When I was busy with a late spring-cleaning, I thought it to be a good idea to remove some old repositories from my Git server.
At home I am running Forgejo and when I want to remove a complete organization, I need to click and type a lot.
But Forgejo, just as Gitea has a wonderful API, so, why not use that??
I saw this at Justyns site and I stole ^W borrowed this script.
As CentOS 7 is getting to the end of it’s live it’s time to start thinking about an upgrade.
On my old server I tried LEAPP a couple of times (on a clone, of course), but success was not really guaranteed. So, a complete reinstall is in order.
But, as I move from CentOS 7 to Rocky Linux 9, this automatically means
some packages are no longer available. I was using sslh to connect
though SSH and HTTPS on port 443.
As I was planning an Ansible Meetup about the Ansible Automation Platform (AAP, the successor of Ansible Tower) I was contemplating about a demo environment for the attendants. This can be done with ease as it it nothing more than clicky-di-click.
You can imagine that’s not the way I went :-). There is a simple rule in
life:
If you can automate it, automate it. The complete environment is
going to be a multipart environment, so that the attendants can
experiment and have an environment that slightly resembles real live.
When working for a customer I was installing an Ansible Automation Platform cluster and to keep track of all systems I decided to create a nice message of the day, of course with cowsay.
Something like this:
___________________________
< Member of the AAP Cluster > | Host name : thunderbolt
--------------------------- | Host alias : cn01
\ ^__^ | Function : Ansible AAP Control node
\ (oo)\_______ | Location : Amsterdam
(__)\ )\/\ | IP address : 192.168.63.194
||----w | | VMware name : EXDTONKE01
|| ||
Early this week a co-worker asked if it was possible to access the Ansible command-line in a playbook. It seems that is not the case, in a normal, clean Ansible environment.
But in the meantime I was creating a playbook that served multiple
purposes, stopping and starting services. These playbooks are completely
the same, except for the start and stop keywords. Of course I could
have solved that with a variabele, either hardcoded or as an extra
variable on the commandline. But, where is the fun in that :-)
During my stay at CfgMgmtCamp I
attended the presentation of Franziska Bühler (@bufrasch) titled Web
Application Firewall - Friend of your DevOps pipeline?. She talked
about Web Application Firewalls (WAF) and the Core Rule Set (CRS) for
owasp
Being into security and stuff like that myself, I decided I wanted to try to get the web application with ModSecurity up and running in my own test environment.
My test environment consists of a CentOS8 machine with NGINX and it turned out to be a little trickier than I thought.
In our work environment we have role-based access for passwords (of course). But as we deploy all systems with Ansible, we could end up that someone with only deploy permission ends up with access to all passwords. It’s obvious that we don’t want that, so I started checking in to Ansible’s ability to have multiple vault passwords.
Starting with Ansible 2.4 and above, vault IDs are supported.
Since Ansible version 2.5 there is a lot of discussion and confusion
about the loop syntax. There is also discussion if with_…: will be
replaced by loop: deprecating the with_… keywords. Even Ansibles
documentation is not clear about this.
Should I use loop: or with_…:, in fact nobody really knows. What
would the correct syntax be?
---
- name: Loops with with_ and lookup
hosts: localhost
connection: local
gather_facts: no
vars:
people:
- john
- paul
- mary
drinks:
- beer
- wine
- whisky
tasks:
- name: with nested
debug:
msg: "with_nested: item[0] is '{{ item[0] }}' and item[1] is '{{ item[1] }}'"
with_nested:
- "{{ people }}"
- "{{ drinks }}"
- name: nested and loop
debug:
msg: "nested_loop: item[0] is '{{ item[0] }}' and item[1] is '{{ item[1] }}'"
loop:
- "{{ people }}"
- "{{ drinks }}"I am a long time Ansible user and contributor (since 2012) and I have been struggling with a decent setup for a multi-environment case. I have been designing and re-designing a lot, until I came up with this design. And what a coincidence, a customer wanted a setup that was exactly this. So this concept is a real world setup, working in a production environment.
