@ahpook
ahpook / gist:1182243
Created August 30, 2011 22:14
Use a generic client certificate with puppet

The problem

There's enough trouble with Puppet's SSL model (mandatory client certs) that people go and do odd things to get around it. The primary problem is that in lab/preproduction environments, if you reinstall machines frequently, you lose access to the private key that generated the original cert, but (absent some puppet cert --clean [node] operation) the cert still exists, leading to the dreaded "Retrieved certificate doesn't match private key" error.

A solution

Generate a single client certificate which all your nodes use, and have the master determine node names from facter rather than the SSL DN. This way you can re-install nodes with impunity and as long as your bootstrap plops down the correct config and the cert+key, you don't have any more SSL issues.

The caveats

If you have autosign turned on, this change represents a shift in security tradeoffs: you can turn off autosign and therefore more tightly control which clients can talk to your server because they need to have your clie

@drewolson
drewolson / reflection.go
Last active November 20, 2023 09:39
Golang Reflection Example
package main
import (
"fmt"
"reflect"
)
type Foo struct {
FirstName string `tag_name:"tag 1"`
LastName string `tag_name:"tag 2"`
#!/bin/bash
set -e
FETCHCOMMAND='wget -t 3 -T 5 --passive-ftp -O "${DISTDIR}/${FILE}" "${URI}"'
RESUMECOMMAND='wget -c -t 3 -T 5 --passive-ftp -O "${DISTDIR}/${FILE}" "${URI}"'
export FETCHCOMMAND RESUMECOMMAND
emerge --usepkg --buildpkg --update \
app-emulation/qemu \
net-misc/curl \
sys-block/parted \
sys-fs/multipath-tools
@joemiller
joemiller / pantheon-check-ping-endpionts.rb
Created June 18, 2013 15:56
a meta-check for sensu that creates many other checks
#!/usr/bin/env ruby
#
# this is a special meta-check. It runs ping checks against all hosts in
# the /endpoints API and sends individual results directly to sensu-client via
# the udp/3030 client socket. this is different from the normal sensu check model
# where individual scripts run and their exit status and output is used to create
# a single event.
#
# the reason for this check is to be able to dynamically ping a list of hosts
# without the race conditions and timing issues involved with creating individual
@danrl
danrl / ipv4-filter.sh
Last active May 21, 2024 22:53
Very basic packet filters with non-atomic loading. Be careful!
#!/bin/bash
echo -n "loading ipv4 packet filter... "
### clear tables
iptables --flush
iptables --delete-chain
iptables --table mangle --flush
iptables --table mangle --delete-chain
@etoews
etoews / neutron.sh
Created February 27, 2014 21:30
Create a Neutron network, subnet, and port and boot an instance with the port
OS_AUTH_URL=http://162.242.242.161:5000/v2.0/
OS_REGION_NAME=RegionOne
OS_USERNAME=admin
OS_TENANT_NAME=admin
OS_PASSWORD=devstack
NET_NAME="test1-net"
IP_CIDR=192.168.0.0/24
IP_START=192.168.0.10
IP_END=192.168.0.20
@derekp7
derekp7 / gist:9978986
Last active May 11, 2024 04:10
RPC in Bash (rpcsh)

Let's say you have a Bash shell script, and you need to run a series of operations on another system (such as via ssh). There are a couple of ways to do this.

First, you can stage a child script on the remote system, then call it, passing along appropriate parameters. The problem with this is you will need to manually keep the remote script updated whenever you change it -- could be a bit of a challenge when you have something to execute on a number of remote servers (i.e., you have a backup script running on a central host, and it needs to put remote databases in hot backup mode before backing them up).

Another option is to embed the commands you want to run remotely within the ssh command line. But then you run into issues with escaping special characters, quoting, etc. This is ok if you only have a couple commands to run, but if it is a complex piece of Bash code, it can get a bit unwieldy.

So, to solve this, you can use a technique called rpcsh -- rpc in shell script, as follows:

First, place th

@ijin
ijin / consul_dynamic_inventory.rb
Created June 22, 2014 15:22
dynamic inventory script for ansible using consul
#!/usr/bin/env ruby
require 'net/http'
require 'uri'
require 'json'
output = {}
s_json = JSON.parse(Net::HTTP.get_response(URI.parse('http://localhost:8500/v1/catalog/services')).body)
services = s_json.keys.reject{|k| k == 'consul'}
services.each do |srv|
@alistairncoles
alistairncoles / Example CLI usage
Last active January 6, 2019 01:16
keystone v3 setup
EXAMPLE:
(keystone-v3-setup.sh script will perform first few steps using role 'admin')
# Create a domain named d1 (note use of --os-url and --os-token to manage keystone)
anc@u128:~$ openstack --os-url http://u132.localdomain:5000/v3 --os-identity-api-version 3 --os-token=ADMIN domain create d1
+---------+----------------------------------------------------------------------------------------+
| Field | Value |
+---------+----------------------------------------------------------------------------------------+
@mgagne
mgagne / libvirt-1.2.2_Support-incoming-migration-from-13.10-hosts.patch
Created March 2, 2015 18:44
Migration fails between QEMU 1.5 and QEMU 2.0
--- a/src/qemu/qemu_migration.c
+++ b/src/qemu/qemu_migration.c
@@ -2109,6 +2109,13 @@
VIR_STRDUP(def->os.machine, "pc-1.0-precise") < 0)
goto cleanup;
}
+ if (STREQ_NULLABLE(vm->def->os.machine, "pc-i440fx-1.5")) {
+ VIR_FREE(vm->def->os.machine);
+ VIR_FREE(def->os.machine);
+ if (VIR_STRDUP(vm->def->os.machine, "pc-i440fx-1.5-saucy") < 0 ||
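Review bot: the new condition `STREQ_NULLABLE(vm->def->os.machine, "pc-i440fx-1.5")` tests only vm->def, yet the following lines also free and replace def->os.machine without checking what it held, so an incoming definition carrying a different machine type would be silently overwritten. Consider testing def->os.machine as well, or adding a comment stating why it is safe to discard. Both pointers are also freed before the first VIR_STRDUP, so a failed allocation leaves vm->def->os.machine NULL on the cleanup path; duplicating into temporaries and swapping on success would avoid that. A short comment explaining why "pc-i440fx-1.5" maps to "pc-i440fx-1.5-saucy" would help, since the hard-coded strings carry no explanation in the visible lines.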