Managing windows hosts with ansible

Lately I’ve been experimenting with ansible a lot.

Dealing with linux hosts is straightforward enough, and you’ll be able to find all sorts of information with google, but ansible can also deal with windows hosts, and that’s where it gets a bit more interesting.

To be able to manage a windows host with ansible, you have to:

  • create a user account on the machine (or in the windows domain) who has to be a member of the administrators group
  • follow the instructions in the ansible documentation about how to enable winrm
  • make sure you use the right ansible modules, if there are special modules for windows for any given purpose they will start with win_, for example instead of copy: for a windows host you’d use win_copy. Some modules simply do not exist as a win_ version, but the generic unix version does not work on windows, for example the telegram notification module, but that you can safely delegate_to: localhost when you want to use it (unless your management host does not have internet access).
  • set up a group in your inventory for your windows hosts, and add the variables for winrm access as group_vars for that group

Here’s an example for a simple playbook that installs all the latest updates, and reboots the target host if necessary:

---
- name: Install all windows updates
  hosts: all

  tasks:

  - name: install all updates
    win_updates:
      category_names:
        - SecurityUpdates
        - CriticalUpdates
        - UpdateRollups
      state: installed
    register: update_result
    notify:
      - telegram-notify
      - reboot-if-required

  handlers:

  - name: telegram-notify
    telegram:
      msg: "{{ ansible_fqdn }}: updates installed."
      token: "{{ eregion_home_telegram_token }}"
      chat_id: "{{ eregion_home_telegram_chat_id }}"
    delegate_to: localhost

  - name: reboot-if-required
    win_reboot:
    when: update_result.reboot_required and not eregion_home_has_dualboot

You’ll notice that the handler: that reboots the target has a when: condition that uses a variable I haven’t mentioned yet. It’s easy enough: two of the windows hosts I am managing have dual boot setups, by default they reboot to linux. I’m dealing with that by creating TWO host entries in my inventory, the regular one, and one with a different name, and two host_vars:

lemmy@kumiko:~/.ansible/inventory> tail -6 51-hosts
[windows]
kumiko-win
kirika-win
yuzuyu.eregion.home

and

lemmy@kumiko:~/.ansible/inventory> cat host_vars/kumiko-win.yml 
---
ansible_host: kumiko.eregion.home

This works with ansible on the command line and with ansible tower.

Captive portals are even worse than you thought.

I just came across this article about captive portals (these annoying websites that force you to a “accept TOS” page on public wifis) that we all hate so much.

I can only agree with what’s said in there, to 200%, but it’s even worse than that: A captive portal is a real danger to the security of your mobile device.

An attacker could easily setup a microcomputer for 15$ to run as access point, and send out the SSID of a well known public WiFi, and then redirect every client to a version of that WIFI’s captive page that has malicious things built it. It could trick you into giving away your credit card information, social security number, or any other valuable information, or maybe even worse, install backdoors on your device.

Say NO to captive portals.

Seamless openSUSE Leap upgrades made easy

Hi everyone,

 

I’ve started to put my trusted approach to seamless openSUSE upgrades into an easy to use shell script.

The script operates under a few assumptions (yes I know, assume makes an ass out of you and me), but what can you do, except calling them prerequisites:

  • Your system has all the latest updates applied according to your current repository setup (run “zypper patch; zypper dup” until there is nothing left to install)
  • All enabled repositories have priorities set that make it crystal clear which of them are preferred over which in case a package appears in more than one repo
  • All enabled repositories also exist for the target version, and use a repository URL that has that version number in it, and where the version number is the only difference between versions (this should usually be true for repositories from OBS and/or packman, buy YMMV)

If all this is true, running the script will create a backup of your current repository structure under /etc/zypp/repos.d_(current_version), and a repo setup for the target version under /etc/zypp/repos.d_(target_version), and then link the new structure to /etc/zypp/repos.d, and after that it will clean zyppers cache, refresh all repositories, and tell you the commands to execute to actually run the upgrade.

You might want to do those commands inside a screen session. You have been warned.

This script is provided with no warranty at all. Use it at your own risk. If you break things you get to keep the pieces.

If by any chance your root filesystem is on either LVM or btrfs, do a snapshot before you start upgrading your system.

Download the script here: leapup.tar.xz

So far I have used this script on two desktop systems which each use 20++ different repositories from OBS and packman, and no problems (aside from a few glitches in 42.3 that are connected to the nvidia drivers, but not to this upgrade process).

 

Update: in the last 4 days I updated five different machines using my script: my desktop computer which runs with 23 different repositories from OBS, my laptop and my work laptop which both run with 25 repos, my cloud host which runs with 10 repositories and my internal server/firewall which also runs with 10 repositories… no problems so far.

Update: There is now a RPM package for openSUSE Leap 42.3 and 15.0 here: https://software.opensuse.org/package/leapup?search_term=leapup

Is the internet broken?

…or is it maybe being broken by people who think it is broken?

I’m pretty sure a lot of people here in Germany have heard the common complaint about end user internet connections being slow in the afternoon and evening because “everybody is watching netflix now” and similar stuff.

I was voicing the same complaint, over and over. My 400MBit cable link at home would drop down to under 80MBit in the evenings, and in downspikes go as low as TEN megabit/second. So I started measuring regularly with speedtest-cli which measures against the closest speedtest..net server, and the graphs in munin were pretty awful. Every day at around noon the performance would start to drop, and go down to around 50mbit by 11pm, and then after midnight would normalize again.

NOT FUN.

but, here’s the thought: What if it is not actually my internet connection?

What if it’s because everybody thinks their internet connection is bad, and starts hitting the speedtest.net servers so hard that they start to slow down?

… So I switched to measuring against a speedtest.net mini server that I’m hosting myself, and no-one else uses… and guess what. My internet performance still drops in the afternoon and evening, but nowhere as dramatic as before.

Makes you think about self-fulfilling prophecies, or maybe internet speed is related to Schrödingers Cat.

 

Edit: Here are two bandwidth graphs from my connection. The first one’s from when I was measuring against the official speedtest.net servers:

Internet performance by day, measuring against speedtest.net servers
Internet performance by day, measuring against speedtest.net servers

The second one was created the same way, but instead of using a random speedtest.net server for every data point I have been measuring against my own speedtest mini server on my cloud host:

Internet performance by day, measuring against my own server
Internet performance by day, measuring against my own server

 

I just hope that that new test site run by the Bundesnetzagentur has enough power to handle the load without drooping.

And another live upgrade – 13.2 -> Leap 42.1

I upgraded my laptop to Leap 42.1 the other day, using the good old method that I’ve been talking about a few times. Worked without major issues, I just had to manually fix the repository URL in a couple of the repositories I’m using.

Now I’m on 42.1 using Plasma 5, and so far I mostly like it. A few features and settings have gone from parts of the kdepim suite, and there is one weird glitch-error where starting kopete gets me a weird “file: ioslave has been terminated” error, that I’m sure is somehow related to kopete styles. Maybe when I’ll do my desktop I’ll do the upgrade to Leap first, and then the upgrade to the latest plasma5, and not the other way around like on this laptop.

On the whole I’m happy with what I have here.

One little thought just keeps nagging me:

How come that Plasma 5 with the breeze style looks a LOT like Windows 10? …, wait, Windows 10 came after Plasma 5, right?

Edit, 2016-09-14: Turns out I should have done the upgrade to Leap 42.1 first, and THEN the KF5 update. I had some repositories enabled that should not be mixed. Disabled the bad ones, zypper dup -l, all is well.