Running Ubuntu 18.04 i ran out of disk space on my main partition. I increased disk space in VMware and needed to expand the partitions from within Ubuntu. Start with scanning for changes on your disk
echo 1 > /sys/class/block/sda/device/rescan
Verify that you can see the new (correct) disk space using:
fdisk -l
Create a new partition using “cfdisk”, navigate to the free space and hit “new”. After that hit Write to make sure the partition table gets written. Close cfdisk and either reboot or rescan to update your partition table. Now it’s time to add the disk space. First, find the new partition number:
fdisk -l
In my case sda3 was created to i’m going to create a new volume on it
pvcreate /dev/sda3
now extent my volume group with the newly added volume:
vgextend ubuntu-dev-box /dev/sda3
Extend the volume with all available (new) disk space:
I often use a ‘hopping server’ when connecting to clients, that means i need to login twice each time. To make my life easier i sometimes use an SSH tunnel so i can connect to clients directly.
SSH Tunnel can also be usefull when your office blocks netflix 😉
Local Port Forwarding
This will allow you to access remote servers direcly from your local computer. Let’s assume you want to use RDP (3389) to a clients hosts (10.0.1.1) and your hopping server is ‘hopping.server’
ssh -L 6000:10.0.1.1:3389 wieger@hopping.server
Now you can open Remote Desktop and connect to ‘localhost:6000’, directing you through the tunnel!
Remote Port Forwarding
This will make your local service/port acccessible from a remote host. Sometimes i use this to keep a ‘backdoor’ and login remotely (home or whatever).
Let’s say you want to make a webapplication (TCP 443) availible at port 6000 on the remote SSH server
Now you should be able to connect to port 6000 on the remote host (bontekoe.technology)
Dynamic Forwarding (Proxy)
This is ideal for people who want to use the internet safely/anonymous or for offices where Netflix is blocked 😉
Use a remote server to tunnel all web traffic (eg. home server), connect through SSH to it using the -D flag
ssh -D 6000 wieger@bontekoe.technology
Now open up your browser settings, navigate to the connection properties and enter a Proxy server (manually using SOCKS). Use 127.0.0.1 as host and 6000 as port. The tunnel will remain open as long as you are connected through SSH.
mod_pagespeed is an open-source Apache module created by Google to help Make the Web Faster by rewriting web pages to reduce latency and bandwidth. mod_pagespeed releases are available as precompiled linux packages or as source. (See Release Notes for information about bugs fixed)
mod_pagespeed has a very simple web-interface to see statistics. If you do not case, skip this step.
nano /etc/apache2/mods-available/pagespeed.conf
Add these lines to it:
<Location /ps_admin>
Order allow,deny
Allow from localhost
Allow from 127.0.0.1
Allow from all
SetHandler ps-admin
</Location>
<Location /ps_global_admin>
Order allow,deny
Allow from localhost
Allow from 127.0.0.1
Allow from all
SetHandler ps_global_admin
</Location>
After restarting apache you can go to http://<your url>/ps_admin
Speedtest-cli is a great tool to test your internet speed using the Speedtest servers, make sure you have Python installed before installing Speedtest-cli.
Using HAProxy to loadbalance between RDS servers is usefull if you have more then one RDS servers and want users to connect to a single IP.
Install Haproxy
sudo apt-get update sudo apt-get install haproxy
Add the RDP VIP (virtual IP) and RDP hosts
defaults clitimeout 1h srvtimeout 1h listen VIP1 193.x.x.x:3389 mode tcp tcp-request inspect-delay 5s tcp-request content accept if RDP_COOKIE persist rdp-cookie balance rdp-cookie option tcpka option tcplog server win2k19-A 192.168.10.5:3389 weight 10 check inter 2000 rise 2 fall 3 server win2k19-B 192.168.10.6:3389 weight 10 check inter 2000 rise 2 fall 3 option redispatch
Now we have HAProxy running on a 193.x.x.x ip address, when you connect to that IP it will direct you to one of the Windows 2019 machines. If one dies, it will remove it and you can reconnect to the last one that is online.
phpipam is an open-source web IP address management application (IPAM). Its goal is to provide light, modern and useful IP address management. It has lots of features and can be integrated with PowerDNS!
mysql_secure_installation Enter current password for root (enter for none): Set root password? [Y/n]: N Remove anonymous users? [Y/n]: Y Disallow root login remotely? [Y/n]: Y Remove test database and access to it? [Y/n]: N Reload privilege tables now? [Y/n]: Y
Create database and user
MariaDB [(none)]> create database phpipam; MariaDB [(none)]> grant all on phpipam.* to phpipam@localhost identified by 'bontekoe123'; MariaDB [(none)]> FLUSH PRIVILEGES; MariaDB [(none)]> EXIT;
Clone it from Github
cd /var/www/html git clone https://github.com/phpipam/phpipam.git /var/www/html/phpipam/ cd /var/www/html/phpipam git checkout 1.3 git submodule update --init --recursive
Edit the config file
cp config.dist.php config.php nano config.php Add your MariaDB database, username and password there.
