systemctl start haproxy
sudo systemctl enable haproxy
sudo firewall-cmd --add-port=80/tcp --permanent
sudo firewall-cmd --reload
```
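The exercise's acceptance test is "refresh the browser and the page toggles between Apache and Nginx". As an added example (not from the notes), this script automates that check: it calls a fetch command N times, classifies each body as the Apache page from web server 1 or the Nginx page from web server 2, and passes only when the sequence strictly alternates, which is what `balance roundrobin` with two healthy backends produces. A `?` in the sequence means a request returned neither page, usually because a `check` failed and HAProxy took that server out of rotation. `rr_sequence`, `rr_is_alternating` and the offline stand-in `fake_fetch` are names chosen here; on the bastion the fetch command would be `curl -s http://localhost/`.

```shell
#!/usr/bin/env bash
# Added example (not from the notes): verify that the load balancer really
# alternates between the Apache backend and the Nginx backend.
#   $1 = command that prints one page body   $2 = number of requests
rr_sequence() {
  cmd="$1"; n="$2"; i=0; out=""
  while [ "$i" -lt "$n" ]; do
    body=$($cmd) || body=""
    case "$body" in
      *Apache*)        out="${out}A" ;;   # the index.html written on web server 1
      *nginx*|*Nginx*) out="${out}N" ;;   # nginx default page or a custom one
      *)               out="${out}?" ;;   # empty or unknown body: backend down?
    esac
    i=$((i + 1))
  done
  printf '%s\n' "$out"
}

# rr_is_alternating SEQ -> 0 when no backend answered twice in a row and every
# request was classified; otherwise 1.
rr_is_alternating() {
  case "$1" in
    "" | *"?"* | *AA* | *NN*) return 1 ;;
  esac
  return 0
}

# Constructed stand-in for curl so the check runs offline: alternates the two
# page texts using a counter file. Replace with a real fetch on the bastion.
fake_fetch() {
  f="${RR_COUNTER_FILE:-/tmp/rr_counter.$$}"
  c=$(cat "$f" 2>/dev/null || echo 0)
  echo $((c + 1)) > "$f"
  if [ $((c % 2)) -eq 0 ]; then
    echo "Welcome to Apache web server on web server1!"
  else
    echo "Welcome to nginx!"
  fi
}

if [ "${1:-}" = "--demo" ]; then
  got=$(rr_sequence fake_fetch 6)          # expected: ANANAN
  rr_is_alternating "$got" && echo "round-robin OK: $got"
  rm -f "${RR_COUNTER_FILE:-/tmp/rr_counter.$$}"
fi
```

Replacing `fake_fetch` with a one-line function around `curl -s --max-time 2 http://localhost/` turns this into a real smoke test for the bastion; a run that prints `AAAA` means HAProxy is only seeing one backend, which on this page pointed at the private security group and the 8080 listen port rather than at HAProxy itself.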
```bash
# loginctl show-user ocpadmin | grep ^Linger
Linger=no
# loginctl enable-linger ocpadmin
# loginctl show-user ocpadmin | grep ^Linger
Linger=yes
```
From the Red Hat article linked above (user webuser, container httpd):
```
$ podman generate systemd --new --files --name httpd
/home/webuser/container-httpd.service
$ ls
container-httpd.service
$ cat container-httpd.service
# container-httpd.service
# autogenerated by Podman 4.3.1
# Wed Feb 1 16:06:04 -03 2023

[Unit]
Description=Podman container-httpd.service
Documentation=man:podman-generate-systemd(1)
Wants=network-online.target
After=network-online.target
RequiresMountsFor=%t/containers

[Service]
Environment=PODMAN_SYSTEMD_UNIT=%n
Restart=on-failure
TimeoutStopSec=70
ExecStartPre=/bin/rm \
    -f %t/%n.ctr-id
ExecStart=/usr/bin/podman run \
    --cidfile=%t/%n.ctr-id \
    --cgroups=no-conmon \
    --rm \
    --sdnotify=conmon \
    --replace \
    --name=httpd \
    --hostname=httpd \
    -p 8081:80 \
    -v /var/local/httpd:/usr/local/apache2/htdocs:Z \
    -d docker.io/library/httpd
ExecStop=/usr/bin/podman stop \
    --ignore -t 10 \
    --cidfile=%t/%n.ctr-id
ExecStopPost=/usr/bin/podman rm \
    -f \
    --ignore -t 10 \
    --cidfile=%t/%n.ctr-id
Type=notify
NotifyAccess=all

[Install]
WantedBy=default.target
```
```bash
podman stop podman-nginx && podman rm -a && podman volume prune
```
```
httpd
```
```bash
podman generate systemd --new --files --name podman-nginx
```
```
/home/ocpadmin/container-podman-nginx.service
```
```bash
$ mkdir -p ~/.config/systemd/user/
$ cp -Z container-podman-nginx.service ~/.config/systemd/user/
$ ls ~/.config/systemd/user/
container-podman-nginx.service
$ systemctl --user daemon-reload
$ systemctl --user start container-podman-nginx.service
$ systemctl --user status container-podman-nginx.service
$ systemctl --user enable container-podman-nginx.service
```
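Before copying a generated unit into `~/.config/systemd/user` it is worth checking the three things this page tripped over: the unit must be wanted by `default.target` (otherwise `systemctl --user enable` does nothing at boot), it should carry a `Restart=` policy, and a bind mount of the content directory needs the `:Z` relabel or SELinux denies the container access to it. As an added example (not from the notes or the Red Hat article), the functions below perform those checks and install the file; `unit_check`, `unit_install` and `linger_enabled` are names chosen here, and the demo unit in the test is a constructed copy of the `container-podman-nginx.service` shape shown above. `systemctl` and `loginctl` are not invoked by the checks, so they run anywhere.

```shell
#!/usr/bin/env bash
# Added example (not from the notes or the Red Hat article): sanity-check a
# `podman generate systemd --new` unit before installing it as a user unit,
# so a rootless container actually survives logout and reboot.
#   unit_check   UNIT_FILE           -> 0 if the unit looks right
#   unit_install UNIT_FILE DEST_DIR  -> checks, then copies it into DEST_DIR
#                                       (normally ~/.config/systemd/user)
unit_check() {
  u="$1"; rc=0
  [ -f "$u" ] || { echo "$u: no such file" >&2; return 1; }
  grep -q '^WantedBy=default.target' "$u" || {
    echo "$u: missing WantedBy=default.target; 'systemctl --user enable' would not start it at boot" >&2
    rc=1; }
  grep -q '^Restart=' "$u" || {
    echo "$u: no Restart= policy; a crashed container stays down" >&2
    rc=1; }
  # A bind mount without :Z (or :z) leaves the host files with a label the
  # container process type cannot read; the notes hit exactly this.
  if grep -q -- '-v ' "$u" && ! grep -Eq -- '-v [^ ]+:[zZ]' "$u"; then
    echo "$u: bind mount without :Z relabel; SELinux will deny the container access" >&2
    rc=1
  fi
  return $rc
}

unit_install() {
  src="$1"; dest="$2"
  unit_check "$src" || return 1
  mkdir -p "$dest" || return 1
  cp "$src" "$dest/" && chmod 644 "$dest/$(basename "$src")" || return 1
  echo "installed $(basename "$src") into $dest; next: systemctl --user daemon-reload && systemctl --user enable --now $(basename "$src")"
}

# linger_enabled USER -> 0 when loginctl reports Linger=yes, which keeps the
# user's systemd instance (and with it the container) alive after logout.
linger_enabled() {
  loginctl show-user "$1" 2>/dev/null | grep -q '^Linger=yes'
}
```

Usage on web server 2: `unit_install ~/container-podman-nginx.service ~/.config/systemd/user && linger_enabled ocpadmin || echo "run: loginctl enable-linger ocpadmin"`. Keeping the check separate from the install means a unit edited by hand later can be re-validated with `unit_check` alone.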
- [x] 2. On all servers create user ocpadmin; this user must be able to log in and have sudo privileges to run commands as user root.
- [x] 3. Access web server 1 and configure the extra 25 GB disk so that you can use it to host your data. You will need to configure it and mount it on /data, which will be where you store your data for these exercises.
- [x] 4. Install the OpenShift Command Line Interface (oc) and the OpenShift installer (openshift-install) on web server 1.
- [x] 5. Install and configure Apache web server (httpd) on web server 1. Make sure it serves up its content from a directory you create on /data. It should serve up a static HTML page that says Welcome to 's Apache web server!
- [x] 6. Install Podman on web server 2.
- [x] 7. Install and configure Nginx on web server 2. Run it as a rootless container. Make sure it serves up its content from a directory you create on /data. It should serve up a static HTML page that says Welcome to 's Nginx web server!
- [x] 8. Install and configure a load balancer on your bastion server that forwards traffic to the web servers. It should "round-robin" the traffic. You should be able to hit your public IP address in a browser and see your Apache web server page. When you refresh the browser it should show your Nginx server page. Basically, it should toggle back and forth between the two pages. You should be able to use the standard HTTP ports (80/443) in the browser.