ameir dot net – Page 2 – My notes for you to see

Disable/Enable GlobalProtect on OS X

Posted on May 29, 2015 by

Ameir Abdeldayem Posted in Tech Corner — 1 Comment ↓

Sometimes I need to download big ISOs or other large files onto my work laptop, but GlobalProtect forces me to do so via the VPN. In order to speed things up and use my local network connection, I need to disable the VPN, but I cannot do so due to restrictions (it asks for a ticket ID).

Anything’s possible in Unix, so here’s how you force it:

# disable
launchctl remove com.paloaltonetworks.gp.pangps

1 2	# disable launchctl remove com.paloaltonetworks.gp.pangps

# enable
launchctl load /Library/LaunchAgents/com.paloaltonetworks.gp.pangps.plist

1 2	# enable launchctl load /Library/LaunchAgents/com.paloaltonetworks.gp.pangps.plist

If this is against IT policy at your company, don’t blame me 🙂 .

Here’s a script you can use to make this easy to toggle:

#!/bin/bash

function up() {
  launchctl load /Library/LaunchAgents/com.paloaltonetworks.gp.pangps.plist
}

function down() {
  launchctl remove com.paloaltonetworks.gp.pangps
}

case $1 in

up)
echo "gp up"
up
  ;;
down)
echo "gp down"
down
  ;;
*)
  echo "'$1' is not a valid verb.  The only valid verbs are 'up' and 'down'."
  exit 1
  ;;
esac

#!/bin/bash

function up() {

launchctl load /Library/LaunchAgents/com.paloaltonetworks.gp.pangps.plist

}

function down() {

launchctl remove com.paloaltonetworks.gp.pangps

}

case $1 in

up)

echo "gp up"

;;

down)

echo "gp down"

down

;;

echo "'$1' is not a valid verb. The only valid verbs are 'up' and 'down'."

exit 1

;;

esac

Get nameservers from resolv.conf with Ruby

Posted on April 22, 2015 by

Ameir Abdeldayem Posted in Tech Corner — No Comments ↓

I’m a big user of Chef, but was bummed when I couldn’t find any resolver information in Ohai data. I needed to make some changes to an nginx config to use resolver, but wanted to use the resolver that’s already on the host (since nginx doesn’t inherit that for dynamic backends). Anyway, after a lot of doc reading that led me nowhere, I dug into the source of resolv.rb, and tried about 100 different things until I found something that worked:

require 'resolv'
Resolv::DNS::Config.new.lazy_initialize.nameserver_port

1 2	require 'resolv' Resolv::DNS::Config.new.lazy_initialize.nameserver_port

This will give you an array of all your nameservers in resolv.conf, like:

[["8.8.8.8", 53], ["8.8.4.4", 53], ["4.2.2.1", 53], ["4.2.2.2", 53]]

1	[["8.8.8.8", 53], ["8.8.4.4", 53], ["4.2.2.1", 53], ["4.2.2.2", 53]]

In Chef, you can easily iterate over this and use as needed. If you want just the nameservers (without the ports), then you can use:

Resolv::DNS::Config.new.lazy_initialize.nameserver_port.map{|n| n[0]}

1	Resolv::DNS::Config.new.lazy_initialize.nameserver_port.map{\|n\| n[0]}

I hope that helps!

Run multiple ssh commands in parallel with GNU Parallel

Posted on April 21, 2015 by

Ameir Abdeldayem Posted in Linux Luvin' — 2 Comments ↓

Every true sysadmin has been in this predicament — “I need to run this command on a bunch of machines.” The typical approach is to create a for loop, and run the command serially. This works well, but if a) you have tons of hosts, or b) the command takes a while to run on each machine, you may be looking for something a bit more efficient.

Here’s an example that gets a list of hosts using aws-cli, and restarts httpd on them. In your case, update the command and key path as needed.

