Programming – Page 5 – A nice guy's view on life

A brief guide to using vagrant-aws

2017-12-212017-12-21 JonTheNiceGuy Leave a comment

CCHits was recently asked to move it’s media to another host, and while we were doing that we noticed that many of the Monthly shows were broken in one way or another…

Cue a massive rebuild attempt!

We already have a “ShowRunner” script, which we use with a simple Vagrant machine, and I knew you can use other hypervisor “providers”, and I used to use AWS to build the shows, so why not wrap the two parts together?

Firstly, I installed the vagrant-aws plugin:

vagrant plugin install vagrant-aws

Next I amended my Vagrantfile with the vagrant-aws values mentioned in the plugin readme:

Vagrant.configure(2) do |config| config.vm.provider :aws do |aws, override| config.vm.box = "ShowMaker" aws.tags = { 'Name' => 'ShowMaker' } config.vm.box_url = "https://github.com/mitchellh/vagrant-aws/raw/master/dummy.box" # AWS Credentials: aws.access_key_id = "DECAFBADDECAFBADDECAF" aws.secret_access_key = "DeadBeef1234567890+AbcdeFghijKlmnopqrstu" aws.keypair_name = "TheNameOfYourSSHKeyInTheEC2ManagementPortal" # AWS Location: aws.region = "us-east-1" aws.region_config "us-east-1", :ami => "ami-c29e1cb8" # If you pick another region, use the relevant AMI for that region aws.instance_type = "t2.micro" # Scale accordingly aws.security_groups = [ "sg-1234567" ] # Note this *MUST* be an SG ID not the name aws.subnet_id = "subnet-decafbad" # Pick one subnet from https://console.aws.amazon.com/vpc/home # AWS Storage: aws.block_device_mapping = [{ 'DeviceName' => "/dev/sda1", 'Ebs.VolumeSize' => 8, # Size in GB 'Ebs.DeleteOnTermination' => true, 'Ebs.VolumeType' => "GP2", # General performance - you might want something faster }] # SSH: override.ssh.username = "ubuntu" override.ssh.private_key_path = "/home/youruser/.ssh/id_rsa" # or the SSH key you've generated # /vagrant directory - thanks to https://github.com/hashicorp/vagrant/issues/5401 override.nfs.functional = false # It tries to use NFS - use RSYNC instead end config.vm.box = "ubuntu/trusty64" config.vm.provision "shell", path: "./run_setup.sh" config.vm.provision "shell", run: "always", path: "./run_showmaker.sh" end

Of course, if you try to put this into your Github repo, it’s going to get pillaged and you’ll be spending lots of money on monero mining very quickly… so instead, I spotted this which you can do to separate out your credentials:

At the top of the Vagrantfile, add these two lines:

require_relative 'settings_aws.rb' include SettingsAws

Then, replace the lines where you specify a “secret”, like this:

aws.access_key_id = AWS_ACCESS_KEY aws.secret_access_key = AWS_SECRET_KEY

Lastly, create a file “settings_aws.rb” in the same path as your Vagrantfile, that looks like this:

module SettingsAws AWS_ACCESS_KEY = "DECAFBADDECAFBADDECAF" AWS_SECRET_KEY = "DeadBeef1234567890+AbcdeFghijKlmnopqrstu" end

This file then can be omitted from your git repository using a .gitignore file.

Today I learned… Cloud-init doesn’t like you repeating the same things

2017-06-292017-07-03 JonTheNiceGuy Leave a comment

Because of templates I was building in my post “Today I learned… Ansible Include Templates”, I thought you could repeat the same sections over again. Here’s a snippet of something like what I’d built (after combining lots of templates together):

Note this is a non-working code sample!

#cloud-config packages: - iperf - git


write_files:

- content: {% include 'files/public_key.j2' %}

  path: /root/.ssh/authorized_keys

  owner: root:root

  permission: '0600'

- content: {% include 'files/private_key.j2' %}

  path: /root/.ssh/id_rsa

  owner: root:root

  permission: '0600'
packages:

- byobu
write_files:

- content: |

    #!/bin/bash

    git clone {{ test_scripts }} /root/iperf_scripts

    bash /root/iperf_scripts/run_test.sh

  path: /root/run_test

  owner: root:root

  permission: '0700'

runcmd: - /root/run_test

I’d get *bits* of it to run – basically, the last file, the last package and the last runcmd… but not all of it.

Turns out, cloud-init doesn’t like having to rebuild all the fragments together. Instead, you need to put them all together, so the write_files items, and the packages items all live in the same area.

Which, when you think about what it’s doing, which is that the parent lines are defining a variable called… well, whatever that line is, and if you replace it, it’s only going to keep the last one, then it all makes sense really!

