Uly.me – cloud engineer

Ansible Run Commands

August 2, 2020

Typically you will run Ansible using playbooks, just like the playbook that I ran from the previous post to patch a bunch of servers all at once. In addition to running playbooks, you can also run single ad hoc commands to a server or to a group of servers. Below are a few examples of that.

First, here’s my /etc/ansible/hosts file.

[servers]
server1
server2
[webservers]
server3
server4
[appservers]
server5
server6
[dbservers]
server7
server8

Here are the commands.

ansible servers -m ping
ansible webservers -m command -a "df -h"
ansible appservers -m command -a "crontab -l"
ansible dbservers -m command -a "cat /etc/hosts"
ansible all -m command -a "cat /etc/passwd"
ansible webservers -m command -a "systemctl status apache2"
ansible appservers -m command -a 'uptime'

The first command runs ping on server1 and server2. The second command displays disk information of server3 and server4. The third command displays the crontab of server5 and server6, and so on and on. You get the drift.

Ansible Update Playbook

August 1, 2020

I have an Ansible playbook that will patch all Ansible clients defined in the Ansible hosts file. The following are contents of my hosts file, and the update playbook.

File: /etc/ansible/hosts

[all:vars]
ansible_user='ubuntu'
ansible_become=yes
ansible_become_method=sudo
ansible_python_interpreter='/usr/bin/env python3'
[servers]
server1
server2
server3
[servers:vars]
ansible_python_interpreter=/usr/bin/python3

File: /etc/ansible/update.yml

---
- hosts: servers
  become: true
  become_user: root
  tasks:
    - name: Update apt repo and cache on all Debian/Ubuntu boxes
      apt: update_cache=yes force_apt_get=yes cache_valid_time=3600

    - name: Upgrade all packages on servers
      apt: upgrade=dist force_apt_get=yes

    - name: Check if a reboot is needed on all servers
      register: reboot_required_file
      stat: path=/var/run/reboot-required get_md5=no

    - name: Reboot the box if kernel updated
      reboot:
        msg: "Reboot initiated by Ansible for kernel updates"
        connect_timeout: 5
        reboot_timeout: 300
        pre_reboot_delay: 0
        post_reboot_delay: 30
        test_command: uptime
      when: reboot_required_file.stat.exist

Here’s how I run my Ansible update playbook.

ansible-playbook -i /etc/ansible/hosts /etc/ansible/update.yml

The advantage of using Ansible is, I can run a single playbook to update dozens of servers. It’s also a great tool for rolling out software as well as executing commands to a group of servers.

Center Search Widget

August 1, 2020

Here’s how to center the Search widget in a WordPress Page or a post. This applies only if you’re using the default Search Widget. Div classes may vary based on theme being used. The CSS example below may not work for your theme. Check your theme’s source code to be sure.

.entry-content .wp-block-search {
  display:block;
  margin-left:auto;
  margin-right:auto;
  text-align: center;
}
.entry-content .wp-block-search label {
  display:none;
}
.entry-content .wp-block-search input {
  width:250px;
}

The CSS above centers the search block. It suppresses the search label, and finally sets the form’s input to a fixed width of 250px.

AWS IAM MFA

July 28, 2020

Here’s how to give AWS IAM users the ability to manage their own (MFA) Multi Factor Authentication. MFA makes your AWS console secure. AWS IAM users will be able to turn on MFA, using virtual devices such as Google Authenticator to secure their cloud accounts. Here’s the policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowViewAccountInfo",
      "Effect": "Allow",
      "Action": "iam:ListVirtualMFADevices",
      "Resource": "*"
    },
    {
      "Sid": "AllowManageOwnVirtualMFADevice",
      "Effect": "Allow",
      "Action": [
        "iam:CreateVirtualMFADevice",
        "iam:DeleteVirtualMFADevice"
      ],
      "Resource": "arn:aws:iam::*:mfa/${aws:username}"
    },
    {
      "Sid": "AllowManageOwnUserMFA",
      "Effect": "Allow",
      "Action": [
        "iam:DeactivateMFADevice",
        "iam:EnableMFADevice",
        "iam:ListUsers",
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:ResyncMFADevice"
      ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    }
  ]
}

