
Posts

Using Ansible to Fix CFEngine (after a trust failure as a result of re-addressing policy hub)

One of the things I have been given (cursed with) in my life in IT is maintenance of CFEngine. CFEngine is one of the oldest configuration management systems for Linux and other Unix (and I think also Windows these days), and it is typically left by the wayside.... I'd love to drastically refactor and clean it up, because it's grown pretty organically.

Anyway, it's on some old equipment and I need to migrate it to a new IP to keep management happy from a risk perspective. How bad could that get? Turns out that CFEngine is sensitive to this, and I get another deluge of email:

!! Not authorized to trust the server=XXX.example.com's public key (trustkey=false)
!! Authentication dialogue with XXX.example.com failed
... ad nauseam
So.... I think I just broke all the CFEngine agents, which won't be able to grab policy updates. Let's fix this using Ansible.
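The fix the post is heading towards, as an added example that is not the post's own code: the hub's key has not changed, only its address, so each agent can keep the key it already trusts and just file it under the new address, rather than enabling trust-on-first-use for the new hub address on every machine. The script assumes the CFEngine 3 default layout (/var/cfengine/ppkeys/root-<IP>.pub for trusted host keys, /var/cfengine/policy_server.dat for the hub address); the file name, the Ansible invocation in the docstring and the addresses in demo() are this example's assumptions, and demo() runs against a scratch directory with a constructed key, never a real agent.

```python
#!/usr/bin/env python3
"""Re-home CFEngine agents onto a policy hub that changed IP address.

Added example, not code from the original post. Assumes the CFEngine 3
default layout: trusted host keys in /var/cfengine/ppkeys/root-<IP>.pub and
the hub address in /var/cfengine/policy_server.dat. Ansible can push it to
every agent with the script module (the file name is this example's):
    ansible all -b -m script -a "cfe_rehome_hub.py OLD_IP NEW_IP"
"""
import os
import shutil
import sys
import tempfile

CF_DIR = "/var/cfengine"


def retrust_hub(old_ip, new_ip, cf_dir=CF_DIR):
    """Make the hub's already-trusted key valid for its new address.

    Only the address changed, not the hub's key, so the stored
    root-<old_ip>.pub is copied to root-<new_ip>.pub; trustkey stays false
    and no unknown key is ever accepted. policy_server.dat is repointed if it
    still names the old address (if it holds a hostname it is left alone).
    Returns an Ansible-style result dict.
    """
    ppkeys = os.path.join(cf_dir, "ppkeys")
    old_key = os.path.join(ppkeys, "root-%s.pub" % old_ip)
    new_key = os.path.join(ppkeys, "root-%s.pub" % new_ip)
    psd = os.path.join(cf_dir, "policy_server.dat")
    result = {"changed": False, "key": "unchanged", "policy_server": "unchanged"}

    if os.path.exists(new_key):
        pass                                   # already trusted at the new address
    elif os.path.exists(old_key):
        shutil.copy2(old_key, new_key)         # copy2 keeps the key file's mode bits
        result["key"] = "copied"
        result["changed"] = True
    else:
        # Nothing to re-use: this agent must be re-bootstrapped instead
        # (cf-agent --bootstrap NEW_IP), which is a trust-on-first-use step.
        result["failed"] = True
        result["msg"] = "no stored hub key %s; re-bootstrap this agent" % old_key
        return result

    current = ""
    if os.path.exists(psd):
        with open(psd) as f:
            current = f.read().strip()
    if current == old_ip:
        with open(psd, "w") as f:
            f.write(new_ip + "\n")
        result["policy_server"] = "updated"
        result["changed"] = True
    return result


def demo():
    """Exercise the fix on a constructed scratch layout (sample data, not a real agent)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "ppkeys"))
    sample_key = ("-----BEGIN RSA PUBLIC KEY-----\n"
                  "constructed sample, not a real key\n"
                  "-----END RSA PUBLIC KEY-----\n")
    with open(os.path.join(root, "ppkeys", "root-10.0.0.1.pub"), "w") as f:
        f.write(sample_key)
    with open(os.path.join(root, "policy_server.dat"), "w") as f:
        f.write("10.0.0.1\n")
    first = retrust_hub("10.0.0.1", "10.0.0.2", cf_dir=root)
    second = retrust_hub("10.0.0.1", "10.0.0.2", cf_dir=root)      # re-run: nothing to do
    missing = retrust_hub("10.0.0.1", "10.0.0.2",
                          cf_dir=os.path.join(root, "never-bootstrapped"))
    with open(os.path.join(root, "ppkeys", "root-10.0.0.2.pub")) as f:
        key_copied = f.read() == sample_key
    with open(os.path.join(root, "policy_server.dat")) as f:
        hub = f.read().strip()
    shutil.rmtree(root)
    return first, second, missing, key_copied, hub


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: cfe_rehome_hub.py OLD_IP NEW_IP")
    outcome = retrust_hub(sys.argv[1], sys.argv[2])
    print(outcome)
    sys.exit(1 if outcome.get("failed") else 0)
```

The script is idempotent, so it is safe to run from a playbook on every pass: the second call in demo() reports nothing changed. Agents that never had the hub's key stored (the failed case) are the ones that genuinely need a fresh cf-agent --bootstrap against the new address, and they are worth handling separately because that step does accept whatever key the hub presents.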
Recent posts

VirtualBox 5.1.27 + RHEL 7.4 (and others) + kernel update = suggest double reboot

For a long time now, every damn time I go to apply a kernel update, I have to rebuild the VirtualBox Guest Additions. If I have any vboxsf mounts set to mount at boot in /etc/fstab, I can look forward to a rescue-mode prompt. This is not specific to RHEL7, or to RHEL (I see plenty of reports of Ubuntu 11.04 with the same issue).

The 'dkms' (Dynamic Kernel Module Support) is meant to prevent this issue by triggering a rebuild when a kernel package is updated. It's installed.... so why isn't it working? Time to get my hands dirty and learn a bit about dkms.

VirtualBox 5.1.26 + RHEL 7.4 = GA 5.1.27 needed

Well, it's that time of the month again when life gets difficult. That's right, it's patching time. So naturally, on the Monday after patch week, I decided to apply the updates that VirtualBox was notifying me about.

This time, it's an update from 5.1.24 to 5.1.26.... it did not go as smoothly as I would have hoped. But the breaking change seems to be in the upgrade from RHEL 7.3 to 7.4, which changed the version of X.org to 1.19, which Guest Additions 5.1.26 doesn't seem to support.

The symptom was that the graphic driver didn't seem to work (so tiny resolution). Other functionality such as shared clipboard still worked, thankfully.


VirtualBox 5.1.22 Guest Additions (un)install fail and fix

Patch time again, say goodbye to half a day with urgent Windows updates and routine VirtualBox / Linux etc. updates for my workstation.

Anyway, it seems 5.1.22 fixed my earlier problem in 5.1.20 to do with Shared Folders, but I really wish they would test things a bit more, as this patching didn't go very smoothly and my VM failed to boot to completion (VBoxAdditions missing).

Attempting to run the installer gives you this message:

VirtualBox Guest Additions installer
You appear to have a version of the VirtualBox Guest Additions on your system which was installed from a different source or using a different type of installer. If you installed it from a package from your Linux distribution or if it is a default part of the system then we strongly recommend that you cancel this installation and remove it properly before installing this version. If this is simply an older or a damaged installation you may safely proceed.
Do you wish to continue anyway? [yes or no]

Okay.... haven…

VirtualBox 5.1.20 bug with Shared Folders (RHEL 7 guest)

Upgraded VirtualBox (as is my wont to do) and found the following problem after reinstalling the newer Guest Additions.
I've submitted a bug report 16697 for this.

# mount host_home
mount: wrong fs type, bad option, bad superblock on host_home,
       missing codepage or helper program, or other error
       In some cases useful info is found in syslog - try
       dmesg | tail or so.

dmesg tells me the following (I had already tried rebuilding the GA with rcvboxadd setup -- the systemd equivalent of /etc/init.d/vboxadd setup):

# dmesg | tail
...
[  334.616717] vboxsf: Successfully loaded version 5.1.20 (interface 0x00010004)
[  343.413650] sf_read_super_aux err=-22

A similar report from an earlier version suggested an installation bug with library locations, so looking around ...

# updatedb
# locate mount.vbox
/opt/VBoxGuestAdditions-5.1.20/lib/VBoxGuestAdditions/mount.vboxsf
/usr/sbin/mount.vboxsf
# ls -l /usr/sbin/mount.vboxsf
lrwxrwxrwx. 1 root root 49 Apr 26 10:04 /usr/sbin/…

Capturing and Replaying Connection-less Protocols (eg. IPFIX into Logstash)

It can be useful to be able to capture AppFlow (IPFIX) data, which in our environment at least is UDP, and replay that on some other machine where you are playing with Logstash (or some other tool that might read in such data from the network). In this page, I show you how you can capture packets using tcpdump, rewrite them post-capture, and replay them as if they were sent to your own machine. We'll also set up a standalone Logstash instance that reads in IPFIX records and just emits them to stdout in a debugging format.

Step 1: Capture some traffic

This is easy; just remember to use a useful filter (not everything will rewrite easily), and capture the entire packet.

Notes:
- I'm running this capture on production, so I limited the number of packets, using '-c 10000', that could be captured (to prevent disk blowout).
- I want the application data, so I'm capturing the entire packet with '-s0'.
- Because I only want IPFIX data, and can only realistically rewrite con…
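The capture-rewrite-replay pipeline described above, as an added example that is not the post's own code: instead of rewriting MAC and IP addresses with tcprewrite and replaying the frames at layer 2, it pulls the IPFIX payloads out of the pcap with nothing but the Python standard library and re-sends them from an ordinary UDP socket, so the collector on your own machine sees them as if the exporter had sent them there, and no root or raw socket is needed. It assumes a pcap (not pcapng) written by tcpdump with Ethernet/IPv4/UDP framing and the IANA IPFIX port 4739; the two-packet sample capture, its addresses and port numbers are constructed for the example.

```python
#!/usr/bin/env python3
"""Extract IPFIX datagrams from a tcpdump capture and re-send them locally.

Added example, not code from the original post. Handles pcap files with
Ethernet/IPv4/UDP framing only; the sample capture below is constructed.
"""
import socket
import struct
import time

# pcap magic as read little-endian -> (struct byte order, timestamp fraction divisor)
PCAP_MAGIC = {0xA1B2C3D4: ("<", 1_000_000), 0xA1B23C4D: ("<", 1_000_000_000),
              0xD4C3B2A1: (">", 1_000_000), 0x4D3CB2A1: (">", 1_000_000_000)}
LINKTYPE_ETHERNET = 1
IPFIX_VERSION = 10
IPFIX_PORT = 4739


def extract_ipfix(pcap, port=IPFIX_PORT):
    """Return [(timestamp_seconds, payload)] for each UDP datagram to `port`
    that carries an IPFIX message (version field 10) and was captured whole."""
    (magic,) = struct.unpack("<I", pcap[:4])
    if magic not in PCAP_MAGIC:
        raise ValueError("not a pcap file (pcapng is not supported)")
    endian, frac = PCAP_MAGIC[magic]
    linktype = struct.unpack(endian + "I", pcap[20:24])[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported link type %d" % linktype)
    out, off = [], 24
    while off + 16 <= len(pcap):
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(endian + "IIII", pcap[off:off + 16])
        off += 16
        frame = pcap[off:off + incl_len]
        off += incl_len
        if len(frame) < incl_len:
            break                             # file cut short: stop rather than misparse
        if len(frame) < 14 or frame[12:14] != b"\x08\x00":
            continue                          # not IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if len(ip) < ihl or ip[9] != 17:
            continue                          # not UDP
        total_len = struct.unpack("!H", ip[2:4])[0]
        udp = ip[ihl:total_len]
        if len(udp) < 8:
            continue
        dport, ulen = struct.unpack("!HH", udp[2:6])
        payload = udp[8:ulen]
        if dport != port or len(payload) < 2:
            continue
        if len(payload) < ulen - 8:
            continue                          # snaplen too small (this is why -s0 matters)
        if struct.unpack("!H", payload[:2])[0] != IPFIX_VERSION:
            continue
        out.append((ts_sec + ts_frac / frac, payload))
    return out


def replay(datagrams, host="127.0.0.1", port=IPFIX_PORT, pace=True):
    """Send each payload to host:port, keeping the original inter-arrival gaps."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    prev, sent = None, 0
    for ts, payload in datagrams:
        if pace and prev is not None and ts > prev:
            time.sleep(min(ts - prev, 5.0))   # cap long idle gaps from the capture
        sock.sendto(payload, (host, port))
        prev, sent = ts, sent + 1
    sock.close()
    return sent


def build_sample_pcap():
    """Constructed capture: one IPFIX message to 4739 plus one datagram to port 53
    that must be filtered out. Addresses are invented; IP/UDP checksums are left 0."""
    def udp_frame(src, dst, sport, dport, payload):
        udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                         socket.inet_aton(src), socket.inet_aton(dst)) + udp
        return b"\x00" * 12 + b"\x08\x00" + ip   # zero MACs, ethertype IPv4

    def record(ts, frame):
        return struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame

    # 16-byte IPFIX header (version, length, export time, sequence, domain) + one set header
    ipfix = struct.pack("!HHIII", IPFIX_VERSION, 20, 1_500_000_000, 1, 42) + b"\x00\x02\x00\x04"
    dns = b"\x12\x34\x01\x00" + b"\x00" * 8
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return (header
            + record(1_500_000_000, udp_frame("10.1.1.10", "10.1.1.1", 49152, IPFIX_PORT, ipfix))
            + record(1_500_000_001, udp_frame("10.1.1.10", "10.1.1.1", 49153, 53, dns)))


def loopback_demo():
    """Replay the sample through a throwaway local listener; return what it received."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(("127.0.0.1", 0))
    listener.settimeout(2)
    datagrams = extract_ipfix(build_sample_pcap())
    sent = replay(datagrams, port=listener.getsockname()[1], pace=False)
    received = [listener.recv(65535) for _ in range(sent)]
    listener.close()
    return received


if __name__ == "__main__":
    print("%d IPFIX datagram(s) received on loopback" % len(loopback_demo()))
```

Against a real file it is replay(extract_ipfix(open("ipfix.pcap", "rb").read()), port=<your Logstash udp port>). Two things to watch: the payload-length check drops datagrams captured with a snaplen shorter than the message, which is the failure the post's '-s0' avoids, and IPFIX data sets cannot be decoded without the template that describes them, so the capture has to run long enough to include a template refresh from the exporter or the collector will only log unknown-template complaints.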

Installer or command that hangs? Use /dev/urandom instead of /dev/random, but constrained to a particular process

Okay, so I'm working on making an Ansible role for deploying an Oracle 10g Webgate, and I want it working on RHEL 6 and RHEL 7. I managed to do that (yay; took a bit of persuading), but quickly noticed that if you don't do something to prevent it, the installer (InstallShield on Linux... yuck, and not just because it wraps Java 6) drains your entropy pool very very quickly and then just sits there, hanging.

You can verify that it's blocking because of entropy by using a command such as:

watch cat /proc/sys/kernel/random/entropy_avail

and if it isn't hovering between 2000 and 3000, then you have a potential issue; if it's staying under 1024 or so, then you very likely will be experiencing hanging behaviour, depending on which application is draining the pool (commonly by trying to read a bunch of data from /dev/random).

I should note that this is in a VMware environment, so no hardware random number generation for me. Instead, what I typically do is to push out a sysc…