Tag: system-administrator

New Ansible Role uploaded to Ansible Galaxy

2015/01/30 No Comments

Reading time: 3 – 5 minutes

A long time ago I wrote an entry post about how to set up the SMTP in linux boxes using a relay system you can find the post here: Relay mail from your server without MTA. Remember that SSMTP is not a SMTP service for your system but it’s more than enough for all servers that don’t work as a mail servers. Historically Unix/Linux uses sendmail command to send system notifications but usually this mails are lost because system configurations are not completed. My advice in this sense is use SSMTP.

In the past I used to use SSMTP with a GMail account but security constraints in Google mail services make it difficult to configure today. The new alternative is set up a free Mandrill account as a relay host. Mandrill is a Mailchimp service that allows you to send a lot of emails without problems and there is a free account that allows to send up to 12.000 mails per month free, more than enough usually. If you don’t know how to set up a Mailchimp account the best option to learn how to do it is follow the support documentation it’s very good IMHO.

When you have a lot of linux machines to administer you need something fastly replicable. As you know use Ansible is a very good option. Then I developed a new Ansible role to set up Mandrill accounts to SSMTP services massively using Ansible.

The Ansible role has been uploaded here: ssmtp-mandrill and the source code of the roles is in my github. Remember to install the role in your Ansible is easy:

ansible-galaxy install oriol.rius.ssmtp-mandrill

Then you only need to create your own playbook using the role and don’t forget to setup the variables with the Mandrill account settings.

Ansible and Windows Playbooks

2015/01/29 No Comments

Reading time: 33 – 54 minutes

Firstly let me introduce a Windows service called: “Windows Remote Manager” or “WinRM”. This is the Windows feature that allows remote control of Windows machines and many other remote functionalities. In my case I have a Windows 7 laptop with SP1 and PowerShell v3 installed.

Secondly don’t forget that Ansible is developed using Python then a Python library have to manage the WinRM protocol. I’m talking about “pywinrm“. Using this library it’s easy to create simple scripts like that:

#!/usr/bin/env python

import winrm

s = winrm.Session('10.2.0.42', auth=('the_username', 'the_password'))
r = s.run_cmd('ipconfig', ['/all'])
print r.status_code
print r.std_out
print r.std_err

This is a remote call to the command “ipconfig /all” to see the Windows machine network configuration. The output is something like:

$ ./winrm_ipconfig.py 
0

Windows IP Configuration

   Host Name . . . . . . . . . . . . : mini7w
   Primary Dns Suffix  . . . . . . . : 
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : ymbi.net

Ethernet adapter GigaBit + HUB USB:

   Connection-specific DNS Suffix  . : ymbi.net
   Description . . . . . . . . . . . : ASIX AX88179 USB 3.0 to Gigabit Ethernet Adapter
   Physical Address. . . . . . . . . : 00-23-56-1C-XX-XX
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::47e:c2c:8c25:xxxx%103(Preferred) 
   IPv4 Address. . . . . . . . . . . : 10.2.0.42(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.255.192
   Lease Obtained. . . . . . . . . . : mi�rcoles, 28 de enero de 2015 12:41:41
   Lease Expires . . . . . . . . . . : mi�rcoles, 28 de enero de 2015 19:17:56
   Default Gateway . . . . . . . . . : 10.2.0.1
   DHCP Server . . . . . . . . . . . : 10.2.0.1
   DHCPv6 IAID . . . . . . . . . . . : 2063606614
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-15-F7-BF-36-xx-C5-xx-03-xx-xx
   DNS Servers . . . . . . . . . . . : 10.2.0.27
                                       10.2.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
...

Of course, it’s possible to run Powershell scripts like the next one which shows the system memory:

$strComputer = $Host
Clear
$RAM = WmiObject Win32_ComputerSystem
$MB = 1048576

"Installed Memory: " + [int]($RAM.TotalPhysicalMemory /$MB) + " MB"

The Python code to run that script is:

#!/usr/bin/env python

import winrm

ps_script = open('scripts/mem.ps1','r').read()
s = winrm.Session('10.2.0.42', auth=('the_username', 'the_password'))
r = s.run_ps(ps_script)
print r.status_code
print r.std_out
print r.std_err

and the output:

