janvier 2015 ~ Computer Tutorials

I. Introduction

Le « cloud computing » désigne un modèle informatique selon lequel des ressources adaptables dynamiquement sont fournies sous forme de service par le biais de technologies Internet. Ces services de cloud computing reposent généralement sur un modèle de paiement à l'utilisation.

II. Les modèles

Cloud privé/privatif : Il peut s’agir d’un « nuage » interne à la DSI ou d’un Cloud entièrement dédié et accessible via des réseaux sécurisés, hébergé chez un tiers, mutualisé entre les différentes entités d’une seule et même entreprise. Ouvert aux partenaires privilégiés de l’entreprise (fournisseurs, bureaux d’études, grands clients, institutions financières, prestataires-clés…) voire à un groupement professionnel, le Cloud peut être également de type « communautaire ».

Cloud public : Il est externe à l’organisation, accessible via Internet, géré par un prestataire externe propriétaire des infrastructures, avec des ressources partagées entre plusieurs sociétés.

Salesforce.com, Google App Engine et le moteur de recherche Google, Microsoft Azure et l'essaim de services Web d'Amazon, tel EC2.

Cloud hybride : Ici, il s’agit de la conjonction de deux ou plusieurs Cloud (public+privé) amenés à « coopérer », à partager entre eux applications et données.

III. Les services du Cloud Computing

1. IAAS

Le modèle IaaS consiste à pouvoir disposer d’une infrastructure informatique hébergée. L’accès à la ressource est complet et sans restriction, équivalent de fait à la mise à disposition d’une infrastructure physique réelle.

Une entreprise pourra par exemple louer des serveurs Linux, Windows ou autres systèmes, qui tourneront en fait dans une machine virtuelle chez le fournisseur de l’IaaS.

2. PAAS

Fournit une plate-forme gérée par le fournisseur externe pour créer et déployer des applications et des services. Ce modèle prévoit généralement des outils de développement (tels que des bases de données et des studios de développement) pour travailler avec les cadres fournis, ainsi que l'infrastructure nécessaire pour héberger l'application développée. Force.com, Microsoft Azure et Engine.Google App. Ce dernier permet entre autres la création de base de données (appelées datastore) et la gestion des utilisateurs.

Exemple : Application web QRDecode :

- Décoder des codes barre à deux dimensions

- Afficher les coordonnées des contacts auxquels correspondent ces codes barres

- Positionner ces contacts sur une carte.

3. SAAS

Il s’agit de la mise à disposition d’un logiciel non pas sous la forme d'un produit que le client installe en interne sur ses serveurs, mais en tant qu'application accessible à distance comme un service, par le biais d'Internet et du Web. Les clients ne payent pas pour posséder le logiciel en lui-même mais plutôt pour l’utiliser. Ils l’utilisent soit directement via l’interface disponible, soit via des API fournies. L’utilisation reste transparente pour les utilisateurs, qui ne ce soucient ni de la plateforme, ni du matériel qui sont mutualisés avec d’autres entreprises. Deux principales différences avec l’ASP traditionnel sont qu’une simple interface web est utilisée côté client dans tous les cas (pas de client lourd), et que le SaaS propose une seule instance de logiciel qui évolue indépendamment des clients.

IV. Les enjeux du Cloud Computing

1. Avantages

En effet, le coût est en fonction de la durée de l'utilisation du service rendu et ne nécessite aucun investissement préalable (homme ou machine).

L’élasticité du nuage permet de fournir des services évolutifs et donc de supporter les montées de charges.

Fiables car basés sur des infrastructures performantes possédant des politiques efficaces de tolérance aux pannes (notamment des répliques).

Avec comme argument phare : soulager les développeurs des tâches d'hébergement, de load-balancing et des divers problèmes liés au support matériel des applications.

2. Inconvénients

- La sécurisation des accès à l'application entre le client et le serveur distant,

- Les entreprises perdent la maîtrise de l'implantation de leurs données.

What is a system administrator?

