Version: 2023.01
Last updated: 2023/11/08 08:50
LDF705 - OHAI and Automatic Attributes, Data Bags
Module Contents
- LDF705 - OHAI and Automatic Attributes, Data Bags
- Module Contents
- Infrastructure
- LAB #1 - OHAI and Automatic Attributes
- 1.1 - Creating the Cookbook and the Recipe
- 1.2 - Preparing the targeta and targetb Nodes
- 1.3 - Bootstrapping the Clients
- LAB #2 - Data Bags
- 2.1 - Overview
- 2.2 - Creating Data Bags
- 2.3 - Using Data Bags
- 2.4 - Encrypted Data Bags
Infrastructure
The infrastructure used in this module is as follows.
Trainees 11, 12, 14, 15, 16 and 17:
| Machine type | FQDN | IP | OS | Version | CPUs | RAM (MB) | HDD (GB) | User | Password | root password |
|---|---|---|---|---|---|---|---|---|---|---|
| VM | workstation.ittraining.loc | 10.0.2.111 | Ubuntu | 18.04.6 LTS | 8 | 8192 | 50 | trainee | trainee | N/A |
| VM | client.ittraining.loc | 10.0.2.112 | Ubuntu | 18.04.6 LTS | 4 | 4096 | 50 | trainee | trainee | N/A |
| VM | targeta.i2tch.loc | 10.0.2.52 | Debian | 9.7 | 2 | 2048 | 20 | trainee | trainee | fenestros |
| VM | targetb.i2tch.loc | 10.0.2.53 | CentOS | 7.6.1810 | 2 | 2048 | 20 | trainee | trainee | fenestros |
Trainees 18, 19, 20, 21, 22 and 23:
| Machine type | FQDN | IP | OS | Version | CPUs | RAM (MB) | HDD (GB) | User | Password | root password |
|---|---|---|---|---|---|---|---|---|---|---|
| VM | workstation.ittraining.loc | 10.0.3.111 | Ubuntu | 18.04.6 LTS | 8 | 8192 | 50 | trainee | trainee | N/A |
| VM | client.ittraining.loc | 10.0.3.112 | Ubuntu | 18.04.6 LTS | 4 | 4096 | 50 | trainee | trainee | N/A |
| VM | targeta.i2tch.loc | 10.0.3.52 | Debian | 9.7 | 2 | 2048 | 20 | trainee | trainee | fenestros |
| VM | targetb.i2tch.loc | 10.0.3.53 | CentOS | 7.6.1810 | 2 | 2048 | 20 | trainee | trainee | fenestros |
Start by editing the /etc/hosts file of your workstation.ittraining.loc VM.
Trainees 11, 12, 14, 15, 16 and 17:
```
root@workstation:~/chef-repo/cookbooks# vi /etc/hosts
root@workstation:~/chef-repo/cookbooks# cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 workstation
10.0.2.110 chefserver.ittraining.loc chefserver
10.0.2.111 workstation.ittraining.loc workstation
10.0.2.112 client.ittraining.loc client
10.0.2.52 targeta.i2tch.loc targeta
10.0.2.53 targetb.i2tch.loc targetb

# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
```
Trainees 18, 19, 20, 21, 22 and 23:
```
root@workstation:~/chef-repo/cookbooks# vi /etc/hosts
root@workstation:~/chef-repo/cookbooks# cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 workstation
10.0.3.110 chefserver.ittraining.loc chefserver
10.0.3.111 workstation.ittraining.loc workstation
10.0.3.112 client.ittraining.loc client
10.0.3.52 targeta.i2tch.loc targeta
10.0.3.53 targetb.i2tch.loc targetb

# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
```
LAB #1 - OHAI and Automatic Attributes
1.1 - Creating the Cookbook
Create a Cookbook named apache:
```
root@workstation:~/chef-repo/cookbooks# cd ..
root@workstation:~/chef-repo# chef generate cookbook cookbooks/apache
Generating cookbook apache
- Ensuring correct cookbook content

Your cookbook is ready. Type `cd cookbooks/apache` to enter it.

There are several commands you can run to get started locally developing and testing your cookbook.
Type `delivery local --help` to see a full list of local testing commands.

Why not start by writing an InSpec test? Tests for the default recipe are stored at:

test/integration/default/default_test.rb

If you'd prefer to dive right in, the default recipe can be found at:

recipes/default.rb
```
To do - For more information about the chef generate cookbook command, see this page.
When the Cookbook is created, a directory tree is created under chef-repo/cookbooks/apache:
```
root@workstation:~/chef-repo# ls -l cookbooks/apache
total 40
-rw-r--r-- 1 root root  150 nov.   6 10:11 CHANGELOG.md
-rw-r--r-- 1 root root 1176 nov.   6 10:11 chefignore
-rw-r--r-- 1 root root  741 nov.   6 10:11 kitchen.yml
-rw-r--r-- 1 root root   70 nov.   6 10:11 LICENSE
-rw-r--r-- 1 root root  676 nov.   6 10:11 metadata.rb
-rw-r--r-- 1 root root  507 nov.   6 10:11 Policyfile.rb
-rw-r--r-- 1 root root   54 nov.   6 10:11 README.md
drwxr-xr-x 2 root root 4096 nov.   6 10:11 recipes
drwxr-xr-x 3 root root 4096 nov.   6 10:11 spec
drwxr-xr-x 3 root root 4096 nov.   6 10:11 test
```
A default Recipe, called default.rb, has been created in the recipes subdirectory:
```
root@workstation:~/chef-repo# ls -l cookbooks/apache/recipes/
total 4
-rw-r--r-- 1 root root 97 nov.   6 10:11 default.rb
```
This file looks like this:
```
root@workstation:~/chef-repo# cat cookbooks/apache/recipes/default.rb
#
# Cookbook:: apache
# Recipe:: default
#
# Copyright:: 2023, The Authors, All Rights Reserved.
```
Let us now study a Recipe intended to install, enable and start Apache on a CentOS system and on a Debian system, using Automatic Attributes:
```
root@workstation:~/chef-repo# vi cookbooks/apache/recipes/default.rb
root@workstation:~/chef-repo# cat cookbooks/apache/recipes/default.rb
#
# Cookbook:: apache
# Recipe:: default
#
# Copyright:: 2023, The Authors, All Rights Reserved.

package_name = "httpd"
service_name = "httpd"
doc_root = "/var/www/html"

if node["platform"] == "centos"
  package_name = "httpd"
  service_name = "httpd"
  doc_root = "/var/www/html"
elsif node["platform"] == "debian"
  package_name = "apache2"
  service_name = "apache2"
  doc_root = "/var/www/html"
end

package package_name do
  action :install
end

service service_name do
  action [:start, :enable]
end

cookbook_file "#{doc_root}/index.html" do
  source "index.html"
  mode "0644"
end
```
This file starts by declaring the default values of three variables:
- package_name,
- service_name,
- doc_root.
Important - Note that these variables have Cookbook scope. These three lines are necessary to declare the variables.
It continues with a test. In this test, the value of the platform Automatic Attribute is examined. If the value is:
- centos, the three variables package_name, service_name and doc_root are set to their default values,
- debian, the three variables package_name, service_name and doc_root are set to apache2, apache2 and /var/www/html respectively.
Then the Resources:
- package uses the value of the package_name variable to install the right package on the Node concerned,
- service uses the value of the service_name variable to enable and start the right service on the Node concerned,
- cookbook_file uses the value of the doc_root variable to copy the file referenced by source to the right destination on the Node concerned.
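As an added example (not code from the course page), the block below is a small stand-in for the Chef recipe DSL that evaluates the apache::default recipe above against constructed Ohai-style node attributes, so the platform branching can be checked without a Chef Infra Server or a bootstrapped node; OHAI_SAMPLES, RecipeRun, converge and platform_handled? are names chosen for this example. It also exposes the fallthrough the recipe leaves open: a platform with no branch, such as the Ubuntu client VM, silently inherits the httpd defaults, which is the wrong package name on Ubuntu.

```ruby
# Added example, not from the course page: a minimal stand-in for the Chef
# recipe DSL, so the platform logic of apache::default can be evaluated
# against Ohai-style node attributes without a Chef run.
require "json"

# Constructed samples of what Ohai reports for the three kinds of lab VM.
# The recipe only reads node["platform"]; the other keys are illustrative.
OHAI_SAMPLES = {
  "targeta" => '{"platform": "debian", "platform_version": "9.7", "platform_family": "debian"}',
  "targetb" => '{"platform": "centos", "platform_version": "7.6.1810", "platform_family": "rhel"}',
  "client"  => '{"platform": "ubuntu", "platform_version": "18.04", "platform_family": "debian"}'
}.freeze

# Collects the properties set inside a resource block (action, source, mode).
class ResourceBuilder
  def initialize(res)
    @res = res
  end

  def action(value)
    @res[:action] = value
  end

  def source(value)
    @res[:source] = value
  end

  def mode(value)
    @res[:mode] = value
  end
end

# Records each resource the recipe declares instead of converging it.
class RecipeRun
  attr_reader :node, :resources

  def initialize(node)
    @node = node
    @resources = []
  end

  def package(name, &blk)
    declare(:package, name, &blk)
  end

  def service(name, &blk)
    declare(:service, name, &blk)
  end

  def cookbook_file(name, &blk)
    declare(:cookbook_file, name, &blk)
  end

  private

  def declare(type, name, &blk)
    res = { type: type, name: name, action: :nothing }
    ResourceBuilder.new(res).instance_eval(&blk) if blk
    @resources << res
    res
  end
end

# The recipe body as written on the page, wrapped so it can be evaluated
# against different nodes.
APACHE_DEFAULT = proc do
  package_name = "httpd"
  service_name = "httpd"
  doc_root = "/var/www/html"
  if node["platform"] == "centos"
    package_name = "httpd"
    service_name = "httpd"
    doc_root = "/var/www/html"
  elsif node["platform"] == "debian"
    package_name = "apache2"
    service_name = "apache2"
    doc_root = "/var/www/html"
  end
  package package_name do
    action :install
  end
  service service_name do
    action [:start, :enable]
  end
  cookbook_file "#{doc_root}/index.html" do
    source "index.html"
    mode "0644"
  end
end

# Evaluates the recipe against one node's attributes and returns the
# resources it would declare, in declaration order.
def converge(node_name)
  node = JSON.parse(OHAI_SAMPLES.fetch(node_name))
  run = RecipeRun.new(node)
  run.instance_eval(&APACHE_DEFAULT)
  run.resources
end

# True when the recipe has an explicit branch for the node's platform.
# Any other platform inherits the "httpd" defaults without complaint.
def platform_handled?(node_name)
  %w[centos debian].include?(JSON.parse(OHAI_SAMPLES.fetch(node_name))["platform"])
end

if __FILE__ == $PROGRAM_NAME
  OHAI_SAMPLES.each_key do |name|
    puts "#{name} (platform handled: #{platform_handled?(name)})"
    converge(name).each { |r| puts "  #{r[:type]}[#{r[:name]}] #{r[:action].inspect}" }
  end
end
```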
Create the directory /root/chef-repo/cookbooks/apache/files/:
```
root@workstation:~/chef-repo# mkdir cookbooks/apache/files
```
Now create the file /root/chef-repo/cookbooks/apache/files/index.html:
```
root@workstation:~/chef-repo# vi cookbooks/apache/files/index.html
root@workstation:~/chef-repo# cat cookbooks/apache/files/index.html
<html>
<title>OHIO et Chef</title>
<body> Wow! It works!</body>
</html>
```
Upload the Cookbook to the Chef Infra Server:
```
root@workstation:~/chef-repo# knife cookbook upload apache
Uploading apache         [0.1.0]
Uploaded 1 cookbook.
```
1.2 - Preparing the targeta and targetb Nodes
Trainees **11**, **12**, **14**, **15**, **16** and **17**
Configure the two new clients targeta and targetb.
```
root@workstation:~/chef-repo# ssh -l trainee 10.0.2.52
Debian GNU/Linux 9
trainee@10.0.2.52's password: trainee
Linux targeta.i2tch.loc 4.9.0-8-amd64 #1 SMP Debian 4.9.130-2 (2018-10-27) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Mar 21 08:47:45 2021 from 10.0.2.10
trainee@targeta:~$ su -
Mot de passe : fenestros
root@targeta:~# systemctl status apache2
Unit apache2.service could not be found.
root@targeta:~#
```
Edit the PermitRootLogin directive in /etc/ssh/sshd_config so that the root user can log in to the client:
```
root@targeta:~# vi /etc/ssh/sshd_config
root@targeta:~# cat /etc/ssh/sshd_config
...
PermitRootLogin yes
...
root@targeta:~# systemctl restart ssh
```
Then edit the /etc/hosts file:
```
root@targeta:~# vi /etc/hosts
root@targeta:~# cat /etc/hosts
127.0.0.1 localhost
10.0.2.110 chefserver.ittraining.loc chefserver
10.0.2.111 workstation.ittraining.loc workstation
10.0.2.52 targeta.i2tch.loc targeta
10.0.2.53 targetb.i2tch.loc targetb

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
```
Update the package repositories:
```
root@targeta:~# sed -i s/ftp.fr.debian.org/archive.debian.org/g /etc/apt/sources.list
root@targeta:~# sed -i '/debian-security/d' /etc/apt/sources.list
root@targeta:~# sed -i '/stretch-updates/d' /etc/apt/sources.list
root@targeta:~# apt update
Ign:1 http://archive.debian.org/debian stretch InRelease
Réception de:2 http://archive.debian.org/debian stretch Release [118 kB]
Réception de:3 http://archive.debian.org/debian stretch Release.gpg [3 177 B]
Réception de:4 http://archive.debian.org/debian stretch/main Sources [6 736 kB]
Réception de:5 http://archive.debian.org/debian stretch/main amd64 Packages [7 080 kB]
Réception de:6 http://archive.debian.org/debian stretch/main Translation-fr [1 894 kB]
Réception de:7 http://archive.debian.org/debian stretch/main Translation-en [5 377 kB]
21,2 Mo réceptionnés en 6s (3 302 ko/s)
Lecture des listes de paquets... Fait
Construction de l'arbre des dépendances
Lecture des informations d'état... Fait
226 packages can be upgraded. Run 'apt list --upgradable' to see them.
```
Consult the list of Automatic Attributes:
```
root@targeta:~# ohai | more
{
  "init_package": "systemd",
  "keys": {
    "ssh": {
      "host_rsa_public": "AAAAB3NzaC1yc2EAAAADAQABAAABAQCyniXxtEUmEsWSRkTc6fbNhGVEvTmu+3YD/JleRkDSMRGy0i58Vbao2Cu7Rhg/tC6FbYOMKBvveZhFa8gphUneSqSsLdyxokubj4fO4PEW/wv0SSo2rEfuGXp6oLm4EQgWrLIOJPpRDy5kwRIU8XPc PduyiRFInMEBv62BYqpxS9DBaz40oH0bif+WgrIO01Led/mZ2A0rUzr+9gUFUcpUxX9tZC4geCxsKcW1i/FuWTrWr7f4+Zwbz89bt9eA+BK4trJ5hUhAdHUxcX3rAKGZU9ruAxciuQVzQ8f/HYNVSWg3cNB4g08+0/rHSasMFrhIkk86RX/16mGTHGKpuyId",
      "host_ecdsa_public": "AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKVU5pimWmTgKKazpAyInMjuQYlCvJ2GmX68P+81m1KfypeD8N8QiQfPtgucevPfAXraDtzAZjSTRK+2DcRwnmM=",
      "host_ecdsa_type": "ecdsa-sha2-nistp256",
      "host_ed25519_public": "AAAAC3NzaC1lZDI1NTE5AAAAILL1bKUqdRZiqXicr229LWK9iKNveAbKM5UiQPA7VFoH"
    }
  },
  "memory": {
    "swap": { "cached": "0kB", "total": "2095100kB", "free": "2095100kB" },
    "hugepages": { "total": "0", "free": "0", "reserved": "0", "surplus": "0" },
    "directmap": { "4k": "55160kB", "2M": "2041856kB" },
    "total": "2052288kB",
    "free": "1460856kB",
    "available": "1805260kB",
    "buffers": "38048kB",
    "cached": "411952kB",
    "active": "213712kB",
    "inactive": "284764kB",
    "dirty": "8kB",
    "writeback": "0kB",
    "anon_pages": "48532kB",
    "mapped": "41324kB",
    "slab": "72612kB",
    "slab_reclaimable": "59524kB",
    "slab_unreclaim": "13088kB",
    "page_tables": "4440kB",
    "nfs_unstable": "0kB",
    "bounce": "0kB",
    "commit_limit": "3121244kB",
    "committed_as": "697488kB",
    "vmalloc_total": "34359738367kB",
    "vmalloc_used": "0kB",
    "vmalloc_chunk": "0kB",
    "hugepage_size": "2048kB"
  },
  "network": {
    "interfaces": {
      "lo": {
        "mtu": "65536",
--Plus--
```
Leave the targeta VM:
```
root@targeta:~# exit
déconnexion
trainee@targeta:~$ exit
déconnexion
Connection to 10.0.2.52 closed.
```
Connect to the targetb VM:
```
root@workstation:~/chef-repo/cookbooks# ssh -l trainee 10.0.2.53
The authenticity of host '10.0.2.53 (10.0.2.53)' can't be established.
ECDSA key fingerprint is SHA256:RgOsp/XI7JHNq+oIfHKw+jkHdtTnBIh+Dd7kVmHRxtU.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.2.53' (ECDSA) to the list of known hosts.
trainee@10.0.2.53's password: trainee
Last login: Sun Mar 21 08:53:18 2021 from 10.0.2.10
[trainee@targetb ~]$ su -
Password: fenestros
Last login: dim. mars 21 08:53:25 CET 2021 on pts/0
```
Change the PermitRootLogin directive in /etc/ssh/sshd_config so that the root user can log in to the client:
```
[root@targetb ~]# vi /etc/ssh/sshd_config
[root@targetb ~]# cat /etc/ssh/sshd_config
#	$OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
...
PermitRootLogin yes
...
[root@targetb ~]# systemctl restart sshd
```
Then edit the /etc/hosts file:
```
[root@targetb ~]# vi /etc/hosts
[root@targetb ~]# cat /etc/hosts
127.0.0.1   localhost.localdomain localhost
::1         localhost6.localdomain6 localhost6
10.0.2.110 chefserver.ittraining.loc chefserver
10.0.2.111 workstation.ittraining.loc workstation
10.0.2.52 targeta.i2tch.loc targeta
10.0.2.53 targetb.i2tch.loc targetb
```
Consult the list of Automatic Attributes:
```
[root@targetb ~]# ohai | more
{
  "kernel": {
    "name": "Linux",
    "release": "3.10.0-957.1.3.el7.x86_64",
    "version": "#1 SMP Thu Nov 29 14:49:43 UTC 2018",
    "machine": "x86_64",
    "processor": "x86_64",
    "os": "GNU/Linux",
    "modules": {
      "ip6t_rpfilter": { "size": "12595", "refcount": "1" },
      "ipt_REJECT": { "size": "12541", "refcount": "2" },
      "nf_reject_ipv4": { "size": "13373", "refcount": "1" },
      "ip6t_REJECT": { "size": "12625", "refcount": "2" },
      "nf_reject_ipv6": { "size": "13717", "refcount": "1" },
      "xt_conntrack": { "size": "12760", "refcount": "13" },
      "ip_set": { "size": "45644", "refcount": "0" },
      "nfnetlink": { "size": "14490", "refcount": "1" },
      "ebtable_nat": { "size": "12807", "refcount": "1" },
      "ebtable_broute": { "size": "12731", "refcount": "1" },
      "bridge": { "size": "151336", "refcount": "1", "version": "2.3" },
      "stp": {
--More--
```
Log out of the VM:
```
[root@targetb ~]# exit
déconnexion
trainee@targetb:~$ exit
déconnexion
```
Trainees **18**, **19**, **20**, **21**, **22** and **23**
Configure the two new clients targeta and targetb.
```
root@workstation:~/chef-repo# ssh -l trainee 10.0.3.52
Debian GNU/Linux 9
trainee@10.0.3.52's password: trainee
Linux targeta.i2tch.loc 4.9.0-8-amd64 #1 SMP Debian 4.9.130-2 (2018-10-27) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Mar 21 08:47:45 2021 from 10.0.3.10
trainee@targeta:~$ su -
Mot de passe : fenestros
root@targeta:~# systemctl status apache2
Unit apache2.service could not be found.
root@targeta:~#
```
Edit the PermitRootLogin directive in /etc/ssh/sshd_config so that the root user can log in to the client:
```
root@targeta:~# vi /etc/ssh/sshd_config
root@targeta:~# cat /etc/ssh/sshd_config
...
PermitRootLogin yes
...
root@targeta:~# systemctl restart ssh
```
Then edit the /etc/hosts file:
```
root@targeta:~# vi /etc/hosts
root@targeta:~# cat /etc/hosts
127.0.0.1 localhost
10.0.3.110 chefserver.ittraining.loc chefserver
10.0.3.111 workstation.ittraining.loc workstation
10.0.3.52 targeta.i2tch.loc targeta
10.0.3.53 targetb.i2tch.loc targetb

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
```
Update the package repositories:
```
root@targeta:~# sed -i s/ftp.fr.debian.org/archive.debian.org/g /etc/apt/sources.list
root@targeta:~# sed -i '/debian-security/d' /etc/apt/sources.list
root@targeta:~# sed -i '/stretch-updates/d' /etc/apt/sources.list
root@targeta:~# apt update
Ign:1 http://archive.debian.org/debian stretch InRelease
Réception de:2 http://archive.debian.org/debian stretch Release [118 kB]
Réception de:3 http://archive.debian.org/debian stretch Release.gpg [3 177 B]
Réception de:4 http://archive.debian.org/debian stretch/main Sources [6 736 kB]
Réception de:5 http://archive.debian.org/debian stretch/main amd64 Packages [7 080 kB]
Réception de:6 http://archive.debian.org/debian stretch/main Translation-fr [1 894 kB]
Réception de:7 http://archive.debian.org/debian stretch/main Translation-en [5 377 kB]
21,2 Mo réceptionnés en 6s (3 302 ko/s)
Lecture des listes de paquets... Fait
Construction de l'arbre des dépendances
Lecture des informations d'état... Fait
226 packages can be upgraded. Run 'apt list --upgradable' to see them.
```
Consult the list of Automatic Attributes:
```
root@targeta:~# ohai | more
{
  "init_package": "systemd",
  "keys": {
    "ssh": {
      "host_rsa_public": "AAAAB3NzaC1yc2EAAAADAQABAAABAQCyniXxtEUmEsWSRkTc6fbNhGVEvTmu+3YD/JleRkDSMRGy0i58Vbao2Cu7Rhg/tC6FbYOMKBvveZhFa8gphUneSqSsLdyxokubj4fO4PEW/wv0SSo2rEfuGXp6oLm4EQgWrLIOJPpRDy5kwRIU8XPc PduyiRFInMEBv62BYqpxS9DBaz40oH0bif+WgrIO01Led/mZ2A0rUzr+9gUFUcpUxX9tZC4geCxsKcW1i/FuWTrWr7f4+Zwbz89bt9eA+BK4trJ5hUhAdHUxcX3rAKGZU9ruAxciuQVzQ8f/HYNVSWg3cNB4g08+0/rHSasMFrhIkk86RX/16mGTHGKpuyId",
      "host_ecdsa_public": "AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKVU5pimWmTgKKazpAyInMjuQYlCvJ2GmX68P+81m1KfypeD8N8QiQfPtgucevPfAXraDtzAZjSTRK+2DcRwnmM=",
      "host_ecdsa_type": "ecdsa-sha2-nistp256",
      "host_ed25519_public": "AAAAC3NzaC1lZDI1NTE5AAAAILL1bKUqdRZiqXicr229LWK9iKNveAbKM5UiQPA7VFoH"
    }
  },
  "memory": {
    "swap": { "cached": "0kB", "total": "2095100kB", "free": "2095100kB" },
    "hugepages": { "total": "0", "free": "0", "reserved": "0", "surplus": "0" },
    "directmap": { "4k": "55160kB", "2M": "2041856kB" },
    "total": "2052288kB",
    "free": "1460856kB",
    "available": "1805260kB",
    "buffers": "38048kB",
    "cached": "411952kB",
    "active": "213712kB",
    "inactive": "284764kB",
    "dirty": "8kB",
    "writeback": "0kB",
    "anon_pages": "48532kB",
    "mapped": "41324kB",
    "slab": "72612kB",
    "slab_reclaimable": "59524kB",
    "slab_unreclaim": "13088kB",
    "page_tables": "4440kB",
    "nfs_unstable": "0kB",
    "bounce": "0kB",
    "commit_limit": "3121244kB",
    "committed_as": "697488kB",
    "vmalloc_total": "34359738367kB",
    "vmalloc_used": "0kB",
    "vmalloc_chunk": "0kB",
    "hugepage_size": "2048kB"
  },
  "network": {
    "interfaces": {
      "lo": {
        "mtu": "65536",
--Plus--
```
Leave the targeta VM:
```
root@targeta:~# exit
déconnexion
trainee@targeta:~$ exit
déconnexion
Connection to 10.0.3.52 closed.
```
Connect to the targetb VM:
```
root@workstation:~/chef-repo/cookbooks# ssh -l trainee 10.0.3.53
The authenticity of host '10.0.3.53 (10.0.3.53)' can't be established.
ECDSA key fingerprint is SHA256:RgOsp/XI7JHNq+oIfHKw+jkHdtTnBIh+Dd7kVmHRxtU.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.3.53' (ECDSA) to the list of known hosts.
trainee@10.0.3.53's password: trainee
Last login: Sun Mar 21 08:53:18 2021 from 10.0.3.10
[trainee@targetb ~]$ su -
Password: fenestros
Last login: dim. mars 21 08:53:25 CET 2021 on pts/0
```
Change the PermitRootLogin directive in /etc/ssh/sshd_config so that the root user can log in to the client:
```
[root@targetb ~]# vi /etc/ssh/sshd_config
[root@targetb ~]# cat /etc/ssh/sshd_config
#	$OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
...
PermitRootLogin yes
...
[root@targetb ~]# systemctl restart sshd
```
Then edit the /etc/hosts file:
```
[root@targetb ~]# vi /etc/hosts
[root@targetb ~]# cat /etc/hosts
127.0.0.1   localhost.localdomain localhost
::1         localhost6.localdomain6 localhost6
10.0.3.110 chefserver.ittraining.loc chefserver
10.0.3.111 workstation.ittraining.loc workstation
10.0.3.52 targeta.i2tch.loc targeta
10.0.3.53 targetb.i2tch.loc targetb
```
Consult the list of Automatic Attributes:
```
[root@targetb ~]# ohai | more
{
  "kernel": {
    "name": "Linux",
    "release": "3.10.0-957.1.3.el7.x86_64",
    "version": "#1 SMP Thu Nov 29 14:49:43 UTC 2018",
    "machine": "x86_64",
    "processor": "x86_64",
    "os": "GNU/Linux",
    "modules": {
      "ip6t_rpfilter": { "size": "12595", "refcount": "1" },
      "ipt_REJECT": { "size": "12541", "refcount": "2" },
      "nf_reject_ipv4": { "size": "13373", "refcount": "1" },
      "ip6t_REJECT": { "size": "12625", "refcount": "2" },
      "nf_reject_ipv6": { "size": "13717", "refcount": "1" },
      "xt_conntrack": { "size": "12760", "refcount": "13" },
      "ip_set": { "size": "45644", "refcount": "0" },
      "nfnetlink": { "size": "14490", "refcount": "1" },
      "ebtable_nat": { "size": "12807", "refcount": "1" },
      "ebtable_broute": { "size": "12731", "refcount": "1" },
      "bridge": { "size": "151336", "refcount": "1", "version": "2.3" },
      "stp": {
--More--
```
Log out of the VM:
```
[root@targetb ~]# exit
déconnexion
trainee@targetb:~$ exit
déconnexion
```
1.3 - Bootstrapping the Clients
Trainees **11**, **12**, **14**, **15**, **16** and **17**
Start with the targeta VM:
```
root@workstation:~/chef-repo# knife bootstrap 10.0.2.52 --ssh-user root --ssh-password fenestros --node-name targeta
--ssh-user: This flag is deprecated. Use -U/--connection-user instead.
--ssh-password: This flag is deprecated. Use -P/--connection-password instead.
Connecting to 10.0.2.52
The authenticity of host '10.0.2.52 ()' can't be established.
fingerprint is SHA256:Tk/PXJFmWnE96DhFsYAaFqgHQXPJhw+ArPP/GG9IJTw.
Are you sure you want to continue connecting
? (Y/N) y
Connecting to 10.0.2.52
Creating new client for targeta
Creating new node for targeta
Bootstrapping 10.0.2.52
 [10.0.2.52] -----> Installing Chef Omnibus (stable/15)
downloading https://omnitruck.chef.io/chef/install.sh
  to file /tmp/install.sh.1583/install.sh
trying wget...
 [10.0.2.52] debian 9 x86_64
Getting information for chef stable 15 for debian...
downloading https://omnitruck.chef.io/stable/chef/metadata?v=15&p=debian&pv=9&m=x86_64
  to file /tmp/install.sh.1587/metadata.txt
 [10.0.2.52] trying wget...
 [10.0.2.52] sha1 168e534c58f9e17394bc9ba7112ee2280fecdd79
sha256 a50884a3c0be26875c329de9a1cea854eacb0a0a1ed031301ee6c29aad0f19ed
url https://packages.chef.io/files/stable/chef/15.17.4/debian/9/chef_15.17.4-1_amd64.deb
version 15.17.4
 [10.0.2.52] downloaded metadata file looks valid...
 [10.0.2.52] downloading https://packages.chef.io/files/stable/chef/15.17.4/debian/9/chef_15.17.4-1_amd64.deb
  to file /tmp/install.sh.1587/chef_15.17.4-1_amd64.deb
 [10.0.2.52] trying wget...
 [10.0.2.52] Comparing checksum with sha256sum...
 [10.0.2.52] Installing chef 15
installing with dpkg...
 [10.0.2.52] Sélection du paquet chef précédemment désélectionné.
 [10.0.2.52] (Lecture de la base de données... 91215 fichiers et répertoires déjà installés.)
 [10.0.2.52] Préparation du dépaquetage de .../chef_15.17.4-1_amd64.deb ...
 [10.0.2.52] Dépaquetage de chef (15.17.4-1) ...
 [10.0.2.52] Paramétrage de chef (15.17.4-1) ...
 [10.0.2.52] Thank you for installing Chef Infra Client! For help getting started visit https://learn.chef.io
 [10.0.2.52] Starting the first Chef Infra Client Client run...
 [10.0.2.52] +---------------------------------------------+
✔ 2 product licenses accepted.
+---------------------------------------------+
 [10.0.2.52] Starting Chef Infra Client, version 15.17.4
 [10.0.2.52] resolving cookbooks for run list: []
 [10.0.2.52] Synchronizing Cookbooks:
 [10.0.2.52] Installing Cookbook Gems:
Compiling Cookbooks...
[2023-11-07T12:51:58+01:00] WARN: Node targeta has an empty run list.
 [10.0.2.52] Converging 0 resources
 [10.0.2.52] Running handlers:
 [10.0.2.52] Running handlers complete
Chef Infra Client finished, 0/0 resources updated in 01 seconds
 [10.0.2.52] [2023-11-07T12:51:58+01:00] WARN: This release of Chef Infra Client became end of life (EOL) on May 1st 2021. Please update to a supported release to receive new features, bug fixes, and security updates.
```
Important - Note the warning [2023-11-07T12:51:58+01:00] WARN: Node targeta has an empty run list. This warning is due to the fact that no Recipe was specified when the command was run.
Re-run the knife bootstrap command, adding -r 'recipe[apache]':
```
root@workstation:~/chef-repo# knife bootstrap 10.0.2.52 --ssh-user root --ssh-password fenestros --node-name targeta -r 'recipe[apache]'
--ssh-user: This flag is deprecated. Use -U/--connection-user instead.
--ssh-password: This flag is deprecated. Use -P/--connection-password instead.
Connecting to 10.0.2.52
The authenticity of host '10.0.2.52 ()' can't be established.
fingerprint is SHA256:Tk/PXJFmWnE96DhFsYAaFqgHQXPJhw+ArPP/GG9IJTw.
Are you sure you want to continue connecting
? (Y/N) Y
Connecting to 10.0.2.52
Node targeta exists, overwrite it? (Y/N) Y
Client targeta exists, overwrite it? (Y/N) Y
Creating new client for targeta
Creating new node for targeta
Bootstrapping 10.0.2.52
 [10.0.2.52] -----> Existing Chef Infra Client installation detected
 [10.0.2.52] Starting the first Chef Infra Client Client run...
 [10.0.2.52] Starting Chef Infra Client, version 15.17.4
 [10.0.2.52] resolving cookbooks for run list: ["apache"]
 [10.0.2.52] Synchronizing Cookbooks:
 [10.0.2.52]   - apache (0.1.0)
 [10.0.2.52] Installing Cookbook Gems:
 [10.0.2.52] Compiling Cookbooks...
 [10.0.2.52] Converging 3 resources
 [10.0.2.52] Recipe: apache::default
 [10.0.2.52]   * apt_package[apache2] action install
 [10.0.2.52]     - install version 2.4.25-3+deb9u9 of package apache2
  * service[apache2] action start
 [10.0.2.52]  (up to date)
  * service[apache2] action enable
 [10.0.2.52]  (up to date)
 [10.0.2.52]   * cookbook_file[/var/www/html/index.html] action create
 [10.0.2.52]     - create new file /var/www/html/index.html
 [10.0.2.52]     - update content in file /var/www/html/index.html from none to 10664a
 [10.0.2.52]     --- /var/www/html/index.html	2023-11-07 13:13:02.181522947 +0100
 [10.0.2.52]     +++ /var/www/html/.chef-index20231107-2029-1nw15nc.html	2023-11-07 13:13:02.177522927 +0100
 [10.0.2.52]     @@ -1 +1,5 @@
 [10.0.2.52]     +<html>
 [10.0.2.52]     +<title>OHIO et Chef</title>
 [10.0.2.52]     +<body> Wow! It works!</body>
 [10.0.2.52]     +</html>
 [10.0.2.52]     - change mode from '' to '0644'
 [10.0.2.52] Running handlers:
 [10.0.2.52] Running handlers complete
Chef Infra Client finished, 2/4 resources updated in 17 seconds
 [10.0.2.52] [2023-11-07T13:13:02+01:00] WARN: This release of Chef Infra Client became end of life (EOL) on May 1st 2021. Please update to a supported release to receive new features, bug fixes, and security updates
```
Connect to the targeta VM and check that the apache2 package is installed:
```
root@workstation:~/chef-repo# ssh -l trainee 10.0.2.52
Debian GNU/Linux 9
trainee@10.0.2.52's password: trainee
Linux targeta.i2tch.loc 4.9.0-8-amd64 #1 SMP Debian 4.9.130-2 (2018-10-27) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Nov 7 13:25:32 2023 from 10.0.2.111
trainee@targeta:~$ su -
Mot de passe : fenestros
root@targeta:~# systemctl status apache2
● apache2.service - The Apache HTTP Server
   Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2023-11-07 13:13:00 CET; 14min ago
 Main PID: 2717 (apache2)
   CGroup: /system.slice/apache2.service
           ├─2717 /usr/sbin/apache2 -k start
           ├─2719 /usr/sbin/apache2 -k start
           └─2721 /usr/sbin/apache2 -k start

nov. 07 13:13:00 targeta.i2tch.loc systemd[1]: Starting The Apache HTTP Server...
nov. 07 13:13:00 targeta.i2tch.loc systemd[1]: Started The Apache HTTP Server.
root@targeta:~# exit
déconnexion
trainee@targeta:~$ exit
déconnexion
Connection to 10.0.2.52 closed.
```
Then proceed with the targetb VM:
```
root@workstation:~/chef-repo# knife bootstrap 10.0.2.53 --ssh-user root --ssh-password fenestros --node-name targetb -r 'recipe[apache]'
--ssh-user: This flag is deprecated. Use -U/--connection-user instead.
--ssh-password: This flag is deprecated. Use -P/--connection-password instead.
Connecting to 10.0.2.53
The authenticity of host '10.0.2.53 ()' can't be established.
fingerprint is SHA256:PokJEptX8i3G+Qdy2WFX9xWby1d+l/0FhVyN1onGXnQ.
Are you sure you want to continue connecting
? (Y/N) Y
Connecting to 10.0.2.53
Creating new client for targetb
Creating new node for targetb
Bootstrapping 10.0.2.53
 [10.0.2.53] -----> Installing Chef Omnibus (stable/15)
downloading https://omnitruck.chef.io/chef/install.sh
  to file /tmp/install.sh.21113/install.sh
trying wget...
 [10.0.2.53] el 7 x86_64
Getting information for chef stable 15 for el...
downloading https://omnitruck.chef.io/stable/chef/metadata?v=15&p=el&pv=7&m=x86_64
  to file /tmp/install.sh.21123/metadata.txt
 [10.0.2.53] trying wget...
 [10.0.2.53] sha1 9e066d888611971a1dceb7c3eaf0375a6c61ebd0
sha256 0aaf56d149bdddc73b501322777ac378e2ffb63aa6eb714d93b16714e166e4f0
url https://packages.chef.io/files/stable/chef/15.17.4/el/7/chef-15.17.4-1.el7.x86_64.rpm
version 15.17.4
 [10.0.2.53] downloaded metadata file looks valid...
 [10.0.2.53] downloading https://packages.chef.io/files/stable/chef/15.17.4/el/7/chef-15.17.4-1.el7.x86_64.rpm
  to file /tmp/install.sh.21123/chef-15.17.4-1.el7.x86_64.rpm
 [10.0.2.53] trying wget...
 [10.0.2.53] Comparing checksum with sha256sum...
 [10.0.2.53] Installing chef 15
installing with rpm...
 [10.0.2.53] warning: /tmp/install.sh.21123/chef-15.17.4-1.el7.x86_64.rpm: Header V4 DSA/SHA1 Signature, key ID 83ef826a: NOKEY
 [10.0.2.53] Preparing...
 [10.0.2.53] ########################################
 [10.0.2.53] Updating / installing...
chef-15.17.4-1.el7
 [10.0.2.53] # ...
 [10.0.2.53] #
 [10.0.2.53] Thank you for installing Chef Infra Client! For help getting started visit https://learn.chef.io
 [10.0.2.53] Starting the first Chef Infra Client Client run...
 [10.0.2.53] +---------------------------------------------+
✔ 2 product licenses accepted.
+---------------------------------------------+
 [10.0.2.53] Starting Chef Infra Client, version 15.17.4
 [10.0.2.53] resolving cookbooks for run list: ["apache"]
 [10.0.2.53] Synchronizing Cookbooks:
 [10.0.2.53]   - apache (0.1.0)
 [10.0.2.53] Installing Cookbook Gems:
Compiling Cookbooks...
 [10.0.2.53] Converging 3 resources
Recipe: apache::default
  * yum_package[httpd] action install
 [10.0.2.53]     - install version 0:2.4.6-99.el7.centos.1.x86_64 of package httpd
  * service[httpd] action start
 [10.0.2.53]     - start service service[httpd]
  * service[httpd] action enable
 [10.0.2.53]     - enable service service[httpd]
  * cookbook_file[/var/www/html/index.html] action create
 [10.0.2.53]     - create new file /var/www/html/index.html
    - update content in file /var/www/html/index.html from none to 10664a
    --- /var/www/html/index.html	2023-11-07 13:09:34.001959916 +0100
    +++ /var/www/html/.chef-index20231107-23588-8oklnl.html	2023-11-07 13:09:34.001959916 +0100
    @@ -1 +1,5 @@
    +<html>
    +<title>OHIO et Chef</title>
    +<body> Wow! It works!</body>
    +</html>
    - change mode from '' to '0644'
 [10.0.2.53]     - restore selinux security context
 [10.0.2.53] Running handlers:
Running handlers complete
Chef Infra Client finished, 4/4 resources updated in 32 seconds
 [10.0.2.53] [2023-11-07T13:09:34+01:00] WARN: This release of Chef Infra Client became end of life (EOL) on May 1st 2021. Please update to a supported release to receive new features, bug fixes, and security updates.
```
Connect to the targetb VM and check that the httpd package has been installed:
root@workstation:~/chef-repo# ssh -l trainee 10.0.2.53
trainee@10.0.2.53's password: trainee
Last login: Tue Nov 7 13:22:36 2023 from workstation.ittraining.loc
[trainee@targetb ~]$ su -
Password: fenestros
Last login: mar. nov. 7 13:22:46 CET 2023 on pts/0
[root@targetb ~]# systemctl status httpd
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2023-11-07 13:09:33 CET; 20min ago
     Docs: man:httpd(8)
           man:apachectl(8)
 Main PID: 24003 (httpd)
   Status: "Total requests: 0; Current requests/sec: 0; Current traffic: 0 B/sec"
   CGroup: /system.slice/httpd.service
           ├─24003 /usr/sbin/httpd -DFOREGROUND
           ├─24004 /usr/sbin/httpd -DFOREGROUND
           ├─24005 /usr/sbin/httpd -DFOREGROUND
           ├─24006 /usr/sbin/httpd -DFOREGROUND
           ├─24007 /usr/sbin/httpd -DFOREGROUND
           └─24008 /usr/sbin/httpd -DFOREGROUND

Nov 07 13:09:33 targetb.i2tch.loc systemd[1]: Starting The Apache HTTP Server...
Nov 07 13:09:33 targetb.i2tch.loc systemd[1]: Started The Apache HTTP Server.
[root@targetb ~]# exit
logout
[trainee@targetb ~]$ exit
logout
Connection to 10.0.2.53 closed.
Trainees 18, 19, 20, 21, 22 and 23:
Start with the targeta VM:
root@workstation:~/chef-repo# knife bootstrap 10.0.3.52 --ssh-user root --ssh-password fenestros --node-name targeta
--ssh-user: This flag is deprecated. Use -U/--connection-user instead.
--ssh-password: This flag is deprecated. Use -P/--connection-password instead.
Connecting to 10.0.3.52
The authenticity of host '10.0.3.52 ()' can't be established.
fingerprint is SHA256:Tk/PXJFmWnE96DhFsYAaFqgHQXPJhw+ArPP/GG9IJTw.
Are you sure you want to continue connecting ? (Y/N) y
Connecting to 10.0.3.52
Creating new client for targeta
Creating new node for targeta
Bootstrapping 10.0.3.52
[10.0.3.52] -----> Installing Chef Omnibus (stable/15)
downloading https://omnitruck.chef.io/chef/install.sh
  to file /tmp/install.sh.1583/install.sh
trying wget...
[10.0.3.52] debian 9 x86_64
Getting information for chef stable 15 for debian...
downloading https://omnitruck.chef.io/stable/chef/metadata?v=15&p=debian&pv=9&m=x86_64
  to file /tmp/install.sh.1587/metadata.txt
[10.0.3.52] trying wget...
[10.0.3.52] sha1 168e534c58f9e17394bc9ba7112ee2280fecdd79
sha256 a50884a3c0be26875c329de9a1cea854eacb0a0a1ed031301ee6c29aad0f19ed
url https://packages.chef.io/files/stable/chef/15.17.4/debian/9/chef_15.17.4-1_amd64.deb
version 15.17.4
[10.0.3.52]
[10.0.3.52] downloaded metadata file looks valid...
[10.0.3.52] downloading https://packages.chef.io/files/stable/chef/15.17.4/debian/9/chef_15.17.4-1_amd64.deb
  to file /tmp/install.sh.1587/chef_15.17.4-1_amd64.deb
[10.0.3.52] trying wget...
[10.0.3.52] Comparing checksum with sha256sum...
[10.0.3.52] Installing chef 15
installing with dpkg...
[10.0.3.52] Sélection du paquet chef précédemment désélectionné.
[10.0.3.52] (Lecture de la base de données... 91215 fichiers et répertoires déjà installés.)
[10.0.3.52] Préparation du dépaquetage de .../chef_15.17.4-1_amd64.deb ...
[10.0.3.52] Dépaquetage de chef (15.17.4-1) ...
[10.0.3.52] Paramétrage de chef (15.17.4-1) ...
[10.0.3.52] Thank you for installing Chef Infra Client! For help getting started visit https://learn.chef.io
[10.0.3.52] Starting the first Chef Infra Client Client run...
[10.0.3.52] +---------------------------------------------+
✔ 2 product licenses accepted.
+---------------------------------------------+
[10.0.3.52] Starting Chef Infra Client, version 15.17.4
[10.0.3.52] resolving cookbooks for run list: []
[10.0.3.52] Synchronizing Cookbooks:
[10.0.3.52] Installing Cookbook Gems:
Compiling Cookbooks...
[2023-11-07T12:51:58+01:00] WARN: Node targeta has an empty run list.
[10.0.3.52] Converging 0 resources
[10.0.3.52] Running handlers:
[10.0.3.52] Running handlers complete
[10.0.3.52] Chef Infra Client finished, 0/0 resources updated in 01 seconds
[10.0.3.52] [2023-11-07T12:51:58+01:00] WARN: This release of Chef Infra Client became end of life (EOL) on May 1st 2021. Please update to a supported release to receive new features, bug fixes, and security updates.
Important - Note the warning [2023-11-07T12:51:58+01:00] WARN: Node targeta has an empty run list. This warning appears because no Recipe was specified when the command was run.
Re-run the knife bootstrap command, this time adding -r 'recipe[apache]':
root@workstation:~/chef-repo# knife bootstrap 10.0.3.52 --ssh-user root --ssh-password fenestros --node-name targeta -r 'recipe[apache]'
--ssh-user: This flag is deprecated. Use -U/--connection-user instead.
--ssh-password: This flag is deprecated. Use -P/--connection-password instead.
Connecting to 10.0.3.52
The authenticity of host '10.0.3.52 ()' can't be established.
fingerprint is SHA256:Tk/PXJFmWnE96DhFsYAaFqgHQXPJhw+ArPP/GG9IJTw.
Are you sure you want to continue connecting ? (Y/N) Y
Connecting to 10.0.3.52
Node targeta exists, overwrite it? (Y/N) Y
Client targeta exists, overwrite it? (Y/N) Y
Creating new client for targeta
Creating new node for targeta
Bootstrapping 10.0.3.52
[10.0.3.52] -----> Existing Chef Infra Client installation detected
[10.0.3.52] Starting the first Chef Infra Client Client run...
[10.0.3.52] Starting Chef Infra Client, version 15.17.4
[10.0.3.52] resolving cookbooks for run list: ["apache"]
[10.0.3.52] Synchronizing Cookbooks:
[10.0.3.52]   - apache (0.1.0)
[10.0.3.52] Installing Cookbook Gems:
[10.0.3.52] Compiling Cookbooks...
[10.0.3.52] Converging 3 resources
[10.0.3.52] Recipe: apache::default
[10.0.3.52]   * apt_package[apache2] action install
[10.0.3.52]     - install version 2.4.25-3+deb9u9 of package apache2
  * service[apache2] action start
[10.0.3.52]  (up to date)
  * service[apache2] action enable
[10.0.3.52]  (up to date)
[10.0.3.52]   * cookbook_file[/var/www/html/index.html] action create
[10.0.3.52]     - create new file /var/www/html/index.html
[10.0.3.52]     - update content in file /var/www/html/index.html from none to 10664a
[10.0.3.52]     --- /var/www/html/index.html    2023-11-07 13:13:02.181522947 +0100
[10.0.3.52]     +++ /var/www/html/.chef-index20231107-2029-1nw15nc.html    2023-11-07 13:13:02.177522927 +0100
[10.0.3.52]     @@ -1 +1,5 @@
[10.0.3.52]     +<html>
[10.0.3.52]     +<title>OHIO et Chef</title>
[10.0.3.52]     +<body> Wow! It works!</body>
[10.0.3.52]     +</html>
[10.0.3.52]     - change mode from '' to '0644'
[10.0.3.52] Running handlers:
[10.0.3.52] Running handlers complete
[10.0.3.52] Chef Infra Client finished, 2/4 resources updated in 17 seconds
[10.0.3.52] [2023-11-07T13:13:02+01:00] WARN: This release of Chef Infra Client became end of life (EOL) on May 1st 2021. Please update to a supported release to receive new features, bug fixes, and security updates
Connect to the targeta VM and check that the apache2 package has been installed:
root@workstation:~/chef-repo# ssh -l trainee 10.0.3.52
Debian GNU/Linux 9
trainee@10.0.3.52's password: trainee
Linux targeta.i2tch.loc 4.9.0-8-amd64 #1 SMP Debian 4.9.130-2 (2018-10-27) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Nov 7 13:25:32 2023 from 10.0.3.111
trainee@targeta:~$ su -
Mot de passe : fenestros
root@targeta:~# systemctl status apache2
● apache2.service - The Apache HTTP Server
   Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2023-11-07 13:13:00 CET; 14min ago
 Main PID: 2717 (apache2)
   CGroup: /system.slice/apache2.service
           ├─2717 /usr/sbin/apache2 -k start
           ├─2719 /usr/sbin/apache2 -k start
           └─2721 /usr/sbin/apache2 -k start

nov. 07 13:13:00 targeta.i2tch.loc systemd[1]: Starting The Apache HTTP Server...
nov. 07 13:13:00 targeta.i2tch.loc systemd[1]: Started The Apache HTTP Server.
root@targeta:~# exit
déconnexion
trainee@targeta:~$ exit
déconnexion
Connection to 10.0.3.52 closed.
Then proceed with the targetb VM:
root@workstation:~/chef-repo# knife bootstrap 10.0.3.53 --ssh-user root --ssh-password fenestros --node-name targetb -r 'recipe[apache]'
--ssh-user: This flag is deprecated. Use -U/--connection-user instead.
--ssh-password: This flag is deprecated. Use -P/--connection-password instead.
Connecting to 10.0.3.53
The authenticity of host '10.0.3.53 ()' can't be established.
fingerprint is SHA256:PokJEptX8i3G+Qdy2WFX9xWby1d+l/0FhVyN1onGXnQ.
Are you sure you want to continue connecting ? (Y/N) Y
Connecting to 10.0.3.53
Creating new client for targetb
Creating new node for targetb
Bootstrapping 10.0.3.53
[10.0.3.53] -----> Installing Chef Omnibus (stable/15)
downloading https://omnitruck.chef.io/chef/install.sh
  to file /tmp/install.sh.21113/install.sh
trying wget...
[10.0.3.53] el 7 x86_64
Getting information for chef stable 15 for el...
downloading https://omnitruck.chef.io/stable/chef/metadata?v=15&p=el&pv=7&m=x86_64
  to file /tmp/install.sh.21123/metadata.txt
[10.0.3.53] trying wget...
[10.0.3.53] sha1 9e066d888611971a1dceb7c3eaf0375a6c61ebd0
sha256 0aaf56d149bdddc73b501322777ac378e2ffb63aa6eb714d93b16714e166e4f0
url https://packages.chef.io/files/stable/chef/15.17.4/el/7/chef-15.17.4-1.el7.x86_64.rpm
version 15.17.4
[10.0.3.53]
[10.0.3.53] downloaded metadata file looks valid...
[10.0.3.53] downloading https://packages.chef.io/files/stable/chef/15.17.4/el/7/chef-15.17.4-1.el7.x86_64.rpm
  to file /tmp/install.sh.21123/chef-15.17.4-1.el7.x86_64.rpm
[10.0.3.53] trying wget...
[10.0.3.53] Comparing checksum with sha256sum...
[10.0.3.53] Installing chef 15
installing with rpm...
[10.0.3.53] warning: /tmp/install.sh.21123/chef-15.17.4-1.el7.x86_64.rpm: Header V4 DSA/SHA1 Signature, key ID 83ef826a: NOKEY
[10.0.3.53] Preparing...
[10.0.3.53] ########################################
[10.0.3.53] Updating / installing...
chef-15.17.4-1.el7
[10.0.3.53] # ...
[10.0.3.53] #
[10.0.3.53] Thank you for installing Chef Infra Client! For help getting started visit https://learn.chef.io
[10.0.3.53] Starting the first Chef Infra Client Client run...
[10.0.3.53] +---------------------------------------------+
✔ 2 product licenses accepted.
+---------------------------------------------+
[10.0.3.53] Starting Chef Infra Client, version 15.17.4
[10.0.3.53] resolving cookbooks for run list: ["apache"]
[10.0.3.53] Synchronizing Cookbooks:
[10.0.3.53]   - apache (0.1.0)
[10.0.3.53] Installing Cookbook Gems:
Compiling Cookbooks...
[10.0.3.53] Converging 3 resources
Recipe: apache::default
  * yum_package[httpd] action install
[10.0.3.53]     - install version 0:2.4.6-99.el7.centos.1.x86_64 of package httpd
  * service[httpd] action start
[10.0.3.53]     - start service service[httpd]
  * service[httpd] action enable
[10.0.3.53]     - enable service service[httpd]
  * cookbook_file[/var/www/html/index.html] action create
[10.0.3.53]     - create new file /var/www/html/index.html
    - update content in file /var/www/html/index.html from none to 10664a
    --- /var/www/html/index.html    2023-11-07 13:09:34.001959916 +0100
    +++ /var/www/html/.chef-index20231107-23588-8oklnl.html    2023-11-07 13:09:34.001959916 +0100
    @@ -1 +1,5 @@
    +<html>
    +<title>OHIO et Chef</title>
    +<body> Wow! It works!</body>
    +</html>
    - change mode from '' to '0644'
[10.0.3.53]     - restore selinux security context
[10.0.3.53] Running handlers:
Running handlers complete
Chef Infra Client finished, 4/4 resources updated in 32 seconds
[10.0.3.53] [2023-11-07T13:09:34+01:00] WARN: This release of Chef Infra Client became end of life (EOL) on May 1st 2021. Please update to a supported release to receive new features, bug fixes, and security updates.
Connect to the targetb VM and check that the httpd package has been installed:
root@workstation:~/chef-repo# ssh -l trainee 10.0.3.53
trainee@10.0.3.53's password: trainee
Last login: Tue Nov 7 13:22:36 2023 from workstation.ittraining.loc
[trainee@targetb ~]$ su -
Password: fenestros
Last login: mar. nov. 7 13:22:46 CET 2023 on pts/0
[root@targetb ~]# systemctl status httpd
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2023-11-07 13:09:33 CET; 20min ago
     Docs: man:httpd(8)
           man:apachectl(8)
 Main PID: 24003 (httpd)
   Status: "Total requests: 0; Current requests/sec: 0; Current traffic: 0 B/sec"
   CGroup: /system.slice/httpd.service
           ├─24003 /usr/sbin/httpd -DFOREGROUND
           ├─24004 /usr/sbin/httpd -DFOREGROUND
           ├─24005 /usr/sbin/httpd -DFOREGROUND
           ├─24006 /usr/sbin/httpd -DFOREGROUND
           ├─24007 /usr/sbin/httpd -DFOREGROUND
           └─24008 /usr/sbin/httpd -DFOREGROUND

Nov 07 13:09:33 targetb.i2tch.loc systemd[1]: Starting The Apache HTTP Server...
Nov 07 13:09:33 targetb.i2tch.loc systemd[1]: Started The Apache HTTP Server.
[root@targetb ~]# exit
logout
[trainee@targetb ~]$ exit
logout
Connection to 10.0.3.53 closed.
LAB #2 - Data Bags
2.1 - Overview
2.2 - Creating Data Bags
root@workstation:~/chef-repo# mkdir -p data_bags/users
root@workstation:~/chef-repo# knife data bag --help
FATAL: Cannot find subcommand for: 'data bag --help'
Available data bag subcommands: (for details, knife SUB-COMMAND --help)

** DATA BAG COMMANDS **
knife data bag create BAG [ITEM] (options)
knife data bag delete BAG [ITEM] (options)
knife data bag edit BAG ITEM (options)
knife data bag from file BAG FILE|FOLDER [FILE|FOLDER..] (options)
knife data bag list (options)
knife data bag show BAG [ITEM] (options)
root@workstation:~/chef-repo# knife data bag list
root@workstation:~/chef-repo# knife data bag create users
Created data_bag[users]
root@workstation:~/chef-repo# vi data_bags/users/user1.json
root@workstation:~/chef-repo# cat data_bags/users/user1.json
{
  "id": "user1",
  "comment": "This is user1",
  "uid": "1001",
  "gid": "100",
  "home": "/home/user1",
  "shell": "/bin/bash",
  "platform": "centos"
}
root@workstation:~/chef-repo# vi data_bags/users/user2.json
root@workstation:~/chef-repo# cat data_bags/users/user2.json
{
  "id": "user2",
  "comment": "This is user2",
  "uid": "1002",
  "gid": "100",
  "home": "/home/user2",
  "shell": "/bin/bash",
  "platform": "centos"
}
root@workstation:~/chef-repo# knife data bag from file users data_bags/users/user1.json data_bags/users/user2.json
Updated data_bag_item[users::user1]
Updated data_bag_item[users::user2]
root@workstation:~/chef-repo# knife data bag list
users
root@workstation:~/chef-repo# knife data bag show users
user1
user2
root@workstation:~/chef-repo# knife data bag show users/user1
comment
gid
home
id
platform
shell
uid
root@workstation:~/chef-repo# knife search users "*:*"
2 items found

chef_type: data_bag_item
comment:   This is user1
data_bag:  users
gid:       100
home:      /home/user1
id:        user1
platform:  centos
shell:     /bin/bash
uid:       1001

chef_type: data_bag_item
comment:   This is user2
data_bag:  users
gid:       100
home:      /home/user2
id:        user2
platform:  centos
shell:     /bin/bash
uid:       1002

root@workstation:~/chef-repo# knife search users "comment:This*"
2 items found

chef_type: data_bag_item
comment:   This is user1
data_bag:  users
gid:       100
home:      /home/user1
id:        user1
platform:  centos
shell:     /bin/bash
uid:       1001

chef_type: data_bag_item
comment:   This is user2
data_bag:  users
gid:       100
home:      /home/user2
id:        user2
platform:  centos
shell:     /bin/bash
uid:       1002

root@workstation:~/chef-repo# knife search users "platform:centos" -a comment
2 items found

:
  comment: This is user1

:
  comment: This is user2
root@workstation:~/chef-repo# mkdir data_bags/groups
root@workstation:~/chef-repo# knife data bag create groups
Created data_bag[groups]
root@workstation:~/chef-repo# vi data_bags/groups/group1.json
root@workstation:~/chef-repo# cat data_bags/groups/group1.json
{
  "id": "100",
  "gid": "100",
  "members": ["user1", "user2"]
}
root@workstation:~/chef-repo# knife data bag from file groups data_bags/groups/group1.json
Updated data_bag_item[groups::100]
root@workstation:~/chef-repo# knife data bag show groups
100
root@workstation:~/chef-repo# knife data bag show groups 100
gid:     100
id:      100
members:
  user1
  user2
2.3 - Using Data Bags
root@workstation:~/chef-repo# chef generate cookbook cookbooks/users
Generating cookbook users
- Ensuring correct cookbook content

Your cookbook is ready. Type `cd cookbooks/users` to enter it.

There are several commands you can run to get started locally developing and testing your cookbook.
Type `delivery local --help` to see a full list of local testing commands.

Why not start by writing an InSpec test? Tests for the default recipe are stored at:

test/integration/default/default_test.rb

If you'd prefer to dive right in, the default recipe can be found at:

recipes/default.rb

root@workstation:~/chef-repo# apt install tree
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
  gir1.2-goa-1.0 gir1.2-snapd-1
Use 'apt autoremove' to remove them.
The following NEW packages will be installed:
  tree
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 40,7 kB of archives.
After this operation, 105 kB of additional disk space will be used.
Get:1 http://fr.archive.ubuntu.com/ubuntu bionic/universe amd64 tree amd64 1.7.0-5 [40,7 kB]
Fetched 40,7 kB in 1s (66,2 kB/s)
Selecting previously unselected package tree.
(Reading database ... 223000 files and directories currently installed.)
Preparing to unpack .../tree_1.7.0-5_amd64.deb ...
Unpacking tree (1.7.0-5) ...
Setting up tree (1.7.0-5) ...
Processing triggers for man-db (2.8.3-2ubuntu0.1) ...

root@workstation:~/chef-repo# tree cookbooks/users
cookbooks/users
├── CHANGELOG.md
├── chefignore
├── kitchen.yml
├── LICENSE
├── metadata.rb
├── Policyfile.rb
├── README.md
├── recipes
│   └── default.rb
├── spec
│   ├── spec_helper.rb
│   └── unit
│       └── recipes
│           └── default_spec.rb
└── test
    └── integration
        └── default
            └── default_test.rb

7 directories, 11 files

root@workstation:~/chef-repo# vi cookbooks/users/recipes/default.rb
root@workstation:~/chef-repo# cat cookbooks/users/recipes/default.rb
#
# Cookbook:: users
# Recipe:: default
#
# Copyright:: 2023, The Authors, All Rights Reserved.

# Every item of the "users" data bag whose platform field is "centos"
# becomes a local account with the uid, gid, home and shell it carries.
search("users", "platform:centos").each do |user_data|
  user user_data['id'] do
    comment user_data['comment']
    uid user_data['uid']
    gid user_data['gid']
    home user_data['home']
    shell user_data['shell']
  end
end
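The recipe above turns whatever sits in the users data bag into local accounts on every node in the run list, so the bag content deserves a check before knife data bag from file uploads it. The following Ruby script is an added example, not part of the page's cookbook: it validates items of the same shape as user1.json and user2.json (login-name syntax, integer uid and gid, uid outside the system range, home under /home/<id>, an allow-listed shell, no duplicate id or uid). The allowed-shell list and the uid floor of 1000 are assumptions chosen for the example.

```ruby
require "json"

# Constructed copies of the two items uploaded on this page
# (data_bags/users/user1.json and data_bags/users/user2.json).
USERS_BAG_JSON = <<~'JSON'
  [
    { "id": "user1", "comment": "This is user1", "uid": "1001", "gid": "100",
      "home": "/home/user1", "shell": "/bin/bash", "platform": "centos" },
    { "id": "user2", "comment": "This is user2", "uid": "1002", "gid": "100",
      "home": "/home/user2", "shell": "/bin/bash", "platform": "centos" }
  ]
JSON

# Assumed policy for this example (not from the page).
LOGIN_NAME = /\A[a-z_][a-z0-9_-]{0,31}\z/
ALLOWED_SHELLS = %w[/bin/bash /bin/sh /usr/sbin/nologin /sbin/nologin].freeze
REQUIRED_KEYS = %w[id comment uid gid home shell platform].freeze
MIN_UID = 1000 # below this the uid collides with system accounts in /etc/passwd

# Problems with one item; an empty array means the item is acceptable.
def item_errors(item)
  errors = []
  missing = REQUIRED_KEYS - item.keys
  errors << "missing keys: #{missing.join(', ')}" unless missing.empty?

  id = item["id"].to_s
  errors << "id #{id.inspect} is not a valid login name" unless id.match?(LOGIN_NAME)

  # uid/gid are stored as strings in the JSON, as on the page; they must
  # still parse as integers because the user resource hands them to useradd.
  uid = Integer(item["uid"].to_s, exception: false)
  if uid.nil?
    errors << "uid #{item['uid'].inspect} is not an integer"
  elsif uid < MIN_UID
    errors << "uid #{uid} is below #{MIN_UID} (system range)"
  end
  gid = Integer(item["gid"].to_s, exception: false)
  errors << "gid #{item['gid'].inspect} is not an integer" if gid.nil?

  home = item["home"].to_s
  errors << "home #{home.inspect} must be /home/#{id}" unless home == "/home/#{id}"

  shell = item["shell"].to_s
  errors << "shell #{shell.inspect} is not in the allowed list" unless ALLOWED_SHELLS.include?(shell)
  errors
end

# Problems across the whole bag: per-item errors plus duplicate ids and uids,
# which the recipe would otherwise turn into two resources for one account.
def bag_errors(items)
  errors = items.flat_map { |i| item_errors(i).map { |e| "#{i['id']}: #{e}" } }
  %w[id uid].each do |key|
    dupes = items.map { |i| i[key].to_s }.group_by(&:itself).select { |_, v| v.size > 1 }.keys
    errors << "duplicate #{key}: #{dupes.join(', ')}" unless dupes.empty?
  end
  errors
end

# Entry point: feed it the JSON array of items you are about to upload.
def validate_users_bag(json)
  bag_errors(JSON.parse(json))
end

if __FILE__ == $PROGRAM_NAME
  errors = validate_users_bag(USERS_BAG_JSON)
  puts(errors.empty? ? "users bag OK" : errors)
end
```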
Trainees 11, 12, 14, 15, 16 and 17:
root@workstation:~/chef-repo# ssh -l trainee 10.0.2.52
Debian GNU/Linux 9
trainee@10.0.2.52's password: trainee
Linux targeta.i2tch.loc 4.9.0-8-amd64 #1 SMP Debian 4.9.130-2 (2018-10-27) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Nov 7 16:34:29 2023 from 10.0.2.111
trainee@targeta:~$ su -
Mot de passe : fenestros
root@targeta:~# chef-client
Starting Chef Infra Client, version 15.17.4
resolving cookbooks for run list: ["apache", "users"]
Synchronizing Cookbooks:
  - apache (0.1.0)
  - users (0.1.0)
Installing Cookbook Gems:
Compiling Cookbooks...
Converging 5 resources
Recipe: apache::default
  * apt_package[apache2] action install (up to date)
  * service[apache2] action start (up to date)
  * service[apache2] action enable (up to date)
  * cookbook_file[/var/www/html/index.html] action create (up to date)
Recipe: users::default
  * linux_user[user1] action create
    - create user user1
  * linux_user[user2] action create
    - create user user2

Running handlers:
Running handlers complete
Chef Infra Client finished, 2/6 resources updated in 02 seconds
[2023-11-07T16:45:51+01:00] WARN: This release of Chef Infra Client became end of life (EOL) on May 1st 2021. Please update to a supported release to receive new features, bug fixes, and security updates.

root@targeta:~# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
_apt:x:104:65534::/nonexistent:/bin/false
rtkit:x:105:109:RealtimeKit,,,:/proc:/bin/false
dnsmasq:x:106:65534:dnsmasq,,,:/var/lib/misc:/bin/false
avahi-autoipd:x:107:110:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
messagebus:x:108:111::/var/run/dbus:/bin/false
usbmux:x:109:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
speech-dispatcher:x:110:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
sshd:x:111:65534::/run/sshd:/usr/sbin/nologin
lightdm:x:112:115:Light Display Manager:/var/lib/lightdm:/bin/false
pulse:x:113:116:PulseAudio daemon,,,:/var/run/pulse:/bin/false
avahi:x:114:119:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
saned:x:115:120::/var/lib/saned:/bin/false
trainee:x:1000:1000:trainee,,,:/home/trainee:/bin/bash
ntp:x:116:121::/home/ntp:/bin/false
user1:x:1001:100:This is user1:/home/user1:/bin/bash
user2:x:1002:100:This is user2:/home/user2:/bin/bash
root@targeta:~# exit
déconnexion
trainee@targeta:~$ exit
déconnexion
Connection to 10.0.2.52 closed.
root@workstation:~/chef-repo# ssh -l trainee 10.0.2.53
trainee@10.0.2.53's password: trainee
Last login: Tue Nov 7 16:35:22 2023 from workstation.ittraining.loc
[trainee@targetb ~]$ su -
Password: fenestros
Last login: mar. nov. 7 13:37:44 CET 2023 on pts/0
[root@targetb ~]# chef-client
Starting Chef Infra Client, version 15.17.4
resolving cookbooks for run list: ["apache", "users"]
Synchronizing Cookbooks:
  - apache (0.1.0)
  - users (0.1.0)
Installing Cookbook Gems:
Compiling Cookbooks...
Converging 5 resources
Recipe: apache::default
  * yum_package[httpd] action install (up to date)
  * service[httpd] action start (up to date)
  * service[httpd] action enable (up to date)
  * cookbook_file[/var/www/html/index.html] action create (up to date)
Recipe: users::default
  * linux_user[user1] action create
    - create user user1
  * linux_user[user2] action create
    - create user user2

Running handlers:
Running handlers complete
Chef Infra Client finished, 2/6 resources updated in 05 seconds
[2023-11-07T16:48:07+01:00] WARN: This release of Chef Infra Client became end of life (EOL) on May 1st 2021. Please update to a supported release to receive new features, bug fixes, and security updates.

[root@targetb ~]# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
avahi-autoipd:x:170:170:Avahi IPv4LL Stack:/var/lib/avahi-autoipd:/sbin/nologin
systemd-bus-proxy:x:999:997:systemd Bus Proxy:/:/sbin/nologin
systemd-network:x:998:996:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:997:995:User for polkitd:/:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
usbmuxd:x:113:113:usbmuxd user:/:/sbin/nologin
colord:x:996:993:User for colord:/var/lib/colord:/sbin/nologin
libstoragemgmt:x:995:992:daemon account for libstoragemgmt:/var/run/lsm:/sbin/nologin
setroubleshoot:x:994:991::/var/lib/setroubleshoot:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
rtkit:x:172:172:RealtimeKit:/proc:/sbin/nologin
chrony:x:993:990::/var/lib/chrony:/sbin/nologin
unbound:x:992:989:Unbound DNS resolver:/etc/unbound:/sbin/nologin
tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
geoclue:x:991:988:User for geoclue:/var/lib/geoclue:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
sssd:x:990:987:User for sssd:/:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
pulse:x:171:171:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin
gdm:x:42:42::/var/lib/gdm:/sbin/nologin
gnome-initial-setup:x:989:984::/run/gnome-initial-setup/:/sbin/nologin
avahi:x:70:70:Avahi mDNS/DNS-SD Stack:/var/run/avahi-daemon:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
trainee:x:1000:1000:trainee:/home/trainee:/bin/bash
vboxadd:x:988:1::/var/run/vboxadd:/bin/false
saned:x:987:981:SANE scanner daemon user:/usr/share/sane:/sbin/nologin
gluster:x:986:980:GlusterFS daemons:/run/gluster:/sbin/nologin
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
user1:x:1001:100:This is user1:/home/user1:/bin/bash
user2:x:1002:100:This is user2:/home/user2:/bin/bash
[root@targetb ~]# exit
logout
[trainee@targetb ~]$ exit
logout
Connection to 10.0.2.53 closed.
Trainees 18, 19, 20, 21, 22 and 23:
root@workstation:~/chef-repo# ssh -l trainee 10.0.3.52
Debian GNU/Linux 9
trainee@10.0.3.52's password: trainee
Linux targeta.i2tch.loc 4.9.0-8-amd64 #1 SMP Debian 4.9.130-2 (2018-10-27) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Nov 7 16:34:29 2023 from 10.0.3.111
trainee@targeta:~$ su -
Mot de passe : fenestros
root@targeta:~# chef-client
Starting Chef Infra Client, version 15.17.4
resolving cookbooks for run list: ["apache", "users"]
Synchronizing Cookbooks:
  - apache (0.1.0)
  - users (0.1.0)
Installing Cookbook Gems:
Compiling Cookbooks...
Converging 5 resources
Recipe: apache::default
  * apt_package[apache2] action install (up to date)
  * service[apache2] action start (up to date)
  * service[apache2] action enable (up to date)
  * cookbook_file[/var/www/html/index.html] action create (up to date)
Recipe: users::default
  * linux_user[user1] action create
    - create user user1
  * linux_user[user2] action create
    - create user user2

Running handlers:
Running handlers complete
Chef Infra Client finished, 2/6 resources updated in 02 seconds
[2023-11-07T16:45:51+01:00] WARN: This release of Chef Infra Client became end of life (EOL) on May 1st 2021. Please update to a supported release to receive new features, bug fixes, and security updates.

root@targeta:~# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
_apt:x:104:65534::/nonexistent:/bin/false
rtkit:x:105:109:RealtimeKit,,,:/proc:/bin/false
dnsmasq:x:106:65534:dnsmasq,,,:/var/lib/misc:/bin/false
avahi-autoipd:x:107:110:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
messagebus:x:108:111::/var/run/dbus:/bin/false
usbmux:x:109:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
speech-dispatcher:x:110:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
sshd:x:111:65534::/run/sshd:/usr/sbin/nologin
lightdm:x:112:115:Light Display Manager:/var/lib/lightdm:/bin/false
pulse:x:113:116:PulseAudio daemon,,,:/var/run/pulse:/bin/false
avahi:x:114:119:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
saned:x:115:120::/var/lib/saned:/bin/false
trainee:x:1000:1000:trainee,,,:/home/trainee:/bin/bash
ntp:x:116:121::/home/ntp:/bin/false
user1:x:1001:100:This is user1:/home/user1:/bin/bash
user2:x:1002:100:This is user2:/home/user2:/bin/bash
root@targeta:~# exit
déconnexion
trainee@targeta:~$ exit
déconnexion
Connection to 10.0.3.52 closed.
root@workstation:~/chef-repo# ssh -l trainee 10.0.3.53
trainee@10.0.3.53's password: trainee
Last login: Tue Nov 7 16:35:22 2023 from workstation.ittraining.loc
[trainee@targetb ~]$ su -
Password: fenestros
Last login: mar. nov. 7 13:37:44 CET 2023 on pts/0
[root@targetb ~]# chef-client
Starting Chef Infra Client, version 15.17.4
resolving cookbooks for run list: ["apache", "users"]
Synchronizing Cookbooks:
  - apache (0.1.0)
  - users (0.1.0)
Installing Cookbook Gems:
Compiling Cookbooks...
Converging 5 resources
Recipe: apache::default
  * yum_package[httpd] action install (up to date)
  * service[httpd] action start (up to date)
  * service[httpd] action enable (up to date)
  * cookbook_file[/var/www/html/index.html] action create (up to date)
Recipe: users::default
  * linux_user[user1] action create
    - create user user1
  * linux_user[user2] action create
    - create user user2

Running handlers:
Running handlers complete
Chef Infra Client finished, 2/6 resources updated in 05 seconds
[2023-11-07T16:48:07+01:00] WARN: This release of Chef Infra Client became end of life (EOL) on May 1st 2021. Please update to a supported release to receive new features, bug fixes, and security updates.

[root@targetb ~]# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
avahi-autoipd:x:170:170:Avahi IPv4LL Stack:/var/lib/avahi-autoipd:/sbin/nologin
systemd-bus-proxy:x:999:997:systemd Bus Proxy:/:/sbin/nologin
systemd-network:x:998:996:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:997:995:User for polkitd:/:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
usbmuxd:x:113:113:usbmuxd user:/:/sbin/nologin
colord:x:996:993:User for colord:/var/lib/colord:/sbin/nologin
libstoragemgmt:x:995:992:daemon account for libstoragemgmt:/var/run/lsm:/sbin/nologin
setroubleshoot:x:994:991::/var/lib/setroubleshoot:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
rtkit:x:172:172:RealtimeKit:/proc:/sbin/nologin
chrony:x:993:990::/var/lib/chrony:/sbin/nologin
unbound:x:992:989:Unbound DNS resolver:/etc/unbound:/sbin/nologin
tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
geoclue:x:991:988:User for geoclue:/var/lib/geoclue:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
sssd:x:990:987:User for sssd:/:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
pulse:x:171:171:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin
gdm:x:42:42::/var/lib/gdm:/sbin/nologin
gnome-initial-setup:x:989:984::/run/gnome-initial-setup/:/sbin/nologin
avahi:x:70:70:Avahi mDNS/DNS-SD Stack:/var/run/avahi-daemon:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
trainee:x:1000:1000:trainee:/home/trainee:/bin/bash
vboxadd:x:988:1::/var/run/vboxadd:/bin/false
saned:x:987:981:SANE scanner daemon user:/usr/share/sane:/sbin/nologin
gluster:x:986:980:GlusterFS daemons:/run/gluster:/sbin/nologin
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
user1:x:1001:100:This is user1:/home/user1:/bin/bash
user2:x:1002:100:This is user2:/home/user2:/bin/bash
[root@targetb ~]# exit
logout
[trainee@targetb ~]$ exit
logout
Connection to 10.0.3.53 closed.
2.4 - Encrypted Data Bags
root@workstation:~/chef-repo# openssl rand -base64 512 | tr -d '\r\n' > secret.key
root@workstation:~/chef-repo# ls
cookbooks  data_bags  groups  README.md  roles  secret.key
root@workstation:~/chef-repo# knife data bag create secret-users --secret-file secret.key
Created data_bag[secret-users]
root@workstation:~/chef-repo# knife data bag list
groups
secret-users
users
root@workstation:~/chef-repo# knife data bag from file secret-users data_bags/users/user1.json --secret-file secret.key
Updated data_bag_item[secret-users::user1]
root@workstation:~/chef-repo# knife data bag show secret-users user1
WARNING: Encrypted data bag detected, but no secret provided for decoding. Displaying encrypted data.
comment:
  auth_tag:       iJISCqTLO9YCeTfXXQ3GMw==
  cipher:         aes-256-gcm
  encrypted_data: 2h3z057qS837n28peJgau72e6jAex4jRxWuhxX8UAm4=
  iv:             g5iYCldnxsdnwbhs
  version:        3
gid:
  auth_tag:       xXjGcMe0eagiBmJSuNhxwA==
  cipher:         aes-256-gcm
  encrypted_data: lqzRYH/jentz4lQ7uf37fiN+knypDA==
  iv:             r1xKr2yqpDesrf7V
  version:        3
home:
  auth_tag:       Eog/Q9hdRakkJecxev3kBQ==
  cipher:         aes-256-gcm
  encrypted_data: KsU8l/1gkfV06zHiJ/k5/b16N+QrJiJLdirNCm3g
  iv:             Fftm8pXUXecILNoI
  version:        3
id:       user1
platform:
  auth_tag:       Z3qppY9e9/96hP63E2fSCQ==
  cipher:         aes-256-gcm
  encrypted_data: U++OOEn5iv9yLjviKzHaO4ZE+AVkTnI6dA==
  iv:             rjKccpgF91Ou+Vkm
  version:        3
shell:
  auth_tag:       aoRh+XxNEFEcCt7nhjqoBw==
  cipher:         aes-256-gcm
  encrypted_data: 5DcNDaX6oeQDE7mQSmM/efJ451Eorw+Hyt7EXw==
  iv:             Ttg9HlPH8OmMjLEv
  version:        3
uid:
  auth_tag:       tSan3VvGegSVUWq97MOWhA==
  cipher:         aes-256-gcm
  encrypted_data: 3f6x4Xcb60aXtfG9M1/ZN/RG3av0VIY=
  iv:             C1+YZeWp5OQHonPq
  version:        3
root@workstation:~/chef-repo# knife data bag show secret-users user1 --secret-file secret.key
Encrypted data bag detected, decrypting with provided secret.
comment:  This is user1
gid:      100
home:     /home/user1
id:       user1
platform: centos
shell:    /bin/bash
uid:      1001
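The layout shown by the two knife commands above (one encrypted structure per field, id left in clear, cipher aes-256-gcm, version 3) can be reproduced outside Chef to see what the secret actually protects. The following Ruby is an added example, not code from the course or from the Chef project; it follows Chef's version 3 scheme (key = SHA-256 of the secret file's contents, each value wrapped as {"json_wrapper": value} before encryption), and any secret or item values used with it are constructed, not the course's secret.key.

```ruby
require 'openssl'
require 'json'

# Chef "version 3" encrypted data bag item: every field except "id" is encrypted
# on its own with AES-256-GCM under SHA-256(secret file contents, whitespace stripped).
module ChefEncryptedItem
  CIPHER  = 'aes-256-gcm'
  VERSION = 3

  def self.key_from_secret(secret)
    OpenSSL::Digest.digest('SHA256', secret.strip)
  end

  # Values are wrapped as {"json_wrapper": value} so their JSON type survives.
  def self.encrypt_value(value, key)
    c = OpenSSL::Cipher.new(CIPHER).encrypt
    c.key = key
    iv = c.random_iv            # fresh 12-byte GCM nonce for every field
    c.auth_data = ''            # Chef authenticates no additional data
    ct = c.update(JSON.generate('json_wrapper' => value)) + c.final
    { 'encrypted_data' => [ct].pack('m0'),   # strict base64, no line wrap
      'iv'             => [iv].pack('m0'),
      'auth_tag'       => [c.auth_tag].pack('m0'),
      'version'        => VERSION,
      'cipher'         => CIPHER }
  end

  def self.decrypt_value(field, key)
    raise ArgumentError, "unsupported version #{field['version']}" unless field['version'] == VERSION
    d = OpenSSL::Cipher.new(field['cipher']).decrypt
    d.key = key
    d.iv = field['iv'].unpack1('m')          # lenient decode: real items may wrap lines
    d.auth_tag = field['auth_tag'].unpack1('m')
    d.auth_data = ''
    # final raises OpenSSL::Cipher::CipherError when the tag does not verify,
    # i.e. on a wrong secret or a modified iv / ciphertext.
    plain = d.update(field['encrypted_data'].unpack1('m')) + d.final
    JSON.parse(plain)['json_wrapper']
  end

  def self.encrypt_item(item, secret)
    key = key_from_secret(secret)
    item.to_h { |k, v| [k, k == 'id' ? v : encrypt_value(v, key)] }
  end

  def self.decrypt_item(enc, secret)
    key = key_from_secret(secret)
    enc.to_h { |k, v| [k, k == 'id' ? v : decrypt_value(v, key)] }
  end
end
```

Because GCM authenticates the ciphertext, a wrong secret or an edited encrypted_data value fails at d.final instead of yielding garbage, and the ciphertext length equals the wrapped plaintext length (32 bytes for "This is user1", matching the knife output above).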
Copyright © 2023 Hugh Norris.