Posted on

Configure a Linux Network Gateway / Firewall with DHCP & DNS

System Configuration

Configure hostname 

$ echo gateway.lab.local > /etc/hostname
$ hostname $(cat /etc/hostname)

Add the following to /etc/sysctl.conf 

# Accept packets destined for other addresses
net.ipv4.ip_forward = 1

Apply settings defined in /etc/sysctl.conf 

$ systemctl restart systemd-sysctl

Networking

$ ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT qlen 1000
    link/ether 08:00:27:43:e6:71 brd ff:ff:ff:ff:ff:ff
3: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT qlen 1000
    link/ether 08:00:27:a6:b8:f9 brd ff:ff:ff:ff:ff:ff

Determine the WAN and LAN ports by physically removing a network connection and view “dmesg” 

[64476.759373] e1000: enp0s8 NIC Link is Down

This is the physical port connected on the LAN side, and so this will be the LAN port

Configure the relevant interface files for the WAN and LAN ports 

$ sed -i '/^ONBOOT/s/=.*$/=yes/' /etc/sysconfig/network-scripts/ ifcfg-enp0s3
$ sed -i '/^ONBOOT/s/=.*$/=yes/' /etc/sysconfig/network-scripts/ifcfg-enp0s8
$ sed -i '/^BOOTPROTO/s/=.*$/=none/' /etc/sysconfig/network-scripts/ifcfg-enp0s8
$ echo "IPADDR=172.24.10.1" >> /etc/sysconfig/network-scripts/ifcfg-enp0s8
$ echo "NETMASK=255.255.255.0" >> /etc/sysconfig/network-scripts/ifcfg-enp0s8
$ systemctl restart network
  • ONBOOT=yes Set network interface to be brought up on system boot
  • BOOTPROTO=none No protocol is used as static network details are supplied
  • IPADDR=172.24.10.1 IP address for the interface that will be used as the gateway for the local network
  • NETMASK=255.255.255.0 Netmask of the local network

Check that the new settings have been applied 

$ ip addr
[...]
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 08:00:27:8d:83:09 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.12/24 brd 192.168.1.255 scope global dynamic enp0s3
       valid_lft 691072sec preferred_lft 691072sec
3: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 08:00:27:74:ee:ac brd ff:ff:ff:ff:ff:ff
    inet 172.24.10.1/24 brd 172.24.10.255 scope global enp0s8
       valid_lft forever preferred_lft forever

$ ip route
default via 192.168.1.1 dev enp0s3 proto static metric 100
172.24.10.0/24 dev enp0s8 proto kernel scope link src 172.24.10.1 metric 100
192.168.1.0/24 dev enp0s3 proto kernel scope link src 192.168.1.12 metric 100

Firewall

Re-enable the traditional iptables firewall and clear the default rules 

$ systemctl disable firewalld && systemctl stop firewalld
$ yum install iptables-services
$ > /etc/sysconfig/iptables
$ systemctl enable iptables && systemctl start iptables

Define and save new rules 

$ iptables -A INPUT -i lo -j ACCEPT
$ iptables -A INPUT -i enp0s3 -m state --state RELATED,ESTABLISHED -j ACCEPT
$ iptables -A INPUT -i enp0s3 -p tcp --dport 22 -j ACCEPT
$ iptables -P INPUT DROP
$ iptables -A FORWARD -i enp0s3 --dst 172.24.10.0/24 -j ACCEPT 
$ iptables -A FORWARD -i enp0s8 --src 172.24.10.0/24 -j ACCEPT 
$ iptables -P FORWARD DROP iptables -t nat -A POSTROUTING --src 172.24.10.0/24 -j MASQUERADE service
$ iptables save
  • iptables -A FORWARD -i enp0s3 –dst 172.24.10.0/24 -j ACCEPT Allow packets from WAN destined to LAN
  • iptables -A FORWARD -i enp0s8 –src 172.24.10.0/24 -j ACCEPT Allow packets from LAN
  • iptables -t nat -A POSTROUTING –src 172.24.10.0/24 -j MASQUERADE MASQUERADE packets originating from LAN. If WAN packets are masqueraded, the host connections will appear as “gateway”

