The nginx webserver as HTTPS/SSL proxy

As CentOS 7 is getting to the end of its life, it’s time to start thinking about an upgrade. On my old server I tried LEAPP a couple of times (on a clone, of course), but success was not really guaranteed. So, a complete reinstall is in order. But, as I move from CentOS 7 to Rocky Linux 9, this automatically means some packages are no longer available. I was using sslh to connect through SSH and HTTPS on port 443. [Read More]

Ansible AWX demo environment

As I was planning an Ansible Meetup about the Ansible Automation Platform (AAP, the successor of Ansible Tower) I was contemplating a demo environment for the attendees. This can be done with ease, as it is nothing more than clicky-di-click.

You can imagine that’s not the way I went :-). There is a simple rule in life:
If you can automate it, automate it.

[Read More]

Let the Cow say moo

When working for a customer I was installing an Ansible Automation Platform cluster and to keep track of all systems I decided to create a nice message of the day, of course with cowsay.

[Read More]

Getting Ansible info into your playbook

Early this week a co-worker asked if it was possible to access the Ansible command line in a playbook. It seems that is not the case in a “normal”, clean Ansible environment. But in the meantime I was creating a playbook that served multiple purposes: stopping and starting services. These playbooks are completely the same, except for the start and stop keywords. Of course I could have solved that with a variable, either hardcoded or as an extra variable on the command line. [Read More]

Web Application Firewall and CRS

During my stay at CfgMgmtCamp I attended the presentation of Franziska Bühler (@bufrasch) titled “Web Application Firewall - Friend of your DevOps pipeline?”. She talked about Web Application Firewalls (WAF) and the OWASP Core Rule Set (CRS). Being into security and stuff like that myself, I decided I wanted to try to get the web application with ModSecurity up and running in my own test environment. My test environment consists of a CentOS 8 machine with NGINX, and it turned out to be a little trickier than I thought. [Read More]

Ansible with multiple vault IDs

In our work environment we have role-based access for passwords (of course). But as we deploy all systems with Ansible, we could end up with someone who only has deploy permission having access to all passwords. It’s obvious that we don’t want that, so I started looking into Ansible’s ability to have multiple vault passwords. Ansible Vault IDs: starting with Ansible 2.4 and above, vault IDs are supported. [Read More]

Ansible with loops or lookup

Since Ansible version 2.5 there is a lot of discussion and confusion about the loop syntax. There is also discussion about whether with_...: will be replaced by loop:, deprecating the with_... keywords. Even Ansible’s documentation is not clear about this.

[Read More]

Ansible: One Role to Rule them All

I am a long time Ansible user and contributor (since 2012) and I have been struggling with a decent setup for a multi-environment case. I have been designing and re-designing a lot, until I came up with this design. And what a coincidence, a customer wanted a setup that was exactly this. So this concept is a real world setup, working in a production environment. Did I get your attention? Read after the break, but take your time. [Read More]

Running it through Tattr (part 2)

Some time ago I created a playbook to show the content of a rendered template. When you keep digging in the Ansible documentation, you suddenly stumble over the template lookup plugin. And then it turns out that my playbook is a bit clumsy. A nicer and shorter way to do it:

---
#
# This playbook renders a template and shows the results
# Run this playbook with:
#
# ansible-playbook -e templ=<name of the template> template_test.

[Read More]

Ansible, loop in loop in loop in loop in loop

A couple of days ago a client asked me if I could solve the following problem: they have a large number of web servers, all running a plethora of PHP versions. These machines are locally managed with DirectAdmin, which manages the PHP configuration files as well. They are also running Ansible for all kinds of configuration tasks. What they want is a simple playbook that ensures a certain line in all PHP ini files for all PHP versions on all web servers. [Read More]

Did you run it through TAttr

During my last Ansible training the students needed to create some Ansible templates for themselves. As I do not want to run a testing template against some, or all, machines under Ansible control, I created a small Ansible playbook to test templates. This is the playbook:

---
#
# This playbook renders a template and shows the results
# Run this playbook with:
#
# ansible-playbook -e templ=<name of the template> template_test.

[Read More]

Stupid Fedora

Yesterday I removed a simple package from my Fedora 23 machine and after that I got the message “error: Failed to initialize NSS library”. WTF?????? Searching the interwebs I found out I wasn’t the first, and probably not the last, to run into this problem. It seems that, one way or another, the DNF package doesn’t know about the dependency it has on SQLite. So, when a package removal requests to remove SQLite, DNF removes it without questions. [Read More]

Docker panics

This morning I was messing around with Docker and I wanted to build me a nice, clean container with Ubuntu in it, to test Ansible thingies. I’ve done that before and everything worked like a charm. Until today. I have this Dockerfile (I’ve stripped it to the bare bones that still fail):

FROM ubuntu:latest
MAINTAINER Ton_Kersten
RUN echo "deb precise main universe" > /etc/apt/sources.list
RUN apt-get -y update
RUN apt-get -y upgrade
RUN apt-get -y install git git-flow
RUN apt-add-repository -y ppa:mozillateam/firefox-next
RUN apt-get install -y firefox

and when I run [Read More]

