jjasghar.github.io - via RSS










jjasghar rants and ramblings


Jjasghar.github.io Spined HTML


jjasghar rants and ramblings
This is JJ's little corner of the internet where he tries to capture things that he learns that he thinks someone else might want.
https://jjasghar.github.io/
Wed, 21 Nov 2018 17:35:30 +0000
Jekyll v3.7.4

Using Travis CI to release a docker container to the public Docker registry
<p>I have a few <a href="http://jjasghar.github.io/ibm-docker/">docker containers</a> that I push to the public Docker hub. I was going to set up a Jenkins job to do it for me, but thought instead I could use Travis CI. These are the steps I’ve taken from two posts, <a href="https://ops.tips/blog/travis-ci-push-docker-image/">ops.tips</a> and <a href="https://medium.com/mobileforgood/patterns-for-continuous-integration-with-docker-on-travis-ci-71857fff14c5">mobileforgood</a>, to make this work in my IBM container repositories.</p>
<p><em>Note</em>: The following examples are taken from <a href="https://github.com/jjasghar/ibm-cloud-cli/">this</a> repository.</p>
<p>Thanks to these two for the direction, and hopefully this will help someone in the future.</p>
<p>First thing first, I needed to install the <code class="highlighter-rouge">travis</code> gem.</p>
<div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gem install travis
</code></pre></div></div>
<p>After that, go ahead and do a login using the following command in the repository you want to publish:</p>
<div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code>~/repo/ibm-cloud-cli on master± travis login --auto
Successfully logged in as jjasghar!
</code></pre></div></div>
<p>Then if you don’t already have a <code class="highlighter-rouge">.travis.yml</code> do a <code class="highlighter-rouge">travis init</code>:</p>
<div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code>~/repo/ibm-cloud-cli on master± travis init
Detected repository as jjasghar/ibm-cloud-cli, is this correct? |yes|
Main programming language used: |Ruby|
.travis.yml file created!
jjasghar/ibm-cloud-cli: enabled :)
</code></pre></div></div>
<p>The most important line is <code class="highlighter-rouge">enabled :)</code>: this is one step you don’t have to click through inside GitHub, it just does it for you. If you already have a <code class="highlighter-rouge">.travis.yml</code> you can skip this. It seems to default to <code class="highlighter-rouge">Ruby</code> here, so I opened the file immediately, removed everything in it, and pasted in the following:</p>
<p><em>Note</em>: it is inspired by <a href="https://ops.tips">https://ops.tips</a>:</p>
<div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sudo: 'required'

services:
  - 'docker'

before_install:
  - './.travis/main.sh'

script:
  - 'make test'
  - 'make image'

# To have `DOCKER_USERNAME` and `DOCKER_PASSWORD`
# use `travis env set DOCKER_USERNAME ...`
# use `travis env set DOCKER_PASSWORD ...`
deploy:
  provider: script
  script: docker login -u $DOCKER_USERNAME -p $DOCKER_PASSWORD &amp;&amp; make push-image
  on:
    branch: master
</code></pre></div></div>
<p>Then I created a directory called <code class="highlighter-rouge">.travis</code>, made a file called <code class="highlighter-rouge">main.sh</code> in it with the following script, and ran <code class="highlighter-rouge">chmod +x</code> on the file:</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>#!/bin/bash

set -o errexit

main() {
  setup_dependencies
  update_docker_configuration

  echo "SUCCESS: Done! Finished setting up Travis machine."
}

# Upgrade docker-ce on the Travis build machine.
setup_dependencies() {
  echo "INFO: Setting up dependencies."

  sudo apt update -y
  sudo apt install --only-upgrade docker-ce -y

  docker info
}

# Write the docker daemon configuration and restart the daemon.
update_docker_configuration() {
  echo "INFO: Updating docker configuration"

  echo '{
  "experimental": true,
  "storage-driver": "overlay2",
  "max-concurrent-downloads": 50,
  "max-concurrent-uploads": 50
}' | sudo tee /etc/docker/daemon.json
  sudo service docker restart
}

main
</code></pre></div></div>
<p>And finally created a <code class="highlighter-rouge">Makefile</code> with the following:</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>IMAGE := jjasghar/ibm-cloud-cli
VERSION:= $(shell grep IBM_CLOUD_CLI Dockerfile | awk '{print $2}' | cut -d '=' -f 2)

test:
	true

image:
	docker build -t ${IMAGE}:${VERSION} .
	docker tag ${IMAGE}:${VERSION} ${IMAGE}:latest

push-image:
	docker push ${IMAGE}:${VERSION}
	docker push ${IMAGE}:latest

.PHONY: image push-image test
</code></pre></div></div>
<p>As you can see it’s pretty straightforward. I pull the version from the <code class="highlighter-rouge">Dockerfile</code>, create two tags, and push them to the hub if needed.</p>
<p>From now on I’ll have to update the <code class="highlighter-rouge">VERSION</code> in the <code class="highlighter-rouge">Dockerfile</code> but that’s ok, it’s a good practice to know what your versions are. It will only push when you merge the PR due to the <code class="highlighter-rouge">deploy</code> line, which is the power of this whole setup.</p>
Wed, 14 Nov 2018 12:31:21 +0000
https://jjasghar.github.io/blog/2018/11/14/using-travis-ci-deploying-docker-container-to-the-public-docker-registry/
linux sysadmin docker

