cyverse / atmosphere-ansible Goto Github PK

As per our hangouts discussion on PR #25 - This is a 'nice to have' that we should address in the near future.

Ubuntu 14.04.2 XFCE Base instance contains both:

Port 1657
Port 22

Should add either lineinfile to remove all entries and add just the desired port for SSH using regex to remove, then add again. Only then SSH can be restarted

Atmosphere-ansible: After initial SSH login, check the total disk usage. if >90% include+run additional playbooks/roles
|---> Examples include:
rm /opt/.tar
rm /opt/.tar.gz
... more to come

If SSH_KEYS_TO_REMOVE is undefined, the task fails. When need to edit the when clause to have task run if the variable is defined.

We no longer need to use iRODS' insecure FTP server: https://files.renci.org/pub/irods/

Roles that should be updated:

• atmo-kanki-irodsclient
• atmo-irods

Once logged in, perform some basic tests

Is Ansible still running? If so, check the ELK server for Ansible deployment logs and check for any deployment errors in the final report.

Need clarification for what to do when ELK is not up and running. @nfaction

I helped triage the following ticket where a user had a desktop, but applications failed to launch. In fact I could not launch applications from the terminal.

I tried the following:

export DISPLAY=<can be :2 for vnc or :5 for guacamole>
export AUTHORITY=<path to Xauthority usually in ~/.Xauthority>

$ firefox 
No protocol specified
Failed to connect to Mir: Failed to connect to server socket: No such file or directory
Unable to init server: Could not connect: Connection refused
Error: cannot open display: :5

When I ran xauth list there were no cookies for the current vm's new ip/hostname. This was the issue. The cookies must match the current hostname. All I had to do was add new cookies. See this well written stackoverflow answer:
https://stackoverflow.com/questions/20611783/after-changing-hostname-gedit-and-other-x-clients-dont-open/20612084#20612084

Some systems have their time set in the future, which causes all sorts of issues. It appears that some suspended instances do not correct. We are reading from hwclock to bring time closer, which appeared to work, but it may instead be necessary to get time from outside, say with curl then set the hwclock using hwclock --systohc. A fix for this was made with issue #30 but without seeing output from ELK is difficult to determine if the curl is working.

One can read the current time like this: hwclock -r

Steps to fix this:

1. Stop ntpd, and be sure to handle errors if ntpd is not already installed
2. Get time from an outside source, like this: date -s "$(curl -s --head http://google.com | grep ^Date: | sed 's/Date: //g')"
3. Sync current time back to HW using system time like this: hwclock --systohc
4. Install NTP
5. Start service

http://superuser.com/questions/635020/how-to-know-current-time-from-internet-from-command-line-in-linux

-bash-3.2# hwclock -s
-bash-3.2# date
Tue Jun 14 22:48:59 MST 2016
-bash-3.2# date -s "14 JUN 2016 15:48:00"
Tue Jun 14 15:48:00 MST 2016

OR

date -s "$(curl -s --head http://google.com | grep ^Date: | sed 's/Date: //g')"

The time update MUST OCCUR BEFORE ntp package install for CentOS systems

AFAIK there is always a symlink for the "proper name" of a timezone that redirects back to the more basic result. Here is an example:

(troposphere) root@r01c3b08:/opt/dev/troposphere# ll /usr/share/zoneinfo/America/Chicago
lrwxrwxrwx 1 root root 13 Oct 20  2015 /usr/share/zoneinfo/America/Chicago -> ../US/Central
(troposphere) root@r01c3b08:/opt/dev/troposphere# ll /usr/share/zoneinfo/US/Central
-rw-r--r-- 1 root root 3559 Oct 20  2015 /usr/share/zoneinfo/US/Central
(troposphere) root@r01c3b08:/opt/dev/troposphere# md5sum /usr/share/zoneinfo/US/Central
d0f076c9f390e7d8a933cc7cc1ad2e90  /usr/share/zoneinfo/US/Central
(troposphere) root@r01c3b08:/opt/dev/troposphere# md5sum /usr/share/zoneinfo/America/Chicago
d0f076c9f390e7d8a933cc7cc1ad2e90  /usr/share/zoneinfo/America/Chicago

Atmosphere-ansible should remove the ZONE_INFO variable and concatenate the TIME_ZONE variable to (A default variable for) ZONE_INFO_DIR.

The sections about playbooks is wrong. The playbooks have been moved into sub directories.

1. A user adds a friend's key to their box in atmosphere
2. User redeploys and see's friend's key
3. Friend goes hostile
4. User removes key from atmosphere and redeploys
5. Friend still has access, and makes user 😞

The following section detects python 3 installs python 2:
https://github.com/cyverse/attmosphere-ansible/blob/0a352c14769e382dd8eb7928bb3294fdf97186a1/ansible/roles/atmo-ssh-setup/tasks/main.yml#L57-L68

However it doesn't detect python 3 correctly. Testing whether a user has ssh is not sufficient. @c-mart found that an Ubuntu 16.04 instance had ssh access as root, which resulted in no python2 install.

A simple fix (and what seems more correct) is to ensure that python 2 independent even of the distro.

/etc/sudoers

my_username  ALL = (ALL) NOPASSWD: ALL
%users ALL=(ALL) NOPASSWD: ALL
my_username ALL=(ALL) NOPASSWD:ALL
my_username  ALL=(ALL) ALL

This probably could be solved with a blockinfile.

The script that is deployed and available for backup/restore is using /bin/basename instead of locating the basename executable. This means that a change for basename to /usr/bin/basename breaks the script.

For an Ubuntu 16.04 instance ...

lenards@vm000-00:~$ ls -lha /bin/ | grep basename
lenards@vm000-100:~$ ls -lha /usr/bin/ | grep basename
-rwxr-xr-x  1 root   root     31K Mar  2  2017 basename
lenards@vm000-100:~$ ls -lha /sbin/ | grep basename

One approach might be to capture the location in a variable, BASENAME=$(which basename), and then use that in determined the remote location.

Will need to stop service and possible HUP the process.

denypid=$(pgrep -f "python /usr/sbin/denyhosts" | xargs)
echo "Found running pids: $denypid"
echo "Killing those processes now..."
for i in $denypid;do
    kill -HUP $i
done

Otherwise network filesystems mounted in home directory will cause instance resume to fail catastrophically. Not even mentioning breaking file permissions on remote network file systems.