$ ./winrm_mem.py 
0
Installed Memory: 2217 MB

In the end it’s time to talk about how to create an Ansible Playbook to deploy anything in a Windows machine. As always the first thing that we need is a hosts file. In the next example there are several ansible variables needed to run Ansible Windows modules on WinRM, all of them are self-explanatory:

[all]
10.2.0.42

[all:vars]

ansible_ssh_user=the_username ansible_ssh_pass=the_password ansible_ssh_port=5985 #winrm (non-ssl) port ansible_connection=winrm

The first basic example could be a simple playbook that runs the ‘ipconfig’ command and registers the output in an Ansible variable to be showed later like a debug information:

- name: test raw module
  hosts: all
  tasks:
    - name: run ipconfig
      raw: ipconfig
      register: ipconfig
    - debug: var=ipconfig

The command and the output to run latest example:

$ ansible-playbook -i hosts ipconfig.yml 

PLAY [test raw module] ******************************************************** 

GATHERING FACTS *************************************************************** 
ok: [10.2.0.42]

TASK: [run ipconfig] ********************************************************** 
ok: [10.2.0.42]

TASK: [debug var=ipconfig] **************************************************** 
ok: [10.2.0.42] => {
    "ipconfig": {
        "invocation": {
            "module_args": "ipconfig", 
            "module_name": "raw"
        }, 
        "rc": 0, 
        "stderr": "", 
        "stdout": "\r\nWindows IP Configuration\r\n\r\n\r\nEthernet adapter GigaBit 
...
        ]
    }
}

PLAY RECAP ******************************************************************** 
10.2.0.42                  : ok=3    changed=0    unreachable=0    failed=0

As always Ansible have several modules, not only the ‘raw’ module. I committed two examples in my Github account using a module to download URLs and another one that runs Powershell scripts.

My examples are done using Ansible 1.8.2 installed in a Fedora 20. But main problems I’ve found are configuring Windows 7 to accept WinRM connections. Next I attach some references that helped me a lot:

pywinrm Github project notes., easy to trace errors than Ansible.
Ansible notes about Windows.
How to enable WinRM via Group Policy by Alan Burchill

If you want to use my tests code you can connect to my Github: Basic Ansible playbooks for Windows.

Using Ansible like library programming in Python

2015/01/21 7 Comments

Reading time: 22 – 36 minutes

Ansible is a very powerful tool. Using playbooks, something like a cookbook, is very easy to automate maintenance tasks of systems. I used Puppet and other tools like that but IMHO Ansible is the best one.

In some cases you need to manage dynamic systems and take into advantage of Ansible like a Python library is a very good complement for your scripts. This is my last requirement and because of that I decided to share some simple Python snippets that help you to understand how to use Ansible as a Python library.

Firstly an example about how to call an Ansible module with just one host in the inventory (test_modules.py):

#!/usr/bin/python 
import ansible.runner
import ansible.playbook
import ansible.inventory
from ansible import callbacks
from ansible import utils
import json

# the fastest way to set up the inventory

# hosts list
hosts = ["10.11.12.66"]
# set up the inventory, if no group is defined then 'all' group is used by default
example_inventory = ansible.inventory.Inventory(hosts)

pm = ansible.runner.Runner(
    module_name = 'command',
    module_args = 'uname -a',
    timeout = 5,
    inventory = example_inventory,
    subset = 'all' # name of the hosts group 
    )

out = pm.run()

print json.dumps(out, sort_keys=True, indent=4, separators=(',', ': '))

As a second example, we’re going to use a simple Ansible Playbook with that code (test.yml):

- hosts: sample_group_name
  tasks:
    - name: just an uname
      command: uname -a

The Python code which uses that playbook is (test_playbook.py):

#!/usr/bin/python 
import ansible.runner
import ansible.playbook
import ansible.inventory
from ansible import callbacks
from ansible import utils
import json

### setting up the inventory

## first of all, set up a host (or more)
example_host = ansible.inventory.host.Host(
    name = '10.11.12.66',
    port = 22
    )
# with its variables to modify the playbook
example_host.set_variable( 'var', 'foo')

## secondly set up the group where the host(s) has to be added
example_group = ansible.inventory.group.Group(
    name = 'sample_group_name'
    )
example_group.add_host(example_host)

## the last step is set up the invetory itself
example_inventory = ansible.inventory.Inventory()
example_inventory.add_group(example_group)
example_inventory.subset('sample_group_name')

