Unfortunately, with_fileglob only works on files local to the Ansible orchestrator host. It will not build a list of files from the remote directory, even if you use something like the copy module that has ‘remote_source: true’. In these situation, you can use the find module to generate a list of files on the remote … Ansible: find module to create glob of remote files
If you need to create a file that has the exact same ownership and permission bits as an existing file, the ‘reference’ flag provides a convenient shortcut. For example, if you had a file named ‘myoriginal’ that had the exact ownership and permissions required for a new file ‘mynewfile’, you could use the commands below … Bash: cloning the ownership and permissions of another file using reference
microk8s is a lightweight Kubernetes deployment by Canonical that is enterprise-grade, yet also compact enough to run on development boxes and edge devices. In this article, I will show you how to deploy a three-node microk8s cluster on Ubuntu nodes that are created using Terraform and a local KVM libvirt provider. Ansible is used for … Kubernetes: microk8s cluster on Ubuntu using Ansible
microk8s is a lightweight Kubernetes deployment by Canonical that is enterprise-grade, yet also compact enough to run on development boxes and edge devices. In this article, I will show you how to deploy a three-node microk8s cluster on Ubuntu nodes that are created using Terraform and a local KVM libvirt provider. This article focuses on … Kubernetes: microk8s cluster on Ubuntu using terraform and libvirt
Terraform is a popular tool for provisioning infrastructure on cloud providers such as EC2 and Azure, but there is also a provider written for local KVM libvirt resources. Using the libvirt provider, we can use standard Terraform constructs to create local VMs, networks, and disks. And unlike older versions of this provider, the plugin binary … KVM: installing Terraform and the libvirt provider for local KVM resources
In a previous article, I showed how to manually setup Alternatives so that different versions of a binary could co-exist on a target machine. In that step-by-step example, we used the Terraform binary as an example, and placed two independent versions in /usr/local/bin, and then set the priority so that terraform14 was preferred. To do … Ansible: Ubuntu alternatives using the community.general collection
Most Git providers-as-a-service have administrative functions for renaming, moving, and even importing repositories from other provider URLs. However, it is also valid to perform these operations manually by repointing the origin and then pushing all commits and tags to a new repository URL. # make sure all changes are pushed first git push # check … Git: cloning a git repository from one location to another
Ansible blocks provide a convenient way to logically group tasks. So it is unfortunate that native Ansible syntax does not allow looping to be combined with a block. Consider the simple conditional block below controlled by a variable ‘do_block_logic’: – name: simple block with conditional block: – name: simple block task1 debug: msg=”hello” – name: … Ansible: implementing a looping block using include_tasks
The legacy method of running crontab jobs from files located at /var/spool/cron (edited using ‘crontab -e’) is slowly giving way to files located in /etc/cron.d. This way of creating a file entry for each job is easily handled by Ansible using the cron module as shown below. – name: Creates a cron file under /etc/cron.d … Ansible: creating a cron.d file for periodic system jobs
One way to implement character padding in Bash is to use printf and substring extraction. This can be especially useful in reports or menu display. Given a $padding variable that contains the maximum length of characters, you can subtract out the length of a display string like below. # length of maximum padding padding=”………………………………..” printf … Bash: using printf to display fixed-width padded string
If you need to expand an encrypted zip file using the Ansible unarchive module, then you will need to provide the password using the ‘extra_opts’ parameter. Per below, make sure you place the “-P” flag as an independent argument to the password. – name: unzip encrypted zip unarchive: src: mysource.zip dest: /remote/path extra_opts: – “-P” … Ansible: unzipping an encrypted file using the unarchive module
Shared infrastructure services for a datacenter are usually deployed on Virtual Machines, but there is a growing opportunity to run these services as containers in a highly-available Kubernetes cluster. I have built a custom image which has a Chrony NTP daemon on a lightweight Alpine image and exposed it as a Service at port 123/udp. … Kubernetes: container for offering NTP as a Service
If you need a lightweight NTP server, an Alpine based container image with a chrony daemon takes up minimal runtime resources and is about 8Mb in size. I have pushed ‘fabianlee/docker-chrony-alpine‘ to docker hub. The run command requires that you specify linux capabilities and a volume for the chrony.conf file, so the easiest way to … Docker: building an ntp server image with Alpine and chrony
WireGuard aims to be the successor to IPsec and more performant than OpenVPN. It is a general purpose VPN that is secure enough for servers, yet light enough to run on embedded devices. In a previous article I described the installation of a WireGuard server with a Windows VPN client. I will extend those instructions … Ubuntu: WireGuard VPN for Ubuntu server, with an iPhone client
WireGuard aims to be the successor to IPsec and more performant than OpenVPN. It is a general purpose VPN that is secure enough for servers, yet light enough to run on embedded devices. In this article, I will show how to install WireGuard on two Ubuntu servers in completely different hyperscalers that are linked by … Ubuntu: site-to-site VPN with WireGuard
Update Sep 2023: Installing ansible-core at user level (not system) with pip Ansible is an agentless configuration management tool that helps operations teams manage installation, patching, and command execution across a set of servers. In this article I’ll describe how to install the latest release of Ansible.