-System Admin Tasks and Duties:

-Install systems (including clients/servers): hardware, software and o.s.

-Upgrade systems: hardware, software and o.s.

-Backups

-Start/stop system (reboot)

Other duties:

- Create accounts (add/delete), account management

- Job scheduling

- Security

- Performance monitoring and tuning

- Disk space management (formatting, partitions, quotas)

- Writing/modifying scripts (perl, shell, C, etc..)

- Running specialized services/servers (email server, web server, DNS etc..)

- Problem resolution

Last duties:

• Training (others and oneself)

• Fixing Bugs

• Automate Tasks

• Maintain system files

• Analysis of logs/systems, collect stats, reports

• Planning and Recommendations

• Work with vendors, customers

• Research New Technologies

Task of Linux Admin:

- managing hardware

- managing the kernel

- managing filesystems

- managing user account

- managing network and security

- managing backup/installation/archiving

File System in Linux:

Built-in hierarchical file structure
Common directories

- /bin : essential command binaries which may be used by the system administrator and by ordinary users, required for system boot

- /boot : kernel image and configuration files used by boot loader

- /dev : device files

- /etc : host-specific configuration files

- /home: user home directories

- /lib: essential shared lib and kernel modules

- /mnt : mount point for temporarily mounting files system such as those on a CDROM or floppy disk

- /opt : add-on application software packages

- /root : the root user’s home directory

- /sbin : system binaries, essential for system administration, but not for system boot

- /tmp : location of temporary files

- /usr : secondary hierarchy, intended as sharable, read-only data

- /var : variable data such as spool directories & log file

in unix, a filesystem is some device that is formatted to store files. It can be found on hard drives, floppies, CD-ROMs and others
the exact format and means the files are stored are not important;
based on second extended filesystem, ext2fs
provide a common interface for all filesystem types that it recognizes

In Linux 7.2, ext2 is the default file system

- Require check for consistency (e2fsck) when system is not properly shut down

- Ext => ext2 =>ext3

- Support 256 char filenames, 4 Tbyte max filesize

- Others MS-Dos, FAT32, NTFS, ISO9660

Starting from Linux 7.3, ext3 is the default file system

- Provide stronger data integrity in event of unclean shutdown

- Check for consistency is needed only on rare hardware failure

- Higher throughput, as it is optimizes hard drive head motion

- Provide easy transition from ext2 to ext3

- other common filesystem are MS-DOS (FAT32, NTFS, ISO9660)

Creating user account:

w manage users and group accounts and related system files

w passwd and group

ü user account information is stored in /etc/passwd

- each line in /etc/passwd contain a username, password, UID, GID, user’s name, home directory and default shell

ü group information is stored in /etc/group

- each line in /etc/group contain a group name, group password, GID and group member list

w to prevent users from obtaining encrypted passwords from passwd and group, shadow files are implemented

w encrypted passwords are moved to a new file, which is readable only by root

w the shadow file for /etc/passwd is /etc/shadow

w the shadow file for /etc/group is /etc/gshadow

w Three methods

ü modify the files directly, not recommended

- Login in as root

w Create a record for the user in /etc/passwd

w Set the user’s password

w Specify a login shell for the user

w Create a home directory for the user

ü Use command line

- useradd [-D] [-g default_group] [-b default_home] [-s default_shell]

- Donald:x:503:503:unka Donald: home/donald:/bin/bash

ü Alternatively, use GUI (most recommended)

Configuration files:

w bash uses a number of configuration to set its operating environment when it starts

w /etc/profile:

- system wide initiation files, execute during log in, contains environment variables, such as initial PATH, and startup program

w /etc/bashrc:

- system wide initiation files for a user, contains alias

Who use the files?

w There are 3 sets of permissions for every file or directory -- owner, group, and others

- The owner permissions are for the owner of the file or directory

- The group permissions are for everyone in the group

- Others: The global permissions are for anyone

w What is the command to see the permission and who own the files?

w answer: ls -l

w r -- file can be read

w w -- file can be written and modified

w x -- file can be executed (if it is a program)

w chmod is a standard command that allows you to change the permissions of a file or directory.

w There are two arguments for chmod:

- the permissions : based on numbers

w 1 stands for execute.
2 stands for write.
4 stands for read.

