So I finally got around to updating this thing to SSL. With Let’s Encrypt it is easier than ever. Seriously…no reason not to do it.
The next project is an internal PKI server for the intranet. We are working on securing credentials (and yes, a self-signed cert is OK), but I would prefer to have it running a proper cert.
It says insecure but..the cert says
It’s just something more to work on.
I am also looking into Amazon Secrets Manager for rotating the root passwords on my servers; it could be interesting.
So the backups failed over the weekend and I decided to leverage AWS since my company uses them a crazy amount.
I installed the Storage Gateway and created some volumes. I then mounted the volumes via iSCSI on a VM host and created a VMFS file system.
This allows me to create a VM on the host while its storage is in Amazon, so if the host goes belly up I just disconnect the iSCSI volume or reconnect it to a different host.
This is huge!! I am going to start migrating the infrastructure (PXE, DNS, DHCP) onto this, as it is another layer of protection.
Yes, it requires internet, but I can replicate and fail over so that AWS is primary and local is secondary, or vice versa.
There is ISCSI attached to VM Host.
This is amazing! Long live the cloud!
So we are doing UI testing, which requires the latest and greatest web browser. Some come as RPMs, others as binaries to install from. Both are fine, however trying to drive a tar.bz2 install through some sort of config management (Puppet, Ansible) is near impossible.
/cut to compiling from source/
Compiled from source, and with a custom %post to symlink it into /usr/local/bin, I give you the Firefox 57 RPM.
The biggest change was this:
%post -p /bin/sh
ln -s /firefox/firefox /usr/local/bin/firefox
It creates the symlink, so instead of users typing /firefox/firefox they can just type firefox.
Give me a few days and I can post the spec file if need be, or the entire RPM (if that’s legal).
Now to streamline the process so I can do it with other major versions!!!
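For anyone who wants to try the same trick before the real spec file goes up, here is a minimal spec built around that scriptlet. This is an added example, not the spec file from the RPM above: the package name, Version, Source0 and the assumption that the tarball unpacks to a top-level firefox/ directory are all placeholders. The one thing it changes from the scriptlet above is worth knowing: a plain ln -s fails with "File exists" when the package is upgraded (the new %post runs while the old link is still there), and nothing ever removes the link on erase, so it uses ln -sfn and adds a %postun that only cleans up on a real removal ($1 is 0), not on an upgrade ($1 is 1).

```spec
# Added example, not the post's own spec file. Placeholders: Name, Version,
# Source0, and the assumption that the tarball extracts to firefox/.
Name:           firefox-custom
Version:        57.0
Release:        1%{?dist}
Summary:        Firefox %{version} packaged under /firefox with a launcher symlink
License:        MPLv2.0
Source0:        firefox-%{version}.tar.bz2
# Vendor-style binary tree: do not let rpmbuild compute library deps for it.
AutoReqProv:    no

%description
Firefox %{version} unpacked to /firefox, with /usr/local/bin/firefox pointing at it.

%prep
# -n firefox: the tarball's top-level directory is assumed to be firefox/
%setup -q -n firefox

%install
mkdir -p %{buildroot}/firefox
cp -a . %{buildroot}/firefox/

%files
/firefox

%post -p /bin/sh
# -s symlink, -f replace an existing link, -n do not follow it if it is a dir link.
# Without -f the upgrade path fails, because the old package's link is still there.
ln -sfn /firefox/firefox /usr/local/bin/firefox

%postun -p /bin/sh
# $1 is 0 on erase and 1 on upgrade; only remove the launcher on erase,
# otherwise the link the new version's %post just created would be deleted.
if [ "$1" -eq 0 ]; then
    rm -f /usr/local/bin/firefox
fi
```

Scriptlet order on an upgrade is new %post first, then old %postun, which is why the %postun must check $1 rather than removing the link unconditionally.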
So I finally got PowerCLI working on Linux. I have it in a Docker image running VMware Photon OS 1.0. This is pretty neat because now I can:
1. Write a Powershell Script and drop into /scripts on the docker image
2. Call the docker
a. alias powercli='docker run -i -t powercli:scripts /bin/bash' - This allows me to go into the docker image to add scripts
alias vmwiki='docker run powercli:scripts powershell -f /scripts/VMwiki.ps1' - I can call the script now.
3. Need to write my start-up/shutdown script and parameterize it; that will make life much, much easier.
So we are making the switch to Ansible Tower, and we do have a license. However, if I can do it the old-fashioned way (free) and learn more, I am in.
AWX 1.0.1 here I am.
* Tower-manager is non-existent; luckily they have tower-cli, which is installed via pip install ansible-tower-cli and gives you these options
Using this I can probably replicate tower-manager all for free.
Keep an eye out for some custom scripts and one liners I write.
Here we go!!!
So I completely ignored my WSUS server for the past 6 months; well, ignored is a strong word. It was in unattended mode. All updates got delivered, but now I feel like I actually need to manage it along with AD. With all the ransomware going around it is not a bad idea.
I also decided to get a Stack Overflow account and answer some questions; maybe dig more into the why rather than just "it’s solved". I think it might help me career-wise and my knowledge. I am worried the jack-of-all-trades admin is going to go away in the next 5 – 10 years, so I really need to work on the dev side of the DevOps skill set.
So I totally forgot about this blog; well, time to update. Expect more constant updates; truly, I mean it!
I just had to reset the password again via MySQL; shows how much I use it 🙂
Got my personal Spacewalk server up and running. I am using it to deploy config files (/etc/hosts) to keep DNS in check. So far it is working on one system.
Eventually I hope to get it up and running on all.
This brings me back to a few interviews I did where they asked about configuration management. Yeah, Spacewalk is not Puppet or Chef, but it is not a bad way to keep config files in check.
For those interested in my scripts and config files, check out my GitHub. I am going through most of the stuff I wrote and removing confidential info, so it is a work in progress:
So the first thing to do is enable SSH on the VMware host (and set up NTP if you haven’t already).
Then get the current syslog config of your ESXi server: run the command below and your output should look similar.
esxcli system syslog config get
Then set up the remote host with the following command, and your output should be similar:
esxcli system syslog config set --loghost="tcp://$HOSTNAME:$PORTNUMBER"
Now check whether your firewall is blocking the connection:
~ # nc -v $HOSTNAME $PORT
Connection to $HOSTNAME $PORT port [tcp/*] succeeded
If you get that, great! If you don’t, then do the following:
esxcli network firewall ruleset set --ruleset-id=syslog --enabled=true
esxcli network firewall refresh
By default VMware likes to use UDP port 514, TCP port 514, and 1514. I would recommend using one of those for your Logstash port.
Once you adjust the firewall, rerun nc -v $HOSTNAME $PORT and it should work!
To remove old logs, install Curator and add these crontab entries:
30 0 * * * /usr/bin/curator --host 127.0.0.1 delete --older-than 180
40 0 * * * /usr/bin/curator --host 127.0.0.1 close --older-than 180
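Since I end up redoing this on every host, here are the same steps wrapped in a small sh script that can be re-run and checked. This is an added example, not something from the original post: it assumes the esxcli and nc binaries of the ESXi shell, the LOGHOST and LOGPORT values are placeholders, and the "Remote Host:" line it greps for is the field that esxcli system syslog config get prints. Two things it adds over the one-liners above: an esxcli system syslog reload after the config set, without which vmsyslogd keeps the old destination, and a check that the remote host actually landed in the config before testing the port.

```sh
#!/bin/sh
# Added example, not from the original post: the ESXi remote-syslog steps
# wrapped in functions. Assumes the esxcli and nc binaries of the ESXi shell;
# LOGHOST/LOGPORT are placeholder values.
LOGHOST="${LOGHOST:-logstash.example.internal}"   # placeholder: your Logstash host
LOGPORT="${LOGPORT:-1514}"                        # one of the ports the syslog ruleset opens

# Build the loghost URI. tcp:// rather than udp:// so that a down or
# misconfigured collector shows up as a connection failure instead of
# silently dropped datagrams.
loghost_uri() {
    printf 'tcp://%s:%s' "$1" "$2"
}

# Return 0 if the "Remote Host:" line of `esxcli system syslog config get`
# output ($1) names the URI in $2. Works on captured text so it can be checked
# off the host; grep -F keeps the URI's dots and slashes from acting as regex.
remote_host_configured() {
    printf '%s\n' "$1" | grep -qF -- "Remote Host: $2"
}

# Apply: set the loghost, reload vmsyslogd so it takes effect, then open the
# syslog firewall ruleset (UDP 514, TCP 514, TCP 1514).
configure_remote_syslog() {
    uri=$(loghost_uri "$LOGHOST" "$LOGPORT")
    esxcli system syslog config set --loghost="$uri" || return 1
    esxcli system syslog reload || return 1
    esxcli network firewall ruleset set --ruleset-id=syslog --enabled=true || return 1
    esxcli network firewall refresh
}

# Verify: the config must show the remote host and the TCP port must be reachable.
verify_remote_syslog() {
    uri=$(loghost_uri "$LOGHOST" "$LOGPORT")
    current=$(esxcli system syslog config get)
    if ! remote_host_configured "$current" "$uri"; then
        echo "loghost is not set to $uri" >&2
        return 1
    fi
    # -z only probes the port, -w gives up after 5 seconds instead of hanging
    if ! nc -z -w 5 "$LOGHOST" "$LOGPORT"; then
        echo "cannot reach $LOGHOST:$LOGPORT; check the syslog ruleset and the collector" >&2
        return 1
    fi
    echo "remote syslog to $uri is configured and reachable"
}

# Only touch the host when explicitly asked, so sourcing the file is harmless.
case "${1:-}" in
    apply)  configure_remote_syslog && verify_remote_syslog ;;
    verify) verify_remote_syslog ;;
esac
```

Run it as sh esxi-syslog.sh apply on the host (with LOGHOST and LOGPORT exported first), and sh esxi-syslog.sh verify afterwards; the verify step is the one to drop into a cron or a monitoring check, since it catches both a lost config and a blocked port.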
and you should be good!