Friday, May 15, 2015

Active Directory authentication for Linux

Add the following lines to your kickstart config.

# Join AD domain
yum -y install pbis-open
/usr/bin/domainjoin-cli setname ${hostname}.corp.yourdomain.com
/usr/bin/domainjoin-cli join --ou OU=LinuxServers,OU=Internal,DC=corp,DC=yourdomain,DC=com corp.yourdomain.com joinaccount joinpassword
/opt/pbis/bin/config AssumeDefaultDomain true
/opt/pbis/bin/config LoginShellTemplate /bin/bash
/opt/pbis/bin/config HomeDirTemplate %H/%D/%U


Simple shell script to do the same:
joinad.sh

#!/bin/bash
if [ -z "$1" ]
  then
    echo "Usage: joinad.sh yourservername"
    exit 1
fi

echo "Joining $1"
ssh -t $1 "domainjoin-cli join --disable hostname --ou OU=LinuxServers,OU=Internal,DC=corp,DC=yourdomain,DC=com corp.yourdomain.com joinaccount joinpassword; /opt/pbis/bin/config AssumeDefaultDomain true; /opt/pbis/bin/config LoginShellTemplate /bin/bash; /opt/pbis/bin/config HomeDirTemplate %H/%U"

Terminal/Console

Screen

Below is some customization for screen utility.
cat .screenrc

# SSH agent link
setenv SSH_AUTH_SOCK $HOME/.ssh/ssh_auth_sock

# Number of lines
defscrollback 10000

# for ctrl right and left arrows
bindkey ^[[1;5D prev
bindkey ^[[1;5C next

bindkey "^[[D" prev # ctrl-left
bindkey "^[[C" next # ctrl-right

# To remove splits
bind X remove

# Window list at the bottom. hostname, centered tabs and redmarked active windows:
#hardstatus alwayslastline
#hardstatus string '%{= kG}[ %{G}%H %{g}][%= %{= kw}%?%-Lw%?%{r}(%{W}%n*%f%t%?(%u)%?%{r})%{w}%?%+Lw%?%?%= %{g}][%{B} %d/%m %{W}%c %{g}]'
#caption     always        "%{+b rk}%H%{gk} |%c %{yk}%d.%m.%Y | %72=Load: %l %{wk}"
hardstatus alwayslastline "%?%{yk}%-Lw%?%{wb}%n*%f %t%?(%u)%?%?%{yk}%+Lw%?"

To keep your ssh-agent running in screen session add rc file:
cat .ssh/rc
if test "$SSH_AUTH_SOCK" ; then
  ln -sf $SSH_AUTH_SOCK ~/.ssh/ssh_auth_sock
fi

Monday, May 11, 2015

VMware CLI management

I'm trying to use command line interface as much as I can.  Below are some examples of VMware CLI management.

Get a list of all VMs:
vim-cmd vmsvc/getallvms
Take a look at template:
/vmfs/volumes/541abff4-d8f5aafc-5d95-002590e90bb0 # /vmfs/volumes/datastore1/vmwa
re-ovftool/ovftool prve-loadtest.ova
Deploy VM from Windows ovf tool:
C:\Program Files (x86)\VMware\VMware OVF Tool>ovftool --disableVerification --no
SSLVerify -dm=thick --datastore=datastore1 --name=loadtest1  --net:"VM Net
work"="VM Network" c:\Users\igrinkin\loadtest.ova vi://root:root_password@hypervisor1
Opening OVA source: c:\Users\igrinkin\loadtest.ova
Opening VI target: vi://root@10.107.130.29:443/
Deploying to VI: vi://root@10.107.130.29:443/
Transfer Completed
The manifest validates
Warning:
 - No manifest entry found for: 'loadtest1-disk1.vmdk'.
Completed successfully

Copy VM to another ESX server

ssh hypervisor1
cd /vmfs/volumes/datastore1/
scp -r /vmfs/volumes/datastore1/testvm/ hypervisor2:/vmfs/volumes/datastore1/
Open hypervisor2 in vSphere
Configuration - Storage - right-click on datastore1 - Browse to "testvm" folder - click on testvm.vmx - Add to inventory
Remove VM from hypervisor1 to cleanup
You can easily script it to emulate what Vcenter does.