Software Installation

  • BIND DNS
$ yum install bind bind-utils
$ sed -i '/listen-on/s/127.0.0.1;/& 172.24.10.1;/' /etc/named.conf $ sed -i '/allow-query/s/localhost/any/' /etc/named.conf
$ systemctl enable named && systemctl start named
$ iptables -A INPUT -i enp0s8 -p udp --dport 53 -j ACCEPT
  • listen-on Specify interface addresses to listen on
  • allow-query Set to “any” to allow queries on all listening interfaces
  • iptables -A INPUT -i enp0s8 -p udp –dport 53 -j ACCEPT Allow DNS queries on LAN port
  • DHCPD 
yum install dhcp

Configure /etc/dhcp/dhcpd.conf: 

authoritative; # This DHCP server is the official DHCP server for the LAN.

default-lease-time 600;
max-lease-time 7200;

subnet 172.24.10.0 netmask 255.255.255.0 {
    range 172.24.10.100 172.24.10.200;
    option domain-name-servers 172.24.10.1;
    option domain-name "lab.local";
    option routers 172.24.10.1;
    option broadcast-address 172.24.10.255;
}

Note: DHCPD matches defined subnets to the IP address assigned to an interface and will not serve any that do not match. Subnet 172.24.10.0/24 will be served on enp0s8.

Enable the system service: 

systemctl enable dhcpd && systemctl start dhcpd

Testing

Connect several clients to the LAN and activate network interfaces on boot. DHCP is enabled by default 

sed -i '/^ONBOOT/s/=.*$/=yes/' /etc/sysconfig/network-scripts/ifcfg-enp0s3
systemctl restart network

Check that DHCP is functioning correctly 

[root@gateway ~]# systemctl status dhcpd
● dhcpd.service - DHCPv4 Server Daemon
   Loaded: loaded (/usr/lib/systemd/system/dhcpd.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2018-06-20 10:16:10 BST; 8min ago
     Docs: man:dhcpd(8) man:dhcpd.conf(5)
 Main PID: 2051 (dhcpd)
   Status: "Dispatching packets..."
   CGroup: /system.slice/dhcpd.service
           └─2051 /usr/sbin/dhcpd -f -cf /etc/dhcp/dhcpd.conf -user dhcpd -group dhcpd --no-pid Jun 20

10:23:05 gateway.lab.local dhcpd[2051]: DHCPDISCOVER from 08:00:27:b7:f0:59 via enp0s8 Jun 20
10:23:06 gateway.lab.local dhcpd[2051]: DHCPOFFER on 172.24.10.101 to 08:00:27:b7:f0:59 via enp0s8 Jun 20
10:23:06 gateway.lab.local dhcpd[2051]: DHCPREQUEST for 172.24.10.101 (172.24.10.1) from 08:00:27:b7:f0:59 via enp0s8 Jun 20
10:23:06 gateway.lab.local dhcpd[2051]: DHCPACK on 172.24.10.101 to 08:00:27:b7:f0:59 via enp0s8

[root@testclient1 ~]# ip addr show enp0s3
enp0s3:  mtu 1500 qdisc pfifo_fast state UP qlen 1000
      link/ether 08:00:27:dc:b5:90 brd ff:ff:ff:ff:ff:ff
      inet 172.24.10.100/24 brd 172.24.10.255 scope global dynamic enp0s3
         valid_lft 483sec preferred_lft 483sec

[root@testclient2 ~]# ip addrs show enp0s3
enp0s3:  mtu 1500 qdisc pfifo_fast state UP qlen 1000
      link/ether 08:00:27:7e:75:7f brd ff:ff:ff:ff:ff:ff
      inet 172.24.10.101/24 brd 172.24.10.255 scope global dynamic enp0s3
         valid_lft 441sec preferred_lft 441sec