- the file/directory name. The permission argument for chmod.

w chmod 777 lab2file will allow EVERYBODY full access to read, write and execute.

w chmod 644 lab2file will all the owner (you) read and write access, the group read access, and everybody else (world) read access too.

w chmod 700 lab2file will give yourself full access while giving everybody

Setting up a secure system:

w There are some very basic things that you have to do in order to secure your system

w Shutting down the redundant services

- You have to disable all network daemons (services) that are not needed by the system

- Any network port that is listening for connections can be vulnerable to attacks due to probable exploits against running daemon

- To find out the ports that are opened type: # netstat -an

w Looking in /etc/services or by passing -p to netstat we can tell which service is running per port

w Check each port that looks like unnecessary

w Examples vulnerable services:

- telnetd, sendmail, ftpd: Send clear passwords through the web. Instead of telnet use ssh

w Shutting down services involves editing the appropriate files on your system

w On RedHat based systems daemons are started by scripts in the /etc/rc.d/init.d directory

w Depending on the runlevel each daemon/services in linked to the appropriate rcX.d directory where 0<X<6

w What to have in mind all the time:

- Never use simple passwords. Try to make them complex by mixing letters,symbols and numbers

- Do NOT work on the root account unless absolutely necessary

- Do not ignore the log files

- Update your system in a regular basis

Tcp wrapper configuration:

w A simple and effective way to protect the system

w TCP Wrappers “wrap” a service access (e.g. apache web server)monitoring the connections to it and refusing unauthorised sites

w It is used in conjunction with inetd and xinetd

w It's a good way to control the access to services that do not provide any native access control mechanism

w TCP Wrapper is the first thing encounter when a connection is established with a service protected by the wrapper

w TCP Wrapper is responsible for determining whether the connection comes from a source host that it is allowed to do so

w Depending on whether you are using TCP Wrappers with inetd or xinetd there are two different approaches

w If the system is using the inetd daemon you have to edit the /etc/inetd.conf file to use the TCP wrapper

w Using TCP wrappers requires just a small change to /etc/inetd.conf

w E.g. for the finger daemon

finger stream tcp nowait root /usr/sbin/in.fingerd in.fingerd

has to be changed to:

finger stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.fingerd

This cause the tcpd command, representing the TCP wrapper, to be executed instead of the in.fingerd and protect the daemon

w xinetd is the replacement of inetd adopted by some distros

w In most cases xinetd has built-in support for TCP wrappers

w You need to modify the TCP wrapper configuration files (/etc/hosts.allow, /etc/hosts.deny)

w /etc/hosts.allow and /etc/hosts.deny specify the access rules that are applied in daemon protection

w When a TCP wrapper is invoked it obtains the IP address of the connecting host and its hostname

w If the IP of the host is specified in the /etc/hosts.allow then access is permitted to the daemon/service

w If no match is found, the /etc/hosts.deny is consulted. If the IP is described there then the connection is closed

w If no much exists both of the files then access is granted

w The syntax of those two files is simple

w Each file contains a set of rules

w General rule form:

daemon_list : client_list : shell_command

where daemon_list is comma separated list of daemons to which the rule applies, the client_list is comma separated list of the hostnames or IP addresses where the rule applies and shell_command is optional, specifying the command to be executed when rule matches

w Example rules:

1. /etc/hosts.deny

ALL:ALL # Deny everything from everywhere

In case that nothing is specified in the /etc/hosts.allow then this rule will refuse connection to any service by anyone

2. /etc/hosts.deny

ALL: ALL EXCEPT localhost

3. /etc/hosts.allow

in.fingerd: ALL

Rechercher dans ce blog

Archives du blog

Libellés

Signaler un abus

Articles les plus consultés

Qui êtes-vous ?

vendredi 30 janvier 2015

Cloud computing