Add a second hard drive to VM without reboot

Add second drive to live server.
Run
echo "- - -" > /sys/class/scsi_host/host2/scan
fdisk should show you the second drive.  Create partition and format.
mkfs.ext3 -m0 /dev/sdb1
tune2fs -c0 -i0 /dev/sdb1

Using mysql module in puppet manifest

I downloaded mysql module from Puppet Labs.

Here is an example of using it in graphite module.

class graphite {

    $graphite_packages = ["graphite-web","MySQL-python","python-carbon","python-whisper"]
    package { $graphite_packages: ensure => installed }

    $graphite_services = ["httpd","carbon-cache"]
    service { $graphite_services: ensure => running, enable => true }

    file { "/etc/graphite-web/local_settings.py":
           owner => "root",
           group => "root",
           mode  => 644,
           source => "puppet:///modules/graphite/local_settings.py",
           notify  => Service["httpd"],
    }

    file { "/etc/carbon/storage-schemas.conf":
           owner => "root",
           group => "root",
           mode  => 644,
           source => "puppet:///modules/graphite/storage-schemas.conf",
           notify  => Service["httpd"],
    }

    file { "/root/graph.sql":
           owner => "root",
           group => "root",
           mode  => 644,
           source => "puppet:///modules/graphite/graph.sql",
           notify  => Service["mysqld"],
    }

    include '::mysql::server'

    mysql::db { 'mydb':
      dbname         => 'graphite',
      user           => 'graphite',
      password       => 'graphitepassword',
      host           => 'localhost',
      grant          => ['ALL'],
      sql            => '/root/graph.sql',
      import_timeout => 900,
    }

}

Friday, May 08, 2015

How to: puppet - hiera - foreman enc

Here is an example of a puppet setup with hiera and Foreman as ENC (external node classifier)

Let's say I want to manage my /etc/resolv.conf using puppet.  Since I have multiple datacenters, I want to point linux clients to the closest DNS server.

I want my puppet templates to be generic, so that I don't have to touch it again.  All hard-coded data (like IP addresses) goes into hiera.

Puppet

I separate puppet classes by modules for convenience.  Here is how puppet manifest looks like:

cat puppet/modules/dns/manifests/init.pp

class dns ( $dns_search = hiera("dns::search"),
            $dns_servers = hiera("dns::servers")) {

    file { "/etc/resolv.conf":
           owner => "root",
           group => "root",
           mode  => 644,
           content => template("dns/resolv.conf.erb"),
    }
}
Basically, I'm saying that "dns_search" and "dns_servers" variables will come from hiera data.

Here is the template that puppet will apply:
cat puppet/modules/dns/templates/resolv.conf.erb

# This file is controlled by Puppet
search <%= dns_search %>
<% @dns_servers.each do |server| -%>
nameserver <%= server %>
<% end -%>

Hiera

Hiera configuration file goes by location:
cat /etc/puppet/hiera.yaml

---
:backends:
  - yaml
:yaml:
  :datadir: /etc/puppet/hieradata
:hierarchy:
  - "%{::clientcert}"
  - "nodes/%{::fqdn}"
  - "%{::environment}"
  - "location/%{::location}"
  - defaults

Location hiera file for Redwood City will look like:
cat puppet/hieradata/location/rwc.yaml

---
dns::search: rwc.mycompany.com mycompany.com
dns::servers:
 - 192.168.0.2
 - 192.168.0.3
 - 10.10.0.2

Foreman

You don't have to use Foreman but it gives you a nice GUI, dashboard and can easily be used as ENC to create puppet host groups and configuration groups.

