Linux Challenge 5 - PAM configuration | Create a Cron job script to start & stop Docker container


Question : Create a bash script called "container-stop.sh" under "/home/bob/" which should be able to stop the "myapp" container. It should also display a message "myapp container stopped!"

Add a cron job for the "root" user which should run "container-stop.sh" script at "12am" everyday.

Add a cron job for the "root" user which should run "container-start.sh" script at "8am" everyday.

Create a bash script called "container-start.sh" under "/home/bob/" which should be able to "start" the "myapp" container. It should also display a message "myapp container started!"

The "root" account is currently locked on "centos-host", please unlock it.

Make user "root" a member of "wheel" group

Add a local DNS entry for the database hostname "mydb.kodekloud.com" so that it can resolve to "10.0.0.50" IP address.

Set a password for mysql root user to "S3cure#321"

Install "mariadb" database server on this server and "start/enable" its service.

Add an extra IP to "eth1" interface on this system: 10.0.0.50/24

Pull "nginx" docker image.

Create and run a new Docker container based on the "nginx" image. The container should be named as "myapp" and the port "80" on the host should be mapped to the port "80" on the container.

Edit the PAM configuration file for the "su" utility so that this utility only accepts the requests from the users that are part of the "wheel" group and the requests from the users should be accepted immediately, without asking for any password.



Solution:

1. First, switch to the root user and add a local DNS entry for the database hostname "mydb.kodekloud.com" so that it resolves to the "10.0.0.50" IP address.

[bob@centos-host ~]$ sudo su -

[root@centos-host ~]#

[root@centos-host ~]# vi /etc/hosts

[root@centos-host ~]# cat /etc/hosts

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4

::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

127.0.1.1 centos-host centos-host

10.0.0.50    mydb.kodekloud.com

[root@centos-host ~]#

2. Add an extra IP to "eth1" interface on this system: 10.0.0.50/24

[root@centos-host ~]# ip address add 10.0.0.50/24 dev eth1

[root@centos-host ~]#

[root@centos-host ~]# ip a

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000

    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

    inet 127.0.0.1/8 scope host lo

       valid_lft forever preferred_lft forever

    inet6 ::1/128 scope host

       valid_lft forever preferred_lft forever

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000

    link/ether 52:54:00:68:21:b5 brd ff:ff:ff:ff:ff:ff

    inet 192.168.121.71/24 brd 192.168.121.255 scope global dynamic noprefixroute eth0

       valid_lft 2981sec preferred_lft 2981sec

    inet6 fe80::5054:ff:fe68:21b5/64 scope link

       valid_lft forever preferred_lft forever

3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000

    link/ether 52:54:00:43:63:9b brd ff:ff:ff:ff:ff:ff

    inet 172.28.128.2/24 brd 172.28.128.255 scope global dynamic noprefixroute eth1

       valid_lft 2926sec preferred_lft 2926sec

    inet 10.0.0.50/24 scope global eth1

       valid_lft forever preferred_lft forever

    inet6 fe80::5054:ff:fe43:639b/64 scope link

       valid_lft forever preferred_lft forever

4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default

    link/ether 02:42:31:e0:fa:df brd ff:ff:ff:ff:ff:ff

    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0

       valid_lft forever preferred_lft forever

[root@centos-host ~]#

Note: "ip address add" changes only the running configuration. The address is lost on reboot unless it is also written to the interface's persistent configuration (the NetworkManager connection or ifcfg file on CentOS).

3. Install "mariadb" database server on this server and "start/enable" its service.

[root@centos-host ~]# yum install mariadb-server -y

Installed:

  libaio-0.3.112-1.el8.x86_64                                                      mariadb-3:10.3.28-1.module_el8.3.0+757+d382997d.x86_64                                

  mariadb-backup-3:10.3.28-1.module_el8.3.0+757+d382997d.x86_64                    mariadb-common-3:10.3.28-1.module_el8.3.0+757+d382997d.x86_64                         

  mariadb-connector-c-3.1.11-2.el8_3.x86_64                                        mariadb-connector-c-config-3.1.11-2.el8_3.noarch                                      

  mariadb-errmsg-3:10.3.28-1.module_el8.3.0+757+d382997d.x86_64                    mariadb-gssapi-server-3:10.3.28-1.module_el8.3.0+757+d382997d.x86_64                  

  mariadb-server-3:10.3.28-1.module_el8.3.0+757+d382997d.x86_64                    mariadb-server-utils-3:10.3.28-1.module_el8.3.0+757+d382997d.x86_64                   

  perl-Carp-1.42-396.el8.noarch                                                    perl-DBD-MySQL-4.046-3.module_el8.3.0+419+c2dec72b.x86_64                             

Complete!

[root@centos-host ~]#

[root@centos-host ~]# systemctl enable mariadb

Created symlink /etc/systemd/system/mysql.service → /usr/lib/systemd/system/mariadb.service.

Created symlink /etc/systemd/system/mysqld.service → /usr/lib/systemd/system/mariadb.service.

Created symlink /etc/systemd/system/multi-user.target.wants/mariadb.service → /usr/lib/systemd/system/mariadb.service.

[root@centos-host ~]# systemctl start mariadb

[root@centos-host ~]#

[root@centos-host ~]# systemctl status mariadb

● mariadb.service - MariaDB 10.3 database server

   Loaded: loaded (/usr/lib/systemd/system/mariadb.service; enabled; vendor preset: disabled)

   Active: active (running) since Sun 2022-11-13 15:35:49 UTC; 7s ago

     Docs: man:mysqld(8)

           https://mariadb.com/kb/en/library/systemd/

  Process: 28628 ExecStartPost=/usr/libexec/mysql-check-upgrade (code=exited, status=0/SUCCESS)

  Process: 28493 ExecStartPre=/usr/libexec/mysql-prepare-db-dir mariadb.service (code=exited, status=0/SUCCESS)

  Process: 28469 ExecStartPre=/usr/libexec/mysql-check-socket (code=exited, status=0/SUCCESS)

 Main PID: 28596 (mysqld)

   Status: "Taking your SQL requests now..."

    Tasks: 30 (limit: 5970)

   Memory: 77.2M

   CGroup: /system.slice/mariadb.service

           └─28596 /usr/libexec/mysqld --basedir=/usr

Nov 13 15:35:48 centos-host mysql-prepare-db-dir[28493]: See the MariaDB Knowledgebase at http://mariadb.com/kb or the

Nov 13 15:35:48 centos-host mysql-prepare-db-dir[28493]: MySQL manual for more instructions.

Nov 13 15:35:48 centos-host mysql-prepare-db-dir[28493]: Please report any problems at http://mariadb.org/jira

Nov 13 15:35:48 centos-host mysql-prepare-db-dir[28493]: The latest information about MariaDB is available at http://mariadb.org/.

Nov 13 15:35:48 centos-host mysql-prepare-db-dir[28493]: You can find additional information about the MySQL part at:

Nov 13 15:35:48 centos-host mysql-prepare-db-dir[28493]: http://dev.mysql.com

Nov 13 15:35:48 centos-host mysql-prepare-db-dir[28493]: Consider joining MariaDB's strong and vibrant community:

Nov 13 15:35:48 centos-host mysql-prepare-db-dir[28493]: https://mariadb.org/get-involved/

Nov 13 15:35:48 centos-host mysqld[28596]: 2022-11-13 15:35:48 0 [Note] /usr/libexec/mysqld (mysqld 10.3.28-MariaDB) starting as process 28596 ...

Nov 13 15:35:49 centos-host systemd[1]: Started MariaDB 10.3 database server.

[root@centos-host ~]#

4. Set a password for mysql root user to "S3cure#321"

[root@centos-host ~]# mysqladmin -u root password 'S3cure#321'

[root@centos-host ~]#

Note: passing the password as a command-line argument records it in the shell history (~/.bash_history) and exposes it to other users through "ps" while the command runs. On a real system prefer "mysql_secure_installation", which prompts for the new root password interactively, and remove the entry from the history afterwards if it has already been typed.

5. The "root" account is currently locked on "centos-host", please unlock it.

Make user "root" a member of "wheel" group

[root@centos-host ~]# usermod -U root

[root@centos-host ~]# usermod -G wheel root

[root@centos-host ~]#

Note: "usermod -U" removes the lock marker ("!") from root's password hash in /etc/shadow; confirm with "passwd -S root". "usermod -G" replaces the user's whole supplementary group list with "wheel", which is harmless for root here but would drop existing memberships for any other user; "usermod -aG wheel <user>" appends instead. Check the result with "id root".

6. Create and run a new Docker container based on the "nginx" image. The container should be named as "myapp" and the port "80" on the host should be mapped to the port "80" on the container

[root@centos-host ~]# docker ps

CONTAINER ID   IMAGE     COMMAND   CREATED   STATUS    PORTS     NAMES

[root@centos-host ~]#

[root@centos-host ~]# docker pull nginx

Using default tag: latest

latest: Pulling from library/nginx

e9995326b091: Pull complete

71689475aec2: Pull complete

f88a23025338: Pull complete

0df440342e26: Pull complete

eef26ceb3309: Pull complete

8e3ed6a9e43a: Pull complete

Digest: sha256:943c25b4b66b332184d5ba6bb18234273551593016c0e0ae906bab111548239f

Status: Downloaded newer image for nginx:latest

docker.io/library/nginx:latest

[root@centos-host ~]#

[root@centos-host ~]# docker run -d -p 80:80 --name myapp nginx

48d28aaed8b6731d678c1ccfeed51c1888f104efdd350a0c9049538a0c10800b

[root@centos-host ~]#

[root@centos-host ~]# docker ps

CONTAINER ID   IMAGE     COMMAND                  CREATED         STATUS         PORTS                               NAMES

48d28aaed8b6   nginx     "/docker-entrypoint.…"   5 seconds ago   Up 4 seconds   0.0.0.0:80->80/tcp, :::80->80/tcp   myapp

[root@centos-host ~]#

Note the PORTS column: "-p 80:80" publishes the port on every IPv4 and IPv6 address of the host (0.0.0.0 and ::), and Docker inserts its own iptables rules for it. If the service should only be reachable locally or on one interface, bind it explicitly, for example "-p 127.0.0.1:80:80" or "-p 10.0.0.50:80:80".

7. Create a bash script called "container-start.sh" under "/home/bob/" which should be able to "start" the "myapp" container. It should also display a message "myapp container started!"

[root@centos-host ~]# vi /home/bob/container-start.sh

[root@centos-host ~]# cat /home/bob/container-start.sh

#!/usr/bin/env bash

docker start myapp

echo "myapp container started!"

[root@centos-host ~]#

[root@centos-host ~]# chmod +x /home/bob/container-start.sh

[root@centos-host ~]#

[root@centos-host ~]# vi /home/bob/container-stop.sh

[root@centos-host ~]# cat /home/bob/container-stop.sh

#!/usr/bin/env bash

docker stop myapp

echo "myapp container stopped!"

[root@centos-host ~]#

[root@centos-host ~]# chmod +x /home/bob/container-stop.sh

[root@centos-host ~]#

8. Add a cron job for the "root" user which should run "container-stop.sh" script at "12am" everyday.

Add a cron job for the "root" user which should run "container-start.sh" script at "8am" everyday.

[root@centos-host ~]# crontab -l

no crontab for root

[root@centos-host ~]#

[root@centos-host ~]# crontab -e

no crontab for root - using an empty one

crontab: installing new crontab

[root@centos-host ~]# crontab -l

0 0 * * * /home/bob/container-stop.sh

0 8 * * * /home/bob/container-start.sh

[root@centos-host ~]#

Note: "0 0" is 00:00 (12am) and "0 8" is 08:00. Both scripts run with root privileges but live in /home/bob, a directory owned by bob; whoever can write to that directory can rename or replace the scripts, so on a production host keep them root-owned and not group/other writable, or place them in a root-owned location such as /usr/local/sbin.
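Root's crontab now executes two scripts from a directory that bob owns, so the owner and permission bits of the script and of its parent directory decide who really controls what runs as root at midnight and 08:00. The script below is an added example, not part of the lab or its solution repository: it audits every job in a crontab for exactly that, flagging a command path whose file or directory is not owned by the crontab's user or is group/other writable. It assumes GNU coreutils "stat -c" (Linux) and builds its own constructed sample layout under a temporary directory; on the lab host you would run "crontab -l | audit_crontab root".

```bash
#!/usr/bin/env bash
# Added example (not part of the original lab): audit the scripts that a
# user's crontab executes. Root's crontab above runs /home/bob/container-*.sh,
# so anyone who can write to /home/bob, or to the script itself, controls
# what root executes. Assumes GNU coreutils `stat -c` (Linux).

# audit_cron_script <cron_user> <script>
# Prints one finding per line for the script and its parent directory;
# returns 0 when clean, 1 when anything was flagged.
audit_cron_script() {
    local cron_user="$1" script="$2"
    local dir path owner mode grp oth findings=0
    dir=$(dirname "$script")
    for path in "$dir" "$script"; do
        if [ ! -e "$path" ]; then
            echo "MISSING  $path"
            findings=$((findings + 1))
            continue
        fi
        owner=$(stat -c '%U' "$path")
        mode=$(stat -c '%a' "$path")
        # The cron user should own both the script and its directory: a
        # directory owner can rename or replace a root-owned file inside it.
        if [ "$owner" != "$cron_user" ]; then
            echo "OWNER    $path is owned by $owner, expected $cron_user"
            findings=$((findings + 1))
        fi
        # Octal mode: last digit = other, second-last = group; bit 2 = write.
        grp=$(( (0$mode / 8) % 8 ))
        oth=$(( 0$mode % 8 ))
        if [ $((grp & 2)) -ne 0 ] || [ $((oth & 2)) -ne 0 ]; then
            echo "WRITABLE $path has mode $mode (group/other writable)"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# audit_crontab <cron_user>   (crontab text on stdin, e.g. from `crontab -l`)
# Audits the first word of every job's command; returns 1 if any job is flagged.
audit_crontab() {
    local cron_user="$1" line cmd rc=0
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*|[A-Za-z_]*=*) continue ;;                          # blank, comment, VAR=value
            @*) cmd=$(printf '%s\n' "$line" | awk '{print $2}') ;;     # @daily /path
            *)  cmd=$(printf '%s\n' "$line" | awk '{print $6}') ;;     # m h dom mon dow /path
        esac
        audit_cron_script "$cron_user" "$cmd" || rc=1
    done
    return "$rc"
}

# Demonstration on a constructed layout under a temporary directory: one
# script in a private directory, one in a world-writable directory.
demo() {
    local t me
    t=$(mktemp -d)
    me=$(id -un)          # on the lab host this would be "root"
    mkdir -m 700 "$t/private"
    printf '#!/bin/sh\ndocker stop myapp\n' > "$t/private/container-stop.sh"
    chmod 700 "$t/private/container-stop.sh"
    mkdir -m 777 "$t/shared"
    printf '#!/bin/sh\ndocker start myapp\n' > "$t/shared/container-start.sh"
    chmod 664 "$t/shared/container-start.sh"
    printf '0 0 * * * %s\n0 8 * * * %s\n' \
        "$t/private/container-stop.sh" "$t/shared/container-start.sh" \
        | audit_crontab "$me" || echo "crontab has unsafe jobs"
    rm -rf "$t"
}

demo
```

The check deliberately inspects the parent directory as well as the file: a root-owned, mode 700 script is still replaceable if bob owns the directory it sits in, which is the situation the lab creates.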

9. Edit the PAM configuration file for the "su" utility so that this utility only accepts the requests from the users that are part of the "wheel" group and the requests from the users should be accepted immediately, without asking for any password.

[root@centos-host ~]# vi /etc/pam.d/su

[root@centos-host ~]# cat /etc/pam.d/su

#%PAM-1.0

auth            required        pam_env.so

auth            sufficient      pam_rootok.so

# Uncomment the following line to implicitly trust users in the "wheel" group.

auth            sufficient      pam_wheel.so trust use_uid

# Uncomment the following line to require a user to be in the "wheel" group.

auth            required        pam_wheel.so use_uid

auth            substack        system-auth

auth            include         postlogin

account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet

account         [success=1 default=ignore] \

                                pam_succeed_if.so user = vagrant use_uid quiet

account         required        pam_succeed_if.so user notin root:vagrant

account         include         system-auth

password        include         system-auth

session         include         system-auth

session         include         postlogin

session         optional        pam_xauth.so

[root@centos-host ~]#

The two uncommented pam_wheel.so lines are the whole policy. "auth sufficient pam_wheel.so trust use_uid" passes authentication immediately for any member of "wheel", so no password is asked; "auth required pam_wheel.so use_uid" fails authentication for everyone who is not in "wheel" ("use_uid" checks the real uid of the calling user rather than the login name). The "trust" line must sit above the "system-auth" substack, otherwise the password modules run first and the user is still prompted. "pam_rootok.so" above both lines already lets root use su freely, so adding root to "wheel" in step 5 does not change su's behaviour for root. Because every wheel member now gets a root shell without any password, keep that group as small as possible and review it with "getent group wheel".
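Reading a PAM stack by eye is error-prone, and the consequence of this particular configuration (who can reach a root shell with no password at all) is worth stating explicitly. The following script is an added example, not part of the lab or its solution repository: it parses a file in /etc/pam.d format, reports whether su is restricted to "wheel" and whether wheel members are trusted without a password, and, together with an /etc/group-format file, lists the accounts that the policy lets become root password-free. It builds constructed sample files under a temporary directory; on the lab host the calls would be "su_pam_policy /etc/pam.d/su" and "su_nopass_users /etc/pam.d/su /etc/group".

```bash
#!/usr/bin/env bash
# Added example (not part of the original lab): summarise what a PAM
# configuration for su allows and list who can become root without a
# password once pam_wheel.so is trusted.

# su_pam_policy <pam-file>
# Prints "wheel_only=<yes|no> wheel_nopass=<yes|no>":
#   wheel_only   - an active "auth required|requisite pam_wheel.so" line
#                  exists, so users outside wheel are refused
#   wheel_nopass - an active "auth sufficient pam_wheel.so trust" line
#                  exists, so wheel members are not asked for a password
su_pam_policy() {
    local file="$1" type control module args
    local wheel_only=no wheel_nopass=no
    while read -r type control module args; do
        case "$type" in ''|'#'*) continue ;; esac    # blank or comment line
        args=${args%%#*}                               # drop a trailing comment
        [ "$type" = auth ] && [ "$module" = pam_wheel.so ] || continue
        case " $args " in
            *' trust '*)
                [ "$control" = sufficient ] && wheel_nopass=yes ;;
            *)
                case "$control" in required|requisite) wheel_only=yes ;; esac ;;
        esac
    done < "$file"
    echo "wheel_only=$wheel_only wheel_nopass=$wheel_nopass"
}

# su_nopass_users <pam-file> <group-file>
# Lists (space separated) the members of wheel who get a root shell from
# su without a password under this policy; prints nothing otherwise.
su_nopass_users() {
    local policy
    policy=$(su_pam_policy "$1")
    case "$policy" in *wheel_nopass=yes*) ;; *) return 0 ;; esac
    awk -F: '$1 == "wheel" { gsub(",", " ", $4); print $4 }' "$2"
}

# Demonstration on constructed files: a copy of the resulting /etc/pam.d/su
# from the lab and a two-line /etc/group in which bob and root are in wheel.
demo() {
    local t
    t=$(mktemp -d)
    cat > "$t/su" <<'EOF'
#%PAM-1.0
auth            required        pam_env.so
auth            sufficient      pam_rootok.so
auth            sufficient      pam_wheel.so trust use_uid
auth            required        pam_wheel.so use_uid
auth            substack        system-auth
account         include         system-auth
EOF
    printf 'root:x:0:\nwheel:x:10:bob,root\n' > "$t/group"
    echo "policy: $(su_pam_policy "$t/su")"
    echo "passwordless root via su: $(su_nopass_users "$t/su" "$t/group")"
    rm -rf "$t"
}

demo
```

The parser ignores commented-out lines and trailing comments, so the same file before and after the edit in step 9 yields "wheel_only=no wheel_nopass=no" and "wheel_only=yes wheel_nopass=yes" respectively; the second result is the one that should trigger a review of wheel membership.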

10. Click on check & Confirm to complete the task successfully

A script that automates the entire lab task can be copied from GitLab: https://gitlab.com/nb-tech-support/devops.git

Happy Learning!!!!


Apart from this, if you need more clarity, I have made a tutorial video on this; please go through it and share your comments. Like and share the knowledge.
