
Pulling information from puppet stored config DB, part 2

In my previous post, I started exploring how to pull information from a puppet stored config DB to use in capistrano, inspired by joe-mac's post.

Well, it seems that the query I used was overly complex. Here's the simplified version:

select h.name
from hosts h
join resources r on h.id = r.host_id
where r.restype = 'Class'
and r.title = 'site::profile::dnscache::local'
order by h.name;

Having established this, I then modified joe-mac's ruby script to look up based on Class rather than facts. Here's the modified script:

#!/usr/bin/env ruby

require 'getoptlong'
require 'puppet'
require 'rdoc/usage'

ActiveRecord::Base.establish_connection(
   :adapter  => 'mysql',
   :database => 'puppet',
   :host     => 'localhost',
   :password => 'secret',
   :username => 'puppet'
)

class Hosts < Puppet::Rails::Host; end

opts = GetoptLong.new(
   [ '--class',    '-c', GetoptLong::REQUIRED_ARGUMENT],
   [ '--help',     '-h', GetoptLong::NO_ARGUMENT ],
   [ '--print',    '-p', GetoptLong::REQUIRED_ARGUMENT]
       )

printtype = "name"
opt_hash = Hash.new()
opts.each do |opt, arg|
   case opt
      when '--class'
         opt_hash['class'] = arg
      when '--help'
         RDoc::usage
      when '--print'
         printtype = arg
   end
end

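# Only allow --print to name a column of the hosts table; passing an
# arbitrary string to send() would let the caller invoke any method.
unless Hosts.column_names.include?(printtype)
   abort "--print must be one of: #{Hosts.column_names.join(', ')}"
end

# Bind the class name as a parameter instead of interpolating it into the SQL.
conditions = [ "resources.restype = 'Class' AND resources.title = ?",
               opt_hash['class'] ]

puts Hosts.find(:all,
                :include    => [ :resources ],
                :conditions => conditions
               ).map { |host| host.send(printtype) }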

Next step: build this into my capistrano configuration as per joe-mac's example.

 


Pulling information from puppet stored config DB

I recently enabled stored configs for my puppet installation. My primary aim for doing this was to use the collected information to dynamically generate lists of nodes to use with capistrano based on joe-mac's recent blog post.

The concept is simple, but very powerful: run a query on the puppet stored config database to return a list of host names matching some criteria. In my case, I just need a list of hosts that have a specific puppet class applied. So, without further ado, here's the SQL needed to produce just such a list:

select h.name
from hosts h
join resources r on h.id = r.host_id
join resource_tags rt on r.id = rt.resource_id
join puppet_tags pt on rt.puppet_tag_id = pt.id
where pt.name = 'class'
and r.restype = 'Class'
and r.title = 'site::service::dnscache::local'
order by h.name;

This example returns a list of nodes that have a local dnscache service.

To find all nodes running a mysql service I use the same query, replacing the class with site::service::mysql.

I can also modify the query slightly to find all nodes that have apache installed:

select h.name
from hosts h
join resources r on h.id = r.host_id
join resource_tags rt on r.id = rt.resource_id
join puppet_tags pt on rt.puppet_tag_id = pt.id
where pt.name = 'class'
and r.restype = 'Package'
and r.title = 'httpd'
order by h.name;

However, be aware that this does not actually tell me all nodes that have apache installed; it tells me all nodes that have the httpd package included in their puppet definitions. For example, on my LVS master node, I include the piranha package, which pulls in httpd and php as dependencies. The above query doesn't return the name of my LVS master node.

More to follow...


Finding running processes - use the right tool for the job!

So, you want a list of sshd processes you have running? Chances are, most people would do this:

# ps -ef | grep sshd
root      3223     1  0 Sep18 ?        00:00:00 /usr/sbin/sshd
root      9771  3223  0 17:27 ?        00:00:00 sshd: root@pts/2 
root      9837  9773  0 17:28 pts/2    00:00:00 grep sshd

You might even be clever enough to lose the grep process by doing something like:

# ps -ef | grep '[s]shd'
root      3223     1  0 Sep18 ?        00:00:00 /usr/sbin/sshd
root      9771  3223  0 17:27 ?        00:00:00 sshd: root@pts/2

Suppose you're only interested in child processes, i.e. you want to ignore the /usr/sbin/sshd process spawned by init. Hmmm, gets a bit tricky... Something like this should do it:

# ps -ef | grep '[s]shd' | grep @pts
root      9771  3223  0 17:27 ?        00:00:00 sshd: root@pts/2

Now, let's reduce that to a list of process IDs so we can send a signal to them:

# ps -ef | grep '[s]shd' | grep @pts | awk '{print $2}'
9771

But, this is all getting a bit long-winded. You're using the wrong tool for the job. Enter: pgrep

# pgrep -f sshd:
9771

What if you want a full process listing? Simple: pass the list of process IDs from pgrep to ps:

# ps -fp $(pgrep -d, -f sshd:)
UID        PID  PPID  C STIME TTY          TIME CMD
root      9771  3223  0 17:27 ?        00:00:00 sshd: root@pts/2

For the full process listing it's arguable which is the best approach, but that's sort of the point I'm making. You can use either approach depending on the job in hand.


Adding MIBs to net-snmp

In a previous article I showed where to find SNMP MIBs for a Fortinet Fortigate firewall device. Here's how to add a new MIB to net-snmp so the toolset can use it.

First, download the MIB files and copy them to /usr/share/snmp/mibs.

Look at the top of the file for a line like: YOUR-MIB-NAME DEFINITIONS ::= BEGIN

"YOUR-MIB-NAME" is the name of the MIB.

Edit /etc/snmp/snmp.conf (or /etc/snmp/snmp.local.conf) and add the line:

mibs +YOUR-MIB-NAME

Full details on the net-snmp site:

http://www.net-snmp.org/wiki/index.php/TUT:Using_and_loading_MIBS


Fortinet SNMP MIBs

I'm monitoring a Fortinet Fortigate 310B firewall device with OpenNMS and needed the appropriate MIBs.

I found them here: ftp://support.fortinet.com/FortiGate/

Click your FortiOS version (v4.00 in my case) then the MIBS directory.

The full path is: ftp://support.fortinet.com/FortiGate/v4.00/MIBS/

Now all I need to do is get snmpwalk to use them!


Better console on Windows XP

Despite using a Linux/Unix desktop most of the time, I still have a Windows laptop on which I can test some of my cross-platform tools (Net-UDAP, flac2mp3, etc.). I generally use cygwin as I'm more familiar with the unix-flavour command-line. However, the default cygwin shell is pretty poor as it runs inside the windows cmd shell.

I have tried a couple of ways to overcome this but I think I've just stumbled across the perfect solution: console. Basically, you set cygwin.bat as the default shell for console and... voila! Details here.


perl 6 say function on perl 5

Perl6 has a few "nice" features that just make life that little bit easier. One of them is the "say" function - basically, "print" with a newline.

However, this is also available in perl 5.10 with "use feature 'say'" and in perl 5.8 with "use Perl6::Say".

Here's how to load the right version depending on what version of perl your code is running on:


python code to manipulate ini-style config files

I wanted to be able to enable/disable yum repo files from a kickstart script. They are in "ini" file format, e.g.:

[epel]
name=Extra Packages for Enterprise Linux 5 - $basearch
#baseurl=http://download.fedoraproject.org/pub/epel/5/$basearch
mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=epel-5&arch=$basearch
failovermethod=priority
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
priority=0

I have written some perl code to do this that uses the Config::IniFiles module. But, this is not included in perl core and so would require installation before it could be used.

python includes ini-style file manipulation with the ConfigParser module, so I've written a python script to use it.

Sample usage:

initool --file /etc/yum.repos.d/epel.repo --section epel --option enabled=0
initool --file /etc/yum.repos.d/epel.repo --section epel --del priority

Here's the code:
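An added example, not the author's initool script: one way to make the two edits shown under "Sample usage" with the standard-library configparser module (the Python 3 name for ConfigParser). The function names and the sample file are constructed for illustration.

```python
import configparser
import os
import tempfile

# Constructed sample modelled on the epel.repo excerpt above.
SAMPLE = """[epel]
name=Extra Packages for Enterprise Linux 5 - $basearch
#baseurl=http://download.fedoraproject.org/pub/epel/5/$basearch
enabled=1
gpgcheck=1
priority=0
"""

def edit_ini(path, section, set_opts=None, del_opts=()):
    """Set and/or delete options in one section, rewriting the file in place."""
    # interpolation=None keeps values such as $basearch (or a literal %)
    # verbatim; optionxform=str keeps option names case-sensitive.
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    with open(path) as fh:
        cp.read_file(fh)
    if not cp.has_section(section):
        raise KeyError("no section [%s] in %s" % (section, path))
    for name, value in (set_opts or {}).items():
        cp.set(section, name, value)
    for name in del_opts:
        cp.remove_option(section, name)
    # Write a temp file beside the original and rename it into place, so an
    # interrupted run never leaves a truncated repo file behind.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w") as out:
        cp.write(out, space_around_delimiters=False)
    os.chmod(tmp, os.stat(path).st_mode & 0o777)  # mkstemp creates 0600
    os.replace(tmp, path)
    return dict(cp.items(section))

def demo():
    """Mirror the two sample invocations against a temporary copy."""
    path = os.path.join(tempfile.mkdtemp(), "epel.repo")
    with open(path, "w") as fh:
        fh.write(SAMPLE)
    edit_ini(path, "epel", set_opts={"enabled": "0"})
    result = edit_ini(path, "epel", del_opts=["priority"])
    with open(path) as fh:
        return result, fh.read()

if __name__ == "__main__":
    print(demo()[1])
```

configparser does not preserve comments, so the #baseurl line is dropped when the file is rewritten.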


SELinux rules required for MySQL clustering

The SELinux rules required for MySQL clustering to work on FC4 are as follows:

allow mysqld_t port_t:tcp_socket name_connect;
allow mysqld_t var_lib_t:file append;
allow mysqld_t var_lib_t:sock_file create;
allow mysqld_t var_lib_t:file read;
allow mysqld_t var_lib_t:sock_file unlink;
allow mysqld_t var_lib_t:file { getattr write };

See Making an application work with SELinux for details of how to determine which rules are required to get an application to work with SELinux and how to apply them.
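An added example, not part of the original post: a sketch of how AVC denials in the audit log map to rules of the form listed above, in the manner of audit2allow. The audit lines are constructed for illustration and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed audit.log lines (not taken from the original post).
SAMPLE_AVC = """\
type=AVC msg=audit(1127052001.101:11): avc:  denied  { name_connect } for  pid=2345 comm="mysqld" dest=1186 scontext=root:system_r:mysqld_t tcontext=system_u:object_r:port_t tclass=tcp_socket
type=AVC msg=audit(1127052001.204:12): avc:  denied  { getattr } for  pid=2345 comm="mysqld" name="cluster.log" scontext=root:system_r:mysqld_t tcontext=root:object_r:var_lib_t tclass=file
type=AVC msg=audit(1127052001.305:13): avc:  denied  { write } for  pid=2345 comm="mysqld" name="cluster.log" scontext=root:system_r:mysqld_t tcontext=root:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1127052002.010:14): avc:  granted  { read } for  pid=2345 comm="mysqld" scontext=root:system_r:mysqld_t tcontext=root:object_r:var_lib_t tclass=file
type=SYSCALL msg=audit(1127052002.010:14): arch=40000003 syscall=5 success=no
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)')


def _type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def rules_from_avc(log_text):
    """Merge denied permissions per (source type, target type, class)."""
    perms = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # granted decisions and non-AVC records are skipped
        key = (_type(m.group("s")), _type(m.group("t")), m.group("cls"))
        perms[key].update(m.group("perms").split())
    rules = []
    for (src, tgt, cls), granted in sorted(perms.items()):
        names = sorted(granted)
        body = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append("allow %s %s:%s %s;" % (src, tgt, cls, body))
    return rules


if __name__ == "__main__":
    print("\n".join(rules_from_avc(SAMPLE_AVC)))
```

Rules whose target is a generic type such as port_t or var_lib_t apply to everything carrying that label, so review generated rules before loading them.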


Making an application work with SELinux

When you add a new service to an SELinux-enabled server, it may fail to work due to the local Linux policy.

This document describes how to add the necessary rules to the local policy to allow the service to work.

The example used is getting MySQL clustering to work on an FC4 server.