Foreman installation was pretty straightforward from:
http://theforeman.org/manuals/1.1/quickstart_guide.html

foreman-installer --foreman-db-type=mysql

I used mysql database and my own certificate that was signed by my own CA.
cat /etc/puppet/foreman.yaml

---
:url: "https://foreman.mycompany.com"
:ssl_ca: "/etc/pki/tls/certs/mycompanyca.crt"
:ssl_cert: "/etc/pki/tls/certs/foreman.crt"
:ssl_key: "/etc/pki/tls/private/foreman.key"
:user: ""
:password: ""
:puppetdir: "/var/lib/puppet"
:puppetuser: "puppet"
:facts: true
:timeout: 10
:threads: null

Wednesday, April 15, 2015

GIT

Create new GIT repo on the server:
add user git
create athorized_keys for git
mkdir /data/git
ln -s /data/git /git
cd /git
mkdir ops.git
cd ops.git
git --bare init

Friday, April 10, 2015

Puppet notes

Built-in puppet variables in templates:

# This file is controlled by Puppet
# /etc/puppet/puppet.conf
# <%= scope.lookupvar('::osfamily') %> <%= scope.lookupvar('::operatingsystemmajrelease') %>

Example of template and file:

    file { "/etc/puppet/puppet.conf":
           owner => "root",
           group => "root",
           mode  => 644,
           content => template("puppet/puppet.conf.erb"),
           notify  => Service["puppet"],
    }

    file { "/etc/sysconfig/puppet":
           owner => "root",
           group => "root",
           mode  => 644,
           source => "puppet:///modules/puppet/puppet",
           notify  => Service["puppet"],
    }

Hieradata

cat hiera.yaml
---
:backends:
  - yaml
:yaml:
  :datadir: /etc/puppet/hieradata
:hierarchy:
  - "%{::clientcert}"
  - "nodes/%{::fqdn}"
  - "%{::environment}"
  - "location/%{::location}"
  - defaults


Example of location yaml

cat location/mylocation.yaml
---
dns::search: myl.location.com location.com
dns::servers:
 - 192.168.0.100
 - 192.168.0.101
ssh::group_key: AAAAB3NzaC1yc........

Monday, March 16, 2015

How to setup E-mail relay

Gmail rejects e-mail from my server.


Solution: E-mail relay through Mandrill (MailChimp service)

1.  Create account with Mandrill (it's free)
2.  Generate some API key on Mandrill website
3.  Setup your Postfix
 yum -y install postfix cyrus-sasl-plain cyrus-sasl-md5

4.  Modify /etc/postfix/main.cf
relayhost = smtp.mandrillapp.com
smtp_sasl_auth_enable=yes
smtp_sasl_password_maps=hash:/etc/postfix/sasl_passwd
smtp_sasl_mechanism_filter = AUTH LOGIN
smtp_sasl_security_options =


5.  Put your credentials in /etc/postfix/sasl_passwd file
smtp.mandrillapp.com yourusername@yourdomain.com:yourapikeyhere

6.  Create sasl db readable by postfix
postmap sasl_passwd
chmod 600 sasl_passwd
chown postfix:postfix sasl_passwd.db


Your maillog should look similar to this:
Mar 15 23:45:05 tm1 postfix/master[29546]: daemon started -- version 2.6.6, configuration /etc/postfix
Mar 15 23:45:41 tm1 postfix/pickup[29548]: 34B98580496: uid=500 from=<user>
Mar 15 23:45:41 tm1 postfix/cleanup[29678]: 34B98580496: message-id=<20150316064541.34B98580496@mail.tagmap.me>
Mar 15 23:45:41 tm1 postfix/qmgr[29549]: 34B98580496: from=<user@mail.tagmap.me>, size=419, nrcpt=1 (queue active)
Mar 15 23:45:42 tm1 postfix/smtp[29680]: 34B98580496: to=<user@gmail.com>, relay=smtp.mandrillapp.com[54.70.134.182]:25, delay=1.3, delays=0.02/0.01/1.1/0.24, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 5A3F038028A)
Mar 15 23:45:42 tm1 postfix/qmgr[29549]: 34B98580496: removed