Commit 347a0584 authored by Daniele Santoro's avatar Daniele Santoro

Release lab lesson 2

parent 5526b49d
* Exercise 04 - Generate and upload your SSH key
- Time :: 10 minutes
- Try by yourself and ask for support
- Give a hack when completed successfully
- Description :: If you do not already have one, generate an SSH key and save it on your laptop. Then move the key to the lab virtual machine in order to use public/private key authentication. Check that you are able to log in to the lab VM without typing your password.
* Solutions and Instructions
** Generate an ssh key
Generate an SSH key, for example using the following self-explaining command. Please replace the variables with:
- your unitn email
- your last name as in the unitn platform
- your name as in the unitn platform
The passphrase to protect your key is optional; this course is not about real-world security. My suggestion is to set up and use an ssh agent, but this is up to you.
You must back up (and be able to restore) your private key.
#+begin_src sh
ssh-keygen \
-t rsa \
-b 4096 \
-C "${EMAIL:=a@example.com} ${SNAME:=P. Liddell}, ${FNAME:=Alice W.}" \
-f "${EMAIL}.key"
#+end_src
If this is your first and only SSH key, you can use it as the default (on UNIX systems):
#+begin_src sh
mv -i "${EMAIL}.key" "${HOME}/.ssh/id_rsa"
#+end_src
On other systems (e.g. Windows) the default path may be different; try with [[https://www.scammell.co.uk/2017/09/18/ssh-keygen-best-practice-for-cmder/][this]] or store the keys in a place that is comfortable to use every time you log in to the lab VM.
If you do not have access to =ssh-keygen=, use any other tool that can generate an SSH key, then convert it into the OpenSSH RSA format and add the appropriate comment manually.
A quick and dirty check of the public key (assuming your name is not something like =Robert'); DROP TABLE students;--=) follows:
#+begin_src sh
grep -q "ssh-rsa [a-zA-Z0-9/=+]\+ ${EMAIL} ${SNAME}, ${FNAME}" "${EMAIL}.key.pub" \
&& echo OK || echo KO
#+end_src
Study the ssh command-line =-i= option and the =IdentityFile= config option a bit, in order to be able to use the key; optionally, you may set up your own SSH server to do some testing with the key using your own resources.
** Upload the key on the Lab VM
After checking its correctness, upload the public part of the key to the lab VM. There are multiple ways to do that.
*** Manually
Print the public part of the key so that you can copy it to the clipboard
#+begin_src sh
cat a@example.com.key.pub
#+end_src
SSH into the Lab VM
#+begin_src sh
ssh -p LAB_VM_PORT disi@LAB_VM_URL
#+end_src
Copy the public key and, using an editor, append it on a new line in the =~/.ssh/authorized_keys= file, then save and exit
#+begin_src sh
vim ~/.ssh/authorized_keys
#+end_src
*** Using a home-made trick
Use a combination of a =pipe=, =cat= and the =bash output redirect= to append the content of a file on your local machine to another file on the remote machine
#+begin_src sh
cat a@example.com.key.pub | ssh -p LAB_VM_PORT disi@LAB_VM_URL 'cat >> ~/.ssh/authorized_keys'
#+end_src
*** Using a proper SSH tool
Use the =ssh-copy-id= tool, which is smarter: it checks before adding the key, which is better than the previously proposed method
#+begin_src sh
ssh-copy-id -p LAB_VM_PORT -i ./a@example.com.key.pub disi@LAB_VM_URL
#+end_src
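The difference between the home-made trick and =ssh-copy-id= is that the latter refuses to add a key that is already present and keeps the file permissions sshd requires. The following added example (not part of the course material) reproduces that behaviour locally: it validates the public key line, appends it only once, and sets =~/.ssh= to 700 and =authorized_keys= to 600. The key in the test is a constructed sample, not a real key.

```shell
#!/bin/sh
# Added example: idempotent append of an OpenSSH public key to an
# authorized_keys file, mimicking what ssh-copy-id does for you.
# Usage: add_authorized_key <pubkey-file> <path/to/authorized_keys>
add_authorized_key() {
    pub="$1"
    auth="$2"
    # An OpenSSH public key line is "<type> <base64 blob> [comment]".
    # The comment is free text, so only the first two fields are checked.
    line=$(head -n 1 "$pub")
    type=$(printf '%s\n' "$line" | cut -d' ' -f1)
    blob=$(printf '%s\n' "$line" | cut -d' ' -f2)
    case "$type" in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "unsupported key type: $type" >&2; return 2 ;;
    esac
    printf '%s\n' "$blob" | grep -Eq '^[A-Za-z0-9+/]+=*$' \
        || { echo "malformed key body" >&2; return 2; }
    # sshd ignores authorized_keys when ~/.ssh or the file are group/world
    # writable (StrictModes), so fix the permissions while we are here.
    mkdir -p "$(dirname "$auth")"
    chmod 700 "$(dirname "$auth")"
    touch "$auth"
    chmod 600 "$auth"
    # Idempotency: the same key may carry a different comment, so compare
    # type and blob only, not the whole line.
    if awk -v t="$type" -v b="$blob" '$1==t && $2==b {found=1} END {exit !found}' "$auth"; then
        echo "already present"
        return 0
    fi
    printf '%s\n' "$line" >> "$auth"
    echo "added"
}
```

Run it against your own =.pub= file and a scratch directory first; a second run on the same key must report "already present" and leave a single line in the file.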
** Check that you can log in without password
Simply use the login command; the lab VM should no longer ask you for a password
#+begin_src sh
ssh -p LAB_VM_PORT disi@LAB_VM_URL
#+end_src
or in a more sophisticated, non-interactive way: =BatchMode=yes= makes ssh fail instead of prompting for a password when key authentication does not work, so you get KO rather than a prompt
#+begin_src sh
ssh -n -o BatchMode=yes -p LAB_VM_PORT disi@LAB_VM_URL true && echo OK || echo KO
#+end_src
If the SSH key is not in a default location, specify the path of its private part using the =-i= flag
#+begin_src sh
ssh -i a@example.com.key -p LAB_VM_PORT disi@LAB_VM_URL
#+end_src
* Exercise 05 - Setup an SSH tunnel and use it as a SOCKS proxy in a web browser
- Time :: 15 minutes
- 10 minutes: /Try by yourself and ask for support/
- Give a hack when completed successfully
- 5 minutes: /Cross check and Verify/
- Description :: Set up a browser to use an SSH-based SOCKS proxy tunnel. Create a tunnel from your laptop to the Lab VM. Finally verify that you, and only you, are able to reach your VM behind the firewall using this setup.
* Solutions and Instructions
** Configure a browser to use a socks proxy
This section depends heavily on your browser and even on your browser version; alternatively you can use an extension, see below.
*** Using a browser
The examples are for a modern version of Firefox.
We need another variable; it is up to you to select a value in the high unprivileged port range, e.g. =4444= or =8888=. The leading =:= is the shell no-op, so the default is assigned without trying to run the port number as a command.
#+begin_src sh
: "${SOCKS_PORT:=8888}"
#+end_src
Optionally, you can create a profile in your preferred browser; for Firefox start with:
#+begin_src sh
firefox --no-remote --ProfileManager
#+end_src
In Firefox, under the network settings, add a SOCKS proxy with address =${SOCKS_ADDR:=localhost}= and port =${SOCKS_PORT}=
[[file:ff-socks.png]]
In very recent versions of Firefox you will also need to set =network.proxy.allow_hijacking_localhost= to =true= in =about:config=, see [[https://bugzilla.mozilla.org/show_bug.cgi?id=1535581][https://bugzilla.mozilla.org/show_bug.cgi?id=1535581]]
[[file:ff-settings.png]]
*** Using an extension
Jump [[https://addons.mozilla.org/en-US/firefox/addon/switchyomega/][here]], install the extension and configure a new entry similarly to what was explained for Firefox above.
** Launch the tunnel
Launch an ssh connection with SOCKS support (dynamic port forwarding, =-D=)
#+begin_src sh
ssh -D ${SOCKS_ADDR}:${SOCKS_PORT} -p LAB_VM_PORT disi@LAB_VM_URL
#+end_src
** Create a dummy service on the Lab VM
This simple command exposes a web server that shows the content of the filesystem path where it has been executed
#+begin_src sh
python3 -m http.server
#+end_src
Identify the exposed port and open the following URL in your modified browser: http://localhost:8000.
What do you see?
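The "you, and only you" part of the exercise is about where services listen. =python3 -m http.server= binds to =0.0.0.0= by default, so anyone who can reach the VM's network can read that directory, not only your tunnel; =python3 -m http.server --bind 127.0.0.1= keeps it reachable through the SOCKS proxy alone. The added example below (not part of the course material) reads the output of =ss -ltn= and lists the TCP listeners that are not bound to a loopback address; the =ss= output it parses is a constructed sample so it runs offline.

```shell
#!/bin/sh
# Added example: list TCP listeners reachable from outside the machine.
# Reads `ss -ltn` text on stdin and prints "addr:port" for every listener
# whose local address is not loopback (127.0.0.1 / [::1]).
exposed_listeners() {
    awk 'NR > 1 {
        la = $4                         # "Local Address:Port" column of ss -ltn
        n = split(la, parts, ":")
        port = parts[n]
        # Everything before the last ":" is the address ("[::]" for IPv6 any).
        addr = substr(la, 1, length(la) - length(port) - 1)
        if (addr == "127.0.0.1" || addr == "[::1]") next
        print addr ":" port
    }'
}

# Constructed sample of `ss -ltn` on the lab VM (assumed, not captured):
# sshd on all interfaces, a loopback-only service on 631, and the default
# python3 -m http.server on 0.0.0.0:8000.
SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     127.0.0.1:631       0.0.0.0:*
LISTEN  0       5       0.0.0.0:8000        0.0.0.0:*
LISTEN  0       128     [::]:22             [::]:*'

# Runs the check on the sample; on a real host use: ss -ltn | exposed_listeners
exposed_from_sample() {
    printf '%s\n' "$SAMPLE_SS" | exposed_listeners
}
```

On the VM, =ss -ltn | exposed_listeners= after starting the server with and without =--bind 127.0.0.1= shows the difference directly.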
* Exercise 06 - Advanced deployment: Provision with Vagrant and Configure with Ansible
- Time :: 20 minutes
- 10 minutes: /Try by yourself and ask for support/
- Give a hack when completed successfully
- 10 minutes: /Cross check and Verify/
- Description :: Provision a Virtual Machine using Vagrant as you did in [[file:../e02][e02]]. This time the provisioner is not of type =shell= but of type =Ansible=, so first look at the =Vagrantfile= and then at the =provision.yml= file and try to understand what is going on this time.
Provision the VM using this new system multiple times, check the VM and inspect the VirtualBox VMs using the CLI.
* Solutions and Instructions
Of course, update the repository on your lab VM if not already done
#+begin_src sh
cd FCC_REPO_FOLDER
git pull
#+end_src
** Provision
As usual, provision with Vagrant and look at the output
#+begin_src sh
cd e06
vagrant up
#+end_src
When finished, provision again and look at the output
#+begin_src sh
vagrant provision
#+end_src
** Check the new virtual-machine
#+begin_src sh
vagrant ssh
#+end_src
** View VirtualBox VMs using the CLI
List all VMs
#+begin_src sh
vboxmanage list vms
#+end_src
List only running VMs
#+begin_src sh
vboxmanage list runningvms
#+end_src
Check other CLI commands
#+begin_src sh
vboxmanage --help | less
#+end_src
# -*- mode: ruby -*-
# vi: set ft=ruby :

ANSIBLE_LOGLEVEL = ENV['ANSIBLE_LOGLEVEL'] || "v"
ANSIBLE_PLAYBOOK = ENV['ANSIBLE_PLAYBOOK'] || "provision.yml"

# All Vagrant configuration is done below. The "2" in Vagrant.configure
# configures the configuration version (we support older styles for
# backwards compatibility). Please don't change it unless you know what
# you're doing.
Vagrant.configure("2") do |config|
  # The most common configuration options are documented and commented below.
  # For a complete reference, please see the online documentation at
  # https://docs.vagrantup.com.

  # Every Vagrant development environment requires a box. You can search for
  # boxes at https://vagrantcloud.com/search.
  config.vm.box = "ubuntu/focal64"

  # Disable automatic box update checking. If you disable this, then
  # boxes will only be checked for updates when the user runs
  # `vagrant box outdated`. This is not recommended.
  # config.vm.box_check_update = false

  # Create a forwarded port mapping which allows access to a specific port
  # within the machine from a port on the host machine. In the example below,
  # accessing "localhost:8080" will access port 80 on the guest machine.
  # NOTE: This will enable public access to the opened port
  # config.vm.network "forwarded_port", guest: 80, host: 8080

  # Create a forwarded port mapping which allows access to a specific port
  # within the machine from a port on the host machine and only allow access
  # via 127.0.0.1 to disable public access
  # config.vm.network "forwarded_port", guest: 80, host: 8080, host_ip: "127.0.0.1"

  # Create a private network, which allows host-only access to the machine
  # using a specific IP.
  # config.vm.network "private_network", ip: "192.168.33.10"

  # Create a public network, which generally matched to bridged network.
  # Bridged networks make the machine appear as another physical device on
  # your network.
  # config.vm.network "public_network"

  # Share an additional folder to the guest VM. The first argument is
  # the path on the host to the actual folder. The second argument is
  # the path on the guest to mount the folder. And the optional third
  # argument is a set of non-required options.
  # config.vm.synced_folder "../data", "/vagrant_data"

  # Provider-specific configuration so you can fine-tune various
  # backing providers for Vagrant. These expose provider-specific options.
  # Example for VirtualBox:
  #
  config.vm.provider "virtualbox" do |vb|
    # # Display the VirtualBox GUI when booting the machine
    # vb.gui = true
    #
    # Customize the amount of memory on the VM:
    vb.memory = "2048"
  end
  #
  # View the documentation for the provider you are using for more
  # information on available options.

  # Enable provisioning with a shell script. Additional provisioners such as
  # Puppet, Chef, Ansible, Salt, and Docker are also available. Please see the
  # documentation for more information about their specific syntax and use.
  # Shared configuration
  config.vm.provision :ansible do |ansible|
    ansible.verbose = ANSIBLE_LOGLEVEL
    ansible.playbook = ANSIBLE_PLAYBOOK
  end
end
---
# File: provision.yml - Example fcc e06 provision with vagrant and deploy with ansible
- hosts: all
  become: true
  tasks:
    # Note: the apt cache is refreshed only in the next task, so this
    # dist-upgrade works with whatever package lists the box already has.
    - name: Upgrade the OS (apt-get dist-upgrade)
      apt:
        upgrade: dist
    - name: Run the equivalent of "apt-get update" as a separate step
      apt:
        update_cache: yes
    - name: Install required packages
      apt:
        pkg:
          - htop
          - snapd
          - figlet
    - name: Install yq via snap
      snap:
        name:
          - yq
    - name: Add a figlet customisation to our login
      ansible.builtin.lineinfile:
        path: /home/vagrant/.bashrc
        line: figlet FCC Course, by Ansible
        create: yes
* Exercise 07 - Deploy a webserver and access the main page via a browser
- Time :: 20 minutes
- 10 minutes: /Try by yourself and ask for support/
- Give a hack when completed successfully
- 10 minutes: /Cross check and Verify/
- Description :: Provision a Virtual Machine using Vagrant as you did in [[file:../e06][e06]]. This time you should install an =Apache2 Web Server= on the VM. Moreover, once the new service is installed you must check that it is working: first via CLI inside the VM and then using a browser from your laptop. Is the laptop allowed to reach the VM using the SSH SOCKS proxy configured so far?