Groesbeek, view of the 'National Liberation Museum 1944-1945' in Groesbeek. © Ton Kersten
Fork me on GitHub

Ansible with multiple vault ID's

2019-07-22 (151) by Ton Kersten, tagged as ansible sysadm

In our work environment we have role-based access for passwords (of course). But as we deploy all systems with Ansible, we could end up that someone with only deploy permission ends up with access to all passwords. It’s obvious that we don’t want that, so I started checking in to Ansible’s ability to have multiple vault passwords.

Ansible Vault IDs

Starting with Ansible 2.4 and above, vault IDs are supported.

Vault IDs help in encrypting different files with different passwords to be referenced inside a playbook. Prior to Ansible 2.4, only one vault password could be used in each Ansible run, forcing to encrypt all files using the same vault password.

First and foremost, Vault IDs need to be pre-created and referenced (best practice) inside your ansible.cfg file

[defaults]
vault_identity_list = apple@prompt, pear@prompt

In this example there are two vault IDs, called apple and pear and in this configuration Ansible will prompt for the needed passwords.

It’s also possible to supply the vault password files, like

[defaults]
vault_identity_list = apple@~/.vault_apple, pear@~/.vault_pear

Read more »

Ansible with loops or lookup

2019-02-23 (150) by Ton Kersten, tagged as ansible, sysadm

Since Ansible version 2.5 there is a lot of discussion and confusion about the loop syntax. There is also discussion if with_...: will be replaced by loop: deprecating the with_... keywords. Even Ansibles documentation is not clear about this.

Should I use loop: or with_...:, in fact nobody really knows. What would the correct syntax be?

---
- name: Loops with with_ and lookup
  hosts: localhost
  connection: local
  gather_facts: no
  vars:
    people:
      - john
      - paul
      - mary
    drinks:
      - beer
      - wine
      - whisky

  tasks:
    - name: with nested
      debug:
        msg: "with_nested: item[0] is '{{ item[0] }}' and item[1] is '{{ item[1] }}'"
      with_nested:
        - "{{ people }}"
        - "{{ drinks }}"

    - name: nested and loop
      debug:
        msg: "nested_loop: item[0] is '{{ item[0] }}' and item[1] is '{{ item[1] }}'"
      loop:
        - "{{ people }}"
        - "{{ drinks }}"

Read more »

Ansible: One Role to Rule them All

2019-02-07 (149) by Ton Kersten, tagged as ansible, sysadm

I am a long time Ansible user and contributor (since 2012) and I have been struggling with a decent setup for a multi-environment case. I have been designing and re-designing a lot, until I came up with this design. And what a coincidence, a customer wanted a setup that was exactly this. So this concept is a real world setup, working in a production environment.

Did I get your attention? Read after the break, but take your time. it is a long read.

Read more »

Running it through Tattr (part 2)

2018-08-08 (148) by Ton Kersten, tagged as ansible, sysadm

Some time ago I created a playbook to show the content of a rendered template. When you keep digging in the Ansible documentation, you suddenly stumble over the template lookup-plugin. And then it turns out that my playbook is a bit clumsy.

A nicer and shorter way to do it:

---
#
# This playbook renders a template and shows the results
# Run this playbook with:
#
#       ansible-playbook -e templ=<name of the template> template_test.yml
#
- hosts: localhost
  become: false
  connection: local

  tasks:
    - fail:
        msg: "Bailing out. The play requires a template name (templ=...)"
      when: templ is undefined

    - name: show templating results
      debug:
        msg: "{{ lookup('template', templ) }}"

Ansible, loop in loop in loop in loop in loop

2018-06-08 (147) by Ton Kersten, tagged as ansible, loop, sysadm

A couple of days ago a client asked me if I could solve the following problem:

They have a large number of web servers, all running a plethora of PHP versions. These machines are locally managed with DirectAdmin, which manages the PHP configuration files as well. They are also running Ansible for all kind of configuration tasks. What they want is a simple playbook that ensures a certain line in all PHP ini files for all PHP versions on all webservers.

All the PHP directories match the pattern /etc/php[0-9][0-9].d.

