Useful ansible stuff

inventory_hostname

inventory_hostname‘ contains the name of the current node being worked on…. (as in, what it is defined in your hosts file as) so if you want to skip a task for a single node –

- name: Restart amavis
  service: name=amavis state=restarted
  when: inventory_hostname != "boris"

(Don’t restart Amavis for boris,  do for all others).

You could also use :

...
  when: inventory_hostname not in groups['group_name']
...

if your aim was to (perhaps skip) a task for some nodes in the specified group.

 

Need to check whether you need to reboot for a kernel update?

  1. If /vmlinuz doesn’t resolve to the same kernel as we’re running
  2. Reboot
  3. Wait 45 seconds before carrying on…
- name: Check for reboot hint.
  shell: if [ $(readlink -f /vmlinuz) != /boot/vmlinuz-$(uname -r) ]; then echo 'reboot'; else echo 'no'; fi
  ignore_errors: true
  register: reboot_hint

- name: Rebooting ...
  command: shutdown -r now "Ansible kernel update applied"
  async: 0
  poll: 0
  ignore_errors: true
  when: kernelup|changed or reboot_hint.stdout.find("reboot") != -1
  register: rebooting

- name: Wait for thing to reboot...
  pause: seconds=45
  when: rebooting|changed

Fixing ~/.ssh/known_hosts

Often an ansible script may create a remote node – and often it’ll have the same IP/name as a previous entity. This confuses SSH — so after creating :

- name: Fix .ssh/known_hosts. (1)
  local_action: command  ssh-keygen -f "~/.ssh/known_hosts" -R hostname

If you’re using ec2, for instance, you could do something like :

- name: Fix .ssh/known_hosts.
  local_action: command  ssh-keygen -f "~/.ssh/known_hosts" -R {{ item.public_ip }} 
  with_items: ec2_info.instances

Where ec2_info is your registered variable from calling the ‘ec2’ module.

Debug/Dump a variable?

- name: What's in reboot_hint?
  debug: var=reboot_hint

which might output something like :

"reboot_hint": {
        "changed": true, 
        "cmd": "if [ $(readlink -f /vmlinuz) != /boot/vmlinuz-$(uname -r) ]; then echo 'reboot'; else echo 'no'; fi", 
        "delta": "0:00:00.024759", 
        "end": "2014-07-29 09:05:06.564505", 
        "invocation": {
            "module_args": "if [ $(readlink -f /vmlinuz) != /boot/vmlinuz-$(uname -r) ]; then echo 'reboot'; else echo 'no'; fi", 
            "module_name": "shell"
        }, 
        "rc": 0, 
        "start": "2014-07-29 09:05:06.539746", 
        "stderr": "", 
        "stdout": "reboot", 
        "stdout_lines": [
            "reboot"
        ]
    }

Which leads on to —

Want to run a shell command do something with the output?

Registered variables have useful attributes like :

  • changed – set to boolean true if something happened (useful to tell when a task has done something on a remote machine).
  • stderr – contains stringy output from stderr
  • stdout – contains stringy output from stdout
  • stdout_lines – contains a list of lines (i.e. stdout split on \n).

(see above)

- name: Do something
  shell: /usr/bin/something | grep -c foo || true
  register: shell_output

So – we could :

- name: Catch some fish (there are at least 5)
  shell: /usr/bin/somethingelse 
  when: shell_output.stdout > "5"

Default values for a Variable, and host specific values.

Perhaps you’ll override a variable, or perhaps not … so you can do something like the following in a template :

...
max_allowed_packet = {{ mysql_max_allowed_packet|default('128M') }}
...

And for the annoying hosts that need a larger mysql_max_allowed_packet, just define it within the inventory hosts file like :

[linux_servers]
beech
busy-web-server mysql_max_allowed_packet=256M
Advertisements

Install Virtualbox on Centos 7

1. Change to root User

Bash

su -
## OR ##
sudo -i

2. Install Fedora or RHEL Repo Files

Bash

cd /etc/yum.repos.d/

## Fedora 26/25/24/23/22/21/20/19/18/17/16 users
wget http://download.virtualbox.org/virtualbox/rpm/fedora/virtualbox.repo

## CentOS 7.4/6.9 and Red Hat (RHEL) 7.4/6.9 users
wget http://download.virtualbox.org/virtualbox/rpm/rhel/virtualbox.repo

3. Update latest packages and check your kernel version

Update packages

Bash

## Fedora 26/25/24/23/22 ##
dnf update

## Fedora 21/20/19/18/17/16 and CentOS/RHEL 7/6/5 ##
yum update


While executing yum update if you get any dependency errorfor glibc use the following to resolve it:

rpm -qa | grep glibc
You may see duplicates for either glibc or glibc common. There might be a common version in between any two packages of glibc and glibc-common. Remove the package which has uncommon version.

