Ansible : rolling upgrades or updates.

Making a change to live servers in production is something which has to be done with extreme care and planning. Several deployment types such as blue/green, canary, rolling update are in use today to minimize user impact. Ansible can be used to orchestrate a zero-downtime rolling change to a service.

A typical upgrade of an application, such as patching, might go like this –

1. disable monitoring alerts for a node
2. disable or pull out from load balancer
3. make changes to server
4. Reboot node
5. wait for node to be UP and do sanity check
6. put node back to load balancer
7. turn on monitoring of node

Rinse and repeat.

Ansible would be a great choice in orchestrating above steps. Let us start with an inventory of web servers, a load balancer and a monitoring node with nagios –

[webservers]
web1.example.net
web2.example.net
web3.example.net
web4.example.net
web5.example.net

[balancer]
haproxy.example.net

[monitoring]
nagios.example.net

The web servers are running apache2, and we will patch apache and the kernel. For the patch to take effect, the servers need to be recycled. We will perform the patching one node at a time, wait for the node to be healthy and go to the next. The first portion of our playbook would be something like this –

---
- hosts: webservers
  serial: 1

  pre_tasks:
  - name: Stop apache service
    service: name=httpd state=stopped

  tasks:
  - name: update apache
    yum: name=httpd state=latest
  - name: Update Kernel
    yum: name=kernel state=latest
  - name: Reboot server
    shell: /sbin/reboot -r +1

  post_tasks:
  - name: Wait for webserver to come up
    wait_for: host={{ inventory_hostname }} port=80 state=started delay=65 timeout=300
    delegate_to: 127.0.0.1

I haven’t included the playbook tasks for disabling/enabling monitoring as well as removing/adding node to the load balancer. The procedures might differ depending on what type of monitoring system or load balancer technology you are using. In addition to this, the sanity check show is a simple port 80 probing, in reality a much more sophisticated validation can be done.

References –

http://docs.ansible.com/ansible/latest/playbooks_delegation.html

http://docs.ansible.com/ansible/latest/guide_rolling_upgrade.html

Getting started with Google Cloud Platform(GCP)

Google provides the same cloud services as other cloud providers such as Amazon Web Services(AWS) and Microsoft (Azure). It refers it as Google Cloud Platform or GCP. You can easily get started by signing up for free – https://cloud.google.com/free/

List of all products provided in GCP – https://cloud.google.com/products/

Google provides several ways to interact with its services-

1. GCP console (web ui)
GCP console is a web user interface which lets you interact with GCP resources. You can view, create, update and delete cloud resources from this page.

How to create a Linux vm(instance) using the console – https://cloud.google.com/compute/docs/quickstart-linux

2. Command Line Interface (gcloud cli toolset)
Install gcloud : https://cloud.google.com/sdk/gcloud/

The gcloud toolkit is a command line interface tool to interact with GCP resources. Very useful in automating cloud tasks, with its command completion and help pages, it is almost a necessity to familiarize yourself with this tool.

How to create an instance using gcloud cli – https://cloud.google.com/sdk/gcloud/reference/compute/instances/create

3. Cloud deployment manager
GCP deployment manager allows you to create, delete and update GCP resources in parallel by declaring a set of templates written in jinja2 or python. Templates can be shared with other teams and can be re-used with little modification.

What deployment manager is and how it works – https://cloud.google.com/deployment-manager/

How to deploy an a GCP instance using deployment manager – https://cloud.google.com/deployment-manager/docs/quickstart

4. APIs
Google provides application programming interface(APIs) to interact with its GCP services. Google recommends using the client libraries over directly calling the RESTful apis.

a. Client libraries

List of client libraries for different programming languages – https://cloud.google.com/apis/docs/cloud-client-libraries

How to interact with Google Compute Engine(GCE) using the Python client library – https://cloud.google.com/compute/docs/tutorials/python-guide#addinganinstance

b. RESTful or raw APIs

API Reference – https://cloud.google.com/compute/docs/reference/beta/

Method for creating an instance – https://cloud.google.com/compute/docs/reference/beta/instances/insert

References –
Google Cloud Platform Services overview

Ansible – How to run a portion of a playbook using tags.