HOSTS=`aws ec2 describe-instances --filters "Name=tag:env,Values=production" "Name=tag:Name,Values=web-frontend" --query "Reservations[].Instances[].PublicDnsName" --region "us-east-1" | jq -r .[]`
echo -n $HOSTS | parallel -vv --gnu -j +3 -d " " -I HOST "ssh -i ~/my-key.pem -l root HOST 'service httpd restart'"

HOSTS=`aws ec2 describe-instances --filters "Name=tag:env,Values=production" "Name=tag:Name,Values=web-frontend" --query "Reservations[].Instances[].PublicDnsName" --region "us-east-1" | jq -r .[]`

echo -n $HOSTS | parallel -vv --gnu -j +3 -d " " -I HOST "ssh -i ~/my-key.pem -l root HOST 'service httpd restart'"

Elasticsearch cluster administration notes

Posted on January 11, 2015 by

Ameir Abdeldayem Posted in Linux Luvin' — No Comments ↓

If a replica shard is in an INITIALIZATION state and the primary shard is healthy, then the shard is being replicated from the primary to the replica. You can use the cat API to get this state:

$ curl '0:9200/_cat/shards'
prod_article_index  0 p STARTED      13708596 55.2gb 192.168.27.181 es-a05.mycompany.com
prod_article_index  0 r INITIALIZING                 192.168.25.158 es-a04.mycompany.com
prod_article_index  1 r INITIALIZING                 192.168.25.158 es-a04.mycompany.com
prod_article_index  1 p STARTED      13710169   55gb 192.168.11.214 es-m04.mycompany.com

$ curl '0:9200/_cat/shards'

prod_article_index 0 p STARTED 13708596 55.2gb 192.168.27.181 es-a05.mycompany.com

prod_article_index 0 r INITIALIZING 192.168.25.158 es-a04.mycompany.com

prod_article_index 1 r INITIALIZING 192.168.25.158 es-a04.mycompany.com

prod_article_index 1 p STARTED 13710169 55gb 192.168.11.214 es-m04.mycompany.com

Now, we have no clue from this view what progress has been made, if any. On large shards, it may even look like things are frozen. How do we gain insight into what is happening? Well, thankfully, there’s a status page which is called like so:

$ curl '0:9200/my_index/_recovery?pretty=true'
...
      "index" : {
        "files" : {
          "total" : 516,
          "reused" : 0,
          "recovered" : 468,
          "percent" : "90.7%"
        },
        "bytes" : {
          "total" : 59067844341,
          "reused" : 0,
          "recovered" : 29729874095,
          "percent" : "50.3%"
        },
        "total_time_in_millis" : 0
      },
...

$ curl '0:9200/my_index/_recovery?pretty=true'

...

"index" : {

"files" : {

"total" : 516,

"reused" : 0,

"recovered" : 468,

"percent" : "90.7%"

"bytes" : {

"total" : 59067844341,

"reused" : 0,

"recovered" : 29729874095,

"percent" : "50.3%"

"total_time_in_millis" : 0

...

Queue size reached

$ curl '0:9200/_cat/thread_pool?v'
host                       ip           bulk.active bulk.queue bulk.rejected index.active index.queue index.rejected search.active search.queue search.rejected
es-m05.mycompany.com 192.168.9.141            0          0             0            0           0              0             0            0               0
es-a04.mycompany.com 192.168.25.158           0          0             0            0           0              0             0            0               0
es-a05.mycompany.com 192.168.27.181           0          0             0            0           0              0             1            0           83425
es-m04.mycompany.com 192.168.11.214           0          0             0            0           0              0             1            0           77815

$ curl '0:9200/_cat/thread_pool?v'

host ip bulk.active bulk.queue bulk.rejected index.active index.queue index.rejected search.active search.queue search.rejected

es-m05.mycompany.com 192.168.9.141 0 0 0 0 0 0 0 0 0

es-a04.mycompany.com 192.168.25.158 0 0 0 0 0 0 0 0 0

es-a05.mycompany.com 192.168.27.181 0 0 0 0 0 0 1 0 83425

es-m04.mycompany.com 192.168.11.214 0 0 0 0 0 0 1 0 77815

To increase your queue size, you can add the following to elasticsearch.yml. Replace “bulk” and “search” with the appropriate thread pool name, along with a reasonable value. You can find the list of those at http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/modules-threadpool.html .

