Ansible

Sometimes it is useful to wait for a port to be closed, for example when updating an app that can’t always properly be shut down using other Ansible modules.

This can easily be achieved using the ansible.builtin.wait_for or ansible.builtin.win_wait_for module.

Read more…

Cowsay is one of those packages you just end up installing randomly on just about any client over time.

And if your using ansible you may be in for a little surprise:

Read more…

MongoDB does not rotate it’s log on it’s own.

To get it to ratet we will use logrotate.

First, we need to configure some things in mongod.conf to get the desired behaviour when we utilize logrotate.

systemLog:
 destination: file
 path: /var/log/mongodb/mongod.log
 logAppend: true
 logRotate: reopen

Afterwards, we can create a logroatet configuration going in /etc/logrotate.d/mongodb.

/var/log/mongodb/mongod.log
{
 rotate 5 # Keep the last 5 rotated logs, so 6 files including the currently active
 size 10M # Rotate once the log reaches 10MB in size, depending on your envrionment you could instead use daily, weekly, monthly, etc
 missingok # It's ok if the log file does not exist
 create 0600 mongodb mongodb # Permissions and ownership for the roatetd logs
 delaycompress # Don't compress on first rotation, so we have the current log and log.1 uncompressed
 compress  # Compress everything else
 sharedscripts # Run this script only once and not for every matching file
 postrotate # Script to run after rotating
 /bin/kill -SIGUSR1 $(systemctl show --property MainPID --value mongod.service)
 endscript # End of script
}

The postrotate script simply finds the PID of mongod.service: systemctl show --property MainPID --value mongod.service and sends it a SIGUSR1 which is the signal MongoDB expects if you wish to rotate the log.

Read more…

In theory Ansible should be declarative and have full control over the systems we touch with it.

In practice, this is unfortunately not always the case.

This combination of tasks loads a given yaml file from the remote host, combines a “overwrite dict” onto it, and writes the file back to disk.

- name: Load yaml file contents as fact
  ansible.builtin.slurp:
    src: /etc/some-file.yaml
  register: yaml_file

- name: Parse yaml file contents
  ansible.builtin.set_fact:
    yaml_file_content: "{{ yaml_file.content | b64decode | from_yaml }}"

- name: Create the keys/values that should be overwritten
  ansible.builtin.set_fact:
    yaml_file_content_overwrite:
      some:
        key: "Overwrite value"
      another: "Also overwritten"

- name: Write yaml file with changed values
  ansible.builtin.copy:
    content: "{{ yaml_file_content | combine(yaml_file_content_overwrite, recursive=true) | to_yaml }}"
    dest: /etc/some-file.yaml

With this nifty task we can replace the value of a key (given as yaml_key) to a new value (given as new_value) while preserving it’s indentation.

Read more…

SELinux by default prohibits certain things from working through VMware tools (Ansible connection or plain API).

This can be solved two ways:

• Disabling SELinux: BAD, but easy
• Writing a custom SELinux policy: complicated but more secure

Note: Adding/Changing this policy through a VMware tools connection is thankfully possible

Example policy

This policy is the base for a VMware tools policy and allows entering the rpm context (yum).

module custom-vmtools 1.0;

require {
        type rpm_script_t;
        type vmtools_unconfined_t;
        class process transition;
}

#============= vmtools_unconfined_t ==============

allow vmtools_unconfined_t rpm_script_t:process transition

When using VMware as the connection plugin to connect to remote hosts you commonly set two facts for username and password:

ansible_vmware_tools_user: "mkamner"
ansible_vmare_tools_password: "Super Secret PW"

This will work just fine for windows and with many tasks on linux.

However, if you want to use become: true on linux it will fail with the strangest error messages.

For example: apt will fail, because it can’t acquire the lock file

The solution is rather simple, become does not honor the VMware facts set, instead it wants two different facts set:

Read more…

Need to automate a VM? you need Ansible!