# setting callbacks
stats = callbacks.AggregateStats()
playbook_cb = callbacks.PlaybookCallbacks(verbose=utils.VERBOSITY)
runner_cb = callbacks.PlaybookRunnerCallbacks(stats, verbose=utils.VERBOSITY)

# creating the playbook instance to run, based on "test.yml" file
pb = ansible.playbook.PlayBook(
    playbook = "test.yml",
    stats = stats,
    callbacks = playbook_cb,
    runner_callbacks = runner_cb,
    inventory = example_inventory,
    check=True
    )

# running the playbook
pr = pb.run()  

# print the summary of results for each host
print json.dumps(pr, sort_keys=True, indent=4, separators=(',', ': '))

If you want to download example files you can go to my github account: github.com/oriolrius/programming-ansible-basics

I hope it was useful for you.

OpenAM: some ssoadm commands for reference

2014/10/21 No Comments

Reading time: 18 – 29 minutes

OpenAM is as much powerful as complicated sometimes. In this case I spent a lot of time understanding how to set simple settings because of that I decide to take note about that in this blog entry.

First of all don’t forget to set the environment variables and go to ssoadm path:

export JAVA_HOME="/usr/lib/jvm/java-6-openjdk-amd64/jre"
export CLASSPATH="/var/lib/tomcat7/webapps/openam/WEB-INF/lib/policy-plugins.jar::/var/lib/tomcat7/webapps/openam/WEB-INF/lib/openam-core-11.0.0.jar"

cd /opt/openam/ssoadmin/openam/bin

Getting the list of user identities:

./ssoadm list-identities -u amadmin -f /tmp/oam.pwd -e / -t User -x "*"

anonymous (id=anonymous,ou=user,dc=openam)
demo (id=demo,ou=user,dc=openam)
serviceusername (id=serviceusername,ou=user,dc=openam)
amAdmin (id=amAdmin,ou=user,dc=openam)
Search of Identities of type User in realm, / succeeded.

another useful query would be:

./ssoadm list-identities -u amadmin -f /tmp/oam.pwd -e / -t Role -x "*"

No plug-ins configured for this operation

But as you can see it doesn’t work and I don’t know how to solve it.

Taking a look to GUI get to identities list with: Access Control > / (Top Level Realm) > Privileges

In this webpage you have a list of role identities, in my case I have only this: “All Authenticated Users”. Inside this identity I can set different privileges:

REST calls for Policy Evaluation (EntitlementRestAccess)
Read and write access to all log files (LogAdmin)
REST calls for searching entitlements (PrivilegeRestReadAccess)
Read access to all log files (LogRead)
Read and write access to all federation metadata configurations (FederationAdmin)
Read and write access only for policy properties (PolicyAdmin)
Read and write access to all configured Agents (AgentAdmin)
Read and write access to all realm and policy properties (RealmAdmin)
REST calls for managing entitlements (PrivilegeRestAccess)
Write access to all log files (LogWrite)

If we want to remove a privilege:

root@vm:/opt/openam/ssoadmin/openam/bin# ./ssoadm remove-privileges -u amAdmin -f /tmp/oam.pwd -e / -g EntitlementRestAccess -i "All Authenticated Users" -t role

Privileges were removed from identity, All Authenticated Users of type, role in realm, /.

or adding a privilege:

root@vm:/opt/openam/ssoadmin/openam/bin# ./ssoadm add-privileges -u amAdmin -f /tmp/oam.pwd -e / -g EntitlementRestAccess -i "All Authenticated Users" -t role

Talking about policies, exporting:

./ssoadm list-policies -u amadmin -f /tmp/oam.pwd -e / -o /tmp/policies.xml

and if we want to import the policies:

./ssoadm create-policies -u amAdmin -f /tmp/oam.pwd -e / --xmlfile /tmp/policies.xml

creating a user:

./ssoadm create-identity -u amadmin -f /tmp/oam.pwd  -e / -i serviceusername -t User --attributevalues "userpassword=servicepassword"

Useful references:

sslsnoop – hacking OpenSSH

2014/07/08 No Comments

Reading time: 3 – 5 minutes

Using sslsnoop you can dump SSH keys used in a session and decode ciphered traffic. Supported algorithms are: aes128-ctr, aes192-ctr, aes256-ctr, blowfish-cbc, cast128-cbc.