Either you use the default apache configuration or you can create a virtual host specificly for this. That i leave up to you.
Finish the installer
Go to http://x.x.x.x/phpipam and you will see the wizard, asking you to finish the installation. Follow the easy steps. After that you can login with admin/admin and change the default password.
Create your first subnet
Here you can create your first subnet. If can automaticly help you by discovery, checking hosts status and more.
A browser retrieves many resources from the webserver (css/js, etc). Cache allows websites to store this files in temporary storage to allow faster retrieval next time the file is needed.
mod_expires headers
Using these statements we can inform the browser that it can cache files for a longer period. Make sure mod_headers is enabled in apache.
<ifModule mod_headers.c>
<filesMatch "\.(ico|jpe?g|png|gif|swf)$">
Header set Cache-Control "public"
</filesMatch>
<filesMatch "\.(css)$">
Header set Cache-Control "public"
</filesMatch>
<filesMatch "\.(js)$">
Header set Cache-Control "private"
</filesMatch>
<filesMatch "\.(x?html?|php)$">
Header set Cache-Control "private, must-revalidate"
</filesMatch>
</ifModule>
Turn off ETags
By removing the ETag header, you disable caches and browsers from being able to validate files, so they are forced to rely on your Cache-Control and Expires header.
Compression is implemented by the DEFLATE filter. The following directive will enable compression for documents in the container where it is placed; again, make sure the module is enabled in Apache.
Ansible is not only a great tool for simple tasks (like updating servers) but can be of much help deploying and automating the infrastructure underneath it. Ansible supports building your infrastructure from the ground up.
Ansible is compatible with almost anything, if you can use CLI – you can use Ansible. Out of the box it has lots of plugins for vendors like Cisco, HP/Aruba, Arista, Juniper, Netapp and many more. Want to take it to a higher level? There is also support for VmWare, Xenserver, RHEV and more. Nothing ansible cannot build for you.
Build our network topology with Ansible
I will show you how to build a leaf-spine topology using ansible. If you want to know more about leaf-spine network topology’s please refer to this article. In short; leafs are access switches connected to the spines using layer-3 routing (ospf/bgp).
Ansible Hosts file
In order to manage our entire infrastructure in one place we will create a hosts file with groups (spines, leafs, servers) and children objects (the actual devices). For now i use VyOS as swithes but this can be any Cisco, HP or Juniper switch of course.
In the above example you will see i have two leaf switches that i want to connect to my two spine switches. I grouped them under the two host categories and then created a new categorie “infrastructure” linking them together. With that setup i can run tasks on either a set of leafs or on both spines and leafs together. Don’t forget to create a local ansible.cfg pointing to the hosts file
Let’s start with the easy part, configure all devices to have interfaces in the correct subnet so they can communicate with eachother. Also, i am giving them a loopback address on interface lo used for internal purposes and management. Let’s create the playbook ipaddr.yml
Notice that in this case i am using the hostsgroup ‘infrastructure’ because i want to set these IP adresses on all the switches (leafs and spines). This saves time as i can now do this from only one playbook. So, run it and see if the leaf actually has the correct configuration now.
vyos@leaf01:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface IP Address S/L Description
--------- ---------- --- -----------
eth0 192.168.136.71/28 u/u
eth1 192.168.11.2/30 u/u
eth2 192.168.21.2/30 u/u
lo 127.0.0.1/8 u/u
10.0.0.11/32
::1/128
Looks great! So now i have 2 spines and 2 leaves that can ping eachother and are connected.
vyos@leaf01:~$ ping 192.168.11.1
PING 192.168.11.1 (192.168.11.1) 56(84) bytes of data.
64 bytes from 192.168.11.1: icmp_req=1 ttl=64 time=0.288 ms
64 bytes from 192.168.11.1: icmp_req=2 ttl=64 time=0.305 ms
Automated checking
Ansible is meant to automate stuff, so after applying the interface configuration it would be best to automaticly check if the devices are reachable. Let’s create a task to ping from within the playbook after applying the configuration.