Forward SSH to access test clients 

iptables -t nat -A PREROUTING -i enp0s3 -p tcp --dport 220 -j DNAT --to 172.24.10.100:22
iptables -t nat -A PREROUTING -i enp0s3 -p tcp --dport 221 -j DNAT --to 172.24.10.101:22
                                        Gateway
                                           __
                              Modem       |==|         LAN Switch
                               ____       |  |       _______________
             Internet  <------[_..°]------|__|------[_:::::::::::::_]
                                   (enp0s3)  (enp0s8)      | |
                                                       __  | |  __
                                                 ____ |==| | | |==| ____   
                                   testclient1  |    ||  |_| |_|  ||    |  testclient2
                                 172.24.10.100  |____||__|     |__||____|  172.24.10.101
                                                /::::/             /::::/

Test Client 1 

$ ssh 192.168.1.12 -p 220
root@192.168.1.12's password:
Last login: Wed Jun 20 10:46:57 2018 from 192.168.1.19 

[root@testclient1 ~]# cat /etc/resolv.conf
# Generated by Networkmanager
search lab.local
nameserver 172.24.10.1

[root@testclient1 ~]# ip addr show enp0s3
enp0s3:  mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
      link/ether 08:00:27:1f:2d:84 brd ff:ff:ff:ff:ff:ff
      inet 172.24.10.100/24 brd 172.24.10.255 scope global noprefixroute dynamic enp0s3
         valid_lft 457sec preferred_lft 457sec 

[root@testclient1 ~]# ping -c3 google.com
PING google.com (216.58.198.110) 56(84) bytes of data.
64 bytes from lhr25s07-in-f110.1e100.net (216.58.198.110): icmp_seq=1 ttl=56 time=6.30 ms
64 bytes from lhr25s07-in-f110.1e100.net (216.58.198.110): icmp_seq=2 ttl=56 time=6.41 ms
64 bytes from lhr25s07-in-f110.1e100.net (216.58.198.110): icmp_seq=3 ttl=56 time=7.43 ms

--- google.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2004ms
rtt min/avg/max/mdev = 6.303/6.717/7.431/0.507 ms

[root@testclient1 ~]# ping -c3 google.com
PING google.com (216.58.198.110) 56(84) bytes of data.
64 bytes from lhr25s07-in-f110.1e100.net (216.58.198.110): icmp_seq=1 ttl=56 time=6.30 ms
64 bytes from lhr25s07-in-f110.1e100.net (216.58.198.110): icmp_seq=2 ttl=56 time=6.41 ms
64 bytes from lhr25s07-in-f110.1e100.net (216.58.198.110): icmp_seq=3 ttl=56 time=7.43 ms

--- google.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2004ms
rtt min/avg/max/mdev = 6.303/6.717/7.431/0.507 ms 

[root@testclient1 ~]# curl ipinfo.io/ip
212.42.180.148

Test Client 2 

$ ssh 192.168.1.12 -p 221
root@192.168.1.12's password:
Last login: Wed Jun 20 10:45:01 2018 from 192.168.1.19 

[root@testclient2 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search lab.local
nameserver 172.24.10.1

[root@testclient2 ~]# ip addr show enp0s3
2: enp0s3:  mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
      link/ether 08:00:27:b7:f0:59 brd ff:ff:ff:ff:ff:ff
      inet 172.24.10.101/24 brd 172.24.10.255 scope global noprefixroute dynamic enp0s3
         valid_lft 450sec preferred_lft 450sec

[root@testclient2 ~]#  ping -c3 google.com
PING google.com (216.58.198.110) 56(84) bytes of data.
64 bytes from lhr25s07-in-f110.1e100.net (216.58.198.110): icmp_seq=1 ttl=56 time=7.68 ms
64 bytes from lhr25s07-in-f110.1e100.net (216.58.198.110): icmp_seq=2 ttl=56 time=6.46 ms
64 bytes from lhr25s07-in-f110.1e100.net (216.58.198.110): icmp_seq=3 ttl=56 time=6.42 ms

--- google.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 6.421/6.855/7.680/0.590 ms

# curl ipinfo.io/ip
212.42.180.148

The clients have been automatically configured via DHCP, can resolve URLs via DNS, and are sending and receiving network traffic through the gateway.