threadpool.bulk.queue_size: 3000
threadpool.search.queue_size: 3000

1 2	threadpool.bulk.queue_size: 3000 threadpool.search.queue_size: 3000

Installing OpenVZ templates in Proxmox

Posted on January 11, 2015 by

Ameir Abdeldayem Posted in Linux Luvin' — No Comments ↓

Promox has built-in support for installing templates, but they’re pretty outdated and not well-maintained. openvz.org, on the other hand, regularly updates their templates, and has a wide selection to choose from.

In order to make these templates available for use in Proxmox, it’s simple. Get the links for the templates you’d like from the link above, and download them like:

cd /var/lib/vz/template/cache/
wget http://download.openvz.org/template/precreated/ubuntu-14.04-x86_64-minimal.tar.gz \
  http://download.openvz.org/template/precreated/centos-7-x86_64-minimal.tar.gz

cd /var/lib/vz/template/cache/

wget http://download.openvz.org/template/precreated/ubuntu-14.04-x86_64-minimal.tar.gz \

http://download.openvz.org/template/precreated/centos-7-x86_64-minimal.tar.gz

All of the links were placed together with one wget command, but you could also do a wget for each template.

You will now see the templates in your local storage. Note that if you use alternate storage (e.g. GlusterFS), you’ll need to update the template path above accordingly.

IMAP Append – Message contains bare newlines

Posted on January 11, 2015 by

Ameir Abdeldayem Posted in Linux Luvin' — No Comments ↓

The Cyrus IMAP server (which is used by FastMail, FYI), is pretty picky when it comes to enforcing RFCs. When performing a recent email migration (from Zoho, which is less picky), I got a boatload of errors along the way.

With each of my messages as individual files (downloaded as “RFC822” in raw IMAP speak), the following cleaned it up:

perl -i'.bak' -pe 's/\s+$/\r\n/g' ./*.eml

1	perl -i'.bak' -pe 's/\s+$/\r\n/g' ./*.eml

Although you can use sed as well, the command is not the prettiest due to the way it works with lines.

To be more thorough, this is what I ultimately placed in my PHP-based migration script:

// For FastMail and Cyrus, if the header ends in just \n (not \r\n) then we make it \r\n
$message = preg_replace("/(?<!\r)\n+/m", "\r\n", $message);

1 2	// For FastMail and Cyrus, if the header ends in just \n (not \r\n) then we make it \r\n $message = preg_replace("/(?<!\r)\n+/m", "\r\n", $message);

Create multiple Proxmox containers via script

Posted on January 11, 2015 by

Ameir Abdeldayem Posted in Linux Luvin' — No Comments ↓

There are times when I need to create a number of OpenVZ containers in Proxmox at once, which would take way too long via the user interface. There are a number of ways to accomplish this programmatically, but the most straightforward (assuming you have root access) is via pvectl .

Below is an example script which creates identical containers. Adjust the container IDs to ones that are available, as well as any other parameters you need. If you need more advanced options, the man page can be found at https://pve.proxmox.com/wiki/Pvectl_manual .

TEMPLATE_PATH="/var/lib/vz/template/cache/ubuntu-14.04-x86_64-minimal.tar.gz"
IP_PREFIX="192.168.4."
HOSTNAME_SUFFIX=`hostname -f`
MEMORY_SIZE=2048
SWAP_SIZE=2048
DISK_SIZE=40
CPU_COUNT=2
for CTID in 100 101 102; do
	CMD="pvectl create ${CTID} ${TEMPLATE_PATH} -ip_address=${IP_PREFIX}${CTID} -onboot 1 \
-hostname v${CTID}-${HOSTNAME_SUFFIX} -cpus ${CPU_COUNT} -memory=${MEMORY_SIZE} -swap=${SWAP_SIZE} -disk=${DISK_SIZE}"
	echo "Running '${CMD}'..."
	$CMD
done

TEMPLATE_PATH="/var/lib/vz/template/cache/ubuntu-14.04-x86_64-minimal.tar.gz"

IP_PREFIX="192.168.4."

