
Answer for Kodekloud DEVOPS Questions - Puppet Manage Services

 New packages need to be installed on all app servers in Stratos Datacenter. The Nautilus DevOps team has decided to install the same using Puppet. Since jump host is already configured to run as Puppet master server and all app servers are already configured to work as puppet agent nodes, we need to create required manifests on the Puppet master server so that it can be applied on all Puppet agent nodes. Please find more details about the task below.

Create a Puppet programming file apps.pp under /etc/puppetlabs/code/environments/production/manifests directory on master node i.e Jump Server and using puppet package resource perform the tasks below.

1. Install package vsftpd through Puppet package resource and start its service through puppet service resource on all Puppet agent nodes i.e all App Servers.

Note: Please perform this task using apps.pp only, do not create any separate inventory file.


Sample Answer:

#on jump host first create the apps.pp file in the given directory ( check your question for the name of the pp file )

check below the Github link for the sample .pp file for this task 



#Now edit the above .pp file with the details from your question

#apply the puppet file
    
    puppet apply apps.pp

#now login to ALL the app servers and pull the config file. (you can also click on + button in the top left corner and select a new host to open another jump host terminal from there you can log in to app server )

    ssh <user>@<app-server>

#switch to root user

    sudo su 

# run below command 

    puppet agent -tv 

# now check the package status 

     systemctl status vsftpd 

*Please comment on this post if you have any questions or facing any issues in the above steps, also provide your feedback in the comments :)

Note: **The Question copied it for learning purposes.** Commands are correct but based on your question the server, user name, and other details might differ, so please do check.

Answer for KodeKloud Question - Web Server Security

 During a recent security audit, the application security team of xFusionCorp Industries found security issues with the Apache web server on Nautilus App Server 1 server in Stratos DC. They have listed several security issues that need to be fixed on this server. Please apply the security settings below:

a. On Nautilus App Server 1 it was identified that the Apache web server is exposing the version number. Ensure this server has the appropriate settings to hide the version number of the Apache web server.

b. There is a website hosted under /var/www/html/media on App Server 1. It was detected that the directory /media lists all of its contents while browsing the URL. Disable the directory browser listing in Apache config.

c. Also make sure to restart the Apache service after making the changes.

Sample Answer:

#login to app server ( as given in the question, check your question)

    ssh <user>@<app_server>

# switch to root user

    sudo su 

# start and check status of the apache service 

     systemctl start httpd

     systemctl status httpd

#before doing the task, verify from the jump host  (you can open another terminal on top and check )

    curl -I http://<app-server-IP>:8080

* you will see the output with the apache version 

#navigate to httpd conf directory and edit httpd.conf file as below 

    cd /etc/httpd/conf/

    vi httpd.conf

#add below line at the end 

     ServerTokens Prod

     ServerSignature Off

#now go to the section (Directory "/var/www/html") and change as below

    <Directory "/var/www/html/<dir from your question>/">
        Options -Indexes +FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>

# save conf file 

# restart the httpd 

     systemctl restart httpd
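
A way to confirm both settings took effect after the restart, as an added example that is not part of the original answer: the functions below classify a `Server` header and detect an auto-generated index page. The sample responses are constructed, and `check_url` is a hypothetical helper for running the same checks against your own server.

```shell
#!/bin/sh
# Added example. Sample responses are constructed, not captured from the lab.

# Classify the Server header found in raw response headers on stdin.
# With "ServerTokens Prod" Apache sends exactly "Server: Apache".
server_header_verdict() {
    tr -d '\r' | awk '
        tolower($1) == "server:" {
            found = 1
            value = $0
            sub(/^[^:]*:[ \t]*/, "", value)
            # Digits or a parenthesised OS name mean version detail is exposed.
            if (value ~ /[0-9]/ || value ~ /\(/) print "leaks: " value
            else print "ok: " value
        }
        END { if (!found) print "ok: no Server header" }'
}

# Succeeds when the body on stdin is a mod_autoindex listing page.
body_is_autoindex() {
    grep -qi '<title>Index of /'
}

# Hypothetical helper for live use: check_url http://<app-server-IP>:8080 /media/
check_url() {
    curl -sI "$1/" | server_header_verdict
    if curl -s "$1$2" | body_is_autoindex; then
        echo "listing: enabled"
    else
        echo "listing: disabled"
    fi
}

# Constructed responses: before and after the httpd.conf change.
before_headers() { printf 'HTTP/1.1 200 OK\r\nServer: Apache/2.4.6 (CentOS)\r\n\r\n'; }
after_headers()  { printf 'HTTP/1.1 403 Forbidden\r\nServer: Apache\r\n\r\n'; }
before_body()    { printf '<html><head><title>Index of /media</title></head></html>\n'; }
after_body()     { printf '<html><head><title>403 Forbidden</title></head></html>\n'; }

before_headers | server_header_verdict
after_headers  | server_header_verdict
before_body | body_is_autoindex && echo "before: listing enabled"
after_body  | body_is_autoindex || echo "after: listing disabled"
```

With `-Indexes` in place, a directory that has no index file answers 403 instead of a listing; a directory that contains an index.html still returns 200.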



Answer for KodeKloud Question - Install & Configure Web Application

 xFusionCorp Industries is planning to host two static websites on their infra in Stratos Datacenter. The development of these websites is still in-progress, but we want to get the servers ready. The storage server has a shared directory /data that is mounted on each app host under /var/www/html directory. Please perform the following steps to accomplish the task:

a. Install httpd package and dependencies on all app hosts.

b. Apache should serve on port 8080 within the apps.

c. There are two website's backups /home/thor/news and /home/thor/games on jump_host. Set them up on Apache in a way that news should work on link http://<<lb-url>>/news/ and games should work on link http://<<lb-url>>/games. (do not worry about load balancer configuration, as its already configured).

d. You can access the website on LBR link; to do so click on the + button on top of your terminal, select the option Select port to view on Host 1, and after adding port 80 click on Display Port.


Sample Answer:

#Login to an app server using ssh (below steps need to be done in all the app servers)
ssh <user>@<app-server>

#login as root
sudo su

#install httpd (apache)
yum -y install httpd

#install openssh-clients
yum -y install openssh-clients

#restart sshd service
systemctl restart sshd

#Next change Listen port to 8080 (check your question, your port might be different )

vi /etc/httpd/conf/httpd.conf
Listen 8080

* DO ALL THE ABOVE STEPS IN ALL THE APP SERVERS

# Copy mentioned folders in the question to every app server from jump host

scp -r /home/thor/<folder_from_question> <user>@<app-server-01>:/tmp
scp -r /home/thor/<folder_from_question> <user>@<app-server-01>:/tmp

scp -r /home/thor/<folder_from_question> <user>@<app-server-02>:/tmp
scp -r /home/thor/<folder_from_question> <user>@<app-server-02>:/tmp

scp -r /home/thor/<folder_from_question> <user>@<app-server-03>:/tmp
scp -r /home/thor/<folder_from_question> <user>@<app-server-03>:/tmp


#Then from any app server move the folders to server html folder

mv /tmp/<folder_from_question> /var/www/html/
mv /tmp/<folder_from_question> /var/www/html/


#enable and start httpd
systemctl enable httpd
systemctl start httpd
 

#TESTING

Check from the jump host

curl http://<app-server-01>:8080/<folder_from_question>/
curl http://<app-server-01>:8080/<folder_from_question>/

curl http://<app-server-02>:8080/<folder_from_question>/
curl http://<app-server-02>:8080/<folder_from_question>/

curl http://<app-server-03>:8080/<folder_from_question>/
curl http://<app-server-03>:8080/<folder_from_question>/


click on the + button on top of your terminal, select the option Select port to view on Host 1, and after adding port 80 click on Display Port.



Answer for KodeKloud Question - PAM Authentication For Apache

 The document root /var/www/html of all web apps is on NFS share /data on storage server in Stratos Datacenter. We have a requirement where we want to password protect a directory in the Apache web server document root. We want to password protect http://<website-url>:<apache_port>/protected URL as per the following requirements (you can use any website-url for it like localhost since there are no such specific requirements as of now):

a. We want to use basic authentication.

b. We do not want to use htpasswd file base authentication. Instead, we want to use PAM authentication, i.e Basic Auth + PAM so that we can authenticate with a Linux user.

c. We already have a user mark with password BruCStnMT5 which you need to provide access to.

d. You can access the website on LBR link. To do so click on the + button on top of your terminal, select Select port to view on Host 1, and after adding port 80 click on Display Port

Sample Answer:

#login to an app server 

    ssh <user>@<app-server-Ip>

#switch to root user 

    sudo su

#install mod_authnz_external pwauth package

    yum --enablerepo=epel -y install mod_authnz_external pwauth

#create the protected directory 

    mkdir -p /var/www/html/protected/

#create an index.html file inside the protected directory

    vi /var/www/html/protected/index.html

#do the below configuration in the authnz_external.conf file for basic auth + PAM authentication

    vi /etc/httpd/conf.d/authnz_external.conf

    # add below lines to  the end

    <Directory /var/www/html/protected>

         AuthType Basic

        AuthName "PAM Authentication"

        AuthBasicProvider external

        AuthExternal pwauth

        require valid-user

    </Directory>

  #save the file 

# restart the httpd services 

    systemctl restart httpd

*AS PER THE QUESTION YOU MUST DO THE ABOVE STEPS FOR ALL THE APP SERVERS

#TESTING

    curl -u <user>:<password> http://localhost:8080/protected/



Answer for KodeKloud Question - Linux Firewalld Setup

 To secure our Nautilus infrastructure in Stratos Datacenter we have decided to install and configure firewalld on all app servers. We have Apache and Nginx services running on these apps. Nginx is running as a reverse proxy server for Apache. We might have more robust firewall settings in the future, but for now, we have decided to go with the given requirements listed below:

a. Allow all incoming connections on Nginx port.

b. Allow incoming connections from LB host only on Apache port and block for all others.

c. All rules must be permanent.

d. Zone should be public.

e. If Apache or Nginx services aren't running already, please make sure to start them.

Sample Answer:

##first let's start with apache and nginx service, ports verification 

#login to app server

    ssh <user>@<server>

#switch to root user

    sudo su

#check the apache service status 

systemctl status httpd

#check the nginx service status

systemctl status nginx

# if the above services are not running, start them using the below commands; otherwise skip this step.

systemctl start httpd

systemctl start nginx

# now we will get the apache Listen port  by using the below command (note down the port number we will use for later configuration)

    cat /etc/httpd/conf/httpd.conf | grep Listen

output will look like:
Listen 5003

# now we will get the nginx listen port by using the below command (note down the port number; we will use it for later configuration)

cat /etc/nginx/nginx.conf | grep listen
output will look like this:
listen       8096 default_server;

#now let's install firewalld service 

yum install -y firewalld

# enable and start the firewalld service and check the status using the below commands

    systemctl enable firewalld
    systemctl start firewalld
    systemctl status firewalld

#before making any firewall changes, do some pre-checks using these commands

firewall-cmd --state
firewall-cmd --get-default-zone
firewall-cmd --zone=public --list-all
firewall-cmd --zone=public --list-ports
firewall-cmd --get-active-zones

## let's do the firewall configuration

#allow the nginx port (make sure to use your own nginx port, which you found in the earlier steps)

firewall-cmd --permanent --zone=public --add-port=8096/tcp 

#allow services http and https

firewall-cmd --permanent --zone=public --add-service={http,https}

#allow the apache port (make sure to use your LB host IP and apache port, which you found in the earlier steps)

    firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="<LB-host-IP>" port protocol=tcp port=5003 accept'

#add interface

    firewall-cmd --permanent --zone=public --change-interface=wan

#reload firewalld service to take effect

    firewall-cmd --reload

#now do the post-check using these commands 

    firewall-cmd --zone=public --list-all
    firewall-cmd --zone=public --list-ports
    firewall-cmd --get-active-zones

#last step, you have to do the Nginx reverse proxy configuration as below
(you have to give the correct port and server IP as per your question; the location block goes inside the server block)

vi /etc/nginx/nginx.conf

server {
  listen          <nginx-port>;
  listen          [::]:<nginx-port>;
  server_name     <App-server-IP>;
  root            /usr/share/nginx/html;

  location / {
    proxy_pass http://<app-server-IP>:<apache-port>/;
  }
}

#save the configuration and restart nginx and apache services

    systemctl restart nginx
    systemctl restart httpd


* YOU MUST DO ALL THE ABOVE steps in ALL THE APPLICATION SERVERS.

##final Testing 
# From Jump Host

    curl -I  <app-server-IP-01>:<nginx_port>
    curl -I  <app-server-IP-02>:<nginx_port>
    curl -I  <app-server-IP-03>:<nginx_port>

# From LB host
    
    curl -I  <app-server-IP-01>:<nginx_port>
    curl -I  <app-server-IP-02>:<nginx_port>
    curl -I  <app-server-IP-03>:<nginx_port>

    curl -I  <app-server-IP-01>:<apache_port>
    curl -I  <app-server-IP-02>:<apache_port>
    curl -I  <app-server-IP-03>:<apache_port>
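
One way to confirm requirement b after the reload, as an added example rather than part of the original answer: the function audits the output of `firewall-cmd --zone=public --list-all`. The zone listings and the LB address 192.0.2.10 are constructed; ports 8096 and 5003 are the ones used in the steps above.

```shell
#!/bin/sh
# Added example. Zone listings and the LB address 192.0.2.10 are constructed.

# Usage: firewall-cmd --zone=public --list-all | audit_public_zone <nginx> <apache> <lb-ip>
# Prints PASS, or one FAIL line per problem found.
audit_public_zone() {
    awk -v nginx="$1" -v apache="$2" -v lb="$3" '
        # "ports:" lists ports that are open to every source address.
        $1 == "ports:" {
            for (i = 2; i <= NF; i++) {
                if ($i == (nginx "/tcp"))  nginx_open = 1
                if ($i == (apache "/tcp")) apache_open = 1
            }
        }
        # Rich rules that accept traffic to the Apache port.
        $1 == "rule" && /accept$/ && index($0, "port=\"" apache "\"") {
            if (index($0, "source address=\"" lb "\"")) lb_rule = 1
            else other_rule = 1
        }
        END {
            if (!nginx_open) print "FAIL: nginx port not open to all"
            if (apache_open) print "FAIL: apache port open to all sources"
            if (!lb_rule)    print "FAIL: no rich rule admitting LB to apache port"
            if (other_rule)  print "FAIL: apache port accepted from a non-LB source"
            if (nginx_open && !apache_open && lb_rule && !other_rule) print "PASS"
        }'
}

# Constructed listing that meets the requirements.
good_zone() { cat <<'EOF'
public (active)
  target: default
  interfaces: eth0
  services: dhcpv6-client http https ssh
  ports: 8096/tcp
  rich rules:
    rule family="ipv4" source address="192.0.2.10" port port="5003" protocol="tcp" accept
EOF
}

# Constructed listing where the Apache port was also added with --add-port.
bad_zone() { cat <<'EOF'
public (active)
  target: default
  interfaces: eth0
  services: dhcpv6-client http https ssh
  ports: 8096/tcp 5003/tcp
  rich rules:
    rule family="ipv4" source address="192.0.2.10" port port="5003" protocol="tcp" accept
EOF
}

echo "good: $(good_zone | audit_public_zone 8096 5003 192.0.2.10)"
echo "bad:  $(bad_zone  | audit_public_zone 8096 5003 192.0.2.10)"
```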



Answer for KodeKloud Question - Application Security

 We have a backup management application UI hosted on Nautilus's backup server in Stratos DC. That backup management application code is deployed under Apache on the backup server itself, and Nginx is running as a reverse proxy on the same server. Apache and Nginx ports are 8087 and 8091, respectively. We have iptables firewall installed on this server. Make the appropriate changes to fulfill the requirements mentioned below:

We want to open all incoming connections to Nginx's port and block all incoming connections to Apache's port. Also, make sure rules are permanent.

Sample Answer:

#login to backup server 

    ssh <user>@<server>

#switch to root user 

    sudo su 

#verify the iptables before doing any changes

    cat /etc/sysconfig/iptables

#run below commands in terminal ( you MUST make sure the correct ports of Nginx and Apache from your question)

    iptables -A INPUT -p tcp --dport 8091 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

    iptables -A INPUT -p tcp --dport 8087 -m conntrack --ctstate NEW -j REJECT

# to save the above entries, run the below command in terminal

    iptables-save > /etc/sysconfig/iptables

#verify ( you can see your entries inside )

    cat /etc/sysconfig/iptables
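
iptables evaluates a chain from top to bottom and stops at the first terminating match, so rules added with `-A` only take effect if no earlier INPUT rule already decides the packet. The following added example (not from the original answer) reads `iptables-save` output such as /etc/sysconfig/iptables and reports which rule decides a new connection to a port. Both rule dumps are constructed, and the catch-all REJECT in them is an assumption about the existing ruleset, so compare against your own file.

```shell
#!/bin/sh
# Added example. Both rule dumps are constructed samples in iptables-save format.

# Print "<TARGET> rule <n>" for the first INPUT rule that decides a NEW TCP
# connection from any client to port $1, or "POLICY <policy>" if none does.
# Simplification: rules limited by source, interface, negation or multiport
# are treated as not applying to every client.
first_verdict_for_port() {
    awk -v port="$1" '
        $1 == ":INPUT" { policy = $2; next }
        $1 != "-A" || $2 != "INPUT" { next }
        {
            n++; target = ""; applies = 1
            for (i = 3; i <= NF; i++) {
                opt = $i; val = $(i + 1)
                if (opt == "-j") { target = val; break }
                if (opt == "-p" && val != "tcp") applies = 0
                if (opt == "--dport" && val != port) applies = 0
                if ((opt == "--state" || opt == "--ctstate") &&
                    index("," val ",", ",NEW,") == 0) applies = 0
                if (opt == "-s" || opt == "-d" || opt == "-i" ||
                    opt == "!" || opt == "--dports") applies = 0
            }
            if (applies && target ~ /^(ACCEPT|REJECT|DROP)$/) {
                print target " rule " n; found = 1; exit
            }
        }
        END { if (!found) print "POLICY " policy }'
}

# The two rules from the answer appended after an existing catch-all REJECT.
appended_ruleset() { cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 8091 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8087 -m conntrack --ctstate NEW -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# The same two rules placed ahead of the catch-all REJECT.
inserted_ruleset() { cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8091 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8087 -m conntrack --ctstate NEW -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

echo "appended: 8091 -> $(appended_ruleset | first_verdict_for_port 8091)"
echo "inserted: 8091 -> $(inserted_ruleset | first_verdict_for_port 8091)"
echo "inserted: 8087 -> $(inserted_ruleset | first_verdict_for_port 8087)"
```

If the Nginx port comes back as REJECT from an earlier rule, the ACCEPT rule has to sit above that rule in the chain before the configuration is saved.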


Answer for KodeKloud Question - Configure protected directories in Apache

 xFusionCorp Industries has hosted several static websites on Nautilus Application Servers in Stratos DC. There are some confidential directories on document root that need to be password protected. Because they are using Apache for hosting the websites, the production support team has decided to use .htaccess with basic auth. There is a website that needs to be uploaded to /var/www/html/sysops on Nautilus App Server 1. However, we need to set up the authentication before that.

1. Create /var/www/html/sysops directory if doesn't exist.

2. Add a user mark in htpasswd and set its password to ksH85UJjhb.

3. There is a file /tmp/index.html placed on Jump Server. Copy the same to new directory you created, please make sure default document root should remain /var/www/html. Also website should work on URL http://<app-server-hostname>:<port>/sysops


Sample Answer:

# login to the given server in the question 

    ssh <user>@<server>

#switch to root user

    sudo su 

#create /var/www/html/sysops directory (check your question)

    mkdir /var/www/html/sysops

#Add a user and set password ( check your question username and password)

    htpasswd -c /etc/httpd/.htpasswd mark

* above command will ask for a new password for the user, paste the password given in question 

#Go to sysops directory and create .htaccess file

     vi .htaccess

#paste below configuration lines

    AuthType Basic

    AuthName "Password Required"

    Require valid-user

    AuthUserFile /etc/httpd/.htpasswd

#copy the index file from jump server

    scp /tmp/index.html <user>@<server>:/tmp

#now from your app server copy the file to the correct location

    cp /tmp/index.html /var/www/html/sysops/

# verification ( you need to submit the newly created user and user's password to access the file )

     curl -u mark http://<appserver IP>:8080/sysops/
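
Apache only honours auth directives in a .htaccess file when `AllowOverride` for that directory includes `AuthConfig` or `All`; with `AllowOverride None` the file is silently ignored and the directory stays open. The added example below (not part of the original answer) reports the `AllowOverride` value that applies to a directory from httpd.conf text; the config fragments are constructed and the function ignores `DirectoryMatch` and included files.

```shell
#!/bin/sh
# Added example. The httpd.conf fragments are constructed samples.

# Print the AllowOverride value that applies to directory $1, taken from the
# most specific enclosing <Directory> block in the config text on stdin.
# Prints "None" when nothing sets it (the Apache 2.4 default).
allowoverride_for() {
    awk -v target="${1%/}" '
        /^[ \t]*#/ { next }
        { gsub(/["<>]/, " ") }
        tolower($1) == "directory" {
            cur = $2; sub(/\/$/, "", cur)
            inblk = (target == cur || index(target, cur "/") == 1)
            next
        }
        tolower($1) == "/directory" { inblk = 0; next }
        inblk && tolower($1) == "allowoverride" && length(cur) >= bestlen {
            bestlen = length(cur)
            $1 = ""; sub(/^ +/, "")
            best = $0
        }
        END { print (best == "" ? "None" : best) }'
}

# Succeeds when .htaccess auth directives in directory $1 will be honoured.
htaccess_auth_honoured() {
    case " $(allowoverride_for "$1" | tr 'A-Z' 'a-z') " in
        *" all "*|*" authconfig "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed config where the document root disables overrides.
stock_conf() { cat <<'EOF'
<Directory />
    AllowOverride none
    Require all denied
</Directory>
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
EOF
}

# Same config plus a block that lets .htaccess set auth for the sysops directory.
fixed_conf() { stock_conf; cat <<'EOF'
<Directory "/var/www/html/sysops">
    AllowOverride AuthConfig
</Directory>
EOF
}

stock_conf | htaccess_auth_honoured /var/www/html/sysops || echo "stock: .htaccess auth ignored"
fixed_conf | htaccess_auth_honoured /var/www/html/sysops && echo "fixed: .htaccess auth honoured"
```

On the live server, a request to the /sysops/ URL without credentials should return 401; a 200 means the .htaccess file is not being applied.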



Answer for KodeKloud Question - Linux Nginx as Reverse Proxy

Nautilus system admin's team is planning to deploy a front end application for their backup utility on Nautilus Backup Server, so that they can manage the backups of different websites from a graphical user interface. They have shared requirements to set up the same; please accomplish the tasks as per detail given below:

a. Install Apache Server on Nautilus Backup Server and configure it to use 6100 port (do not bind it to 127.0.0.1 only, keep it default i.e let Apache listen on server's IP, hostname, localhost, 127.0.0.1 etc).

b. Install Nginx webserver on Nautilus Backup Server and configure it to use 8094.

c. Configure Nginx as a reverse proxy server for Apache.

d. There is a sample index file /home/index.html on Jump Host, copy that file to Apache's document root.

e. Make sure to start Apache and Nginx services.

f. You can test final changes using curl command, e.g curl http://<backup server IP or Hostname>:8094.


Sample Answer:

##Read the questions; we will do them one by one

# login to backup server ( user and server IP of backup server)

ssh <user>@<server>

# switch to root user

sudo su 

##first install apache (httpd) and nginx (we will do the configuration part later)

# install apache

yum install -y httpd

#install epel-release ( need for nginx)

yum install epel-release

#install nginx

yum install nginx

#we can verify by using rpm command 

rpm -aq httpd

rpm -aq nginx

# now do the apache(httpd) configuration part 

cd /etc/httpd/conf

vi httpd.conf

#change the Listen port from 80 to 6100 ( which is given in question a, check your question )

Listen 6100

#Go to ServerName, remove the # and change it as below

    ServerName 172.16.238.16:6100

Now save the config file

#now we will do the change in nginx.conf (change the port as given in the question)

    vi /etc/nginx/nginx.conf

#edit as below 

server {

    listen 8094 default_server;

    listen [::]:8094 default_server;

    server_name 172.16.238.16;

    location / {

        proxy_pass http://172.16.238.16:6100;

    }

}

save the file

#now from the jump host copy the index.html

    scp /home/index.html clint@172.16.238.16:/tmp/

#now login back to the backup server and copy the index.html file from /tmp/ to the apache document root location

cp /tmp/index.html /var/www/html/

# start the httpd and nginx services 

systemctl start httpd

systemctl start nginx

# verify by using curl 

curl http://172.16.238.16:8094

curl http://172.16.238.16:6100


Answer for KodeKloud Question - Apache Troubleshooting

 xFusionCorp Industries utilizes monitoring tools to check the status of every service, application, etc. running on the systems. The monitoring system identified that Apache service is not running on some of the Nautilus Application Servers in Stratos Datacenter.


1. Identify the faulty Nautilus Application Servers and fix the issue. Also, make sure Apache service is up and running on all Nautilus Application Servers. Do not try to stop any kind of firewall that is already running.
2. Apache is running on 3002 port on all Nautilus Application Servers and its document root must be /var/www/html on all app servers.
3. Finally you can test from jump host using curl command to access Apache on all app servers and it should work fine. E.g. curl http://172.16.238.10:3002/


Answer:

#First read each question section carefully 

#login to server 
    ssh <user>@<server>
# switch to root user
    sudo su 

# check apache service running  in all 3 app servers 
    systemctl status httpd

#check the httpd.conf (/etc/httpd/conf/httpd.conf)
    the line #ServerName www.example.com:80 needs to be edited as per the details

#Edit httpd.conf file 

    ServerName 172.16.238.10:3002





# Save the file and restart the httpd service
 
    systemctl restart httpd 

# here is the important point: once you start the httpd service, it sometimes fails, and you need to check the reason for the failure by issuing the status command

    systemctl status httpd

#There can be many errors/reasons, but the below 3 errors are possible as per this question
    Invalid server root directory in httpd.conf file
    Invalid document root error in httpd.conf file
    Listen port entry error in httpd.conf file

check the above three sections in the httpd.conf file and correct them

# start the apache service again
    systemctl restart httpd

# test using below curl command from jump host to each app server
    curl http://172.16.238.10:3002/ 
    curl http://172.16.238.11:3002/
    curl http://172.16.238.12:3002/

