This shows you the differences between two versions of the page.
scgc:laboratoare:07 [2020/04/06 21:23] darius.mihai Add ex. 8 about two-factor authentication for SSH |
scgc:laboratoare:07 [2021/10/27 14:09] (current) maria.mihailescu |
Line 1: | Line 1: | ||
- | ====== Laboratory 07. Configuration Management: Puppet, Ansible ====== | + | ====== Configuration Management: Puppet, Ansible ====== |
===== Lab Setup ===== | ===== Lab Setup ===== | ||
- | * We will be using a virtual machine in the [[http://cloud.curs.pub.ro/|faculty's cloud]]. | + | * We will be using a virtual machine in the [[http://cloud.grid.pub.ro/|faculty's cloud]]. |
- | * When creating a virtual machine follow the steps in this [[https://cloud.curs.pub.ro/about/tutorial-for-students/|tutorial]]. | + | |
* When creating a virtual machine in the Launch Instance window: | * When creating a virtual machine in the Launch Instance window: | ||
- | * For **Availability zone**, choose **CAMPUS**, **CI** or **hp** | ||
* Select **Boot from image** in **Instance Boot Source** section | * Select **Boot from image** in **Instance Boot Source** section | ||
* Select **SCGC Template** in **Image Name** section | * Select **SCGC Template** in **Image Name** section | ||
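Review bot: the tutorial link removed in this hunk (the `tutorial-for-students` bullet) is not replaced by anything, so the "When creating a virtual machine" step now points only at the dashboard URL; if the new cloud has an equivalent tutorial, link it, otherwise state that the remaining bullets are the complete procedure. Minor: the dashboard is linked as `http://cloud.grid.pub.ro/`; if the service is served over TLS, link it as https so students are not sent through a plain-HTTP redirect that can be intercepted on the campus network.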
Line 31: | Line 29: | ||
===== Tasks ====== | ===== Tasks ====== | ||
- | ==== 1. [20p] Puppet Resources ==== | + | ==== 1. [10p] Puppet Resources ==== |
Puppet is a configuration management tool. In order to describe the necessary configurations, Puppet uses its own declarative language. Puppet can manage both Linux and Windows systems. | Puppet is a configuration management tool. In order to describe the necessary configurations, Puppet uses its own declarative language. Puppet can manage both Linux and Windows systems. | ||
Line 150: | Line 148: | ||
Chech the **/etc/passwd** file to see if the user was actually removed. | Chech the **/etc/passwd** file to see if the user was actually removed. | ||
- | ==== 2. [20p] Puppet Manifests ==== | + | ==== 2. [10p] Puppet Manifests ==== |
Even though we can create, modify or remove resources from the command line, using **puppet resource** commands, this is not a scalable approach and not appropriate for complex scenarios. | Even though we can create, modify or remove resources from the command line, using **puppet resource** commands, this is not a scalable approach and not appropriate for complex scenarios. | ||
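Review bot: "Chech the **/etc/passwd** file" in the unchanged context line should read "Check". While here, looking at `/etc/passwd` alone does not confirm that a user is completely gone: removing the account without removing its home directory leaves the home directory (and any crontab or mail spool) behind, so if the exercise is meant to show full cleanup, point students at the home directory as well, or mention the `managehome` attribute of the Puppet `user` resource.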
Line 238: | Line 236: | ||
<note important>If it doesn't already exist, the key pair for the **student** user must be generated beforehand. | <note important>If it doesn't already exist, the key pair for the **student** user must be generated beforehand. | ||
- | Then, run the command ''ssh-add ~/.ssh.id_rsa''</note> | + | Then, run the command ''ssh-add ~/.ssh/id_rsa''</note> |
<note>Use the Puppet documentation for the resource type [[https://puppet.com/docs/puppet/5.5/types/ssh_authorized_key.html|ssh_authorized_key]].</note> | <note>Use the Puppet documentation for the resource type [[https://puppet.com/docs/puppet/5.5/types/ssh_authorized_key.html|ssh_authorized_key]].</note> | ||
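Review bot: the corrected `ssh-add ~/.ssh/id_rsa` still fails with "Could not open a connection to your authentication agent" unless an ssh-agent is running in the session; add `eval $(ssh-agent)` before it, or state that the agent must be running. The note also says the key pair "must be generated beforehand" without saying how; a short `ssh-keygen` reference in the same note would close that gap, and since the exercise then pushes the key via `ssh_authorized_key`, it is worth reminding students that only the contents of the `.pub` file belong in the manifest, never the private key.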
Line 297: | Line 295: | ||
ensure => file, | ensure => file, | ||
mode => '0600', | mode => '0600', | ||
- | source => '/root/examples/sshd_config', | + | source => '/root/config-files/sshd_config', |
} | } | ||
service { 'sshd': | service { 'sshd': | ||
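Review bot: the `file` resource replaces `/etc/ssh/sshd_config` from the new source path with mode `0600`, but nothing visible guards against a broken configuration: if the copied file has a syntax error, the `service { 'sshd':` resource that follows restarts sshd into a failed state and locks students out of the VM. Suggest adding `validate_cmd => '/usr/sbin/sshd -t -f %'` to the file resource so Puppet only installs the file when sshd accepts it, and make sure the service resource subscribes to the file (`subscribe => File['/etc/ssh/sshd_config']`) so a changed file actually triggers the restart. Also confirm that `/root/config-files/` is where students are told to put the file; later in this diff the directory created for the Ansible exercise is `~/config-files` under the student home, and the two locations should not be confused.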
Line 439: | Line 437: | ||
} | } | ||
</code> | </code> | ||
+ | |||
+ | <note important> | ||
+ | Puppet has a modular implementation, and some functionality is provided through classes, some of which may be provided by certain modules. To use the ''%%str2bool%%'' function, you must install the ''%%puppet-module-puppetlabs-stdlib%%'' module using the ''%%apt%%'' package manager. | ||
+ | </note> | ||
+ | |||
Apply the manifest and notice the state of the NTP service. | Apply the manifest and notice the state of the NTP service. | ||
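Review bot: the added note says the functionality is "provided through classes", but `str2bool` is a function shipped by the `stdlib` module, not a class; rewording to "functions such as `str2bool` are provided by modules" avoids confusion with the Puppet classes used earlier in the lab. The Debian package name `puppet-module-puppetlabs-stdlib` is correct for the distribution repository; giving the command explicitly (`sudo apt install -y puppet-module-puppetlabs-stdlib`), as the other tasks do for their packages, would make the note directly actionable.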
Line 461: | Line 464: | ||
</note> | </note> | ||
- | ==== 6. [BONUS - 5p] Ansible Install & Configuration ==== | + | ==== 6. [10p] Ansible Install & Configuration ==== |
Ansible is a configuration management and provisioning tool, similar to Puppet. It uses SSH to connect to servers and run the configured tasks. | Ansible is a configuration management and provisioning tool, similar to Puppet. It uses SSH to connect to servers and run the configured tasks. | ||
Line 472: | Line 475: | ||
student@scgc:~$ sudo apt install -y ansible | student@scgc:~$ sudo apt install -y ansible | ||
# Required to use password authentication. By default, ansible requires authentication through SSH keys | # Required to use password authentication. By default, ansible requires authentication through SSH keys | ||
- | student@scgc:~$ sudo apt install -y ansible | + | student@scgc:~$ sudo apt install -y sshpass |
</code> | </code> | ||
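Review bot: the duplicated `apt install -y ansible` line is correctly fixed to install `sshpass`; since the comment above it already says key-based authentication is Ansible's default, suggest stating that `sshpass` with `--ask-pass` is a lab convenience only and that keys are what should be used in practice. This matters within the same diff: the closing note of task 8 says password authentication through `sshpass` stops working once two-factor authentication is enabled, a problem key-based authentication for the Ansible user would avoid.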
Line 534: | Line 537: | ||
* ''%%--ask-pass --user=student%%'' - SSH connection parameters: interactive password input, login as **student** user | * ''%%--ask-pass --user=student%%'' - SSH connection parameters: interactive password input, login as **student** user | ||
- | ==== 7. [BONUS - 5p] Ansible Facter ==== | + | ==== 7. [10p] Ansible Facter ==== |
Ansible has a fact gathering system similar to Puppet. To extract facts about the remote host we can use the ''%%setup%%'' module. The information is returned as Python dictionaries, where values can be strings, arrays, or other dictionaries. | Ansible has a fact gathering system similar to Puppet. To extract facts about the remote host we can use the ''%%setup%%'' module. The information is returned as Python dictionaries, where values can be strings, arrays, or other dictionaries. | ||
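Review bot: the heading "Ansible Facter" borrows Puppet's tool name; Ansible calls these "facts", gathered by the `setup` module as the paragraph itself says, so "Ansible Facts" would be the accurate title. Also "returned as Python dictionaries" describes the internal representation; what students actually see on the command line is JSON, so "returned as JSON, with values that are strings, lists or nested dictionaries" matches the output they will look at.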
Line 577: | Line 580: | ||
student@scgc:~$ mkdir config-files | student@scgc:~$ mkdir config-files | ||
student@scgc:~$ cd config-files | student@scgc:~$ cd config-files | ||
- | student@scgc:~/config-files$ cp /home/student/.google-authenticator . | + | student@scgc:~/config-files$ cp /home/student/.google_authenticator . |
student@scgc:~/config-files$ cp /etc/pam.d/sshd . | student@scgc:~/config-files$ cp /etc/pam.d/sshd . | ||
student@scgc:~/config-files$ cp /etc/ssh/sshd_config . | student@scgc:~/config-files$ cp /etc/ssh/sshd_config . | ||
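Review bot: the corrected filename `.google_authenticator` is right, but this file holds the TOTP secret and the emergency scratch codes, and a plain `cp` into `~/config-files` creates a copy with the default umask (typically 0644), readable by any other user on the VM; use `cp -p` or `chmod 600` on the copy, and make sure the Ansible task that later deploys it sets owner `student` and mode `0600`, since pam_google_authenticator refuses a secret file that is more permissive than that. Treat the copied `sshd_config` with the same care as the Puppet task does, where it is installed with mode `0600`.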
Line 728: | Line 731: | ||
10.0.0.2 : ok=8 changed=5 unreachable=0 failed=0 | 10.0.0.2 : ok=8 changed=5 unreachable=0 failed=0 | ||
</code> | </code> | ||
+ | |||
+ | You should now be able to login using the password and the Google Authenticator. | ||
+ | <code bash> | ||
+ | student@scgc:~$ ssh student@10.0.0.2 | ||
+ | Password: | ||
+ | Verification code: | ||
+ | Password: | ||
+ | Verification code: | ||
+ | Linux puppet 4.19.0-8-amd64 #1 SMP Debian 4.19.98-1 (2020-01-26) x86_64 | ||
+ | |||
+ | The programs included with the Debian GNU/Linux system are free software; | ||
+ | the exact distribution terms for each program are described in the | ||
+ | individual files in /usr/share/doc/*/copyright. | ||
+ | |||
+ | Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent | ||
+ | permitted by applicable law. | ||
+ | student@puppet:~$ | ||
+ | </code> | ||
+ | |||
+ | <note important> | ||
+ | After adding two-factor authentication, Ansible will no longer be able to access the VM using password authentication, since the password is read by ansible before actually attempting to access the server, and ''%%sshpass%%'' is not aware it is required. | ||
+ | </note> |
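Review bot: the added transcript shows `Password:` and `Verification code:` prompted twice before the shell appears, which reads like a failed first attempt rather than the expected flow; either trim it to one pair of prompts or explain why both are repeated. The closing note also gives a muddled reason for Ansible breaking: the actual cause is that `sshpass` only answers the password prompt, so the additional keyboard-interactive `Verification code:` prompt added by the PAM module goes unanswered and the connection fails. Suggest rewording along those lines and recommending the fix the page already hints at: give the Ansible control user SSH key authentication (Ansible's default, per task 6), and check how `AuthenticationMethods` is set in the deployed `sshd_config` so that key logins are not also asked for the code; otherwise automation stops working as soon as 2FA is turned on.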