Change-Id: I05018766b3c935bb84be7c1f25be06cb4afc75fa
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/1490
Reviewed-by: Steve Hoenisch <shoenisch@vmware.com>
Tested-by: Steve Hoenisch <shoenisch@vmware.com>
... | ... |
@@ -8,12 +8,13 @@ |
8 | 8 |
- [The Root Account and the `sudo` and `su` |
9 | 9 |
Commands](#the-root-account-and-the-sudo-and-su-commands) |
10 | 10 |
- [Quick Start](#quick-start) |
11 |
- - [Obtaining the ISO from Bintray and Creating a Photon OS VM in |
|
12 |
- VMware |
|
11 |
+ - [Obtaining the ISO from Bintray and Creating a Photon OS VM |
|
12 |
+ in VMware |
|
13 | 13 |
Workstation](#obtaining-the-iso-from-bintray-and-creating-a-photon-os-vm-in-vmware-workstation) |
14 | 14 |
- [Installing the OVA for the Minimal Version in |
15 | 15 |
vSphere](#installing-the-ova-for-the-minimal-version-in-vsphere) |
16 |
- - [Rapidly Deploying the Photon OS OVA in VMware Workstation 12 |
|
16 |
+ - [Rapidly Deploying the Photon OS OVA in VMware Workstation |
|
17 |
+ 12 |
|
17 | 18 |
Pro](#rapidly-deploying-the-photon-os-ova-in-vmware-workstation-12-pro) |
18 | 19 |
- [Root Password Rules](#root-password-rules) |
19 | 20 |
- [Permitting Root Login with |
... | ... |
@@ -24,16 +25,18 @@ |
24 | 24 |
- [Kickstart](#kickstart) |
25 | 25 |
- [Checking the Version and Build |
26 | 26 |
Number](#checking-the-version-and-build-number) |
27 |
-- [Tiny DNF for Package Management](#tiny-dnf-for-package-management) |
|
27 |
+- [Tiny DNF for Package |
|
28 |
+ Management](#tiny-dnf-for-package-management) |
|
28 | 29 |
- [Configuration Files and |
29 | 30 |
Repositories](#configuration-files-and-repositories) |
30 | 31 |
- [Options for Commands](#options-for-commands) |
31 | 32 |
- [Commands](#commands) |
32 | 33 |
- [Adding a New Repository](#adding-a-new-repository) |
33 |
- - [Adding the Dev Repository to Get New Packages from the GitHub |
|
34 |
- Dev |
|
34 |
+ - [Adding the Dev Repository to Get New Packages from the |
|
35 |
+ GitHub Dev |
|
35 | 36 |
Branch](#adding-the-dev-repository-to-get-new-packages-from-the-github-dev-branch) |
36 |
-- [Managing Services with systemd](#managing-services-with-systemd) |
|
37 |
+- [Managing Services with |
|
38 |
+ systemd](#managing-services-with-systemd) |
|
37 | 39 |
- [Viewing Services](#viewing-services) |
38 | 40 |
- [Controlling Services](#controlling-services) |
39 | 41 |
- [Creating a Startup Service](#creating-a-startup-service) |
... | ... |
@@ -43,7 +46,8 @@ |
43 | 43 |
auditd](#auditing-system-events-with-auditd) |
44 | 44 |
- [Analyzing systemd Logs with |
45 | 45 |
journalctl](#analyzing-systemd-logs-with-journalctl) |
46 |
- - [Migrating Scripts to systemd](#migrating-scripts-to-systemd) |
|
46 |
+ - [Migrating Scripts to |
|
47 |
+ systemd](#migrating-scripts-to-systemd) |
|
47 | 48 |
- [Managing the Network |
48 | 49 |
Configuration](#managing-the-network-configuration) |
49 | 50 |
- [Use `ip` and `ss` Commands Instead of `ifconfig` and |
... | ... |
@@ -61,7 +65,8 @@ |
61 | 61 |
Names](#using-predictable-network-interface-names) |
62 | 62 |
- [Inspecting the Status of Network Links with |
63 | 63 |
`networkctl`](#inspecting-the-status-of-network-links-with-networkctl) |
64 |
- - [Turning on Network Debugging](#turning-on-network-debugging) |
|
64 |
+ - [Turning on Network |
|
65 |
+ Debugging](#turning-on-network-debugging) |
|
65 | 66 |
- [Mounting a Network File |
66 | 67 |
System](#mounting-a-network-file-system) |
67 | 68 |
- [Installing the Packages for tcpdump and netcat with |
... | ... |
@@ -80,8 +85,13 @@ |
80 | 80 |
- [Fixing Sendmail If Installed Before an FQDN Was |
81 | 81 |
Set](#fixing-sendmail-if-installed-before-an-fqdn-was-set) |
82 | 82 |
- [Changing the Locale](#changing-the-locale) |
83 |
+- [The Default Security Policy of Photon |
|
84 |
+ OS](#the-default-security-policy-of-photon-os) |
|
85 |
+ - [Default Firewall Settings](#default-firewall-settings) |
|
86 |
+ - [Default Permissions and |
|
87 |
+ umask](#default-permissions-and-umask) |
|
83 | 88 |
- [Disabling TLS 1.0 to Improve Transport Layer |
84 |
- Security](#disabling-tls-10-to-improve-transport-layer-security) |
|
89 |
+ Security](#disabling-tls-1.0-to-improve-transport-layer-security) |
|
85 | 90 |
- [Working with Repositories and |
86 | 91 |
Packages](#working-with-repositories-and-packages) |
87 | 92 |
- [Photon OS Package |
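Review bot: the anchor rewrite on the "Disabling TLS 1.0" TOC entry (`#disabling-tls-10-...` changed to `#disabling-tls-1.0-...`) most likely breaks the link rather than fixing it. GitHub-style heading slugs drop punctuation such as the period, so the anchor generated for `## Disabling TLS 1.0 to Improve Transport Layer Security` is `disabling-tls-10-to-improve-transport-layer-security`, which is exactly what the old line had. Suggest reverting that one line and confirming on the rendered page. The four new entries for the security-policy section use only letters and hyphens and look correct.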
... | ... |
@@ -294,7 +304,7 @@ Save your changes in vim and then restart the sshd daemon: |
294 | 294 |
|
295 | 295 |
You can then connect to the Photon OS machine with the root account over SSH: |
296 | 296 |
|
297 |
- steve@ubuntu:~$ ssh root@192.168.137.131 |
|
297 |
+ steve@ubuntu:~$ ssh root@198.51.100.131 |
|
298 | 298 |
|
299 | 299 |
### Deploying Photon OS on a Mac with AppCatalyst |
300 | 300 |
|
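Review bot: 198.51.100.0/24 is the RFC 5737 TEST-NET-2 block reserved for documentation, so replacing the private 192.168.137.x address here is the right change. For consistency, keep every sample address in the file inside that same /24 so the SSH, static-configuration, DNS and `networkctl` examples agree with one another.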
... | ... |
@@ -334,7 +344,7 @@ Obtain the IP address of the VM so you can establish an SSH connection to it: |
334 | 334 |
|
335 | 335 |
You can then connect to the VM with the SSH keys included with AppCatalyst by running the following command and replacing the example IP address with the IP address of your VM: |
336 | 336 |
|
337 |
- ssh -i /opt/vmware/appcatalyst/etc/appcatalyst_insecure_ssh_key photon@192.168.137.131 |
|
337 |
+ ssh -i /opt/vmware/appcatalyst/etc/appcatalyst_insecure_ssh_key photon@198.51.100.131 |
|
338 | 338 |
|
339 | 339 |
Photon OS includes Docker. From your SSH terminal connection to the Photon OS virtual machine, you can launch a Docker container that, for example, downloads Ubuntu from the Docker repository and runs it in the Photon OS VM in AppCatalyst on your Mac: |
340 | 340 |
|
... | ... |
@@ -409,7 +419,7 @@ The repositories appear in /etc/yum.repos.d/ with `.repo` file extensions: |
409 | 409 |
photon-updates.repo |
410 | 410 |
photon.repo |
411 | 411 |
|
412 |
-You can list the the repositories by using the tdnf repolist command. Tdnf filters the results with `enabled`, `disabled`, and `all`. Running the command without specifying an argument returns the enabled repositories: |
|
412 |
+You can list the the repositories by using the `tdnf repolist` command. Tdnf filters the results with `enabled`, `disabled`, and `all`. Running the command without specifying an argument returns the enabled repositories: |
|
413 | 413 |
|
414 | 414 |
tdnf repolist |
415 | 415 |
repo id repo name status |
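Review bot: line 412 still reads "list the the repositories" in both the old and the new text. Since the line is already being touched to put backticks around `tdnf repolist`, drop the duplicated "the" in the same change.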
... | ... |
@@ -917,14 +927,14 @@ For example, instead of running `netstat` to display a list of network interface |
917 | 917 |
Using the `ip route` version of a command instead of the net-tools version often provides more complete, accurate information on Photon OS, as the following example demonstrates: |
918 | 918 |
|
919 | 919 |
ip neigh |
920 |
- 192.168.137.2 dev eth0 lladdr 00:50:56:e2:02:0f STALE |
|
921 |
- 192.168.137.254 dev eth0 lladdr 00:50:56:e7:13:d9 STALE |
|
922 |
- 192.168.137.1 dev eth0 lladdr 00:50:56:c0:00:08 DELAY |
|
920 |
+ 198.51.100.2 dev eth0 lladdr 00:50:56:e2:02:0f STALE |
|
921 |
+ 198.51.100.254 dev eth0 lladdr 00:50:56:e7:13:d9 STALE |
|
922 |
+ 198.51.100.1 dev eth0 lladdr 00:50:56:c0:00:08 DELAY |
|
923 | 923 |
|
924 | 924 |
arp -a |
925 |
- ? (192.168.137.2) at 00:50:56:e2:02:0f [ether] on eth0 |
|
926 |
- ? (192.168.137.254) at 00:50:56:e7:13:d9 [ether] on eth0 |
|
927 |
- ? (192.168.137.1) at 00:50:56:c0:00:08 [ether] on eth0 |
|
925 |
+ ? (198.51.100.2) at 00:50:56:e2:02:0f [ether] on eth0 |
|
926 |
+ ? (198.51.100.254) at 00:50:56:e7:13:d9 [ether] on eth0 |
|
927 |
+ ? (198.51.100.1) at 00:50:56:c0:00:08 [ether] on eth0 |
|
928 | 928 |
|
929 | 929 |
### Configuring Network Interfaces |
930 | 930 |
|
... | ... |
@@ -991,8 +1001,8 @@ To create a network configuration file that systemd-networkd uses to establish a |
991 | 991 |
Name=eth0 |
992 | 992 |
|
993 | 993 |
[Network] |
994 |
- Address=192.168.0.2/24 |
|
995 |
- Gateway=192.168.0.1 |
|
994 |
+ Address=198.51.0.2/24 |
|
995 |
+ Gateway=198.51.0.1 |
|
996 | 996 |
EOF |
997 | 997 |
|
998 | 998 |
Change the new file's mode bits by running the `chmod` command: |
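Review bot: the new `Address=198.51.0.2/24` and `Gateway=198.51.0.1` are not in documentation space. The RFC 5737 block is 198.51.100.0/24; 198.51.0.0/24 is ordinary routable address space, so a reader who copies this static configuration verbatim could end up with an address that collides with a real network. Suggest `Address=198.51.100.2/24` and `Gateway=198.51.100.1`, which also matches the 198.51.100.x addresses used in the other hunks of this patch.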
... | ... |
@@ -1036,7 +1046,7 @@ If you open the default /etc/resolv.conf file after you deploy Photon OS, it loo |
1036 | 1036 |
# resolv.conf(5) in a different way, replace the symlink by a |
1037 | 1037 |
# static file or a different symlink. |
1038 | 1038 |
|
1039 |
- nameserver 192.168.137.2 |
|
1039 |
+ nameserver 198.51.100.2 |
|
1040 | 1040 |
|
1041 | 1041 |
To add a DNS server to your static network configuration file, insert a DNS key into the Network section of, in this example, /etc/systemd/network/10-eth0-static.network and set it to the IP address of your DNS server: |
1042 | 1042 |
|
... | ... |
@@ -1044,9 +1054,9 @@ To add a DNS server to your static network configuration file, insert a DNS key |
1044 | 1044 |
Name=e* |
1045 | 1045 |
|
1046 | 1046 |
[Network] |
1047 |
- Address=192.168.0.2/24 |
|
1048 |
- Gateway=192.168.0.1 |
|
1049 |
- DNS=192.168.0.1 |
|
1047 |
+ Address=198.51.0.2/24 |
|
1048 |
+ Gateway=198.51.0.1 |
|
1049 |
+ DNS=198.51.0.1 |
|
1050 | 1050 |
|
1051 | 1051 |
Another way of adding a DNS server is to modify /etc/systemd/resolved.conf--a method that can be particularly useful when your machine is working with DHCP. For more information, see https://www.freedesktop.org/software/systemd/man/resolved.conf.html. |
1052 | 1052 |
|
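Review bot: same problem as the static-configuration hunk above: `Address=198.51.0.2/24`, `Gateway=198.51.0.1` and `DNS=198.51.0.1` fall outside the 198.51.100.0/24 documentation range. Suggest `Address=198.51.100.2/24`, `Gateway=198.51.100.1` and `DNS=198.51.100.1` so this DNS example and the earlier static example describe the same network.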
... | ... |
@@ -1206,13 +1216,13 @@ Running `networkctl` with the status command displays information that looks lik |
1206 | 1206 |
|
1207 | 1207 |
root@photon-rc [ ~ ]# networkctl status |
1208 | 1208 |
* State: routable |
1209 |
- Address: 192.168.137.131 on eth0 |
|
1209 |
+ Address: 198.51.100.131 on eth0 |
|
1210 | 1210 |
172.17.0.1 on docker0 |
1211 | 1211 |
fe80::20c:29ff:fe55:3ca6 on eth0 |
1212 | 1212 |
fe80::42:f0ff:fef7:bd81 on docker0 |
1213 | 1213 |
fe80::4c84:caff:fe76:a23f on vethb0aa7a6 |
1214 |
- Gateway: 192.168.137.2 on eth0 |
|
1215 |
- DNS: 192.168.137.2 |
|
1214 |
+ Gateway: 198.51.100.2 on eth0 |
|
1215 |
+ DNS: 198.51.100.2 |
|
1216 | 1216 |
|
1217 | 1217 |
You can then add a network link, such as the Ethernet connection, as the argument of the status command to show specific information about the link: |
1218 | 1218 |
|
... | ... |
@@ -1226,10 +1236,10 @@ You can then add a network link, such as the Ethernet connection, as the argumen |
1226 | 1226 |
Driver: e1000 |
1227 | 1227 |
HW Address: 00:0c:29:55:3c:a6 (VMware, Inc.) |
1228 | 1228 |
MTU: 1500 |
1229 |
- Address: 192.168.137.131 |
|
1229 |
+ Address: 198.51.100.131 |
|
1230 | 1230 |
fe80::20c:29ff:fe55:3ca6 |
1231 |
- Gateway: 192.168.137.2 |
|
1232 |
- DNS: 192.168.137.2 |
|
1231 |
+ Gateway: 198.51.100.2 |
|
1232 |
+ DNS: 198.51.100.2 |
|
1233 | 1233 |
CLIENTID: ffb6220feb00020000ab116724f520a0a77337 |
1234 | 1234 |
|
1235 | 1235 |
And you can do the same thing with the Docker container: |
... | ... |
@@ -1377,7 +1387,7 @@ Finally, attach the ISO to the Photon OS virtual machine as a CD-ROM and reboot |
1377 | 1377 |
|
1378 | 1378 |
### Customizing a Photon OS Machine on EC2 |
1379 | 1379 |
|
1380 |
-This section illustrates how to upload an `ami` image of Photon OS to Amazon Elastic Compute Cloud (EC2) and customize the Photon OS machine by using cloud-init with an EC2 data source. The ami version of Photon OS is available as a free download on Bintray: |
|
1380 |
+This section illustrates how to upload an `ami` image of Photon OS to Amazon Elastic Compute Cloud (EC2) and customize the Photon OS machine by using cloud-init with an EC2 data source. The Amazon machine image version of Photon OS is available as a free download on Bintray: |
|
1381 | 1381 |
|
1382 | 1382 |
https://bintray.com/vmware/photon/ |
1383 | 1383 |
|
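Review bot: after this change the paragraph says "an `ami` image" in the first sentence and "The Amazon machine image version" in the second, which is both redundant (image image) and inconsistent in capitalization; the official name is Amazon Machine Image (AMI). Suggest introducing it once, as "an Amazon Machine Image (AMI) of Photon OS", and then referring to "The AMI" in the second sentence.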
... | ... |
@@ -1449,6 +1459,8 @@ Now check the cloud-init output log file on EC2 at `/var/log/cloud-init-output.l |
1449 | 1449 |
|
1450 | 1450 |
For more information on using cloud-init user data on EC2, see [Running Commands on Your Linux Instance at Launch](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/user-data.html). |
1451 | 1451 |
|
1452 |
+An article on the Photon OS GitHub wiki demonstrates how to get Photon OS up and running on EC2 and run a containerized application in the Docker engine. See [Running Photon OS on Amazon Elastic Cloud Compute](https://github.com/vmware/photon/wiki/Running-Photon-OS-on-Amazon-Elastic-Cloud-Compute). |
|
1453 |
+ |
|
1452 | 1454 |
With Photon OS, you can also build cloud images on Google Compute Engine and other cloud providers; see [Compatible Cloud Images](https://github.com/vmware/photon/blob/master/docs/cloud-images.md). |
1453 | 1455 |
|
1454 | 1456 |
### Running a Photon OS Machine on GCE |
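Review bot: the added link text says "Amazon Elastic Cloud Compute", while line 1380 in this same section correctly calls the service Amazon Elastic Compute Cloud (EC2). If the wiki page really carries the transposed title, keep the URL as-is (wiki URLs follow the page title) and correct only the visible link text; otherwise verify that the URL resolves before merging.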
... | ... |
@@ -1621,6 +1633,69 @@ Finally, run the following command to set the new locale, replacing the example |
1621 | 1621 |
|
1622 | 1622 |
localectl set-locale LANG="en_US.UTF-8" LC_CTYPE="en_US.UTF-8" |
1623 | 1623 |
|
1624 |
+## The Default Security Policy of Photon OS |
|
1625 |
+ |
|
1626 |
+### Default Firewall Settings |
|
1627 |
+ |
|
1628 |
+The design of Photon OS emphasizes security. On the minimal and full versions of Photon OS, the default security policy turns on the firewall and drops packets from external interfaces and applications. As a result, you might need to add rules to iptables to permit forwarding, allow protocols like HTTP, and open ports. In other words, you must configure the firewall for your applications and requirements. |
|
1629 |
+ |
|
1630 |
+The default iptables settings on the full version look like this: |
|
1631 |
+ |
|
1632 |
+ iptables --list |
|
1633 |
+ Chain INPUT (policy DROP) |
|
1634 |
+ target prot opt source destination |
|
1635 |
+ ACCEPT all -- anywhere anywhere |
|
1636 |
+ ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED |
|
1637 |
+ ACCEPT tcp -- anywhere anywhere tcp dpt:ssh |
|
1638 |
+ |
|
1639 |
+ Chain FORWARD (policy DROP) |
|
1640 |
+ target prot opt source destination |
|
1641 |
+ |
|
1642 |
+ Chain OUTPUT (policy DROP) |
|
1643 |
+ target prot opt source destination |
|
1644 |
+ ACCEPT all -- anywhere anywhere |
|
1645 |
+ |
|
1646 |
+ |
|
1647 |
+To find out how to adjust the settings, see the man page for iptables. |
|
1648 |
+ |
|
1649 |
+Although the default iptables policy accepts SSH connections, the `sshd` configuration file on the full version of Photon OS is set to reject SSH connections. See [Permitting Root Login with SSH](#permitting-root-login-with-ssh). |
|
1650 |
+ |
|
1651 |
+If you are unable to ping a Photon OS machine, one of the first things you should do is check the firewall rules. Do they allow connectivity for the port and protocol in question? You can supplement the `iptables` commands by using `lsof` to, for instance, see the processes listening on ports: |
|
1652 |
+ |
|
1653 |
+ lsof -i -P -n |
|
1654 |
+ |
|
1655 |
+### Default Permissions and umask |
|
1656 |
+ |
|
1657 |
+The umask on Photon OS is set to `0027`. |
|
1658 |
+ |
|
1659 |
+When you create a new file with the `touch` command as root, the default on Photon OS is to set the permissions to `0640`--read-write for user, read for group, and no access for others. Here's an example: |
|
1660 |
+ |
|
1661 |
+ touch newfile.md |
|
1662 |
+ stat newfile.md |
|
1663 |
+ File: 'newfile.md' |
|
1664 |
+ Size: 0 Blocks: 0 IO Block: 4096 regular empty file |
|
1665 |
+ Device: 801h/2049d Inode: 316454 Links: 1 |
|
1666 |
+ Access: (0640/-rw-r-----) Uid: ( 0/ root) Gid: ( 0/ root) |
|
1667 |
+ |
|
1668 |
+When you create a directory as root, Photon OS sets the permissions to `0750`: |
|
1669 |
+ |
|
1670 |
+ mkdir newdir |
|
1671 |
+ stat newdir |
|
1672 |
+ File: 'newdir' |
|
1673 |
+ Size: 4096 Blocks: 8 IO Block: 4096 directory |
|
1674 |
+ Device: 801h/2049d Inode: 316455 Links: 2 |
|
1675 |
+ Access: (0750/drwxr-x---) Uid: ( 0/ root) Gid: ( 0/ root) |
|
1676 |
+ |
|
1677 |
+Because the `mkdir` command uses the umask to modify the permissions placed on newly created files or directories, you can see `umask` at work in the permissions of the new directory: Its default permissions are set at 0750 after the umask subtracts 0027 from the full set of open permissions, 0777. |
|
1678 |
+ |
|
1679 |
+Similarly, a new file begins as 0666, which you could see if you were to set umask to 0000. But because umask is set by default to 0027, a new file's permissions are set to 0640. |
|
1680 |
+ |
|
1681 |
+So be aware of the default permissions on the directories and files that you create. Some system services and applications might require permissions other than the default. The systemd network service, for example, requires user-defined configuration files to be set to 644, not the default of 640. Thus, after you create a network configuration file with a `.network` extension, you must run the `chmod` command to set the new file's mode bits to `644`. Example: |
|
1682 |
+ |
|
1683 |
+ chmod 644 10-static-en.network |
|
1684 |
+ |
|
1685 |
+For more information on permissions, see the man pages for `stat`, `umask`, and `acl`. |
|
1686 |
+ |
|
1624 | 1687 |
## Disabling TLS 1.0 to Improve Transport Layer Security |
1625 | 1688 |
|
1626 | 1689 |
Photon OS includes GnuTLS to help secure the transport layer. [GnuTLS](http://www.gnutls.org/) is a library that implements the SSL and TLS protocols to secure communications. |
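Review bot: line 1649 overstates the sshd default: the section it links to is "Permitting Root Login with SSH", so what the full version rejects by default is root login over SSH, not SSH connections in general. Suggest "is set to refuse root login over SSH". Two further points in this hunk. First, line 1677 says the umask "subtracts 0027 from" 0777; umask is a bit mask (the bits set in the umask are cleared from the requested mode), not arithmetic subtraction, and the difference shows up in line 1679's file case: 0666 with the 0027 bits cleared is 0640, whereas octal 0666 - 0027 is 0637, so "subtracts" gives the wrong answer for files. Suggest "clears the bits set in the umask (0027) from 0777" and the same wording for 0666. Second, `iptables --list` (lines 1632-1644) hides match options, so the first INPUT rule prints as an unconditional "ACCEPT all -- anywhere anywhere", which reads as contradicting the sentence that external packets are dropped; listing with `iptables -L -v -n` (or `iptables -S`) shows the interface or other match on that rule and makes the default policy self-explanatory. Related minor point: line 1651 uses ping as the connectivity test, but if that first rule is interface-restricted, no listed INPUT rule accepts ICMP echo, so ping can fail on a default install even when the service port is open; "unable to reach" fits the port-and-protocol question better, and `ss -tulpn` would be a consistent alternative to `lsof` given the earlier "Use `ip` and `ss` Commands" section. Also drop one of the two consecutive blank lines at 1645-1646.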
... | ... |
@@ -1687,7 +1762,6 @@ The main Photon OS repository (`photon.repo`) contains all the packages that are |
1687 | 1687 |
The updates repository (`photon-updates.repo`) is irrelevant to a major release until after the release is installed. Thereafter, the updates repository holds the updated packages for that release. The repository, that is, points to updates for the installed version, such as a version of Kubernetes that supersedes the version installed during the major release. |
1688 | 1688 |
|
1689 | 1689 |
The Photon extras repository (`photon-extras.repo`) holds Likewise Open, an open source authentication engine, and other VMware software that you can add to Photon OS for free. Photon OS supports but does not build the packages in the extras repository. |
1690 |
- |
|
1691 | 1690 |
Similarly, the Lightwave repository (`lightwave.repo`) contains the packages that make up the VMware Lightwave security suite for cloud applications, including tools for identity management, access control, and certificate management. |
1692 | 1691 |
|
1693 | 1692 |
### Examining Signed Packages |
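Review bot: this hunk removes the blank line (old 1690) separating the extras-repository paragraph from the Lightwave paragraph. In Markdown, consecutive lines without a blank line between them render as a single paragraph, so the two repositories would be described in one run-on paragraph. Unless that merge is intended, keep the blank line.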
... | ... |
@@ -1865,3 +1939,6 @@ The following technical articles and guides appear in the [Photon OS wiki](https |
1865 | 1865 |
|
1866 | 1866 |
|
1867 | 1867 |
|
1868 |
+ |
|
1869 |
+ |
|
1870 |
+ |
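Review bot: the hunk appends three empty lines at the end of the file (new 1868-1870). Trailing blank lines add nothing to the rendered page and may trip trailing-whitespace checks; suggest ending the file with a single newline.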