New year, new configuration management…

Happy new year to all readers of devopsrecipes.info 🙂

A few days ago, taking advantage of the apparent calm at work that is typical of the Christmas holidays, I decided to study Go (https://golang.org/).

Very cool, but above all, using pointers took me back in time to when I was heavily "tinkering" in C.

What came out of it, among a few programs full of meaningless "foo" and "foobar", was Congruit. A new configuration management tool written in Go, but which operates mostly in Bash…

Link to the GitHub repo


Naturally it is very minimal, but it has a certain "Bash" feel that gives it a strong sysadmin flavour.

Let's say that from a DevOps point of view it is a bit more Ops. Pull requests to the repo are welcome 😉

Regards


Install Chef Server on SUSE Linux Enterprise 11

Hi Folks!

Today I dealt with a problem… and I found a solution because Chef is a great tool!

At the moment there is no RPM for SUSE Linux available from the official website, but this does not matter 🙂

Problem: install Chef Server, ChefDK and Chef Manage on a SUSE Linux Enterprise 11 virtual machine without installing the RPM packages built for RHEL systems.


This is what you can do:

  1. Download the following packages:
    • chef-server-core-12.8.0-1.el6.x86_64.rpm
    • chefdk-0.16.28-1.el6.x86_64.rpm
    • chef-manage-2.4.1-1.el6.x86_64.rpm
  2. Extract the contents of each RPM (without installing it) with:
    • rpm2cpio chef-manage-2.4.1-1.el6.x86_64.rpm | cpio -idmv
  3. Move the extracted content to the correct folders: /opt/{chef,chef-manage,opscode}
  4. Set PATH="/opt/opscode/bin:/opt/chefdk/bin/:/data/opt/chef-manage/bin:$PATH" in your login profile script
  5. Run chef-server-ctl reconfigure
  6. Run chef-manage-ctl reconfigure
  7. Run chef-server-ctl reconfigure again

In the end all services are up and running


and my workstation too 🙂

Autoscaling with EC2 and Chef

Dear all,

It has been a long time since my last post and here I am with a new one, just to keep track of my current study case…

I would like to put in place an auto-scaling mechanism for my lab platform.

Currently I have one HAProxy load balancer with 2 backends. I will perform a stress test on my front-end with JMeter and automatically create a virtual machine joined to my Chef infrastructure in order to increase resources.

In this post I will describe just how to set up an initial configuration of an autoscaling group + Chef (today it is Friday… on Monday I will do the rest 😉).

Let's start with the needed components:

  1. a Chef server
  2. one HAProxy load balancer
  3. two Tomcat backends

Now let's try the script for the unattended bootstrap. This script adds a new node under the Chef server. I tried it on a simple local virtual machine, a CentOS 7 running in VirtualBox.

# Create the chef-client configuration directory if it does not exist yet
[ ! -e /etc/chef ] && mkdir /etc/chef

# Validation key of the organization: used once, to register the new node with the Chef server
cat <<EOF > /etc/chef/validation.pem
-----BEGIN RSA PRIVATE KEY-----
your super secret private key :)
-----END RSA PRIVATE KEY-----
EOF

# Client configuration
cat <<EOF > /etc/chef/client.rb
log_location STDOUT
chef_server_url "https://mychefserver.goofy.goober/organizations/myorg"
# :verify_none skips verification of the Chef server certificate (lab only; use :verify_peer with the server's CA in production)
ssl_verify_mode :verify_none
validation_client_name "myorg-validator"
EOF

# Run list applied on the first chef-client run
cat <<EOF > /etc/chef/first-boot.json
{
  "run_list": ["role[tomcat_backend]"]
}
EOF

# Install chef-client 12.9.41, then register the node in the amazon_demo environment and run the first converge
curl -L https://www.opscode.com/chef/install.sh | \
bash -s -- -v 12.9.41 &> /tmp/get_chef.log
chef-client -E amazon_demo -j /etc/chef/first-boot.json \
&> /tmp/chef.log


If everything went correctly you will see the new node in your Chef server dashboard. Check the logs on the new node in case of problems:

/tmp/chef.log
/tmp/get_chef.log
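A quick check of the two configuration files the script writes, as an added example (not from the original post): it parses client.rb and first-boot.json and reports settings that will make the bootstrap fail or leave the connection to the Chef server unverified. The sample files are the ones written by the script above, embedded inline; the line-based client.rb parser is an assumption of this example.

```python
import json
import re

# Constructed sample: the client.rb and first-boot.json the bootstrap script above
# writes under /etc/chef, embedded inline so the check runs offline.
CLIENT_RB = """log_location STDOUT
chef_server_url "https://mychefserver.goofy.goober/organizations/myorg"
ssl_verify_mode :verify_none
validation_client_name "myorg-validator"
"""
FIRST_BOOT_JSON = '{ "run_list": ["role[tomcat_backend]"] }'

# A run_list entry is role[name] or recipe[cookbook::recipe], optionally @version
RUN_LIST_ITEM = re.compile(r"^(role|recipe)\[[A-Za-z0-9_:.-]+(@[0-9.]+)?\]$")

def parse_client_rb(text):
    """Read the simple `setting value` lines of client.rb into a dict.
    Double-quoted strings lose their quotes; Ruby symbols keep the leading colon."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            settings[key] = value.strip().strip('"')
    return settings

def check_bootstrap(client_rb, first_boot_json):
    """Return the problems found in the two files (an empty list means they look fine)."""
    cfg, problems = parse_client_rb(client_rb), []
    url = cfg.get("chef_server_url", "")
    if not url.startswith("https://"):
        problems.append("chef_server_url must use https")
    if "/organizations/" not in url:
        problems.append("chef_server_url should end in /organizations/<org> (Chef 12 style)")
    if cfg.get("ssl_verify_mode") != ":verify_peer":
        problems.append("ssl_verify_mode is not :verify_peer, so the server certificate is not checked")
    if "validation_client_name" not in cfg:
        problems.append("validation_client_name is missing")
    try:
        run_list = json.loads(first_boot_json)["run_list"]
    except (ValueError, KeyError, TypeError):
        return problems + ["first-boot.json is not a JSON object with a run_list"]
    for item in run_list:
        if not RUN_LIST_ITEM.match(item):
            problems.append("bad run_list entry: %s" % item)
    return problems
```

On the files above the only finding is the :verify_none setting; the same check run before the user-data script is uploaded catches a mistyped run_list entry that would otherwise only show up in /tmp/chef.log on the new instance.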

Now let's create the autoscaling group in Amazon EC2.


Then select your preferred instance… I am using RHEL 7.2


Insert the bootstrap script (the one we just created) as the "User data file".


I have no instances running on my cloud, so the following configuration will launch a virtual machine, because the required minimum is 1.


After a minute I got an email saying:

Description: Launching a new EC2 instance: $my_id_istance
Cause: At 2016-05-06T15:10:17Z an instance was started in response to a 
difference between desired and actual

Finally I have a new configured node in my Chef server… which is autoscaling_node01.


That’s all folks!

Bye for now…

Eugenio Marzo
DevOps Engineer at SourceSense


Install CentOS 7 with kickstart on VirtualBox

Hi guys,

let's see how to install the new version of CentOS using a kickstart file.

  1. Prepare a web server to publish a simple kickstart file (nodeA). We will use VirtualBox with an internal network 192.168.56.0 and install the OS on nodeB.
  2. After the installation of nodeA, a kickstart file /root/anaconda-ks.cfg will have been generated.
  3. Assign the IP address 192.168.56.2 to nodeA (`yum install net-tools` to get ifconfig). Please remember to use a virtual network interface bound to the internal network 192.168.56.0.
  4. Stop the firewall on nodeA and install Apache with `yum install httpd`.
  5. Check that the web server is running with `systemctl status httpd.service`.
  6. Copy anaconda-ks.cfg (the kickstart generated during the installation of nodeA) into the document root directory of Apache, as ks.cfg.
  7. Try to download the kickstart file with `wget http://192.168.56.2/ks.cfg`.
  8. Create a second node in VirtualBox and add a network interface (type Host-Only Adapter, so that it can reach 192.168.56.2). In this case the virtual network card will be named enp0s9.
  9. Start it and boot from the CentOS 7 installation CD-ROM; once the menu appears, press TAB and configure your network options and the kickstart location.
  10. Press Enter… your virtual machine will be installed in a few minutes; the root password will be foobar.123.

In the next post we will see more details about kickstart syntax and options.


Configure Samba with Active Directory integration (Centos 6)

Let's see how to integrate your Samba server with Microsoft Active Directory.

Domain: NOODLES   (NETBIOS name)
FQDN: noodles.foo.org
Domain controller 1: dc01.noodles.foo.org
Domain controller 2: dc02.noodles.foo.org
Local Unix account: puppet
Domain Account: NOODLES\puppet

Packages to install via yum: [ krb5-libs , krb5-devel , samba , samba-common , samba-winbind , samba-client , samba-winbind-client ]

  • Create a local unix user named "puppet"
  • Install the packages using yum
  • Map "puppet" to "NOODLES\puppet" by editing /etc/samba/smbusers:

puppet = NOODLES\puppet

  • Make sure that the domain controllers are reachable from the Linux server
  • Configure Kerberos. Example:

[root@mylinuxbox puppet]# cat /etc/krb5.conf
[libdefaults]
default_realm = NOODLES.FOO.ORG

[realms]
NOODLES.FOO.ORG = {
kdc = dc01.noodles.foo.org
kdc = dc02.noodles.foo.org
admin_server = dc01.noodles.foo.org
}

  • Configure Samba (/etc/samba/smb.conf):

[global]
name resolve order = hosts wins bcast
max log size = 1500
password server = dc01 dc02
username map = /etc/samba/smbusers
client ntlmv2 auth = yes
dns proxy = no
disable spoolss = yes
printcap name = /dev/null
realm = NOODLES.FOO.ORG
log file = /var/log/samba/smbd.log
preferred master = no
load printers = no
printing = bsd
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
local master = no
workgroup = NOODLES
server string = Samba Server
security = ADS
# auth methods = guest, sam, winbind
restrict anonymous = 2

# with unix extensions = no, wide links lets the share follow symlinks that point outside its path
follow symlinks = yes
wide links = yes
unix extensions = no

[share]
path = /usr/local/
writable = yes
browsable = yes
create mask = 0766
valid users = puppet
force user = puppet

  • Join the Linux server to the domain:

net ads join -U puppetadmin@NOODLES.FOO.ORG

  • Print the details of the connection with Active Directory:

[puppet@mylinuxbox puppet]# net ads info
LDAP server: [ip address of dc01]
LDAP server name: DC01.noodles.foo.org
Realm: NOODLES.FOO.ORG
Bind Path: dc=NOODLES,dc=FOO,dc=ORG
LDAP port: 389
Server time: Thu, 10 Apr 2014 10:52:59 CEST
KDC server: [ip address of dc01]
Server time offset: 0

  • Restart Samba
  • Try to access //mylinuxbox/share as NOODLES\puppet
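An added example, not from the original post: a small Python check that parses the krb5.conf and smb.conf above and reports the mismatches that make `net ads join` fail (realm case and spelling, security mode, a password server that is not one of the KDCs). The sample files are copied from the post; the minimal parser is an assumption of this example, and it normalises Samba parameter names the way Samba does (case and whitespace are ignored).

```python
import re
# Constructed samples, copied from the krb5.conf and smb.conf shown above.
KRB5_CONF = """[libdefaults]
default_realm = NOODLES.FOO.ORG
[realms]
NOODLES.FOO.ORG = {
kdc = dc01.noodles.foo.org
kdc = dc02.noodles.foo.org
}
"""
SMB_CONF = """[global]
realm = NOODLES.FOO.ORG
workgroup = NOODLES
security = ADS
password server = dc01 dc02
"""

def parse_conf(text):
    """krb5.conf / smb.conf -> {section: {key: [values]}}; repeated keys (kdc) are kept."""
    data, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif line and line[0] not in "#;}":            # skip blanks, comments, closing brace
            key, sep, value = line.partition("=")
            if sep and value.strip() != "{":           # skip the 'REALM = {' opener
                # Samba ignores case and whitespace in parameter names; normalise the same way
                key = re.sub(r"\s+", "", key).lower()
                data.setdefault(section, {}).setdefault(key, []).append(value.strip())
    return data

def check_ad_member(krb5_text, smb_text):
    """Cross-check the settings that must agree before `net ads join` can work."""
    krb5, smb = parse_conf(krb5_text), parse_conf(smb_text).get("global", {})
    realm = krb5.get("libdefaults", {}).get("default_realm", [""])[-1]
    last = lambda key: smb.get(key, [""])[-1]          # smb.conf: the last occurrence wins
    problems = []
    if realm != realm.upper():
        problems.append("Kerberos realm must be upper case: %s" % realm)
    if last("realm") != realm:
        problems.append("smb.conf realm %r != krb5 default_realm %r" % (last("realm"), realm))
    if last("security").upper() != "ADS":
        problems.append("security must be ADS for a domain member")
    kdcs = {h.split(".")[0].lower() for h in krb5.get("realms", {}).get("kdc", [])}
    for host in last("passwordserver").split():
        if host.split(".")[0].lower() not in kdcs:
            problems.append("password server %s is not a kdc in krb5.conf" % host)
    return problems
```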

Use HAProxy to publish an internal SFTP server

Hi guys,
In this post we will see how to safely publish an internal SFTP server on the internet, passing through HAProxy.
In the example we will allow only one particular external IP, increasing security.

Let's prepare the internal backend

An example of my SSH configuration (edit the file /etc/ssh/sshd_config):

ChrootDirectory none
# override default of no subsystems
#Subsystem      sftp    /usr/libexec/openssh/sftp-server
Subsystem       sftp    internal-sftp

# All users of our internal LAN can try to access; only the user "puppet" can try to access from 10.12.21.32 (our HAProxy server)
AllowUsers *@192.168.0*
AllowUsers puppet@10.12.21.32

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       ForceCommand cvs server
Match User puppet
ChrootDirectory /home/puppet
ForceCommand internal-sftp

As you can see we have put the user puppet in a chroot jail. In this way the user cannot navigate freely through the file system.

Remember to:
1. Configure the permissions of /home/puppet correctly. Since it is a chroot jail it must have these permissions:
drwxr-xr-x 5 root root 4096 Aug 28 2013 puppet
The owner must be root. Inside /home/puppet we will create folders owned by puppet.

2. Disable the login shell for the user puppet. In this way he will only be able to upload and download files, not use a terminal:

[root@myfileserver home]# cat /etc/passwd | grep puppet
puppet:x:2408:2408::/home/puppet:/sbin/nologin
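The two prerequisites above as a Python check, added here and not part of the original post: the rules sshd applies to a ChrootDirectory (a directory owned by root, not group- or world-writable) and the nologin shell from the passwd entry. The passwd line is the one from the post; the demo() helper creates a temporary directory and compares its owner with the current uid only because the demo does not run as root.

```python
import os
import stat
import tempfile

# Shells that refuse an interactive login; the post's passwd entry uses /sbin/nologin
NOLOGIN_SHELLS = ("/sbin/nologin", "/usr/sbin/nologin", "/bin/false")

# Constructed passwd line, copied from the post's `grep puppet` output above
PASSWD_SAMPLE = "puppet:x:2408:2408::/home/puppet:/sbin/nologin\n"

def chroot_problems(mode, uid, expected_uid=0):
    """Rules sshd enforces on a ChrootDirectory: a directory owned by root and
    not writable by group or others (the post's drwxr-xr-x root root)."""
    problems = []
    if not stat.S_ISDIR(mode):
        problems.append("not a directory")
    if uid != expected_uid:
        problems.append("owned by uid %d, expected uid %d" % (uid, expected_uid))
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("group- or world-writable (mode %o)" % stat.S_IMODE(mode))
    return problems

def check_chroot_dir(path, expected_uid=0):
    """Apply chroot_problems to a real path (lstat, so a symlink is not followed)."""
    st = os.lstat(path)
    return chroot_problems(st.st_mode, st.st_uid, expected_uid)

def shell_problems(passwd_text, user):
    """Confirm the SFTP-only account has no usable login shell in a passwd body."""
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[0] == user:
            return [] if fields[6] in NOLOGIN_SHELLS else ["%s has login shell %s" % (user, fields[6])]
    return ["user %s not found" % user]

def demo():
    """Create a temporary directory, show the check catching group-write, then
    passing at 0755. The owner is compared with the current uid only because
    this demo does not run as root; on the real server expected_uid stays 0."""
    me, d = os.getuid(), tempfile.mkdtemp()
    os.chmod(d, 0o775)
    before = check_chroot_dir(d, expected_uid=me)
    os.chmod(d, 0o755)
    after = check_chroot_dir(d, expected_uid=me)
    os.rmdir(d)
    return before, after
```

On the file server itself, check_chroot_dir("/home/puppet") and shell_problems(open("/etc/passwd").read(), "puppet") should both return empty lists; sshd refuses the chroot login otherwise.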

OK, now the HAProxy configuration. We only need a LISTEN and a BACKEND section:

listen sftp-server
    bind :2121
    mode tcp
    acl white_list src 8.8.8.8 8.8.8.9
    tcp-request content accept if white_list
    tcp-request content reject
    default_backend sftp-server01

backend sftp-server01
    mode tcp
    server ftp01 myfileserver.foo.org:22 check port 22

Some explanations:
bind :2121 # HAProxy will listen on port 2121
mode tcp # use the TCP protocol (layer 4, no HTTP parsing)
acl white_list src 8.8.8.8 8.8.8.9 # define an ACL; it is like an array of IP addresses
tcp-request content accept if white_list # "tcp-request content accept" runs only when white_list is TRUE, so only 8.8.8.8 and 8.8.8.9 can ask to access the backend
tcp-request content reject # the other IPs are not allowed
default_backend sftp-server01 # forward the connection to the SFTP backend

FINAL RESULT:

Let's assume that your external HAProxy is known as noodles.foo.org in the DNS.
In order to connect to the SFTP server, open a client (like FileZilla) and point it to:

SFTP://noodles.foo.org:2121 username: puppet password: puppet.123