
Finding obsolete and unused Roles in Chef

If your Chef environment has grown and it's time for a cleanup, here is an easy way to find unused and obsolete Roles.
This works as long as the files under roles/*.rb are named exactly like the roles they define.

# in the roles/ directory do
for f in *.rb; do r="${f%.rb}"; echo "$r:"; knife search node "role:$r" | grep Node; done > result.txt
# then
for f in *.rb; do r="${f%.rb}"; echo "$r:"; knife search node "roles:$r" | grep Node; done > result2.txt

This outputs each role name followed by the nodes using it. A role that has no nodes listed in either result file is unused and can be removed.

Sample output

auth-app:
Node Name:   auth-app2.prod1.example.lan
Node Name:   auth-app3.prod1.example.lan
Node Name:   auth-app1.prod2.example.lan
unused-role:
ch-elasticsearch:
Node Name:   ch-esearch3.prod1.example.lan
Node Name:   ch-esearch2.prod2.example.lan

The reason you need to run it twice is that the first command (role:) finds nodes that have the role directly in their run list, while the second (roles:) searches the expanded run lists, so it also finds roles that nodes get indirectly through other roles.
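As an added example (not code from the original post), this Ruby script parses the two result files the knife searches produce and lists the roles with no node in either; the sample data is constructed to mirror the output above.

```ruby
# Added example, not from the original post: parse the two result files the knife
# searches above produce and report roles with no node in either. RESULT1/RESULT2
# are constructed sample data modelled on the post's output.

# Map each role name to the nodes listed under it. A line of the form "name:"
# starts a role block; the "Node Name:" lines that follow belong to that role.
def parse_result(text)
  roles = {}
  current = nil
  text.each_line do |raw|
    line = raw.strip
    if line =~ /\A([^\s:]+):\z/
      current = Regexp.last_match(1)
      roles[current] ||= []
    elsif current && line =~ /\ANode Name:\s*(\S+)/
      roles[current] << Regexp.last_match(1)
    end
  end
  roles
end

# A role is unused only if no node has it directly (role: search, result.txt)
# AND no node gets it through an expanded run list (roles: search, result2.txt).
def unused_roles(direct_text, expanded_text)
  direct   = parse_result(direct_text)
  expanded = parse_result(expanded_text)
  (direct.keys | expanded.keys).select do |role|
    direct.fetch(role, []).empty? && expanded.fetch(role, []).empty?
  end.sort
end

# Constructed sample: "base" is never assigned directly, but shows up in the
# expanded search because another role includes it, so it must not be reported.
RESULT1 = <<~TXT
  auth-app:
  Node Name:   auth-app2.prod1.example.lan
  Node Name:   auth-app1.prod2.example.lan
  unused-role:
  base:
TXT

RESULT2 = <<~TXT
  auth-app:
  Node Name:   auth-app2.prod1.example.lan
  Node Name:   auth-app1.prod2.example.lan
  unused-role:
  base:
  Node Name:   auth-app2.prod1.example.lan
TXT
puts unused_roles(RESULT1, RESULT2) if __FILE__ == $PROGRAM_NAME # prints unused-role
```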

Configuring Errata for Ubuntu with Spacewalk

In my last article I showed you how to get Ubuntu servers registered and integrated with Spacewalk.

However, something important is still missing: getting Errata into Spacewalk for Ubuntu systems. Errata are the security, bugfix and enhancement advisories published by distribution vendors such as Debian, CentOS, RHEL and Ubuntu. They can be imported into Spacewalk, which then shows (or emails) which systems and packages are affected, along with details such as CVE numbers. You can then "apply" an Erratum to those systems, triggering a remote update. That way you always know whether your systems lack critical updates.

Unfortunately, there is no general source or feed that gets these Errata into Spacewalk. The vendors' security mailing lists are a good source, but you still need to parse them and import the result via the API. For CentOS / RHEL a few scripts exist:

For Ubuntu, however, no such script existed, so I had to write one myself. Read on to find out where to get it and how to integrate it!

Registering Ubuntu and Debian Servers with Spacewalk

You have probably heard of Spacewalk, the systems management solution for RHEL / CentOS and other RedHat-based systems.
It provides and manages content / package updates for all your servers, along with other features such as kickstarting / bootstrapping nodes, audits and some simple config management if you don't run Chef, Puppet or similar.

However, did you know that you can by now also (fully) manage your Debian/Ubuntu systems with Spacewalk? Documentation on this is still sparse and you have to figure out certain things on your own.
Read on after the jump to learn how to completely set up and configure Spacewalk 2.2 to work with Ubuntu clients, including Errata!


GPG signing RPMs with Sigul Signing Server & Koji integration

When you build your own RPMs and distribute them, either on your own infrastructure or to the public, you should consider signing them with a GPG key. That way the client machines that install your RPMs can verify the integrity and authenticity of what they are installing.

GPG signing can be done manually, which is fairly easy but unhandy, or in a far more automated and solid way using the Sigul Signing Server from Fedora.

Sigul keeps the private keys used for signing on its server, where they are not accessible to the clients that want to sign RPMs. All requests from Sigul Clients to the Sigul Server are sent through the Sigul Bridge, which relays them. This allows signing RPMs from various machines without those machines ever having access to the keys being used. You never communicate directly with the Server, which can and should be isolated from the rest of the world, with the firewall only allowing connections from/to the Bridge.


Getting RPM built by Koji into YUM-able repo

If you have followed my article series about Fedora's RPM build system Koji, you should by now have a fully working setup that even builds RPMs from Git.
However, by design, the built RPMs can't be used directly as a yum repo. They need to be transformed first, and that is what the tool "mash" is for.
Luckily, setting up mash is easy compared to Koji itself.

yum install mash
# create a storage path, this can also be a network mount
mkdir -p /mnt/custom-repo/{mash,rpm}
ln -s /mnt/custom-repo/mash/centos6-release/ /mnt/custom-repo/rpm/centos6


Building RPM from Git with Koji

If you have followed my other articles about Koji, you should have a fully working setup now. However, it is not very handy to only build local SRPMs.
Fortunately, Koji can build RPMs from spec files and Makefiles that it fetches from a Git repo or another SCM. Read on to learn how to get that going.

In /etc/kojid/kojid.conf

allowed_scms=github.com:/github-username/*:no

;to use a command other than "make sources", append it to the entry. This example uses "fedpkg sources"
;allowed_scms=github.com:/github-username/*:no:fedpkg,sources


Encrypting a HDD as a folder on Linux with LUKS

If you want to encrypt and secure your personal confidential data on Linux, here is how to do it.

The following method explains how to encrypt a hard disk or partition and mount it as a folder anywhere in your filesystem. There are other options too, such as using a file as an encrypted container or encrypting your whole system partition.
We will be using dm-crypt + LUKS (Linux Unified Key Setup on-disk format), which is a block-device-level encryption scheme, just like Truecrypt.

First you need to install some dependencies:

# you need EPEL repo installed for this
yum install cryptsetup-luks pv


Compiling your own Kernel for Debian and CentOS (or alike)

For various reasons you might need to (re)compile your own kernel, for instance if the kernel installed by your distribution does not support a feature you need.
I recently discovered that the kernels provided by OVH for their servers do NOT support loadable modules. Even the "original" kernels they provide don't. So you need to compile your own kernel to use things like cryptsetup (dm-crypt).

Fortunately, compiling your own kernel is easy if you know how to do it.

Necessary packages

# RHEL / Fedora / CentOS
yum groupinstall "Development Tools"
yum install ncurses ncurses-devel

# Ubuntu / Debian
apt-get install lzma kernel-package debhelper fakeroot build-essential libtool automake make gcc ncurses ncurses-dev


iptables rules for NAT with FTP active / passive connections

If you have an FTP server running behind a server that acts as the gateway or firewall, here are the rules that enable full NAT for active and passive connections.

# general rules for forwarding traffic between external interface tap0 and internal interface eth0
iptables -t nat -A POSTROUTING -o tap0 -j MASQUERADE
iptables -A FORWARD -i tap0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o tap0 -j ACCEPT

# NAT for active/passive FTP. 192.168.178.21 would be your internal ftp server
iptables -t nat -A PREROUTING  -p tcp  --dport 20 -j DNAT --to 192.168.178.21:20
iptables -t nat -A PREROUTING  -p tcp  --dport 21 -j DNAT --to 192.168.178.21:21
iptables -t nat -A PREROUTING  -p tcp  --dport 1024:65535 -j DNAT --to 192.168.178.21:1024-65535
iptables -A FORWARD -s 192.168.178.21 -p tcp --sport 20 -j ACCEPT
iptables -A FORWARD -s 192.168.178.21 -p tcp --sport 21 -j ACCEPT
iptables -A FORWARD -s 192.168.178.21 -p tcp --sport 1024:65535 -j ACCEPT

# allowing active/passive FTP on the gateway itself. RELATED only matches the FTP data channel
# if the FTP connection-tracking helper modules (nf_conntrack_ftp, and nf_nat_ftp for NAT) are loaded
iptables -A OUTPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT


Spacewalk vs. Katello

When managing a lot of systems (virtual or physical), it makes sense to centralize package management. It also saves you a lot of time.

Spacewalk does exactly that for RPM-based systems like CentOS, Fedora or SLE. It is the community, open-source version of the RedHat Network Satellite products (RHN). It brings you a lot of nice features, such as

  • Systems inventory with hardware and software info (DMI)
  • Centralized package management. Installing / Updating software on systems (single/grouped/batch)
  • Errata overview for systems (security/bugfixes/enhancements)
  • Kickstart / Provision systems
  • Audit
  • basic config file distribution (better do this with puppet/chef)
  • basic monitoring (better do this with munin/graphite/ganglia..)
