Ansible Tips Part 3: Write First, Use Variables Later

When first starting out writing tasks within a role, write the entire task as you normally would. Do not include any variables or things that may change. By doing this, you keep to the simplest form of Ansible provisioning possible. In the software development world, this is a two-part form of YAGNI and premature optimization. Consider this first cut of the role a draft, requiring proofreading before committing to version control.

    ---
    # roles/ssh/tasks/main.yml
    - name: configure sshd daemon
      template: >
        src=sshd_config.j2
        dest=/etc/ssh/sshd_config
        owner=root
        group=root
        mode=644
      sudo: yes
      notify: Restart ssh

Then, once you have finished with the role, re-read each task in the role and look for things that stand out as hard-coded strings. For example, paths to configuration files, owners and groups, or even permissions. Think of each of these as a possible candidate for a variable. Using the above example, I can rewrite the task using variables. ...

June 13, 2014 · 2 min · 381 words · Scott Brown

Ansible Tips Part 2: Don't Format Lists of Things

Something I’ve encountered while searching for answers about Ansible around the Internet is how to deal with configuration values that are character-delimited. For instance, the fail2ban jail file allows you to specify a set of hostnames/IPs to whitelist.

    ...
    # /etc/fail2ban/jail.conf
    # "ignoreip" can be an IP address, a CIDR mask or a DNS host
    #ignoreip = 127.0.0.1/8
    ignoreip = 127.0.0.1/8 1.2.3.4/8
    bantime = 600
    ...

I have commented out the default value for ignoreip so that you can see a before-and-after view of the configuration setting. ...

June 9, 2014 · 2 min · 417 words · Scott Brown

Allowing Java WARs to Play Well with Others

You’re a software developer or an Operations person who is working with a Java application. Here are some questions for you. Do you have a WAR that you need to deploy? Do you know if it comes to you preconfigured or as a blank slate? Do you know what happens if you deploy the WAR to an application server without realizing that it is preconfigured? I’ve now seen this many times and I’m here to get up on my soapbox and say something. Java was originally intended to be write once, run anywhere, but I have repeatedly seen cases where the configuration is embedded within the WAR container. This embedding renders the WAR file useless anywhere but the exact machine/platform/environment the configuration was written for. ...

June 6, 2014 · 3 min · 552 words · Scott Brown

Ansible Tips Part 1: When in Doubt, Be Explicit

When copying files, using templates, or creating just about anything on a target machine via Ansible, make sure that you are as explicit as possible. Don’t assume that a file will be created with a specific owner unless you specify that owner in the Ansible task. For example, if you are providing your own SSH configuration file, overriding whatever is on the system, your task will look like this:

    ---
    # roles/ssh/tasks/main.yml
    - name: configure ssh client configuration
      template: src=ssh_config.j2 dest=/etc/ssh/ssh_config
      sudo: yes
      notify: Restart ssh

In this situation, you are running the task with sudo privileges, so you are assuming that this file will be owned by root:root. Looking at an Ubuntu machine confirms that this file, by default, is also owned by root:root: ...

June 5, 2014 · 2 min · 288 words · Scott Brown

Ansible Tips Series Starting Soon

I’m in the process of automating the provision step for a client’s project in Ansible, from a Vagrant environment through to the Production environment. Along the way, and in previous Ansible projects, I’ve accumulated some tips which I’ll enumerate here in a series of articles. They are meant to be short, yet detailed. I intended to write all of the tips in one article, but then the article became too long and nobody is going to take an hour to read it. Better to chop it up into bite-sized pieces. ...

June 5, 2014 · 1 min · 193 words · Scott Brown

IPBoard 3 - Providing a Value to a Setting During Hook Installation

Well, that title is a mouthful. It is intentionally verbose so that if anyone stumbles across this issue, they can easily find this article and not spend time (like I did) sifting through source code for an answer.

Background

Let’s say you are creating a new hook in your development IPBoard 3.x. This hook changes the values of a few settings that already exist in the system (for example, disabling Gravatar support). While this setting could be easily changed by an administrator, we want to programmatically change it through the use of hooks. ...

May 14, 2014 · 4 min · 749 words · Scott Brown

Designing Uniqueness

Not enough people give careful thought to ensuring uniqueness across systems when they design a solution. This goes doubly for off-the-shelf (OTS) software packages. And if the design isn’t well thought out, it is going to be difficult to ensure uniqueness when doing any data migrations. Granted, data migrations are an art more than they are a science. There are always edge cases and invariably something goes wrong that nobody thought about. This is why testing a data migration multiple times should be built into any project plan (and given an extremely large buffer in the budget). ...

May 1, 2014 · 3 min · 548 words · Scott Brown

Simple Scripts Are Better

I’m currently building my new product, Storigible, and where I get stuck is the marketing component of the website. Specifically, the difficult part for me is getting the design right because I don’t see myself as a designer. All of that aside, what I’m writing about today is the usage of shell scripts versus more complex scripts to automate things like deployment. Storigible’s marketing website is a static website served by Amazon S3. I created it this way because the marketing component can be fully decoupled from the application component (which resides at another subdomain). I needed a good way to deploy the website files onto S3, which is basically saying, I needed a good way to upload the files to S3’s server. Deployment isn’t much more than a simple copy when you are dealing with a static website. ...

March 26, 2014 · 4 min · 783 words · Scott Brown

The tinfoil gem

I attended BSides Vancouver last week (great job everyone!) and Mark Curphey had a good talk (Modern Software is Like Lego & WTF Don’t People Use Secure Headers?) containing a statistic on how few websites use secure headers. His company even came up with a Web-based tool to find which websites contain secure headers. I love this idea but I found it lacked in one area: testing sites not publicly addressable on the Web. There are many more internal websites that could be sniffed or exploited inside company networks. So I went about writing a tool called tinfoil that allows anyone to check servers within their network. ...

March 16, 2014 · 1 min · 174 words · Scott Brown

Capturing STDOUT and STDERR in Ruby Tests

I’m writing up a new gem called Tinfoil that tests whether web servers support secure headers. Since this is a command-line interface (CLI) for a Unix-based system, I have a hard time testing the CLI in Ruby’s built-in Test::Unit framework. The problem is that the CLI outputs directly to STDOUT and STDERR, polluting my test output when I run the tests. This problem was solved by capturing stdout and stderr and redirecting them for a short time while the test runs. I got it from this StackOverflow answer, and I have added another method for capturing stderr. ...

March 14, 2014 · 1 min · 177 words · Scott Brown