You can also check for duplicates with the following command:
yum list –showduplicates glibc

rpm -e glibc-common-2.17-196.el7

rpm -qa kernel |sort -V |tail -n 1

uname -r

Note: If you got kernel update or run older kernel than newest installed then reboot:

Bash

reboot

4. Install following dependency packages

CentOS 7/6/5 and Red Hat (RHEL) 7/6/5 needs EPEL repository, install it with following command:

Bash

## CentOS 7 and RHEL 7 ##
rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm

## CentOS 6 and RHEL 6 ##
rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm

## CentOS 5 and RHEL 5 ##
rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-5.noarch.rpm
Bash

## Fedora 26/25/24/23/22 ##
dnf install binutils gcc make patch libgomp glibc-headers glibc-devel kernel-headers kernel-devel dkms

## Fedora 21/20/19/18/17/16 and CentOS/RHEL 7/6/5 ##
yum install binutils gcc make patch libgomp glibc-headers glibc-devel kernel-headers kernel-devel dkms

## PAE kernel users install ##
## Fedora 24/23/22 ##
dnf install binutils gcc make patch libgomp glibc-headers glibc-devel kernel-headers kernel-PAE-devel dkms

## Fedora 21/20/19/18/17/16 and CentOS/RHEL 7/6/5 ##
yum install binutils gcc make patch libgomp glibc-headers glibc-devel kernel-headers kernel-PAE-devel dkms

5. Install VirtualBox Latest Version 5.1 (currently 5.1.28)

Bash

## Fedora 26/25/24/23/22 ##
dnf install VirtualBox-5.1

## Fedora 21/20/19/18/17/16/15/14 and CentOS/RHEL 7/6/5 ##
yum install VirtualBox-5.1

Note:
This command create automatically vboxusers group and VirtualBox user must be member of that group.
This command also build needed kernel modules.
Package is VirtualBox-5.1 not VirtualBox.

Rebuild kernel modules with following command:

Bash

## Fedora 26/25/24/23/22/21/20/19 and CentOS/RHEL 7 ##
/usr/lib/virtualbox/vboxdrv.sh setup

## Fedora 18/17/16 and CentOS/RHEL 6/5 ##
/etc/init.d/vboxdrv setup
## OR ##
service vboxdrv setup

You might get the following error:

vboxdrv.sh: Stopping VirtualBox services.
vboxdrv.sh: Building VirtualBox kernel modules.
This system is not currently set up to build kernel modules (system extensions).
Running the following commands should set the system up correctly:

yum install kernel-devel-3.10.0-327.28.2.el7.x86_64
(The last command may fail if your system is not fully updated.)
yum install kernel-devel
vboxdrv.sh: failed: Look at /var/log/vbox-install.log to find out what went wrong.

Execute the following: yum install kernel-devel

If the error still persists look in the log: /var/log/vbox-install.log
If you find the following error: Error: unable to find the sources of your current Linux kernel. Specify KERN_DIR=<directory> and run Make again. Stop.

## Current running kernel on Fedora ##
KERN_DIR=/usr/src/kernels/`uname -r`
 
## Current running kernel on CentOS and Red Hat (RHEL) ##
KERN_DIR=/usr/src/kernels/`uname -r`-`uname -m`
 
## Fedora example ##
KERN_DIR=/usr/src/kernels/2.6.33.5-124.fc13.i686
 
## CentOS and Red Hat (RHEL) example ##
KERN_DIR=/usr/src/kernels/2.6.18-194.11.1.el5-x86_64
 
## Export KERN_DIR ##
export KERN_DIR

Make sure your system is rebooted.

