    Posts

    • RE: Final Call ... XenServer Boot Media

      According to this http://xenserver.org/discuss-virtualization/virtualization-blog/entry/log-rotation-and-syslog-forwarding.html

      It's rewriting from /var/lib/syslog.conf. So changing there should keep the changes.

      posted in IT Discussion
      stacksofplates
    • RE: What Are You Doing Right Now

      @scottalanmiller said in What Are You Doing Right Now:

      Man, what an arrogant prick:

      https://community.spiceworks.com/topic/1616648-starting-with-linux-from-scratch

      Guy is a super junior helpdesk guy (@tonyshowoff and I know this guy in person) and he doesn't know anything about Linux or UNIX and has convinced his company that for a super simple little application project that should take a few weeks of effort and zero proprietary stuff requires him to make his own OS and get Linux certified as UNIX... which even Red Hat, Suse and Ubuntu have not done. And when anyone points out that this is crazy, he calls the entire Linux community "arrogant" for stating how hard this is.

      This is what we call an Askhole, for sure.

      And according to their rating system, he should be very experienced. I mean you only get to red and black by knowing a lot and answering questions....

      posted in Water Closet
      stacksofplates
    • sVirt and KVM

      sVirt is the application of SELinux against virtualization. In RHEL 7 and up, SELinux contexts are added to each KVM virtual machine to ensure separation from host and other guests. Here's an output from my machine (running Fedora 24):

      [jhooks@z420fedora ~]$ ps -efZ | grep svirt
      system_u:system_r:svirt_t:s0:c102,c768 qemu 2221   1 93 08:41 ?        00:00:04 /usr/bin/qemu-system-x86_64 -machine accel=kvm -name Jenkins
      system_u:system_r:svirt_t:s0:c50,c877 qemu 2259    1 89 08:41 ?        00:00:01 /usr/bin/qemu-system-x86_64 -machine accel=kvm -name Ansible
      

      Each machine receives the svirt_t context type and a different MCS (Multi Category Security) label. From the output above Jenkins has c102 & c768 while Ansible has c50 & c877.

      The same is true for the disk images:

      [jhooks@z420fedora VMs]$ ls -Z
      system_u:object_r:svirt_image_t:s0:c50,c877 Ansible.qcow2
      system_u:object_r:svirt_image_t:s0:c102,c768 jenkins.qcow2
      

      Both disk images have matching MCS labels and svirt context types.

      Libvirt takes care of auto assigning the MCS labels automatically when the guest is started. If you run the guest without libvirt using qemu directly, this is not the case.

      When the guests are shut down the disks go back to their normal labeling:

      [jhooks@z420fedora VMs]$ ls -Z
      unconfined_u:object_r:virt_content_t:s0 Ansible.qcow2
      unconfined_u:object_r:virt_content_t:s0 jenkins.qcow2
      
      posted in IT Discussion svirt kvm linux virtualization
      stacksofplates
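The labelling described in the sVirt post can be checked mechanically. This is an added example, not part of the original post: it parses `ps -efZ` and `ls -Z` text and reports qemu processes that are not confined as svirt_t (the case of running qemu directly without libvirt), guests that share an MCS label, and guests or images whose labels have no counterpart. The sample input, the file name spare.qcow2 and all function names are constructed for illustration.

```python
import re
from collections import defaultdict
# Constructed sample input, modelled on the `ps -efZ` and `ls -Z` output in the post.
PS_SAMPLE = """\
system_u:system_r:svirt_t:s0:c102,c768 qemu 2221 1 93 08:41 ? 00:00:04 /usr/bin/qemu-system-x86_64 -machine accel=kvm -name Jenkins
system_u:system_r:svirt_t:s0:c50,c877 qemu 2259 1 89 08:41 ? 00:00:01 /usr/bin/qemu-system-x86_64 -machine accel=kvm -name Ansible
"""
LS_SAMPLE = """\
system_u:object_r:svirt_image_t:s0:c50,c877 Ansible.qcow2
system_u:object_r:svirt_image_t:s0:c102,c768 jenkins.qcow2
unconfined_u:object_r:virt_content_t:s0 spare.qcow2
"""

def parse_context(ctx):
    """Split user:role:type:sensitivity[:categories] into (type, category set)."""
    parts = ctx.split(":", 4)
    if len(parts) < 4:
        raise ValueError(f"not an SELinux context: {ctx!r}")
    cats = frozenset(parts[4].split(",")) if len(parts) == 5 else frozenset()
    return parts[2], cats

def running_guests(ps_text):
    """Map guest name -> (type, categories) for every qemu process line."""
    guests = {}
    for line in ps_text.splitlines():
        m = re.search(r"qemu-system\S*.*?-name\s+(?:guest=)?([^,\s]+)", line)
        if m:
            guests[m.group(1)] = parse_context(line.split()[0])
    return guests

def disk_images(ls_text):
    """Map file name -> (type, categories) for each `ls -Z` line."""
    images = {}
    for line in ls_text.splitlines():
        if line.strip():
            ctx, name = line.split(None, 1)
            images[name] = parse_context(ctx)
    return images

def audit(ps_text, ls_text):
    """Return a list of findings; an empty list means the labels are consistent."""
    findings = []
    guests, images = running_guests(ps_text), disk_images(ls_text)
    by_label = defaultdict(list)
    for name, (ctype, cats) in guests.items():
        if ctype != "svirt_t" or not cats:
            findings.append(f"{name}: qemu not confined by sVirt ({ctype})")
            continue
        by_label[cats].append(name)
    labelled = {cats for ctype, cats in images.values() if ctype == "svirt_image_t"}
    for cats, names in by_label.items():
        if len(names) > 1:
            findings.append(f"{', '.join(sorted(names))}: share MCS label {','.join(sorted(cats))}")
        if cats not in labelled:
            findings.append(f"{names[0]}: no svirt_image_t disk carries its MCS label")
    for name, (ctype, cats) in images.items():
        if ctype == "svirt_image_t" and cats and cats not in by_label:
            findings.append(f"{name}: labelled for a guest that is not running")
    return findings
```

Images are matched to guests by MCS label rather than by file name, which is why jenkins.qcow2 pairs with the guest named Jenkins.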
    • RE: What Are You Doing Right Now

      Our cafe had pulled pork and Mac n cheese today. It was pretty good.

      posted in Water Closet
      stacksofplates
    • QEMU Convert Script

      QEMU doesn't preallocate QCOW2 images by default. If you want to preallocate you have to either convert an existing disk or preallocate at creation. I'm lazy and get tired of typing

      qemu-img convert -f qcow2 -O qcow2 -o preallocation=metadata disk1.qcow2 disk2.qcow2
      

      So I wrote a script where I can just type

      convert disk1.qcow2 disk2.qcow2
      

      It does some basic error handling, like if the disk you are converting doesn't exist it lets you know, and if you are trying to convert to a file that already exists it lets you know.

      I also gave it an interactive mode with -i so it will ask you what the disks are (just for fun).

      #!/bin/bash
      
      # Script to convert qemu images with preallocation
      
      # Script functions
      function script_help () {
        echo "
            Usage: $(basename "$0") [options] original-file new-file
      
                -i   Interactive mode
      
                -h   this help text
      
                original-file  File to convert
      
                new-file       File to create
      
            Example:
              $(basename "$0") disk1.qcow2 disk2.qcow2"
      
        # Exit with the status passed by the caller (0 if none)
        exit "${1:-0}"
      }
      
      function interactive_convert_file () {
      
        echo "Original file"
        read -r originalFile
      
        if [[ ! -f "$originalFile" ]]; then
          echo "File $originalFile not found"
          exit 1
        fi
      
        echo "File to convert to"
        read -r newFile
      
        if [[ -e "$newFile" ]]; then
          echo "File already exists!"
          exit 1
        fi
      
        # Quote the names so spaces or globs in them are not split or expanded;
        # "--" stops a name that starts with "-" from being read as an option
        qemu-img convert -f qcow2 -O qcow2 -o preallocation=metadata -- "$originalFile" "$newFile"
      
        # Exit with qemu-img's status so a failed conversion is not reported as success
        exit $?
      
      }
      
      function argument_convert_file () {
      
        if [[ ! -f "$origFile" ]]; then
          echo "File $origFile not found"
          exit 1
        fi
      
        if [[ -e "$newFile" ]]; then
          echo "File $newFile already exists!"
          exit 1
        fi
      
        qemu-img convert -f qcow2 -O qcow2 -o preallocation=metadata -- "$origFile" "$newFile"
      
        # Exit with qemu-img's status
        exit $?
      
      }
      
      # Show help if no arguments or options are passed
      [[ $# -eq 0 ]] && script_help 1
      OPTIND=1
      
      
      # Read command line options
      while getopts "ih" opt; do
          case "$opt" in
            i) interactive_convert_file ;;
            h) script_help ;;
            \?) script_help 1 ;;
          esac
      done
      shift $((OPTIND-1))
      
      # Run argument function; both file names are required
      [[ $# -eq 2 ]] || script_help 1
      origFile=$1
      newFile=$2
      argument_convert_file
      
      posted in IT Discussion kvm linux bash script qemu qcow2 preallocation
      stacksofplates
    • RE: What Are You Doing Right Now

      @NattNatt said in What Are You Doing Right Now:

      @DustinB3403 That's what I picked...Nope. OP chose PaaS as the correct answer. Not just me then - 32% correct so far...

      The wording is pretty bad, but I can see where they got that. I don't think they are saying they want to maintain the web server, they just want to build the application. So the development of the app would be PaaS.

      That's a badly worded question.

      posted in Water Closet
      stacksofplates
    • RE: Thoughts on a Ubiquiti/Cisco comparo?

      @coliver said in Thoughts on a Ubiquiti/Cisco comparo?:

      I think the answer is yes to all of these questions. Cisco does use a proprietary VPN for the client connections but, if I remember correctly, their site-to-site stuff is using IPSEC or L2TP.

      Ya I've done site-to-site with IPsec between an ERL and a Cisco.

      posted in IT Discussion
      stacksofplates
    • RE: What Are You Doing Right Now

      I think they need to re-evaluate how this sign in page looks.

      0_1487292236926_login.png

      posted in Water Closet
      stacksofplates
    • RE: One Server -2 NICs, Different IPs

      Is it doing any routing? Like @scottalanmiller said, I wouldn't shut it off until you know exactly what it's doing.

      posted in IT Discussion
      stacksofplates
    • RE: What Are You Doing Right Now

      I wrote another thing. The Alexa skill uses a Go application I wrote in AWS Lambda to get the data from the most recent topics of the site. It would have read the whole first page of topics, so I stopped early.

      Youtube Video

      posted in Water Closet
      stacksofplates
    • Minimize conditionals with Ansible

      So in Ansible you can use conditionals when a fact is different between systems (eg distribution, release, ip address, etc). You can also use variables with dictionaries and facts to accomplish this. Here is an example using a dictionary with package names for Apache:

      ---
      # vars file for test
      dist_hash:
          "RedHat":
              webserver: 'httpd'
          "Fedora":
              webserver: 'httpd'
          "Ubuntu":
              webserver: 'apache2'
      
      webserver: "{{ dist_hash[ansible_distribution]['webserver'] }}"
      

      The variable that will be called in the task is at the bottom. That variable references the hash (dictionary) above it. So it looks in dist_hash for the distribution (in my case Fedora) and replaces ansible_distribution with the actual name. Then it looks at the webserver value of the hash under that distribution name.

      I set up a simple task that copies a template called test.j2 with these contents:

      We will install {{ webserver }} on this system.
      

      The main task file is this:

      ---
      # tasks file for test
      - name: test
        template:
          src: test.j2
          dest: /tmp/test.conf
          owner: root
          group: root
          mode: 0644
      

      So it copies test.j2 and fills in the variable and stores it as /tmp/test.conf. Here's the output of that file:

      [jhooks@starscream tmp]$ cat test.conf 
      We will install httpd on this system.
      

      This is one way to keep conditionals to a minimum in your roles.

      posted in IT Discussion ansible conditionals roles linux devops
      stacksofplates
    • RE: What Are You Doing Right Now

      For some practice tonight I wrote a Prometheus exporter that gets the total users, posts, and topics from the site.

      totalusers.png
      totaltopics.png
      totalposts.png

      posted in Water Closet
      stacksofplates
    • QEMU Get Guest IP

      QEMU has a guest agent like other hypervisors. If you have the guest agent you can get some info out of the guest directly from the host. Here's a way to get the IP address from the guest:

      virsh qemu-agent-command $guest '{"execute":"guest-network-get-interfaces"}' | python -mjson.tool
      

      This spits out some json:

      {
          "return": [
              {
                  "hardware-address": "00:00:00:00:00:00",
                  "ip-addresses": [
                      {
                          "ip-address": "127.0.0.1",
                          "ip-address-type": "ipv4",
                          "prefix": 8
                      },
                      {
                          "ip-address": "::1",
                          "ip-address-type": "ipv6",
                          "prefix": 128
                      }
                  ],
                  "name": "lo"
              },
              {
                  "hardware-address": "52:54:00:1b:3a:ba",
                  "ip-addresses": [
                      {
                          "ip-address": "10.1.30.6",
                          "ip-address-type": "ipv4",
                          "prefix": 24
                      },
                      {
                          "ip-address": "fe80::5054:ff:fe1b:3aba",
                          "ip-address-type": "ipv6",
                          "prefix": 64
                      }
                  ],
                  "name": "eth0"
              }
          ]
      }
      
      posted in IT Discussion qemu kvm linux
      stacksofplates
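To go from the JSON in the QEMU guest agent post to the address itself, the reply has to be filtered. This is an added example, not part of the original post: it keeps only addresses that parse as valid and are neither loopback nor link-local. The agent runs inside the guest, so every field of the reply is handled as untrusted input. The function name and the compacted sample reply are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample: the guest-network-get-interfaces reply from the post, compacted.
AGENT_REPLY = """
{"return": [
  {"hardware-address": "00:00:00:00:00:00", "name": "lo", "ip-addresses": [
    {"ip-address": "127.0.0.1", "ip-address-type": "ipv4", "prefix": 8},
    {"ip-address": "::1", "ip-address-type": "ipv6", "prefix": 128}]},
  {"hardware-address": "52:54:00:1b:3a:ba", "name": "eth0", "ip-addresses": [
    {"ip-address": "10.1.30.6", "ip-address-type": "ipv4", "prefix": 24},
    {"ip-address": "fe80::5054:ff:fe1b:3aba", "ip-address-type": "ipv6", "prefix": 64}]}
]}
"""

def guest_addresses(reply_text, version=4):
    """Return [(interface, 'address/prefix')] for routable addresses in an agent reply."""
    reply = json.loads(reply_text)
    interfaces = reply.get("return") if isinstance(reply, dict) else None
    if not isinstance(interfaces, list):
        raise ValueError("reply has no 'return' list")
    found = []
    for iface in interfaces:
        if not isinstance(iface, dict):
            continue
        # 'ip-addresses' is absent for an interface that has no address
        for entry in iface.get("ip-addresses") or []:
            try:
                addr = ipaddress.ip_interface(f"{entry['ip-address']}/{entry['prefix']}")
            except (KeyError, TypeError, ValueError):
                continue  # malformed value supplied by the guest: skip it
            # Decide on the parsed address, not on the 'ip-address-type' the guest claims
            if addr.version != version or addr.ip.is_loopback or addr.ip.is_link_local:
                continue
            found.append((str(iface.get("name", "?")), str(addr)))
    return found
```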
    • RE: CentOS rsync between servers using keyfile to pass credentials

      @scottalanmiller said in CentOS rsync between servers using keyfile to pass credentials:

      Okay, now do the same thing on the second server. Then take the contents of the public key from the first one and populate the /home/user/.ssh/authorized_keys file on the second server with it.

      I'd just do ssh-copy-id. It's easier. That way there is no chance the SELinux context (or mode) for that file can change.

      posted in IT Discussion
      stacksofplates
    • Systemd timers instead of cron

      As I'm sure most of you know, systemd has other units than just services. I'll be dealing with services, timers, and targets in this write up.

      The main reason for me switching was ansible-pull. Now it's mostly my fault because I didn't create a script with any logic and just assumed that ansible-pull was smart enough to do this (it's not the main function of Ansible so it's not surprising it doesn't). I was using Ansible pull for basic bare configs after kickstarting and then having it run every 10 minutes to check for changes. I set up a cronjob that called ansible-pull to checkout the repo and pull in any changes and run the playbook locally. Well what I didn't realize is that if there is any hangup in that process, ansible-pull isn't killed automatically and then when 10 minutes is up, it will start another ansible-pull process. So after 24 hours of that, some machines had a load of 8+. They were hanging during setup because they were having issues contacting a non-important NFS share that was automounted.

      Systemd timers will not run another instance until the first is completed, so that fixes this. It also lets you run a service one off unlike cron.

      First create your files in /usr/lib/systemd/system:

      touch myscript.{target,timer,service}
      touch myscript2.service
      

      You don't need a target, but if you want to have more than one script run, it makes it easier.

      Here's some examples with a snapshot backup I use for some of my VMs at home:

      backup-pbx.service:

      [Unit]
      Description=Backup PBX
      Before=backup-tower.service
      
      [Service]
      Type=simple
      ExecStart=/usr/local/bin/snapshot PBX pbx-snap /var/backups/VMs/ hda
      
      [Install]
      WantedBy=backup.target
      
      

      backup-tower.service:

      [Unit]
      Description=Backup Tower Data
      After=backup-pbx.service
      
      [Service]
      Type=simple
      ExecStart=/usr/local/bin/snapshot Tower tower-snap /var/backups/VMs/ vdb
      
      [Install]
      WantedBy=backup.target
      

      backup.target:

      [Unit]
      Description=Snapshot based backup for VMs
      
      [Install]
      WantedBy=default.target
      

      backup.timer:

      [Unit]
      Description=Backup VMs
      
      [Timer]
      OnBootSec=10min
      OnCalendar=Sun *-*-* 00:00:00
      Unit=backup.target
      
      [Install]
      WantedBy=multi-user.target
      

      Now just enable each one

      systemctl enable backup-tower backup-pbx backup.target backup.timer
      

      And start the timer:

      systemctl start backup.timer
      

      Mine is set to run every week on Sunday at midnight.

      This allows us to one off run the services also without going into either crontab or a cron file and grabbing the whole command.

      systemctl start backup-tower
      

      These are also all logged with journalctl. So if you want to see all of the entries for backup-tower just run

      journalctl -u backup-tower
      
      Apr 23 13:58:29 kvm.pa.jhbcomputers.com systemd[1]: Starting Backup Tower data...
      Apr 23 13:58:29 kvm.pa.jhbcomputers.com snapshot[18508]: Domain snapshot tower-snap created
      Apr 23 13:58:29 kvm.pa.jhbcomputers.com snapshot[18508]: tar: Removing leading `/' from member names
      Apr 23 13:58:29 kvm.pa.jhbcomputers.com snapshot[18508]: /data/VMs/tower-var.qcow2
      Apr 23 14:02:38 kvm.pa.jhbcomputers.com snapshot[18508]: [43B blob data]
      Apr 23 14:02:38 kvm.pa.jhbcomputers.com snapshot[18508]: Successfully pivoted
      Apr 23 14:02:38 kvm.pa.jhbcomputers.com snapshot[18508]: Domain snapshot tower-snap deleted
      
      posted in IT Discussion cron linux unix systemd systemd timers
      stacksofplates
    • RE: What Are the Latest Virtualization Platform Recommendations

      @black3dynamite said in What Are the Latest Virtualization Platform Recommendations:

      @scottalanmiller said in What Are the Latest Virtualization Platform Recommendations:

      @black3dynamite said in What Are the Latest Virtualization Platform Recommendations:

      And since discovering Mangolassi, XenServer seems to be only popular here when Xen Orchestra is being used with it.

      that's the only context in which it makes sense. That's its one main management tool.

      But saying that, you could say the same kind of thing for Vmware ESXi... it's only popular with vSphere to manage it. Of course, you need something to manage anything. When you have a management tool that is free and really good, there is no need for anything else and/or the two just become associated. That XS is only popular with XO just makes sense, as it is open, free and very powerful. XS has to have some tool, and that one is so good that no one else tries to compete.

      Besides not supporting better file systems for VM storage, especially when using thin storage. I'm never a fan of XenCenter; it gets the job done, but I'd much rather do things via CLI. I really hope the XenServer devs integrate XO soon.

      I think they should focus on things like not using ext3 first.

      posted in IT Discussion
      stacksofplates
    • RE: virtualize all the things... ?

      @matteo-nunziati said in virtualize all the things... ?:

      @stacksofplates said in virtualize all the things... ?:

      @bj said in virtualize all the things... ?:

      @jaredbusch said in virtualize all the things... ?:

      Then Manage it from your Fedora desktop

      I think I'd rather not install an entire desktop to manage VMs. That seems like taking a step in the wrong direction to me.

      You don't have to. You can manage from cli only. And if you just want virt-manager just have a VM on the host that you can X11 forward from.

      If you have failover/replica/HA you can consider using a VM to control the hypervisor

      You can do it even without that. Single hosts are easy, and for the amount of resources it uses, you can just have one on each host as a fail safe. But as long as a single host is up you can control them all from a single Virt-Manager VM.

      posted in IT Discussion
      stacksofplates
    • RE: Looking for good and cheaper webhosting, suggest please ?

      Why would you want your email through a shared hosting provider? It's usually garbage and only IMAP/POP.

      posted in IT Discussion
      stacksofplates
    • Tower is open sourced as AWX

      Ansible released Tower's source yesterday under the original name AWX. Here's the repo:

      https://github.com/ansible/awx

      I spent last night getting it up and running and it's not too bad. I might do a write up if I get time.

      posted in IT Discussion ansible tower awx linux automation
      stacksofplates
    • RE: domain controller in the cloud for small office?

      @penguinwrangler said in domain controller in the cloud for small office?:

      My friend who is a tech director for my kids school is having his budget slashed by a superintendent who doesn't think that much of technology. About 750 kids in the district (rural area) he has about 400-500 machines to manage. His budget is $20,000 for the year. So we are moving him to all open source. Moving from Novell eDirectory to a Samba 4 domain. Doing anything and everything to save him money.

      Identity Management (FreeIPA) would be great if you want to expose the kids to Linux.

      One of the easiest things I’ve ever set up.

      posted in IT Discussion
      stacksofplates