Updating Debian from stretch to buster aka Debian 9 to 10
<p>I got a PXE server that was able to <a href="https://wiki.debian.org/PXEBootInstall">netboot</a> Debian 9.5. I wanted to start playing with Buster/Sid, and completely forgot how to convert the machine.</p>
<p>For more information on Sid, check out <a href="https://wiki.debian.org/DebianUnstable">here</a>. But the most relevant thing about it is this:</p>
<blockquote>
<p>The Unstable repositories are updated every 6 hours.
You can upgrade with apt-get dist-upgrade, taking all the necessary precautions beforehand of course.</p>
</blockquote>
<p>I did some googling and found <a href="https://linuxconfig.org/how-to-upgrade-debian-9-stretch-to-debian-10-buster">this page</a> on how to do it, but figured I’d capture it for myself here.</p>
<p>Make sure that your Debian 9.5 machine is as up to date as possible:</p>
<p><em>NOTE</em>: you need to be root for all of this.</p>
<div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code>apt-get update
apt-get upgrade
apt-get dist-upgrade
</code></pre></div></div>
<p>Next, convert the <code class="highlighter-rouge">sources.list</code> from <code class="highlighter-rouge">stretch</code> to <code class="highlighter-rouge">buster</code>.</p>
<div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sed -i 's/stretch/buster/g' /etc/apt/sources.list
</code></pre></div></div>
<p>Update the <code class="highlighter-rouge">apt cache</code> with the new sources.</p>
<div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code>apt-get update
</code></pre></div></div>
<p>Update the machine fully:</p>
<div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code>apt-get upgrade
apt-get dist-upgrade
</code></pre></div></div>
<p>Verify that the update has succeeded:</p>
<div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code>cat /etc/debian_version
buster/sid
</code></pre></div></div>
<p>I’d reboot now to make sure everything comes up as expected.</p>
Tue, 07 Aug 2018 15:43:32 +0000
https://jjasghar.github.io/blog/2018/08/07/updating-debian-from-stretch-to-buster/
sysadmin linux

Cookbook development on the VMware platform
<p>As cookbook development becomes a staple in the enterprise space, a repeatable process and standard steps need to be created. I have spent some time working with Chef customers and found a typical VMware based pipeline you should start molding to your environment. This isn’t a one size fits all, but it’s enough to get your use case off the ground.</p>
<p>One of Chef’s largest advantages is that we encourage you to shift changes and tests earlier, to the left, helping you deal with infrastructure changes in development instead of finding issues in production.</p>
<p><em>Note</em>: Thank you from <a href="https://blog.pdark.de/2012/07/21/software-development-costs-bugfixing/">here</a> for the chart.</p>
<p><img src="https://darkviews.files.wordpress.com/2012/07/software-development-costs-bugfixing.png?w=450&amp;h=280" alt="" /></p>
<p>As you can see from the above chart, the cost of changes and work to your software is significantly higher in production compared to iterating in development. This is important to call out: there’s no reason why we couldn’t use the same paradigm in cookbook development.</p>
<h2 id="vmware-pipeline-example">vmware-pipeline-example</h2>
<p>I have developed an example cookbook with a pre-built pipeline to walk you through everything needed to start doing this type of development in a pure VMware SDDC.
You can click <a href="https://github.com/jjasghar/vmware-pipeline-example/">here</a> to see the code; and if you’re curious, the full pipeline leveraging Jenkins is <a href="http://jenkins.tirefi.re/job/vmware-pipeline-example/">here</a>.</p>
<p>Eventually, you will want to take something like this example and create a <a href="https://jjasghar.github.io/blog/2017/08/08/using-the-cookbook-generator-as-soon-as-possible/">cookbook-generator</a> from it so you don’t have to remember any of these settings and can standardize on it.</p>
<p>There is a <a href="https://github.com/jjasghar/vmware-pipeline-example/blob/master/Jenkinsfile">Jenkinsfile</a> that, with a few changes, can be dropped into a <a href="https://jenkins.io/doc/pipeline/">jenkins pipeline</a> and “just work” (TM). An experienced Jenkins user or maintainer should be able to understand it pretty quickly.</p>
<h2 id="the-pipeline-explanation">The pipeline explanation</h2>
<p><img src="https://github.com/jjasghar/vmware-pipeline-example/blob/master/pipeline.png?raw=true" alt="" /></p>
<p>This whole section assumes you want to make a change to a cookbook that will change something in production. We are going to focus on two halves of the development cycle, early and late, to describe this iterative development process.</p>
<p>Early in the development cycle, you want to focus on quick changes and a fast feedback loop on what will affect your eventual outcome. Leveraging containers at this stage is not a perfect match, but pretty damn close, and we even have two ways you can leverage it.</p>
<p><code class="highlighter-rouge">kitchen-dokken</code> is a tool that allows <code class="highlighter-rouge">test-kitchen</code> to talk to a docker endpoint and spins up 3 containers for a converge. This is very specific to the Chef ecosystem but allows for unbelievably fast iterations on changes.
The three containers are a cookbook cache (where the cookbook code lives), a chef container (where chef is installed to), and an OS container that the two other containers are mounted into. This creates a 3 tier system where one change doesn’t need to blow away the entire stack, it only changes out the container it needs to. Every change you make only recycles the OS container and bind mounts the other two, so you only change the code and don’t have to bootstrap chef or kitchen every iteration.</p>
<p><code class="highlighter-rouge">kitchen-docker</code> on the other hand is a pure <a href="https://www.docker.com/">docker</a> driver for test-kitchen and in essence creates something as close as you can get to a full operating system. Instead of the <code class="highlighter-rouge">kitchen-dokken</code> approach of creating three containers, it only bootstraps one and emulates a virtual machine.</p>
<p>In the example code, you’ll notice that you can use <code class="highlighter-rouge">kitchen-docker</code> on remote hosts. I should say this is also true with <code class="highlighter-rouge">kitchen-dokken</code>, but for this example <code class="highlighter-rouge">dokken</code> is local, and <code class="highlighter-rouge">docker</code> is remote. If you work at a company that doesn’t allow <a href="https://www.virtualbox.org/">VirtualBox</a> or <a href="https://www.vmware.com/products/workstation-pro.html?src=af_5b804d3334401&amp;cid=70134000001YXKx">VMware Workstation</a>, using a remote docker endpoint might be the answer. This gives you a secure place in your VMware SDDC to have a docker endpoint, allowing for these quick iterations early in your development cycle.</p>
<p>There is a “drop in OVA” for a docker endpoint provided for you by VMware called <a href="https://vmware.github.io/photon/">PhotonOS</a>.
If your policies only allow you to run machines in SDDCs approved by your company, installing Photon OS directly from VMware can be the answer to getting this endpoint. There is some work you need to do with the template; I cover the steps <a href="http://jjasghar.github.io/blog/2017/03/29/photonos-as-your-backend-for-kitchen-docker/">here</a>.</p>
<p>After you’ve made your changes and updated your <a href="https://www.inspec.io/">InSpec</a> integration tests (<a href="https://github.com/jjasghar/vmware-pipeline-example/blob/master/test/integration/default/default_spec.rb">for example</a>), this is where you want to start looking at leveraging actual virtualized operating systems. We do the best we can with containers, but don’t forget they only emulate full operating systems as closely as they can, and they do fall short. It’s important to say that after you get the container to the place you want it with your recipe, writing the InSpec integration test as a “safety blanket” can help your future self.</p>
<p>This stage is where <a href="https://kitchen.ci/">kitchen-vagrant</a> or, if you can’t use <code class="highlighter-rouge">vagrant</code>, going directly to <a href="https://github.com/chef/kitchen-vcenter/">kitchen-vcenter</a> or <a href="https://github.com/chef-partners/kitchen-vra">kitchen-vra</a> comes in, and the longer iterations will start happening. Depending on the machines, <code class="highlighter-rouge">vagrant</code>, <code class="highlighter-rouge">vCenter</code>, and <code class="highlighter-rouge">vRealize Automation</code> have wildly different spin up cycles, ranging from single minutes to tens of minutes.
But the major benefit here is you can run <em>exactly</em> what you run in production, from the versions or templates in vCenter, to the specific Catalogs for <code class="highlighter-rouge">vRA</code>.</p>
<p>It should be clear here that these machines are ephemeral, and <code class="highlighter-rouge">test-kitchen</code> is not a deployment system. It’s a testing framework that allows you to quickly iterate with only a few commands. You want to get to the point where a <code class="highlighter-rouge">kitchen test</code> passes without any errors and all your check marks are green, before uploading this cookbook to your Chef Server.</p>
<p>When you are ready to push this change to production, this is where leveraging <code class="highlighter-rouge">knife</code> and the <code class="highlighter-rouge">knife</code> plugins comes into play. Upload the cookbook as a new version and let <code class="highlighter-rouge">chef-client</code> run, or if you haven’t created the machine yet, use something like <code class="highlighter-rouge">knife-vcenter</code> or <code class="highlighter-rouge">knife-vrealize</code> to create a persistent machine with the new code bootstrapped with Chef.</p>
<p>From here you have the full cycle. This example cookbook demonstrates everything up to the point of pushing it to a Chef server and bootstrapping a machine. This is by design: there are too many options to cover here, and hopefully this triggers a way to get this pipeline working in your environment.</p>
Tue, 24 Jul 2018 16:43:06 +0000
https://jjasghar.github.io/blog/2018/07/24/cookbook-development-with-a-pure-vmware-stack/
sysadmin chef vmware

