Wednesday, October 21, 2015

Error while connecting to host from Ansible

This is the error message I received while trying to run the ping module from the Ansible master against a host:

ubuntu@master:~/.ssh$ ansible 10.0.3.90 -m ping -k -u ubuntu
SSH password:
10.0.3.90 | FAILED >> {
    "failed": true,
    "msg": "/bin/sh: 1: /usr/bin/python: not found\r\nOpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014\r\ndebug1: Reading configuration data /etc/ssh/ssh_config\r\ndebug1: /etc/ssh/ssh_config line 19: Applying options for *\r\ndebug1: auto-mux: Trying existing master\r\ndebug1: mux_client_request_session: master session id: 2\r\nShared connection to 10.0.3.90 closed.\r\n",
    "parsed": false
}


It seems from the error message that Python is not installed on the target machine.

Check whether Python is present on the target host:

$ python -V

If it is missing, install it with the command below:

$ sudo apt-get install python-support

I ran the command again, and this time it worked:

ubuntu@master:~/.ssh$ ansible 10.0.3.90 -m ping -u ubuntu
10.0.3.90 | success >> {
    "changed": false, 
    "ping": "pong"
}


Friday, September 18, 2015

Can’t locate Sys/Statistics/Linux.pm in @INC in Nagios plugin

Following is the complete error I got while executing the Nagios plugin:

Can't locate Sys/Statistics/Linux.pm in @INC (you may need to install the Sys::Statistics::Linux module) (@INC contains: /usr/lib/nagios/plugins /etc/perl /usr/local/lib/perl/5.18.2 /usr/local/share/perl/5.18.2 /usr/lib/perl5 /usr/share/perl5 /usr/lib/perl/5.18 /usr/share/perl/5.18 /usr/local/lib/site_perl .) at /usr/lib/nagios/plugins/check_linux_stats.pl line 35.

After searching the internet I found that the Perl module Sys::Statistics::Linux is packaged as "libsys-statistics-linux-perl", and that package was missing on my machine.

Since I am using Ubuntu 14.04, I installed the libsys-statistics-linux-perl module with apt-get using the following command:

$ sudo apt-get install libsys-statistics-linux-perl

Tuesday, July 14, 2015

SSH Agent forwarding on Ubuntu 14.04

Use Case: You have some servers in the cloud that are not exposed to the internet directly. You have one server (the bastion host) through which you can log in to the back-end servers.

You log in to the bastion host and from there log in to the rest of the servers that are not exposed to the internet. Done that way, you need to keep your key files on the bastion host, which is not good.

With agent forwarding you don't need to store a private key on the bastion host: the key stays on your local machine, and via SSH agent forwarding the same key is used to log in to the back-end servers.

I believe that you already know how to log in to a Linux server with key authentication. If not, you can find it here.

I assume that you have already set up login via private key on the destination server.

I assume that you have host1 (client), bastion (middle server, the bastion host) and server1 (destination server). With SSH agent forwarding I can log in host1 > bastion > server1 without storing any private key on bastion.
From a network perspective, you ideally want your private servers to be accessible only via a bastion host or other intermediary host that doesn't contain any private key.

On Server: You don't need to do anything if you have already set up login via private/public key authentication.

On Client:
Add your key to your ssh agent:
$ ssh-add /home/keys/private.pem
You will receive the output below:
Identity added: /home/keys/private.pem (/home/keys/private.pem)

You may allow agent forwarding in the ssh_config file, or pass -A on the ssh command line to use agent forwarding for a single connection.

SSH client configuration
The SSH client should be configured to allow agent forwarding. Add the following entry to the /etc/ssh/ssh_config file to apply this change for all users on the machine, or to the /home/user/.ssh/config file to apply it only to a specific user.

Host *
    ForwardAgent yes

The above enables agent forwarding to all hosts. It is an aggressive setting; you may want to restrict it to specific hosts depending on your use case.

ssh -At bastion.example.com ssh server1.example.com

This will take you to server1.example.com
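As an added example (not part of the original post), here is a small POSIX shell script that writes a per-user ssh config restricting agent forwarding to the bastion only, plus an audit function that flags any client config which turns ForwardAgent on under Host * (the aggressive setting above). The host names, user name and key path are the placeholders used in this post. The server1 entry uses ProxyCommand with ssh -W, which tunnels the connection through the bastion and authenticates to server1 directly from your local machine, so the agent does not need to be forwarded to the bastion at all; that matters because a forwarded agent socket can be used by root on the bastion, for as long as you stay connected, to authenticate with your key.

```shell
#!/bin/sh
# Added example, not from the original post. Hostnames, user and key path are
# placeholders taken from the text above.
set -eu

# Write a per-user ssh config: the agent is offered only to the bastion, and
# server1 is reached through the bastion with ProxyCommand, which needs no
# forwarding at all because the client authenticates to server1 directly.
write_restricted_config() {
    cat > "$1" <<'EOF'
Host bastion
    HostName bastion.example.com
    User ubuntu
    IdentityFile /home/keys/private.pem
    ForwardAgent yes

Host server1
    HostName server1.example.com
    User ubuntu
    IdentityFile /home/keys/private.pem
    ProxyCommand ssh -W %h:%p bastion
    ForwardAgent no
EOF
}

# Print the Host pattern of every block that turns ForwardAgent on.
# A "Host *" block (or a ForwardAgent line before any Host line) is reported
# as WIDE, because it forwards the agent to every server you connect to.
audit_forward_agent() {
    awk '
        tolower($1) == "host" { host = $2; next }
        tolower($1) == "forwardagent" && tolower($2) == "yes" {
            if (host == "" || host == "*") print "WIDE"; else print host
        }
    ' "$1"
}

# Stand-alone run: write the restricted config to a temp file and audit it,
# then audit the wide-open "Host *" setting from the post for comparison.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    write_restricted_config "$tmp"
    echo "restricted config forwards the agent to: $(audit_forward_agent "$tmp")"
    printf 'Host *\n    ForwardAgent yes\n' > "$tmp"
    echo "Host * config forwards the agent to: $(audit_forward_agent "$tmp")"
    rm -f "$tmp"
fi
```

Run it with `sh agent-audit.sh --demo` to see both verdicts; pointing audit_forward_agent at /etc/ssh/ssh_config or ~/.ssh/config audits a real client. With the restricted config in place, `ssh server1` logs you in through the bastion while the private key never leaves your machine.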

How to Setup and Secure Linux SSH Logins to use Private PEM Keys

SSH logins are susceptible to brute force attacks. A thousand things can go wrong which could give someone unauthorized access to your server. The best way to secure your SSH login is to use public/private PEM keys. This is the default login type for Amazon EC2 servers. Unfortunately Amazon's interface only creates a single account. This tutorial will show you how to set up additional PEM keys for other users.
Once you've logged into your server, do the following:
Step 1: New account setup
Here we will create the new account and, optionally, add it to sudoers.
sudo adduser user1
sudo su
passwd user1
Optional: Add the user to sudoers
visudo
# add this as the last line
user1   ALL = (ALL)    ALL
Step 2: Generate the public/private key files
Now we will create the public and private key files for user1.
su user1
# Enter the password
cd ~/
ssh-keygen -b 2048 -t rsa -f user1
mkdir .ssh
chmod 700 .ssh
cat user1.pub >> .ssh/authorized_keys
chmod 600 .ssh/authorized_keys
chown user1 .ssh
chown user1 .ssh/authorized_keys

Step 3: Download your private key
If your key is not in .pem format you can convert it with the command below:
openssl rsa -in user1 -outform PEM -out user1.pem
You will now have to download, or copy the contents of, your private PEM file.
If you are going to copy the contents of the file to a key file on your local system, just copy and paste the data into a new file.
Before using your key, make sure to change its permissions to 600:
chmod 600 user1.pem
Step 4: Test your SSH login
Now let's test our password-less login to make sure the private PEM file is working:
ssh -i /path/to/file/user1.pem user1@server1.exampledomain.com
That should do it! Hope you find this tutorial workable.
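The step most often missed in this tutorial is the permissions on .ssh and authorized_keys: with StrictModes (sshd's default) a directory or key file that others can write to is silently ignored, and the login falls back to a password prompt. As an added example, not from the original tutorial, the script below audits a home directory for the layout the steps above create. It assumes GNU stat (the -c option), as shipped on Ubuntu, and includes a helper that builds a constructed home directory so the audit can be tried without touching a real account.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Checks that a user's .ssh
# directory, authorized_keys and any private key files left in the home
# directory have the permissions the tutorial sets. Assumes GNU stat (-c).
set -eu

mode_of() { stat -c '%a' "$1"; }
owner_of() { stat -c '%U' "$1"; }

# audit_ssh_dir HOME [OWNER]
# Prints one line per problem and nothing when the layout is correct.
audit_ssh_dir() {
    home=$1
    owner=${2:-}
    dir=$home/.ssh
    keys=$dir/authorized_keys

    [ -d "$dir" ] || { echo "missing $dir"; return 0; }
    # sshd ignores the key file when .ssh or authorized_keys is writable by others
    [ "$(mode_of "$dir")" = 700 ] || echo "$dir mode $(mode_of "$dir") (want 700)"
    if [ -f "$keys" ]; then
        [ "$(mode_of "$keys")" = 600 ] || echo "$keys mode $(mode_of "$keys") (want 600)"
    else
        echo "missing $keys"
    fi
    if [ -n "$owner" ]; then
        for f in "$dir" "$keys"; do
            if [ -e "$f" ] && [ "$(owner_of "$f")" != "$owner" ]; then
                echo "$f owned by $(owner_of "$f") (want $owner)"
            fi
        done
    fi
    # The tutorial generates user1 / user1.pem in the home directory; any such
    # private key must be 600 too, and is best removed once it has been downloaded.
    for f in "$home"/*.pem; do
        [ -f "$f" ] || continue
        [ "$(mode_of "$f")" = 600 ] || echo "$f mode $(mode_of "$f") (want 600)"
    done
    return 0
}

# make_sample_home DIRMODE KEYMODE
# Builds a constructed home directory laid out like the tutorial's, with the
# given modes, and prints its path.
make_sample_home() {
    h=$(mktemp -d)
    mkdir "$h/.ssh"
    chmod "$1" "$h/.ssh"
    : > "$h/.ssh/authorized_keys"
    chmod "$2" "$h/.ssh/authorized_keys"
    echo "$h"
}

if [ "${1:-}" = "--demo" ]; then
    good=$(make_sample_home 700 600)
    bad=$(make_sample_home 755 644)
    echo "correct layout:"; audit_ssh_dir "$good" "$(id -un)"
    echo "chmod steps skipped:"; audit_ssh_dir "$bad" "$(id -un)"
    rm -rf "$good" "$bad"
fi
```

Against a real account run `audit_ssh_dir /home/user1 user1`; an empty result means the layout matches Steps 2 and 3. Once user1.pem has been copied to your workstation, the private key files user1 and user1.pem have no reason to remain in the server's home directory.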

Tuesday, May 19, 2015

Fixes for Puppet Enterprise 8 (!! ERROR: The puppet master service failed to start within 120 seconds; unable to proceed)

I was getting this error while installing PE8 on Ubuntu 14.04:

!! ERROR: The puppet master service failed to start within 120 seconds; unable to proceed

Install the packages below before you run the Puppet installer:

apt-get install zlib1g-dev build-essential libssl-dev libreadline-dev libyaml-dev libsqlite3-dev sqlite3 libxml2-dev libxslt1-dev libcurl4-openssl-dev python-software-properties

This fixed the issue for me and PE8 got installed successfully.

Thursday, February 12, 2015

Tomcat and Apache2 with mod_jk on Ubuntu 14.04

I assume that you have Apache2 and Tomcat installed and running on your Ubuntu 14.04 or 12.04 server, and that Tomcat is serving the application at the URL below:
http://localhost:8080/tomcat/apps/

Installing and configuring mod_jk 

sudo apt-get install libapache2-mod-jk

First, let's enable the AJP connector on Tomcat.

Step 1: Configure Tomcat
Stop Tomcat:
sudo /etc/init.d/tomcat stop

Enable the AJP connector on the Tomcat container hosting JIRA (or whichever application you are fronting) by uncommenting the following element in $TOMCAT_HOME/conf/server.xml:

<Connector port="8009" URIEncoding="UTF-8" enableLookups="false" protocol="AJP/1.3" />

Start Tomcat again, then test that the app is accessible on the standard HTTP connector, for example http://appserver:8080. This is to ensure that Tomcat has restarted successfully.

Now we will create our workers.properties file for Apache.

sudo vim /etc/apache2/workers.properties
and paste the lines below into the file:

# Define 1 real worker using ajp13
worker.list=worker1
# Set properties for worker (ajp13)
worker.worker1.type=ajp13
worker.worker1.host=localhost
worker.worker1.port=8009

Now tell Apache to use this worker:

sudo vim /etc/apache2/mods-available/jk.conf

Change the JkWorkersFile property to /etc/apache2/workers.properties:
JkWorkersFile  /etc/apache2/workers.properties
JkLogFile /var/log/apache2/mod_jk.log

Finally, to configure which URLs Apache should pass through to Tomcat, create a new site:

sudo vim /etc/apache2/sites-available/app.conf

and add the following lines to your configuration:
<VirtualHost *:80>
.......................................
.......................................
JkMount /tomcat-demo* worker1
</VirtualHost>

Enable the site by executing the command below (or create the symlink in sites-enabled by hand):
a2ensite app.conf

Now, restart the servers

sudo /etc/init.d/tomcat restart
sudo /etc/init.d/apache2 restart

Testing:

Both URLs should give the same result:
http://localhost/tomcat/apps/
http://localhost:8080/tomcat/apps/
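As an added example, not code from the original post, the script below writes the three configuration pieces edited above into a directory and checks the one thing the post's connector element leaves open: the AJP connector listens on all interfaces unless you add the address attribute, and only the Apache on the same host needs to reach port 8009. The address="127.0.0.1" attribute is a standard Tomcat Connector attribute; the server name and paths are placeholders, and the JkMount pattern is widened to /tomcat/apps/* so that it covers the URL the Testing section checks.

```shell
#!/bin/sh
# Added example, not from the original post. Writes the configuration pieces
# the post edits into a directory and checks that the AJP connector is bound
# to the loopback address. Hostname and paths are placeholders.
set -eu

# write_mod_jk_config DIR
# The connector line is the post's with address="127.0.0.1" added, so that
# port 8009 is not reachable from the network.
write_mod_jk_config() {
    out=$1
    mkdir -p "$out"
    cat > "$out/ajp-connector.xml" <<'EOF'
<Connector port="8009" address="127.0.0.1" URIEncoding="UTF-8" enableLookups="false" protocol="AJP/1.3" />
EOF
    cat > "$out/workers.properties" <<'EOF'
# Define 1 real worker using ajp13
worker.list=worker1
worker.worker1.type=ajp13
worker.worker1.host=localhost
worker.worker1.port=8009
EOF
    cat > "$out/jk.conf" <<'EOF'
JkWorkersFile /etc/apache2/workers.properties
JkLogFile     /var/log/apache2/mod_jk.log
JkLogLevel    info
EOF
    # Mount only the application path; everything else stays with Apache.
    cat > "$out/app.conf" <<'EOF'
<VirtualHost *:80>
    ServerName app.example.com
    JkMount /tomcat/apps/* worker1
</VirtualHost>
EOF
}

# ajp_bound_to_loopback FILE
# Succeeds when every AJP/1.3 connector in FILE carries a loopback address
# attribute and fails when one is left listening on all interfaces. Comments
# are not parsed, so a connector that is still commented out and lacks
# address= is flagged as well; a file with no AJP connector passes.
ajp_bound_to_loopback() {
    ! grep -i 'protocol="AJP/1.3"' "$1" \
        | grep -v -E 'address="(127\.0\.0\.1|::1|localhost)"' \
        | grep -q .
}

if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    write_mod_jk_config "$d"
    ls "$d"
    if ajp_bound_to_loopback "$d/ajp-connector.xml"; then
        echo "AJP connector is bound to loopback"
    else
        echo "AJP connector is reachable from the network"
    fi
    rm -rf "$d"
fi
```

To check a live server run `ajp_bound_to_loopback "$TOMCAT_HOME/conf/server.xml"` after uncommenting the connector in Step 1; with the address attribute in place, `netstat -ltn` should show 8009 bound to 127.0.0.1 rather than 0.0.0.0 once Tomcat restarts.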

mod_jk, mod_proxy_http and mod_proxy_ajp

************************
The Apache Proxy Modules

So far, we have spoken loosely of mod_proxy. However, it's a little more complicated than that. In keeping with Apache's modular architecture, mod_proxy is itself modular, and a typical proxy server will need to enable several modules. Those relevant to proxying and this article include:

mod_proxy: The core module deals with proxy infrastructure and configuration and managing a proxy request.
mod_proxy_http: This handles fetching documents with HTTP and HTTPS.
mod_proxy_ftp: This handles fetching documents with FTP.
mod_proxy_connect: This handles the CONNECT method for secure (SSL) tunneling.
mod_proxy_ajp: This handles the AJP protocol for Tomcat and similar backend servers.
mod_proxy_balancer: implements clustering and load-balancing over multiple backends.
mod_cache, mod_disk_cache, mod_mem_cache: These deal with managing a document cache. To enable caching requires mod_cache and one or both of disk_cache and mem_cache.
mod_proxy_html: This rewrites HTML links into a proxy's address space.
mod_xml2enc: This supports internationalisation (i18n) on behalf of mod_proxy_html and other markup-filtering modules.
mod_headers: This modifies HTTP request and response headers.
mod_deflate: Negotiates compression with clients and backends.
Having mentioned the modules, I'm going to ignore caching for the remainder of this article. You may want to add it if you are concerned about the load on your network or origin servers, but the details are outside the scope of this article. I'm also going to ignore all non-HTTP protocols, and load balancing.
**********************

We can connect Tomcat to Apache with a number of connectors that communicate back and forth, since Tomcat supports a variety of protocols. I will cover the ones most used in production environments:

mod_proxy_http

mod_proxy_ajp

mod_jk

All of the above modules are fine for production use; which one to choose depends on how your current architecture is set up. I rate mod_jk and mod_proxy_http above mod_proxy_ajp.

To decide which one to use, we need to answer some questions, such as:

Do we want encrypted communication between Apache and Tomcat?

Does SSL need to terminate on Apache, with the communication between Apache and Tomcat then unencrypted?

If you are already using mod_jk or mod_proxy_http and it meets all of your requirements, there is no good reason to change it.



If you need to encrypt the communication between Apache and Tomcat, this is significantly easier with mod_proxy_http, where you can just switch from the http to the https protocol.

Where Apache terminates the SSL, provided the SSL attributes are exposed (two simple directives), mod_jk automatically passes this information to Tomcat, and Tomcat makes it available to web applications without any additional configuration. To achieve the same result with mod_proxy_http, Apache must be configured to add the SSL information as HTTP headers, and a Valve must be configured in Tomcat to extract this information and make it available to web applications. Making SSL information available to Tomcat is therefore a little more complicated with mod_proxy_http.

mod_jk and mod_proxy_http also have very different configuration styles. The mod_proxy_http directives are consistent with other Apache directives, whereas mod_jk uses an external properties file.

Pros and cons:

mod_proxy

Pros:
       No need for a separate module compilation and maintenance: mod_proxy, mod_proxy_http, mod_proxy_ajp and mod_proxy_balancer come as part of the standard Apache 2.2+ distribution.
       Ability to use the http, https or AJP protocols, even within the same balancer.
Cons:
       mod_proxy_ajp does not support large (8K+) packet sizes.
       Basic load balancer.
       Does not support Domain model clustering.

mod_jk

Pros:
       Advanced load balancer.
       Advanced node failure detection.
       Support for large AJP packet sizes.
Cons:
       Need to build and maintain a separate module.

My thoughts:

If you need to encrypt the apache to Tomcat channel, use mod_proxy_http

If you need to expose SSL information to your web application, use mod_jk

References: http://www.tomcatexpert.com/blog/2010/06/16/deciding-between-modjk-modproxyhttp-and-modproxyajp