AWS IAM Self Manage Policy

July 28, 2020

Here’s the permission needed for an AWS user to manage their own IAM account. The policy allows them to view their own account information, change their own passwords, rotate access keys and certificates, and manage their own git credentials.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowViewAccountInfo",
            "Effect": "Allow",
            "Action": [
                "iam:GetAccountPasswordPolicy",
                "iam:GetAccountSummary"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowManageOwnPasswords",
            "Effect": "Allow",
            "Action": [
                "iam:ChangePassword",
                "iam:GetUser"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnAccessKeys",
            "Effect": "Allow",
            "Action": [
                "iam:CreateAccessKey",
                "iam:DeleteAccessKey",
                "iam:GetAccessKeyLastUsed",
                "iam:ListAccessKeys",
                "iam:UpdateAccessKey"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnSigningCertificates",
            "Effect": "Allow",
            "Action": [
                "iam:DeleteSigningCertificate",
                "iam:ListSigningCertificates",
                "iam:UpdateSigningCertificate",
                "iam:UploadSigningCertificate"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnSSHPublicKeys",
            "Effect": "Allow",
            "Action": [
                "iam:DeleteSSHPublicKey",
                "iam:GetSSHPublicKey",
                "iam:ListSSHPublicKeys",
                "iam:UpdateSSHPublicKey",
                "iam:UploadSSHPublicKey"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnGitCredentials",
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceSpecificCredential",
                "iam:DeleteServiceSpecificCredential",
                "iam:ListServiceSpecificCredentials",
                "iam:ResetServiceSpecificCredential",
                "iam:UpdateServiceSpecificCredential"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        }
    ]
}

{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowViewAccountInfo", "Effect": "Allow", "Action": [ "iam:GetAccountPasswordPolicy", "iam:GetAccountSummary" ], "Resource": "*" }, { "Sid": "AllowManageOwnPasswords", "Effect": "Allow", "Action": [ "iam:ChangePassword", "iam:GetUser" ], "Resource": "arn:aws:iam::*:user/${aws:username}" }, { "Sid": "AllowManageOwnAccessKeys", "Effect": "Allow", "Action": [ "iam:CreateAccessKey", "iam:DeleteAccessKey", "iam:GetAccessKeyLastUsed", "iam:ListAccessKeys", "iam:UpdateAccessKey" ], "Resource": "arn:aws:iam::*:user/${aws:username}" }, { "Sid": "AllowManageOwnSigningCertificates", "Effect": "Allow", "Action": [ "iam:DeleteSigningCertificate", "iam:ListSigningCertificates", "iam:UpdateSigningCertificate", "iam:UploadSigningCertificate" ], "Resource": "arn:aws:iam::*:user/${aws:username}" }, { "Sid": "AllowManageOwnSSHPublicKeys", "Effect": "Allow", "Action": [ "iam:DeleteSSHPublicKey", "iam:GetSSHPublicKey", "iam:ListSSHPublicKeys", "iam:UpdateSSHPublicKey", "iam:UploadSSHPublicKey" ], "Resource": "arn:aws:iam::*:user/${aws:username}" }, { "Sid": "AllowManageOwnGitCredentials", "Effect": "Allow", "Action": [ "iam:CreateServiceSpecificCredential", "iam:DeleteServiceSpecificCredential", "iam:ListServiceSpecificCredentials", "iam:ResetServiceSpecificCredential", "iam:UpdateServiceSpecificCredential" ], "Resource": "arn:aws:iam::*:user/${aws:username}" } ] }

Change Default Editor

July 28, 2020

Ubuntu and Linux Mint use nano as their default editor. You’ll see it if you try to edit crontab or visudo. Now, there’s nothing wrong with nano, but I prefer using vim instead. Here’s how to change the default editor.

sudo update-alternatives --config editor

You’ll be prompted to change the default editor.

There are 4 choices for the alternative editor (providing /usr/bin/editor).
 
  Selection    Path                Priority   Status
------------------------------------------------------------
  0            /bin/nano            40        auto mode
  1            /bin/ed             -100       manual mode
  2            /bin/nano            40        manual mode
* 3            /usr/bin/vim.basic   30        manual mode
  4            /usr/bin/vim.tiny    15        manual mode
 
Press <enter> to keep the current choice[*], or type selection number:

Type 3 to choose vim basic.