Remove an organization from Git
Posted on August 23, 2024
| 1 minutes
| 171 words
| Ton Kersten
When I was busy with a late spring-cleaning, I thought it to be a good
idea to remove some old repositories from my Git server.
At home I am running Forgejo and when
I want to remove a complete organization, I need to click and type
a lot.
But Forgejo, just like Gitea, has a wonderful API, so why not use that??
I saw this at Justyns site and I
stole ^W borrowed this script.
[Read More]
The nginx webserver as HTTPS/SSL proxy
Posted on June 17, 2024
| 2 minutes
| 304 words
| Ton Kersten
As CentOS 7 is getting to the end of its life, it’s time to start
thinking about an upgrade.
On my old server I tried LEAPP a couple of times (on a clone, of
course), but success was not really guaranteed.
So, a complete reinstall is in order.
But, as I move from CentOS 7 to Rocky Linux 9, this automatically means
some packages are no longer available. I was using sslh to connect
through SSH and HTTPS on port 443.
[Read More]
Hashicorp Vault weirdness explained
Posted on December 25, 2023
| 2 minutes
| 422 words
| Ton Kersten
A couple of days ago we were debugging an Ansible AAP problem, when a
co-worker mentioned something weird in our Hashicorp Vault.
Nothing major, just weird.
He told me that sometimes and not with all entries he only could see the
JSON blob of the entry and the switch to go back to normal was greyed
out.
Searching GitHub it turned out that this is related to pull-request 4913
(https://github.com/hashicorp/vault/pull/4913), when an entry is not a
string, Vault switches to the display of the JSON blob. (Thanks Chris)
But, the main problem is, what is not a string??
[Read More]
Ansible AWX demo environment
Posted on May 9, 2023
| 11 minutes
| 2230 words
| Ton Kersten
As I was planning an Ansible Meetup about the Ansible Automation
Platform (AAP, the successor of Ansible Tower) I was contemplating
about a demo environment for the attendants. This can be done with ease
as it is nothing more than clicky-di-click.
You can imagine that’s not the way I went :-). There is a simple rule in
life:
If you can automate it, automate it. The complete environment is
going to be a multipart environment, so that the attendants can
experiment and have an environment that slightly resembles real life.
[Read More]
Let the Cow say moo
Posted on January 30, 2023
| 2 minutes
| 245 words
| Ton Kersten
When working for a customer I was installing an Ansible Automation
Platform cluster and to keep track of all systems I decided to create a
nice message of the day, of course with cowsay.
 ___________________________
< Member of the AAP Cluster >   |  Host name   : thunderbolt
 ---------------------------    |  Host alias  : cn01
        \   ^__^                |  Function    : Ansible AAP Control node
         \  (oo)\_______        |  Location    : Amsterdam
            (__)\       )\/\    |  IP address  : 192.168.63.194
                ||----w |       |  VMware name : EXDTONKE01
                ||     ||
[Read More]
Getting Ansible info into your playbook
Posted on November 24, 2021
| 3 minutes
| 513 words
| Ton Kersten
Early this week a co-worker asked if it was possible to access the
Ansible command-line in a playbook. It seems that is not the case, in a
normal, clean Ansible environment.
But in the meantime I was creating a playbook that served multiple
purposes, stopping and starting services. These playbooks are completely
the same, except for the start and stop keywords. Of course I could
have solved that with a variable, either hardcoded or as an extra
variable on the commandline. But, where is the fun in that :-)
[Read More]
Web Application Firewall and CRS
Posted on February 10, 2020
| 6 minutes
| 1142 words
| Ton Kersten
During my stay at CfgMgmtCamp I
attended the presentation of Franziska Bühler (@bufrasch) titled Web
Application Firewall - Friend of your DevOps pipeline?. She talked
about Web Application Firewalls (WAF) and the Core Rule Set (CRS) for
OWASP.
Being into security and stuff like that myself, I decided I wanted to
try to get the web application with ModSecurity up and running in my own
test environment.
My test environment consists of a CentOS8 machine with NGINX and it
turned out to be a little trickier than I thought.
[Read More]
Ansible with multiple vault ID's
Posted on July 22, 2019
| 3 minutes
| 629 words
| Ton Kersten
In our work environment we have role-based access for passwords (of
course). But as we deploy all systems with Ansible, we could end up that
someone with only deploy permission ends up with access to all
passwords. It’s obvious that we don’t want that, so I started checking
in to Ansible’s ability to have multiple vault passwords.
Ansible Vault IDs
Starting with Ansible 2.4 and above, vault IDs are supported.
[Read More]
Ansible with loops or lookup
Posted on February 23, 2019
| 4 minutes
| 648 words
| Ton Kersten
Since Ansible version 2.5 there is a lot of discussion and confusion
about the loop syntax. There is also discussion if with_…: will be
replaced by loop: deprecating the with_… keywords. Even Ansible’s
documentation is not clear about this.
Should I use loop: or with_…:, in fact nobody really knows. What
would the correct syntax be?
---
- name: Loops with with_ and lookup
  hosts: localhost
  connection: local
  gather_facts: no