Posted on

Logical Volume Management with mdadm RAID

Logical Volume Management

/ has just run out of space, what do we do now? With a normal partition setup, increasing the size of a partition is difficult as it can’t just be resized: typically you would have to backup your files, delete the partitions, create a new partition layout, create file systems, and copy all your files back on.

That’s a lot of work to just add some room to a partition that’s running out of space. Graphical tools such as gparted make this easier, but the system would still have to be taken down for maintenance and may not be easily available for the server in question. Here is where LVM comes in:

$ lvextend -L+1G /dev/new_volume/lv_root
  Size of logical volume new_volume/lv_root changed from 2.00 GiB (512 extents) to 3.00 GiB (768 extents).
  Logical volume lv_root successfully resize

$ df -h
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/new_volume-lv_root
                2.0G 3.0M 1.9G 1% /mnt

$ resize2fs /dev/mapper/new_volume-lv_root
resize2fs 1.41.12 (17-May-2010)
Filesystem at /dev/mapper/new_volume-lv_root is mounted on /mnt; on-line resizing required
old desc_blocks = 1, new_desc_blocks = 1
Performing an on-line resize of /dev/mapper/new_volume-lv_root to 786432 (4k) blocks.
The filesystem on /dev/mapper/new_volume-lv_root is now 786432 blocks long.

$ df -h
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/new_volume-lv_root 2.9G 3.0M 2.8G 1% /mnt

There are no guarantees with partition resizing. Always keep full up-to-date backups of your data.

With minimal time and work the root partition has now been increased by 1GB, and the system didn’t need to be taken off-line to do it. It was all done while the system was still running.

LVM can be used on a single hard drive, but it also takes multiple hard drives and pools the available space into a single logical volume group. The space is then allocated to the logical volumes that will be used for the Linux file system. If space is running low in an LVM, additional hard drives can be added to the volume group to provide space to extend the logical volumes. Logical volumes can be extended and shrunk as required.

LVM provides the ability to dynamically allocate space, but it does not provide redundancy (although newer versions may support this). If a disk died in a volume group the entire volume would be destroyed.

LVM on Linux software RAID array

The purpose of a Redundant Array of Independent Disks (at level 1 or higher) is to provide redundancy and keep the system up and running when a hard disk fails; if this happens, the missing data is provided on-the-fly from the redundant information on the other hard disks. This allows the system to continue uninterrupted until the drive can be replaced and the missing data is rebuilt. Using LVM with a RAID allows LVM to continue working even if one of the physical disks dies.

Using a RAID array with LVM does have its disadvantages. RAID will will use the size of the smallest disk when building the array due to the need to stripe information across the drives. In the example above the smallest disk is 100GB, and so only 100GB would be used from each of the other two drives despite their larger capacity.

In a RAID 5 array, the equivalent space of one drive will be used for redundancy which means that 1 drive will not be available for storage. The space issue can be mitigated by using more hard drives, but more hard drives also increase the risk of drive failures. If you have plenty of hard drives and can afford the space, RAID 6 may be a better choice.

Total available space in a RAID 5 array = “size of smallest device” x (number of disks – 1)

100GB x (3 – 1) = 200GB. With LVM the entire 550GB was available for use in the volume group, but with a RAID 5 array only 200GB out of the 550GB would be available for use due to the mismatched device sizes. To make better use of the disk space the drive sizes should be matched more closely.

Example Setup

I have used a virtual machine with 5 partitions to create an mdadm RAID 5 array. Normally the RAID setup would be done with multiple disks but the concept works for this example. The mdadm RAID array is then used to create a volume group from which the logical volumes can be created.