If you have a large playbook it may become useful to be able to run a specific part of it or only a single task without running the whole playbook. Both plays and tasks support a “tags:” attribute for this reason.

In this specific scenario, I have a playbook which configures all productions servers from the moment the servers boot till they start taking traffic. While testing the plays in dev environment, I was debugging an issue on the parts which does dns configuration. This is where the “tags” attributes comes handy –

1. Tag the task –

...
- name: Configure resolv.conf
  template: src=resolv.conf.j2 dest=/etc/resolv.conf
  when: ansible_hostname != "ns1"
  tags:
    - dnsconfig
...

2. Run only the tasks tagged with a specific name –

root@linubuvma:/etc/ansible# ansible-playbook -i dc1/hosts dc1/site.yml --tags "dnsconfig" --check

PLAY [Setup data center 1 servers] *****************************************************

TASK: [common | Configure resolv.conf] ****************************************
skipping: [ns1]
changed: [docker]
ok: [ns2]
ok: [whitehat]
ok: [mail]
ok: [www]
ok: [ftp]

PLAY RECAP ********************************************************************
whitehat                   : ok=1    changed=0    unreachable=0    failed=0
docker                     : ok=1    changed=1    unreachable=0    failed=0
ns1                        : ok=0    changed=0    unreachable=0    failed=0
ns2                        : ok=1    changed=0    unreachable=0    failed=0
mail                        : ok=1    changed=0    unreachable=0    failed=0
www                   : ok=1    changed=0    unreachable=0    failed=0
ftp                   : ok=1    changed=0    unreachable=0    failed=0

Ansible playbook will run only the task with the specified tag, it will skip the rest of the tasks in the playbook. Use the ‘–list-tags’ flag to view all the tags.

References –

http://docs.ansible.com/playbooks_tags.html

https://www.percona.com/live/mysql-conference-2015/sites/default/files/slides/Ansible.pdf

Ansible – Enable logging

By default, Ansible logs the output of playbooks to the standard output only. In order to enable logging to a file for later review or auditing, it can be turned on by setting log_path to a path location where Ansible has a write access.

In my case, i have added the “log_path” setting in the ansible configuration file “/etc/ansible/ansible.cfg” –

# grep log_path /etc/ansible/ansible.cfg
log_path = /var/log/ansible.log

Now I can view the log file to all the details on ansible runs –

root@linubuvma:/etc/ansible# ansible-playbook tasks/groupby.yml --check
PLAY [all:!swarm:!docker1] ****************************************************

TASK: [group_by key=os_{{ ansible_os_family }}] *******************************
changed: [ns2]
.....

root@linubuvma:/etc/ansible# ls -al /var/log/ansible.log
-rw-r--r-- 1 root root 4255 May 16 21:21 /var/log/ansible.log
root@linubuvma:/etc/ansible# head  /var/log/ansible.log
2015-05-16 21:21:43,732 p=22946 u=root |
2015-05-16 21:21:43,732 p=22946 u=root |  /usr/local/bin/ansible-playbook tasks/groupby.yml --check
2015-05-16 21:21:43,732 p=22946 u=root |
2015-05-16 21:21:43,734 p=22946 u=root |  ERROR: the playbook: tasks/groupby.yml could not be found
2015-05-16 21:21:48,575 p=22954 u=root |
2015-05-16 21:21:48,576 p=22954 u=root |  /usr/local/bin/ansible-playbook tasks/groupby.yml --check
2015-05-16 21:21:48,576 p=22954 u=root |
2015-05-16 21:21:48,594 p=22954 u=root |  PLAY [all:!swarm:!docker1] ****************************************************
2015-05-16 21:21:48,609 p=22954 u=root |  TASK: [group_by key=os_{{ ansible_os_family }}] *******************************
2015-05-16 21:21:48,641 p=22954 u=root |  changed: [ns2]

It logs dry-runs (–check) as well and it is smart enough not to log Password arguments.

References –

http://docs.ansible.com/ansible/latest/intro_configuration.html#log-path

How to terminate or cancel an unresponsive ssh session.

