This post is about launching a Docker Compose orchestrated collection of containers as a system service using systemd. I provisioned a VM running Docker (it’s a loooong story but short version: Azure Kubernetes and Azure container services cannot be deployed without public IP addresses, which goes against some of our secure-by-design decisions) using Terraform and Ansible to deploy and configure it. The service it is running is a web application made up of two Docker containers and I have written a Docker Compose file that builds and runs the infrastructure.
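The glue between systemd and Compose is a small unit file. This is a minimal sketch rather than my exact unit: the service name, working directory, and docker-compose path are placeholder assumptions.

```ini
[Unit]
Description=Web application stack (Docker Compose)
Requires=docker.service
After=docker.service network-online.target
Wants=network-online.target

[Service]
# docker-compose detaches after starting the containers, so treat
# start-up as a one-shot action and stay "active" afterwards.
Type=oneshot
RemainAfterExit=yes
WorkingDirectory=/opt/webapp
ExecStart=/usr/local/bin/docker-compose up -d
ExecStop=/usr/local/bin/docker-compose down

[Install]
WantedBy=multi-user.target
```

Dropped into `/etc/systemd/system/webapp.service`, a `systemctl daemon-reload` followed by `systemctl enable --now webapp.service` brings the stack up now and at every boot.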
As I mentioned at the end of yesterday’s TerraForm post, one of the two outstanding tasks with my test setup is to kick off an initial configuration of the VM.
Following on from my last TerraForm post, my next task is to deploy a VM with the tool. This is more complex than it sounds, as a ‘VM’ requires a number of components (network interface, disk) in addition to the VM as well as me wanting to configure it to do some initial boot-strapping on first start.
Since my [post on creating separate EasyBuild development environments](/notes/2021/07/29/setting-up-easybuild-environments.html) I have encountered a piece of software I need to develop some custom EasyBlocks for. My scripts allow this, however my magic module does not initialise the platform-specific installs using a custom EasyBlock source. In order to retain the convenience of architecture-local initialisation on each architecture I modified part of my module.
Following on from my first steps with TerraForm post, this post covers the next steps. This includes external state storage and splitting up the terraform configuration.
These notes document my first steps in using TerraForm to manage Azure infrastructure. This first post is how I brought some existing resources under TerraForm’s management.
Since setting up my Raspberry Pi to boot from a USB SSD, I need to repurpose the SSD I used to set this up. I bought a smaller 240GB SSD to replace it and wanted to copy the existing filesystem over to it rather than reinstall.
One of my current issues is that I do not notice my NextCloud install requires updating until it is no longer supported and the clients stop working with it. I already have Icinga set up as my monitoring solution, so it has been on my to-do list for a while to create a plugin to check the version of my server against the latest release.
At home we have a UPS (an APC Back-UPS BX1400UI) which protects our internet connectivity equipment, core network switch, one server and network-attached storage (NAS) device. The server runs the backup tool (BackupPC) that backs up all of my local and cloud systems, with the backups stored on an iSCSI volume on the NAS (with monthly “off-site” copies).
I switched from Sublime Text, which I have used for many years, to Visual Studio Code (or ‘VS Code’ for short) mainly due to being unhappy with Sublime Text’s new licencing model (which has gone from licences for a particular major version to a subscription model, with a 3 year subscription period). One thing I have missed is Sublime Text’s built-in spell checker but there is a VS Code marketplace extension for that.
This follows on from my post on platform detection with Lmod, using that as a tool from which to create platform-specific builds of software with EasyBuild. This is a long one, as it contains the full setup for getting this running.
Following on from my getting started with Docker on CentOS post, I found that the version of Docker is very old (1.13) and, amongst other things, does not support multi-stage builds, which would allow us to cut down our image size (useful, as the Azure registry charges for data transfer).
Managing software starts getting interesting in High-Performance Computing (HPC) when clusters become heterogeneous. One way to manage this, using a common shared filesystem, is to allow the software management tool to detect the current platform and make the appropriate software available. This post shows how to do this with the Lmod tool.
In order for NFS identity mapping to work across both platforms (Linux and Windows), pending either AD integration or fixing Windows NFS client integration with OpenLDAP server (neither of which is currently in place), we are currently maintaining a passwd file for Windows that maps the Windows identity to the corresponding UID/GID.
This post started, like most of my posts, with me making notes as I went along trying to accomplish a technical task. It quickly became a bit of a rant as I encountered numerous issues with Ansible’s Azure integration.
Further to my post on querying AD with LDAP, to search for users by Windows username or email address one can use these commands:
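The commands are of this shape (a sketch: the server, bind account, and base DN are placeholders for your own environment; `-W` prompts for the bind password):

```shell
# Look up a user by Windows username (sAMAccountName)...
ldapsearch -H ldaps://dc.example.com -D 'binduser@example.com' -W \
    -b 'DC=example,DC=com' '(sAMAccountName=jbloggs)'

# ...or by email address
ldapsearch -H ldaps://dc.example.com -D 'binduser@example.com' -W \
    -b 'DC=example,DC=com' '(mail=joe.bloggs@example.com)'
```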
Every month I produce usage spreadsheets for the HPC service I run. This involves much copying and pasting of data, which I already have a script to export in CSV format, into a bunch of spreadsheets for different people. In total, it takes about 7 hours (essentially a full working day of doing nothing else) to do - this post is taking some of that 7 hours to get the existing script to generate the required spreadsheets directly. This is definitely going to be a case of getting back more time than I invest.
We had a problem with our network a few months ago, in which the router seemed to be running out of capacity to track connections. In order to try and identify the cause, I came up with this snippet that will display the number of currently tracked connections per-host on the Linux router. The first grep limits it to hosts that start ‘192.168.’, which is specific to the part of my network I was interested in:
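The snippet was along these lines; I have wrapped it in a function here so the source file can be swapped out, and the exact conntrack table location is an assumption (it is `/proc/net/nf_conntrack` on my router; `conntrack -L` from conntrack-tools is an alternative source):

```shell
# Count tracked connections per 192.168.x.x source host, busiest first.
# Reading the kernel connection-tracking table usually needs root.
count_tracked() {
    grep -oE 'src=192\.168\.[0-9]+\.[0-9]+' "${1:-/proc/net/nf_conntrack}" \
        | sort | uniq -c | sort -rn
}
```

Each output line is a connection count followed by the source address, so the top line is the host holding the most tracked connections.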
I keep getting this wrong (forgetting the `--pty` option), so all (Slurm users) recite together now:
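For the record, the chant in question (a sketch with partition, account, and resource flags omitted):

```shell
# Allocate a pseudo-terminal so the remote shell is interactive.
srun --pty bash
```

Without `--pty` the shell still launches, but with no terminal attached, so prompts, editors, and job control all misbehave.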
This post describes the process of enabling boot-from-USB and then using a USB disk for booting my Raspberry Pi 4. It was made from notes I jotted down when I did this, over a week ago, so I apologise if it seems a bit disjointed or bulleted.
This post documents my attempt to send traffic from specific local hosts (Sky TV boxes) via my existing VPN connection, whilst retaining direct access to my broadband connection for all other hosts as a workaround to the annoying problems Sky services have when the client is behind a carrier-level network address translation (carrier-grade NAT or CGNAT).
We have a recurring problem with disk space being exhausted on the root filesystem of a system, the root cause of which is gnome-terminal holding open file-handles to very large deleted temporary files in /tmp. I suspect there is a bug in gnome-terminal not closing the handles to its scrollback buffer (possibly only when set to unlimited scrollback, as some users have).
For many years I have run an OpenVPN server on my home router, which provides access to my home network remotely when I am away from home and a private tunnel to my cloud server through which most monitoring and all command-and-control (via SaltStack at the time of writing) take place.
I have been planning to migrate my monitoring to my Raspberry Pi 4 from its current location on a VM, which is fine unless there is a fault with the VM or its host - and that has happened (today, in fact). The monitoring covers these hosts, and it is helpful to know what is going on when there is a problem. My intention is also to shut down the VM host in the event of a power outage (to extend UPS battery runtime), and it would be nice for monitoring to continue during the outage.
For the first time in quite a few years I have been really suffering with hay-fever. The glorious sunshine during peak grass season (which is what causes mine) has sent grass-pollen counts through the roof. This is coupled with me walking our two dogs during peak pollen times, in the mornings and evenings (when the weather is cooler for the dogs), but I have been thinking about whether other factors are at play in my unusually high level of suffering this year. These are my entirely unscientific, layman, musings.
Because I keep ending up looking at my old scripts to refresh myself on how to do this by hand, here’s the recipe for querying AD with ldapsearch.
Decrypt a VNC password file in one-line with nothing but openssl:
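The one-liner relies on VNC’s fixed, publicly known DES key, so the “encryption” is really only obfuscation. This is a sketch from memory (on OpenSSL 3 the single-DES cipher may need the legacy provider enabled):

```shell
# VNC stores the password DES-encrypted under a hard-coded key;
# decrypting with that same key recovers the plaintext password.
openssl enc -des-cbc -d -nopad -nosalt \
    -K e84ad660c4721ae0 -iv 0000000000000000 \
    -in ~/.vnc/passwd && echo
```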
Quick and dirty password generator
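In the same quick-and-dirty spirit, a generator of this shape (my sketch, not necessarily the exact one in the post) pulls bytes from the kernel RNG and keeps only alphanumerics:

```shell
# Print a random alphanumeric password; length is the first
# argument (default 16 characters).
genpw() {
    tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "${1:-16}"
    echo
}
```

Widening the `tr` character set (e.g. adding punctuation) trades memorability for entropy.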
Quick and dirty, how to change the windows password from the command line in an insecure fashion (exposes password on the command-line).
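The command is `net user`, run from an elevated prompt; the username and password here are placeholders. As noted, the new password is visible in plain text on the command line (and in the console history):

```
net user alice N3wP@ssword
```

Running `net user alice *` instead prompts for the password without echoing it, avoiding the exposure.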
Linux has a number of SCSI drivers; many devices are managed by their own driver as well as the `sg` generic driver. Some tools need access to both the device provided by the specific driver (e.g. `sr` for CD/DVD drives) and the generic one - requiring knowledge of which device files correspond to the same physical device to pass through to, e.g., Docker containers.
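The pairing can be recovered with the `lsscsi` tool (from the package of the same name), whose `-g` flag prints the generic node alongside the primary one:

```shell
# List SCSI devices with both device nodes; the final two columns
# pair e.g. /dev/sr0 with its /dev/sg* counterpart.
lsscsi -g
```

If `lsscsi` is not installed, the same relationships can be pieced together from sysfs under `/sys/class/scsi_generic/`.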
Since at least July 2013 (the initial commit in my current Salt configuration repository at home) I have been using SaltStack to orchestrate and configure my systems, including VMs, at home. In the last few years Ansible has grown in popularity and I have recently been looking closely at it due to its integration with Azure; Microsoft includes Ansible in their Azure documentation and Cloud Shell platform.
One of the things we need more of in my new day-job is automation, something we were good at in my previous role. To get started with GitHub Actions I have decided to start with linting in one of my repositories, Slurm Helpers, and this post documents the journey to getting that working.
For nearly 2 years I have been using Let’s Encrypt (like half the tech world) for SSL certificates on my public-facing projects and services. I have decided to try and extend their use to my internal sites too, and do away with running my own certificate authority except for a few niche cases (OpenVPN, for example).
Last night we had a power-cut that lasted approximately 20 minutes, about 5 minutes into which I started my usual routine of manually shutting down systems to shed load (and hence prolong runtime for our broadband infrastructure) from my UPS. At around 15 minutes into the power-cut I started to get a bit twitchy about how much runtime was left on the UPS and finally got around to doing something about it (not the ideal conditions to be setting it up, but a good motivator).
As a stepping stone in migrating a CentOS Linux system from local user management to Active Directory (AD) integration, I set up Kerberos authentication against the AD while retaining local identity information.
I had a need to split DNS resolution on a series of hosts between two DNS servers, one local to the environment and one for global address resolution. In the past I have always used BIND 9 as my go-to DNS server, however for this trivial forwarding task it seemed overkill and a good opportunity to give something lighter-weight a go. So I opted to try Dnsmasq instead.
Related to my previous post on monitoring output, I also needed to provide a script to transfer the output files from the scripts to a remote server. For the same reason (so the researcher can maintain his own scripts), this was written in Python rather than Bash.
Related to my previous post on launching 16 scripts in tmux, I also needed to provide a script to monitor the output files from some scripts and alert if they are not updated. For the same reason (so the researcher can maintain his own scripts), this was written in Python rather than Bash.
I was asked to help write a script to automate launching 16 scripts in a tmux session.
Since migrating BackupPC to a VM I have not been doing off-site backups (since I have been working from home full-time). Today I had to visit the office to retrieve some essential adaptors for my work laptop, and while I was there I grabbed my off-site backup disks. Now I have done this, I need to figure out how to pass the device through to my VM in order to update the oldest backup (which has not been updated since December 2019!).
As part of my migration of core services off the router to VMs I am moving the Omada controller. I have already moved the SaltStack controller and Debian pre-seed web site, but as these were straight-forward migrations of daemons and data I did not write any notes about the process.
Windows 10 does not come with a telnet client (one of the commands I still have to drop into a WSL session for). Today I rectified that by enabling the optional feature.
From my May post, in which I started using PowerShell, I have been using it to do a search I would previously have used a Linux environment for.
Hot on the heels of migrating BackupPC from a bare-metal (router) system to a VM, the next set of services to migrate are my monitoring services. For this I run two separate systems, Icinga2 and Munin. Icinga excels at monitoring and alerting on problems and faults as they happen; Munin provides resource monitoring and graphing that gives a better view of “what just happened to kill our performance?” (quoted from their website) and historic views of the same.
Now that I have deploying VMs sorted I am migrating the first service from my router onto a new VM, my BackupPC server. This should be relatively straightforward as the server set-up is managed in SaltStack and the data resides on an iSCSI volume from my NAS, so configuration and “transfer” should be simple. Should be.
Following the awful time I had setting up a working preseed configuration for the Debian installer, I am exploring the alternative method of pre-building the disk image using debootstrap.
Over the weekend I bought and collected two 8th-generation HPE Microservers. The two I have bought have been upgraded to 16GB of ECC memory and have had their stock processors replaced with E3-1240 v2 processors. They also came with 10GbE cards fitted, although currently I have no infrastructure to make use of these.
To use your own custom backgrounds, drop the background file(s) in `%APPDATA%\Microsoft\Teams\Backgrounds\Uploads` (the `%APPDATA%` variable expands in cmd). They must be PNG files and will just show up in the list of backgrounds to choose from in the user interface.
I have automated monitoring (via Icinga2) of the update status of my various servers, all of which currently run Debian. To date I’ve been using cron to run a daily `apt-get update` (to my mind the obvious solution to “I need it to update daily”), which updates the local package cache, and the monitoring then picks up whether there’s anything to update. While investigating a problem with another cron job yesterday, I noticed messages from the apt-daily and apt-daily-upgrade services and a quick Google revealed that there is a Debian way to do this.
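The “Debian way” turns out to be a pair of systemd timers shipped with apt itself. Assuming a systemd-based Debian, they can be inspected like this:

```shell
# Show the apt timers and when they last ran / next fire.
systemctl list-timers 'apt-daily*'
# Show the timer definitions themselves.
systemctl cat apt-daily.timer apt-daily-upgrade.timer
```

What the triggered jobs actually do (refresh the cache, download or apply upgrades) is controlled by the `APT::Periodic` settings under `/etc/apt/apt.conf.d/`.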
Yesterday I wrote about getting started with PowerShell but in order to make certain things persist, such as aliases, they need to be created each time the shell starts in the “profile” start-up script.
Over the past 6-12 months I have started using a more Microsoft-y environment on Windows, both on my own laptop and work’s. It started with using the bundled Windows OpenSSH client, removing the need for me to launch a Windows Subsystem for Linux (WSL) environment just to ssh to another system. I have also been trying out Microsoft Terminal (yes, it is open source), which was released on Tuesday, and it is a really slick tool - a vast improvement on the old command-line windows and/or PuTTY. Yesterday I switched my default session from (WSL) Debian to PowerShell and have started using it as my main shell environment on Windows.
My Netgear ReadyNAS 214 has two Ethernet ports. It is used as a safe place to store my data as well as hosting an iSCSI target that all my backups are done to (with regular off-site copies made to mitigate against failure or physical damage/loss of the NAS), so some extra bandwidth would not hurt and the web user-interface provides the option to bond them. Since my managed switch also supports bonding, I have decided to do this.
For a very long time I have been running my own Linux-based routers as gateways to the internet. The configuration was set up a very long time ago and has not been revisited, other than to update logins etc., since. I discovered today that there is now a kernel-mode PPPoE module (since 2.4, from what I can gather) that I have missed the arrival of, and a more performant driver for it. As I was monitoring the router due to line-speed problems, I noted that I could see the process `pppoe` appear in top hovering around the 12% CPU mark and wondered if that was expected or not. Googling this led to these changes.
For some systems that I have user accounts on but do not administer, I use Salt SSH (agent-less salt minion) to manage the common user-local files that are managed on the systems I do administer on these systems. I have previously made notes about it.
This post is just pulling together notes I have made whilst researching eGPUs with this laptop. I currently use a Razer Core X Chroma™ with it, which works very well except for issues with USB disconnects, but this seems to be a general problem with USB devices from Windows 7 onwards.
In order to backup my PS3™, in preparation for replacing the hard disk drive with a larger SSD I have lying around my desk, I needed a FAT32 formatted USB disk. Windows 10 will only allow disks larger than 32GB to be formatted as exFAT (or NTFS), which the PS3™ does not support.
On 1st & 2nd February I was fortunate to attend FOSDEM 2020 at Université Libre de Bruxelles, Brussels. While I was there I took part in the event’s keysigning party and now need to sign the keys I verified (only 8 days before the deadline of 30th April!).
Rawlplug’s UNO range are currently my favourite wall plugs: reliable, and I am yet to have any problems with the installation of one. I struggle to find this information, particularly supported screw sizes, when I want to refer to it, so here it is:
Setting up the final piece of the new network puzzle, the wireless access points…
Continuing from yesterday’s work on my new network kit, today I’m starting with configuring the new switch.
This post documents the re-introduction of VLANs to our home network. They were removed in 2018 to solve problems with a 4-year-old WAP and power-line adapters; their replacement means we can move back to a more secure and flexible networking set-up.
Following my last post I’ve been going through my DVD collection and fixing the forced subtitles for the films that have them.
As part of an on-going project to convert my DVD and BluRay collection to a hard-disk based media collection (mainly to save shelf-space and having to keep swapping disks) I’ve encountered a disk that has so-called “forced subtitles” to subtitle some foreign language speech into the viewer’s native language.
In July I replaced my Lenovo ThinkPad x240 with a Dell XPS 13 9370 I impulse bought from the reduced section of John Lewis. Last week I finally got around to installing the new SSD I bought in a Black Friday deal on-line.
Shortly before this time last year I revolutionised my backup infrastructure. This year I finally got around to scripting updating the off-site version.
I had been using my own external hard disk for backing up my work computer, however (despite being 256GB) Time Machine kept complaining it didn't have enough space. Fortunately I also have access to a 3TB network share at work, so here's how I changed my Mac to backup to there instead.
I've started a Mobile App at work using React Native. Obviously this needs testing. This post is about getting started on that process.
After much suffering from the incompetence of Virgin Media we have switched to PlusNet for our broadband provider. Thankfully FTTC has arrived in our neighbourhood so we can, at long last, get more than 300kbps estimated speed down the phone line (although we had to have a new phone line installed, as we did not already have one).
Trying to debug a missing close-paragraph tag somewhere in a 300-line web page, I came across Tidy, which helped with its `-e` flag to report errors and warnings.
To change a Microsoft Active Directory password on your (non-bound) Mac:
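The recipe uses the Kerberos tools bundled with macOS; the realm and username are placeholders, and the Mac must be able to reach the AD domain controllers (e.g. over a VPN):

```shell
# Change the AD password over Kerberos; kpasswd prompts for the
# current password, then the new one.
kpasswd jbloggs@AD.EXAMPLE.COM
```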
I've been playing around with different ways to get graphical applications working in Docker and in the process created some large images.
After my previous post, on installing Docker, I needed to set up my first container. I chose to set up a container for Firefox first, as that required getting a graphical application that also needed sound working.
For a while (~~possibly~~ probably since I installed it) I've had weird graphical glitches on resuming my laptop from deep sleep. Until now I'd settled for rebooting it to fix them, but I went on the hunt for a better solution.
I'm working on digitising some of my DVD collection at the moment, which means creating some pretty large files. Trying to view these over the network to discover what they are is pretty tedious (lots of buffering!), so I've been working on dumping an "index" image file that will helpfully give me enough information to determine what it is without actually loading/playing the file.
I've been using virtual machines (via VirtualBox) for Linux-based testing and development for some time but I've been persuaded that it's high time I joined everyone else and started using containerisation.
Further to my earlier post on automating deployment of my blog I found a small flaw with my method and have decided to fix it.
I sometimes manually install a Debian package, whilst trying to figure out dependencies for something else, and then discover I should have installed a different "parent" package that will pull it in.
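apt can reveal the candidate “parents” before (or after) the fact; `packagename` here is a placeholder:

```shell
# Which packages depend on this one (reverse dependencies)?
apt-cache rdepends packagename
# If aptitude is installed, it can explain why a package is present:
aptitude why packagename
```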
So, I've started a new blog. I think this is my 3rd or 4th blog, although it's the first new one in over 13 years, since I switched to Wordpress in April 2006.
These notes are a bit rough because they have been copied more-or-less directly from my old wiki that was just for my own consumption. They are from when I finally set up Icinga at home. Note that the configuration has moved on substantially since these notes were written, however as it is in a git repository I have not made any more notes or blog posts about it, to date.
For many, many years (at least since 2008) I’ve been using BackupPC to provide backups of my machines, at home and in the cloud. I recently replaced my NAS with one that has a larger capacity (as part of a project to turn my DVD collection into something more convenient to browse and watch) and that NAS has iSCSI support, so I moved my backup solution from a USB attached disk to an iSCSI target and introduced off-site replication of the backup pool for DR purposes.
salt-ssh provides a way to run salt remotely without it being installed on the destination system. This means, for example, that I can use it to manage my user’s dotfiles on the BlueBEAR HPC cluster.
A master-less Salt minion can be used to manage a standalone machine (e.g. my work Linux desktop) or bootstrap any master-controlled minion (or even the master itself) as the salt states will take over management of the minion’s configuration and reconfigure it appropriately on first run.
This content is dumped, almost directly, from my old wiki and includes notes about 3 different iterations of orchestrating my own CA. From newest to oldest. It is a sister page to my notes on using an OpenSSL Certificate Authority.
Using OpenSSL as a Certificate Authority - ported from my old wiki. See also my OpenSSL certificates in a nutshell post for client-level certificate handling.
These notes are a little rough-and-ready, copied more or less directly from my old wiki which was only intended for my consumption.
OpenVPN setup notes - ported from old wiki (unedited).
Salt is a remote execution and configuration management tool that I have been using to manage the many Linux servers and desktops I have. Its state system also replaces some of my notes as a self-documenting machine-readable description of how each item is configured.
I have one TP-LINK TL-SG3210 JetStream 8-Port Gigabit L2 Managed Switch with 2 SFP Slots. Initially I had to connect via serial cable as it defaults to a static IP address of 192.168.0.1, which conflicts with my existing network addressing.
subscribe via RSS