Author: Bian Xi

Systemd-resolved DNS configuration for VPN

Posted on by Bian Xi Leave a Comment on Systemd-resolved DNS configuration for VPN

Systemd-resolved DNS configuration for VPN

VPN GUI

When using ubuntu GUI VPN connection, the DNS might not be updated correctly. Following command can be used to update search domain and DNS server.

sudo systemd-resolve --interface tun0 --set-dns <dns_server> --set-domain <domain>

Note: The latest test in VPN GUI, the DNS setting is working as expected.

VPN CLI

For openvpn command line,

openvpn --config client.ovpn --script-security 2 --up ./manual-config

The manual-config script can be as follow

#!/bin/sh
set -e
resolvectl dns $dev 192.0.2.53 192.0.2.54
resolvectl domain $dev "~foo.example.com" "~bar.example.com"
resolvectl dnssec $dev off

or

#!/bin/sh
systemd-resolve -i $dev \
  --set-dns=192.0.2.53 --set-dns=192.0.2.54 \
  --set-domain=foo.example.com --set-domain=bar.example.com \
  --set-dnssec=off  # <- Not super nice, but might be needed.

Another method is to use /etc/openvpn/update-systemd-resolved script, which is in openvpn-systemd-resolved package,

openvpn \
  --config client.ovpn \
  --up /etc/openvpn/update-systemd-resolved \
  --down /etc/openvpn/update-systemd-resolved \
  --down-pre \

NetworkManager Integration

To allow DNS and other options applied to new interface, a dispatcher file can be created, for example, /etc/NetworkManager/dispatcher.d/10-openvpn-tun0-up. The content can be as follows

#!/usr/bin/env bash

interface=$1
event=$2

if [[ $interface != "tun0" ]] || [[ $event != "up" ]]
then
  return 0
fi

# place your commands bellow this line

resolvectl dns tun0 192.168.1.1 192.168.1.2
resolvectl domain tun0 "~new.com"

References

Systemd-resolved DNS configuration for VPN
Network Manager script when interface up?

Learning – Introduction to AWS Services

Posted on by Bian Xi Leave a Comment on Learning – Introduction to AWS Services

Learning - Introduction to AWS Services

AWS Global Datacenter

  • AWS Account - Global (Billing, IAM, Route53)
  • Regions - Independent Geographic Area (S3, CDN, DynamoDB)
  • VPCs (ELB)
  • Availability Zones - Multiple isolated locations / data centers within a region (EC2, RDS, EBS)
  • Edge locations
  • Ragional Caches
  • Services

Storage

References

Introduction to AWS Services

Learning – Ansible 101 – Episode 3 – Introduction to Playbooks

Posted on by Bian Xi Leave a Comment on Learning – Ansible 101 – Episode 3 – Introduction to Playbooks

Learning - Ansible 101 - Episode 3 - Introduction to Playbooks

Playbooks

Default module

The ansible command default module is command. So following commands are the same

ansible -i inventory multi -m command -a "date"
ansible -i inventory multi -a "date"

update_cache task

For idempotence, can update_cache task

Molecule

Testing Ansible roles using Molecule.

Background

Timeout

Timeout in 3600 seconds.

ansible -i inventory multi -b -B 3600 -P 0 -a "yum -y update"

Pulling time

Using -P for seconds

ansible -i inventory multi -b -B 3600 -P 0 -a "yum -y update"

Job ID

The result shows ansible job ID, which can be used to query in the server.

192.168.60.6 | CHANGED => {
    ...
    "ansible_job_id": "991487770448.3711",
    ...
    "results_file": "/root/.ansible_async/991487770448.3711",
    ...
}

Query by job id

ansible -i inventory db -b -m async_status -a "jid=991487770448.3711"

*Note: This will not show log or error of job"

Check log

ansible -i inventory multi -b -a "tail /var/log/messages"
ansible -i inventory multi -b -m shell -a "tail /var/log/messages | grep ansible-command | wc -l"

Cron

ansible -i inventory multi -b -m cron -a "name=something hour=4 job=/path/to/script.sh"
ansible -i inventory multi -b -m cron -a "name=something hour=4 job=/path/to/script.sh state=absent"

Git

ansible -i inventory multi -b -m git -a "repo=github_url_goes_here dest=/opt/app update=yes version=1.2.4"

Reuse SSH connection

Ansible configuration file ansible.cfg

[ssh_connection]
pipelining = True

Clean up

Destroy VMs

vagrant destroy -f

Playbooks

mkdir playbooks
cd playbooks

Inventory

[ec2]
35.175.148.144

[ec2:vars]
ansible_user=centos
ansible_ssh_private_key_file=~/.ssh/jeffgeerling_aws.pem

Create a shell script

shell-script.sh

# Install Apache.
yum install --quiet -y httpd httpd-devel
# Copy configuration files.
cp httpd.conf /etc/httpd/conf/httpd.conf
cp httpd-vhosts /etc/httpd/conf/httpd-vhosts.conf
# Start Apache and configure it to run at boot.
service httpd start
chconfig httpd on