$ mdadm --create /dev/md0 --raid-devices=5 --level=5 /dev/xvdb5 \\\\
> /dev/xvdb6 /dev/xvdb7 /dev/xvdb8 /dev/xvdb9
[...]
md0: WARNING: xvdb9 appears to be on the same physical disk as xvdb8.
[...]
md0: WARNING: xvdb5 appears to be on the same physical disk as xvdb8.
True protection against single-disk failure might be compromised. 
md/raid:md0: device xvdb8 operational as raid disk 3
md/raid:md0: device xvdb7 operational as raid disk 2
md/raid:md0: device xvdb6 operational as raid disk 1
md/raid:md0: device xvdb5 operational as raid disk 0
md/raid:md0: allocated 0kB
md/raid:md0: raid level 5 active with 4 out of 5 devices, algorithm 2
md0: detected capacity change from 0 to 6476005376
[...]
mdadm: array /dev/md0 started.
 md0: unknown partition table

$ cat /proc/mdstat
Personalities : [raid6] [raid5] [raid4]
md0 : active raid5 xvdb9[5] xvdb8[3] xvdb7[2] xvdb6[1] xvdb5[0]       
6324224 blocks super 1.2 level 5, 512k chunk, algorithm 2 [5/5] [UUUUU]
unused devices:

The RAID device is now created and ready to be used. Now to create the LVM volume on the RAID device.

$ pvcreate /dev/md0   Physical volume "/dev/md0" successfully created

$ vgcreate new_volume /dev/md0   Volume group "new_volume" successfully created

$ lvcreate -L 500M -n lv_swap new_volume   Logical volume "lv_swap" created.

$ lvcreate -L 2G -n lv_root new_volume   Logical volume "lv_root" created.

$ lvcreate -l 100%FREE -n lv_home new_volume   Logical volume "lv_home" created.

$ mkfs.ext4 /dev/mapper/new_volume-lv_root
[…]
Writing inode tables: done
Creating journal (16384 blocks): done
Writing superblocks and filesystem accounting information: done

$ mkfs.ext4 /dev/mapper/new_volume-lv_home
[…]
Writing inode tables: done
Creating journal (16384 blocks): done
Writing superblocks and filesystem accounting information: done
Posted on

Ansible Configuration Management

What is it?

Ansible is a Configuration Management tool designed to automate the deployment of defined configurations from a single host to many hosts. It allows one to define hosts into specific groups, and then run a specific set of tasks against those hosts, allowing one to set up a web server or a mail server quickly and perfectly configured every time. These qualities are essential for productivity in a large server environment.

Ansible is similar to Puppet and Chef in terms of configuration management, but Ansible does not require a client to be installed on the target server in order to perform its job. Instead, Ansible accesses each server through SSH and then performs all its commands through the command line — just like a regular user would — in order to leave as little mark on the system as possible; in fact, as Ansible uses an unobtrusive method of control, it can be used alongside Puppet and Chef.

Installation

The first step is to get Ansible installed on the ‘master’ system (the system you plan to control all of your defined servers from). In this case, all of our servers will be CentOS 6.7 Minimal based. As root:

yum install epel-release
yum install ansibl

Ansible is available from the ‘Extra Packages for Enterprise Linux’ repository (commonly known as epel), and so this needs to be installed first. Ansible is now installed on the system and is ready to be configured.

Configuration

SSH keys are necessary to allow access from the ‘master’ server (the server one wishes to control the other machines from) to each ‘client’ machine without requiring a password. Passwords can be defined in Ansible, but keys make life a lot easier.

ssh-keygen

And then a quick loop to copy the new SSH public key on to the target machines

[root@server1 ~]# for i in {2..4}; do
> ssh-copy-id server$i
> done
The authenticity of host 'server2 (10.44.16.152)' can't be established.
RSA key fingerprint is 12:7e:90:4b:af:11:bb:56:40:84:4e:84:e6:78:b8:d3.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'server2,10.44.16.152' (RSA) to the list of known hosts.
root@server2's password: 
Now try logging into the machine, with "ssh 'server2'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

The authenticity of host 'server3 (10.44.16.153)' can't be established.
RSA key fingerprint is 12:7e:90:4b:af:11:bb:56:40:84:4e:84:e6:78:b8:d3.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'server3,10.44.16.153' (RSA) to the list of known hosts.
root@server3's password: 
Now try logging into the machine, with "ssh 'server3'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

The authenticity of host 'server4 (10.44.16.154)' can't be established.
RSA key fingerprint is 12:7e:90:4b:af:11:bb:56:40:84:4e:84:e6:78:b8:d3.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'server4,10.44.16.154' (RSA) to the list of known hosts.
root@server4's password: 
Now try logging into the machine, with "ssh 'server4'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

All of the required configuration files are available from /etc/ansible. The one that is the most important at this point is the hosts file; this allows hosts to be defined in groups in order to run particular sets of Ansible playbooks against them.

