News items for tag computersarebetterat - Koos van den Hout

2013-08-09
I've been working on managing Linux systems with puppet for a while. Until now puppet was a tool to manage part of the configuration, with work still to be done by hand on each host. But the last two weeks I worked on a (test) webserver completely configured from puppet. With a complete separation of configuration (from puppet), input data (web content), output data (logging) and installed applications it is possible to reduce a webserver to a puppet recipe and an amount of storage. This means adding new webservers to a cluster or rebuilding systems in the cluster is easy. As a test I 'broke' the webserver (wiped the disk), reinstalled basic CentOS (nothing configured) and let puppet deliver a running webserver again, all within 15 minutes.

The new bit for me was using puppet templates to write CentOS ifcfg-ethX files and apache virtualhost configurations. Apache virtualhosts get a number of parameters (the hostname, aliases, directory index settings, needing php, needing ssl). I started with different templates for 'real' virtualhosts and 'special' virtualhosts, like a host which gives a 410 Gone error on all URLs, but I noticed the templates were still mostly the same, so now the type of virtualhost is also set using variables and one template has conditional parts depending on the type of virtualhost.

This does mean I'm learning bits of Ruby, Yet Another Scripting Language (for me).
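
As an added example (not code from the original post), here is the one-template-with-conditional-parts idea rendered in plain Ruby with ERB, the template engine puppet uses. The Vhost class stands in for the variables a puppet define would hand to the template, the :gone type, the certificate path and the document root are constructed stand-ins, and the Apache directives are kept minimal.

```ruby
require "erb"

# One ERB template for every virtualhost type; the conditional parts switch
# on the parameters instead of keeping a separate template per type.
VHOST_TEMPLATE = ERB.new(<<~'ERB', trim_mode: "-")
  <VirtualHost *:<%= @ssl ? 443 : 80 %>>
      ServerName <%= @hostname %>
  <%- unless @aliases.empty? -%>
      ServerAlias <%= @aliases.join(" ") %>
  <%- end -%>
  <%- if @ssl -%>
      SSLEngine on
      SSLCertificateFile /etc/pki/tls/certs/<%= @hostname %>.crt
  <%- end -%>
  <%- if @type == :gone -%>
      # 'special' vhost: every URL answers 410 Gone
      Redirect gone /
  <%- else -%>
      DocumentRoot /var/www/<%= @hostname %>
      <Directory /var/www/<%= @hostname %>>
          Options <%= @indexes ? "+Indexes" : "-Indexes" %>
      </Directory>
  <%-   if @php -%>
      AddHandler php5-script .php
  <%-   end -%>
  <%- end -%>
  </VirtualHost>
ERB

# Constructed stand-in for the parameters a puppet define passes to the template.
class Vhost
  def initialize(hostname:, aliases: [], type: :real, ssl: false, php: false, indexes: false)
    @hostname, @aliases, @type, @ssl, @php, @indexes =
      hostname, aliases, type, ssl, php, indexes
  end

  # Render the template with this object's instance variables in scope.
  def render
    VHOST_TEMPLATE.result(binding)
  end
end

if __FILE__ == $0
  puts Vhost.new(hostname: "www.example.org", aliases: ["example.org"], php: true).render
  puts Vhost.new(hostname: "old.example.org", type: :gone).render
end
```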

In general, using puppet makes it very easy to install/remove packages, add scripts, schedule tasks, configure the monitoring setup (zabbix) and do other 'checklist' items on each system in a consistent way, which in my opinion improves security and general quality.

2013-07-29
I use amanda for backups, all scheduled automatically, including automatically waking up and shutting down systems for backups, but I also want to keep the effort of putting in the right tape minimal. To eliminate waiting for the previous tape to rewind and eject I tried an extra check which ejects the tape when it's not the 'correct' tape.
$ amcheck -t kzdoos > /dev/null || mt -f /dev/nst0 eject 2>/dev/null
The amcheck command will exit with an error on the wrong tape, but also when there is no tape at all, so I need to ignore the errors from mt. The above command line now has a place in the crontab for the account the backups are run under.

2013-04-29
We like our Linux kernels chatty during boot, seeing stuff in the startup messages like
serial8250: ttyS0 at I/O 0x3f8 (irq = 4) is a 16550A
serial8250: ttyS1 at I/O 0x2f8 (irq = 3) is a 16550A
00:06: ttyS0 at I/O 0x3f8 (irq = 4) is a 16550A
00:07: ttyS1 at I/O 0x2f8 (irq = 3) is a 16550A
is perfectly fine with us. Defaults with several Linux distributions are going the other way. For CentOS we already disable the plymouth splash screen, but to disable more eye candy and get real kernel messages the options rhgb and quiet need to be removed from the kernel command line in the grub config. Option rhgb enables 'red hat graphic boot' and option quiet disables most kernel messages.

Via the Server Fault question "How do I set the default kernel parameters in CentOS for all existing and future kernels?" I found the right way. The next step was to turn this into a puppet recipe so this is done automatically:
class serverpackages::fixgrubconfig {
        exec { "Clean grub default options":
                path => "/sbin:/bin",
                # only run while a kernel entry still carries rhgb or quiet
                onlyif => 'egrep -c \'(rhgb|quiet)\' /boot/grub/grub.conf',
                command => '/usr/local/sbin/normalizegrubconfig',
                require => File["normalizegrubconfig"];
        }
        file { "normalizegrubconfig":
                path => '/usr/local/sbin/normalizegrubconfig',
                ensure => present,
                owner => 'root',
                group => 'root',
                mode => '0700',
                content => '#!/bin/sh
# reset grub config for all kernels
for KERNEL in /boot/vmlinuz-* ; do
        grubby --update-kernel="$KERNEL" --remove-args="rhgb quiet"
done
';
        }
}
Problem solved, yet another thing puppet adds to the baseline configuration. The upside of using grubby to manage this is that 'creating correct grub config files' is built into grubby.

2013-03-26
Interesting clash between the bind 9.8.2 package for CentOS 6.4 and puppet: when puppet updates /etc/named.conf the change is not visible in the chroot setup for named. The named startup script uses bind mounts to make configuration files visible within the chroot environment.
root@geodns01:~# mount | grep named.conf
/etc/named.conf on /var/named/chroot/etc/named.conf type none (rw,bind)
root@geodns01:~# md5sum /etc/named.conf /var/named/chroot/etc/named.conf
d028cfee6cf1a1f77993da7c769273ad  /etc/named.conf
82d1717bb34db23804f67ad855e090ea  /var/named/chroot/etc/named.conf
I first thought this was some form of caching, but someone suggested the cause was the way puppet replaces files: if puppet creates a new file and then renames the old one away and the new one into place, the path will have a different inode after that action. I tested for this:
root@geodns01:~# mkdir test
root@geodns01:~# touch file.conf
root@geodns01:~# touch /root/test/file.conf
root@geodns01:~# mount --bind file.conf /root/test/file.conf
root@geodns01:~# ls -il /root/file.conf /root/test/file.conf
652873 -rw-r--r-- 1 root root 0 Mar 26 19:20 /root/file.conf
652873 -rw-r--r-- 1 root root 0 Mar 26 19:20 /root/test/file.conf
root@geodns01:~# vim --cmd 'set backup' file.conf
root@geodns01:~# ls -li file.conf* test/file.conf
652876 -rw-r--r-- 1 root root 7 Mar 26 19:25 file.conf
652873 -rw-r--r-- 1 root root 0 Mar 26 19:20 file.conf~
652873 -rw-r--r-- 1 root root 0 Mar 26 19:20 test/file.conf
This confirms that replace-by-rename clashes with bind mounts, which are in fact tied to the inode rather than the path. The workaround isn't that hard: the startup script for named explicitly tests for an existing non-zero-byte /var/named/chroot/etc/named.conf and will skip the mount --bind part in that case. Time to teach puppet about this feature: puppet now manages both /etc/named.conf and /var/named/chroot/etc/named.conf.
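
The inode observation above can be reproduced without root or bind mounts; this is an added example in Ruby, not part of the original post. It replaces a file once by the rename step the post suspects puppet of and once by an in-place write, and reports whether the path's inode survived each; file names and contents are constructed.

```ruby
require "tmpdir"

# Replace a file the way editors with backups do: write a new file, then
# rename it over the old path. The path now refers to a different inode,
# so a bind mount of the old inode keeps showing the old content.
def replace_by_rename(path, content)
  tmp = "#{path}.new"
  File.write(tmp, content)
  File.rename(tmp, path)
  File.stat(path).ino
end

# Rewrite the existing file in place: same inode, new content, so a bind
# mount of that inode sees the change.
def update_in_place(path, content)
  File.open(path, "w") { |f| f.write(content) }
  File.stat(path).ino
end

# Run both strategies on a fresh file in a temporary directory and report
# whether the inode survived each one.
def inode_experiment
  Dir.mktmpdir do |dir|
    path = File.join(dir, "file.conf")   # constructed stand-in for named.conf
    File.write(path, "")
    original = File.stat(path).ino
    after_rename = replace_by_rename(path, "replaced\n")
    after_inplace = update_in_place(path, "rewritten\n")
    { rename_keeps_inode: after_rename == original,
      inplace_keeps_inode: after_inplace == after_rename }
  end
end

if __FILE__ == $0
  inode_experiment.each { |strategy, kept| puts "#{strategy}: #{kept}" }
end
```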

2013-01-02
GNU date can display different times than the current time, with the -d or --date parameter:
  -d, --date=STRING         display time described by STRING, not `now'
But with a bit of experimenting I found out I can use this for calculating times in other timezones too:
koos@greenblatt:~$ date --date=20:00\ UTC
Wed Jan  2 21:00:00 CET 2013
koos@greenblatt:~$ date --date=20:00\ US/Central
date: invalid date `20:00 US/Central'
koos@greenblatt:~$ date --date=20:00\ CST
Thu Jan  3 03:00:00 CET 2013
So you can use the short timezone name, but not the long version.

Or, for day calculations:
koos@greenblatt:~$ date --date="396 days"
Fri Feb 28 15:36:15 CET 2014

2012-12-18
I updated the zabbix ssl certificate test script to be able to use starttls services and made some other changes (tests work better in days left). The current version can also check for smtp tls and returns the certificate time left in days, which makes for easier checks:
#!/usr/bin/perl -w

# monitor the number of days left on the SSL certificate on a publicly
# reachable service
# usage in zabbix, create an item in a template
# - Type: External check
# - Key:  ssl-expiry-left.monitor[443]
#   change this for other services and use ssl-expiry-left.monitor[587,"-smtp"]
#   for smtp+tls. Yes, you will need to set up a separate item (/template)
#   for each ssl port combination
# - Type of information: Numeric (unsigned)
# - Data type: Decimal
# - Units: Days
# - Update interval (in sec): 43200
# - Application: SSL+service
# possible trigger values:
# 0: certificate already expired or invalid or not retrievable
# you can add tests for less than 30 or 60 days left

use strict;
use Date::Parse;

# extra openssl s_client options, e.g. STARTTLS for smtp
my $protoadd="";

if (defined $ARGV[2]){
        if ($ARGV[2] eq "-smtp"){
                $protoadd="-starttls smtp ";
        }
}

my ($host,$port) = ($ARGV[0],$ARGV[1]);

# the arguments end up on a shell command line: accept only a plain
# hostname/IPv4 address and a numeric port, otherwise report 0 (not retrievable)
unless (defined $host && defined $port && $host =~ /^[A-Za-z0-9.-]+$/ && $port =~ /^\d+$/){
        print "0\n";
        exit 0;
}

# fetch the certificate and print only its notAfter date
open(SSLINFO,"echo \"\" | openssl s_client -connect $host:$port $protoadd 2>/dev/null | openssl x509 -enddate -noout 2>/dev/null |") or die "cannot run openssl: $!";

my $expiry=0;

while (<SSLINFO>){
        if (/^notAfter=(.+)\n$/){
                # str2time returns undef on an unparseable date, treat that as 0
                $expiry=str2time($1) || 0;
        }
}
close(SSLINFO);

if ($expiry>0){
        my $daysleft=($expiry-time())/86400;
        printf "%d\n",$daysleft>=0?$daysleft:0;
} else {
        print "0\n";
}
Assumes a reasonably recent openssl.

And yes, this script has helped me avoid embarrassment over expired certificates.

2012-08-17
At my current work I am also introducing zabbix monitoring. I chose zabbix at my previous work because I like the approach: measure a lot of values and store those, and next you decide whether to draw graphs or run triggers based on those values. Monitoring, graphing and alerting in one system.

The installation of the zabbix agent got puppetized instantly. I found out the rpm from epel leaves a few things to fix, so puppet to the rescue to fix that on installation. By simply configuring those fixes to depend on the package and to notify the service, the start of the service is postponed until those fixes have been done and the agent starts correctly.

The firewall on the monitored machines still needs to be fixed by hand, which is still a problem. Bringing the firewall under puppet control would be great, but that is quite a project.

2012-08-13
At work I recently introduced puppet for automated system management, after hearing about it from people with very good experiences with it.

Slowly but surely we start to manage the first tasks with puppet: system accounts, ssh configuration, ntp configuration, package removal/addition, postfix configuration and other things we want configured to our standards on all machines. Puppet helps a lot in making configurations standard and making sure (complicated) configuration tasks have been done on every system.

The fact that we are currently setting up quite a number of new virtual machines helps: lots of room to start off with a 'puppetized' config.

Configuration choices can be made based on classes assigned to nodes, but also based on 'facts' derived from the machine itself. For example I install the package smartmontools on machines with real hardware; it doesn't make sense to install it in virtual machines. Or I can use a variable from a fact in a configuration, which is great if you want mail from machines to be readable when it's in a big mailbox. A sample from the logwatch config:
        file { 'logwatch.conf':
                path => '/etc/logwatch/conf/logwatch.conf',
                ensure => present,
                owner => 'root',
                group => 'root',
                mode => '0444',
                # $fqdn and $hostname are facts, interpolated into the file content
                content => "# This file is under puppet control
# Generated by $Id: logwatch.pp 67 2012-08-14 08:14:49Z XXXXX $
# Do not edit on this machine
MailFrom = Logwatch@$fqdn (Logwatch on $hostname)
",
                require => Package['logwatch'];
        }
And the logwatch mailfolder gets more readable.

[Image: puppetdashboard radiator view with colors denoting system states]
With more than a few machines to manage with puppet I like puppetdashboard to see whether all changes have been rolled out to all machines. The 'radiator view' gives a great visual hint whether you need to look at your puppet dashboard for more info or whether everything is fine, so we use that view on our system monitor screen. And puppetdashboard gives nice counters showing just how many configuration items you are controlling: the current count for our setup is 812 items already, and we're just getting started.

2012-03-01
Even gdm has the option to allow sessions via XDMCP over the network, but it is (rightfully) disabled by default. I used Xnest to debug an issue with gdm. The configuration (at least this bit) is in /etc/gdm/custom.conf:
And now I can debug some gdm settings with
$ Xnest :1 -query thompson
And see the results in an X session in an X session.

And I debugged the problem: the minimal uid needed to get an account listed in the gdm greeter is taken from /etc/login.defs. The documentation for gdm lists the MinimalUID option but this gdm (version from ubuntu 10.04.4 LTS) ignores that option.

2011-07-13
Trying to clear out an old e-mail archive (13215 messages) with the Thunderbird e-mail client (selecting all messages older than a month, pressing shift-delete) makes Thunderbird unresponsive for hours and in the end the mail is still not deleted.

Doing the same in the right place on the server with
# find . -type f -mtime +31 -print0 | xargs -0 rm
takes less than 30 seconds and Thunderbird rereads the folder fine.



My opinions are my own, what I write is protected by copyrights. Some publications contain an explicit license statement which allows sharing without asking permission.