Today I learned… that you can look at the “cloud-init” files on your target server…

2017-06-082017-06-08 JonTheNiceGuy Leave a comment

Today I have been debugging why my Cloud-init scripts weren’t triggering on my Openstack environment.

I realised that something was wrong when I tried to use the noVNC console[1] with a password I’d set… no luck. So, next I ran a command to review the console logs[2], and saw a message (now, sadly, long gone – so I can’t even include it here!) suggesting there was an issue parsing my YAML file. Uh oh!

I’m using Ansible’s os_server module, and using templates to complete the userdata field, which in turn gets populated as cloud-init scripts…. and so clearly I had two ways to debug this – prefix my ansible playbook with a few debug commands, but then that can get messy… OR SSH into the box, and look through the logs. I knew I could SSH in, so the cloud-init had partially fired, but it just wasn’t parsing what I’d submitted. I had a quick look around, and found a post which mentioned debugging cloud-init. This mentioned that there’s a path (/var/lib/cloud/instances/$UUID/) you can mess around in, to remove some files to “fool” cloud-init into thinking it’s not been run… but, I reasoned, why not just see what’s there.

And in there, was the motherlode – user-data.txt…. bingo.

In the jinja2 template I was using to populate the userdata, I’d referenced another file, again using a template. It looks like that template needs an extra line at the end, otherwise, it all runs together.

Whew!

This does concern me a little, as I had previously been using this stanza to “simply” change the default user password to something a little less complicated:

#cloud-config ssh_pwauth: True chpasswd: list: | ubuntu:{{ default_password }} expire: False

But now that I look at the documentation, I realise you can also specify that as a pre-hashed value (in which case, you would suffix that default_password item above with |password_hash('sha512')) which makes it all better again!

[1] If you run openstack --os-cloud cloud_a console url show servername gives you a URL to visit that has an HTML5 based VNC-ish client. Note the “cloud_a” and “servername” should be replaced by your clouds.yml reference and the server name or server ID you want to connect to.
[2] Like before, openstack --os-cloud cloud_a console log show servername gives you the output of the boot sequence (e.g. dmesg plus the normal startup commands, and finally, cloud-init). It can be useful. Equally, it’s logs… which means there’s a lot to wade through!

One to read: “Test Driven Development (TDD) for networks, using Ansible”

2017-06-082017-06-08 JonTheNiceGuy Leave a comment

Thanks to my colleague Simon (@sipart on Twitter), I spotted this post (and it’s companion Github Repository) which explains how to do test-driven development in Ansible.

Essentially, you create two roles – test (the author referred to it as “validate”) and one to actually do the thing you want it to do (in the author’s case “add_vlan”).

In the testing role, you’d have the following layout:

/path/to/roles/testing/tasks/main.yml /path/to/roles/testing/tasks/SOMEFEATUREtest.yml

In the main.yml file, you have a simple stanza:

--- - name: Include all the test files include: "{{ outer_item }}" with_fileglob:"/path/to/roles/validate/tasks/*test.yml" loop_control: loop_var=outer_item

I’m sure that “with_fileglob” line could be improved to not actually need a full path… anyway

Then in your YourFeature_test.yml file, you do things like this:

--- - name: "Pseudocode in here. Use real modules for your testing!!" get_vlan_config: filter_for=needle_vlan register:haystack_var

- assert: that=" {{ needle_item }} in haystack_var "

When you run the play of the role the first time, the response will be “failed” (because “needle_vlan” doesn’t exist). Next do the “real” play of the role (so, in the author’s case, add_vlan) which creates the vlan. Then re-run the test role, your response should now be “ok”.

I’d probably script this so that it goes:

reset-environment set_testing=true (maybe create a random little network)

test

run-action

test

reset-environment set_testing=false

The benefit to doing it that way is that you “know” your tests aren’t running if the environment doesn’t have the “set_testing” thing in place, you get to run all your tests in a “clean room”, and then you clear it back down again afterwards, leaving it clear for the next pass of your automated testing suite.

Fun!