[root@server1 ~]# cat /etc/ansible/host
[group1]
server3

[group2]
server2
server4

[servers:children]
group1
group2

[servers:vars]
ansible_ssh_user=root

The group names are arbitrary and can be anything that the user chooses, such as ‘webservers’, ‘mailservers’, ‘dbservers’, etc.

CentOS uses SELinux, and this tends to get in the way when changes are made to the system. To get around this, a necessary package is installed on the clients that allows such changes to be made

ansible servers -m yum -a "name=libselinux-python state=latest"

Ansible should now be ready for full usage.

Using Ansible

Now everything is in place to start doing interesting things with Ansible. The following is an example of what can be done

[root@server1 ~]# ansible group2 -m command -a "df -h"
server2 | success | rc=0 >>
Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/vg_server-lv_root
                      8.3G  628M  7.3G   8% /
tmpfs                 499M     0  499M   0% /dev/shm
/dev/sda1             477M   30M  422M   7% /boot

server4 | success | rc=0 >>
Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/vg_server-lv_root
                      8.3G  627M  7.3G   8% /
tmpfs                 499M     0  499M   0% /dev/shm
/dev/sda1             477M   30M  422M   7% /boot

[root@server1 ~]# ansible servers -m service -a "name=ntpd state=restarted"
server3 | success >> {
     "changed": true,
     "name": "ntpd",
     "state": "started"
}

server4 | success >> {
     "changed": true,
     "name": "ntpd",
     "state": "started"
}

server2 | success >> {
     "changed": true,
     "name": "ntpd",
     "state": "started"
}

Referring back to the /etc/ansible/hosts file one can see that Ansible is executing the commands only on the servers specified within particular groups. You may have noticed a parent group ‘servers’ which all available groups have been specified as children of. This allows much tighter control over which commands are run on which servers.

Ansible Playbooks

The above doesn’t save much time if we have 40 packages to install and a bunch of configuration files to copy across. Sure, it saves us ‘time of configuration’ x ‘amount of servers to configure’, but what if new servers are constantly added which require identical configurations? We’d be back to square one of having to type things out command by command for every server. This is where the power of playbooks comes in.

To demonstrate this, let’s start with a simple playbook that creates a MOTD on our servers. In this example, I’ve created a group in /etc/ansible/hosts called maintenance that contain all the servers that will suffer downtime due to planned maintenance.

[root@server1 playbooks]# cat /etc/ansible/hosts | grep -A4 maintenance
[maintenance]
server2
server3

[servers:children]

[root@server1 playbooks]

[root@server1 playbooks]# cat /etc/ansible/hosts | grep -A4 maintenance
[maintenance]
server2
server3

[servers:children]

[root@server1 playbooks]# cat test_playbook.yml
---
- hosts: maintenance
  user: root  
  vars:
    motd_warning: '\\nWARNING! The system will be shut down for maintenance at 17:00 on 16/11/15\\n\\n'
  tasks:
    - name: setup a MOTD
      copy: dest=/etc/motd content="{{ motd_warning }}"

[root@server1 playbooks]# ansible-playbook test_playbook.yml

PLAY [maintenance] ************************************************************
 
GATHERING FACTS ***************************************************************
ok: [server3]
ok: [server2]

TASK: [setup a MOTD] **********************************************************  
changed: [server3]
changed: [server2]

PLAY RECAP ********************************************************************
server2                    : ok=2    changed=1    unreachable=0    failed=0
server3                    : ok=2    changed=1    unreachable=0    failed=0

[root@server1 playbooks]# ssh server3
Last login: Thu Nov 12 01:40:01 2015 from 10.44.16.151

WARNING! The system will be shut down for maintenance at 17:00 on 16/11/15

[root@server3 ~]#

If more servers require maintenance, just add them to the group and re-run the playbook.