Building and Leading an Open Source Community
<p>I was on a call with a friend from a large corporation this morning discussing building a new open source community for some shared software.
We didn’t talk about the legality, but what was required to successfully start it up. He mentioned that they had some tactical things planned but wanted my input on what else he hadn’t thought of. Needless to say, I had my opinions.</p>
<p>Over the last 4 years being in the Open Source Community at Chef I’ve helped cultivate community groups in different portions of our industry, ranging from committee driven OpenStack to corporate VMware, and seen different things succeed and fail. Here are a couple takeaways I’ve learned and hopefully might help someone later on.</p>
<blockquote>
<p>Starting an Open Source community isn’t just a Github repo and a wiki.</p>
</blockquote>
<p>It’s amazing how, thinking about Open Source in the modern day, people still think you put a repository up on Github and the Open Source horde will come to help you out. That’s not the case, it requires so much more that most never see. You need to market your code, you need to get people involved, you need to have folks already engaged and dedicated to shepherd them through the process of engaging with what you have created. This also doesn’t happen overnight, this takes months or even years of dead silence or a trickle of engagement, and then if you’re lucky you might create a community. The scary thing is that because it’s all volunteers that help you, you have to continue to cultivate it, and if you or your project does something wrong you can lose all of your members overnight. Yes, it can take months or years to build it, and overnight people’s priorities can change and you can be left alone. It doesn’t sound all unicorns and rainbows, mainly because it isn’t; it’s hard and unforgiving.</p>
<blockquote>
<p>Building and leading an Open Source community is like organizing a trash pick up in your neighborhood. No one cares about the permissions you had to negotiate to get the local board to say yes, they are there to help you beautify the area.
It’s still good to feed them or celebrate the best workers, but in general, they don’t care about the back end at all.</p>
</blockquote>
<p>I was trying to think of a way to describe a response I made about the amount of “political” work required and came up with the above quote. He asked me, “When you said political, is that the community or the corporate political work that I have to do?” I looked out my window and saw a soccer field that is maintained by my local MUD and thought about how much it would take to get a trash pickup done. Then it dawned on me, that’s a perfect bite-size explanation of leading an Open Source community.</p>
<p>I didn’t know how to explain to someone that is just starting this journey that the Open Source Community members don’t often care about the hardships that an Open Source leader goes through day in, day out. It felt very negative and would cause some friction, but honesty is always the best policy. The sooner this person realizes that the people involved are there as volunteers working for free on a shared project wanting to learn, help, and socialize not have to worry about the struggle and the logistics and maintenance of the project.</p>
<p>Let us pull apart the statement and discuss each portion in a little detail.</p>
<blockquote>
<p>Building and leading an Open Source community is like organizing a trash pick up in your neighborhood.</p>
</blockquote>
<p>If you’ve ever done volunteer work, this should hit home. You know the amount of work that is involved in getting just a simple trash pickup together. It’s not just putting up a flyer or Facebook Neighborhood post saying “Saturday morning, 9 am Trash pickup.” Oh no, it’s more than that.
You need to get resources together for it: you need trash bags, ways to pick up trash, water, safety gear, ways to transport the trash away from the collection points, set collection points, people to help staff these points and give out resources; this is what’s just off the top of my head, I bet there is much much more to be done tactically. This is just the thought of “Saturday morning, 9 am Trash pickup.”</p>
<p>No one cares about the permissions you had to do to get the local board to say yes, they are there to help you beautify the area. It’s still good to feed them or celebrate the best workers, but in general, they don’t care about the back end at all.</p>
<p>Now you’ve figured out the tactics to get this done, now let’s think about the next step. You need permission from your local MUD/board/HOA to get this done. This is a great illustration of the work you might have to do as an Open Source leader on the back end for the rights of a company. If you deal at all with intellectual property laws or have specific licensing agreements, the work you have to do to deal with those choppy waters is work no one will care about or help you with. They are there to help the project; being Open Source means they can help, and it isn’t their responsibility to make the corporate overlords happy. That’s your job, you are the focal point, the person that has to figure out the correct process. You quickly learn to have a thick skin, you’ll get shot down and frustrated, and assuming you’re building and leading an Open Source community for a corporation, this will be the largest and most frustrating part of your job.</p>
<p>Finally, one of the best portions of the job is the ability to celebrate the members of the community. The ability to say thank you and highlight the committers to your project to build something together is the reward.
It’s amazing what the human engineering spirit can do when there is a common goal and resources to make it happen. Most, I would say at least 80% of Open Source projects never get to this point, but if you do it is something to be celebrated. You can have all the corporate resources to make this happen, but if you don’t grow the community organically you’ll never see the return on the investment.</p>
Fri, 23 Mar 2018 11:22:18 +0000
https://jjasghar.github.io/blog/2018/03/23/leading-an-opensource-community/
essay opinion