While connected to a remote host through an ssh connection using Putty or other ssh clients, your client might freeze and not respond to any keyboard activity. In order to force an exit, there is a “secret” keyboard shortcut – Enter~. [ Enter followed by ~ followed by .(dot) ]

[daniel@kauai ~]$ ssh daniel@linuxfreelancer.com

Hostname..........: svm1010.xenvps-server.net
Uptime............: 21:25:34 up 14654 days, 15:00,  2 users,  load average: 0.09, 0.19, 0.17
Server IP.........: 173.230.241.181
Operating System..: Ubuntu 10.04.4 LTS
Username..........: daniel

daniel@svm1010:~$ uname
Linux

***Press*** Enter~.  {Enter key, followed by '~', followed by '.'}

daniel@svm1010:~$ Connection to linuxfreelancer.com closed.

[daniel@kauai ~]$ 

After you press the Enter~. the connection will be aborted and your session will return to the connection originating client shell.

Alternatively, you can background the ssh session with Enter~Ctrl+Z and then foreground it with fg command.

References –

https://serverfault.com/questions/283129/why-do-consoles-sometimes-hang-forever-when-ssh-connection-breaks

ipython tutorial and how to delete sensitive data from history

ipython is program which allows you to run python code in an interactive shell. Although Python itself when run from CLI opens an interactive shell as well, ipython is much more powerful and greatly improves your productivity. Some of the things you can do with ipython but not the default python shell is command or code and file name completion, view history, copy/paste a single or multiline code, nicely colored help with in the shell, run Linux commands such as ls or cat, scroll up/down to previous commands, automatically adds spaces after you press enter, etc.

Installation

pip install ipython

Quick demo
Start ipython by typing the

ipython

command in your CLI –

daniel@lindell:/tmp$ ipython
Python 2.7.12 (default, Nov 19 2016, 06:48:10) 
Type "copyright", "credits" or "license" for more information.

IPython 5.4.1 -- An enhanced Interactive Python.
?         -> Introduction and overview of IPython's features.
%quickref -> Quick reference.
help      -> Python's own help system.
object?   -> Details about 'object', use 'object??' for extra details.

In [1]: print('ipython')
ipython

In [2]: 

With in the ipython interactive shell you can run any python code, let us walk through some examples –

  In [1]: x=2

In [2]: x
Out[2]: 2

In [3]: mylist=[1,2,3,4,5]

In [4]: [i**3 for i in mylist]
Out[4]: [1, 8, 27, 64, 125]

In [5]: with open('/etc/hosts') as fp:
   ...:     for line in fp:
   ...:         if 'localhost' in line:
   ...:             print line
   ...:             
127.0.0.1	localhost

::1     ip6-localhost ip6-loopback


In [6]: ls /opt/
ansible/  google/  vagrant/

In [7]: 

Go back to previously typed commands / History
With ipython, you can either press the UP arrow key or type

 history 

command to view history. ipython keeps session history as well as all input and output lines in a SQLite file which is located in

~/.ipython/profile_default/history.sqlite 

You can view and modify this file using

sqlite3

tool –

daniel@lindell:/tmp$ sqlite3 ~/.ipython/profile_default/history.sqlite
SQLite version 3.11.0 2016-02-15 17:29:24
Enter ".help" for usage hints.
sqlite> .schema
CREATE TABLE sessions (session integer
                        primary key autoincrement, start timestamp,
                        end timestamp, num_cmds integer, remark text);
CREATE TABLE history
                (session integer, line integer, source text, source_raw text,
                PRIMARY KEY (session, line));
CREATE TABLE output_history
                        (session integer, line integer, output text,
                        PRIMARY KEY (session, line));
sqlite> 

Deleting sensitive data from history
You can delete any line from history by using SQL. First use SELECT statement to find the line number and then use DELETE statement to delete it. In this example, we are deleting line number 10 from the history table –

sqlite> select * from history;
sqlite> .schema history
CREATE TABLE history
                (session integer, line integer, source text, source_raw text,
                PRIMARY KEY (session, line));
sqlite> delete from history where line=10;

References –
https://ipython.org/
http://www.sqlitetutorial.net/sqlite-delete/