Ansible @ Loadays

Last Saturday I attended Loadays in Antwerp, Belgium. After listening to Jan Piet Mens’s talk about Ansible, I was up for it. At 11:30 sharp, I started my own presentation for an almost packed room. It’s called “Ansible, why and how I use it” and you can find it on SpeakerDeck. It was a lovely talk, with a very knowledgeable crowd. Please, have a look at it and if you have any questions, let me know. [Read More]

rsync on a non-standard port

Today a colleague asked me to sync some files to a server that is not listening on SSH port 22. I normally create a configuration entry in my ~/.ssh/config file, like

Host tosync
Hostname
Port 1234
User syncuser

and then the command

rsync -va --progress --inplace . tosync:

But this time I didn’t want to create the entry in my SSH configuration, because I need this trick in a script. So I started to read the rsync manpage and after some experimenting I found [Read More]

Resize a partition

I often have to increase the size of a virtual disk on a virtual machine. But I always seem to forget how to do it. I guess I have done it over 100 times and I cannot remember exactly how I did it. So this blog entry is to help people on how to do this and as a reminder to myself. This example is done on a virtual machine with CentOS 6, but it can be done on every Linux. [Read More]

git status in the prompt

Working with git a lot, I decided I needed some git status in my prompt. I searched the web and some solutions were almost what I wanted, and this one by Sebastian Celis came very close. But it didn’t work with my version of zsh, because that didn’t seem to understand the =~ operator. I also think Sebastian makes things overcomplicated and so I changed some things around. This is what I came up with: [Read More]

No network on CentOS 6

When installing a minimal CentOS 6 system, minimal really, really means minimal. After a reboot the network interfaces do not start, so network connectivity is non-existent. Looking into that I noticed that the file /etc/sysconfig/network-scripts/ifcfg-eth0 contained

DEVICE=eth0
HWADDR=11:22:33:44:55:66
NM_CONTROLLED=yes
ONBOOT=no
BOOTPROTO=dhcp
TYPE=Ethernet
USERCTL=no
PEERDNS=yes
IPV6INIT=no

The lines that mess things up are NM_CONTROLLED=yes, meaning the interfaces are managed with NetworkManager, which isn’t actually installed as part of a minimal install. [Read More]

Finding key codes on Linux

It often happens that I get into a situation where I need to know the key codes of pressed keys. On my Mac that’s simple: just use Key Codes by Many Tricks. But on Linux I was constantly trying to find out which key produced what. So I ended up writing a program for that. I started off in the shell, but that ended up being rather tricky and unnecessarily complicated. [Read More]

Shell tip

During one of my teaching sessions a student asked me if it was possible to find the number of spaces in a variable. As with all questions in Linux and UNIX the answer is a simple “Of course that’s possible. In UNIX and Linux everything is possible.” With some sed or awk this can be done within seconds. But I wanted it done completely within the shell, in this case bash. [Read More]

sed tips and tricks

I’m creating a Puppet Starter Kit with some standard manifests included and a complete set of documentation. All documentation should be written in Markdown and will be served by Markdoc. But I want to generate all Markdown files from the Puppet manifests, so I only need to document the manifest file. Generating the Markdown is not that difficult, except that I kept ending up with empty lines at the top of the manifest code, and I wanted to get rid of those. [Read More]

Fix a lot of rights

A customer called and wanted help with an error they made. The error was simple, they typed:

chmod -R 660 /

and now things broke. Of course things broke. If they would not break that would be very weird. Luckily they had a second server and a simple one-liner stole all the rights from this second server, and we could put these on the broken one. The one-liner:

find / -depth -printf 'chmod %m\t\t-- "%p"\nchown %u:%g\t-- "%p"\n' > rights.

[Read More]

Puppet updates

When working with Puppet and a VCS (like git and SVN) it’s nice to have a simple way of updating the Puppet tree. My tree is always in /etc/puppet and owned by user and group puppet. User puppet is allowed to check out the complete tree from git or subversion. I have created two one-liners to update the complete tree and make sure all rights are still correct.

update_svn

#!/bin/bash
# update_svn
su - puppet -c 'cd /etc/puppet; svn up; cd doc; .

[Read More]

Updated Pygments

I’m using Pygments for quite some time now and I just noticed there was a new version available (1.5). I installed that and I was wondering if there would be a lexer included for Puppet. Well, it wasn’t, but a short Google action directed me to the Pygments lexer for the Puppet DSL. Of course my old CentOS 5 system with Python 2.6 doesn’t want to install this, so I hacked the Puppet lexer into Pygments. [Read More]

Switching to tmux

Some time ago I was fighting my .screenrc again. I wanted to change the status line, but it was hardly possible to read and understand what I had typed barely half a year ago. The screen config file is not exactly poetry. While searching the web to find out how to change the status line I ran into tmux and I thought: “Let’s give it a try”. And after the very simple compile I started configuring it. [Read More]