PowerCLI 10+ on Ubuntu Linux
<p>Here are some straightforward steps to getting PowerCLI 10+ working on Ubuntu Linux.</p>
<p>First thing first, you need to get on an Ubuntu (Debian) machine. Now you need to get PowerShell installed:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>~$ sudo apt-get install curl
~$ curl https://packages.microsoft.com/keys/microsoft.asc &gt; MS.key
~$ sudo apt-key add MS.key
~$ curl https://packages.microsoft.com/config/ubuntu/16.04/prod.list | sudo tee /etc/apt/sources.list.d/microsoft.list
~$ sudo apt-get update
~$ sudo apt-get install -y powershell
</code></pre></div></div>
<p>Awesome! Ok, next you should verify that PowerShell is working as expected.</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>~$ pwsh # &lt;--- THIS IS HOW TO START POWERSHELL
PowerShell v6.0.2
Copyright (c) Microsoft Corporation. All rights reserved.

https://aka.ms/pscore6-docs
Type 'help' to get help.

PS &gt; Get-Date –Format U
Thursday, March 22, 2018 8:57:26 PM
PS &gt; $PSVersionTable

Name                           Value
----                           -----
PSVersion                      6.0.2
PSEdition                      Core
GitCommitId                    v6.0.2
OS                             Linux 4.10.0-28-generic #32~16.04.2-Ubuntu SMP Thu Jul 20 10:19:48 UTC 2017
Platform                       Unix
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

PS &gt; exit
</code></pre></div></div>
<p>Notice the exit: you need to go back to your Ubuntu command prompt to create a directory. You might be able to do that in the PowerShell prompt, but due to the “non-production” release, it’s best to have this created outside of the shell then recreate it.</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>~$ mkdir -p ~/.local/share/powershell/Modules
</code></pre></div></div>
<p>Now go back into PowerShell and run the following to install PowerCLI.</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>~$ pwsh
PowerShell v6.0.2
Copyright (c) Microsoft Corporation. All rights reserved.

https://aka.ms/pscore6-docs
Type 'help' to get help.

PS &gt; Install-Module -Name VMware.PowerCLI -Scope CurrentUser

Untrusted repository
You are installing the modules from an untrusted repository. If you trust this repository, change its InstallationPolicy value by running the Set-PSRepository cmdlet. Are you sure you want to install the modules from 'PSGallery'?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "N"): A
PS &gt;
</code></pre></div></div>
<p>Note: See the <code class="highlighter-rouge">-Scope CurrentUser</code>?
That is required to make sure that the module gets installed in the local directory we created in the previous step.</p>
<p>You should be able to do the following now:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>PS &gt; Set-PowerCLIConfiguration -InvalidCertificateAction Ignore

Perform operation?
Performing operation 'Update PowerCLI configuration.'?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): A

Scope    ProxyPolicy     DefaultVIServerMode InvalidCertificateAction  DisplayDeprecationWarnings WebOperationTimeout
                                                                                                  Seconds
-----    -----------     ------------------- ------------------------  -------------------------- -------------------
Session  UseSystemProxy  Multiple            Ignore                    True                       300
User                                         Ignore
AllUsers

PS &gt; Connect-VIServer -Server SERVERIP -User administrator@vsphere.local -Password YOURPASSWORD
PS &gt; Get-VM
</code></pre></div></div>
Thu, 22 Mar 2018 15:53:07 +0000 https://jjasghar.github.io/blog/2018/03/22/powercli-10+-on-linux/ vmware sysadmin powershell

The steps to create, upload, and run a custom InSpec profile via Chef Automate
<p>Here are the steps to create, upload, and run a custom <a href="https://www.inspec.io/">InSpec</a> profile via <a href="https://www.chef.io/automate/">Chef Automate</a>.</p>
<ol>
<li>(<em>Optional</em>) Have the <a href="https://downloads.chef.io/chef-dk/">ChefDK</a> installed, or InSpec installed.</li>
<li>Create a skeleton profile: <code class="highlighter-rouge">inspec init profile &lt;name&gt;</code></li>
<li>Edit the <code class="highlighter-rouge">&lt;name&gt;/inspec.yml</code> with everything you might need, including any <a href="https://github.com/chef/inspec-aws#adapt-the-inspecyml">dependencies</a>.</li>
<li>Add a control to <code class="highlighter-rouge">&lt;name&gt;/controls/example.rb</code>.
(You probably want to change this file name.)</li>
<li>Verify the controls after you are done: <code class="highlighter-rouge">inspec check &lt;name&gt;</code>.</li>
<li>(<em>Optional</em>) Run the profile locally: <code class="highlighter-rouge">inspec exec &lt;name&gt;</code>.</li>
<li>Log in to the Chef Automate instance via InSpec: <code class="highlighter-rouge">inspec compliance login</code>.</li>
<li>Upload the profile to Automate: <code class="highlighter-rouge">inspec compliance upload &lt;name&gt;</code>.</li>
<li>Verify the profile is uploaded correctly: <code class="highlighter-rouge">inspec compliance profiles</code>.</li>
<li>Run the profile via Automate: <code class="highlighter-rouge">inspec compliance exec YOURUSERNAME/&lt;name&gt;</code>.</li>
</ol>
Mon, 12 Feb 2018 15:03:24 +0000 https://jjasghar.github.io/blog/2018/02/12/full-steps-to-upload-custom-profile-for-inspec/ chef inspec