It is relatively straightforward to create a GCP public subnet where the compute instances have access to the public internet via the default internet gateway. But once you start building private subnets behind it, you must start considering firewall, routing, and the NAT gateways required to reach public services. In this article, I will use … Terraform: provisioning GCP servers in both public and private subnets
It is relatively straightforward to create an AWS public subnet where the compute instances have access to the public internet via the default internet gateway. But once you start building private subnets behind it, you must start considering security groups, routing, and the NAT gateways required to reach public services. In this article, I will … Terraform: provisioning AWS servers in both public and private subnets
WireGuard aims to be the successor to IPsec and more performant than OpenVPN. It is a general purpose VPN that is secure enough for servers, yet light enough to run on embedded devices. In this article, I will show how to install WireGuard on an Ubuntu server and then access it using a Windows client. … Ubuntu: WireGuard VPN for Ubuntu servers, with a Windows client
The ‘azurerm‘ Terraform provider allows you to build a Windows server in Microsoft’s Azure hyperscaler. However, in order to use this provisioner, you must first install the Azure CLI. And in line with automation best practices we will use a Service Account (Principal) to create the networks, security rules, and compute instances. When complete, you’ll … Terraform: provisioning an RDP enabled Windows server in Azure
Terraform is a popular tool for provisioning infrastructure on cloud providers such as EC2, Azure, and GCP. If you want to install Teraform on Ubuntu using apt-get, follow HashiCorp’s standard installation document. However, I find that I often need multiple versions for different projects. Find your desired version of the binaries at the Terraform download … Terraform: installing Terraform manually on Ubuntu
Ansible uses ssh to configure its target host inventory, but for on-premise datacenters as well as hyperscalers like EC2/GCP/Azure, the target hosts are often purposely located in deeper private subnets that cannot be reached from the Ansible orchestrator host. One solution is to enable a bastion/jumpbox host that serves as the forwarding host. It sits … Ansible: orchestrating ssh access through a bastion host
If you can conform to a bit of naming convention, one way to easily render template files in Bash is to have the template and bash variables names match. Then you can either use sed or envsubst to do the substitution. For example, here are two variables being defined and then placeholders embedded into the … Bash: render template from matching bash variables
Managing resources in Azure from the command line can be done natively from Ubuntu using the Azure CLI. First, add the prerequisite packages. sudo apt-get update sudo apt-get install ca-certificates curl apt-transport-https lsb-release gnupg -y Then install the Microsoft signing key and add the custom repository. curl -sL https://packages.microsoft.com/keys/microsoft.asc | gpg –dearmor | sudo tee … Azure: installing the Azure CLI on Ubuntu
You can bake a startup script directly into the creation of your GCE compute instance when using Terraform. Although complex post-configuration should be left to tools such as Ansible, essential bootstrap type commands or custom routes for instances in private subnets are reasons why you might need to use this hook. Below is an example … Terraform: invoking a startup script for a GCE google_compute_instance
You can bake a startup script directly into the creation of your EC2 instance when using Terraform. Although complex post-configuration should be left to tools such as Ansible, essential bootstrap type commands or custom routes for instances in private subnets are reasons why you might need to use this hook. Below is an example of … Terraform: invoking a startup script for an EC2 aws_instance
With Ansible, it is possible to have a variable populated with either the content of a remote or local file. For a file on a remote host, you can use the ‘slurp‘ module to put the content into a register, but then you must base64 decode the content. – name: get content of remote file … Ansible: creating a variable from a remote or local file content
In a single Ansible playbook, you may wish to apply some roles to all hosts, while limiting other roles to only certain groups. While it is certainly possible to apply a role to all hosts and then use a ‘when’ to filter down to the desired group like below: – hosts: all gather_facts: yes roles: … Ansible: applying roles to certain groups in a single playbook