6. Add VirtualBox User(s) to vboxusers Group

Replace user_name with your own user name or some another real user name.

Bash

usermod -a -G vboxusers user_name

7. Start VirtualBox

Use launcher from menu or simply run:

Bash

VirtualBox

fswatch – Monitors Files and Directory Changes or Modifications in Linux

fswatch is a cross-platform, file change monitor that gets notification alerts when the contents of the specified files or directories are altered or modified.

It executes four types of monitors on different operating systems such as:

  1. A monitor build on the File System Events API of Apple OS X.
  2. A monitor based on kqueue, a notification interface present in FreeBSD 4.1 also supported on many *BSD systems, OS X inclusive.
  3. A monitor based on File Events Notification API of the Solaris kernel plus its spin-offs.
  4. A monitor based on inotify, a kernel subsystem that shows file system modifications to apps.
  5. A monitor based on ReadDirectoryChangesW, a Windows API that records alters to a directory.
  6. A monitor that regularly check that status of file system, keeps file modification times in memory, and manually determine file system changes (which works anywhere, where stat can be used).

Features of fswatch

  1. Supports several OS-specific APIs
  2. Allows recursive directory monitoring
  3. Performs path filtering using including and excluding regular expressions
  4. Supports customizable record format
  5. Additionally, it supports periodic idle events

How To Install fswatch in Linux Systems

Unfortunately, fswatch package is not available to install from the default system repositories in any Linux distributions. The only way to install the latest version of fswatch is to build from source tarball as show in the following installation instructions.

First grab the latest fswatch tarball using following wget command and install it as shown:

$ wget https://github.com/emcrisostomo/fswatch/releases/download/1.9.3/fswatch-1.9.3.tar.gz
$ tar -xvzf fswatch-1.9.3.tar.gz
$ cd fswatch-1.9.3
$ ./configure
$ make
$ sudo make install 

Important: Make sure you’ve GNU GCC (C and C++ Compiler) and Development Tools (build-essential on Debian/Ubuntu) installed on the system, before you compile fswatch from source. If not, install it using following command on your respective Linux distributions..

# yum group install 'Development Tools'		[On CentOS/RHEL]
# dnf group install 'Development Tools'		[On Fedora 22+ Versions]
$ sudo apt-get install build-essential          [On Debian/Ubuntu Versions]

On Debian/Ubuntu distributions, you might get following error while executing fswatch command..

fswatch: error while loading shared libraries: libfswatch.so.6: cannot open shared object file: No such file or directory

To fix it, you need to execute the command below, this will help refresh the links and cache to the dynamic libraries before you can start using fswatch.

$ sudo ldconfig

How do I use fswatch on Linux?

The general syntax for running fswatch is:

$ fswatch [option] [path]

On Linux, it is recommended that you use the default inotify monitor, you can list available monitors by employing the -M or - list-monitors option:

$ fswatch -M
$ fswatch --list-monitors

fswatch - List Monitors

The command below enables you to watch the changes in the current directory (/home/tecmint), with events being delivered to standard output every 4 seconds.

The -l or –-latency option allows you to set the latency in seconds, the default being 1 second.

$ fswatch -l 4 .

fswatch - Monitor Home Directory Changes

The next command monitors changes to the /var/log/auth.log file every 5 seconds:

$ fswatch -l 5 /var/log/auth.log

Using -t or --timestamp option prints the time stamp for every event, to print the time in UTC format, employ -u or --utf-time option. You can as well format time using -f or --format-time format option:

$ fswatch --timestamp /var/log/auth.log

Next, -x or --event-flags tells fswatch to print the event flags along side the event path. You can use –event-field-seperator option to print events using the particular separator.

$ fswatch --events-flags ~ /var/log/auth.log

To print the numeric value of an event indicating changes in your home directory and /var/log/auth.log file, use -n or --numeric option as below:

$ fswatch --numeric ~ /var/log/auth.log 

Perhaps you can look through the fswatch man page for detailed usage options and information:

$ man fswatch

Pyinotify – Monitor Filesystem Changes in Real-Time in Linux

Pyinotify is a simple yet useful Python module for monitoring filesystems changes in real-time in Linux.

As a System administrator, you can use it to monitor changes happening to a directory of interest such as web directory or application data storage directory and beyond.