Today I learned… Ansible Include Templates

2017-06-052017-06-08 JonTheNiceGuy 1 Comment

I am building Openstack Servers with the ansible os_server module. One of these fields will accept a very long string (userdata). Typically, I end up with a giant blob of unreadable build script in this field…

Today I learned that I can use this:

--- - name: "Create Server" os_server: name: "{{ item.value.name }}" state: present availability_zone: "{{ item.value.az.name }}" flavor: "{{ item.value.flavor }}" key_name: "{{ item.value.az.keypair }}" nics: "[{%- for nw in item.value.ports -%}{'port-name': '{{ ProjectPrefix }}{{ item.value.name }}-Port-{{nw.network.name}}'}{%- if not loop.last -%}, {%- endif -%} {%- endfor -%}]" # Ignore this line - it's complicated for a reason boot_volume: "{{ ProjectPrefix }}{{ item.value.name }}-OS-Volume" # Ignore this line also :) terminate_volume: yes volumes: "{%- if item.value.log_size is defined -%}[{{ ProjectPrefix }}{{ item.value.name }}-Log-Volume]{%- else -%}{{ omit }}{%- endif -%}" userdata: "{% include 'templates/userdata.j2' %}" auto_ip: no timeout: 65535 cloud: "{{ cloud }}" with_dict: "{{ Servers }}"

This file (/path/to/ansible/playbooks/servers.yml) is referenced by my play.yml (/path/to/ansible/play.yml) via an include, so the template reference there is in my templates directory (/path/to/ansible/templates/userdata.j2).

That template can also then reference other template files itself (using {% include 'templates/some_other_file.extension' %}) so you can have nicely complex userdata fields with loads and loads of detail, and not make the actual play complicated (or at least, no more than it already needs to be!)

Some notes from Ansible mentoring

2017-06-022017-06-08 JonTheNiceGuy Leave a comment

Last night, I met up with my friend Tim Dobson to talk about Ansible. I’m not an expert, but I’ve done a lot of Ansible recently, and he wanted some pointers.

He already had some general knowledge, but wanted some pointers on “other things you can do with Ansible”, so here are a couple of the things we did.

If you want to set certain things to happen as “Production” and other things to happen as “Pre-production” you can either have two playbooks (e.g. pre-prod.yml versus prod.yml) which call certain features… OR use something like this:
--- - hosts: localhost tasks: - set_fact: my_run_state: "{% if lookup('env', 'runstate') == '' %}{{ default_run_state|default('prod') }}{% else %}{{ lookup('env', 'runstate')|lower() }}{% endif %}" - debug: msg="Doing prod" when: my_run_state == 'prod' - debug: msg="Doing something else" when: my_run_state != 'prod'

With this, you can define a default run state (prod), override it with a group or host var (if you have, for example, a staging service or proof of concept space), or use your Environment variables to do things. In the last case, you’d execute this as follows:

runstate=preprod ansible-playbook site.yml
You can tag almost every action in your plays. Here are some (contrived) examples:
--- - name: Get facts from your hosts   tags: configure   hosts: all - name: Tell me all the variable data you've collected   tags: dump   hosts: localhost   tasks:     - name: Show data       tags: show       debug:         var=item       with_items: hostvars

When you then run

ansible-playbook test.yml --list-tags

You get

playbook: test.yml
  play #1 (all): Get facts from your hosts      TAGS: [configure]       TASK TAGS: [configure]
  play #2 (localhost): Tell me all the variable data you've collected   TAGS: [dump]       TASK TAGS: [dump, show]

Now you can run ansible-playbook test.yml -t configure or ansible-playbook test.yml --skip-tags configure

To show how useful this can be, here’s the output from the “–list-tags” I’ve got on a project I’m doing at work:
playbook: site.yml
  play #1 (localhost): Provision A-Side Infrastructure  TAGS: [Functional_Testing,A_End]       TASK TAGS: [A_End, EXCLUDE_K5_FirewallManagers, EXCLUDE_K5_Firewalls, EXCLUDE_K5_Networks, EXCLUDE_K5_SecurityGroups, EXCLUDE_K5_Servers, Functional_Testing, K5_Auth, K5_FirewallManagers, K5_Firewalls, K5_InterProjectLinks, K5_Networks, K5_SecurityGroups, K5_Servers]   play #2 (localhost): Provision B-Side Infrastructure  TAGS: [Functional_Testing,B_End]       TASK TAGS: [B_End, EXCLUDE_K5_Firewalls, EXCLUDE_K5_Networks, EXCLUDE_K5_SecurityGroups, EXCLUDE_K5_Servers, Functional_Testing, K5_Auth, K5_FirewallManagers, K5_Firewalls, K5_InterProjectLinks, K5_Networks, K5_SecurityGroups, K5_Servers]   play #3 (localhost): Provision InterProject Links - Part 1    TAGS: [Functional_Testing,InterProjectLink]       TASK TAGS: [EXCLUDE_K5_InterProjectLinks, Functional_Testing, InterProjectLink, K5_InterProjectLinks]   play #4 (localhost): Provision InterProject Links - Part 2    TAGS: [Functional_Testing,InterProjectLink]       TASK TAGS: [EXCLUDE_K5_InterProjectLinks, Functional_Testing, InterProjectLink, K5_InterProjectLinks]
  play #5 (localhost): Provision TPT environment        TAGS: [Performance_Testing]       TASK TAGS: [EXCLUDE_K5_FirewallManagers, EXCLUDE_K5_Firewalls, EXCLUDE_K5_Networks, EXCLUDE_K5_SecurityGroups, EXCLUDE_K5_Servers, K5_Auth, K5_FirewallManagers, K5_Firewalls, K5_InterProjectLinks, K5_Networks, K5_SecurityGroups, K5_Servers, Performance_Testing, debug]

