aderixon

# set kernel option via grub2
# (e.g. to disable THP in EL8+)
#
# N.B. this code doesn't support updating the value of an existing setting (not fully idempotent);
# in that case it will add a duplicate entry that may or may not override the first.
# If you have a lot of settings to manipulate, it would be easier to explicitly override the entire kernelopts
# (or use regex_replace)
#
# assumes thp_setting contains the sysfs value for THP
#

aderixon

Towards a better GitLab runner registration in Ansible

(These are just notes for guidance, pending adding my current implementation to GitHub.)

Two issues:

1. The gitlab-runner module in Ansible supports only a limited number of options, and most of the (necessary) others have to be set manually in the runner configuration file. The gitlab-runner register command now supports the use of configuration templates to merge extra settings, but the module currently does not.
2. The GitLab API no longer has a method to return runner tokens after registration (for "seh-cyur-reh-teh"). The only place you can find the token after registration is in the runner configuration file. The token for each runner must be retained otherwise they'll be seen as new instances.

Therefore, to be able to register or modify runners in an idempotent way, you must retrieve the tokens for any currently registered tokens from the runner configuration file (/etc/gitlab-runner/config.toml) before updating it.

aderixon

# backported Jinja2 'equalto' test, from 2.10
# required for EL7
# place in test_plugins/ folder within your playbook or role directory:

from __future__ import (absolute_import, division, print_function)
__metaclass__ = type

import operator

class TestModule:

aderixon

SSSD 2.x in Enterprise Linux 8 appears to apply stricter checks to the base DN (ldap_search_base). eDirectory has no actual 'root' to its tree, so it provides a pseudo object for applications that require a base DN: t=treename, e.g. t=my-domain. This worked fine with SSSD 1.16 in EL7. However, it isn't a valid X.509 type and SSSD 2.x will fail to authenticate during initgroups if you use this as a search base; the error "Invalid DN Syntax(34)" will be logged when debugging is enabled (note also that debug_level must now be set in the [domain] section of sssd.conf, not [sssd]).

Fix is to leave out ldap_search_base altogether as eDirectory doesn't require it. You can set lower level DNs for ldap_user_search_base and ldap_group_search_base if available and standard (e.g. ou=Users,o=Organisation).

(Documenting this because it cost me a week of headbanging.)

aderixon

We're seeing an intermittent issue with PHP LDAP against a TLS connection using a self-signed server certificate on CentOS 7.6, in which for some connections the certificate fails to verify (despite the CA cert being present on the client). This only affects a web application using PHP-FPM and the standard PHP LDAP module - LDAP authentication through sssd works fine.

Components:

• CentOS Linux release 7.6.1810
• sssd-1.16.2-13.el7_6.8.x86_64
• openldap-2.4.44-21.el7_6.x86_64
• nss-3.36.0-7.1.el7_6.x86_64

aderixon

#!/bin/bash
# Write configs for UEFI boot from Cobbler, see:
# http://sapitnotes.com/cobbler-загрузка-по-pxe-в-режиме-uefi-centos-7/
# Translation:
# https://translate.google.com/translate?hl=en&sl=ru&u=http://sapitnotes.com/cobbler-%25D0%25B7%25D0%25B0%25D0%25B3%25D1%2580%25D1%2583%25D0%25B7%25D0%25BA%25D0%25B0-%25D0%25BF%25D0%25BE-pxe-%25D0%25B2-%25D1%2580%25D0%25B5%25D0%25B6%25D0%25B8%25D0%25BC%25D0%25B5-uefi-centos-7/&prev=search
# Adaptations by ajr, 2019-06
# Make executable and place in /var/lib/cobbler/triggers/sync/post/uefi.sh
# or equivalent for your Cobbler installation

for o_name in $(ls -A1 /var/lib/tftpboot/grub/ | grep -E '(.{2}-){6}.{2}');

aderixon

Consider this script on Solaris 11.3:

#!/bin/ksh93
echo "a\nb\nc" | while read val; do
  echo "$val :"
  ssh -q remotehost "zonecfg -z azone \"select capped-memory; end;\""
done

When run, it will only execute the first iteration of the loop:

aderixon

# Ansible tasks to obtain an existing API token from Graylog or
# create a new token if there isn't one.
# (Token can be used to create utility scripts from templates.)
# Token will be named 'ansible'.
# Illustrates use of uri module to interact with REST API,
# and JSON parsing in Ansible.
# Requires Graylog admin user & password.

- set_fact:
    graylog_token: ''

aderixon

---
# example playbook for file lookup when file may be missing
# file lookup plugin throws an exception for a missing file that can't be caught
# so check file(s) exist first and only perform lookups on those that do

- hosts: all
  become: false
  vars:
    filelist:
      - thisfile

aderixon

# before starting mysqld:

- name: check for MySQL pre systemd script
  stat:
    path: /usr/bin/mysqld_pre_systemd
  register: pre_systemd

# Monkey-patch MySQL pre-start systemd script to prevent it setting
# a random root password
# Don't hate me, blame Oracle