[root@server1 playbooks]# cat /etc/ansible/hosts | grep -A4 maintenance
[maintenance]
server2
server3
server4

[root@server1 playbooks]# ansible-playbook test_playbook.yml

PLAY [maintenance] ************************************************************  

GATHERING FACTS ***************************************************************
ok: [server3]
ok: [server2]
ok: [server4]

TASK: [setup a MOTD] **********************************************************
ok: [server3]
ok: [server2]
changed: [server4]

PLAY RECAP ********************************************************************
server2                    : ok=2    changed=0    unreachable=0    failed=0
server3                    : ok=2    changed=0    unreachable=0    failed=0
server4                    : ok=2    changed=1    unreachable=0    failed=0

More Complex Ansible Playbooks

Now that the essence of Ansible playbooks has been established, we’ll design a playbook to take care of all of the common tasks that are necessary when a new server is set up.

In this example, there are a series of templates for Ansible to copy to the target systems in order to configure things the way we want them. Here is one such template

[root@server1 playbooks]# cat ssh_banner.j2

****************************************************************************

 WARNING! This is a private server. The use of this system is restricted to
 authorized users only. Unauthorized access is forbidden. All information
 and communications on this system are monitored.

****************************************************************************

Now for the playbook

[root@server1 playbooks]# cat common_setup.yml
---
- hosts: servers
  user: root
  tasks:
  - name: Install latest version of libselinux-python
    yum: name=libselinux-python state=latest

  - name: Update server to latest package versions
    yum: name=* state=latest

  - name: Add hosts file
    template: src=hosts.j2 dest=/etc/hosts mode=644 owner=root group=root

  - name: Add SSHD config file
    template: src=sshd_config.j2 dest=/etc/ssh/sshd_config mode=644 owner=root group=root

  - name: Add SSH banner
    template: src=ssh_banner.j2 dest=/etc/ssh/banner.txt mode=644 owner=root group=root

  - name: Restart SSH Service
    service: name=sshd state=restarted

  - name: Add motd.sh file
    template: src=motd.sh.j2 dest=/etc/motd.sh mode=755 owner=root group=root

  - name: Update /etc/profile
    template: src=profile.j2 dest=/etc/profile mode=644 owner=root group=root

[root@server1 playbooks]# ansible-playbook common_setup.yml

PLAY [servers] ****************************************************************

GATHERING FACTS ***************************************************************
ok: [server3]
ok: [server4]
ok: [server2]

TASK: [Install latest version of libselinux-python] ***************************
ok: [server3]
ok: [server4]
ok: [server2]

TASK: [Update server to latest package versions] ******************************
ok: [server4]
ok: [server2]
ok: [server3]

TASK: [Add hosts file] ********************************************************
changed: [server2]
changed: [server3]
changed: [server4]

TASK: [Add SSHD config file] **************************************************
changed: [server4]
changed: [server2]
changed: [server3]

TASK: [Add SSH banner] ********************************************************
changed: [server2]
changed: [server4]
changed: [server3]

TASK: [Restart SSH Service] ***************************************************
changed: [server4]
changed: [server3]
changed: [server2]

TASK: [Add motd.sh file] ******************************************************
changed: [server3]
changed: [server4]
changed: [server2]

TASK: [Update /etc/profile] ***************************************************
changed: [server2]
changed: [server3]
changed: [server4]

PLAY RECAP ********************************************************************
server2                    : ok=9    changed=6    unreachable=0    failed=0
server3                    : ok=9    changed=6    unreachable=0    failed=0
server4                    : ok=9    changed=6    unreachable=0    failed=0

And finally just check that the new configurations have done what you expected them to do. Once you know that a playbook does everything you expect it to you should be able to trust it.