It depends on inotify (a Linux kernel feature incorporated in kernel 2.6.13), which is an event-driven notifier, its notifications are exported from kernel space to user space via three system calls.

The purpose of pyinotify is to bind the three system calls, and support an implementation on top of them providing a common and abstract means to manipulate those functionalities.

In this article, we will show you how to install and use pyinotify in Linux to monitor filesystem changes or modifications in real-time.

Dependencies

In order to use pyinotify, your system must be running:

  1. Linux kernel 2.6.13 or higher
  2. Python 2.4 or higher

How to Install Pyinotify in Linux

First start by checking the kernel and Python versions installed on your system as follows:

# uname -r 
# python -V

Once dependencies are met, we will use pip to install pynotify. In most Linux distributions, Pip is already installed if you’re using Python 2 >=2.7.9 or Python 3 >=3.4 binaries downloaded from python.org, otherwise, install it as follows:

# yum install python-pip      [On CentOS based Distros]
# apt-get install python-pip  [On Debian based Distros]
# dnf install python-pip      [On Fedora 22+]

Now, install pyinotify like so:

# pip install pyinotify

It will install available version from the default repository, if you are looking to have a latest stable version of pyinotify, consider cloning it’s git repository as shown.

# git clone https://github.com/seb-m/pyinotify.git
# cd pyinotify/
# ls
# python setup.py install

How to Use pyinotify in Linux

In the example below, I am monitoring any changes to the user tecmint’s home (/home/tecmint) directory as root user (logged in via ssh) as shown in the screenshot:

# python -m pyinotify -v /home/tecmint

Monitor Directory Changes

Next, we will keep a watch for any changes to the web directory (/var/www/html/tecmint.com):

# python -m pyinotify -v /var/www/html/tecmint.com

To exit the program, simply hit [Ctrl+C].

Note: When you run pyinotify without specifying any directory to monitor, the /tmp directory is considered by default.

Docker Security

2017-03-19 10_39_45-GOTO2016•Docker-Download-From2-YTPak.com.mp4 - VLC media player2017-03-19 10_40_30-GOTO2016•Docker-Download-From2-YTPak.com.mp4 - VLC media player2017-03-19 10_40_45-GOTO2016•Docker-Download-From2-YTPak.com.mp4 - VLC media player2017-03-19 10_41_21-GOTO2016•Docker-Download-From2-YTPak.com.mp4 - VLC media player2017-03-19 10_41_31-GOTO2016•Docker-Download-From2-YTPak.com.mp4 - VLC media player2017-03-19 10_41_44-GOTO2016•Docker-Download-From2-YTPak.com.mp4 - VLC media player

Docker contaniners share the kernel wth the machine they are running on.

2017-03-19 10_44_12-GOTO2016•Docker-Download-From2-YTPak.com.mp4 - VLC media player.png

If any of the containers starts using up more resources like CPU, RAM the other containers might run ino /do/s issue.

2017-03-19 10_45_35-GOTO2016•Docker-Download-From2-YTPak.com.mp4 - VLC media player.png

The attack can break out from a container into the host  machine or other containers.

2017-03-19 10_46_35-GOTO2016•Docker-Download-From2-YTPak.com.mp4 - VLC media player.png

Make sure that the images coming from dockerhub are from trusted sources.

2017-03-19 10_47_30-GOTO2016•Docker-Download-From2-YTPak.com.mp4 - VLC media player

You should be careful with what secrets you store in your containers.2017-03-19 10_47_51-GOTO2016•Docker-Download-From2-YTPak.com.mp4 - VLC media player2017-03-19 10_48_01-GOTO2016•Docker-Download-From2-YTPak.com.mp4 - VLC media player2017-03-19 10_48_32-GOTO2016•Docker-Download-From2-YTPak.com.mp4 - VLC media player

2017-03-19 10_52_52-GOTO2016•Docker-Download-From2-YTPak.com.mp4 - VLC media player.png

You can use the commands:

docker network disconnect nh

nh is the name of the container. This will disconnect your containers from the network and they will be inaccessible.

docker diff

Docker diff will show you which files have been modified.

If you do not want external invalid/destructive files to modify your containersthen you can make your containers read-only

2017-03-19 10_56_31-GOTO2016•Docker-Download-From2-YTPak.com.mp4 - VLC media player.png

Specify –read-only option while running your container.

