# Notes on LB2 M 300

**The Bind9 config files are listed at the very bottom**

## A1: Docker Host

### Preparing the disk

* Connect via SSH from LP1 to LS1 (192.168.70.21)

```shell
ssh vmadmin@192.168.70.21
```

```shell
# Create the mount points for the external disks
sudo mkdir -p /data/docker
sudo mkdir -p /data/www
```

```shell
# List the disks
lsblk
NAME   MAJ:MIN RM  SIZE RO TYPE MOUNTPOINTS
sda      8:0    0    8G  0 disk
├─sda1   8:1    0    1M  0 part
└─sda2   8:2    0    8G  0 part /
sdb      8:16   0    8G  0 disk
sr0     11:0    1  368K  0 rom
```

* sda1 = ?
* sda2 = root disk
* sdb = Docker disk
* sr0 = ?

```shell
# Partition disk sdb
sudo fdisk /dev/sdb
# > n = new partition
# > p = primary partition
# > leave everything else at the default values
# > w = write the partition table and exit
# lsblk now shows
sdb      8:16   0    8G  0 disk
└─sdb1   8:17   0    8G  0 part
```

```shell
# Format the partition
sudo mkfs.ext4 /dev/sdb1
# Output
mke2fs 1.46.5 (30-Dec-2021)
Discarding device blocks: done
Creating filesystem with 2096896 4k blocks and 524288 inodes
Filesystem UUID: 04273961-35c5-40a2-acfd-acd6c4cd1ad1
Superblock backups stored on blocks:
        32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632

Allocating group tables: done
Writing inode tables: done
Creating journal (16384 blocks): done
Writing superblocks and filesystem accounting information: done
```

```shell
# Mount the disk
sudo blkid
# Output
/dev/sdb1: UUID="04273961-35c5-40a2-acfd-acd6c4cd1ad1" BLOCK_SIZE="4096" TYPE="ext4" PARTUUID="199eee41-01"
# Add the mount to fstab (by UUID, so it survives device renumbering)
sudo nano /etc/fstab
# Insert the following line
UUID=04273961-35c5-40a2-acfd-acd6c4cd1ad1 /data/docker ext4 defaults 0 0
# Mount the disk
sudo systemctl daemon-reload
sudo mount -a
# Test the mount point
lsblk
NAME   MAJ:MIN RM  SIZE RO TYPE MOUNTPOINTS
loop0    7:0    0 63.4M  1 loop /snap/core20/1974
loop1    7:1    0 63.9M  1 loop /snap/core20/2318
loop2    7:2    0 53.3M  1 loop /snap/snapd/19457
loop3    7:3    0 38.8M  1 loop /snap/snapd/21759
sda      8:0    0    8G  0 disk
├─sda1   8:1    0    1M  0 part
└─sda2   8:2    0    8G  0 part /
sdb      8:16   0    8G  0 disk
└─sdb1   8:17   0    8G  0 part /data/docker
sr0     11:0    1  368K  0 rom
```

### Installing Docker

```shell
# Remove conflicting packages
for pkg in docker.io docker-doc docker-compose docker-compose-v2 podman-docker containerd runc; do sudo apt-get remove $pkg; done

# Add Docker's official GPG key:
sudo apt-get update
sudo apt-get install ca-certificates curl
sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc

# Add the repository to Apt sources:
echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
  $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
  sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update

sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
```

```shell
# Test Docker
sudo docker run hello-world
```

### Running the Docker test script

```shell
docker info
Client: Docker Engine - Community
 Version:    26.1.4
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.14.1
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.27.1
    Path:     /usr/libexec/docker/cli-plugins/docker-compose

Server:
 Containers: 1
  Running: 0
  Paused: 0
  Stopped: 1
 Images: 1
 Server Version: 26.1.4
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 Swarm: inactive
 Runtimes: runc io.containerd.runc.v2
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: d2d58213f83a351ca8f528a95fbd145f5654e957
 runc version: v1.1.12-0-g51d5e94
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 5.15.0-72-generic
 Operating System: Ubuntu 22.04.4 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 1
 Total Memory: 1.93GiB
 Name: vmLS1.lb2.m300.smartlearn.ch
 ID: cf3570a6-4923-4cd4-99ea-4bab6aa053ae
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

docker ps
CONTAINER ID   IMAGE     COMMAND   CREATED   STATUS    PORTS     NAMES

df
Filesystem     1K-blocks    Used Available Use% Mounted on
tmpfs             202340    1128    201212   1% /run
/dev/sda2        8170952 2961948   4815376  39% /
tmpfs            1011688       0   1011688   0% /dev/shm
tmpfs               5120       0      5120   0% /run/lock
tmpfs             202336       4    202332   1% /run/user/1000
/dev/sdb1        8153564      24   7717780   1% /data/docker

cat /etc/fstab
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
# / was on /dev/sda2 during curtin installation
/dev/disk/by-uuid/7860ac43-69f7-45bf-bebd-e37600691499 / ext4 defaults 0 1
# Docker Data
UUID=04273961-35c5-40a2-acfd-acd6c4cd1ad1 /data/docker ext4 defaults 0 0

ls -laR /data |head -n 50
/data:
total 12
drwxr-xr-x  3 root root 4096 Jun 11 11:04 .
drwxr-xr-x 20 root root 4096 Jun 11 11:04 ..
drwxr-xr-x  3 root root 4096 Jun 11 11:00 docker

/data/docker:
total 24
drwxr-xr-x 3 root root  4096 Jun 11 11:00 .
drwxr-xr-x 3 root root  4096 Jun 11 11:04 ..
drwx------ 2 root root 16384 Jun 11 11:00 lost+found

/data/docker/lost+found:
total 20
drwx------ 2 root root 16384 Jun 11 11:00 .
drwxr-xr-x 3 root root  4096 Jun 11 11:00 ..

ls -laR /var/lib/docker |head -n 50
/var/lib/docker:
total 52
drwx--x--- 12 root root 4096 Jun 11 11:08 .
drwxr-xr-x 42 root root 4096 Jun 11 11:08 ..
drwx--x--x  4 root root 4096 Jun 11 11:08 buildkit
drwx--x---  3 root root 4096 Jun 11 11:09 containers
-rw-------  1 root root   36 Jun 11 11:08 engine-id
drwx------  3 root root 4096 Jun 11 11:08 image
drwxr-x---  3 root root 4096 Jun 11 11:08 network
drwx--x---  6 root root 4096 Jun 11 11:09 overlay2
drwx------  4 root root 4096 Jun 11 11:08 plugins
drwx------  2 root root 4096 Jun 11 11:08 runtimes
drwx------  2 root root 4096 Jun 11 11:08 swarm
drwx------  2 root root 4096 Jun 11 11:09 tmp
drwx-----x  2 root root 4096 Jun 11 11:08 volumes

/var/lib/docker/buildkit:
total 112
drwx--x--x  4 root root 4096 Jun 11 11:08 .
drwx--x--- 12 root root 4096 Jun 11 11:08 ..
-rw-------  1 root root 32768 Jun 11 11:08 cache.db
-rw-r--r--  1 root root 16384 Jun 11 11:08 containerdmeta.db
drwxr-xr-x  3 root root  4096 Jun 11 11:08 content
drwx--x--x  2 root root  4096 Jun 11 11:08 executor
-rw-------  1 root root 32768 Jun 11 11:08 history.db
-rw-------  1 root root 16384 Jun 11 11:08 metadata_v2.db
-rw-------  1 root root 16384 Jun 11 11:08 snapshots.db

/var/lib/docker/buildkit/content:
total 12
drwxr-xr-x 3 root root 4096 Jun 11 11:08 .
drwx--x--x 4 root root 4096 Jun 11 11:08 ..
drwxr-xr-x 2 root root 4096 Jun 11 11:08 ingest

/var/lib/docker/buildkit/content/ingest:
total 8
drwxr-xr-x 2 root root 4096 Jun 11 11:08 .
drwxr-xr-x 3 root root 4096 Jun 11 11:08 ..

/var/lib/docker/buildkit/executor:
total 8
drwx--x--x 2 root root 4096 Jun 11 11:08 .
drwx--x--x 4 root root 4096 Jun 11 11:08 ..

/var/lib/docker/containers:
total 12
drwx--x---  3 root root 4096 Jun 11 11:09 .
drwx--x--- 12 root root 4096 Jun 11 11:08 ..
drwx--x---  4 root root 4096 Jun 11 11:09 04c92bcae4eccfb1ac57d1da261e3f442d9577119a63547c29a0ec411e2df806
```

Note that the test output shows `Docker Root Dir: /var/lib/docker` while `/data/docker` contains only `lost+found`: the new disk is mounted, but the Docker daemon still keeps its images and containers on the root disk. Pointing Docker at the data disk requires the `data-root` setting in `/etc/docker/daemon.json`.

---

## A2: DNS Server

### Task

* DNS on vmLS1
* Create the zone "lb2.m300.smartlearn.ch"
* Add records to the zone:
  * Firewall: 192.168.70.1 (DMZ), 192.168.150.1 (LAN)
  * vmLS1: 192.168.70.21
* Reverse zone for "192.168.70.0/24"
* PTR record for every IP address:
  * Firewall: 192.168.70.1
  * vmLS1: 192.168.70.21
* Configure the DNS server on LP1 and LS1
* Test internal and external DNS resolution
* Test the config with the `testen_dns` command
  * Update the env variable `$dnsip` for the test script
  * --> `echo 'export dnsip="192.168.70.21"' >> ~/.bashrc && source ~/.bashrc` (append with `>>`; a single `>` would overwrite the whole `~/.bashrc`)
* Config files to hand in:
  * `named.conf.local`
  * `named.conf.options`
  * zone file of `lb2.m300.smartlearn.ch`

### Installing and configuring DNS

The SSH connection to vmLS1 is still open.

```shell
# Install Bind9
sudo apt update
sudo apt install bind9 bind9utils bind9-doc -y
```

```shell
# Forward zone
sudo nano /etc/bind/db.lb2.m300.smartlearn.ch
```

```
; /etc/bind/db.lb2.m300.smartlearn.ch
$TTL 604800
@ IN SOA ns.lb2.m300.smartlearn.ch. root.lb2.m300.smartlearn.ch. (
        2024010101 ; Serial
        604800     ; Refresh
        86400      ; Retry
        2419200    ; Expire
        604800 )   ; Negative Cache TTL
;
@           IN NS ns.lb2.m300.smartlearn.ch.
ns          IN A  192.168.70.21
www         IN A  192.168.70.21
vmls1       IN A  192.168.70.21
applikation IN A  192.168.70.21
vmlf1       IN A  192.168.70.1
```

```shell
# Zone declaration
sudo nano /etc/bind/named.conf.local
```

```
// /etc/bind/named.conf.local
zone "lb2.m300.smartlearn.ch" {
    type master;
    file "/etc/bind/db.lb2.m300.smartlearn.ch";
};
```

```shell
# Restart DNS & test
sudo systemctl restart bind9
dig @localhost firewall-dmz.lb2.m300.smartlearn.ch
dig @localhost firewall-lan.lb2.m300.smartlearn.ch
dig @localhost vmls1.lb2.m300.smartlearn.ch
```

```shell
# Reverse zone
sudo nano /etc/bind/db.192.168.70
```

```
; /etc/bind/db.192.168.70
$TTL 604800
@ IN SOA ns.lb2.m300.smartlearn.ch. root.lb2.m300.smartlearn.ch. (
        2024010101 ; Serial
        604800     ; Refresh
        86400      ; Retry
        2419200    ; Expire
        604800 )   ; Negative Cache TTL
;
@   IN NS  ns.lb2.m300.smartlearn.ch.
1   IN PTR vmlf1.lb2.m300.smartlearn.ch.
21  IN PTR vmls1.lb2.m300.smartlearn.ch.
22  IN PTR vmws1.lb2.m300.smartlearn.ch.
```

```shell
# Zone declarations
sudo nano /etc/bind/named.conf.local
```

```
// /etc/bind/named.conf.local
zone "lb2.m300.smartlearn.ch" {
    type master;
    file "/etc/bind/db.lb2.m300.smartlearn.ch";
};

zone "70.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/db.192.168.70";
};
```

```shell
# Restart DNS & test
sudo systemctl restart bind9
dig @localhost -x 192.168.70.1
dig @localhost -x 192.168.70.21
```

```shell
# Enable external resolution
sudo nano /etc/bind/named.conf.options
```

```
// /etc/bind/named.conf.options
options {
    directory "/var/cache/bind";

    // Forwarders to public DNS servers
    forwarders {
        1.1.1.1;
        1.1.0.1;
    };

    // Allow recursive queries
    allow-recursion { any; };
    // If you want to restrict recursive queries to your internal network only:
    // allow-recursion { 192.168.0.0/16; };

    dnssec-validation auto;

    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { any; };
};
```

`allow-recursion { any; };` turns the server into an open recursive resolver for every client that can reach port 53; outside the lab, restrict recursion to the internal networks as the commented-out line does. Also note that `1.1.0.1` is not one of Cloudflare's documented resolver addresses (those are 1.1.1.1 and 1.0.0.1), so the second forwarder entry should be checked.

```shell
# Restart DNS & test
sudo systemctl restart bind9
dig @localhost google.com
```

### Configuring DNS on the server and the client

```shell
# Server
sudo nano /etc/netplan/00-eth0.yaml
```

```yaml
network:
  version: 2
  renderer: networkd
  ethernets:
    eth0:
      addresses: [ 192.168.70.21/24 ]
      dhcp4: false
      routes:
        - to: default
          via: 192.168.70.1
      nameservers:
        addresses: [ 192.168.70.21 ]
        search: [ lb2.m300.smartlearn.ch ]
```

```shell
# Apply the changes
sudo netplan apply
```

```shell
# Client
sudo nano /etc/netplan/00-eth0.yaml
```

```yaml
network:
  version: 2
  renderer: NetworkManager
  ethernets:
    eth0:
      dhcp4: yes
      routes:
        - to: default
          via: 192.168.150.1
      nameservers:
        addresses: [ 192.168.70.21 ]
        search: [ lb2.m300.smartlearn.ch ]
```

```shell
# Apply the changes
sudo netplan apply
# resolv.conf additionally needs this line:
nameserver 192.168.70.21
```

### Testing the DNS config from vmLP1

```shell
# $> testen_dns
nslookup vmlf1.lb2.m300.smartlearn.ch 192.168.70.21
Server:     192.168.70.21
Address:    192.168.70.21#53

Name:   vmlf1.lb2.m300.smartlearn.ch
Address: 192.168.70.1

nslookup www.lb2.m300.smartlearn.ch 192.168.70.21
Server:     192.168.70.21
Address:    192.168.70.21#53

Name:   www.lb2.m300.smartlearn.ch
Address: 192.168.70.21

nslookup applikation.lb2.m300.smartlearn.ch 192.168.70.21
Server:     192.168.70.21
Address:    192.168.70.21#53

Name:   applikation.lb2.m300.smartlearn.ch
Address: 192.168.70.21

nslookup 192.168.70.22 192.168.70.21
22.70.168.192.in-addr.arpa  name = vmws1.lb2.m300.smartlearn.ch.

nslookup www.gibb.ch 192.168.70.21
Server:     192.168.70.21
Address:    192.168.70.21#53

Non-authoritative answer:
Name:   www.gibb.ch
Address: 194.124.129.15

nslookup vmls1.lb2.m300.smartlearn.ch
Server:     192.168.70.21
Address:    192.168.70.21#53

Name:   vmls1.lb2.m300.smartlearn.ch
Address: 192.168.70.21

nslookup www
Server:     192.168.70.21
Address:    192.168.70.21#53

** server can't find www: NXDOMAIN
```

---

## A3: Application - WordPress

* WordPress on the server

### Installing the apps and preparing WordPress

```shell
sudo apt update
sudo apt install apache2 mysql-server php libapache2-mod-php php-mysql
cd /tmp
wget https://wordpress.org/latest.tar.gz
tar -xzvf latest.tar.gz
sudo mv /tmp/wordpress/* /var/www/html/
sudo cp /var/www/html/wp-config-sample.php /var/www/html/wp-config.php
sudo chown -R www-data:www-data /var/www/html/
```

### Preparing the MySQL database

```shell
sudo mysql_secure_installation
```

```shell
sudo mysql -u root -p
```

```sql
CREATE DATABASE wordpress;
-- Replace 'password' with a strong, unique password and use the same value in wp-config.php
CREATE USER 'wordpressuser'@'localhost' IDENTIFIED BY 'password';
GRANT ALL PRIVILEGES ON wordpress.* TO 'wordpressuser'@'localhost';
FLUSH PRIVILEGES;
EXIT;
```

### Adjusting the WP config

```shell
sudo nano /var/www/html/wp-config.php
```

```php
define('DB_NAME', 'wordpress');
define('DB_USER', 'wordpressuser');
define('DB_PASSWORD', 'password');
define('DB_HOST', 'localhost');
```

### Preparing Apache

```shell
sudo systemctl restart apache2
sudo nano /etc/apache2/sites-available/applikation.lb2.m300.smartlearn.ch.conf
```

```conf
<VirtualHost *:80>
    ServerAdmin admin@example.com
    DocumentRoot /var/www/html/
    ServerName applikation.lb2.m300.smartlearn.ch

    <Directory /var/www/html/>
        Options FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
```

### Activating the website

```shell
sudo a2ensite applikation.lb2.m300.smartlearn.ch.conf
sudo a2enmod rewrite
sudo systemctl restart apache2
```

---

## A4: Web content

### Task:

* Install the HTTP service on vmLS1
* Download link for the website: https://smartlearn.gibb.ch/media/e8a8e4d47dd0cc3a6796ab.gz
* Unpack with `tar -xvzf www.lb2.ch.tar.gz`
* URL for the web service: http://www.lb2.m300.smartlearn.ch
* The Apache site configuration file must be named "www.lb2.conf"
* Format the second hard disk and mount it under /data/www
* Document the solution and include a screenshot

### Formatting the disk

```shell
# Partition disk sdc
sudo fdisk /dev/sdc
# > n = new partition
# > p = primary partition
# > leave everything else at the default values
# > w = write the partition table and exit
# lsblk now shows
sdc      8:32   0    8G  0 disk
└─sdc1   8:33   0    8G  0 part

# Format and mount the partition just created on sdc (sda is the root disk; never format it)
sudo mkfs.ext4 /dev/sdc1
sudo nano /etc/fstab
# Insert the following line
UUID=825c1d3f-6846-4429-959d-4e29f5ff3873 /data/www ext4 defaults 0 0
sudo systemctl daemon-reload
sudo mount -a
```

### Website

* On vmLS1

```shell
cd /tmp
wget https://smartlearn.gibb.ch/media/e8a8e4d47dd0cc3a6796ab.gz
tar -xvzf e8a8e4d47dd0cc3a6796ab.gz
sudo mv /tmp/www/* /data/www/
```

### Apache

```shell
sudo nano /etc/apache2/sites-available/www.lb2.conf
```

```conf
<VirtualHost *:80>
    ServerAdmin admin@example.com
    ServerName www.lb2.m300.smartlearn.ch
    DocumentRoot /data/www

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
```

* Activate

```shell
sudo a2ensite www.lb2.conf
sudo systemctl restart apache2
```

---

## Extra: Option C - login with SSH keys

```shell
# on lp1
ssh-keygen
ssh-copy-id vmadmin@192.168.70.21
# test: create a file and copy it to the server
# (the trailing ':' is required; without it scp writes a local file named "vmadmin@192.168.70.21")
touch test
scp test vmadmin@192.168.70.21:
```

---

## Test scripts

### Docker test

* /usr/local/bin/testen_docker

```shell
#!/bin/bash
bold=$(tput bold)
normal=$(tput sgr0)

echo -e "${bold}docker info${normal}"
docker info
echo -e "${bold}docker ps${normal}"
docker ps
echo -e "${bold}df${normal}"
df
echo -e "${bold}cat /etc/fstab${normal}"
cat /etc/fstab
echo -e "${bold}ls -laR /data |head -n 50${normal}"
ls -laR /data |head -n 50
echo -e "${bold}ls -laR /var/lib/docker |head -n 50${normal}"
ls -laR /var/lib/docker |head -n 50
```

### DNS test

* /usr/local/bin/testen_dns

```shell
#!/bin/bash
bold=$(tput bold)
normal=$(tput sgr0)

echo -e "${bold}nslookup vmlf1.lb2.m300.smartlearn.ch 192.168.70.21${normal}"
nslookup vmlf1.lb2.m300.smartlearn.ch 192.168.70.21
echo -e "${bold}nslookup www.lb2.m300.smartlearn.ch 192.168.70.21${normal}"
nslookup www.lb2.m300.smartlearn.ch 192.168.70.21
echo -e "${bold}nslookup applikation.lb2.m300.smartlearn.ch 192.168.70.21${normal}"
nslookup applikation.lb2.m300.smartlearn.ch 192.168.70.21
echo -e "${bold}nslookup 192.168.70.22 192.168.70.21${normal}"
nslookup 192.168.70.22 192.168.70.21
echo -e "${bold}nslookup www.gibb.ch 192.168.70.21${normal}"
nslookup www.gibb.ch 192.168.70.21
echo -e "${bold}nslookup vmls1.lb2.m300.smartlearn.ch${normal}"
nslookup vmls1.lb2.m300.smartlearn.ch
echo -e "${bold}nslookup www${normal}"
nslookup www
```

---

## Bind9 configuration files

### Forward zone `db.lb2.m300.smartlearn.ch`

```
; /etc/bind/db.lb2.m300.smartlearn.ch
$TTL 604800
@ IN SOA ns.lb2.m300.smartlearn.ch. root.lb2.m300.smartlearn.ch. (
        2024010101 ; Serial
        604800     ; Refresh
        86400      ; Retry
        2419200    ; Expire
        604800 )   ; Negative Cache TTL
;
@           IN NS ns.lb2.m300.smartlearn.ch.
ns          IN A  192.168.70.21
www         IN A  192.168.70.21
vmls1       IN A  192.168.70.21
applikation IN A  192.168.70.21
vmlf1       IN A  192.168.70.1
```

### Reverse zone `db.192.168.70`

```
; /etc/bind/db.192.168.70
$TTL 604800
@ IN SOA ns.lb2.m300.smartlearn.ch. root.lb2.m300.smartlearn.ch. (
        2024010101 ; Serial
        604800     ; Refresh
        86400      ; Retry
        2419200    ; Expire
        604800 )   ; Negative Cache TTL
;
@   IN NS  ns.lb2.m300.smartlearn.ch.
1   IN PTR vmlf1.lb2.m300.smartlearn.ch.
21  IN PTR vmls1.lb2.m300.smartlearn.ch.
22  IN PTR vmws1.lb2.m300.smartlearn.ch.
```

### Bind9 configuration `named.conf.local`

```
// /etc/bind/named.conf.local
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

zone "lb2.m300.smartlearn.ch" {
    type master;
    file "/etc/bind/db.lb2.m300.smartlearn.ch";
};

zone "70.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/db.192.168.70";
};
```

### Bind9 options `named.conf.options`

```
// /etc/bind/named.conf.options
options {
    directory "/var/cache/bind";

    // Forwarders to public DNS servers
    forwarders {
        1.1.1.1;
        1.1.0.1;
    };

    // Allow recursive queries
    allow-recursion { any; };
    // If you want to restrict recursive queries to your internal network only:
    // allow-recursion { 192.168.0.0/16; };

    dnssec-validation auto;

    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { any; };
};
```
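The forward and reverse zones (here and in A2) have to agree with each other, and `named-checkzone` only validates each file on its own. The following script is an added example, not part of the original notes or of BIND: it parses constructed copies of the two zone files, cross-checks every A record in 192.168.70.0/24 against the PTR records, and reports a missing `$TTL` directive; the reverse copy is deliberately written with `TTL` instead of `$TTL` so that check fires.

```python
from ipaddress import ip_address, ip_network

# Constructed copies of the zone data in these notes (SOA collapsed to one line);
# the reverse copy deliberately writes "TTL" without "$" so the check can flag it.
FORWARD_ZONE = """$TTL 604800
@ IN SOA ns.lb2.m300.smartlearn.ch. root.lb2.m300.smartlearn.ch. ( 2024010101 604800 86400 2419200 604800 )
@ IN NS ns.lb2.m300.smartlearn.ch.
ns IN A 192.168.70.21
www IN A 192.168.70.21
vmls1 IN A 192.168.70.21
applikation IN A 192.168.70.21
vmlf1 IN A 192.168.70.1
"""
REVERSE_ZONE = """TTL 604800
@ IN SOA ns.lb2.m300.smartlearn.ch. root.lb2.m300.smartlearn.ch. ( 2024010101 604800 86400 2419200 604800 )
@ IN NS ns.lb2.m300.smartlearn.ch.
1 IN PTR vmlf1.lb2.m300.smartlearn.ch.
21 IN PTR vmls1.lb2.m300.smartlearn.ch.
22 IN PTR vmws1.lb2.m300.smartlearn.ch.
"""

def parse_zone(text, origin):
    """Return ([(owner, type, rdata)], has_ttl); owners are made absolute with the origin."""
    records, depth, has_ttl = [], 0, False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()             # ';' starts a zone-file comment
        has_ttl |= line.startswith("$TTL")
        in_paren, tokens = depth > 0, line.split()
        depth += line.count("(") - line.count(")")      # track multi-line SOA rdata
        if in_paren or not tokens or tokens[0].startswith("$") or "IN" not in tokens:
            continue
        i, o = tokens.index("IN"), tokens[0]
        owner = f"{origin}." if o == "@" else o if o.endswith(".") else f"{o}.{origin}."
        records.append((owner, tokens[i + 1], tokens[i + 2]))
    return records, has_ttl

def check(forward, reverse, net=ip_network("192.168.70.0/24")):
    """Cross-check A records in net against PTR records; returns a list of findings."""
    a_names, ptr = {}, {}                               # ip -> {owner names}, ip -> PTR target
    for owner, rtype, rdata in forward:
        if rtype == "A" and ip_address(rdata) in net:
            a_names.setdefault(rdata, set()).add(owner)
    for owner, rtype, rdata in reverse:
        if rtype == "PTR":                              # 21.70.168.192.in-addr.arpa. -> 192.168.70.21
            ptr[".".join(reversed(owner.split(".in-addr.arpa")[0].split(".")))] = rdata
    findings = [f"A {n} -> {ip} has no PTR" for ip, ns in a_names.items() if ip not in ptr for n in sorted(ns)]
    findings += [f"PTR {ip} -> {h} has no matching A record" for ip, h in ptr.items() if h not in a_names.get(ip, ())]
    return findings

if __name__ == "__main__":                              # stand-alone run over the two copies above
    fwd, _ = parse_zone(FORWARD_ZONE, "lb2.m300.smartlearn.ch")
    rev, rev_ttl = parse_zone(REVERSE_ZONE, "70.168.192.in-addr.arpa")
    print("\n".join(check(fwd, rev) + ([] if rev_ttl else ["reverse zone: $TTL directive missing"])))
```

Run against the notes' data it reports the PTR for 192.168.70.22 (vmws1), which has no A record in the forward zone, and the missing `$TTL`; several A records sharing one address with a single PTR (ns, www, vmls1, applikation on .21) is accepted as long as the PTR target is one of them.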
