CLOUD INFRASTRUCTURE AND OPERATIONS IT3202FP - CHAPTER 1A/8 Page 1
CONTENTS
Chapter 1. Linux OS, server system maintenance and deployment
Chapter 2. Cloud layer setup and maintenance
Chapter 3. Automation: self-service and catalogue service
Chapter 4. Cloud security
Chapter 5. Backup and recovery for cloud infrastructure
Chapter 6. Performance and tracking of resources
Chapter 7. Business continuity plan
Chapter 8. IT service management
Chapter 1: Server System maintenance and deployment
Topics covered:
1.1 Linux OS Concept
1.2 Linux Command Line Interface
1.3 Linux Server Security Concept
1.4 Internal and External Threats
1.5 Different Types of Attacks
1.6 Concept of Network Storage
1.7 Scripting
1.1: Linux Operating System Concept:
Unix is an operating system developed by Ken Thompson and Dennis Ritchie at AT&T Bell Laboratories, starting in 1969.
From the late 1970s the University of California, Berkeley extended AT&T's Unix (Sixth and Seventh Edition) into the Berkeley Software Distribution (BSD).
AT&T's System V line spawned several other commercial versions of Unix, including:
1. Solaris (Sun, now Oracle)
2. HP-UX (Hewlett-Packard)
3. AIX (IBM)
4. IRIX (Silicon Graphics)
5. Digital Unix / Tru64 Unix (Digital Equipment Corporation)
Modelled on Unix, Linux was born: it behaves like Unix but shares no code with it.
Linux is a freely available Unix-like operating system. It was started by Linus Torvalds in 1991, and programmers from around the world have contributed code since. The main portion of Linux is the Linux kernel; what users install is a distribution, which bundles the kernel with the GNU tools, a package manager and other software. Distributions can be downloaded from a number of sites (www.linux.org lists many) or purchased with support from companies such as Red Hat (www.redhat.com) and SUSE (www.suse.com).
It runs on x86 processors from the Intel 486 onward, on SPARC, DEC Alpha, ARM and dozens of other architectures.
Ways of installing/using Linux:
- install Linux on a separate drive or hard drive partition;
- boot and use Linux from a CD-ROM or USB drive (a "live" system);
- run Linux inside another operating system (such as Windows) using a hypervisor such as VMware Workstation/Player, VirtualBox or Hyper-V.
Linux Advantages
Linux is free: it can be downloaded from the Internet at no cost. There are no registration fees, no per-user licences, updates are free, and the source code is freely available in case you want to change the behaviour of your system.
Linux is portable to almost any hardware platform, and its documentation is freely available.
Linux can run for long periods without rebooting: most configuration changes and package updates take effect without a restart, which suits environments where nobody can attend to the systems night and day.
Linux is secure and versatile. Its security model is the UNIX one: every file has an owner, a group and permission bits, ordinary users cannot interfere with each other's processes or files, and privileged operations are reserved for the root account. The model is simple, well understood and has been tested for decades.
Linux is scalable: the same system runs on an embedded board or a large server, and capacity can be added as needed. Because the source is open, errors are usually discovered and fixed quickly, technical support is easily available, and the behaviour of the software can be verified rather than taken on trust.
Linux Disadvantages
• There are many different distributions, and their packaging, configuration paths and tooling differ.
• Linux is not always user-friendly and can be confusing for beginners.
Linux File system
Every OS needs a file system to manage program files, data files and so on. Linux maintains a hierarchical file system, similar to what you are used to on Windows or Mac OS: hierarchical because directories (or folders) can be created inside other directories, forming a tree.
Unlike Windows, where each drive letter has its own tree, this tree has only one root, called the root directory and represented by / (a forward slash). Additional disks are attached (mounted) at directories inside the same tree.
An example of a hierarchical file system is shown in Figure 1. Each boxed name represents a directory, while the unboxed names are files.
Figure 1
Linux file names are case sensitive
File name extensions such as .txt, .cc or .html are optional.
Extensions are rarely required for a file to be opened by a particular application. However, it is good to include an extension for a file so it is easier for you to figure out what kind of file it is. By convention, executable programs in Linux usually have no extension.
Any directory that is not the root is called a subdirectory. The directory above a subdirectory is known as its parent. For example, in Figure 1:
- usr is a subdirectory of /,
- doc is a subdirectory of usr,
- usr is the parent directory of doc,
- / is the parent directory of usr.
The root directory is the only directory without a parent above it; the root directory is its own parent (/.. refers back to /).
In a Linux file system:
- the bin subdirectory contains the programs for the core Linux commands (on many current distributions /bin is a symbolic link to /usr/bin);
- the usr subdirectory contains many other parts of the basic Linux system;
- the etc subdirectory contains the system configuration files;
- the home subdirectory contains the home directories of all the users with accounts on the system. If your username were joe, you would store your files in the joe subdirectory of home.
The pathname of a file is the sequence of directories to follow to reach it. For example, the pathname of the joe subdirectory is /home/joe, and the pathname of the file myfile.txt in the joe subdirectory is /home/joe/myfile.txt. These are absolute pathnames: they begin with a leading forward slash and contain all the information needed to find the file, regardless of where you currently are. A relative pathname instead gives the route from a particular point in the tree: from the directory /home, the relative pathname of that file is just joe/myfile.txt. A relative pathname does not begin with a forward slash, and the same relative pathname names different files depending on the current directory.
Linux Disks and Partitions
Disks: Linux treats its devices as files. The special directory where these device "files" live is /dev.
A legacy IDE disk appears as hdX: hda if the disk is the master on the primary IDE controller, hdb if it is the slave on the primary controller, hdc if it is the master on the secondary controller, and hdd if it is the slave on the secondary controller. Current kernels name SATA, SCSI and USB disks sdX (sda, sdb, ...) and NVMe disks nvme0n1, nvme1n1 and so on. Partitions get a number suffix: sda1, sda2, nvme0n1p1.
Before the file system on a device can be used it must be mounted. The mount command attaches a file system, located on a device, to a directory in the file tree (the mount point), for example mount /dev/sdb1 /mnt/data.
Linux File Permissions
Every file or folder in Linux has access permissions. There are three types of permissions:
• read access • write access • execute access
Permissions are defined for three types of users:
• the owner of the file • the group that the owner belongs to • other users
Linux file permissions are therefore nine bits of information (3 types of access x 3 classes of user), each of which has one of two values: allowed or denied.
These bits are shown in a long directory listing (ls -l) as a 10-character string. The first character shows the file type; the next 9 characters are the permissions, in three groups of three for owner, group and others, each group written as rwx in that order.
A dash "-" marks a permission that is denied, e.g. r--rwxr-x.
Characters in positions 1 to 3 ("rwx") are the permissions for the owner of the file, positions 4 to 6 are the permissions for the group, and positions 7 to 9 are the permissions for others.
Example:
    d rwx rwx rwx
    | |   |   |
    | |   |   others  (positions 7-9)
    | |   group       (positions 4-6)
    | owner           (positions 1-3)
    file type
(r = read, w = write, x = execute; d = directory)
The first character can be:
"d" = directory, e.g. drwxrwxrwx
"-" = regular file, e.g. -rwxrwxrwx
"l" = symbolic link, e.g. lrwxrwxrwx
"s" = Unix domain socket, e.g. srwxrwxrwx
"p" = named pipe, e.g. prwxrwxrwx
"c" = character device file, e.g. crwxrwxrwx
"b" = block device file, e.g. brwxrwxrwx
In the listing example, "chem" is a directory with the following permissions:
owner = rwx, group = rwx and others = r-x, i.e. drwxrwxr-x
r   read access is allowed
w   write access is allowed
x   execute access is allowed (for a directory: permission to enter it and reach the files inside)
-   replaces "r", "w" or "x" when the corresponding access is denied
Each group of three bits can also be written as one octal digit; this is the form chmod accepts (e.g. chmod 750 file):
Octal   Text   Binary   Meaning
0       ---    000      All types of access are denied
1       --x    001      Execute access is allowed only
2       -w-    010      Write access is allowed only
3       -wx    011      Write and execute access are allowed
4       r--    100      Read access is allowed only
5       r-x    101      Read and execute access are allowed
6       rw-    110      Read and write access are allowed
7       rwx    111      Everything is allowed
A fourth, leading digit carries the special bits: 4 = setuid, 2 = setgid, 1 = sticky (e.g. 4755 for a setuid program).
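The conversion between the rwx string and the octal digits above, together with the two permission checks an administrator runs most often (world-writable files and setuid programs), as an added bash example that is not part of the course notes. The file names and modes in the demonstration are constructed in a temporary directory; nothing is read from a real system.

```bash
#!/usr/bin/env bash
# Added example, not from the course notes: symbolic <-> octal conversion
# for the nine permission bits, plus the two checks that use them most in
# practice. All file names and modes below are constructed in a temp dir.

# mode_to_octal PERMS -> three octal digits
# PERMS is the nine rwx characters, optionally preceded by the file-type
# character from ls -l (which is dropped). ls shows setuid/setgid/sticky as
# s/S and t/T in the execute column; here s and t count as x and S/T as no
# execute, because only the nine basic bits are returned.
mode_to_octal() {
    local perms=$1 digit=0 result="" i c
    [ ${#perms} -eq 10 ] && perms=${perms:1}
    [ ${#perms} -eq 9 ] || { echo "bad mode: $1" >&2; return 1; }
    for ((i = 0; i < 9; i++)); do
        c=${perms:$i:1}
        case $c in
            r)     digit=$((digit + 4)) ;;
            w)     digit=$((digit + 2)) ;;
            x|s|t) digit=$((digit + 1)) ;;
            -|S|T) ;;
            *)     echo "bad character '$c' in $1" >&2; return 1 ;;
        esac
        if (( i % 3 == 2 )); then        # third char of a triplet: emit the digit
            result="$result$digit"
            digit=0
        fi
    done
    printf '%s\n' "$result"
}

# octal_to_mode 750 -> rwxr-x---
octal_to_mode() {
    local oct=$1 out="" d
    [ ${#oct} -eq 3 ] || { echo "expected three octal digits: $1" >&2; return 1; }
    for d in "${oct:0:1}" "${oct:1:1}" "${oct:2:1}"; do
        case $d in
            0) out="${out}---" ;;  1) out="${out}--x" ;;
            2) out="${out}-w-" ;;  3) out="${out}-wx" ;;
            4) out="${out}r--" ;;  5) out="${out}r-x" ;;
            6) out="${out}rw-" ;;  7) out="${out}rwx" ;;
            *) echo "bad octal digit '$d' in $1" >&2; return 1 ;;
        esac
    done
    printf '%s\n' "$out"
}

# perm_of FILE -> octal mode taken from the first field of ls -ld. ls is used
# instead of stat(1) because stat's options differ between GNU and BSD.
perm_of() {
    mode_to_octal "$(ls -ld -- "$1" | awk '{ print substr($1, 1, 10) }')"
}

# The two audits built on these bits. A file writable by "others" can be
# altered by every account on the host; a setuid program runs with its
# owner's uid (often root) for whoever executes it.
world_writable() { find "$1" -type f -perm -002 | sort; }
setuid_files()   { find "$1" -type f -perm -4000 | sort; }

# Demonstration on constructed files in a temporary directory.
demo_perms() {
    local d
    d=$(mktemp -d)
    touch "$d/private" "$d/shared" "$d/tool"
    chmod 600 "$d/private"; chmod 666 "$d/shared"; chmod 4755 "$d/tool"
    echo "private -> $(perm_of "$d/private") ($(octal_to_mode 600))"
    echo "shared  -> $(perm_of "$d/shared")"
    echo "world-writable files:"; world_writable "$d"
    echo "setuid files:";         setuid_files "$d"
    rm -rf "$d"
}
demo_perms
```

Run the two find checks against / (as root, with -xdev to stay on one file system) rather than a temp directory to audit a real host; every setuid binary that is not part of a package you can name deserves an explanation.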
Linux Users and Groups
Linux is a multi-user operating system: more than one user can make use of the system's resources at the same time.
Resources include disk, memory, processing time on the CPU and so on; they are shared among the users, and the permission system decides which user may use what.
Linux Username
Each user has an associated Linux username.
Each username is mapped to a unique numeric identifier called the user id (uid for short).
Files and directories on disk, and processes (executing programs), are stamped with their owner's uid; the kernel checks the uid, not the name, when it decides what a process may do.
To see your own uid enter the command id (or id username for another account). It prints something like
uid=1000(username) gid=1000(username) groups=1000(username)
Older Red Hat systems started ordinary users at uid 500, as in the original example; most current distributions start at 1000, and uids below that are reserved for system accounts.
Root User or Super user
There is a special user on each Linux system called the root user, also called the superuser. Its uid is 0; it is the uid, not the name, that the kernel treats as privileged.
The root user acts as the system administrator and has the authority (and privileges) to create users and directories, modify any file, and so on.
Two ways to use root privileges:
- log in as the root user, or
- use the sudo program ("superuser do") from an ordinary account. sudo is preferred on servers: each command is logged with the invoking user's name, and the root password need not be shared.
Groups in Linux
In Linux, a group is a collection of users. Each user has a primary group (the gid recorded in /etc/passwd, which is stamped on the files the user creates) and may belong to additional groups listed in /etc/group. A group is identified by a group id (gid for short). To see your gids, run id (or id username).
Directories
Linux "folders" are called directories. The top-level, root directory is called /. Your home directory is /home/username. From anywhere you can get back to it by typing cd with no argument.
Some frequently used commands are listed below.

Command         Function                                                      Examples
cd              Change directory                                              cd (to your home directory); cd ..; cd /home/catyp
pwd             Print working directory                                       pwd
mkdir           Make a new subdirectory                                       mkdir newdirectory
rmdir           Remove an (empty) directory                                   rmdir emptydirectory
ls              List files in a directory                                     ls; ls -l (long listing with type, permissions and owner)
mv              Rename (move) a file                                          mv oldname newname
cp              Copy a file                                                   cp oldname newname; cp oldname dirname/
rm              Delete (remove) a file                                        rm filename; rm file1 file2 file3; rm -r dirname (recursive, deletes directories too)
cat             Output the contents of a file to the screen                   cat filename
file            Identify the type of a file                                   file filename
chmod           Change access permissions on file(s)                          chmod mode filename, e.g. chmod 640 filename or chmod o-w filename
passwd          Change your password                                          passwd
kill            Send a signal to a process, given its process id (PID, shown by ps)   kill -TERM pid (asks the process to exit cleanly); kill -9 pid (SIGKILL, cannot be caught, last resort)
tar             Create / expand / query archives                              tar cvf arch.tar somedir/; tar xvf arch.tar; tar tvf arch.tar (list contents)
mount           Attach a file system to a directory. For users this is typically used to access CD-ROMs or USB drives.   mount /mnt/floppy (works only if /etc/fstab has an entry for it); mount /dev/sdb1 /mnt/usb
umount          Detach a file system from its mount point                     umount /mnt/floppy
df              Report used and free space on the file system containing a file   df file; df -h
find            Find files in the file system hierarchy                       find path expression, e.g. find /home -name '*.log'
grep            Print lines in a file containing the search pattern           grep PATTERN file
ifconfig        Show or configure a network interface (legacy; current systems use ip addr and ip link from iproute2)   ifconfig; ip addr
exit or logout  Leave this session                                            exit
Using the vi Editor
vi (pronounced "v-i") is short for "visual" editor. It displays a window into the file being edited, one screen of text at a time (classically 24 lines). vi is a text editor, not a "what you see is what you get" word processor: it lets you add, change and delete text, but does not provide formatting capabilities such as centring lines or indenting paragraphs. The following explains the basics of vi:
Open an existing file - vi filename, where "filename" is the name of the existing file.
To create a new file : vi newname, where "newname" is the name you wish to give the new file.
On-screen, you will see blank lines, each with a tilde (~) at the left, and a line at the bottom giving the name and status of the new file:
~ "newname" [New file]
Text editing command keys
vi has two modes. Press i to enter insert mode, in which typed characters go into the file; press Esc to return to command mode. The commands below are typed in command mode (Esc is needed only once, to leave insert mode; after that the keys are commands until you enter insert mode again):
j = move cursor down
k = move cursor up
l = move cursor right
h = move cursor left
x = delete one character
dw = delete one word
dd = delete one line
a = append text after the cursor (enters insert mode)
o = open a blank line below the current line (enters insert mode)
u = undo your most recent edit
:w = save the changes you have made
:wq = save changes and exit vi
:q = exit vi (refuses if there are unsaved changes)
:q! = exit vi without saving the changes
Linux system configuration and setting
Every Linux program is an executable file. It holds the list of machine instructions (opcodes) the CPU executes. For instance, the ls command is provided by the file /bin/ls (or /usr/bin/ls on merged-usr systems); it holds the machine instructions needed to display the list of files in the current directory on the screen.
Is there a standard configuration file format in Linux? No. Each programmer is free to choose the configuration file format he or she prefers. One example is the /etc/shells file, which contains a list of permitted login shells, one per line.
What are system configuration files? The system needs to know the list of users and groups, and to map the numeric ids the kernel stores on files and processes back to names. This information lives in text files under /etc and is read through functions of the C library, not by the kernel itself: a program that needs a user's account entry calls getpwnam() or getpwuid(), and one that needs the (hashed) password calls getspnam(), which succeeds only for root because /etc/shadow is not world-readable. These are library functions, not system calls; the kernel works purely with the numeric uid and gid and never reads /etc/passwd.
Most of the configuration files in the Red Hat Linux system are in the /etc directory unless otherwise specified. The configuration files can be classified into the following categories.
Cat 1 : Access files
Example:
/etc/host.conf   Tells the resolver library how to look up hostnames (normally /etc/hosts first, then the name server). On current systems the order of sources is set by the "hosts:" line of /etc/nsswitch.conf, which takes precedence.
/etc/hosts   Contains a list of known hosts (in the local network) with their IP addresses. It can be used when the IP of a system is not dynamically assigned. For simple hostname resolution (name to dotted notation), /etc/host.conf or /etc/nsswitch.conf normally tells the resolver to look here before asking the network name server (DNS) or NIS. Because it is consulted first, anyone who can write to /etc/hosts can silently redirect connections, so keep it owned by root and not group- or world-writable.
Cat 2 : Dummy file system
The kernel exposes some of its data structures through a dummy (virtual) file system known as the /proc file system; nothing in it is stored on disk. Many system utilities read values from it to display system statistics.
/etc/mtab   Lists the currently mounted file systems. It changes as /proc/mounts changes: when file systems are mounted and unmounted, the change is immediately reflected here (on current systems /etc/mtab is a symbolic link to /proc/self/mounts).
/etc/fstab   Lists the file systems the computer can mount, one per line: device, mount point, type, options, dump flag and fsck pass. At boot the system runs mount -a, which mounts every file system listed here except those whose options include noauto. The last two columns are not involved in that decision: the fifth tells dump(8) whether to back the file system up and the sixth gives the order in which fsck checks it at boot (0 = do not check).
/etc/mtools.conf   Configuration for all the operations (mkdir, copy, format, etc.) the mtools perform on DOS-type file systems.
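An added bash example (not from the course notes) that applies the mount -a rule above to an fstab: it lists the entries that would be mounted at boot and reports which of the hardening options nosuid, nodev and noexec are missing on a given mount point. The fstab text is constructed sample data; its UUIDs, devices and mount points are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the course notes: apply the mount -a rule to an
# fstab and audit the mount options. SAMPLE_FSTAB is constructed data; the
# UUIDs, devices and mount points are assumptions.

SAMPLE_FSTAB='# <device>             <mount point>  <type>   <options>                    <dump> <pass>
UUID=1111-2222         /              ext4     defaults                     1      1
UUID=3333-4444         /home          ext4     defaults                     1      2
tmpfs                  /tmp           tmpfs    defaults                     0      0
/dev/sdb1              /data          ext4     defaults,nosuid,nodev        0      2
/dev/sr0               /media/cdrom   iso9660  noauto,ro,nosuid,nodev       0      0
server:/export/share   /mnt/nfs       nfs      defaults,nosuid,nodev,noexec 0      0'

# auto_mounts FSTAB_TEXT -> "mountpoint type options" for each entry that
# mount -a mounts at boot: comments and blank lines skipped, entries with
# the noauto option excluded. The dump (5th) and pass (6th) columns play no
# part in that decision.
auto_mounts() {
    printf '%s\n' "$1" | awk '
        NF == 0 || $1 ~ /^#/ { next }
        {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "noauto") next
            print $2, $3, $4
        }'
}

# missing_hardening FSTAB_TEXT MOUNTPOINT -> the options among nosuid, nodev
# and noexec that the entry lacks, one per line. They stop setuid binaries,
# device nodes and program execution respectively on file systems that
# untrusted users or removable media can write to.
missing_hardening() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        NF == 0 || $1 ~ /^#/ { next }
        $2 == mp {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) have[opts[i]] = 1
            m = split("nosuid nodev noexec", want, " ")
            for (j = 1; j <= m; j++) if (!(want[j] in have)) print want[j]
        }'
}

echo "== mounted by mount -a =="
auto_mounts "$SAMPLE_FSTAB"
for mp in /tmp /data /mnt/nfs; do
    echo "== $mp lacks: $(missing_hardening "$SAMPLE_FSTAB" "$mp" | tr '\n' ' ')"
done
```

To audit a live system, pass "$(cat /etc/fstab)" instead of the sample. noexec on /tmp breaks some package installers that unpack and run scripts there, so test it before enabling it on a production host.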
Cat 3 : System administration files
/etc/group   Contains the valid group names, each with its gid and the users who are members of it. A single user can be present in more than one group if he performs multiple tasks. Each line has four colon-separated fields: group name, password placeholder (usually x), gid, comma-separated member list. For example, if "user" is an administrator as well as a member of the project group "project1", the relevant lines might read:
sudo:x:27:user
project1:x:1001:user,alice
/etc/nologin   If the file /etc/nologin exists, login(1) allows access only to root. Other users are shown the contents of this file and their logins are refused. Administrators create it to keep users out during maintenance.
/etc/passwd   See "man 5 passwd". Holds the user account information: login name, password field (an x when passwords are "shadowed", which is the norm today), uid, gid, description, home directory and login shell. The file is world-readable, which is why the password hashes were moved out of it.
/etc/usertty   Historically read by login(1) to restrict the terminals and hosts from which each user could log in; obsolete on current systems.
/etc/shadow   Contains the hashed password information for users' accounts and optionally the password-ageing information. It is readable only by root. The colon-separated fields are:
1. login name
2. hashed password (a leading "!" or "*" marks a locked account; an empty field means no password is set, so anyone can log in as that account wherever empty passwords are permitted)
3. days since 1 Jan 1970 that the password was last changed
4. days before the password may be changed again
5. days after which the password must be changed
6. days before expiry that the user is warned
7. days after expiry before the account is disabled
8. days since 1 Jan 1970 when the account expires (is disabled)
9. reserved
/etc/shells   Holds the list of possible "shells" available on the system; tools such as chsh refuse a login shell that is not listed here.
/etc/motd   Message Of The Day; used if an administrator wants to convey some message to all the users of a Linux server at login.
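The checks that /etc/passwd, /etc/shadow and /etc/group support, as an added bash example that is not part of the course notes: second uid-0 accounts, empty password fields, membership of a group, and stale passwords computed from the shadow ageing fields. The three files are constructed samples and the hash values are placeholders, not real hashes; on a real host pass the contents of the system files instead, which for /etc/shadow requires root.

```bash
#!/usr/bin/env bash
# Added example, not from the course notes: audits of the account files.
# The three samples are constructed; the hashes are placeholders. On a real
# host pass the contents of the system files (reading /etc/shadow needs root).

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
joe:x:1000:1000:Joe:/home/joe:/bin/bash
backup:x:0:0:backup operator:/var/backups:/bin/sh
guest::1001:1001:Guest:/home/guest:/bin/bash'

SAMPLE_SHADOW='root:$6$placeholder$notarealhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
joe:$6$placeholder$notarealhash:18000:0:90:7:::
backup:!:19000:0:99999:7:::
guest::19000:0:99999:7:::'

SAMPLE_GROUP='root:x:0:
sudo:x:27:joe,backup
project1:x:1001:joe,guest
users:x:100:'

# extra_uid0 PASSWD_TEXT -> accounts other than root with uid 0. Any such
# account is root under another name, whatever its shell or home directory.
extra_uid0() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# empty_password FILE_TEXT -> accounts whose password field is empty, in
# either passwd or shadow. "*" and "!" mean locked, not empty.
empty_password() {
    printf '%s\n' "$1" | awk -F: '$2 == "" { print $1 }'
}

# members_of GROUP GROUP_TEXT -> users listed in the group's fourth field.
# (Users whose primary gid in passwd is this group do not appear there.)
members_of() {
    printf '%s\n' "$2" | awk -F: -v g="$1" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }'
}

# password_older_than DAYS TODAY SHADOW_TEXT -> accounts with a usable
# password whose last change (field 3, days since 1970-01-01) is more than
# DAYS days before TODAY. TODAY is a parameter so results are reproducible;
# for the real date use $(( $(date +%s) / 86400 )).
password_older_than() {
    printf '%s\n' "$3" | awk -F: -v max="$1" -v today="$2" '
        $3 != "" && $2 !~ /^[*!]/ && today - $3 > max { print $1 }'
}

echo "uid-0 accounts besides root: $(extra_uid0 "$SAMPLE_PASSWD" | tr '\n' ' ')"
echo "empty password in passwd:    $(empty_password "$SAMPLE_PASSWD" | tr '\n' ' ')"
echo "empty password in shadow:    $(empty_password "$SAMPLE_SHADOW" | tr '\n' ' ')"
echo "members of sudo:             $(members_of sudo "$SAMPLE_GROUP" | tr '\n' ' ')"
echo "password older than a year:  $(password_older_than 365 19100 "$SAMPLE_SHADOW" | tr '\n' ' ')"
```

The uid-0 check matters more than it looks: a second uid-0 account is invisible to anyone who only greps for the name "root", and the kernel will treat it exactly as root.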
Cat 4 : Networking files
/etc/networks   Lists names and addresses of networks reachable from the network the machine is connected to. Used by the route command; allows a name to be used in place of a network address.
/etc/resolv.conf   Tells the resolver library (not the kernel) which name servers to query when a program asks to "resolve" a hostname into an IP address, and which domain suffixes to try. On many current systems it is generated by NetworkManager or systemd-resolved rather than edited by hand.
/etc/exports   The file systems to be exported over NFS, the hosts allowed to mount them, and the permissions (ro/rw, root_squash) for each.
/etc/services   Translates network service names to port number/protocol pairs. Read by inetd, telnet, tcpdump and some other programs; C programs access it through getservbyname() and related routines.
Cat 5 : System commands
System commands are meant to control the system and make everything work properly. Examples are login (performing the authentication phase of a user on the console) and bash (providing the interaction between a user and the computer). The files associated with them are therefore particularly important. This category has the following files of interest to users and administrators.
/etc/lilo.conf   Contains the system's default boot command line parameters and the different images (kernels) that can be booted; the list is shown by pressing Tab at the LILO prompt. Current distributions use GRUB instead, configured through /etc/default/grub and /boot/grub/grub.cfg.
/etc/logrotate.conf   Controls how the log files in /var/log are rotated, compressed and eventually deleted.
/etc/inittab   Chronologically the first configuration file in UNIX. The first program launched after a UNIX machine is switched on is init, which knows what to launch thanks to inittab. init reads it at boot and at run level changes, and it controls the startup of the main processes. On distributions that use systemd, init's job is done by systemd and /etc/inittab is no longer used; unit files under /etc/systemd/system and /usr/lib/systemd/system take its place.
Cat 6 : Daemons
A daemon is a program running in non-interactive mode, in the background. Typically, daemon tasks are related to networking: they wait for connections so that they can provide services through them. Many daemons are available for Linux, ranging from web servers to FTP servers.
Common ones are in.ftpd (FTP server daemon), in.telnetd (telnet server daemon) and syslogd (system logging daemon). telnet and plain FTP send passwords in clear text, so on a server exposed to a network they should be replaced by sshd and sftp.
Some daemons reload their configuration files automatically when they change, but most do not: they read the configuration once at startup and must be told to reload it (commonly with kill -HUP pid, or systemctl reload service), or be restarted, before a change takes effect.
Cat 7 : The kernel
The kernel itself reads none of these files; the programs do, so the effect of a change depends on when the relevant program next reads the file. Files that are read on every use take effect immediately: adding a user to /etc/passwd enables that user at the next login. Files read only at startup (most daemon configurations, /etc/inittab, the boot loader configuration) take effect only after a reload, a restart or a reboot.
Cat 8 : User programs
A user or system program reads its configuration file every time it is launched. So, the first time a user program is started, the default configuration is read from the files present in the /etc/ directory. Later, the user can customise the program through rc and . (dot) files in the home directory, as explained in the next section.
Basic Server Security Concept
A firewall is a network device with two or more network interfaces, one connected to the protected internal network and the other connected to unprotected networks such as the Internet. The firewall controls access to and from the protected internal network.
The firewall runs software that examines the network packets arriving at its network interfaces and takes appropriate action based on a set of rules. It allows only authorised network traffic to flow between the two interfaces. Configuring the firewall means setting up the rules properly. The sound strategy is default deny: reject all network traffic, then enable only the limited set of network packets that must go through. The authorised traffic would include the connections necessary for internal users to visit web sites and receive electronic mail. To be useful, a firewall has the following general characteristics:
- It must control the flow of packets between the Internet and the internal network.
- It must not use dynamic routing, because dynamic routing tables are subject to route spoofing, the injection of fake routes by intruders. Instead, the firewall uses static routing tables (set up on Linux with ip route, or the older route command).
- It must not allow any external user to log in as root. That way, even if an account on the firewall system is compromised, the intruder is blocked from using root privileges from a remote login.
- It must be kept in a physically secure location.
- It must distinguish between packets that come from the Internet and packets that come from the internal protected network. This lets the firewall reject packets that arrive on the external interface but carry the source IP address of a trusted system on the internal network (anti-spoofing filtering).
- Its user accounts are limited to the few internal users who need access to external systems. External users who need access to the internal network should use SSH for remote access.
- It keeps a log of all system activities, such as successful and unsuccessful login attempts, and of rejected packets.
- It provides DNS name-lookup service to the outside world only for the hostnames that are meant to be known outside; internal names are not published.
- It provides good performance so that it does not hinder the internal users' access to specific Internet services (such as HTTP and FTP).
A firewall can take many different forms. Three common forms are:
Form 1 : Packet filter firewall. This simple firewall uses a router capable of filtering (blocking or allowing) packets according to a number of their characteristics, including:
- the source and destination IP addresses,
- the network protocol (TCP, UDP, ICMP), and
- the source and destination port numbers.
Packet filter firewalls
- are usually placed at the outermost boundary with an untrusted network; they form the first line of defence;
- are fast and flexible, but cannot prevent attacks that exploit application-specific vulnerabilities or functions;
- can log only a minimal amount of information, such as source IP address, destination IP address and traffic type;
- are vulnerable to attacks and exploits that take advantage of flaws within the TCP/IP protocol, such as IP address spoofing, because each packet is judged on its own.
Form 2 : Stateful inspection firewall. This type of firewall
- keeps track of the network connections that applications are using. When an application on an internal system opens a connection to a remote system, a port is also opened on the internal system. Opening many ports to incoming traffic creates a risk of intrusion by unauthorised users;
- creates a state table of outbound network connections, along with each session's corresponding internal port. This state table is then used to validate inbound packets: only replies belonging to a known session are allowed in;
- is more secure than a packet filter because it tracks internal ports individually rather than opening all internal ports for external access.
Form 3 : Application-proxy gateway firewall. This firewall acts as an intermediary between internal applications that attempt to communicate with external servers such as a web server. No direct network connection is ever made from the inside client host to the external web server; the proxy opens a second connection on the client's behalf. Application-proxy firewalls
- understand the application protocol, so they can filter, log and authenticate at that level, which packet filter and stateful inspection firewalls cannot;
- spend more time reading and interpreting each packet, so they are not well suited to high-bandwidth or real-time applications, and a proxy must exist for each protocol they handle.
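The default-deny, stateful and anti-spoofing characteristics listed above, written out as an nftables ruleset by an added bash function. This is an added example, not part of the course notes or any vendor's configuration; the interface names eth0 and eth1 and the internal range 10.0.0.0/8 are assumptions, and the rules cover IPv4 only.

```bash
#!/usr/bin/env bash
# Added example, not from the course notes or any vendor: an nftables
# ruleset for a two-interface firewall following the default-deny strategy.
# Interface names and the internal range are parameters; eth0/eth1 and
# 10.0.0.0/8 in the demo are assumptions. IPv4 only.

# gen_firewall_rules EXT_IF INT_IF INT_NET -> ruleset text on stdout
gen_firewall_rules() {
    local ext=$1 int=$2 net=$3
    cat <<EOF
flush ruleset
table inet fw {
    chain input {
        # default deny: anything not explicitly accepted below is dropped
        type filter hook input priority 0; policy drop;
        iif lo accept
        # stateful inspection: replies to sessions the firewall itself opened
        ct state established,related accept
        ct state invalid drop
        # anti-spoofing: an internal source address must never arrive from outside
        iifname "$ext" ip saddr $net drop
        # ssh to the firewall only from the internal network
        iifname "$int" tcp dport 22 accept
        icmp type echo-request limit rate 5/second accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "$ext" ip saddr $net drop
        # what internal users may reach outside: web and DNS
        iifname "$int" oifname "$ext" tcp dport { 80, 443 } accept
        iifname "$int" oifname "$ext" udp dport 53 accept
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# drop_policies RULESET_TEXT -> number of chains with a drop policy
drop_policies() { printf '%s\n' "$1" | grep -c 'policy drop'; }

gen_firewall_rules eth0 eth1 10.0.0.0/8
```

Write the output to /etc/nftables.conf, check it with nft -c -f /etc/nftables.conf (syntax check only) and load it with nft -f; the leading "flush ruleset" replaces whatever was loaded before. Forwarding also needs the sysctl net.ipv4.ip_forward=1. Because an inet table sees both address families, these rules drop IPv6 wholesale; add icmpv6 and ip6 rules before enabling IPv6 on the interfaces.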
Choice of firewall Most firewalls implement a combination of these firewall functionalities. For example, many vendors of packet filter firewalls or stateful inspection firewalls have also implemented basic application-proxy functionality to offset some of the weaknesses associated with their firewalls. In most cases, these vendors implement application proxies to provide better logging of network traffic and stronger user authentication. Nearly all major firewall vendors have introduced multiple firewall functions into their products in some manner.
Linux system security best practices
Practice 1 : Scanning for malware
To keep your system safe and healthy, use a scanner that probes the system for unexpected changes: file-integrity checkers such as AIDE and rootkit scanners such as rkhunter or chkrootkit are free. Take the first baseline right after installation, store it off the host, and compare against it regularly; a scanner run from an already compromised system can be lied to.
Practice 2 : Anti-virus
Anti-virus software acts as another layer of protection for your system. On Linux there is ClamAV (with the KlamAV front end for KDE), as well as a number of commercial products that ship Linux versions.
With anti-virus installed, you can scan files that you receive before forwarding them to other users, and scan mail or uploads on servers that relay files to Windows clients. That way you may break the chain of accidental malware spreading.
Practice 3 : Startup applications and services
Some undesired processes might be left running, hogging resources and possibly exposing your machine to threats. Review what starts at boot (systemctl list-unit-files --state=enabled on systemd systems, or the rc scripts on older ones) and disable every service the machine does not need; each listening service is attack surface.
Practice 4 : Read your logs: /var/log/messages
This is the system log; almost everything goes in there. Reading it will give you an indication of possible system issues, including software errors, as well as possible security-related items. On distributions using systemd the same stream is read with journalctl.
Practice 5 : /var/log/secure
Authentication messages (ssh logins, su, sudo) are logged through the authpriv syslog facility, which Red Hat-family systems write to /var/log/secure and Debian-family systems to /var/log/auth.log. Examine this log for privilege escalation attempts and unexpected remote connection attempts. Forward it to a separate log host as well, since an intruder with root can edit the local copy.
Practice 6 : Examine logged in users
There are many ways of doing this. w and who show current sessions (from utmp), last shows the login history (from wtmp) and lastlog the last login of every account. Because these rely on records that a session writes about itself, also check ps: a process owned by a user who does not appear in w is worth a look.
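Practices 4 to 6 in working form: an added bash example (not from the course notes) that runs over constructed /var/log/secure-style lines to count failed ssh logins per source address, spot a success from an address that had just been failing, and list sudo use and refusals. The hostnames, addresses, times and key fingerprint in the sample log are made up.

```bash
#!/usr/bin/env bash
# Added example, not from the course notes: detection passes over auth-log
# lines. SAMPLE_LOG is constructed (hostnames, addresses, times and the key
# fingerprint are made up) in the syslog format of /var/log/secure.

SAMPLE_LOG='Mar  3 10:01:12 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.9 port 50212 ssh2
Mar  3 10:01:15 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.9 port 50212 ssh2
Mar  3 10:01:19 web1 sshd[2103]: Failed password for root from 203.0.113.9 port 50214 ssh2
Mar  3 10:01:22 web1 sshd[2105]: Failed password for root from 203.0.113.9 port 50216 ssh2
Mar  3 10:01:25 web1 sshd[2107]: Failed password for root from 203.0.113.9 port 50218 ssh2
Mar  3 10:02:03 web1 sshd[2110]: Accepted publickey for joe from 10.0.0.15 port 41022 ssh2: RSA SHA256:madeupfingerprint
Mar  3 10:02:41 web1 sudo:      joe : TTY=pts/0 ; PWD=/home/joe ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  3 10:05:02 web1 sshd[2120]: Failed password for joe from 10.0.0.15 port 41030 ssh2
Mar  3 10:05:07 web1 sshd[2120]: Accepted password for joe from 10.0.0.15 port 41030 ssh2
Mar  3 10:06:11 web1 sudo:      joe : TTY=pts/0 ; PWD=/home/joe ; USER=root ; COMMAND=/bin/bash
Mar  3 10:09:30 web1 sudo:     mike : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/mike ; USER=root ; COMMAND=/bin/cat /etc/shadow'

# brute_force_sources MIN LOG_TEXT -> "count address" for every source with
# at least MIN failed ssh logins, highest count first.
brute_force_sources() {
    printf '%s\n' "$2" | awk -v min="$1" '
        /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
        }
        END { for (ip in fails) if (fails[ip] >= min) print fails[ip], ip }'  | sort -rn
}

# success_after_failure LOG_TEXT -> "user address" for each accepted login
# from an address that had already failed earlier in the log. A burst of
# failures followed by a success is the pattern worth reading in full.
success_after_failure() {
    printf '%s\n' "$1" | awk '
        /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") seen[$(i + 1)] = 1
        }
        /sshd\[[0-9]+\]: Accepted / {
            for (i = 1; i <= NF; i++) if ($i == "from" && seen[$(i + 1)]) print $(i - 1), $(i + 1)
        }'
}

# sudo_commands LOG_TEXT -> "user command" for every sudo invocation
# (field 6 is the invoking user in the standard sudo log line)
sudo_commands() {
    printf '%s\n' "$1" | awk '/ sudo: / && /COMMAND=/ { u = $6; sub(/^.*COMMAND=/, ""); print u, $0 }'
}

# sudo_denied LOG_TEXT -> users refused by sudo because they are not in sudoers
sudo_denied() {
    printf '%s\n' "$1" | awk '/ sudo: / && /NOT in sudoers/ { print $6 }'
}

echo "== sources with 3+ failed logins =="; brute_force_sources 3 "$SAMPLE_LOG"
echo "== logins from addresses that failed first =="; success_after_failure "$SAMPLE_LOG"
echo "== sudo commands =="; sudo_commands "$SAMPLE_LOG"
echo "== sudo refused for =="; sudo_denied "$SAMPLE_LOG"
```

On a live host replace the sample with "$(cat /var/log/secure)" (or /var/log/auth.log), or feed journalctl -u sshd -o short output; the field positions are the same because both use the classic syslog line layout.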
Practice 7 : Other tools
You also have a range of other utilities, such as ss (or the older netstat) to list the listening ports and established connections on the machine, and nmap to see the machine from the network as an attacker would; compare the two views, because a port that nmap finds open but ss does not list deserves investigation.
Internal and External threats
Threats to any computer network arise from both external and internal entities. External threats include unauthorised access by outsiders such as hackers, virus attacks and so on. Internal threats are the exploitation of the network by its own users, knowingly or unknowingly: they arise from malicious intent and/or ignorance of the users of your computer network. For example, a person can leave a computer unattended, exposing it to others who are not authorised to access the information. Another example of an internal threat is a person downloading something from the Internet that results in a malware infection.
Hackers and external threats can disrupt your business by sending malicious code or a Trojan horse, which conceals itself inside a known or seemingly safe program. The user opens the attachment or clicks on the link and in the blink of an eye a malicious hacker has entered your server, database and network. A disgruntled ex-employee who wants personal revenge and decides to spam every inbox in your network is another form of external threat. No matter the reason, if you use the Internet at all, these "bad guys" have an "in" into your network, and the only way to keep the garbage out is to fully protect your system and network.
Internal threats and accidents are similar in that an employee can unknowingly misuse access privileges and leave important passwords and security questions open to someone monitoring the system through spyware. This can be a simple mistake, an accident or an intentional act, but either way important and confidential information is at risk. Employees have to use the Internet while working and during their searches may enter sites that are not work-related and carry harmful software that needs only a split second to gain access to your network and begin a series of chaotic actions that could, in extreme cases, shut the whole network down. Once you know the dangers that exist, you can take proactive steps to prevent them. Protect your computers, servers, databases and network through a variety of security solutions: network monitoring, managed security patching, firewall installation, intrusion detection systems, and managed anti-virus and anti-spyware software all play a part in securing your line-of-business applications, as does, in some cases, restricting use of the Internet to work-related sites.