vmware-tools chef cookbook resurrected
<p><strong>tl;dr</strong>: I’d like to announce that I have released an updated and modernized version of the <a href="https://supermarket.chef.io/cookbooks/vmware-tools">vmware-tools cookbook</a>. This cookbook installs <a href="https://github.com/vmware/open-vm-tools">open-vm-tools</a>, or the public version of <a href="https://packages.vmware.com/tools/esx/latest/windows/x64">vmware-tools posted here</a>, which has become the <a href="https://blogs.vmware.com/vsphere/2015/09/open-vm-tools-ovt-the-future-of-vmware-tools-for-linux.html?src=af_5b804d3334401&amp;cid=70134000001YXKx">de facto standard for vmware-tools</a> since around the release of ESXi 6.0.</p>
<p>As a user/consumer of the VMware stack, you are pretty much required to use <a href="https://docs.vmware.com/en/VMware-Tools/index.html?src=af_5b804d3334401&amp;cid=70134000001YXKx">vmware-tools</a> for your guest VMs.
Most burn vmware-tools into their golden VM templates to make sure that the ESXi hypervisor or vCenter can get VM information, or even have better performance, such as in the case of Windows and the Web console. This is a time-honored way of making sure when your clones are created you have at least a baseline of VMware drivers and integrations.</p>
<p>You’re probably asking yourself, why create a Chef Cookbook to do something that should in most cases already be there? A couple reasons, but the main one is this: vmware-tools moves extremely fast, and with the releasing of the Linux variant of open-vm-tools, moves even quicker than in the past. This cookbook does its best to make sure you are always running the most up-to-date version of this technology, with the least amount of effort on your side. <em>Note:</em> As of writing this, the Windows portion is pinned to a specific version, I’m <a href="https://github.com/jjasghar/chef-vmware-tools/blob/master/recipes/_windows.rb">still working on a way to pragmatically</a> have it always be the newest release; and if you want to help, I’d love to take a <a href="https://github.com/jjasghar/chef-vmware-tools/pulls">PR</a> to do this.</p>
<p>With this cookbook, you get some other surprise benefits too. If you add this cookbook to your base cookbook, no matter what you do, every machine you bootstrap will always be guaranteed to have vmware-tools updated and installed. This helps take some mental burden away because you can trust this cookbook will at least get your VMware infrastructure baseline integration done. In turn, you can retire some of the “golden image” steps, allowing for an easier pipeline and more dynamic versioning of the code.</p>
<p>Take this quick win example: you are just implementing Chef in your VMware infrastructure.
You need to show value quickly and get the <a href="https://docs.chef.io/chef_client_overview.html">chef-client</a> on every one of your VMs. This cookbook is something that can be used to show continual value and only make changes to the VM if the machine doesn’t already have vmware-tools installed, which is most likely required anyway.</p>
<p>I followed the Unix philosophy here; I wanted to create something that, when you add this cookbook to your Chef Server, does one thing and one thing well. It’s one less thing to worry about, and as long as you use Chef to drive your infrastructure as code, you’ll have vmware-tools updated and installed.</p>
Tue, 06 Feb 2018 10:56:56 +0000 https://jjasghar.github.io/blog/2018/02/06/vmware-tools-chef-cookbook-resurrected/ sysadmin chef vmware

vcsa 6.5 automated deployment
<p>You might be looking for a way to deploy the <a href="https://docs.vmware.com/en/VMware-vSphere/6.5/com.vmware.vsphere.vcsa.doc/GUID-223C2821-BD98-4C7A-936B-7DBE96291BA4.html?src=af_5b804d3334401&amp;cid=70134000001YXKx">vCSA</a> without going through the wizard. Or there’s a chance you came across <a href="https://thevwebster.wordpress.com/2017/12/29/deploying-the-vcenter-server-appliance-6-0-with-a-script/">this site</a> and realized that running <code class="highlighter-rouge">vcsa-deploy</code> is asking for version <code class="highlighter-rouge">2.3.0</code> and copy pasting isn’t working.</p>
<p>First things first, all the options for this JSON file are located <a href="https://docs.vmware.com/en/VMware-vSphere/6.5/com.vmware.vsphere.install.doc/GUID-457EAE1F-B08A-4E64-8506-8A3FA84A0446.html?src=af_5b804d3334401&amp;cid=70134000001YXKx">here</a>. This page wasn’t obvious for me to find, and this maybe will help you too.
No joke, I ended up searching <code class="highlighter-rouge">Cannot set key 'site-name' in section 'new.vcsa'</code> to find that page.</p>
<p>Well, here’s a deprecation warning that might start this whole issue off:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Execution Details:
===================
[1] Verify Template started at 18:46:48
===================
Performing basic template verification...
Deprecation warning: You are using an old version of the JSON template. A new template (version 2.3.0) will be generated for you. If you have already manually updated your template, check that you have the '__version' field set to '2.3.0' or higher.
</code></pre></div></div>
<p>Yep, that’s worrying and you might have no idea what to do. Here is a template of everything that was required for me to get a <code class="highlighter-rouge">small</code> (a basic) instance of an Embedded Platform Services Controller and vCenter instance. Everything here is a STRING, so if you see <code class="highlighter-rouge">&lt;&gt;</code> be sure it’s surrounded by <code class="highlighter-rouge">" "</code>.
Everything in CAPITAL LETTERS is something you should change.</p>
<div class="language-json highlighter-rouge"><div class="highlight"><pre class="highlight"><code>{
    "__version": "2.3.0",
    "new.vcsa": {
        "esxi": {
            "hostname": &lt;HOSTNAME or IP&gt;,
            "username": "root",
            "password": &lt;root PASSWORD&gt;,
            "deployment.network": "VM Network",
            "datastore": &lt;DATASTORE YOU ARE DEPLOYING TO&gt;
        },
        "appliance": {
            "thin.disk.mode": true,
            "deployment.option": "small",
            "name": &lt;NAME OF vCSA YOU WANT&gt;
        },
        "network": {
            "ip.family": "ipv4",
            "mode": "dhcp",
            "dns.servers": [
                "8.8.8.8"
            ],
            "prefix": "24",
            "gateway": &lt;IP OF GATEWAY&gt;,
            "system.name": &lt;FQDN OF MACHINE&gt;
        },
        "os": {
            "password": &lt;PASSWORD TO GET INTO :5480/SSH IN&gt;,
            "ssh.enable": true
        },
        "sso": {
            "password": &lt;PASSWORD FOR administrator@vsphere.local&gt;,
            "domain-name": "vsphere.local",
            "site-name": &lt;A STRING TO NAME THE SITE-NAME, check the official docs if you need more info&gt;
        }
    },
    "ceip": {
        "description": {
            "__comments": [
                [
                    "++++VMware Customer Experience Improvement Program (CEIP)++++",
                    "VMware's Customer Experience Improvement Program (CEIP) ",
                    "provides VMware with information that enables VMware to ",
                    "improve its products and services, to fix problems, ",
                    "and to advise you on how best to deploy and use our ",
                    "products. As part of CEIP, VMware collects technical ",
                    "information about your organization's use of VMware ",
                    "products and services on a regular basis in association ",
                    "with your organization's VMware license key(s). This ",
                    "information does not personally identify any individual. ",
                    "",
                    "Additional information regarding the data collected ",
                    "through CEIP and the purposes for which it is used by ",
                    "VMware is set forth in the Trust &amp; Assurance Center at ",
                    "http://www.vmware.com/trustvmware/ceip.html . If you ",
                    "prefer not to participate in VMware's CEIP for this ",
                    "product, you should disable CEIP by setting ",
                    "'ceip.enabled': false. You may join or leave VMware's ",
                    "CEIP for this product at any time. Please confirm your ",
                    "acknowledgement by passing in the parameter ",
                    "--acknowledge-ceip in the command line.",
                    "++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++"
                ]
            ]
        },
        "settings": {
            "ceip.enabled": true
        }
    }
}
</code></pre></div></div>
<p>This is the BARE minimum. After this, you need to run the first command:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>.\vcsa-deploy.exe install --verify-only --acknowledge-ceip vcenter_config.json
</code></pre></div></div>
<p>This will make sure you have no errors or typos in the json.</p>
<p>And when you’re ready to deploy:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>.\vcsa-deploy.exe install --accept-eula --no-esx-ssl-verify --acknowledge-ceip vcenter_config.json
</code></pre></div></div>
<p>Yep, it’s inconsistent, it’s ESX on the command line and ESXi in the json.
:facepalm: I don’t have certs on my ESXi hosts either, that’s what the <code class="highlighter-rouge">--no-esx-ssl-verify</code> is for ;)</p>
Tue, 02 Jan 2018 13:34:48 +0000 https://jjasghar.github.io/blog/2018/01/02/vcsa-6.5-automated-deployment/ vmware sysadmin