  vars:
    people:
      - john
      - paul
      - mary
    drinks:
      - beer
      - wine
      - whisky

  tasks:
    - name: with nested
      debug:
        msg: "with_nested: item[0] is '{{ item[0] }}' and item[1] is '{{ item[1] }}'"
      with_nested:
        - "{{ people }}"
        - "{{ drinks }}"

    - name: nested and loop
      debug:
        msg: "nested_loop: item[0] is '{{ item[0] }}' and item[1] is '{{ item[1] }}'"
      loop:
        - "{{ people }}"
        - "{{ drinks }}"
[Read More]
Ansible: One Role to Rule them All
Posted on February 7, 2019
| 4 minutes
| 759 words
| Ton Kersten
I am a long time Ansible user and contributor
(since 2012) and I have been struggling with a decent setup for a
multi-environment case. I have been designing and re-designing a lot,
until I came up with this design. And what a coincidence, a customer
wanted a setup that was exactly this. So this concept is a real world
setup, working in a production environment.
Did I get your attention? Read after the break, but take your time. It
is a long read.
[Read More]
Running it through Tattr (part 2)
Posted on August 8, 2018
| 1 minutes
| 112 words
| Ton Kersten
Some time ago I created a playbook to show the content of a rendered
template. When you keep digging in the Ansible documentation, you
suddenly stumble over the template lookup-plugin. And then it turns
out that my playbook is a bit clumsy.
A nicer and shorter way to do it:
---
#
# This playbook renders a template and shows the results
# Run this playbook with:
#
#   ansible-playbook -e templ=<name of the template> template_test.yml
#
- hosts: localhost
  become: false
  connection: local

  tasks:
    - fail:
        msg: "Bailing out. The play requires a template name (templ=...)"
      when: templ is undefined

    - name: show templating results
      debug:
        msg: "{{ lookup('template', templ) }}"
[Read More]
Ansible, loop in loop in loop in loop in loop
Posted on June 8, 2018
| 1 minutes
| 204 words
| Ton Kersten
A couple of days ago a client asked me if I could solve the following
problem:
They have a large number of web servers, all running a plethora of PHP
versions. These machines are locally managed with DirectAdmin, which
manages the PHP configuration files as well. They are also running
Ansible for all kinds of configuration tasks. What they want is a simple
playbook that ensures a certain line in all PHP ini files for all PHP
versions on all webservers.
[Read More]
Ditched Disqus
Posted on May 31, 2018
| 1 minutes
| 80 words
| Ton Kersten
As the new GDPR finds its way all over Europe I decided to have a closer
look at my website. I have been using the Disqus comment system for some
time now, but hardly ever someone really takes the time to comment.
As the Disqus system uses a lot of JavaScript and cookies, I decided it
was time to get rid of these tools and make my site fly, again.
[Read More]
Did you run it through TAttr
Posted on August 15, 2017
| 1 minutes
| 184 words
| Ton Kersten
During my last Ansible training the students needed to create some
Ansible templates for themselves. As I do not want to run a testing
template against some, or all, machines under Ansible control I created
a small Ansible playbook to test templates.
---
#
# This playbook renders a template and shows the results
# Run this playbook with:
#
#   ansible-playbook -e templ=<name of the template> template_test.yml
#
- hosts: localhost
  become: false
  connection: local