Thinking about this, I came up with this solution (took me some time, though) smiley

---
- name: find all ini files in all /etc/php directories
  hosts: webservers
  user: ansible
  become: True
  become_user: root

  tasks:
    - name: get php directories
      find:
        file_type: directory
        paths:
          - /etc
        patterns:
           - php[0-9][0-9].d
      register: dirs

    - name: get files in php directories
      find:
        paths:
          - "{{ item.path }}"
        patterns:
          - "*.ini"
      loop: "{{ dirs.files }}"
      register: phpfiles

    - name: show all found files
      debug:
        msg: "Files is {{ item.1.path }}"
      with_subelements:
        - "{{ phpfiles.results }}"
        - files

The part with the with_subelements did the trick. Of course this line can be written as:

loop: "{{ query('subelements', phpfiles.results, files) }}"

Ditched Disqus

2018-05-31 (146) by Ton Kersten, tagged as gdpr, privacy

As the new GDPR finds its way all over Europe I decided to have a closer look at my website. I have been using the Disqus comment system for some time now, but hardly ever someone really takes the time to comment.

As the Disqus systems uses a lot of Javascript and cookies, I decided it was time to get rid of these tools and make my site fly, again.

At Disqus: So long and thanks for all the fish.

Did you run it through TAttr

2017-08-15 (145) by Ton Kersten, tagged as ansible, sysadm

During my last Ansible training the students needed to create some Ansible templates for them selfs. As I do not want to run a testing template against some, or all, machines under Ansible control I created a small Ansible playbook to test templates.

Read more »

Stupid Fedora

2016-05-26 (144) by Ton Kersten, tagged as sysadm

Yesterday I removed a simple package from my Fedora 23 machine and after that I got the message

error: Failed to initialize NSS library

WTF??????

Searching the interwebs I found out I wasn’t the first, and probably not the last, to run into this problem.

It seems that, one way or another, the DNF package doesn’t know about the dependency it has on SQLite. So, when a package removal requests to remove SQLite, DNF removes it without questions. Ans thus break itself.

But how to fix this? DNF doesn’t work, but RPM doesn’t either, so there is no way to reinstall the SQLite packages.

Tinkering and probing I found this solution:

#!/bin/bash
url="http://ftp.nluug.nl/os/Linux/distr/fedora/linux/updates/23/x86_64/s/"
ver="3.11.0-3"

wget ${url}/sqlite-${ver}.fc23.x86_64.rpm
wget ${url}/sqlite-libs-${ver}.fc23.x86_64.rpm
rpm2cpio sqlite-${ver}.fc23.x86_64.rpm | cpio -idmv
rpm2cpio sqlite-libs-${ver}.fc23.x86_64.rpm | cpio -idmv
cp -Rp usr /
dnf --best --allowerasing install sqlite.x86_64

This downloads the SQLite package and SQLite library packages, extracts them and copies the missing files to their /usr destination. After doing that, DNF and RPM get working again. It could be that I downloaded an older version of the SQLite stuff, so to make sure I have a current version I reinstall SQLite again.

Maybe a good idea to fix that in DNF!

Building an Ergodox

2015-03-03 (143) by Ton Kersten, tagged as news

After a lot of thought I decided it was time for a new project, one I would enjoy and a project that would be useful for a long time.

Searching the web and reading articles I found the ErgoDox.

The ErgoDox is a split-hand ergonomic keyboard with mechanical switches and open source, layer-based firmware running on a Teensy microcontroller. While other keyboards offer dip-switches or GUI config tools, the firmware and layouts can be built from source on the command line or through a layout configuration tool. Flashing a new build onto the ErgoDox is easy with the multi-platform Teensy loader.

I immediately got interested and after searching a bit more I ordered the kit at Falbatech. Unfortunately they do not supply the keycaps, so I ordered them from Signature Plastics.

Read more »

Stable Internet

2014-10-01 (142) by Ton Kersten, tagged as internet

My stable internet connection

Since a couple of years I’m running a fiber connection to the Internet, supplied by XMS-Net.

I also have an Atlas probe to do some internet measurements for RIPE.

Today I got a status email from RIPE with the connection status of last month. I guess I can say I have a stable internet connection. smiley

This is your monthly availability report for probe xxxx (TonKs Atlas).

Calculation interval    : 2014-09-01 00:00:00 - 2014-10-01 00:00:00
Total Connected Time    :  30d 00:00
Total Disconnected Time :   0d 00:00
Total Availability      :    100.00%

+---------------------+---------------------+------------+--------------+
| Connected (UTC)     | Disconnected (UTC)  | Connected  | Disconnected |
|---------------------+---------------------+------------+--------------+
| 2014-08-26 07:09:17 | Still up            |  30d 00:00 |     0d 00:00 |
+---------------------+---------------------+------------+--------------+