vCenter (VCSA) and using Let's Encrypt for SSL Certificates
<p>If you are using the <a href="https://docs.vmware.com/en/VMware-vSphere/6.5/com.vmware.vsphere.vcsa.doc/GUID-223C2821-BD98-4C7A-936B-7DBE96291BA4.html?src=af_5b804d3334401&amp;cid=70134000001YXKx">VCSA</a> for your vCenter you might have searched around to figure out how to update the certificate from Let’s Encrypt. It seems that throughout my Googling I personally wasn’t able to find a tutorial, so this is mine. If you have suggestions or ideas I’d love to hear them, reach out via twitter: <a href="https://twitter.com/jjasghar">@jjasghar</a>.</p>
<h1 id="prerequisites">Prerequisites</h1>
<p>You need to set up <a href="https://certbot.eff.org/">certbot</a> on your local machine. There are a few ways to do that; if you click that link, please figure it out. Second, you need the <code class="highlighter-rouge">root</code> login to your VCSA, with <code class="highlighter-rouge">ssh</code> turned on. You’ll be running some commands at the shell of the VCSA and if you can’t get there you won’t be able to update your certificate. And finally you’ll need some <code class="highlighter-rouge">administrator</code> privileges to your vCenter, defaulting to <code class="highlighter-rouge">administrator@vsphere.local</code>.</p>
<h1 id="requesting-the-cert-from-lets-encrypt">Requesting the cert from Let’s Encrypt</h1>
<p>Whatever your domain name is, in order for Let’s Encrypt to say that you own the domain you’ll need to add a <code class="highlighter-rouge">TXT</code> entry for the vCenter you are getting the certificate for.
For instance here is mine:</p>
<p><img src="../../../../../pics/acme-challenge-vcenter.png" alt="" /></p>
<p>Ok, assuming you have your DNS provider up, let’s send the commands to Let’s Encrypt:</p>
<div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code>~ &gt; sudo certbot certonly --manual --preferred-challenges=dns -d vcenter.tirefi.re
</code></pre></div></div>
<p>Notice the <code class="highlighter-rouge">sudo</code>: you have to run this command with <code class="highlighter-rouge">root</code> privileges. This sends the request and gives you a couple prompts, the most important being:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.vcenter.tirefi.re with the following value:

tuS3NO-WAY-IMPUTTING34p2MY-ACTUAL32341KEY-HERE

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue
</code></pre></div></div>
<p>Press the Enter key when you are sure the <code class="highlighter-rouge">TXT</code> DNS entry has propagated and you should see something like:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/vcenter.tirefi.re/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/vcenter.tirefi.re/privkey.pem
   Your cert will expire on 2018-02-12. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again.
   To non-interactively renew *all* of your certificates, run "certbot renew"
</code></pre></div></div>
<p>Wonderful, now keep this terminal/window open; you’ll need it in a bit.</p>
<h1 id="updating-the-ssl-certificate-on-your-vcsa">Updating the SSL Certificate on your VCSA</h1>
<p>Now that you have your files on your local machine, you’ll need to get them on your VCSA. There are a couple ways to do this; the easiest way I found was to <code class="highlighter-rouge">cat</code> out the certificates, open up <code class="highlighter-rouge">vim</code> on the VCSA, paste them in and save the files. You can get <code class="highlighter-rouge">scp</code> or others working, but I didn’t want to go through all that.</p>
<p>So here are my steps, first I <code class="highlighter-rouge">ssh</code> into my VCSA:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>~ &gt; ssh vcenter.tirefi.re -l root

VMware vCenter Server Appliance 6.5.0.10100

Type: vCenter Server with an embedded Platform Services Controller

root@vcenter.tirefi.re's password:
Last login: Tue Nov 14 20:55:38 2017 from 172.16.20.10
Connected to service

    * List APIs: "help api list"
    * List Plugins: "help pi list"
    * Launch BASH: "shell"