If you have multiple terraform projects, it can be necessary to support multiple versions of the terraform binary to match module and provider dependencies. Instead of creating a custom solution of binary copies and links, this can be done using the Alternatives concept which handles these symbolic links in a standard way using links in … Terraform: using update-alternatives to manage multiple terraform binaries
For Ubuntu, there are a couple of ways you can install the linux-headers package matching the kernel version. You can either explicitly specify the version, or use the meta package as shown below. # specify kernel version using subshell sudo apt-get install -y linux-headers-$(uname -r) # OR meta package that auto-matches kernel sudo apt-get install … Ansible: installing linux-headers matching kernel for Ubuntu
In a previous post, I described the Kubernetes Downward API and how it allows us to inject pod/container metadata into our runtime container. In this article, I’ll show how you can read the environment variables and mounted files from inside a containerized GoLang based application.
In a previous post, I described the Kubernetes Downward API and how it allows us to inject pod/container metadata into our runtime container. In this article, I’ll show how you can read the environment variables and mounted files from inside a containerized Python based application.
The Kubernetes Downward API allows a pod to get access to metadata about itself and the cluster without creating a tight coupling to the Kubernetes API. For example, information such as pod name, labels, annotations, IP address, node, and cpu/memory limits can be made available inside the pod. In this article, I’ll show how to … Kubernetes: using the Downward API to access pod/container metadata
In a previous article I discussed the advantages to keeping container images in the private Google Container Registry of a project. And if you have a GKE cluster in the exact same project, then image pulls happen seamlessly without any additional configuration required. However, if the GKE cluster is in a different project than the … GCP: pulling an image from the Container Registry of another project
Docker hub now enforces pull rate limits (since November 2020). And unfortunately, this limit is often reached at critical moments such as upgrades or infrastructure events when bulk pod recreation is happening. One way to avoid this problem is to place your images into an alternate image registry. This could mean a lot of work … GCP: pushing GKE images into gcr.io to avoid pull rate limits
If you are doing a substitution with sed but need to exclude a specific line or pattern, that can be accomplished by prefixing an exclusion and using “!”. For example, to substitute “hello” for “goodbye” in the following content, but to skip any line containing “world”, use syntax like the following: $ sed “/world/! s/hello/goodbye/g” … Bash: sed substitution with an exclusion pattern
If you need to determine the version of the nginx ingress controller deployed, then you can invoke the ingress controller binary with the ‘–version’ flag. But this binary is located in the ingress-nginx-controller pod, so do a ‘kubectl exec’ like below. # show all running nginx ingress pods kubectl get pods -n $ingress_ns -l app.kubernetes.io/name=ingress-nginx … Kubernetes: detecting the installed version of nginx ingress
Pulling the most recent script/file/asset from a remote host may be preferable, but you would like to provide a fallback to a local file just in case the remote pull fails. This is relatively easy to do with Ansible by allowing the remote pull to ‘ignore_errors’ and then doing a local file copy if an … Ansible: preferring a pull from a URL with fallback to a local file
If you are executing gkectl commands that scale or modify your worker nodes and hit a problem, the first place to go is into the gkectl logs. But if you need to dig deeper there are a couple of CRD that can assist in troubleshooting. First, make sure you have executed gkectl with high verbosity … GCP: troubleshooting nodepool replica changes for Anthos on-premise
Once you introduce an istio sidecar proxy into your deployment, it becomes another point at which you might need to troubleshoot network connectivity to the primary container. Assuming you have deployed a pod with an app label “helloworld” in the default namespace listening on port 5000, you can use a command like the following to … Kubernetes: testing pod communication directly from istio sidecar proxy