Linux Challenge 5 - PAM configuration | Create a Cron job script to start & stop Docker container

 

Question : Create a bash script called "container-stop.sh" under "/home/bob/" which should be able to stop the "myapp" container. It should also display a message "myapp container stopped!"

Add a cron job for the "root" user which should run "container-stop.sh" script at "12am" everyday.

Add a cron job for the "root" user which should run "container-start.sh" script at "8am" everyday.

Create a bash script called "container-start.sh" under "/home/bob/" which should be able to "start" the "myapp" container. It should also display a message "myapp container started!"

The "root" account is currently locked on "centos-host", please unlock it.

Make user "root" a member of "wheel" group

Add a local DNS entry for the database hostname "mydb.kodekloud.com" so that it can resolve to "10.0.0.50" IP address.

Set a password for mysql root user to "S3cure#321"

Install "mariadb" database server on this server and "start/enable" its service.

Add an extra IP to "eth1" interface on this system: 10.0.0.50/24

Pull "nginx" docker image.

Create and run a new Docker container based on the "nginx" image. The container should be named as "myapp" and the port "80" on the host should be mapped to the port "80" on the container.

Edit the PAM configuration file for the "su" utility so that this utility only accepts the requests from the users that are part of the "wheel" group and the requests from the users should be accepted immediately, without asking for any password.

Solution:  

1. At first  switch to root user and Add a local DNS entry for the database hostname "mydb.kodekloud.com" so that it can resolve to "10.0.0.50" IP address

[bob@centos-host ~]$ sudo su - [root@centos-host ~]# [root@centos-host ~]# vi /etc/hosts [root@centos-host ~]# cat /etc/hosts 127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1         localhost localhost.localdomain localhost6 localhost6.localdomain6 127.0.1.1 centos-host centos-host 10.0.0.50    mydb.kodekloud.com [root@centos-host ~]#

2. Add an extra IP to "eth1" interface on this system: 10.0.0.50/24

[root@centos-host ~]# ip address add 10.0.0.50/24 dev eth1 [root@centos-host ~]# [root@centos-host ~]# ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00     inet 127.0.0.1/8 scope host lo        valid_lft forever preferred_lft forever     inet6 ::1/128 scope host        valid_lft forever preferred_lft forever 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000     link/ether 52:54:00:68:21:b5 brd ff:ff:ff:ff:ff:ff     inet 192.168.121.71/24 brd 192.168.121.255 scope global dynamic noprefixroute eth0        valid_lft 2981sec preferred_lft 2981sec     inet6 fe80::5054:ff:fe68:21b5/64 scope link        valid_lft forever preferred_lft forever 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000     link/ether 52:54:00:43:63:9b brd ff:ff:ff:ff:ff:ff     inet 172.28.128.2/24 brd 172.28.128.255 scope global dynamic noprefixroute eth1        valid_lft 2926sec preferred_lft 2926sec     inet 10.0.0.50/24 scope global eth1        valid_lft forever preferred_lft forever     inet6 fe80::5054:ff:fe43:639b/64 scope link        valid_lft forever preferred_lft forever 4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default     link/ether 02:42:31:e0:fa:df brd ff:ff:ff:ff:ff:ff     inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0        valid_lft forever preferred_lft forever [root@centos-host ~]#