Command&gt; shell
Shell access is granted to root
root@vcenter [ ~ ]#
</code></pre></div></div>
<p>I create the three files I’ll need to update on the VCSA.</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>root@vcenter [ ~ ]# touch cert.pem
root@vcenter [ ~ ]# touch privkey.pem
root@vcenter [ ~ ]# touch fullchain.pem
</code></pre></div></div>
<p>Now I go to my other window and type:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>~ &gt; sudo ls -l /etc/letsencrypt/live/vcenter.tirefi.re/
total 40
-rw-r--r--  1 root  wheel  543 Nov 14 15:01 README
lrwxr-xr-x  1 root  wheel   41 Nov 14 15:01 cert.pem -&gt; ../../archive/vcenter.tirefi.re/cert1.pem
lrwxr-xr-x  1 root  wheel   42 Nov 14 15:01 chain.pem -&gt; ../../archive/vcenter.tirefi.re/chain1.pem
lrwxr-xr-x  1 root  wheel   46 Nov 14 15:01 fullchain.pem -&gt; ../../archive/vcenter.tirefi.re/fullchain1.pem
lrwxr-xr-x  1 root  wheel   44 Nov 14 15:01 privkey.pem -&gt; ../../archive/vcenter.tirefi.re/privkey1.pem
~ &gt;
</code></pre></div></div>
<p>Notice the consistent naming convention here.</p>
<p>Now cat out each, like this:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>~ &gt; sudo cat /etc/letsencrypt/live/vcenter.tirefi.re/cert.pem
~ &gt; sudo cat /etc/letsencrypt/live/vcenter.tirefi.re/privkey.pem
~ &gt; sudo cat /etc/letsencrypt/live/vcenter.tirefi.re/fullchain.pem
</code></pre></div></div>
<p>Run these from your local machine, and copy everything in each file to the window that is your VCSA.</p>
<p>Now that you have your three files on your VCSA, let’s get them inside your machine.</p>
<h2 id="certificate-manager">certificate-manager</h2>
<p>Go ahead and run this next command:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>root@vcenter [ ~ ]# /usr/lib/vmware-vmca/bin/certificate-manager
</code></pre></div></div>
<p>You should see something like the following:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code> _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
|                                                                     |
|      *** Welcome to the vSphere 6.0 Certificate Manager  ***        |
|                                                                     |
|                   -- Select Operation --                            |
|                                                                     |
|      1. Replace Machine SSL certificate with Custom Certificate     |
|                                                                     |
|      2. Replace VMCA Root certificate with Custom Signing           |
|         Certificate and replace all Certificates                    |
|                                                                     |
|      3. Replace Machine SSL certificate with VMCA Certificate       |
|                                                                     |
|      4. Regenerate a new VMCA Root Certificate and                  |
|         replace all certificates                                    |
|                                                                     |
|      5. Replace Solution user certificates with                     |
|         Custom Certificate                                          |
|                                                                     |
|      6. Replace Solution user certificates with VMCA certificates   |
|                                                                     |
|      7. Revert last performed operation by re-publishing old        |
|         certificates                                                |
|                                                                     |
|      8. Reset all Certificates                                      |
|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|
Note : Use Ctrl-D to exit.
Option[1 to 8]:
</code></pre></div></div>
<p>If you have an error or something doesn’t show up, you aren’t running 6.5 vCenter and you’ll need to debug what’s going on.</p>
<p>Luckily the rest of the commands to get the certificates updated aren’t too complicated:</p>
<p>First, select <code class="highlighter-rouge">1. Replace Machine SSL certificate with Custom Certificate</code> to update the certificate:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Option[1 to 8]: 1
</code></pre></div></div>
<p>It will prompt you for your <code class="highlighter-rouge">administrator</code> level privilege to update the certificate, and the next option:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Please provide valid SSO and VC privileged user credential to perform certificate operations.
Enter username [Administrator@vsphere.local]:
Enter password:
     1. Generate Certificate Signing Request(s) and Key(s) for Machine SSL certificate

     2. Import custom certificate(s) and key(s) to replace existing Machine SSL certificate

Option [1 or 2]: 2
</code></pre></div></div>
<p>We want to import the custom certificate so select <code class="highlighter-rouge">2</code> as I did above.</p>
<p>Fill out the next prompts with the files we walked through at the beginning of this post:</p>
<div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Please provide valid custom certificate for Machine SSL.
File : /root/cert.pem

Please provide valid custom key for Machine SSL.
File : /root/privkey.pem
</code></pre></div></div>
<p>The next option is where the trick of this whole thing is: vCenter asks for the <code class="highlighter-rouge">signing certificate of the Machine SSL certificate</code>, where if you <a href="https://www.google.com/search?q=signing+certificate+of+the+Machine+SSL+certificate">google around</a> you’ll only ever see references to vCenter and not what it actually means. Luckily, Let’s Encrypt puts this in the <code class="highlighter-rouge">fullchain.pem</code> so that’s all you have to add:</p>
<div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Please provide the signing certificate of the Machine SSL certificate
File : /root/fullchain.pem

You are going to replace Machine SSL cert using custom cert
Continue operation : Option[Y/N] ? : Y
Command Output: /root/cert.pem: OK

Get site nameCompleted [Replacing Machine SSL Cert...]
default-site
Lookup all services
</code></pre></div></div>
<p>The final option is the confirmation that you’d like to replace the Machine SSL cert; select <code class="highlighter-rouge">Y</code>.</p>
<p>A ton of UUIDs and data will stream by and it may take up to 10-15 minutes, but when you see this:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Updated 29 service(s)
Status : 70% Completed [stopping services...]
Status : 100% Completed [All tasks completed successfully]
</code></pre></div></div>
<p>You have successfully updated your Certificate!</p>
<p><img src="../../../../../pics/green-vcenter.png" alt="" /></p>
Tue, 14 Nov 2017 15:32:03 +0000 https://jjasghar.github.io/blog/2017/11/14/vcenter-vcsa-and-using-lets-encrypt/ sysadmin vmware