  tasks:
    - fail:
        msg: "Bailing out. The play requires a template name (templ=...)"
      when: templ is undefined

    - name: do template
      template:
        src: "{{ templ }}"
        dest: "/tmp/{{ templ }}"

    - name: get template
      command: cat "/tmp/{{ templ }}"
      register: tmplt

    - name: show template
      debug:
        msg: "{{ tmplt.stdout.split('\n') }}"

    - name: remove template
      file:
        path: "/tmp/{{ templ }}"
        state: absent
[Read More]
Stupid Fedora
Posted on May 26, 2016
| 1 minutes
| 201 words
| Ton Kersten
Yesterday I removed a simple package from my Fedora 23 machine and after
that I got the message
error: Failed to initialize NSS library
Searching the interwebs I found out I wasn’t the first, and probably not
the last, to run into this problem.
It seems that, one way or another, the DNF package doesn’t know about
the dependency it has on SQLite. So, when a package removal requests to
remove SQLite, DNF removes it without questions. And thus breaks itself.
[Read More]
Building an Ergodox
Posted on March 3, 2015
| 2 minutes
| 270 words
| Ton Kersten
After a lot of thought I decided it was time for a new project, one I
would enjoy and a project that would be useful for a long time.
Searching the web and reading articles I found the ErgoDox.
The ErgoDox is a split-hand ergonomic keyboard with
mechanical switches and open source, layer-based firmware running on a
Teensy microcontroller. While other keyboards offer dip-switches or GUI
config tools, the firmware and layouts can be built from source on the
command line or through a layout configuration tool. Flashing a new
build onto the ErgoDox is easy with the multi-platform Teensy loader.
[Read More]
Stable Internet
Posted on October 1, 2014
| 1 minutes
| 122 words
| Ton Kersten
My stable internet connection
For a couple of years now I’ve been running a fiber connection to the Internet,
supplied by XMS-Net.
I also have an Atlas probe to do some internet measurements for RIPE.
Today I got a status email from RIPE with the connection status of last
month. I guess I can say I have a stable internet connection. ;-)
This is your monthly availability report for probe xxxx (TonKs Atlas).
Calculation interval : 2014-09-01 00:00:00 - 2014-10-01 00:00:00
Total Connected Time : 30d 00:00
Total Disconnected Time : 0d 00:00
Total Availability : 100.00%
+---------------------+---------------------+------------+--------------+
| Connected (UTC) | Disconnected (UTC) | Connected | Disconnected |
|---------------------+---------------------+------------+--------------+
| 2014-08-26 07:09:17 | Still up | 30d 00:00 | 0d 00:00 |
+---------------------+---------------------+------------+--------------+
[Read More]
Puppet environments
Posted on May 26, 2014
| 4 minutes
| 684 words
| Ton Kersten
For my job I do a lot of Puppet and I thought it was about time to write
some tips and tricks down.
First part of this post is about my environment setup. In my test setup
I use a lot of environments. They are not at all useful, but that’s not
the point. It’s my lab environment so things need to break once in a
while. But with multiple environments Puppetlabs says that you should
switch to directory environments (PuppetDoc)
but some way or another I cannot get that to work in a good way with my
PE version (3.4.3 (Puppet Enterprise 3.2.3)). So I started
implementing dynamic environments, which is a simple way of specifying
the directories for your environments.
[Read More]
Docker panics
Posted on April 14, 2014
| 1 minutes
| 154 words
