Ravelin Code Test For DevOps - Sanket Deshpande Working Steps
Setup Tools and environment
- Set up the gcloud tool locally
- Successfully created VM with the correct ravelin image
- Set up HTTP and HTTPS ingress from ALL
- VM instance external IP 35.237.228.128 and internal IP is 10.142.0.2
- Last login: Thu Jun 14 15:26:40 2018 from 88.98.211.9
PROBLEM 1:
- Created self signed SSL cert and key
- Added a new ravelinsite to nginx sites-available and symlinked it to sites-enabled. Added the correct site block, i.e.
    server {
        listen 443 ssl;
        server_name 10.142.0.2;
        ssl_certificate /etc/ssl/certs/selfsigned.crt;
        ssl_certificate_key /etc/ssl/private/selfsigned.key;
    }
- Ran nginx -t to test the configuration
- Restarted nginx
- Tested ssl with curl -k --ipv4 https://localhost:443
    <title>Welcome to nginx!</title>
    <style> body { width: 35em; margin: 0 auto; font-family: Tahoma, Verdana, Arial, sans-serif; } </style>
    Welcome to nginx!
    If you see this page, the nginx web server is successfully installed and working. Further configuration is required.
    For online documentation and support please refer to nginx.org.
    Commercial support is available at nginx.com.
    Thank you for using nginx.
PROBLEM 2:
- First collect the server certificates by using the below commands. They yield different results.
    openssl s_client -showcerts -servername www.example.com -connect www.example.com:443 </dev/null
    openssl s_client -connect api.ravelin.com:443 -CApath /etc/ssl/certs -servername api.ravelin.com
    openssl s_client -CApath /etc/ssl/certs/ -connect ravelin.com:443
- Collected certificate for *.ravelin.com, Gandi Standard SSL CA 2, DigiCert High Assurance EV Root CA, USERTRUST RSA Cert Authority
- Also collected cacert.pem from https://curl.haxx.se/docs/sslcerts.html
- Added various .crt files to /usr/share/ca-certificates/
- Added various .crt files to /etc/ca-certificates.conf
- Ran update-ca-certificates --fresh. The stdout shows 130 certs updated
- Checked that the .crt files have been added to /etc/ssl/certs/ca-certificates.crt. They are successfully added!
- Realised that my local machine was pointing to a different host for api.ravelin.com. This led me to discover a hard-coded /etc/hosts mapping to an unwanted host IP. Commenting out the /etc/hosts entry for the API URL fixed the issue.
PROBLEM 3:
- Added a sudo user with no password. SSH public key added to /home/ravelin/.ssh/authorized_keys
- sudo adduser ravelin
- sudo usermod -aG sudo ravelin
- sudo visudo - add line "ravelin ALL=(ALL) NOPASSWD:ALL"
- As root user - "passwd -d ravelin"
- As the ravelin user: ls /root/ is not allowed, then sudo ls /root/ is allowed, which is what we want, i.e. sudo without a password.
PROBLEM 4: High CPU
- Identified a process called stress-ng. kill -9 PID
- pstree -s PID shows stress-ng-cpu is started by systemd, but I could not find the service config to prevent systemd from starting the service again
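
One way to trace a systemd-started process back to the unit that owns it is to read the unit name out of /proc/<pid>/cgroup. This is an added example, not part of the original working steps; the unit name stress-ng.service and the sample cgroup lines are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: map a PID to the systemd unit that owns it by parsing
# /proc/<pid>/cgroup. The unit name in the sample data is constructed.

# Read cgroup file content on stdin; print the innermost .service/.scope unit.
# Returns non-zero when the process is not inside any unit.
unit_from_cgroup() {
    awk '
        {
            split($0, f, ":")
            # cgroup v2 uses "0::<path>"; cgroup v1 uses "<n>:name=systemd:<path>".
            if (!((f[1] == "0" && f[2] == "") || f[2] == "name=systemd")) next
            path = $0
            sub(/^[^:]*:[^:]*:/, "", path)   # keep the path even if it contains ":"
            n = split(path, part, "/")
            for (i = n; i >= 1; i--)
                if (part[i] ~ /\.(service|scope)$/) { print part[i]; found = 1; exit }
        }
        END { exit found ? 0 : 1 }
    '
}

# Resolve a live PID (Linux only).
unit_of_pid() {
    unit_from_cgroup < "/proc/$1/cgroup"
}

# Constructed sample of /proc/<pid>/cgroup on a cgroup v1 host.
sample='11:memory:/system.slice/stress-ng.service
1:name=systemd:/system.slice/stress-ng.service'

unit=$(printf '%s\n' "$sample" | unit_from_cgroup)
echo "owning unit: $unit"

# With the unit known, the follow-up on the VM would be:
#   systemctl cat "$unit"                  # show the unit file and its path
#   sudo systemctl disable --now "$unit"   # stop it and keep it from starting at boot
```

On the VM, unit_of_pid would be called with the PID of the stress-ng process before killing it, since /proc/<pid>/cgroup disappears with the process.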