Using the Correct Tool for the Job
<blockquote> <p>You wouldn’t use a saw when you needed a hammer, or a hammer when you needed a saw right?
- Thomas Cate</p> </blockquote>
<p>The above is a quote from a great friend of mine who rattled this statement off, in a way that he has said it a million times, when I was discussing writing on this topic. It really hits home if you think about it; working on some construction project, you find yourself needing to hammer in a nail, you wouldn’t go grab your saw and start whacking the long side at it right? On the other hand, if you needed to cut a 2 by 4 in half you wouldn’t grab your hammer and start smashing it hoping it’ll break where you need the cut to be? The mental image of this is so ludicrous it brings a smile to my face, but this highlights the problem that people say when they don’t want to learn or train their team on <em>another</em> tool.</p>
<h2 id="past">Past</h2>
<p>There is this misconception floating around our industry that won’t seem to be left for the history books. We’ve fought it in the past, it comes back every couple years or so, almost always with new recruits out of University. I’m convinced that every new cycle of engineers is taught that there was a time where, as a Systems Administrator, all you needed to do your job was a terminal, command prompt and a scripting language like Perl. Somehow this was ingrained into our culture and industry and became a concept of “one tool to do everything I need.” I seem to see the focus of teaching coding in Universities not exploring new languages other than Java as a framework to teach computer science. Java as a teaching tool makes a lot of sense to a budding engineer, but to focus on “one tool to do everything,” this can reinforce this stereotype.
Then you take it one step farther: looking at companies outside of University raising Java and creating stacks this way causes this vicious cycle of never exploring newer tools.</p> <p>But I digress. Over time, these Perl wizards, and yes, let’s admit it, they <em>are</em> wizards, either moved on or got promoted, and the Systems Administrators were forced to solve the same problems but with newer tools, like Python or VBScript. I highlight Python and VBScript here because, at least as I became a Systems Administrator, there was a clear line where the “new Linux blood” was picking Python, while the “new Windows blood” was picking VBScript. It almost seemed as if these became the “one tool” to do everything in, and it was so ubiquitous that even <a href="https://xkcd.com/353/">xkcd</a> had a comic about it at one point. Even with this change of the main tooling, there was still this consistency of “one tool to do the job.” There was this colloquialism and accepted truth that a budding Administrator could read one massive O’Reilly book and know everything they needed to be confident in their job. I remember going to an interview with the <a href="https://www.amazon.com/Programming-Perl-Unmatched-processing-scripting/dp/0596004923">large Perl book</a>, all 1176 pages, in my bag and pulling it out to reference something. I’m convinced that it was one of the things that impressed the interviewers because I got the job offer later that day.</p> <h2 id="present">Present</h2> <p>It’s safe to say this is no longer the case. With Digital Transformation and the DevOps movement, it’s required to learn multiple tools to do your work. System Administrators have become modern-day digital tool smiths, shaping their workflow and pipelines into what they need to do their required jobs; no longer can you just buy some code off the shelf, drop it into your environment and expect it to work. 
Our culture and industry practitioners have moved away from this old core concept of using one tool to do every job, and a majority have embraced finding the <em>best tool</em> for the job at hand. This does mean that as a seasoned practitioner you need to learn more tooling and experiment, and this is a good thing. Training your staff on multiple applications and frameworks allows them to learn the newer technologies in our fast moving industry. As a side effect, they gain the ability to experiment with cutting-edge technologies to help fix long-standing inefficiencies with fresh eyes. The ability to use not only something like <code class="highlighter-rouge">bash</code>, <code class="highlighter-rouge">python</code>, <code class="highlighter-rouge">ruby</code>, and <code class="highlighter-rouge">go</code> will allow for a deeper understanding of technology stacks, but will also allow your business to be more stable, more agile, and get features to market quicker.</p> <p>I’ve heard stories of companies that inspect their tooling. If this is true at your company, this doesn’t make any sense. Limiting your workers’ ability by only having “approved” tools not only will force wrong-headed constraints on them, it will cause a slowdown in innovation. The ability to look at a problem from any viewpoint and overcome it with the tooling they are most comfortable with will bring faster and more consistent success. There does need to be a balance though; you don’t want to start picking up tools because they are the “new-shiny” tools. There should be a level of scrutiny, and standardization, but you shouldn’t be scared to try to find something new. I understand that there are specific sectors of our economy that can’t have the ideal level of flexibility due to Governmental or legal reasons, but this is something that should always be looked at and challenged. 
With how fast our core industry moves, if you don’t ask why you can only use <code class="highlighter-rouge">ksh</code> as your shell, and just accept it, this will only cause more friction during the next round of changes. Our industry doesn’t work in the waterfall “drop new versions twice a year” model anymore; every day something can come out, and if you don’t focus on this you’ll find you and your team having to deal with much larger compatibility changes instead of incremental safe changes.</p> <p>There is a debate about extending pre-existing tools in your environment to do more than they were initially designed to. This has echoes of the Perl days, where System Administrators picked a universal tool and molded it into what they needed to get done. With how many tools are out there now, this isn’t discouraged per se but is instead frowned upon. The Open Source movement has birthed Software Engineers and Administrators that are now empowered to scratch the itch they have, and easily find others around the world that have that exact same itch, interact with them, and create wondrous applications. If you create an in-house tool that does something, or are thinking about doing that, you are doing yourself a disservice by not looking out to the Open Source community as a whole to see if someone has created something that fits that use case. You can extend some tools out to do tasks they aren’t designed to do, but rather than taking on the risk of learning how to jimmy-rig this tool to do that extension, the task is better suited to another tool. Extending a tool to do something requires deep knowledge of that tool, whereas in most cases taking the beginning tutorial of another tool to do one piece of the process and hand off to another tool is all you need. 
This goes to the <a href="https://en.wikipedia.org/wiki/Unix_philosophy">Unix philosophy</a>:</p> <blockquote> <p>This is the Unix philosophy: Write programs that do one thing and do it well. Write programs to work together. Write programs to handle text streams, because that is a universal interface. - Doug McIlroy</p> </blockquote> <p>This quote and paradigm can be incredibly powerful. I concede that it can be scary to managers and senior level people, the idea that a pipeline or workflow is a Rube Goldberg Machine of tools, but that is the reality of the DevOps movement. You choose the best tool for the job, you learn what you need of it, and you move on to the next task. Automation and efficiencies are something that come with experimentation and the ability to learn, not with forcing a round peg into a square hole.</p> Tue, 31 Oct 2017 15:22:37 +0000 https://jjasghar.github.io/blog/2017/10/31/using-the-correct-tool-for-the-job/ https://jjasghar.github.io/blog/2017/10/31/using-the-correct-tool-for-the-job/ sysadmin essay opinion