This then means that if I get a build fail part-way through, or if I’m debugging just a particular part, I can run this: ansible-playbook site.yml -t Performance_Testing --skip-tags EXCLUDE_K5_Firewalls,EXCLUDE_K5_SecurityGroups,EXCLUDE_K5_Networks

Using Python-OpenstackClient and Ansible with K5

2017-06-012017-06-08 JonTheNiceGuy Leave a comment

Recently, I have used K5, which is an instance of OpenStack, run by Fujitsu (my employer). To do some of the automation tasks I have played with both python-openstackclient and Ansible. This post is going to cover how to get those tools to work with K5.

I have access to a Linux virtual machine (Ubuntu 16.04) and the Windows Subsystem for Linux in Windows 10 to run “Bash on Ubuntu on Windows”, and both accept the same set of commands.

In order to run these commands, you need a couple of dependencies. Your mileage might vary with other Linux distributions, but, for Ubuntu based distributions, run this command:

sudo apt install python-pip build-essential libssl-dev libffi-dev python-dev

Next, use pip to install the python modules you need:

sudo -H pip install shade==1.11.1 ansible cryptography python-openstackclient

If you’re only ever going to be working with a single project, you can define a handful of environment variables prefixed OS_, like this:

export OS_USERNAME=BloggsF export OS_PASSWORD=MySuperSecretPasswordIsHere export OS_REGION_NAME=uk-1 export OS_USER_DOMAIN_NAME=YourProjectName export OS_PROJECT_NAME=YourProjectName-prj export OS_PROJECT_ID=baddecafbaddecafbaddecafbaddecaf export OS_AUTH_URL=https://identity.uk-1.cloud.global.fujitsu.com/v3 export OS_VOLUME_API_VERSION=2 export OS_IDENTITY_API_VERSION=3

But, if you’re working with a few projects, it’s probably worth separating these out into clouds.yml files. This would be stored in ~/.config/openstack/clouds.yml with the credentials for the environment you’re using:

--- clouds: root: identity_api_version: 3 regions: - uk-1 auth: auth_url: https://identity.uk-1.cloud.global.fujitsu.com/v3 password: MySuperSecretPasswordIsHere project_id: baddecafbaddecafbaddecafbaddecaf project_name: YourProjectName-prj username: BloggsF user_domain_name: YourProjectName

Optionally, you can separate out the password, username or any other “sensitive” information into a secure.yml file stored in the same location (removing those lines from the clouds.yml file), like this:

--- clouds: root: auth: password: MySuperSecretPasswordIsHere

Now, you can use the Python based Openstack Client, using this invocation:

openstack --os-cloud root server list

Alternatively you can use the Ansible Openstack (and K5) modules, like this:

--- tasks: - name: "Authenticate to K5" k5_auth: cloud: root register: k5_auth_reg - name: "Create Network" k5_create_network: name: "Public" availability_zone: "uk-1a" state: present k5_auth: "{{ k5_auth_reg.k5_auth_facts }}" - name: "Create Subnet" k5_create_subnet: name: "Public" network_name: "Public" cidr: "192.0.2.0/24" gateway_ip: "192.0.2.1" availability_zone: "uk-1a" state: present k5_auth: "{{ k5_auth_reg.k5_auth_facts }}" - name: "Create Router" k5_create_router: name: "Public" availability_zone: "uk-1a" state: present k5_auth: "{{ k5_auth_reg.k5_auth_facts }}" - name: "Attach private network to router" os_router: name: "Public" state: present network: "inf_az1_ext-net02" interfaces: "Public" cloud: root - name: "Create Servers" os_server: name: "Server" availability_zone: "uk-1a" flavor: "P-1" state: present key_name: "MyFirstKey" network: "Public-Network" image: "Ubuntu Server 14.04 LTS (English) 02" boot_from_volume: yes terminate_volume: yes security_groups: "Default" auto_ip: no timeout: 7200 cloud: root

Working with complicated template data UserData in Ansible

2017-03-242017-06-05 JonTheNiceGuy Leave a comment

My new job means I’m currently building a lot of test boxes with Ansible, particularly OpenStack guests. This means I’m trying to script as much as possible without actually … getting my hands dirty with the actual “logging into it and running things” perspective.

