Print git hash during puppet run

So here is a little trick that I implemented at a customer's site.

During each Puppet run, the git commit hash of the manifests being
applied is printed in the logs instead of a timestamp:

# puppet agent -t
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for host1.example.com
Info: Applying configuration version '38f861974ef7041752c0051cfbca676544dc1cef'
Notice: Finished catalog run in 9.78 seconds

To achieve that, I simply store the git hash in a file
(something like “echo $GIT_COMMIT > .gitversion”) when building the package in Jenkins,
and ship that file in the RPM.

In the Puppet server configuration (puppet.conf) I have the following
line:

config_version = /bin/cat $confdir/environments/$environment/.gitversion
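Here is a small wrapper for that config_version command, added as an example and not part of the original post. The script name and install path (/usr/local/bin/config_version.sh) are assumptions; the .gitversion file at the root of the environment directory is the one described above. Puppet executes whatever command config_version names and logs its standard output verbatim, so the wrapper only prints a string that actually looks like a git commit hash, and otherwise falls back to git rev-parse (when the environment is a checkout) or to a timestamp, which is Puppet's default.

```shell
#!/bin/sh
# Added example, not the post's code. config_version helper for Puppet Server:
# prints the git commit hash stored in ENVDIR/.gitversion by the package build,
# after checking that it really is a commit hash, so that a corrupted or edited
# file cannot put arbitrary text into the "Applying configuration version" line.
# Script name and install path (/usr/local/bin/config_version.sh) are assumptions.

config_version() {
    envdir=$1
    hash=""
    if [ -r "$envdir/.gitversion" ]; then
        # first line only; read with the default IFS trims surrounding whitespace
        read -r hash < "$envdir/.gitversion" || true
    elif [ -d "$envdir/.git" ] && command -v git >/dev/null 2>&1; then
        # environment deployed as a git checkout instead of a package
        hash=$(git -C "$envdir" rev-parse HEAD 2>/dev/null) || hash=""
    fi
    # accept only lowercase hex of the length of a SHA-1 (40) or SHA-256 (64) hash
    case $hash in
        *[!0-9a-f]*) hash="" ;;
    esac
    if [ "${#hash}" -eq 40 ] || [ "${#hash}" -eq 64 ]; then
        printf '%s\n' "$hash"
    else
        # same as Puppet's default configuration version: seconds since the epoch
        date +%s
    fi
}

# When run directly, behave as the command named in puppet.conf:
#   config_version = /usr/local/bin/config_version.sh $confdir/environments/$environment
if [ "${0##*/}" = "config_version.sh" ]; then
    config_version "${1:-.}"
fi
```

With the hash check in place, a .gitversion file that does not contain a hash degrades to the default timestamp instead of ending up in every agent's log.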

systemd integration in the “ps” command

In Debian, since version 2:3.3.10-1, the procps package has the systemd integration bits enabled. This means that now the “ps” command can display which (user) unit has started a process or to which slice or scope it belongs.

For example with the following command:

ps -eo pid,user,command,unit,uunit,slice

(screenshot of the ps output, not reproduced here)
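As an added example (not from the post), two small helpers that work on the output of the command above with the columns reordered to pid,user,unit,uunit,slice,args so that the variable-width command comes last. The sample output is constructed for the example, and the function names are assumptions. The first helper lists processes running a shell under a given system unit, something worth checking on a server since an interactive shell under a web server's unit is rarely expected; the second counts processes per unit.

```shell
#!/bin/sh
# Added example, not the post's code. Works on lines produced by
#   ps -eo pid,user,unit,uunit,slice,args
# Constructed sample output, used as input below:
SAMPLE_PS='  PID USER     UNIT              UUNIT               SLICE           COMMAND
    1 root     init.scope        -                   -               /sbin/init
  812 www-data apache2.service   -                   system.slice    /usr/sbin/apache2 -k start
  990 www-data apache2.service   -                   system.slice    /bin/sh -i
 1200 bob      user@1000.service gnome-shell.service user-1000.slice /usr/bin/gnome-shell'

# shells_under_unit UNIT: print "pid unit command" for every process that
# belongs to system unit UNIT (column 3) and whose executable is a shell.
shells_under_unit() {
    awk -v unit="$1" '
        $1 == "PID" { next }                     # skip the header line
        $3 == unit {
            cmd = $6
            for (i = 7; i <= NF; i++) cmd = cmd " " $i
            exe = $6
            sub(/.*\//, "", exe)                 # basename of the executable
            if (exe ~ /^(sh|bash|dash|zsh|ksh)$/) print $1, $3, cmd
        }'
}

# procs_per_unit: print "count unit", most populated unit first.
procs_per_unit() {
    awk '$1 != "PID" { c[$3]++ } END { for (u in c) print c[u], u }' | sort -rn
}

# Usage on the sample:  printf '%s\n' "$SAMPLE_PS" | shells_under_unit apache2.service
# On a live system:     ps -eo pid,user,unit,uunit,slice,args | shells_under_unit apache2.service
```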

Debian GNOME/systemd sprint

Last weekend was pretty busy, as we had our first joint Debian GNOME/systemd sprint. 10 people gathered at my employer's office, Inuits in Antwerp, to work together on GNOME and systemd integration in Debian.

I worked mainly on GNOME packages, helping with transitions and packaging new bits for the GNOME 3.12 release. We also discussed a lot of things like the switch of the team repository from svn to git and the version of GNOME that we are planning to ship in Jessie.

I really think this was a very constructive sprint and such events should happen more often; we already plan to do it again near the release of 3.14.

The full log of the sprint can be found at: https://lists.debian.org/debian-devel-announce/2014/05/msg00001.html

Hide partitions in nautilus

If you want to hide a partition in nautilus (which uses udisks2), you can do so easily by setting the UDISKS_IGNORE environment variable to 1 in a udev rules file.

The following example hides all the partitions whose logical volume name ends with “-sbuild”:

$ cat /etc/udev/rules.d/99-hide-lv-udisks.rules
ENV{DM_LV_NAME}=="*-sbuild", ENV{UDISKS_IGNORE}="1"

After that you need to run “udevadm trigger” as root; the disks should then immediately disappear from nautilus.

You can use “udevadm info” to see the environment variables that can be used to identify a disk or partition.

Add a new CA certificate to the certificates stash in Debian

A few days ago, the CAcert root certificates were removed from the ca-certificates package. While there was a discussion about whether they should be trusted by default in Debian, let’s see here how an administrator can trust CAcert again (or any other CA certificate).

In Debian, the certificates stash is located in /etc/ssl/certs/. By default this directory contains a series of symlinks that point to the certificates installed by the ca-certificates package (including the hash symlinks generated by c_rehash(1)) and a ca-certificates.crt file, which is a concatenation of all these certificates. Everything is managed by the update-ca-certificates(8) command, which takes care of updating the symlinks and the ca-certificates.crt file.

Adding a new (CA) certificate to the stash is quite easy, as update-ca-certificates(8) also looks for files in /usr/local/share/ca-certificates/: the administrator just has to place the new certificate, in PEM format and with the .crt extension, in this directory and run update-ca-certificates(8) as root. All applications on the system (wget, …) should then trust it.
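A script that performs these steps with the checks I would want before trusting a new root, added here as an example (it is neither the post's nor Debian's code). The function names and the optional destination directory argument are assumptions; the default destination is the /usr/local/share/ca-certificates/ directory described above. Adding a root to the stash makes every TLS client on the host trust whatever that root signs, so the script refuses anything that is not a single PEM certificate carrying basicConstraints CA:TRUE, and prints the subject and SHA-256 fingerprint so they can be compared with the value the CA publishes.

```shell
#!/bin/sh
# Added example, not the post's code. Validate a CA certificate before adding it
# to the local stash, then run update-ca-certificates(8).
# Function names and the optional DESTDIR argument are assumptions of this example.

# check_ca_cert FILE: succeed only if FILE is exactly one PEM certificate, has
# the .crt extension update-ca-certificates expects, and carries the
# basicConstraints CA:TRUE extension. Subject and SHA-256 fingerprint go to
# stderr so they can be compared with the value published out of band.
check_ca_cert() {
    f=$1
    [ -r "$f" ] || { echo "unreadable: $f" >&2; return 1; }
    case $f in
        *.crt) ;;
        *) echo "update-ca-certificates only picks up *.crt files: $f" >&2; return 1 ;;
    esac
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f" || true)
    [ "$n" -eq 1 ] || { echo "expected exactly one PEM certificate, found $n: $f" >&2; return 1; }
    openssl x509 -in "$f" -noout -subject -fingerprint -sha256 >&2 || return 1
    openssl x509 -in "$f" -noout -text | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE' || {
        echo "not a CA certificate (no basicConstraints CA:TRUE): $f" >&2; return 1; }
}

# install_local_ca FILE [DESTDIR]: copy FILE (mode 0644) into the local stash
# and refresh /etc/ssl/certs. When DESTDIR is given (used for testing) the
# system stash is not touched.
install_local_ca() {
    src=$1
    dest=${2:-/usr/local/share/ca-certificates}
    check_ca_cert "$src" || return 1
    install -m 0644 "$src" "$dest/" || return 1
    if [ "$dest" = /usr/local/share/ca-certificates ]; then
        update-ca-certificates
    fi
}

# Usage (as root): install_local_ca /root/cacert-root.crt
# Afterwards, a server certificate issued by that CA should pass:
#   openssl verify -CApath /etc/ssl/certs server.pem
```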

Connection downgrade from https to http in Firefox

Note to self: when a page is loaded over https, all the connections created by JavaScript must also use https. Otherwise Firefox will not even try to connect and, unfortunately, will not complain about it either.

I got bitten by this when trying Kibana 3 at work yesterday, and it took me quite some time to realize what was happening.

Mount NFS export for machine behind a NAT

So today I was trying to mount an NFS export from a machine that was behind a NAT[1]. The “/etc/exports” file was correct, but I kept getting “access denied” errors.

It turns out that, by default, the NFS server only allows access from clients when the originating port is a reserved port (< 1024), but the NAT machine in the middle was rewriting the source port to something else.

Adding “insecure” to the exports for that machine did the trick.

  1. Yeah I know, NAT must die
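As an added example (not the post's), a shell helper that audits an exports(5) file for entries carrying the insecure option, since that option is easy to forget about once the NAT problem is solved: with insecure, any unprivileged process on the client host can talk to the server directly, not only root-owned ones, so it should stay limited to the clients that need it. The sample exports file is constructed and the function name is an assumption.

```shell
#!/bin/sh
# Added example, not the post's code. List the exports that allow clients on
# non-reserved source ports. Function name and sample file are constructed.

# exports_insecure [FILE]: print "path client options" for every client entry
# in an exports(5) file whose option list contains "insecure". Reads standard
# input when FILE is omitted. Comment lines and blank lines are skipped.
# Note: "host (opts)" with a space before the parenthesis applies the options
# to everyone, a syntax this parser does not try to interpret.
exports_insecure() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        {
            path = $1
            for (i = 2; i <= NF; i++) {
                client = $i; opts = ""
                if (match($i, /\(.*\)/)) {
                    opts = substr($i, RSTART + 1, RLENGTH - 2)
                    client = substr($i, 1, RSTART - 1)
                }
                if (("," opts ",") ~ /,insecure,/) print path, client, opts
            }
        }' "${1:--}"
}

# Constructed sample /etc/exports, with the fix from the post applied to the
# client behind the NAT only (the other clients keep the default "secure").
SAMPLE_EXPORTS='# /etc/exports: NFS file systems being exported
/srv/build   192.168.1.0/24(rw,sync,no_subtree_check)
/srv/build   10.0.0.5(rw,sync,no_subtree_check,insecure)
/srv/backup  backup.example.com(ro,sync)'

# Usage:  exports_insecure /etc/exports
# On the sample: printf '%s\n' "$SAMPLE_EXPORTS" | exports_insecure
#   -> /srv/build 10.0.0.5 rw,sync,no_subtree_check,insecure
```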

Managing /etc/network/interfaces with puppet and augeas

First blog post in a long time; let’s try to post interesting stuff I find during my work as a GNU/Linux system administrator at Inuits.

I was looking for a clean and easy way to manage network interface configuration on Debian-like systems (the /etc/network/interfaces file) using Puppet.

Puppet currently doesn’t have a resource type to handle network interfaces, and unlike Red Hat-like systems, where the network configuration is split into one file per interface, the “interfaces” configuration file under Debian is monolithic, which makes it difficult to manage.

So here comes Augeas to the rescue. Augeas is a configuration file parser that maps a configuration file onto a tree, and Puppet provides a native augeas resource type so you can use it in your manifests.

Let’s say you want to generate the following stanza in “/etc/network/interfaces” (this creates a bond interface):

auto bond0
iface bond0 inet static
    address 192.168.110.42
    netmask 255.255.255.0
    network 192.168.110.0
    gateway 192.168.110.240
    slaves eth0 eth1
    bond_mode active-backup
    bond_miimon 100
    bond_downdelay 200
    bond_updelay 200

You can define the following resource:

augeas{ "bond_interface" :
    context => "/files/etc/network/interfaces",
    changes => [
        "set auto[child::1 = 'bond0']/1 bond0",
        "set iface[. = 'bond0'] bond0",
        "set iface[. = 'bond0']/family inet",
        "set iface[. = 'bond0']/method static",
        "set iface[. = 'bond0']/address 192.168.110.42",
        "set iface[. = 'bond0']/netmask 255.255.255.0",
        "set iface[. = 'bond0']/network 192.168.110.0",
        "set iface[. = 'bond0']/gateway 192.168.110.240",
        "set iface[. = 'bond0']/slaves 'eth0 eth1'",
        "set iface[. = 'bond0']/bond_mode active-backup",
        "set iface[. = 'bond0']/bond_miimon 100",
        "set iface[. = 'bond0']/bond_downdelay 200",
        "set iface[. = 'bond0']/bond_updelay 200",
    ],
}

and Puppet will take care of creating the stanza and keeping it up to date. Note that interfaces and options not managed by Puppet are left untouched.
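To check what Augeas and Puppet produced (or to audit interfaces files on hosts that are not yet managed), here is a small reader for the interfaces(5) stanza format, added as an example and not part of the original post. The function name is an assumption, and the sample is the stanza above plus a second interface, constructed to show that lookups stop at the stanza boundary.

```shell
#!/bin/sh
# Added example, not the post's code. Read one option of one iface stanza from
# an /etc/network/interfaces file. Function name and sample are constructed.

# iface_option FILE IFACE KEY: print the value of option KEY in the stanza for
# IFACE, or nothing if the interface or the option is absent. The pseudo-keys
# "family" and "method" return the two words following the name on the
# "iface" line itself. Pass "-" as FILE to read standard input.
iface_option() {
    awk -v name="$2" -v key="$3" '
        /^[[:space:]]*#/ { next }                       # comments
        $1 == "iface" && $2 == name {                   # start of the stanza we want
            if (key == "family") { print $3; exit }
            if (key == "method") { print $4; exit }
            in_stanza = 1; next
        }
        /^(iface|auto|allow-|mapping|source)/ { in_stanza = 0 }   # any other stanza ends it
        in_stanza && $1 == key {
            $1 = ""; sub(/^[ \t]+/, ""); print; exit     # value is the rest of the line
        }' "$1"
}

# Constructed sample: the bond0 stanza from the post, followed by a second interface.
SAMPLE_INTERFACES='auto bond0
iface bond0 inet static
    address 192.168.110.42
    netmask 255.255.255.0
    network 192.168.110.0
    gateway 192.168.110.240
    slaves eth0 eth1
    bond_mode active-backup
    bond_miimon 100
    bond_downdelay 200
    bond_updelay 200

auto eth2
iface eth2 inet dhcp'

# Usage on the sample: printf '%s\n' "$SAMPLE_INTERFACES" | iface_option - bond0 slaves
# On a host:           iface_option /etc/network/interfaces bond0 gateway
```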

Redmine strange issue

I’m currently deploying redmine for a customer, and today we ran into a strange issue.

People were able to log in, but for certain operations some of them got an “Invalid form authenticity token” error. Moreover, Redmine was setting more than one cookie, with different values and paths, in Firefox. After some time I figured out that RAILS_RELATIVE_URL_ROOT was set in the Apache configuration but was empty. It looks like Firefox and IE behave differently when the path of the cookie is empty: Firefox considers the path to be the current directory, while IE treats it as ‘/’. Now everything seems to be working.

I will try to blog a little more about what I’m doing at work.

Hadopi made in Belgium

The Belgian senator Philippe Monfils (MR) presented a few weeks ago a bill (in French) for a HADOPI[1]-like law in Belgium. This law aims at punishing people who share copyrighted works without going through the courts. If an Internet user’s connection is used for illegal file sharing, she will first receive a warning, then a fine. The third step is a limitation of bandwidth, and the last one is the complete cutoff of that person’s Internet connection (while she still has to pay for that connection).

In practice this raises a lot of questions and fears, about the freedom to access the Internet but also about the means used to prove the facts. An IP address isn’t enough to prove anything, considering how easy it is to break into a WiFi access point, even a secured one. It also raises the problem of a conviction affecting a whole group of people (families, businesses, …) for the act of a single person. There is also a chance of double penalty (the obligation to keep paying the fees for a suspended Internet access), and the possibility that somebody gets convicted for infringement while his neighbour only gets a warning for the same infraction, which breaks equal treatment before the law.

Also, will such a law really help artists (or the entertainment industry)? There is no proof that it will encourage people to buy more discs, and moreover, how can anybody buy anything from legal sources without an Internet connection? What is sure is that this will cost a lot of money for results that are not proven.

Hadopi Mayonnaise is a group of concerned citizens who want to open a dialogue about this law. If you want to help them you can visit the NURPA[2] website. They are currently looking for translations of both websites into Dutch.

  1. “Haute autorité pour la diffusion des œuvres et la protection des droits sur internet”, the name of the law that made a lot of noise in France
  2. the association behind Hadopi Mayonnaise