Chapter 12: Appendix

This chapter presents a set of solutions for all the questions that were asked in the previous chapters. If you have already answered these questions, you can check the accuracy of your answers. If you were unable to find a solution at the time, you can refer to the answers given here for the respective chapters.

Chapter 1: Exploring the Microsoft Azure Cloud

  1. You can virtualize compute, network, and storage resources. Of course, at the end of the day, you'll still need hardware somewhere in the world to run the hypervisors, and possibly a cloud platform on top of that.
  2. Virtualization emulates hardware, and containers emulate an operating system where multiple containers run on an underlying operating system. In virtualization, each virtual machine has its own kernel; they don't use the hypervisor/hardware kernel. In hardware virtualization, everything is transformed into software. In container virtualization, only processes are isolated.
  3. It depends; do you develop your application on the same platform? If so, then PaaS is the service type for you; otherwise, use IaaS. SaaS provides an application; it's not a hosting platform.
  4. It depends. Azure is compliant with and helps you to comply with legal rules and security/privacy policies. Plus, there is the concept of different regions if there are concerns about having data in other parts of the world. But there are always exceptions—most of the time, company policies or governmental rulings.
  5. It is very important for scalability, performance, and redundancy.
  6. It's a cloud-based identity management service for controlling access to your cloud and on-premises hybrid environment. It lets you sign in and access both cloud and on-premises environments instead of using your own AD servers and managing them.

Chapter 2: Getting Started with the Azure Cloud

  1. It helps with automation. Besides that, the web-based portal changes frequently, and the command-line interface is much more stable. In our opinion, it also gives you a better understanding of the underlying technology, thanks to its more or less strict workflow.
  2. It provides access for storing all your data objects. You'll need one for boot diagnostics and data for Azure Cloud Shell. More details can be found in Chapter 4, Managing Azure.
  3. The storage account must be globally unique in Azure.
  4. An offer is a group of related images offered by a publisher, such as Ubuntu Server. An image is one specific image within that offer.
  5. A stopped Azure virtual machine keeps resources allocated, such as dynamic public IP addresses, and incurs costs, whereas a deallocated virtual machine frees all resources so it stops incurring resource costs. However, both incur storage costs.
  6. Key-based authentication helps in automation as it can be used without exposing secrets/passwords in your scripts.
  7. Both a public and a private key will be created (if needed) and stored in your home directory (~/.ssh); the public key will be added to the authorized_keys file on the virtual machine.

Chapter 3: Basic Linux Administration

  1. for user in Lisa John Karel Carola; do useradd $user; done
  2. Execute passwd <user> and enter welc0meITG and it will ask you to enter the password again to confirm, so enter welc0meITG again.
  3. getent passwd <user>
  4. groupadd finance; groupadd staff.
  5. groupmems -g <group_name> -a <user_name>; alternatively, usermod -a -G <group_name> <user_name>
  6. To create the directory and set group ownership, execute the following:

    mkdir /home/staff

    chown staff /home/staff

    chgrp staff /home/staff

    Similarly, for finance, execute these commands:

    mkdir /home/finance

    chown finance /home/finance

    chgrp finance /home/finance

  7. chmod -R g+r /home/finance
  8. The default get access control list (getfacl -d) will list the ACL of a user.

Chapter 4: Managing Azure

  1. You don't need anything when you create a virtual machine using the Azure portal. When you use the command line, you need the following:

    A resource group

    Azure Virtual Network (VNet)

    A configured subnet

    A network security group

    A public IP address

    A network interface

  2. You need name services such as Diagnostics and Monitoring, which require a storage account.
  3. Sometimes (for instance, for a storage account), the name must be unique. A prefix combined with a randomly generated number is a nice way to make the name recognizable and unique.
  4. To define the IP range that can be used within a virtual network.
  5. To create one or more subnets within the virtual network that can be isolated or routed to each other, without going outside the virtual network.
  6. A network security group provides ACLs for the network and provides port-forwarding to the virtual machines or containers.
  7. Traffic from the virtual machine to the internet is sent via Source Network Address Translation (SNAT). This means that the IP address of the originating packet is replaced with the public IP address, which is required for TCP/IP for outbound and inbound routing.
  8. A dynamically allocated public IP address will be released when the virtual machine is deallocated. When the virtual machine starts again, it will get another IP address. You can create and assign a static public IP address when it is mandatory to keep the same IP address even after the service IP address changes.

Chapter 5: Advanced Linux Administration

  1. The Linux kernel.
  2. systemd-udevd.
  3. ls /sys/class/net and ip link show.
  4. The Azure agent for Linux.
  5. ls /sys/class/net and lsblk. The lsscsi command can be helpful as well.
  6. It is a good idea to use RAID0 to improve performance and allow improved throughput compared to using just a single disk.
  7. At the filesystem level, using B-Tree File System (BTRFS) or the Z File System (ZFS), or at the block level using Linux Software RAID (mdadm) or Logical Volume Manager (LVM) (not covered in this chapter).
  8. Create the RAID, format it, and make a mount point:

    mdadm --create /dev/md127 --level 0 --raid-devices 3 /dev/sd{c,d,e}

    mkfs.xfs -L myraid /dev/md127

    mkdir /mnt/myraid

    Create a unit file, /etc/systemd/system/mnt-myraid.mount:

    [Unit]
    Description = myRaid volume

    [Mount]
    Where = /mnt/myraid
    What = /dev/md127
    Type = xfs

    [Install]
    WantedBy = local-fs.target

    Start and enable it at boot:

    systemctl enable --now mnt-myraid.mount
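As an added example (not code from the book), the following Python renders a mount unit like the one above and checks the two things that most often make such a unit fail to mount at boot: the file name must be the systemd-escaped form of Where= (mnt-myraid.mount for /mnt/myraid), and WantedBy= must name a target such as local-fs.target. The path escaping follows the documented systemd-escape -p rules in a simplified form (repeated slashes are not collapsed).

```python
# Added example, not from the book: build and sanity-check a systemd .mount unit.

def systemd_path_escape(path):
    """Unit-name prefix systemd expects for a mount point (cf. systemd-escape -p); simplified."""
    p = path.strip("/")
    if not p:
        return "-"                      # the root filesystem is "-.mount"
    out = []
    for i, ch in enumerate(p):
        if ch == "/":
            out.append("-")
        elif (ch.isascii() and ch.isalnum()) or ch in ":_" or (ch == "." and i > 0):
            out.append(ch)
        else:
            out.append("\\x%02x" % ord(ch))  # e.g. "-" in a path becomes \x2d
    return "".join(out)

def render_mount_unit(what, where, fstype, wanted_by="local-fs.target"):
    """Render a minimal mount unit; WantedBy=local-fs.target makes it mount at boot."""
    return ("[Unit]\nDescription=Mount %s\n\n[Mount]\nWhere=%s\nWhat=%s\nType=%s\n\n"
            "[Install]\nWantedBy=%s\n" % (where, where, what, fstype, wanted_by))

def parse_unit(text):
    sections, current = {}, None      # INI-style {section: {key: value}}; tolerates 'Key = Value'
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def check_mount_unit(filename, text):
    """Return a list of problems that would stop systemd from using the unit as intended."""
    problems, unit = [], parse_unit(text)
    mount = unit.get("Mount", {})
    for key in ("What", "Where"):
        if key not in mount:
            problems.append("missing %s= in [Mount]" % key)
    where = mount.get("Where")
    if where and filename != systemd_path_escape(where) + ".mount":
        problems.append("unit must be named %s.mount for Where=%s" % (systemd_path_escape(where), where))
    wanted = unit.get("Install", {}).get("WantedBy", "")
    if wanted and not wanted.endswith(".target"):
        problems.append("WantedBy=%s should be a .target (e.g. local-fs.target)" % wanted)
    return problems
```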

Chapter 6: Managing Linux Security and Identities

  1. Using the firewall-cmd command or by deploying Extensible Markup Language (XML) files in the /etc/firewalld directory.
  2. The --permanent parameter makes it persistent across reboots and executes during startup configuration.
  3. In Linux, you can restrict access using ACLs in systemd. Some applications also provide other host allow/deny options. In Azure, you have network security groups and the Azure Firewall service.
  4. Discretionary access control (DAC) is used for restricting access based on users/groups and permissions on files. Mandatory access control (MAC) further restricts access based on classification labels for each resource object.
  5. If someone gained access illegally to an application or system, with DAC, there is no way to prevent further access, especially for files with the same user/group owner and files with permissions for others.
  6. Every device will have a unique MAC address and you can find your virtual machine's MAC address using ipconfig /all and then look for Physical Address.

    MAC frameworks that utilize Linux Security Modules are as follows:

    SELinux: Red Hat–based distributions and SUSE

    AppArmor: Ubuntu and SUSE

    The lesser-known TOMOYO (SUSE): Not covered in this book

  7. Besides the fact that SELinux can protect more resource objects, AppArmor works directly with paths, while SELinux protects the whole system with fine-grained access control.
  8. You need the following prerequisites before joining an AD domain:

    Kerberos client for authorization

    System Security Services Daemon (SSSD): A backend that is responsible for the configuration and utilization of features such as using and caching credentials

    Samba libraries to be compatible with Windows features/options

    Some utilities to join and manage the domain, such as realm, adcli, and the net command

Chapter 7: Deploying Your Virtual Machines

  1. We use automated deployment to save time, to get a reproducible environment quickly up and running, and to avoid manual errors.
  2. Besides the answer to the previous question, a standardized working environment makes team-based application development possible.
  3. Scripting is very flexible. Scripts are easier to create and can be invoked manually anytime. The automation process can be triggered by events such as adding code to Git using git push or the stopping/starting of your virtual machines.
  4. Azure Resource Manager is the most important one. In addition, you can use Terraform, Ansible, and PowerShell.
  5. Vagrant deploys a workload in Azure; Packer creates a custom image that you can deploy.
  6. For multiple reasons, the most important ones are the following:

    Security, to harden the image using CIS standards

    When customization is needed for a standard image

    Not dependent on the offerings of a third party

    Capture an existing virtual machine

    Convert a snapshot to an image

  7. You can create your own image by building your own VHD file. The following are the options for doing so:

    Create a virtual machine in Hyper-V or VirtualBox, which is a free hypervisor available for Windows, Linux, and macOS.

    Create your virtual machine in VMware Workstation or KVM and use qemu-img on Linux to convert the image.

Chapter 8: Exploring Continuous Configuration Automation

Example scripts are available on GitHub at https://github.com/PacktPublishing/Hands-On-Linux-Administration-on-Azure---Second-Edition/tree/master/chapter12/solutions_chapter08.

Chapter 9: Container Virtualization in Azure

  1. You can use containers for packaging and distributing your applications, which can be platform-independent. Containers remove the need for virtual machine and operating system management and help you achieve high availability and scalability.
  2. Containers are not suitable if you have a huge monolithic application that requires all the resources of the underlying virtual machines.
  3. Linux containers (LXCs) are an optimal solution that can be provisioned in Azure.
  4. Tools such as Buildah make it possible to create virtual machines that can be used in every solution. Rkt (pronounced "rocket") also supports the Docker format. The Open Container Initiative is working very hard to create standards to make the creation of virtual machines even easier.
  5. You can develop everything in Azure or you can develop locally and then push to a remote environment.
  6. It's container platform–agnostic, and the Buildah tool is easier to use than other tools. You can explore further at https://github.com/containers/buildah.
  7. Containers can be built, replaced, stopped, and destroyed on demand without any impact upon the application or data, so it's not recommended to store any data in the container. Instead, store it in a volume.

Chapter 10: Working with Azure Kubernetes Service

  1. A pod is a group of containers with shared resources, such as storage and network, as well as a specification for how to run the containers.
  2. A good reason to create a multiple-container pod is to support co-located, co-managed helper processes for your primary application.
  3. There are multiple methods available, including Draft and Helm, which were discussed in the chapter in addition to Azure Kubernetes Service (AKS).
  4. You can use kubectl to update your application in AKS. In addition, you can also use Helm and Draft.
  5. You don't need to do it yourself manually; it will be done automatically by AKS.
  6. You will need an iSCSI solution and a clustered filesystem when you want to read/write simultaneously from multiple containers.
  7. Example code is provided on GitHub at https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/aks/azure-disks-dynamic-pv.md.

Chapter 11: Troubleshooting and Monitoring Your Workloads

  1. You can access your virtual machine using Azure Serial Console as root without a password unless it's specifically blocked.
  2. To collect all the standard output, syslog messages, and related messages from the kernel, systemd processes, and units.
  3. syslog uses the following list of severities (per application):

    Alert: Action must be taken immediately.

    Critical: Critical conditions.

    Error: Error conditions.

    Warning: Warning conditions.

    Notice: Normal but significant conditions.

    Informational: Informational messages.

    Debug: Debug-level messages.

  4. 0-Emergency, 1-Alert, 2-Critical, 3-Error, 4-Warning, 5-Notice, 6-Informational, 7-Debug.
  5. Use logger or systemd-cat. You can use it if an application or script doesn't have syslog support. Another option is to add logging entries as a part of your change management.
  6. The Azure Log Analytics service is used to view the metrics of a virtual machine.
  7. There are several shortcomings of the top utility; for instance, you can't see short-lived processes. The atop and dstat utilities are solutions to this problem.
  8. sysstat utilities provide historical data; dstat provides real-time monitoring.
  9. It makes the collection of data coming from tcpdump of your Azure virtual machine (workstation) easier to read and it has great analysis potential.
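As an added example (not code from the book), the following Python decodes the <PRI> header of syslog lines using the numeric severities of answers 3 and 4, including the facility part that `logger -p facility.severity` also encodes, and filters lines by a severity threshold the way `journalctl -p` does. The facility names are the standard RFC 5424 list; the hostname, PIDs and messages in the sample lines are constructed for this example.

```python
# Added example, not from the book: decode and filter syslog lines by the
# numeric severities listed in the Chapter 11 answers (0 emergency .. 7 debug).
import re

SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "informational", "debug"]
# Facility codes from RFC 5424 (0..23); the PRI value is facility * 8 + severity.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron"] + ["local%d" % i for i in range(8)]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)

def encode_pri(facility, severity):
    """PRI as written by `logger -p facility.severity`, e.g. auth.error -> 35."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)

def decode_pri(pri):
    """Split a PRI value into (facility, severity) names; rejects out-of-range values."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]

def parse_line(line):
    """Parse one '<PRI>message' line; returns None for lines without a PRI header."""
    m = PRI_RE.match(line)
    if not m:
        return None
    facility, severity = decode_pri(int(m.group(1)))
    return {"facility": facility, "severity": severity,
            "level": SEVERITIES.index(severity), "msg": m.group(2).strip()}

def at_least(lines, threshold):
    """Keep messages at `threshold` or more urgent, the way `journalctl -p threshold` filters."""
    limit = SEVERITIES.index(threshold)
    return [p for p in map(parse_line, lines) if p is not None and p["level"] <= limit]

# Constructed sample lines (hostname, PIDs and text are made up for this example).
SAMPLE = [
    "<35>Mar  1 10:00:01 vm01 sshd[812]: error: PAM: Authentication failure for user bob",
    "<38>Mar  1 10:00:02 vm01 sshd[812]: Accepted publickey for azureuser from 10.0.0.4 port 50122",
    "<12>Mar  1 10:00:03 vm01 myapp[1102]: disk usage at 91%",
    "<15>Mar  1 10:00:04 vm01 myapp[1102]: debug: cache warmed",
    "no PRI header on this line",
]
```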