[root@server1 playbooks]# ssh server2

****************************************************************************

WARNING! This is a private server. The use of this system is restricted to
authorized users only. Unauthorized access is forbidden. All information 
and communications on this system are monitored.

****************************************************************************

Last login: Thu Nov 12 12:13:17 2015 from 10.44.16.151

WARNING! The system will be shut down for maintenance at 17:00 on 16/11/15

      Host: server2.hostname.com
    Uptime: 12:25:19 up 4:29, 1 user, load average: 0.08, 0.02, 0.01
    Memory: 105MB used / 890MB free
      Disk: 791M used / 7.1G free

[root@server2 ~]# logout
Connection to server2 closed.
[root@server1 playbooks]# ssh server3

****************************************************************************

WARNING! This is a private server. The use of this system is restricted to
authorized users only. Unauthorized access is forbidden. All information 
and communications on this system are monitored.

****************************************************************************

Last login: Thu Nov 12 03:41:27 2015 from 10.44.16.151

WARNING! The system will be shut down for maintenance at 17:00 on 16/11/15

      Host: server3.hostname.com
    Uptime: 03:53:35 up 4:30, 2 users, load average: 0.00, 0.00, 0.00
    Memory: 105MB used / 890MB free
      Disk: 887M used / 7.0G free
Posted on

Calculating IPv4 Subnets

To truly understand subnets it’s far easier to understand them from the perspective of the computer. Most people will be used to seeing a subnet written as, for example, 255.255.255.0, but decimal octets are purely for the readability of human eyes. Computers work with subnets on a binary level, and where a human sees 255.255.255.0, a computer sees 11111111111111111111111100000000.

So how does a subnet translate to network division? Well, every IP address has a network portion and a host portion, such as 192.168.2.128. In this example — if a subnet of 255.255.255.0 is used — 192.168.2 is the network and 128 is the host. The first question a computer asks itself is, “is the device I’m sending data to on the same network as me?”, and then proceeds to compare the destination IP address against its own IP address. If 192.168.2.128 is sending data to 192.168.2.206, then it can see by comparing it to the subnet 255.255.255.0 that they are both on the same network, and therefore the data only needs to be sent via the local network.

All of the 1’s in a subnet represent the network, and all of the 0’s represent the host; the computer aligns the subnet with the IP address to determine which numbers represent the network and which represents the host:

ipbinaries

Here, anything which shares the network address of 11000000.10101000.00000010 is on the same network. If bits are borrowed from the host portion of the address, then for every bit that’s borrowed the available hosts per network is halved.

IP Binaries2

If a subnet of 11111111.11111111.11111111.10000000 is used, then the address space is halved into binary addresses that start with 0 and addresses that start with 1, and there would now be 2 networks under 192.168.2 with 126 hosts each.

If a subnet of 11111111.11111111.11111111.11110000 is used, then the following happens:

IP Binaries3

The network has now been cut in to 16ths and has 14 hosts per network. Thus with a subnet of 255.255.255.240, all of the addresses from 1 to 14 are in one network, and 17 to 30 are in another.

It’s important to remember that where one see’s all 1’s as the host address, this is the broadcast address, and all 0’s is the network ID. In the above example, all host addresses of 0000 are the network ID, and 1111 are the broadcast address. With an 8 bit host address this is 255 (e.g. 192.168.2.255) and 0 (e.g. 192.168.2.0) respectively, and as the amount of bits change so do these boundaries.

Working in binary makes life a lot easier once one gets used to it. By having a list of binary IP addresses handy, one can immediately see which addresses are going to fall into which network. Additionally by keeping in mind how many bits are being borrowed for the subnet, it is easy to mentally calculate how many hosts there will be per network.

With 11111111.11111111.11111111.10000000 there are 7 bits for the host, and so 2^7 = 128 – 2 = 126 hosts per network.

To calculate the subnet, the following table is needed:

subnet

Add up the columns that have the number 1 under them, and the subnet is converted. 11111111 = 255, and so the subnet is 255.255.255.240. Keep in mind that a subnet must be a series of 1’s in a row, and so there are only 8 possible values for each octet.