Tag: Ansible

What makes it "tech"..

Updating Linux tzdata for DST changes

So, you are a sysadmin living/managing servers in Egypt or in Egypt’s timezone. Or even a good faithful linux user. The government, in it’s infinite wisdom, decided that we should go back to DST. Are you sure you are ready for this?

index

Since I do run servers a lot of servers in the Africa/Cairo timezone, mostly Ubuntu LTS and Debian servers, I looked to see if there is an update for the tzdata package in Ubuntu that would include this, but couldn’t find any (bug report ?).

Although it’s not the best way to do this, I decided to create the timezone datafile myself. IANA is responsible for providing the datafiles. I downloaded the datafiles package, untared it, and checked the the africa file I was happy to see this:

Rule Egypt 2014 only - May 15 24:00 1:00 S

So, the file is up to date. No, using instructions from this awesome debian wiki page, I did the following to compile and test the datafile:

# cd /tmp/
# mkdir tzdata
# cd tzdata
# wget http://www.iana.org/time-zones/repository/releases/tzdata2014c.tar.gz
# tar zxvf tzdata2014c.tar.gz
# zic -d . africa
# TZ="/tmp/tzdata/Africa/Cairo" date --date="2014-05-15 01:00:00 UTC"
    Thu May 15 03:00:00 EET 2014
# TZ="/tmp/tzdata/Africa/Cairo" date --date="2014-05-16 01:00:00 UTC"
    Fri May 16 04:00:00 EEST 2014

As you can see, the time representation will change according the the timezone file. Now, all you need to do, is to copy it in place:

# cp /tmp/tzdata/Africa/Cairo /usr/share/zoneinfo/posix/Egypt
# cp /tmp/tzdata/Africa/Cairo /etc/localtime

Remember that you might need to do something similar if you have any Java applications, Java timezone files are provided by the package tzdata-java.

Now, to apply this on all of our servers, we used Ansible. A simple playbook should do the trick:

---
- hosts: all
  sudo: yes
  tasks:
    - name: Update timezone file
      copy: src=/path/to/data/file dest={{ item }}
      with_items:
        - /usr/share/zoneinfo/posix/Egypt
        - /etc/localtime
      when: ansible_os_family == "Debian"

This should be it! However, this is not meant to be a permanent solution. You should update your tzdata package as soon as the next update is released.

UPDATE: I just found out that the Ubuntu had released a critical update to fix this problem. You don’t need to perform these steps now, just make sure to get the latest tzdata package. Not sure about debian, yet.

What makes it "tech"..

Better handling of public SSH keys using Ansible..

Ansible has a dedicated module to manage public keys; the authorized_key module. It’s a very nice module, with enough flexibility to do almost anything I can think of.

However, it does have one very annoying thing. While I was migrating our automation scripts to ansible; I got to the point where I was working on the script that provisions our users. By default, we disabled all password authentication and root SSH access. Only key based access is allowed.

I found that I have to actually put the public SSH key strings inside the playbook vars. That’s just not cool. SSH keys are long, they might have specific options (although the authorized_key module allows you to configure that) and it’s harder to maintain the list of keys like this. So, I tried to work around this. My target was to add the public SSH keys for my users as static files in an ansible role. Basically, I will be populating my my group_vars files by reading files inside my roles.

  • First, I added the public key files in the ‘files‘ directory of the role I was using to configure the users.
  • Now, I have to find a way to “read” the key files and set them in the vars file. Fortunately, ansible provides Lookup plugins that allows me to do just that!
  • So, the related part of the vars file should look like this:


ssh_users:
  - name: user1
    key: "{{ lookup('file', 'user1.pub') }}"
  - name: user2
    key: "{{ lookup('file', 'user2.pub') }}"
  - name: user3
    key: "{{ lookup('file', 'user3.pub') }}"
  - name: user4
    key: "{{ lookup('file', 'user4.pub') }}"

  • Next, all we need to do is call the authorized_key module as usual

- name: Add ssh user keys
  authorized_key: user={{ item.name }} key="{{ item.key }}"
  with_items: ssh_users

Edit: Updated the variable name to avoid the deprecated syntax. Details in the first comment.

Here you go. Key files are neatly tucked in the files directory, easy to maintain and no wrapped lines and cluttered options missing up your var files.

What makes it "tech"..

Loops with lineinfile ansible module

I just started playing with ansible recently. And I love it!

I am working on a playbook for configuring Apache 2.4 for a complex application. The plan to run the application on an IaaS cloud(ish) platform. We need to control the Apache worker settings via the playbook since there will be several “flavors” of cloud instances with different sizes and configurations. I was considering using a template for the configuration file. But since I am playing..Screen-Shot-2013-03-30-at-6.07.36-PM

I decided to take a shot at using the lineinfile module, which I find really cool! And to make this a bit more interesting, I wanted to this this using ansible loops, not one configuration item at a time.

So, basically, this is the first shot at getting this done, there is a lot of room for improvement:

- name: Setting Apache Prefork MPM
  lineinfile:
    dest=/etc/apache2/conf.d/mpm_prefork.conf
    regexp="{{ item.key }}"
    line="{{ item.value }}"
with_items:
  - { key: "StartServers" , value: "StartServers {{ StartServers }}" }
  - { key: "MinSpareServers", value: "MinSpareServers {{ MinSpareServers }}" }
  - { key: "MaxSpareServers", value: "MaxSpareServers {{ MaxSpareServers }}" }
  - { key: "MaxClients", value: "MaxClients {{ MaxClients }}" }
  - { key: "MaxRequestsPerChild", value: "MaxRequestsPerChild {{ MaxRequestsPerChild }}"

Additionally, I added the values in the var file:

var:
  StartServers: 10
  MinSpareServers: 5
  MaxSpareServers: 10
  MaxClients: 300
  MaxRequestsPerChild: 0

This should do the trick!