Create playbook.yml

---
- name: Install Apache.
  hosts: all

  tasks:
    - name: Install Apache
      command: yum install --quiet -y httpd httpd-devel
    - name: Copy configuration files.
      command: >
        cp httpd.conf /etc/httpd/conf/httpd.conf
    - command: >
        cp httpd-vhosts /etc/httpd/conf/httpd-vhosts.conf
    - name: Start Apache and configure it to run at boot.
      command: service httpd start
    - command: chkconfig httpd on

or

---
- name: Install Apache.
  hosts: all

  tasks:
    - name: Install Apache
      shell: |
        yum install --quiet -y httpd httpd-devel
        cp httpd.conf /etc/httpd/conf/httpd.conf
        cp httpd-vhosts /etc/httpd/conf/httpd-vhosts.conf

    - name: Start Apache and configure it to run at boot.
      command: service httpd start
    - command: chkconfig httpd on

or

---
- name: Install Apache.
  hosts: all
  become: true

  tasks:
    - name: Install Apache
      yum:
        name:
          - httpd
          - httpd-devel
        state: present
      become: true
    - name: Copy configuration files.
      copy:
        src: "{{ item.src }}"
        dest: "{{ item.dest }}"
        owner: root
        group: root
        mode: 0644
      with_items:
        - src: httpd.conf
          dest: /etc/httpd/config/httpd.conf
        - src: httpd-vhosts.conf
          dest: /etc/httpd/conf/httpd-vhosts.conf

  - name: Make sure Apache is started now and at boot.
    service:
      name: httpd
      state: started
      enabled: true

    - command: >
        cp httpd-vhosts /etc/httpd/conf/httpd-vhosts.conf
    - name: Start Apache and configure it to run at boot.
      command: service httpd start
    - command: chkconfig httpd on

run on all nodes except one

ansible-playbook -i inventory multi --limit db
ansible-playbook -i inventory multi --limit=192.168.60.6
ansible-playbook -i inventory multi --limit="!:db"

List inventory

ansible-inventory --list i inventory

References

Ansible 101 - Episode 3 - Introduction to Playbooks

Learning – Ansible 101 – Episode 2 – Ad-hoc tasks and Inventory

Posted on by Bian Xi Leave a Comment on Learning – Ansible 101 – Episode 2 – Ad-hoc tasks and Inventory

Learning - Ansible 101 - Episode 2 - Ad-hoc tasks and Inventory

Run ad-hoc tasks using Ansible.

Vagrant Cloud

Vagrant init

vagrant init geerlingguy/centos7

Vagrantfile

Vagrant.configure("2") do |config|
  config.vm.box = "geerlingguy/centos7"

  config.ssh.insert_key = false

  config.vm.synced_folder ".", "/vagrent", disabled: true

  config.vm.provider :virtualbox do |v|
    v.memory= 256
    v.linked_clone = true
  end

  # App server 1
  config.vm.define "app1" do |app|
    app.vm.hostname = "orc-app1.test"
    app.vm.network :private_network, ip: "192.168.60.4"
  end

  # App server 2
  config.vm.define "app2" do |app|
    app.vm.hostname = "orc-app2.test"
    app.vm.network :private_network, ip: "192.168.60.5"
  end

  # DB server
  config.vm.define "db" do |db|
    db.vm.hostname = "orc-db.test"
    db.vm.network :private_network, ip: "192.168.60.6"
  end
end
vagrant up

Create inventory file

# Application servers
[app]
192.168.60.4
192.168.60.5

# Database server
[db]
192.168.60.6

# Group has all the servers
[multi:children]
app
db

# Variable for all the servers
[multi:vars]
ansible_ssh_user=vagrant
ansible_ssh_private_key_file=~/.vagrant.d/insecure_private_key

Run Ansible

ansible multi -i inventory -a "hostname"

Note: accept host key if prompt, or change the .ssh/config file to ignore host key

To run one by one,

ansible multi -i inventory -a "hostname" -f 1

Run ansible to query configuration

ansible -i inventory db -m setup

Install NTP

ansible -i inventory multi -b -m yum -a "name=ntp state=present"

ansible -i inventory multi --become -m yum -a "name=ntp state=present"

Note: Run the second time, the status will be SUCCESS, not CHANGED

Ask for sudo password

ansible -i inventory multi -K -m yum -a "name=ntp state=present"

Note: for this image, the vagrant user has password vargent

Check service status

ansible -i inventory multi -b -m service -a "name=ntpd state=started enabled=yes"

Check service options

  • Use google search "ansible service module".

  • Use ansible-doc command

ansible-doc service

NTP commands

ansible -i inventory multi -b -a "service ntpd stop"
ansible -i inventory multi -b -a "ntpdate -q 0.rhel.pool.ntp.org"

my_sql

Setup user on mysql server.

ansible -i inventory db -b -m mysql_user -a "name=django host=% password=12345 priv=*.*:ALL state=present"

Limit to one server

ansible -i inventory multi -a "free -m" --limit '192.168.60.4'
ansible -i inventory multi -a "free -m" --limit '*.4'
ansible -i inventory multi -a "free -m" --limit '!192.168.60.4'
ansible -i inventory multi -a "free -m" --limit '!192.168.60.4:!192.168.60.5'

References

Ansible 101 - Episode 2 - Ad-hoc tasks and Inventory