This week, I hit a problem standing up a popular firewall vendor’s machine with Ansible, because I was trying to bypass the first-time-wizard… anyway, it wasn’t working, and I couldn’t figure out why. I talked to my colleague [mohclips] and he eventually told me that I needed to use a template, because what I was trying to do was too complicated.

But, damn him, I knew that wasn’t the answer :)

Anyway, I found this comment on a ticket, which lead me to the following… if you’re finding that your userdata: variable in the os_server module of Ansible isn’t working, you might need to wrap it up like this:

userdata: |
  {%- raw -%}#!/bin/bash
  # Kill script if the pipe fails
  set -euf -o pipefail
  # Write everything from this point on to Syslog
  echo " == Set admin credentials == "
  clish -c 'set user admin password-hash {% endraw -%}{{ default_password|password_hash('sha512') }}{%- raw -%}' -s
  {% endraw %}

Note that, if you have a space before your variable, use {% endraw -%} and if you’ve a space after it, use {%- raw %} as the hyphen means “ditch all the spaces before/after this command”.

One to read or watch: “Programming is Forgetting: Toward a New Hacker Ethic”

2017-01-302017-06-02 JonTheNiceGuy Leave a comment

Here is a transcript of a talk by Allison Parrish at the Open Hardware Summit in Portland, OR. The talk “Programming is Forgetting: Toward a New Hacker Ethic” is a discussion about the failings of the book “Hackers” by Steven Levy. Essentially, that book proposed (in the 80’s) a set of ethics for Hackers (which is to say, creative programmers or engineers, not malicious operators). Allison suggests that many of the parables in the book do not truly reflect the “Hacker Ethic”, and revises them for today’s world.

Her new questions (not statements) are as follows:

Who gets to use what I make? Who am I leaving out? How does what I make facilitate or hinder access?
What data am I using? Whose labor produced it and what biases and assumptions are built into it? Why choose this particular phenomenon for digitization or transcription? And what do the data leave out?
What systems of authority am I enacting through what I make? What systems of support do I rely on? How does what I make support other people?
What kind of community am I assuming? What community do I invite through what I make? How are my own personal values reflected in what I make?

This is a significant re-work of the original “Hacker Ethic“, and you should really either watch or read the talk to see how she got to these from the original, especially as it’s not as punchy as the original.

I’d like to think I was thinking of things like these questions when I wrote CampFireManager and CCHits.

GPG Encrypting files using a keyserver

2016-04-062016-04-06 JonTheNiceGuy Leave a comment

Another “at work” post!

I’ve been generating files which need to be distributed via a file server, but need to be encrypted using GPG (the open source PGP application). Rather than managing keys for a large number of users, instead, I have a text file with the user names in, and a batch file. Please see the below gist for details :)

# Using this script Place this batch file and the text file into the same directory, edit the batch file to specify the key server and the text file to specify the names to encrypt. If you hit an issue where an individual has multiple keys against their name, the script may well complain and ditch responses. In this case, uncomment the line in the batch file which says: `REM %COMMAND% --recv-keys <KEY ID>` So it should say instead: `%COMMAND% --recv-keys DECAFBAD`@echo off REM SCRIPTNAME: run_gpg.bat REM AUTHOR: Jon Spriggs REM VERSION: 1.0 REM RELEASE: 2016-04-04 REM LICENSE: GNU General Public License 3.0 REM ABOUT: This script is used to automate the GPG encryption of any file to a series of email addresses. REM NOTES: You must run this from the path where the batch file and text files are located. set COMMAND=gpg --no-options set COMMAND=%COMMAND% --trust-model always set COMMAND=%COMMAND% --mangle-dos-filenames set COMMAND=%COMMAND% --no-default-keyring set COMMAND=%COMMAND% --keyserver ldap://your.key.server.here set COMMAND=%COMMAND% --auto-key-locate keyserver set COMMAND=%COMMAND% --quiet set COMMAND=%COMMAND% --primary-keyring ".\pubring.pkr" set COMMAND=%COMMAND% --secret-keyring ".\secring.skr" REM If you need to add particular keys (for example, where several matching strings occur) then uncomment this line: REM %COMMAND% --recv-keys <KEY ID> set COMMAND=%COMMAND% --options ".\email address list.txt" %COMMAND% --encrypt %1 del pubring.* secring.*recipient name@example.com recipient name2@example.com

Share this:

Note this is a non-working code sample!

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this: