Your Inner SysAdmin
Overall this talk was a pretty good intro to DevOps for developers. I feel like it provided a good starting point for people but didn’t go into enough details (time prohibiting) for someone to walk away and be able to run a server. If nothing else it was a glimpse for people to at least understand the scope of what they will need to learn to effectively take on a DevOps role. I personally found the tools mentioned in the talk to be the most useful part of the talk. Chris was a good presenter and I would attend his talks again.
Below are the notes I captured from the session:
- PHP programmer for over 10 years
- SysAdmin/DevOps for around 8 years
- Using Linux for 15 years
- On GitHub
- His talk is mostly his opinions
- Most of his talk is targeted at Linux
- Web server (Apache) and database (MySQL) and programming language (PHP)
Common folders on a Linux system
- /bin – essential executables
- /boot – stuff that makes the OS run
- /dev – special device stuff you probably won’t touch
- /etc – configuration files
- /home – user home directories
- /sbin – system binaries
- /usr – multi-user Apps and utilities
- /var – data usually lives here
Installing software
- compile software from source/scratch
- use a package manager (yum/apt/brew)
- Learn to use and love the command line interface
- production servers shouldn’t have a GUI installed
- interact with servers via SSH
- learn CLI text editor like vi/vim, emacs, or nano
Authentication and authorization (security)
- No one should need access to the root password. If they need to do root processes, users should be given sudo permission
- If necessary restrict which commands users can run and from where
- sudo will log who elevated their permissions and what they did.
- It is safer to give people only the permissions they need rather than remove permissions they don’t need.
- jailing users – keep users from accessing content they don’t need access to (protect them from themselves)
- jailed shells – gives users full shell access but not access to the entire file system. “jailkit” makes this process simple
- you can also jail ssh and sftp
- Docker is a container system (another talk about it at the conference)
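
As an added example (not from the talk or the original notes), the script below uses the point that sudo logs who elevated and what they did: it summarizes sudo activity per user and command, including attempts sudo refused. The log lines, host name and user names are constructed, and the syslog-style format of `/var/log/auth.log` (Debian/Ubuntu) or `/var/log/secure` (RHEL family) is assumed.

```shell
#!/usr/bin/env bash
# Added example, not from the talk. The sample log lines are constructed.

sample_log() {
cat <<'EOF'
Mar  3 10:15:02 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart apache2
Mar  3 10:16:45 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart apache2
Mar  3 10:17:40 web01 sudo:      bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar  3 10:18:11 web01 sudo:    carol : user NOT in sudoers ; TTY=pts/2 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Mar  3 10:19:00 web01 sshd[811]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2
Mar  3 10:20:30 web01 sudo: pam_unix(sudo:session): session opened for user root by alice(uid=0)
EOF
}

# stdin:  auth log lines
# stdout: STATUS<TAB>user<TAB>run-as<TAB>command<TAB>count, sorted
sudo_summary() {
  awk '
    {
      pos = index($0, " sudo: ")
      # Skip anything that is not a sudo command record (sshd, PAM session lines).
      if (pos == 0 || index($0, "COMMAND=") == 0) next
      line = substr($0, pos + 7)
      sub(/^ +/, "", line)                 # sudo pads the user name with spaces
      sep = index(line, " : ")
      if (sep == 0) next
      user = substr(line, 1, sep - 1)
      rest = substr(line, sep + 3)
      # A permitted command starts directly with KEY=value pairs;
      # a refusal puts the reason first ("command not allowed", ...).
      status = (rest ~ /^[A-Z]+=/) ? "OK" : "DENIED"
      runas = "?"
      if (match(rest, /USER=[^ ;]+/)) runas = substr(rest, RSTART + 5, RLENGTH - 5)
      # Take everything after COMMAND= so arguments containing ";" survive.
      cmd = substr(rest, index(rest, "COMMAND=") + 8)
      count[status "\t" user "\t" runas "\t" cmd]++
    }
    END { for (k in count) print k "\t" count[k] }
  ' | LC_ALL=C sort
}

sample_log | sudo_summary
```

On a real host, replace `sample_log` with `cat /var/log/auth.log`; the `DENIED` rows sort first and are the ones worth reviewing.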
Learn a scripting language
- PHP is a scripting language but not the best language for system admin processes
- Bash is a good option. Most systems use it as their default shell
- Python is another good option because it is installed on a lot of systems already
- PHP could be an option and there are some libraries such as symfony console component or Aura CLI
Locking down your code
- run web server as a different user.
- there are several ways to do it in Apache: MPM-ITK and MOD_RUID2
- MOD_RUID2 effectively allows you to “jail” apache and php
- PHP-FPM can be used to change the user that PHP runs as.
Logs
- logs will fill up the server
- logrotate rotates log files for organization and other purposes
- logwatch scans logs at regular intervals and sends a summary via email
- ossec is an intrusion detection system which alerts you when it detects issues
Preventing intruders
- hosts.deny and hosts.allow files set access to the machine or certain apps/ports on the machine
- iptables is a firewall that is generally available on linux machines that can be configured in many different ways to allow, block, or mangle traffic. The syntax is fairly complicated.
- ossec will watch the log files and automatically interact with deny/allow files and iptables to automatically block intruders and then alert you
Configuration management
- process of figuring out what goes on your servers and how things are configured.
- keep track of when files are changed
- roll back changes
- push changes to multiple servers
- configure multiple servers exactly the same way.
- puppet, chef, ansible (easiest syntax)
- https://serversforhackers.com/getting-started-with-ansible
- https://erikaheidi.com/page/vagrant (puppet stuff is really good)
Server Monitoring
- Is your server up? Is everything running? Are there enough resources?
- Monit is a small monitoring server
- Icinga is a monitoring server for multiple systems (nicer version of Nagios)
- If you are running systems in the cloud (AWS) use the tools they provide
Software Tools
- screen multiplexer (tmux/screen) – keep sessions running
- tail will allow you to look and follow the end of log files
- curl for performing HTTP requests
- iftop displays breakdown of bandwidth usage by host
- htop displays breakdown of system information like memory and CPU usage
- tcpdump sniffs traffic coming over an interface (do not install on production machines)
Some Resources
- Chris Fidao @fideoper https://serversforhackers.com
- Evan Courey