Did I get your attention? Read after the break, but take your time. it is a long read.
Some time ago I created a playbook to show the content of a rendered
template. When you keep digging in the Ansible documentation, you
suddenly stumble over the template lookup-plugin. And then it turns
out that my playbook is a bit clumsy.
A nicer and shorter way to do it:
---
#
# This playbook renders a template and shows the results
# Run this playbook with:
#
# ansible-playbook -e templ=<name of the template> template_test.yml
#
- hosts: localhost
become: false
connection: local
tasks:
- fail:
msg: "Bailing out. The play requires a template name (templ=...)"
when: templ is undefined
- name: show templating results
debug:
msg: "{{ lookup('template', templ) }}"
A couple of days ago a client asked me if I could solve the following problem:
[Read More]They have a large number of web servers, all running a plethora of PHP versions. These machines are locally managed with DirectAdmin, which manages the PHP configuration files as well. They are also running Ansible for all kind of configuration tasks. What they want is a simple playbook that ensures a certain line in all PHP
inifiles for all PHP versions on all webservers.
During my last Ansible training the students needed to create some Ansible templates for them selfs. As I do not want to run a testing template against some, or all, machines under Ansible control I created a small Ansible playbook to test templates.
This is the playbook:
---
#
# This playbook renders a template and shows the results
# Run this playbook with:
#
# ansible-playbook -e templ=<name of the template> template_test.yml
#
- hosts: localhost
become: false
connection: local
tasks:
- fail:
msg: "Bailing out. The play requires a template name (templ=...)"
when: templ is undefined
- name: do template
template:
src: "{{ templ }}"
dest: "/tmp/{{ templ }}"
- name: get template
command: cat "/tmp/{{ templ }}"
register: tmplt
- name: show template
debug:
msg: "{{ tmplt.stdout.split('\n') }}"
- name: remove template
file:
path: "/tmp/{{ templ }}"
state: absent
Yesterday I removed a simple package from my Fedora 23 machine and after that I got the message
error: Failed to initialize NSS library
WTF??????
Searching the interwebs I found out I wasn’t the first, and probably not the last, to run into this problem.
It seems that, one way or another, the DNF package doesn’t know about
the dependency it has on SQLite. So, when a package removal requests to
remove SQLite, DNF removes it without questions. Ans thus break itself.
This morning I was messing around with Docker and I wanted to build me a nice, clean container with Ubuntu in it, to test Ansible thingies. I’ve done that before and everything worked as a charm. Until today.
I have this Dockerfile (I’ve stripped it to the bare bones that still
fail):
FROM ubuntu:latest MAINTAINER Ton_Kersten RUN echo "deb http://archive.ubuntu.com/ubuntu precise main universe" > /etc/apt/sources.list RUN apt-get -y update RUN apt-get -y upgrade RUN apt-get -y install git git-flow RUN apt-add-repository -y ppa:mozillateam/firefox-next RUN apt-get install -y firefox
Last Saturday I attended Loadays in Antwerp, Belgium.
After listening to Jan Piet Mens’s talk about Ansible, I was up for it.
At 11:30 sharp, I started my own presentation for an almost packed room. It’s called Ansible, why and how I use it and you can find it on SpeackerDeck.
It was a lovely talk, with a very knowledgeable crowd.
Please, have a look at it and if you have any questions, let me know.
Today a colleague asked me to sync some files to a server that is not
listening on SSH port 22.
I normally create a configuration entry in my ~/.ssh/config file, like
Host tosync
Hostname syncer.example.com
Port 1234
User syncuser
and then command
rsync -va --progress --inplace . tosync:
But this time I didn’t want to create the entry in my SSH configuration,
because I need this trick in a script. So I started to read the rsync
manpage and after some experimenting I found
I often have to increase the size of a virtual disk on a virtual machine. But I always seem to forget how to do it. I guess I have done it over a 100 times and I cannot remember exactly how I did it. So this blog entry is to help people on how to do this and as a reminder to myself.