So now we have spines, leaves, everything is connected but we still need Layer3 routing. We can use either BGP or OSPF. In this example i will use ansible to push the OSPF configuration to VyOS and create a new “area 0”. There are two ways to accomplish this, using the CLI or just push the config file itself. I’m going to the easy way, push the file. So i create a template in ansible and save it as ospf_conf.j2;
protocols {
ospf {
area 0 {
{% for dict in interface_data[inventory_hostname] -%}
{% if dict["name"] != "lo" -%}
network {{ dict["ipv4"] | ipaddr("network") }}/{{ dict["ipv4"] | ipaddr("prefix") }}
{% else -%}
network {{ dict["ipv4"] }}
{% endif -%}
{% endfor -%}
}
parameters {
{% for dict in interface_data[inventory_hostname] -%}
{% if dict["name"] == "lo" -%}
router-id {{ dict["ipv4"] | ipaddr("address") }}
{% endif -%}
{% endfor -%}
}
}
}
interfaces {
{% for dict in interface_data[inventory_hostname] -%}
{% if dict["name"] != "lo" -%}
ethernet {{ dict["name"] }} {
ip {
ospf {
network point-to-point
}
}
}
{% endif -%}
{% endfor -%}
}
So what this does is add each range from the interface_data to the ospf networks, and add the ospf parameter to the interface (eth1/2). So add this task to the playbook:
So, run the playbook. After this you will see that each device has a working ospf configuration and the leafs are now redundantly connected to each spine.
vyos@leaf01# show protocols ospf
area 0 {
network 10.0.0.11/32
network 192.168.11.0/30
network 192.168.21.0/30
}
parameters {
router-id 10.0.0.11
}
vyos@leaf01# run show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface RXmtL RqstL DBsmL
10.0.0.1 1 Full/DROther 32.379s 192.168.11.1 eth1:192.168.11.2 0 0 0
10.0.0.2 1 Full/DROther 32.369s 192.168.21.1 eth2:192.168.21.2 0 0 0
vyos@leaf01# traceroute 192.168.12.2
traceroute to 192.168.12.2 (192.168.12.2), 30 hops max, 60 byte packets
1 192.168.11.1 (192.168.11.1) 0.320 ms 0.318 ms 0.313 ms
2 192.168.12.2 (192.168.12.2) 0.557 ms 0.553 ms 0.584 ms
[edit]
vyos@leaf01# traceroute 192.168.22.2
traceroute to 192.168.22.2 (192.168.22.2), 30 hops max, 60 byte packets
1 192.168.21.1 (192.168.21.1) 0.254 ms 0.249 ms 0.245 ms
2 192.168.22.2 (192.168.22.2) 0.503 ms 0.502 ms 0.499 ms
The routing table will show you all 4 ip’s, some directly attached and some using OSPF:
vyos@leaf01.leaf01# run show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP,
O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
F - PBR, f - OpenFabric,
> - selected route, * - FIB route, q - queued route, r - rejected route
S>* 0.0.0.0/0 [210/0] via 192.168.136.65, eth0, 19:18:47
O>* 10.0.0.1/32 [110/10] via 192.168.11.1, eth1, 18:05:55
O>* 10.0.0.2/32 [110/10] via 192.168.21.1, eth2, 17:20:50
O 10.0.0.11/32 [110/0] is directly connected, lo, 18:06:16
C>* 10.0.0.11/32 is directly connected, lo, 18:06:16
O>* 10.0.0.12/32 [110/20] via 192.168.11.1, eth1, 17:20:50
* via 192.168.21.1, eth2, 17:20:50
We did this in less then 5 minutes, remember the time where we had to configure this by hand? Now if i would require a new interface i can edit my playbook, run it and be done in 30 seconds.
Today, I’m going to install the latest Apache2 and PHP7 on an Ubuntu 18.04 server and enable the HTTP/2 protocol. To upgrade an existing Apache system to use HTTP/2, follow these simple instructions:
Ansible Role is a concept that deals with ideas rather than events. Its basically another level of abstraction used to organize playbooks. They provide a skeleton for an independent and reusable collection of variables, tasks, templates, files, and modules which can be automatically loaded into the playbook. Playbooks are a collection of roles. Every role has specific functionality.
For example, to install Nginx, we need to add a package repository, install the package and set up configuration. Roles allow us to create very minimal playbooks that then look to a directory structure to determine the configuration steps they need to perform.
Role directory structure
In order for Ansible to correctly handle roles, we should build a directory structure so that Ansible can find and understand. We can do this by creating a Roles directory in our working directory.
The directory structure for Roles looks like this:
rolename
- files
- handlers
- meta
- templates
- tasks
- vars
A role’s directory structure consists of files, handlers, meta, templates, tasks, and vars. These are the directories that will contain all of the code to implement our configuration. We may not use all of the directories, so in real practice, we may not need to create all of these directories.
Ansible will search for and read any yaml file called roles/nginx/tasks/main.yml automatically. Here is the main.yml file;
As we can see, the file just lists the steps that are to be performed, which makes it reads well.
We also made a change how we references external files in our configuration. Our src lines reference a static_files directory. This is unnecessary if we place all of our static files in the files subdirectory. Ansible will find them automatically.
Now that we have the task portion of the playbook in the tasks/main.yml file, we need to move the handlers section into a file located at handlers/main.yml.