3. Install "mariadb" database server on this server and "start/enable" its service.

[root@centos-host ~]# yum install mariadb-server –y Installed:   libaio-0.3.112-1.el8.x86_64                                                      mariadb-3:10.3.28-1.module_el8.3.0+757+d382997d.x86_64                                   mariadb-backup-3:10.3.28-1.module_el8.3.0+757+d382997d.x86_64                    mariadb-common-3:10.3.28-1.module_el8.3.0+757+d382997d.x86_64                            mariadb-connector-c-3.1.11-2.el8_3.x86_64                                        mariadb-connector-c-config-3.1.11-2.el8_3.noarch                                         mariadb-errmsg-3:10.3.28-1.module_el8.3.0+757+d382997d.x86_64                    mariadb-gssapi-server-3:10.3.28-1.module_el8.3.0+757+d382997d.x86_64                     mariadb-server-3:10.3.28-1.module_el8.3.0+757+d382997d.x86_64                    mariadb-server-utils-3:10.3.28-1.module_el8.3.0+757+d382997d.x86_64                      perl-Carp-1.42-396.el8.noarch                                                    perl-DBD-MySQL-4.046-3.module_el8.3.0+419+c2dec72b.x86_64                              Complete! [root@centos-host ~]# [root@centos-host ~]# systemctl enable mariadb Created symlink /etc/systemd/system/mysql.service → /usr/lib/systemd/system/mariadb.service. Created symlink /etc/systemd/system/mysqld.service → /usr/lib/systemd/system/mariadb.service. Created symlink /etc/systemd/system/multi-user.target.wants/mariadb.service → /usr/lib/systemd/system/mariadb.service. [root@centos-host ~]# systemctl start mariadb [root@centos-host ~]# [root@centos-host ~]# systemctl status mariadb ● mariadb.service - MariaDB 10.3 database server    Loaded: loaded (/usr/lib/systemd/system/mariadb.service; enabled; vendor preset: disabled)    Active: active (running) since Sun 2022-11-13 15:35:49 UTC; 7s ago      Docs: man:mysqld(8)            https://mariadb.com/kb/en/library/systemd/   Process: 28628 ExecStartPost=/usr/libexec/mysql-check-upgrade (code=exited, status=0/SUCCESS)   Process: 28493 ExecStartPre=/usr/libexec/mysql-prepare-db-dir mariadb.service (code=exited, status=0/SUCCESS)   Process: 28469 ExecStartPre=/usr/libexec/mysql-check-socket (code=exited, status=0/SUCCESS)  Main PID: 28596 (mysqld)    Status: "Taking your SQL requests now..."     Tasks: 30 (limit: 5970)    Memory: 77.2M    CGroup: /system.slice/mariadb.service            └─28596 /usr/libexec/mysqld --basedir=/usr  Nov 13 15:35:48 centos-host mysql-prepare-db-dir[28493]: See the MariaDB Knowledgebase at http://mariadb.com/kb or the Nov 13 15:35:48 centos-host mysql-prepare-db-dir[28493]: MySQL manual for more instructions. Nov 13 15:35:48 centos-host mysql-prepare-db-dir[28493]: Please report any problems at http://mariadb.org/jira Nov 13 15:35:48 centos-host mysql-prepare-db-dir[28493]: The latest information about MariaDB is available at http://mariadb.org/. Nov 13 15:35:48 centos-host mysql-prepare-db-dir[28493]: You can find additional information about the MySQL part at: Nov 13 15:35:48 centos-host mysql-prepare-db-dir[28493]: http://dev.mysql.com Nov 13 15:35:48 centos-host mysql-prepare-db-dir[28493]: Consider joining MariaDB's strong and vibrant community: Nov 13 15:35:48 centos-host mysql-prepare-db-dir[28493]: https://mariadb.org/get-involved/ Nov 13 15:35:48 centos-host mysqld[28596]: 2022-11-13 15:35:48 0 [Note] /usr/libexec/mysqld (mysqld 10.3.28-MariaDB) starting as process 28596 ... Nov 13 15:35:49 centos-host systemd[1]: Started MariaDB 10.3 database server. [root@centos-host ~]#

4. Set a password for mysql root user to "S3cure#321"

[root@centos-host ~]# mysqladmin -u root password 'S3cure#321' [root@centos-host ~]#

5. The "root" account is currently locked on "centos-host", please unlock it.

Make user "root" a member of "wheel" group

[root@centos-host ~]# usermod -U root [root@centos-host ~]# usermod -G wheel root [root@centos-host ~]#

6. Create and run a new Docker container based on the "nginx" image. The container should be named as "myapp" and the port "80" on the host should be mapped to the port "80" on the container

