

add user with ansible

A quick and dirty one: add a user (svc_lawprod), set its password (abc123) and age it so that it must be changed at the first login.

---
- hosts:
  remote_user:

  tasks:

   - name: create user
     shell: useradd -d /home/svc_lawprod -m -u 22800 -c 'Lawson service account' -g lawson -p `openssl passwd abc123` svc_lawprod

   - name: force password reset at 1st login
     shell: chage -d 0 svc_lawprod 
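
The `-p` option of useradd stores whatever string it is given as the password hash, and with no algorithm option the `openssl passwd` of OpenSSL 1.0.x prints a traditional DES crypt(3) hash, which only covers the first eight characters of the password. As an added example (not part of the original post), this script reports accounts in a shadow-format file whose hash is DES crypt or MD5-crypt; the function names and sample lines are constructed and the hash strings are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post.
# weak_shadow_hashes and sample_shadow are hypothetical names.

# Print "<user> <scheme>" for every account whose hash field is
# traditional DES crypt (13 chars, no "$") or MD5-crypt ("$1$").
weak_shadow_hashes() {
    awk -F: '
        $2 == "" || $2 ~ /^[!*]/ { next }    # no hash, locked or disabled
        $2 ~ /^\$1\$/  { print $1, "md5-crypt"; next }
        $2 ~ /^\$/     { next }              # $5$, $6$, $y$, $2b$ and so on
        length($2) == 13 && $2 ~ "^[./0-9A-Za-z]+$" { print $1, "des-crypt" }
    ' "$1"
}

# Constructed sample in /etc/shadow layout; hash strings are placeholders.
# Field 3 is 0 for svc_lawprod, which is what "chage -d 0" sets.
sample_shadow() {
    cat <<'EOF'
root:$6$CONSTRUCTED$placeholderplaceholderplaceholder:17000:0:99999:7:::
svc_lawprod:XXconstructed:0:0:99999:7:::
olduser:$1$CONSTRUC$placeholderplaceholder:17000:0:99999:7:::
nobody:*:17000:0:99999:7:::
EOF
}

tmp=$(mktemp)
sample_shadow > "$tmp"
weak_shadow_hashes "$tmp"
rm -f "$tmp"
```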

Posted in LINUX.



deploying nxlog with ansible

Download and install “nxlog” and provide it with a “customized” version of the “/etc/nxlog.conf” file. First the playbook, which will execute only if the host’s operating system is RHEL ver. 6:

---
- hosts: 
  remote_user:

  tasks:

   - name: download nxlog 
     yum: name=https://nxlog.co/system/files/products/files/1/nxlog-ce-2.9.1716-1_rhel6.x86_64.rpm state=installed
     notify: StartNxLog
     when: "ansible_os_family == 'RedHat' and ansible_distribution_major_version == '6'"

   - name: StartNxLog
     include: /root/playbooks/StartNxLog

The contents of the “include:” file “/root/playbooks/StartNxLog”

- name: copy config file
  copy: src=/root/playbooks/nxlog.conf dest=/etc/nxlog.conf owner=root group=root mode=664

- name: set nxlog service to start at boot and now
  service: name=nxlog enabled=yes state=started

Posted in LINUX.



/etc/rsyslog.conf edits with ansible

The host called “wmd1” used to be the remote logger for all the LINUX boxes in the “left” data center. In the “right” data center it was “wmd2”. For whatever reason its replacement in the “left” data center is now called “wmd7”. The rest is an Ansible playbook allowing for mass edits across all the “left” boxes.

- hosts:
  remote_user: root

  tasks:
   # remote_src=yes: back up the managed host's own file, not the controller's
   - name: copy /etc/rsyslog.conf to /etc/rsyslog.conf.OLD
     copy: src=/etc/rsyslog.conf dest=/etc/rsyslog.conf.OLD remote_src=yes force=no

   # the grep pattern is quoted so the shell passes it through unchanged
   - name: replace the name of remote logger or insert it if missing
     shell: grep 'wmd.*\.wmd\.edu' /etc/rsyslog.conf && sed --in-place 's/wmd.*\.wmd\.edu/wmd7.wmd.edu/' /etc/rsyslog.conf || echo '*.* @@wmd7.wmd.edu:1515' >> /etc/rsyslog.conf ; service rsyslog restart

The shell line is one long line – there are no folding characters above.
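
The same edit as an idempotent shell function, added here as an example (not the author's code): it escapes the dots in the host pattern, keeps only the first backup, and reports whether the file changed so that rsyslog is restarted only when needed. The function name and the assumption that loggers are named wmd<digits>.wmd.edu are not from the post.

```shell
#!/bin/sh
# Added example, not from the original post. set_remote_logger is a
# hypothetical name; the wmd<digits>.wmd.edu host pattern is an
# assumption based on the names wmd1, wmd2 and wmd7.

# Prints "changed" or "unchanged".
set_remote_logger() {
    conf=$1 new=$2                       # new: plain host name, no "/" or "&"
    pat='wmd[0-9][0-9]*\.wmd\.edu'       # dots escaped, digits only

    # Keep the first backup only, like copy ... force=no
    [ -e "$conf.OLD" ] || cp -p "$conf" "$conf.OLD"

    tmp=$(mktemp) || return 2
    if grep -q "$pat" "$conf"; then
        sed "s/$pat/$new/g" "$conf" > "$tmp"
    else
        { cat "$conf"; printf '%s\n' "*.* @@$new:1515"; } > "$tmp"
    fi

    if cmp -s "$conf" "$tmp"; then
        rm -f "$tmp"; echo unchanged
    else
        # Write through the existing file to keep owner, mode and context
        cat "$tmp" > "$conf"; rm -f "$tmp"; echo changed
    fi
}

# Demo on a constructed sample file
demo=$(mktemp)
printf '%s\n' '*.info /var/log/messages' '*.* @@wmd1.wmd.edu:1515' > "$demo"
set_remote_logger "$demo" wmd7.wmd.edu    # prints: changed
set_remote_logger "$demo" wmd7.wmd.edu    # prints: unchanged
rm -f "$demo" "$demo.OLD"
```

On a real host the caller would run `service rsyslog restart` only when the function prints `changed`.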

Posted in Linux, LINUX.



copying files among hosts with ansible

How to copy one file from one machine to a set of hosts? There is a group of hosts under the ahd label in /etc/ansible/hosts.

[ahd]
host1
host2
host3

There is a host called sysmgttl1 with a file /etc/testWMD that we want to copy to every host in the Ansible ahd group.
This task is easily accomplished with a playbook with the following content:

- hosts: ahd
  tasks:
    - name: Transfer file from sysmgttl1 to hosts in the ahd group
      synchronize:
        src: /etc/testWMD
        dest: /etc/testWMD
      delegate_to: sysmgttl1

Our playbook is called ehd_sync

# ansible-playbook ehd_sync
 ____________
< PLAY [ahd] >
 ------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
 ______________
< TASK [setup] >
 --------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
ok: [host1]
ok: [host2]
ok: [host3]
______________________________________________
< TASK [Transfer file from ServerA to ServerB] >
 ----------------------------------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||

changed: [host1 -> sysmgttl1]
changed: [host3 -> sysmgttl1]
changed: [host2 -> sysmgttl1]
 ____________
< PLAY RECAP >
 ------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||

host1          : ok=2    changed=1    unreachable=0    failed=0
host2          : ok=2    changed=1    unreachable=0    failed=0
host3          : ok=2    changed=1    unreachable=0    failed=0

To check/validate:

# ansible -a "ls -l /etc/testWMD" aha
host1 | SUCCESS | rc=0 >>
-rw-r--r-- 1 root root 0 Oct  7 14:17 /etc/testWMD
host2 | SUCCESS | rc=0 >>
-rw-r--r-- 1 root root 0 Oct  7 14:17 /etc/testWMD
host3 | SUCCESS | rc=0 >>
-rw-r--r-- 1 root root 0 Oct  7 14:17 /etc/testWMD

Posted in Linux.



ansible cont.

This time, a user (wmd) needs to have in his home directory (several hosts need this treatment) a very specific file with equally specific content and permissions. Ansible playbook code for today:

---
- hosts: jam

  tasks:
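   # each task needs its own action; a bare "- name:" entry is not a valid task
   - name: edit ~wmd/k5login
     shell: echo 'E_wmd@CHOP.EDU' > /home/e_wmd/.k5login

   - name: set owner, group and mode of .k5login
     file: path=/home/e_wmd/.k5login owner=e_wmd group=wmd mode=0644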

To execute this specific playbook:

# ansible-playbook wmd.yml

This effort was required by a lack of consistency in user definition in AD... Often you can fix something faster than the one who owns it... 🙂

Posted in LINUX.



AIX/PowerHA – cannot remove caavg_private disk (change pvid of a disk)

Another chapter in storage migration... Previously XIV delivered all disks. Currently it is VSP. A VSP disk had to replace the caa private disk in order to complete the migration. This process, built around the procedure from one of my previous posts (search this blog for “CAA_FORCE_ENABLED=1”), kept failing, and eventually, being limited by time, all XIV disks were removed from the cluster nodes. The HA ODM still showed the original caa disk’s PVID when queried, and the cluster would not sync or operate...

The PVID from the new caa candidate disk was removed and replaced with the PVID of the original caa disk. Next, both nodes were rebooted, the cluster synced, and peace returned to the cluster!

# lspv
hdisk1          00f660fd7411a5f3              rootvg          active
hdisk0          00f660fdc7e49dad              rootvg          active
hdisk10         00f660fd67ab3d30              lawappqa_vg
hdisk11         00f660fd67ab42ed              lawappqa_vg
hdisk12         00f660f667cb1f64              None
hdisk13         00f660f667cb1e16              None
hdisk14         00f660fd67ab4665              lawappqa_vg
hdisk15         00f660fd67ab4916              lawappqa_vg
hdisk16         00f660f667cb13bf              None
hdisk17         00f660f667cb0f0e              None

The last disk (hdisk17) will be the new caa disk; we will clear its PVID (on all cluster nodes!).

# chdev -l hdisk17 -a pv=clear

The original disk pvid was “00f660fde083fb16”. Now it will be assigned to hdisk17 (done on the primary node).

# perl -e 'print pack("H*","00f660fde083fb16");' >/tmp/pvid
# cat /tmp/pvid | dd of=/dev/hdisk17 bs=1 seek=128
# rmdev -dl hdisk17
# shutdown -Fr

After the reboot (which really was not needed as cfgmgr could be used instead).

# lspv
hdisk1          00f660fd7411a5f3               rootvg          active
hdisk0          00f660fdc7e49dad               rootvg          active
hdisk10         00f660fd67ab3d30               lawappqa_vg
hdisk11         00f660fd67ab42ed               lawappqa_vg
hdisk12         00f660f667cb1f64               None
hdisk13         00f660f667cb1e16               None
hdisk14         00f660fd67ab4665               lawappqa_vg
hdisk15         00f660fd67ab4916               lawappqa_vg
hdisk16         00f660f667cb13bf               None
hdisk2          00f660fde083fb16               caavg_private   active
# /usr/es/sbin/cluster/utilities>./clmgr sync cluster

Notice that hdisk17 has morphed into hdisk2, which is normal. Now, let’s start the cluster and watch it run.

Today, scouting the Web, I found another way of changing the AIX disk PVID token – see below for a neat script (I have not tested it).

#!/usr/bin/ksh
PVID=$1
DISK=$2
set -A a `echo $PVID | \
awk ' {
for (f=1; f <= length($0); f=f+2) { print "ibase=16\nobase=8\n"toupper(substr($0,f,2)) } }' |\
bc 2>/dev/null`
/usr/bin/echo "\0"${a[0]}"\0"${a[1]}"\0"${a[2]}"\0"${a[3]}"\0"${a[4]}"\0"${a[5]}"\0"${a[6]}"\0"${a[7]}"\0\0\0\0\0\0\0\0\c" | dd bs=1 seek=128 of=/dev/$DISK

Posted in LINUX.



Device eth0 does not seem to be present – RHEL7.2

While trying to get the WIFI NIC running on a laptop, its eth0 interface disappeared... Device eth0 does not seem to be present. This host, while built by KickStart, had its NIC labeled as ETH0, which is not the “native” way for RHEL7, so after a while of fruitless efforts I started to look for it under a different name.

To determine the location code of all network devices:

#  lspci | grep -i net
00:19.0 Ethernet controller: Intel Corporation 82567LM Gigabit Network Connection (rev 03)
03:00.0 Network controller: Intel Corporation Ultimate N WiFi Link 5300

To locate these devices:

# cd /sys/class/net
# ls -la
total 0
lrwxrwxrwx  1 root root 0 Sep 28 08:23 docker0 -> ../../devices/virtual/net/docker0
lrwxrwxrwx  1 root root 0 Sep 28 08:13 enp0s25 -> ../../devices/pci0000:00/0000:00:19.0/net/enp0s25
lrwxrwxrwx  1 root root 0 Sep 28 08:13 lo -> ../../devices/virtual/net/lo
lrwxrwxrwx  1 root root 0 Sep 28 08:13 virbr0 -> ../../devices/virtual/net/virbr0
lrwxrwxrwx  1 root root 0 Sep 28 08:13 virbr0-nic -> ../../devices/virtual/net/virbr0-nic
lrwxrwxrwx  1 root root 0 Sep 28 08:13 wls1 -> ../../devices/pci0000:00/0000:00:1c.1/0000:03:00.0/net/wls1

The last listing indicates that eth0 is now called enp0s25.

# cd /etc/sysconfig/*scripts
# mv ifcfg-eth0 ifcfg-enp0s25
# systemctl restart network

This fixes it and the host is again accessible from the “outside” 🙂

Posted in LINUX.


Spacewalk2.2 db password expired

Satellite 2.2 servers started to send mails containing the following text:

Frame initDB in /usr/lib/python2.6/site-packages/spacewalk/server/rhnSQL/__init__.py at line 117
username = spacewalk
e = (28001, 'ORA-28001: the password has expired\n', 'spacewalk@//localhost/spacedb', 'Connection_Connect(): begin session')

It seems that the “spacewalk” user password has expired. Follow the text below to validate it and eventually to change it.

# su - oracle
$ sqlplus / as SYSDBA
SQL> select username, account_status, created, lock_date, expiry_date
 from dba_users
where account_status != 'OPEN';
USERNAME
--------------------------------------------------------------
SPACEWALK
EXPIRED                          12-MAR-16           15-SEP-16

SQL> alter user spacewalk identified by abc123;

SQL> select username, account_status, created, lock_date, expiry_date
 from dba_users
where account_status = 'OPEN';

USERNAME
--------------------------------------------------------------
ACCOUNT_STATUS                   CREATED   LOCK_DATE EXPIRY_DA
-------------------------------- --------- --------- ---------
SPACEWALK
OPEN                             12-MAR-16           25-MAR-17
SQL> bye

Posted in LINUX.



AD/KRB5 authentication issues (unexpected) with RedHat 7.2

For some unknown reason a few freshly added users could not log in to a freshly built RedHat host. Too much fresh? The host has been COBBLER built, so what is going on?
This is what is recorded in /var/log/secure, showing the failed login attempt:

Sep  8 13:57:56 bctpxypl1 sshd[2397]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=fc4dd448d822.ptest.wmd.edu  user=wmduszyk
Sep  8 13:57:56 bctpxypl1 sshd[2397]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=fc4dd448d822.ptest.wmd.edu user=wmduszyk
Sep  8 13:57:56 bctpxypl1 sshd[2397]: pam_krb5[2397]: account checks fail for 'WMDUSZYK@WMD.EDU': user disallowed by .k5login file for 'wmduszyk'
Sep  8 13:57:56 bctpxypl1 sshd[2397]: Failed password for wmduszyk from 10.34.24.10 port 58191 ssh2
Sep  8 13:57:56 bctpxypl1 sshd[2397]: fatal: Access denied for user wmduszyk by PAM account configuration [preauth]
Sep  8 13:59:49 bctpxypl1 su: pam_unix(su-l:session): session closed for user wmduszyk

I am flabbergasted! The host has all the latest patches, and everybody else can log in! After a short search on the web I add a paragraph to /etc/krb5.conf containing the ignore_k5login = true phrase and the login issues are gone!

Here is the file /etc/krb5.conf as it is now.

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = WMD.EDU
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
default_tgs_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
default_tkt_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
permitted_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

[realms]
 WMD.EDU = {
  kdc = KERBEROS.WMD.EDU
  admin_server = KERBEROS.WMD.EDU
 }

[domain_realm]
 wmd.edu = WMD.EDU
 .wmd.edu = WMD.EDU

[appdefaults]
 pam = {
  debug = false
  WMD.EDU = {
   ignore_k5login = true
  }
 }
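
An alternative to switching the check off is to look at what the affected user's .k5login actually lists. The following added example (not part of the original post) compares a principal, as pam_krb5 logs it, with the entries of such a file; the helper name and the sample file are constructed, and the post does not show the real file's contents.

```shell
#!/bin/sh
# Added example, not from the original post. k5login_check is a
# hypothetical name. Assumes one full principal@REALM per line and
# models the .k5login match as exact and case-sensitive.

# Prints one of: no-file, exact, case-mismatch:<entry>, absent
k5login_check() {
    principal=$1 file=$2
    if [ ! -f "$file" ]; then echo no-file; return 0; fi
    want_lc=$(printf '%s' "$principal" | tr '[:upper:]' '[:lower:]')
    result=absent
    while IFS= read -r line || [ -n "$line" ]; do
        # Drop a trailing CR and trailing blanks, skip empty lines
        entry=$(printf '%s' "$line" | tr -d '\r' | sed 's/[[:space:]]*$//')
        if [ -z "$entry" ]; then continue; fi
        if [ "$entry" = "$principal" ]; then result=exact; break; fi
        entry_lc=$(printf '%s' "$entry" | tr '[:upper:]' '[:lower:]')
        if [ "$entry_lc" = "$want_lc" ]; then result="case-mismatch:$entry"; fi
    done < "$file"
    echo "$result"
}

# Constructed demo: the post does not show the real file's contents.
demo=$(mktemp)
printf '%s\n' 'wmduszyk@WMD.EDU' > "$demo"
k5login_check 'WMDUSZYK@WMD.EDU' "$demo"   # prints: case-mismatch:wmduszyk@WMD.EDU
k5login_check 'wmduszyk@WMD.EDU' "$demo"   # prints: exact
rm -f "$demo"
```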

Posted in LINUX.


recovering from san migrations errors, AIX

One AIX host is using XIV storage for its users’ volume groups. The data from these vgs has to be migrated to the disks provided by the HITACHI SAN. This is a trivial task already done and repeated hundreds of times. Get disks from the other SAN, mirror everything, wait for the logical volumes to sync, drop the XIV “mirrors”, remove the XIV disks from the volume groups, remove the XIV drivers, install the HITACHI drivers, reboot and be merry.

Occasionally, the SAN administrator will remove the disks (luns) to migrate from before you can drop the mirrors these disks belong to... Luckily, he does it after the mirrors are already synced...

Reboot – if you do not know what to do next. After a reboot, no user volume group (rootvg has SAS disks) will be able to come on-line (be varied on), even with “force”. But this situation is really not as bad as it looks. Make a note of what disks belong to what volume group, export the vgs and import them back with “force”. The following documents the way out.

# exportvg mksysbvg
# importvg -f -y mksysbvg hdisk3
# exportvg devegate_vg
# importvg -f -y devegate_vg hdisk2
# mount all

The two disks above are the ones from the new SAN (HITACHI).

Posted in LINUX.





Copyright © 2016 - 2017 Waldemar Mark Duszyk. All Rights Reserved. Created by Blog Copyright.