This example is done on a virtual machine with CentOS 6, but it can be
done on every Linux. And in the fdisk examples I have left out some of
the not to interesting lines.
Working with git a lot I decided I needed some git status in my
prompt.
I searched the web and some solutions where almost what I wanted and this one by Sebastian Celis came very close.
But it didn’t work with my version of zsh, because that didn’t seem to
understand the =~ operator.
I also think Sebastian makes things over complicated and so I changed some things aroud.
This is what I came up with:
When installing a minimal CentOS 6 system, minimal really, really means minimal. After a reboot the network interfaces do not start, so network connectivity is non existing.
Looking into that I noticed that the file
/etc/sysconfig/network-scripts/ifcfg-eth0 contained
DEVICE=eth0 HWADDR=11:22:33:44:55:66 NM_CONTROLLED=yes ONBOOT=no BOOTPROTO=dhcp TYPE=Ethernet USERCTL=no PEERDNS=yes IPV6INIT=no
The lines that mess things up are NM_CONTROLLED=yes meaning the
interfaces are managed with NetworkManager, which isn’t actually
installed as part of a minimal install. You want a minimal install, you
get a minimal install. And ONBOOT=no, meaning do not start the interface on boot.
How stupid is that!
It often happens that I get into a situation where I need to know key
codes of pressed keys. On my Mac that’s simple. Just use the Key Codes
by Many Tricks.
But on Linux I constantly was trying to find out which key produced what.
So I ended up writing a program for that. I started of in the shell, but that ended up being rather tricky and unnecessary complicated. So I redid the whole thing in C.
I’m creating a Puppet Starter Kit with some standard manifests
included and a complete set of documentation. All documentation should
be written in Markdown
and will be served by Markdoc. But I want to
generate all Markdown files from the Puppet manifests, so I only need to
document the manifest file. Generating the Markdown is not that
difficult, except that I kept ending up with empty lines at the top of
the manifest code and I wanted to get rid of those. Of course this
should be done with sed, because the whole generation process is
written in bash. When playing around with sed I found ~ sed
`/./,$!d' filename ~ which, I think, is genius in it’s simplicity.
After you find something, do not remove. Life in UNIX and Linux is nice!
When working with Puppet and a VCS (like git and SVN) it’s nice to
have a simple way of updating the Puppet tree.
My tree is always in /etc/puppet and owned by user and group
puppet. User puppet is allowed to checkout the complete tree from
git or subversion.
I have created two one-liners to update the complete tree and make sure all rights are still correct.
update_svn ~ \{.bash} #!/bin/bash # update_svn su - puppet -c `cd
/etc/puppet; svn up; cd doc; ../bin/gendoc' ~
I’m using Pygments for quite some time now and I just noticed there was a new version available (1.5). I installed that and I was wondering if there would be a lexer included for Puppet. Well, it wasn’t, but a short Google action directed me to the Pygments lexer for the Puppet DSL.
Of course my old CentOS 5 system with Python 2.6 doesn’t want to install this, so I hacked the Puppet lexer into Pygments.
Some posts ago I wrote that I was busy to find out how a FreeBSD machine can be PXE-ed from a Linux server. Well, I found that some time ago, but I didn’t have the time to type it here, yet. Well, as always, once you know how it’s done, it’s quite simple. But because a lot of the FreeBSD documentation is very old (talking about FreeBSD 4, 5 and 6) it takes some time to find it all.
In my previous post I stipulated that I was PXE booting FreeBSD. Well this works and I will come back on that. But for the configuration I want to run Puppet. Nice and easy config management.
On my server I run Puppet from source. This because the server is a CentOS box with a very old Ruby and Puppet. So I decided to run the Puppet client from source as well. Getting the git repo is easy enough and installing Puppet should not be to hard.