HOSTNAME_SUFFIX=`hostname -f`

MEMORY_SIZE=2048

SWAP_SIZE=2048

DISK_SIZE=40

CPU_COUNT=2

for CTID in 100 101 102; do

CMD="pvectl create ${CTID} ${TEMPLATE_PATH} -ip_address=${IP_PREFIX}${CTID} -onboot 1 \

-hostname v${CTID}-${HOSTNAME_SUFFIX} -cpus ${CPU_COUNT} -memory=${MEMORY_SIZE} -swap=${SWAP_SIZE} -disk=${DISK_SIZE}"

echo "Running '${CMD}'..."

$CMD

done

Your output will be something like:

Running 'pvectl create 100 /var/lib/vz/template/cache/ubuntu-14.04-x86_64-minimal.tar.gz -ip_address=192.168.4.106 -onboot 1 -hostname v100.my-proxmox-host.com -memory=2048 -swap=2048 -disk=40'...
Creating container private area (/var/lib/vz/template/cache/ubuntu-14.04-x86_64-minimal.tar.gz)
Performing postcreate actions
CT configuration saved to /etc/pve/openvz/100.conf
Container private area was created

Running 'pvectl create 100 /var/lib/vz/template/cache/ubuntu-14.04-x86_64-minimal.tar.gz -ip_address=192.168.4.106 -onboot 1 -hostname v100.my-proxmox-host.com -memory=2048 -swap=2048 -disk=40'...

Creating container private area (/var/lib/vz/template/cache/ubuntu-14.04-x86_64-minimal.tar.gz)

Performing postcreate actions

CT configuration saved to /etc/pve/openvz/100.conf

Container private area was created

rsync to multiple hosts in parallel

Posted on November 27, 2014 by

Ameir Abdeldayem Posted in Linux Luvin' — No Comments ↓

_HOSTS="host1 host2 host3 host4"
echo -n $_HOSTS | parallel -vv --gnu -j +3 -d " " -I HOST "rsync -crlvz -e 'ssh -p 22' --stats --progress --exclude '.git*' . user@HOST:$TARGET_DIR"

1 2	_HOSTS="host1 host2 host3 host4" echo -n $_HOSTS \| parallel -vv --gnu -j +3 -d " " -I HOST "rsync -crlvz -e 'ssh -p 22' --stats --progress --exclude '.git*' . [email protected]:$TARGET_DIR"

Enable XHProf for WordPress

Posted on April 21, 2014 by

Ameir Abdeldayem Posted in Tech Corner — No Comments ↓

sudo yum install php-pecl-xhprof graphviz

1	sudo yum install php-pecl-xhprof graphviz

You’ll now need to have this module loaded in PHP; this varies depending on which handler you use:

sudo service restart php-fpm # if you're using PHP-FPM/FastCGI
sudo service restart httpd # if you're using mod_php

1 2	sudo service restart php-fpm # if you're using PHP-FPM/FastCGI sudo service restart httpd # if you're using mod_php

cd into wp-content/plugins

git clone https://github.com/Upstatement/xhprof-for-wordpress.git

1	git clone https://github.com/Upstatement/xhprof-for-wordpress.git

In wp-config.php:

define('PROFILE', true);

1	define('PROFILE', true);

In your admin dashboard, enable “WP XHProf Profiler” from the plugins section.

You will have “Profiler output” links at the very bottom of your page that’ll show you XHProf output.

