David Lundgren

Web Developer & Systems Administrator

Ansible “Authentication or permission failure.”

I recently upgraded some servers, and on reboot I ran into the peculiar condition where I received the following warning:

fatal: [user] => Authentication or permission failure. In some cases, you
 may have been able to authenticate and did not have permissions on the remote
 directory. Consider changing the remote temp path in ansible.cfg to a path
 rooted in "/tmp". Failed command was: mkdir -p
 $HOME/.ansible/tmp/ansible-tmp-1401973086.25-185293296215162 && echo
 $HOME/.ansible/tmp/ansible-tmp-1401973086.25-185293296215162, exited with
 result 1

I followed the instructions I found on Changing Ansible Temporary Directory, as it has worked for many others. I had to turn on verbose logging, but I still couldn’t see the issue. After running the command manually I got the following error:

mkdir: cannot create directory '.ansible': Disk quota exceeded

Basically, when I restarted my servers the grpquota and usrquota commands in /etc/fstab took effect. I’m not sure why they were on as we have restarted these servers on other occasions and they were not there. While I have these servers scheduled for a restart, to remove the quotas, and add noatime, I’ve simply turned off the quotas using quotaoff /

Cleaning up Ansible task formatting

I’ve been using Ansible for the last several years, and I’ve used YAML just as long. Yet a lot of playbooks and tasks for Ansible are often horribly formatted. This causes anger within me, so I want to let others know that there is a better way.

“Use the YAML, Ansible Writers”

YAML may not be as expressive as other formats, however, as authors of roles and tasks for Ansible we can do better at formatting so that they are readable.

Example of hard-to-read formatting

---
- name: download file
  get_url: url=https://raw.githubusercontent.com/some/path/some.file dest=/usr/local/share/some.file

- name: update permissions
  file: path=/usr/local/share/some.file mode="0644"

Example of a more readable version of the above.

---
- name: download file
  get_url:
    url: https://raw.githubusercontent.com/some/path/some.file
    dest: /usr/local/share/some.file

- name: update permissions
  file:
    path: /usr/local/share/some.file
    mode: "0644"

It’s easier to change /usr/local/share/some.file into "{{ download_file_dest }}" because you don’t have to parse the entire line and scroll over in your HEAD!

Leaving the LPi Development Team

It’s never easy leaving a great team. The last three years have been full of growth for me, both mentally and professionally. In those years I have been given the chance to integrate Phing as our deployment automation tool, learn more about coffee (thanks Eric!) and begin the path of mentoring without being completely condescending. I’ve worked on projects that handled geo-spatial searching in MySQL [FYI: you want to use this UDF for distance calculations as it is orders of magnitude faster], to those that help manage church websites. Those who know me would have asked why I chose to work at LPi given its religious affiliations; it’s about the code, and the chance to work on stuff that a large group of people will actually use!

I will miss the team, but by embracing the changes in our life we learn to move forward. IT is full of change anyway, staying static means certain death. Some LPi competitors are learning this the hard way, and I still look forward to seeing them either being acquired or leaving LPi’s market.

BlockList.de IP lists with CIDR notation

Several weeks ago one of the servers I manage ended up with a lot of comment spam. After several hours of searching through the logs and correlating the IPs, I found out that a majority of the hosts were listed in the BlockList.de’s bots.txt file. I didn’t want to import ALL the IPs on the list as I noticed that quite a few could be pushed into fewer lines using CIDR notation.

I set out to compress this and ended up with this Gist that can do exactly that.

<?php
require_once "/path/to/BlocklistDe.php";

$botList = new BlocklistDe('bots.txt');
$botList->writeToFile('converted-bots.txt');

This particular server was using Ubuntu, so I pushed the 13k addresses into the iptables configuration. Spam has been cut quite dramatically.
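The compression described above, as an added Python example (not the Gist's PHP code or the author's): it merges only adjacent addresses into exact CIDR blocks, so the result covers the listed hosts and nothing else. The sample list is constructed from documentation ranges, and the function names are illustrative assumptions.

```python
import ipaddress

# Constructed sample input in a one-address-per-line layout; the addresses
# come from the RFC 5737 documentation ranges, not from a real blocklist.
SAMPLE_LIST = """\
# constructed sample, not real blocklist data
192.0.2.0
192.0.2.1
192.0.2.2
192.0.2.3
192.0.2.9
198.51.100.16
198.51.100.17
198.51.100.17
not-an-ip
203.0.113.255
"""


def parse_addresses(text):
    """Return (addresses, rejected_lines); blank and '#' lines are skipped."""
    addresses, rejected = set(), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            addresses.add(ipaddress.ip_address(line))
        except ValueError:
            rejected.append(line)  # report malformed entries, never guess at them
    return addresses, rejected


def collapse_to_cidr(addresses):
    """Merge host addresses into the smallest exact set of CIDR blocks."""
    v4 = [ipaddress.ip_network(str(a)) for a in addresses if a.version == 4]
    v6 = [ipaddress.ip_network(str(a)) for a in addresses if a.version == 6]
    # collapse_addresses() rejects mixed IP versions, so merge each family alone.
    merged = list(ipaddress.collapse_addresses(v4))
    merged += list(ipaddress.collapse_addresses(v6))
    return [str(net) for net in merged]


if __name__ == "__main__":
    addrs, bad = parse_addresses(SAMPLE_LIST)
    for cidr in collapse_to_cidr(addrs):
        print(cidr)
    print(f"skipped {len(bad)} malformed line(s)")
```

Because the merge is exact, a block such as 192.0.2.0/30 appears only when all four of its addresses were on the list; lone hosts stay as /32 entries.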

FreeBSD and sudo defaults

Several weeks ago I started transitioning some Ubuntu VMs to FreeBSD VMs. On previous VMs I was able to use the following command line without any problems:

sudo phing code-update

After switching to FreeBSD I found that sudo, or its “sudo -E” variant, was having problems when running in subshells. Phing svn tasks were asking for passwords that were previously set up to use svn+ssh. Using “sudo svn list svn+ssh://svn.example.com/svn/project” worked but not when phing ran. It turns out there are two environment variables that Ubuntu’s sudo package was preserving: HOME & MAIL. NOTE: Ubuntu 14.04 LTS’s sudo package appears to only preserve HOME.

I created /usr/local/etc/sudoers.d/svnusers:

Defaults env_reset
Defaults env_keep+="HOME"

This made FreeBSD’s sudo work as it had on Ubuntu. A day’s worth of investigation to solve the riddle but it works as I would expect it to.

Unix::ServiceConfig released

In 2004 I started working with multiple FreeBSD servers for multiple clients that needed to be administered by non-admin users. I know you are saying “you idiot” and “why would a non-admin user need to administer the server?” I was hired as a consultant and they wanted to be able to add users, web hosts, databases and DNS entries more easily than remembering all the little things that were needed. I didn’t trust Webmin at the time due to being hacked several times prior. In response I wrote Unix::ServiceConfig which I hooked up to a Perl script as a way to help me with allowing the non-admin users to more easily manage the server.

It worked really well at its job, and the users were happy. I haven’t updated the code since 2008, and it is primarily FreeBSD-centric. But I figured it is better to release it now than to never release it. It is under the MIT license.