Post on 19-Dec-2015
transcript
Unix Linux Administration II
Class 4: DNS review. Introduction to HTTPD. Scripting and Variables.
Agenda: discuss homework. Unit 1: DNS review. Unit 2: Introduction to HTTPD. Unit 3: Scripting and variables.
Homework review
Bind installs. rndc install. Domain creation. Working with dig. Shell one-liners.
SSH certificate authentication review
ssh-keygen: generates the private key and the public key.
authorized_keys: one or more public keys; # comments are allowed.
known_hosts: manual editing required if the data changes.
Permissions: $HOME/.ssh = 700, $HOME/.ssh/id_rsa = 600, $HOME/.ssh/id_rsa.pub = 644, $HOME/.ssh/authorized_keys = 644.
SSH agents: Windows - pageant (GUI, add keys); *nix - ssh-agent (CLI, ssh-add).
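The permission values above are the ones sshd and the client actually check (an id_rsa that is group- or world-readable is refused, and a loose authorized_keys is ignored under StrictModes), so they are worth verifying by script rather than by eye. The following is an added example for this class, not code from the slides: check_ssh_perms compares a directory laid out like $HOME/.ssh against the expected modes, and make_ssh_dir builds a constructed fixture to exercise it. The directory path is a parameter (an assumption of this example) so it can be pointed at a scratch directory as well as at the real one.

```shell
#!/bin/sh
# Added example (not from the class slides): verify the ~/.ssh permissions
# listed above. Expected modes: .ssh=700, id_rsa=600, id_rsa.pub=644,
# authorized_keys=644. The directory to check is passed as $1 (assumption
# of this example) so it can also be run against a test directory.

# mode_of <path>: print the octal permission bits of a file.
# GNU stat (Linux) first, BSD stat (macOS) as the fallback.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_ssh_perms <dir>: print one line per problem found and return the
# number of problems (0 means every present file matches the expected mode).
check_ssh_perms() {
    dir=$1
    problems=0
    for entry in ".:700" "id_rsa:600" "id_rsa.pub:644" "authorized_keys:644"; do
        name=${entry%%:*}
        want=${entry##*:}
        path="$dir/$name"
        [ -e "$path" ] || continue      # a missing file is not a permission error
        got=$(mode_of "$path")
        if [ "$got" != "$want" ]; then
            echo "$path: mode $got, expected $want"
            problems=$((problems + 1))
        fi
    done
    return $problems
}

# make_ssh_dir <dir>: constructed fixture, a directory laid out like ~/.ssh
# with the expected modes, used to exercise the check.
make_ssh_dir() {
    mkdir -p "$1" && chmod 700 "$1"
    for f in id_rsa:600 id_rsa.pub:644 authorized_keys:644; do
        : > "$1/${f%%:*}" && chmod "${f##*:}" "$1/${f%%:*}"
    done
}

# Usage: ./check_ssh_perms.sh "$HOME/.ssh"
if [ -n "$1" ]; then
    check_ssh_perms "$1" && echo "ssh permissions OK in $1"
fi
```

Run it against your own $HOME/.ssh after the lab; each reported line is a file that ssh or sshd will either refuse to use or silently ignore.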
Class 4, Unit 1
What we are going to cover: Review DNS concepts
What you should leave with from this session: Common understanding of how DNS resolution works. Ability to install and manage a DNS server.
DNS server types
There are more DNS server types than listed here, but these are some common uses: caching server, master server, slave server, proxy/forwarding server, stealth server, authoritative-only server.
Domains
Domains use a tree or hierarchical name structure
This structure is similar to the UNIX file system
BIND is just one solution to the question of how to provide name services.
Technically an FQDN requires the “.” (DOT)
It all starts at the dot with the hint file….
Sub-domains
A sub-domain is the child of a domain with the same root: ulcert.uw.edu = subdomain, uw.edu = subdomain, edu. = subdomain. Also referred to as levels: top level = net, org, edu, etc.; first level = uw; second level = ulcert.
Top Level Domains
Top level domains are split into two parts:
Generic Top Level Domains (gTLD): .com, .edu, .net, .org, .mil, etc.
Country Code Top Level Domains (ccTLD): .us, .uk, .ca, .mx
Remember the top is a DOT ".". Authority for the root domain lies with the Internet Corp for Assigned Numbers and Names (ICANN), which delegates this responsibility to a series of accredited registrars for gTLDs (generic Top-Level Domains) and ccTLDs (country code) for nations.
DNS tree overview
Root name servers
Root name servers are the responsibility of ICANN but they are operated by a consortium under a delegation agreement.
Currently there are 13 root-servers defined in the hints file.
These servers are known to every DNS server. They are the root for each query not resolved through cached content.
Many of these 13 name servers have duplicates responding to the same IP address using a process called anycast.
http://en.wikipedia.org/wiki/Anycast
Three primary domain components*
Name space and resource records - provide a tree-structured name space to include the associated name data.
Name server - daemon that maintains the data set.
Resolvers - tools used to extract information from the name server service or services.
Name some resolvers?
*When using BIND, but not necessarily in every DNS implementation.
To Query, that is the Question
DNS servers exist to answer queries.
Query: what is www.ulcert.uw.edu?
Answer: 140.142.194.151
DNS servers can be:
Authoritative for a domain
Slaves for a domain
forwarders for a domain
or a mix of all three
Query, Query, Query
Recursive query - complete answer or error
Three possible answers:
IP address and related CNAMES
Error due to domain not found
Temporary error due to technical issues.
Iterative query – complete answer or referral
Inverse query – reverse IP to name, may not work.
The Recursive Query
1. Resolver sends query for ulcert.uw.edu.
2. Not found in DNS server cache.
3. Initiate DNS query to Root server.
4. Root returns referral to TLD server for .edu.
5. DNS server asks referred .edu TLD server for ulcert.uw.edu.
6. The edu NS refers to the uw.edu NS server.
7. DNS server asks referred uw.edu NS for ulcert.uw.edu.
8. The uw.edu NS returns A record for ulcert.uw.edu.
9. Local DNS returns A record to resolver.
10. Resolver opens connection to address returned by the uw.edu NS.
Well that was simple.
1. User wants to browse www.washington.edu
2. Browser generates a query to the Local DNS
3. Local DNS recurses:
   1. Ask Root for www.washington.edu, get back NS record for .edu
   2. Ask .edu for www.washington.edu, get back NS record for washington.edu
   3. Ask washington.edu for www.washington.edu, get back A record
   4. Return A record to client computer
4. User's computer:
   1. Stores A record in memory
   2. Response now returns to the browser the address of www.washington.edu
   3. Browser opens connection to address:80 and does a GET /
   4. Web page response is rendered for the user.
DNS query overview (diagram)
Participants: Local DNS; Public Internet; Root DNS Server (one of the servers listed in the hints file); .edu DNS Server; hanna.cac.washington.edu DNS Server; web server for www.washington.edu at 128.95.155.135.
Exchanges shown: Local DNS asks Root "A Record for www.washington.edu?" and is told "Go ask .edu"; Local DNS asks .edu and is told "Go ask washington.edu"; Local DNS asks hanna.cac.washington.edu "A Record for www.washington.edu?" and gets 128.95.155.135; Local DNS answers the client's "A Record for www.washington.edu?" with 128.95.155.135.
Named.conf
The primary configuration file for named is named.conf. This is typically found under /etc. We will discuss "chroot'd" installs later.
This file needs to define the install directory and should include the pid file location. After this it may also include details on the hints file and local reverse zone.
Hint servers tell resolvers where to find TLD servers.
Common hint file names: db.cache, named.ca, named.root.hints.
Manually creating a new hint file:
dig . ns @a.root-servers.net > hint_date.txt
localhost -> DNS returns 127.0.0.1
0.0.127.IN-ADDR.ARPA -> reverse localhost zone
Named.conf cont.
Comments can be added in C, C++, or Shell format
The named.conf is checked for syntax at startup
Problems are reported immediately to syslog
Logging can be explicitly defined elsewhere
Sample caching DNS config
This server simply queries another server and caches the response locally. Any later queries for the same request will be answered from cache until the TTL is reached.
options {
    directory "/var/named";
    pid-file "/var/run/named/named.pid";
};
zone "." IN {
    type hint;
    file "hint.db";
};
Master server
To be the master server means the zone file is stored locally. The named.conf file points to a file on disk and therefore this server is authoritative for the zone.
zone "ulcert.uw.edu" IN {
    type master;
    file "ulcert.uw.txt";
};
When a master is queried it will respond as Authoritative.
Zones and Resource Records
Zone files contain information that describes a domain or sub-domain
Zone files indicate where to find the Start of Authority (SOA)
Zone files contain Authoritative records, A records
Zone files contain global information like Name servers and Mail servers
Resource Record types include: A, AAAA, NS, MX, SRV, CNAME, DNSKEY, HINFO
Sample zone file
$ORIGIN ulcert.uw.edu.   ; defines this zone as the default. Note trailing dot
$TTL 3600                ; time to live set to one hour
@ IN SOA ns1.ulcert.uw.edu. Info.ulcert.uw.edu. (   ; responsible mailbox; trailing dot stops $ORIGIN being appended
        1       ; serial version of the file (usually a date)
        3600    ; refresh, slaves refresh after one hour
        3600    ; retry
        86400   ; expire after one day
        86400   ; minimum TTL
        )
; NS (Name Server) records
        NS      ns1.ulcert.uw.edu.
; A (Address) records
ns1.ulcert.uw.edu.      IN A    192.168.1.102
Zone files, what's in the parentheses?
2014011501 ; serial, zone version (date format?)
86400 ; refresh, how often slaves look for updates
1800 ; retry, how long after a failed update to retry
7200 ; expire, zone data if master is unavailable
3600 ; minimum, time to cache negative answers
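Slaves only transfer a zone when the master's serial is larger than the one they hold, so an edit that forgets to bump the serial silently never propagates, and a serial that goes backwards is just as bad. The script below is an added example for this class (not from the slides): it pulls the serial out of a zone file, computes the next one using the YYYYMMDDnn date convention shown above, and rewrites only that field. Assumptions of the example: the serial is the first bare number on or after the SOA line, as in the sample zone, and the current date is passed in as YYYYMMDD so results are reproducible; the sample zone written by write_sample_zone is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the class slides): read and bump the SOA serial of
# a zone file using the YYYYMMDDnn convention. Assumes the serial is the
# first bare number on or after the SOA line; the date is a parameter.

# write_sample_zone <file>: constructed zone (same shape as the slide's sample).
write_sample_zone() {
    cat > "$1" <<'EOF'
$ORIGIN ulcert.uw.edu.
$TTL 3600
@ IN SOA ns1.ulcert.uw.edu. info.ulcert.uw.edu. (
        2014011501 ; serial
        86400      ; refresh
        1800       ; retry
        7200       ; expire
        3600 )     ; minimum
        NS  ns1.ulcert.uw.edu.
ns1     IN  A   192.168.1.102
EOF
}

# soa_serial <zonefile>: print the serial field of the SOA record.
soa_serial() {
    awk '
        /[ \t]SOA[ \t]/ { in_soa = 1 }
        in_soa {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^;/) break                  # comment: rest of line is not data
                if ($i ~ /^[0-9]+$/) { print $i; exit }
            }
        }' "$1"
}

# next_serial <current> <YYYYMMDD>: same day -> bump the two-digit revision;
# earlier day -> start today at 01; serial ahead of the clock or not in date
# form (e.g. "1") -> plain increment, so the value never goes backwards.
next_serial() {
    cur=$1; today=$2
    case $cur in
        "$today"[0-9][0-9])
            rev=${cur#"$today"}; rev=${rev#0}          # strip one leading zero (no octal)
            rev=$((rev + 1))
            [ "$rev" -gt 99 ] && { echo "revision overflow for $today" >&2; return 1; }
            printf '%s%02d\n' "$today" "$rev" ;;
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9])
            if [ "$cur" -lt "${today}01" ]; then echo "${today}01"; else echo $((cur + 1)); fi ;;
        *)
            echo $((cur + 1)) ;;
    esac
}

# bump_serial <zonefile> <YYYYMMDD>: replace only the serial field, in place,
# and print the new value. Other numbers (TTLs, addresses) are left alone.
bump_serial() {
    old=$(soa_serial "$1")
    [ -n "$old" ] || { echo "no SOA serial found in $1" >&2; return 1; }
    new=$(next_serial "$old" "$2") || return 1
    awk -v new="$new" '
        /[ \t]SOA[ \t]/ { in_soa = 1 }
        in_soa && !done {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^;/) break
                if ($i ~ /^[0-9]+$/) { $i = new; done = 1; break }
            }
        }
        { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    echo "$new"
}

# Demo on a constructed copy (safe to run anywhere).
demo=$(mktemp) && write_sample_zone "$demo" \
    && echo "serial $(soa_serial "$demo") -> $(bump_serial "$demo" "$(date +%Y%m%d)")" \
    && rm -f "$demo"
```

After bumping, reload with rndc and confirm on a slave with dig that the new serial arrived; a slave still showing the old serial is the classic symptom of a forgotten bump.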
Basic zone record types
A record, or authoritative record. For your class servers your A records are something like ulc-###.ulcert.uw.edu:
ulc-188 A 140.142.194.188
CNAME, or Canonical name or nickname. This is a friendly name, something easy to remember like www.ulcert.uw.edu:
mycentos CNAME ulc-188
NS, or Name Server records, DNS servers:
ns2 A 140.142.194.197
ns3 A 140.142.194.198
Internal only zones
It is very common to have DNS resource records that you do NOT want to expose to everyone. In this situation you might create a subdomain for internal use; you may also consider using an internal-only TLD such as .local, .pvt or .private. However, the only officially reserved TLDs for this purpose are .test, .example, .invalid and .localhost.*
*http://tools.ietf.org/search/rfc2606
Another option is to create a specific DNS view which limits what clients can query based on ACLs.
Review:
DNS server types: master, slave, forwarder...
It all starts at “.”
FQDN ends with “.”
DNS servers exist to answer questions, or punt to the next server to answer.
gTLD and ccTLD
Name space, name server, resolvers.
The primary configuration file is named.conf
chroot based under /var/named/chroot
In class lab 3a
Lab notes for this session can be found here: http://www.ulcert.uw.edu -> Class Content -> InClass labs ->
Class 4, Unit 2
What we are going to cover: Standard web server build and configurations.
What you should leave with from this session: How to install the yum supported web server. How to provide basic administration for this
service.
Power of the web
*image source http://xkcd.com/979/
Web Servers
If we find a reason to compile our own apache web servers we can, but for now we are going to use the pre-packaged solutions.
We can install just the httpd server or a common collection of services along with the httpd server. This time we will install the "Web Server" group package:
sudo yum grouplist
sudo yum groupinstall "Web Server"
Default configuration information
The default httpd.conf file is under /etc/httpd/conf
Additional configuration files are under /etc/httpd/conf.d/
The default web root directory is under /var/www
Manage your webserver instance with:
sudo /sbin/service httpd start|stop|graceful|status
Default configuration information
Adding an index.html file under /var/www/html will remove the default web page:
<html>
<head><title>ulc-###.ulcert.uw.edu</title></head>
<body>Default home page for ulc-###</body>
</html>
Virtual hosting
One instance of apache can serve multiple web sites. You could host two sites from the same server like:
www.books.ulcert.uw.edu and www.my.books.ulcert.uw.edu
Apache allows the virtual web servers to inherit permissions from the main server. They can all leverage, for example, the same ScriptAlias.
Name based or IP based Virtual hosts
Name based virtual hosts:
Leverages the same IP for all servers
Recommended solution in most cases
Based on Host header values
Possible conflicts with web browsers that do not support HTTP 1.1
IP based virtual hosts:
Allocates one IP per host
Requires, of course, multiple interfaces defined on the host also
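Name-based virtual hosting has one behaviour every administrator should know: a request whose Host header matches no ServerName or ServerAlias is served by the first VirtualHost in the file, so the first block is effectively the default site and should be the one you are happy to expose to arbitrary hostnames. The script below is an added example for this class, not configuration from the slides or from the Apache project: write_vhosts produces a name-based configuration for the two sites named above (Apache 2.2 syntax with NameVirtualHost, matching the CentOS 6 httpd package; the DocumentRoot and log names are assumptions), list_vhosts reads the names back, and vhost_for_host models the first-match selection rule for a given Host header (exact ServerName/ServerAlias matches only; wildcard aliases are not modelled).

```shell
#!/bin/sh
# Added example (not from the class slides or Apache): generate a name-based
# virtual host file for the two sites above and model which site answers a
# given Host header. Assumes Apache 2.2 syntax; paths are placeholders.

# write_vhosts <conf-file>: one <VirtualHost> per site, both on *:80 and
# told apart by the Host header. The first block is the default site.
write_vhosts() {
    cat > "$1" <<'EOF'
NameVirtualHost *:80

<VirtualHost *:80>
    ServerName   www.books.ulcert.uw.edu
    ServerAlias  books.ulcert.uw.edu
    DocumentRoot /var/www/books
    ErrorLog     logs/books-error_log
    CustomLog    logs/books-access_log combined
</VirtualHost>

<VirtualHost *:80>
    ServerName   www.my.books.ulcert.uw.edu
    DocumentRoot /var/www/mybooks
    ErrorLog     logs/mybooks-error_log
    CustomLog    logs/mybooks-access_log combined
</VirtualHost>
EOF
}

# list_vhosts <conf-file>: print the ServerName of every virtual host, in order.
list_vhosts() {
    awk '$1 == "ServerName" { print $2 }' "$1"
}

# vhost_for_host <conf-file> <host>: print the ServerName of the block that
# would answer a request for <host>: first exact ServerName/ServerAlias
# match, otherwise the first block (Apache's default-vhost rule).
vhost_for_host() {
    awk -v host="$2" '
        $1 == "ServerName"  { names[++n] = $2; if ($2 == host && !hit) hit = n }
        $1 == "ServerAlias" { for (i = 2; i <= NF; i++) if ($i == host && !hit) hit = n }
        END { if (n) print (hit ? names[hit] : names[1]) }' "$1"
}

# Demo on a scratch file (safe to run anywhere).
conf=$(mktemp) && write_vhosts "$conf" \
    && echo "sites: $(list_vhosts "$conf" | tr '\n' ' ')" \
    && echo "unknown.example is served by: $(vhost_for_host "$conf" unknown.example)" \
    && rm -f "$conf"
```

To use it for real, write the file into /etc/httpd/conf.d/, run apachectl configtest, then sudo /sbin/service httpd graceful; the new DocumentRoot directories must exist and be readable by the httpd user.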
Problems with virtual hosting
Restarting one webserver means restarting them all
Problems with providing granular access to config files for various depts
Potential problems with clients that are not http 1.1 capable.
HTTPD logs
The HTTPD logs by default are under /var/log/httpd
The permissions for this folder are set to only allow the root user access. I would suggest you change this to allow a group you are a member of access to the directory.
By default you will find access and error logs for both http and https traffic
Review: web servers
You can compile your webservers from source.
"groupinstall" will provide a standard yum managed webserver.
Related files can be found under: /etc/httpd/, /etc/httpd/conf.d/, /var/www/, /var/log/httpd
Lab 3b
Lab notes for this session can be found here: http://www.ulcert.uw.edu/class/ -> Home -> Labs ->
Class 4, Unit 3
What we are going to cover: Scripting; variables
What you should leave this session with: Script syntax (review) Valid variable names. How to rename and re-assign variables
Scripting: Variables, expression & quotes
Shell scripting is very similar to what we have been doing so far except that we get to record our actions.
Something simple like ps -ef | wc -l can be scripted and then repeated by creating a script containing these commands.
Review: Basic script syntax
All your shell scripts should start with a line defining the shell to use. Meaning bourne (sh), bourne again shell (bash), korn shell (ksh), etc.
Your script files should have read and execute permissions set (chmod u+rx <file>)
For this class your scripts should also include a few other default comment lines:
Title:, Date:, Author:, Purpose:
Template script files
We may improve upon this as we continue; here is the basic template I would like you to use for your shell scripts.
#!/bin/sh
# Title: <script>.sh
# Date: 00/00/2013
# Author:
# Purpose:
# Start script here...
* remember using vi you can use :r to read in a file
Comments, comments, comments
The key to good scripting is good commenting; the script you write today may seem very simple but not so simple in the future.
Comments are pre-pended with a hash (#).
This can come as the first character in a line or after the command
# clear screen
clear
clear # clear screen
Adding blank lines to your output
To make the output easier to read you might want to add blank lines.
This can be done using echo
echo # insert blank line
echo "Total processes on host:"
/bin/ps -ef | /usr/bin/wc -l
Variables
In the previous example it might be handy to know the host where the processes were running.
Variables are defined using the = sign
No spaces are allowed between variable, =, and value
*myhost=ulc-231_q2
echo $myhost
Variables can be defined in the shell
From the command line you can define variables also:
myhost=ulc-231-b
echo $myhost
Now type bash
echo $myhost
What happened?
Pre-defined variables
Your shell often has pre-defined variables
Type env
What do you see?
Type:
echo $SHELL ; echo $HOSTNAME; echo $HOME
The semi colon lets you string commands together.
How is this different from a | (pipe)?
Defining UNIX utilities as variables.
You can define UNIX utilities as variables also
list=ls
*best practice to define the full path.
list=/bin/ls
options=-la
# list all files in current directory
echo "Files in current directory are: "
$list $options
Valid variable names
Must start with alphabetic or underscore character followed by zero or more alphanumeric or underscore characters. Variable names ARE case sensitive.
$var $__ # two underscores. $a
Any others?
Re-assigning variables
If you want to you can re-assign variables
options=-la
newoptions=$options
Shell order of operations:
Variable substitution
Filename substitution
Parse command line into arguments
So if you assign * to x
x=*
What happens when you enter: echo $x
How to rename variable values
If you have a variable value you want to rename you may need to use the ${variable}new construct
For example to rename /etc/resolv.conf to /etc/resolv.conf.bk you might use
resolv=/etc/resolv.conf
bkresolv=${resolv}.bk
echo $bkresolv
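The rules in this unit (valid names, full-path utilities, re-assignment, ${var}suffix renaming, and what happens when * is stored in a variable) fit in one script written to the class template. The script below is an added example, not one from the slides: backup_name builds the resolv.conf backup name shown above, valid_name applies the variable-name rule from this unit, and glob_demo stores * in x and shows the difference between echo $x (filename substitution runs, so the shell lists the directory) and echo "$x" (quoted, stays a star). The directory argument to glob_demo and the use of a scratch directory in the demo are assumptions of this example.

```shell
#!/bin/sh
# Title: variables_demo.sh
# Date: 00/00/2013
# Author: (added example for this class, not from the slides)
# Purpose: show the variable rules from Unit 3: full-path utilities,
#          re-assignment, ${var}suffix renaming, valid names, and why
#          x=* behaves as it does under the shell's order of operations.

# Utilities defined as variables, with full paths (best practice above).
list=/bin/ls
options=-la

# valid_name <name>: return 0 if <name> may be used as a shell variable
# name: a letter or underscore, then letters, digits or underscores.
valid_name() {
    case $1 in
        ''|*[!A-Za-z0-9_]*|[0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# backup_name <path>: build "<path>.bk" with ${var} so the shell does not
# look for a variable named "resolv.bk".
backup_name() {
    resolv=$1
    bkresolv=${resolv}.bk
    echo "$bkresolv"
}

# glob_demo <dir>: assign * to x and show the two expansions. Unquoted $x is
# substituted first, then filename substitution turns the star into the
# directory's entries; quoted "$x" is never globbed.
glob_demo() {
    x='*'
    ( cd "$1" && set -- $x && echo "unquoted: $#" )   # number of names * matched
    echo "quoted: $x"
}

# count_procs: the one-liner from the slides, with a blank line first and
# the host name added (the reason variables were introduced above).
count_procs() {
    myhost=$(hostname)
    echo
    echo "Total processes on host $myhost:"
    /bin/ps -ef | /usr/bin/wc -l
}

# Demo (safe to run anywhere): backup name, then the glob effect on a
# scratch directory holding two files.
echo "backup file would be: $(backup_name /etc/resolv.conf)"
demo=$(mktemp -d) && : > "$demo/a" && : > "$demo/b" && glob_demo "$demo" && rm -rf "$demo"
echo "listing with: $list $options"
```

Run glob_demo against a directory with a few files and then against an empty one: with no match the unquoted star stays literal, which is why scripts that build file lists should quote their variables and test that the file exists.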
Review:
Script templates - :r template.sh
Variables start with _ or an alphabetic character
Variable assignment: var1=value
Re-assign: var2=$var1
Rename: var3=${var2}.bk
Order of operations: variable substitution, file substitution, parse command line.
In class lab 4c
Lab notes for this session can be found here: http://www.ulcert.uw.edu -> Class Content -> InClass labs ->
Homework
Homework for this week will be posted later tonight.