2017-03-19 11_00_00-GOTO2016•Docker-Download-From2-YTPak.com.mp4 - VLC media player2017-03-19 11_00_14-GOTO2016•Docker-Download-From2-YTPak.com.mp4 - VLC media player2017-03-19 11_00_35-GOTO2016•Docker-Download-From2-YTPak.com.mp4 - VLC media player

2017-03-19 11_03_31-GOTO2016•Docker-Download-From2-YTPak.com.mp4 - VLC media player2017-03-19 11_03_41-GOTO2016•Docker-Download-From2-YTPak.com.mp4 - VLC media player2017-03-19 11_04_27-GOTO2016•Docker-Download-From2-YTPak.com.mp4 - VLC media player2017-03-19 11_04_51-GOTO2016•Docker-Download-From2-YTPak.com.mp4 - VLC media player2017-03-19 11_05_01-GOTO2016•Docker-Download-From2-YTPak.com.mp4 - VLC media player2017-03-19 11_05_39-GOTO2016•Docker-Download-From2-YTPak.com.mp4 - VLC media player2017-03-19 11_06_11-GOTO2016•Docker-Download-From2-YTPak.com.mp4 - VLC media player2017-03-19 11_06_35-GOTO2016•Docker-Download-From2-YTPak.com.mp4 - VLC media player2017-03-19 11_06_46-GOTO2016•Docker-Download-From2-YTPak.com.mp4 - VLC media player

2017-03-19 11_07_41-GOTO2016•Docker-Download-From2-YTPak.com.mp4 - VLC media player

2017-03-19 11_10_19-GOTO2016•Docker-Download-From2-YTPak.com.mp4 - VLC media player2017-03-19 11_10_37-GOTO2016•Docker-Download-From2-YTPak.com.mp4 - VLC media player2017-03-19 11_10_53-GOTO2016•Docker-Download-From2-YTPak.com.mp4 - VLC media player2017-03-19 11_11_21-GOTO2016•Docker-Download-From2-YTPak.com.mp4 - VLC media player2017-03-19 11_11_45-GOTO2016•Docker-Download-From2-YTPak.com.mp4 - VLC media player2017-03-19 11_12_03-GOTO2016•Docker-Download-From2-YTPak.com.mp4 - VLC media player2017-03-19 11_12_44-GOTO2016•Docker-Download-From2-YTPak.com.mp4 - VLC media player2017-03-19 11_12_55-GOTO2016•Docker-Download-From2-YTPak.com.mp4 - VLC media player2017-03-19 11_13_11-GOTO2016•Docker-Download-From2-YTPak.com.mp4 - VLC media player2017-03-19 11_13_55-GOTO2016•Docker-Download-From2-YTPak.com.mp4 - VLC media player2017-03-19 11_14_06-GOTO2016•Docker-Download-From2-YTPak.com.mp4 - VLC media player2017-03-19 11_14_21-GOTO2016•Docker-Download-From2-YTPak.com.mp4 - VLC media player2017-03-19 11_14_35-GOTO2016•Docker-Download-From2-YTPak.com.mp4 - VLC media player2017-03-19 11_15_00-GOTO2016•Docker-Download-From2-YTPak.com.mp4 - VLC media player2017-03-19 11_15_43-GOTO2016•Docker-Download-From2-YTPak.com.mp4 - VLC media player2017-03-19 11_16_29-GOTO2016•Docker-Download-From2-YTPak.com.mp4 - VLC media player2017-03-19 11_17_06-GOTO2016•Docker-Download-From2-YTPak.com.mp4 - VLC media player2017-03-19 11_17_17-GOTO2016•Docker-Download-From2-YTPak.com.mp4 - VLC media player2017-03-19 11_17_34-GOTO2016•Docker-Download-From2-YTPak.com.mp4 - VLC media player2017-03-19 11_18_37-GOTO2016•Docker-Download-From2-YTPak.com.mp4 - VLC media player2017-03-19 11_18_48-GOTO2016•Docker-Download-From2-YTPak.com.mp4 - VLC media player

 

2017-03-19 11_19_44-GOTO2016•Docker-Download-From2-YTPak.com.mp4 - VLC media player