Skip to content

Instantly share code, notes, and snippets.

@aderixon
aderixon / grub2-kernelopts.yml
Created November 9, 2022 11:48
Adding kernelopts in GRUB 2 with Ansible
# set kernel option via grub2
# (e.g. to disable THP in EL8+)
#
# N.B. this code doesn't support updating the value of an existing setting (not fully idempotent);
# in that case it will add a duplicate entry that may or may not override the first.
# If you have a lot of settings to manipulate, it would be easier to explicitly override the entire kernelopts
# (or use regex_replace)
#
# assumes thp_setting contains the sysfs value for THP
#
@aderixon
aderixon / gitlab-runner-implementation.md
Last active November 12, 2021 11:08
Towards a better GitLab runner registration in Ansible

Towards a better GitLab runner registration in Ansible

(These are just notes for guidance, pending adding my current implementation to GitHub.)

Two issues:

  1. The gitlab-runner module in Ansible supports only a limited number of options, and most of the (necessary) others have to be set manually in the runner configuration file. The gitlab-runner register command now supports the use of configuration templates to merge extra settings, but the module currently does not.
  2. The GitLab API no longer has a method to return runner tokens after registration (for "seh-cyur-reh-teh"). The only place you can find the token after registration is in the runner configuration file. The token for each runner must be retained otherwise they'll be seen as new instances.

Therefore, to be able to register or modify runners in an idempotent way, you must retrieve the tokens for any currently registered tokens from the runner configuration file (/etc/gitlab-runner/config.toml) before updating it.

@aderixon
aderixon / equalto.py
Last active November 12, 2021 10:27
Ansible Jinja2 2.7 equalto test
# backported Jinja2 'equalto' test, from 2.10
# required for EL7
# place in test_plugins/ folder within your playbook or role directory:
from __future__ import (absolute_import, division, print_function)
__metaclass__ = type
import operator
class TestModule:
@aderixon
aderixon / centos8-sssd-basedn.md
Last active December 3, 2020 16:12
Fun with EL8, SSSD and eDirectory LDAP

SSSD 2.x in Enterprise Linux 8 appears to apply stricter checks to the base DN (ldap_search_base). eDirectory has no actual 'root' to its tree, so it provides a pseudo object for applications that require a base DN: t=treename, e.g. t=my-domain. This worked fine with SSSD 1.16 in EL7. However, it isn't a valid X.509 type and SSSD 2.x will fail to authenticate during initgroups if you use this as a search base; the error "Invalid DN Syntax(34)" will be logged when debugging is enabled (note also that debug_level must now be set in the [domain] section of sssd.conf, not [sssd]).

Fix is to leave out ldap_search_base altogether as eDirectory doesn't require it. You can set lower level DNs for ldap_user_search_base and ldap_group_search_base if available and standard (e.g. ou=Users,o=Organisation).

(Documenting this because it cost me a week of headbanging.)

@aderixon
aderixon / openldap-tlsmc-php-bug.md
Last active October 8, 2019 10:40
CentOS/RHEL 7.5+ OpenLDAP TLS bug with self-signed certificate & PHP LDAP

We're seeing an intermittent issue with PHP LDAP against a TLS connection using a self-signed server certificate on CentOS 7.6, in which for some connections the certificate fails to verify (despite the CA cert being present on the client). This only affects a web application using PHP-FPM and the standard PHP LDAP module - LDAP authentication through sssd works fine.

Components:

  • CentOS Linux release 7.6.1810
  • sssd-1.16.2-13.el7_6.8.x86_64
  • openldap-2.4.44-21.el7_6.x86_64
  • nss-3.36.0-7.1.el7_6.x86_64
@aderixon
aderixon / uefi.sh
Last active September 11, 2019 08:16
Cobbler post-sync trigger script to generate GRUB2 per-client configurations
#!/bin/bash
# Write configs for UEFI boot from Cobbler, see:
# http://sapitnotes.com/cobbler-загрузка-по-pxe-в-режиме-uefi-centos-7/
# Translation:
# https://translate.google.com/translate?hl=en&sl=ru&u=http://sapitnotes.com/cobbler-%25D0%25B7%25D0%25B0%25D0%25B3%25D1%2580%25D1%2583%25D0%25B7%25D0%25BA%25D0%25B0-%25D0%25BF%25D0%25BE-pxe-%25D0%25B2-%25D1%2580%25D0%25B5%25D0%25B6%25D0%25B8%25D0%25BC%25D0%25B5-uefi-centos-7/&prev=search
# Adaptations by ajr, 2019-06
# Make executable and place in /var/lib/cobbler/triggers/sync/post/uefi.sh
# or equivalent for your Cobbler installation
for o_name in $(ls -A1 /var/lib/tftpboot/grub/ | grep -E '(.{2}-){6}.{2}');
@aderixon
aderixon / zonecfg-loop-bug.txt
Last active March 7, 2019 12:33
Solaris 11.3 bug/oddity with remote zonecfg in loop
Consider this script on Solaris 11.3:
#!/bin/ksh93
echo "a\nb\nc" | while read val; do
echo "$val :"
ssh -q remotehost "zonecfg -z azone \"select capped-memory; end;\""
done
When run, it will only execute the first iteration of the loop:
@aderixon
aderixon / graylog-api-token.yml
Created November 13, 2018 11:30
Example of creating Graylog API token in Ansible
# Ansible tasks to obtain an existing API token from Graylog or
# create a new token if there isn't one.
# (Token can be used to create utility scripts from templates.)
# Token will be named 'ansible'.
# Illustrates use of uri module to interact with REST API,
# and JSON parsing in Ansible.
# Requires Graylog admin user & password.
- set_fact:
graylog_token: ''
@aderixon
aderixon / lookup-test.yml
Last active June 16, 2021 11:04
Ansible file lookups when file is potentially not present
---
# example playbook for file lookup when file may be missing
# file lookup plugin throws an exception for a missing file that can't be caught
# so check file(s) exist first and only perform lookups on those that do
- hosts: all
become: false
vars:
filelist:
- thisfile
@aderixon
aderixon / main.yml
Last active September 22, 2017 13:33
Ansible MySQL 5.7 Community Edition install
# before starting mysqld:
- name: check for MySQL pre systemd script
stat:
path: /usr/bin/mysqld_pre_systemd
register: pre_systemd
# Monkey-patch MySQL pre-start systemd script to prevent it setting
# a random root password
# Don't hate me, blame Oracle