| Ton Kersten
This morning I was messing around with Docker and
I wanted to build me a nice, clean container with Ubuntu in it, to test
Ansible thingies. I’ve done that before and everything worked as a
charm. Until today.
I have this Dockerfile (I’ve stripped it to the bare bones that still
fail):
FROM ubuntu:latest
MAINTAINER Ton_Kersten
RUN echo "deb http://archive.ubuntu.com/ubuntu precise main universe" > /etc/apt/sources.list
RUN apt-get -y update
RUN apt-get -y upgrade
RUN apt-get -y install git git-flow
RUN apt-add-repository -y ppa:mozillateam/firefox-next
RUN apt-get install -y firefox
[Read More]
Ansible @ Loadays
Posted on April 5, 2014
| 1 minutes
| 132 words
| Ton Kersten
Last Saturday I attended Loadays in Antwerp,
Belgium.
After listening to Jan Piet Mens’s talk about Ansible, I was up for it.
At 11:30 sharp, I started my own presentation for an almost packed room.
It’s called Ansible, why and how I use it and you can find it on
SpeakerDeck.
It was a lovely talk, with a very knowledgeable crowd.
Please, have a look at it and if you have any questions, let me know.
[Read More]
Ansible @ CfgMgmtCamp
Posted on February 5, 2014
| 1 minutes
| 173 words
| Ton Kersten
Last couple of days I attended Configuration
Management Camp in Ghent, Belgium. On Monday morning we started off with
presentations of Mark Burgess (CFEngine), Luke Kanies (Puppet) and Adam
Jacob (Chef). Good talks about the future of things.
After lunch it got nerdy and I joined the Ansible room, to see how
things went and at 17:00 I started my own presentation for a completely
packed room. It’s called `Ansible, why and how I use it' and you can
find it on
SpeakerDeck.
[Read More]
LPI Certification
Posted on August 15, 2013
| 1 minutes
| 58 words
| Ton Kersten
It’s been a while since the last post, but I’ve been very, very busy.
And in the meantime I also found some time to take the LPI-102 exam.
This resulted in a Pass and now I’m officially LPI1 certified.
Well, let’s see what’s next. Puppet exam, Ansible training, LPI2, Python
………
So much to learn, so little time.
Puppet Facter Fact
Posted on July 8, 2013
| 1 minutes
| 181 words
| Ton Kersten
Look at me, I made a Puppet Facter Fact!!!
With a lot of thanks to Andrew
Beresford who started the initial code. I just tweaked it.
What it does is rather simple, it finds the expiration date of the SSL
certificate of this host and returns the expiration date and time when
there are less than 30 days left. Otherwise it just returns a '-' sign.
In the Puppet manifest I check if it’s this '-' sign and if not I
generate a warning.
[Read More]
Ansible Day in Antwerp
Posted on June 29, 2013
| 2 minutes
| 287 words
| Ton Kersten
Today I’m attending the first full day
Ansible configuration meeting. This meeting
is in Antwerp, Belgium, a drive of almost 2 hours. Thanks to Multi Mho
(Maurice Verheesen) I didn’t need to drive, he wanted to try out his
nice, new car. It drives perfectly and we arrived about 30 minutes
early.
For a first meeting of a new tool there were a lot of attendants,
amongst others (and I don’t want to forget anybody, so I won’t even try
to give a complete list), but below are the people I think that were
there.
[Read More]
Puppet User Group
Posted on April 7, 2013
| 1 minutes
| 52 words
| Ton Kersten
Yesterday I attended the first meet up of the Dutch Puppet User
Group and I gave a talk about how to start with Puppet.
It was called: Puppet deployment, an introduction and the PDF
slideshow can be viewed or downloaded from
speakerdeck.
If you have any comment, please send me an email.