Basic sslsnoop information:

 $ sudo sslsnoop # try ssh, sshd and ssh-agent... for various things
 $ sudo sslsnoop-openssh live `pgrep ssh` # dumps SSH decrypted traffic in outputs/
 $ sudo sslsnoop-openssh offline --help # dumps SSH decrypted traffic in outputs/ from a pcap file
 $ sudo sslsnoop-openssl `pgrep ssh-agent` # dumps RSA and DSA keys

Take a look into the project in sslsnoop github page.

Enabling linux kernel to open LOTS of concurrent connections

2014/06/30 No Comments

Reading time: 14 – 22 minutes

Just a small recipe about how to enable linux kernel to open tons of concurrent connections. Really simple and useful post entry.

<span style="font-style: italic; color: #656565;">echo “10152 65535″ > /proc/sys/net/ipv4/ip_local_port_range</span><br style="font-style: italic; color: #656565;"><span style="font-style: italic; color: #656565;">sysctl -w fs.file-max=128000</span><br style="font-style: italic; color: #656565;"><span style="font-style: italic; color: #656565;">sysctl -w net.ipv4.tcp_keepalive_time=300</span><br style="font-style: italic; color: #656565;"><span style="font-style: italic; color: #656565;">sysctl -w net.core.somaxconn=250000</span><br style="font-style: italic; color: #656565;"><span style="font-style: italic; color: #656565;">sysctl -w net.ipv4.tcp_max_syn_backlog=2500</span><br style="font-style: italic; color: #656565;"><span style="font-style: italic; color: #656565;">sysctl -w net.core.netdev_max_backlog=2500</span><br style="font-style: italic; color: #656565;"><span style="font-style: italic; color: #656565;">ulimit -n 10240</span>

timegrep: Very useful grep tool

2012/12/21 No Comments

Reading time: < 1 minute Specially when you have to look up inside Postfix logs or Syslog in general it could be the swiss knife tool you need: timegrep.

You have to know that the tool is developed using Python. And is very easy to upgrade or fork the code.

ssh-copy-id

2012/03/11 No Comments

Reading time: < 1 minute Really useful command of ssh package to add public key of your user account to a remote SSH server and then access there with passwordless authentication method. ssh-copy-id [-i [identity_file]] [user@]machine In the past I wrote a simple cookbook to explain this process but now this is as simple as possible. Don't forget ssh-copy-id is the most easy way to add your ssh public key in remote servers.

Getting help to configure spamassassin.conf

2012/03/08 No Comments

Reading time: 2 – 3 minutes

Configure spamassassin is never easy to do. But when you look for information in Google usually you will be mad . The most common help method in linux is use ‘man command’ but it doesn’t work or information is not enough usually.

After a lucky search I found this command to get an extended information about how to configure spamassassin.conf file.

perldoc Mail::SpamAssassin::Conf

CLI de Xen

2011/11/18 No Comments

Reading time: 14 – 23 minutes

Aquesta setmana he tingut un expedient X’s amb el servidor d’oriolrius.cat que tinc virtualitzat en un servidor de Xen. La qüestió és que segons Xen la màquina estava corrent normal però encanvi no podia accedir ni a la consola ni enlloc. Ja que la màquina no estava a la llista de processesos del sistema. Així doncs, després de més d’1any he hagut d’aprendre alguna comanda de Xen CLI per poder solucionar el problema.

Per obtenir la llista de màquines virtuals que té el sistema:

xe vm-list

amb aquesta comanda podem obtenir el uuid, aquest identificador ens serà útil per poder forçar la màquina perquè es pari. Això ho podem fer així:

xe vm-reset-powerstate uuid=XXXXXXXXXXXXXXX force=true

En cas de que la comandi falli, per exemple, amb un error de:

The operation could not be performed because a domain still exists for the specified VM.                                                               
vm: XXXXXXXXXXXXXXX (nom_servidor)
domid: 1

Llavors podem eliminar el domini que ens causa problemes així:

/opt/xensource/debug/destroy_domain -domid 1

Si la comanda no retorna error vol dir que hem pogut eliminar el domini i ja podem tornar a executar la comanda xe vm-reset-powerstate.

Gràcies a això he pogut fer-li entendre al Xen server que la màquina estava parada i des de la GUI he tornat a iniciar la màquina sense problemes. En el meu cas aquesta anomalia s’havia donat degut a que el sistema s’havia quedat sense memòria, o sigui, que entenc que hi hauria alguna part del hypervisor que tindria leaks de memòria.