Migrating from one Chef server to another

Posted on April 20, 2014 by

Ameir Abdeldayem Posted in Linux Luvin' — 7 Comments ↓

It happens — you’re on a server that just can’t be upgraded any further, and you need more resources. Or, you need to backup a Chef server. Or, you need to setup a QA instance. Or, you need to finally migrate from Chef 10 to Chef 11. Or, you have one of many other possible reasons, but you need to be able to stand up a new Chef instance, and not have to do a ton of work. If any of that applies to you, then this post is for you.

In the case where you’re migrating from one Chef server to another (i.e., the old one is going bye-bye), it would be very helpful to have your Chef server be CNAMEd (e.g. chef.company.com -> vm101.iad.company.com) or behind a load balancer/proxy where you can change targets easily. That way, you won’t need to update the client configs, and it’ll be an easy swap. Everything should “just work” ™.

First, we’ll make a copy of your knife.rb:

cp -a ~/.chef/knife{,-orig}.rb

1	cp -a ~/.chef/knife{,-orig}.rb

Now, we’ll need to get access to your new Chef server via knife. You can do so by logging in as admin, and regenerating and saving a new private key. You can also create a new user here instead of using admin, but I advise against this, as any user you create will conflict with users of the same name from the old server. Yes, that means that if you’ve been using ‘admin’ as the main user, you may run into problems (but let’s just hope that you’ve been using per-person accounts).

Now, we’ll update your current knife.rb to reflect the new node information in it:

...
node_name                'admin'
client_key               '/Users/user/.chef/new-server-admin.pem'
chef_server_url          'https://vm102.iad.company.com'
...

...

node_name 'admin'

client_key '/Users/user/.chef/new-server-admin.pem'

chef_server_url 'https://vm102.iad.company.com'

...

It wouldn’t hurt to check that you have access to the new node by doing a knife user list .

Now, we’ll need to download all of the data from the “old” Chef server. To do so, we’ll be using the nifty ‘knife backup‘ plugin. To get it installed on OS X, I did:

sudo gem install knife-backup

1	sudo gem install knife-backup

Now, to finally back things up, we’ll do:

knife backup export -D ~/chef-backup/ -c ~/.chef/knife-orig.rb

1	knife backup export -D ~/chef-backup/ -c ~/.chef/knife-orig.rb

Note that the argument after -D is the destination directory where all of the Chef data will go; this directory will automatically be created for you. The argument of -c tells knife which config file to use; we’ll, of course, be using the “old” server here. Also, if you only need to backup a certain set of data from your Chef server (e.g. only users and environments), you can specify that. See the knife backup documentation for details.

Now that we have all the data we need, we’ll need to push it up to the new server. This works much the same as the export:

knife backup restore -D ~/chef-backup

1	knife backup restore -D ~/chef-backup

I left off the -c here because knife.rb is the default config file.

Once everything has been restored, your original user in Chef will now be available (you can verify this via the Chef Server UI). The amazing thing is that your keys have not changed, and can be used as-is. Chef Server keeps track of your public keys, so all of your private keys for all nodes/clients are still good.

This, now, is where you update your knife.rb to reflect your original user settings. If you’re running behind a load balancer/proxy, you can simply use your original config as-is after replacing the old server with the new one. If you’re doing the CNAME/A record route, you can do the same once DNS has propagated. Otherwise, you can overwrite your new config with your old one, and edit it to reflect the new server’s URL.

If your nodes are pointing to the wrong server in their client.rb, you can use knife ssh with sed to find/replace the server URLs.

If you’ll be accessing multiple Chef servers frequently enough, I highly recommend looking at the knife block plugin. That way, you can switch between different configurations with ease, including those for Berkshelf.

Disable/Enable GlobalProtect on OS X

Get nameservers from resolv.conf with Ruby

Run multiple ssh commands in parallel with GNU Parallel

Elasticsearch cluster administration notes

Installing OpenVZ templates in Proxmox

IMAP Append – Message contains bare newlines

Create multiple Proxmox containers via script

rsync to multiple hosts in parallel

Enable XHProf for WordPress

Migrating from one Chef server to another

Recent Posts

Recent Comments