[root@centos-host ~]# docker ps CONTAINER ID   IMAGE     COMMAND   CREATED   STATUS    PORTS     NAMES [root@centos-host ~]# [root@centos-host ~]# docker pull nginx Using default tag: latest latest: Pulling from library/nginx e9995326b091: Pull complete 71689475aec2: Pull complete f88a23025338: Pull complete 0df440342e26: Pull complete eef26ceb3309: Pull complete 8e3ed6a9e43a: Pull complete Digest: sha256:943c25b4b66b332184d5ba6bb18234273551593016c0e0ae906bab111548239f Status: Downloaded newer image for nginx:latest docker.io/library/nginx:latest [root@centos-host ~]#  [root@centos-host ~]# docker run -d -p 80:80 --name myapp nginx 48d28aaed8b6731d678c1ccfeed51c1888f104efdd350a0c9049538a0c10800b [root@centos-host ~]# [root@centos-host ~]# docker ps CONTAINER ID   IMAGE     COMMAND                  CREATED         STATUS         PORTS                               NAMES 48d28aaed8b6   nginx     "/docker-entrypoint.…"   5 seconds ago   Up 4 seconds   0.0.0.0:80->80/tcp, :::80->80/tcp   myapp [root@centos-host ~]#

7. Create a bash script called "container-start.sh" under "/home/bob/" which should be able to "start" the "myapp" container. It should also display a message "myapp container started!"

[root@centos-host ~]# vi /home/bob/container-start.sh [root@centos-host ~]# cat /home/bob/container-start.sh #!/usr/bin/env bash docker start myapp echo "myapp container started!" [root@centos-host ~]# [root@centos-host ~]# chmod +x /home/bob/container-start.sh [root@centos-host ~]# [root@centos-host ~]# vi /home/bob/container-stop.sh [root@centos-host ~]# cat /home/bob/container-stop.sh #!/usr/bin/env bash docker stop myapp echo "myapp container stopped!" [root@centos-host ~]# [root@centos-host ~]# chmod +x /home/bob/container-stop.sh [root@centos-host ~]#

8. Add a cron job for the "root" user which should run "container-stop.sh" script at "12am" everyday.

Add a cron job for the "root" user which should run "container-start.sh" script at "8am" everyday.

[root@centos-host ~]# crontab -l no crontab for root [root@centos-host ~]# [root@centos-host ~]# crontab -e no crontab for root - using an empty one crontab: installing new crontab [root@centos-host ~]# crontab -l 0 0 * * * /home/bob/container-stop.sh 0 8 * * * /home/bob/container-start.sh [root@centos-host ~]#

9. Edit the PAM configuration file for the "su" utility so that this utility only accepts the requests from the users that are part of the "wheel" group and the requests from the users should be accepted immediately, without asking for any password.

[root@centos-host ~]# vi /etc/pam.d/su [root@centos-host ~]# cat /etc/pam.d/su #%PAM-1.0 auth            required        pam_env.so auth            sufficient      pam_rootok.so # Uncomment the following line to implicitly trust users in the "wheel" group. auth            sufficient      pam_wheel.so trust use_uid # Uncomment the following line to require a user to be in the "wheel" group. auth            required        pam_wheel.so use_uid auth            substack        system-auth auth            include         postlogin account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet account         [success=1 default=ignore] \                                 pam_succeed_if.so user = vagrant use_uid quiet account         required        pam_succeed_if.so user notin root:vagrant account         include         system-auth password        include         system-auth session         include         system-auth session         include         postlogin session         optional        pam_xauth.so [root@centos-host ~]#

10. Click on check & Confirm to complete the task successfully

Script that automate the entire lab task 

you can copy form gitlab  https://gitlab.com/nb-tech-support/devops.git

Happy Learning!!!!

Apart from this if you need more clarity,  I have made a  tutorial video on this , please go through and share your comments. Like and share the knowledge