Using Mac keychain to store and retrieve Ansible vault passwords


When using Ansible for my home lab, an initial problem was how to keep the sudo passwords for my various machines in a practical manner (I really don't like the idea of password-less sudo, even in my home lab).

The remote users for my Ansible logins differ from machine to machine and can be managed via the inventory file. But their sudo passwords differ too, and it is pretty annoying to type them in while running ansible on the command line.

I decided to find a way to make this a little less annoying.

Installing a specific version of a Homebrew Formula


From time to time I have felt the need to install a specific version of a Homebrew formula. The other day, for instance, I was investigating whether a problem I was facing with Podman was caused by its version bump from 2.x to 3.x.

At some point in the past, a way around this was to find the formula file at a particular commit of the Homebrew tap and install it directly via brew install $URL.

That is no longer supported, for good reason, but the tip provided in its place is pretty terse.

I thought I would just jot down the steps I took to do this the recommended way.

Using Podman as a Docker Desktop alternative using Vagrant


So the tech world went a little crazy today, as usual ignoring more consequential problems happening in the world. Docker posted a notice saying that its Mac and Windows desktop clients will no longer be free for anybody other than individuals and small companies.

Here is The Register:

Docker will restrict use of the free version of its Docker Desktop utility to individuals or small businesses, and has introduced a new more expensive subscription, as it searches for a sustainable business model.

The company has renamed its Free plan to “Personal” and now requires that businesses with 250 or more employees, or higher than $10m in annual revenue, must use a paid subscription if they require Docker Desktop.

This gave me an excuse to try out something which I had been meaning to do for a while - use Podman as a replacement for Docker desktop on my Mac.

Notes on the httprouter Golang library

For simple to moderately complex web servers in Go, I have always preferred the standard net/http library, laboring through the parsing of request paths and query parameters when necessary.

But when the boilerplate for request parsing starts obscuring the business logic, I tend to look at other libraries. I have, however, always hesitated to use too heavy a framework, in order to keep dependencies simple.

For HTTP routing, for example, I have found httprouter to fill most of the gaps in the standard library that I have run into, and the library itself has no dependencies at all!

Here are some really quick notes about using the library, mostly for my own reference. 😄

Automating MySQL GTID Migration With Ansible

MySQL 5.6 introduced GTID-based replication, drastically simplifying replication setup and making it more reliable. New 5.6+ clusters are typically set up with GTID enabled from the start.

But if you are one of those people who migrated from a pre-5.6 MySQL version, you probably avoided enabling GTID to make the upgrade easier. In that situation you would typically upgrade the slaves to the new MySQL version and then fail the master over to an upgraded slave. This lets you do an online upgrade of a MySQL cluster from pre-5.6 to 5.6+, but you cannot do it with GTID enabled.

I recently needed to move a number of such MySQL 5.7 clusters, still using the old binlog-position-based replication, to a GTID-based replication setup.

There is a pretty good official document on how to do this manually, which you should definitely read before attempting it. But doing it by hand on a bunch of servers is a pain.

I captured all the steps in that document into an Ansible playbook to automate the whole process. It also includes a step missing from the official document: actually flipping the ongoing replication over to the GTID protocol.

The playbook source is here, with step-by-step documentation here.

Creating a Certificate Authority in 2020 for Your Soho

I have a couple of systems at home that provide web services, like my Intel NUC and my Synology NAS, and I have wanted for a while to move all of them to a proper https-only environment.

But my biggest hurdle has been the enormous pain of managing certificates in a way that keeps everybody happy: the servers, the browsers and the local http clients. In my previous attempts it was always the browsers that annoyed me to no end, and I ended up getting by with improperly made self-signed certificates and clicking through all the invalid-certificate warnings my browser threw up.

So this Friday night I spent my late hours trying to get to the bottom of it all, and several frustrating hours later, finally made everybody happy.
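As an added example, not code from the original post, here is the shape of a local CA that keeps a TLS client happy, written with Go's standard crypto/x509: a self-signed root with the CA basic constraint, a server certificate signed by it that carries its host names in the subjectAltName extension, and a verification done the way a TLS client does it (chain to the root, server-auth usage, host name present in the SANs). The CA name and the host names nas.home.arpa and nuc.home.arpa are assumptions for illustration; everything is generated in memory rather than written to disk.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PKI holds a freshly generated root CA and one server certificate signed by
// it. Everything lives in memory for the example (assumed setup); a real
// deployment keeps the CA key offline and writes the certificates out as PEM.
type PKI struct {
	CA   *x509.Certificate
	Leaf *x509.Certificate
}

// NewLocalPKI builds a self-signed CA and a server certificate for dnsNames.
// The names go into the subjectAltName extension, which is what browsers and
// Go clients actually match against; a Common Name alone is not enough.
func NewLocalPKI(dnsNames []string) (*PKI, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Home Lab Root CA"}, // assumed name
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}

	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: dnsNames[0]},
		DNSNames:     dnsNames, // the SAN entries clients check
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.AddDate(1, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	leafCert, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, err
	}
	return &PKI{CA: caCert, Leaf: leafCert}, nil
}

// VerifyFor checks the server certificate the way a TLS client does: it must
// chain to the CA, be valid for server authentication, and list host in its
// SANs. A host that is not listed is rejected even though the chain is fine.
func (p *PKI) VerifyFor(host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(p.CA)
	_, err := p.Leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	pki, err := NewLocalPKI([]string{"nas.home.arpa", "nuc.home.arpa"}) // assumed host names
	if err != nil {
		panic(err)
	}
	fmt.Println("nas.home.arpa:", pki.VerifyFor("nas.home.arpa"))     // <nil>
	fmt.Println("other.home.arpa:", pki.VerifyFor("other.home.arpa")) // hostname mismatch error
}
```

The second call in main is the failure mode worth seeing: the chain is perfectly valid, but verification still fails because the requested host is not among the certificate's SANs. That is the check browsers enforce, so a certificate that only sets a Common Name is rejected no matter how carefully its CA is trusted.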

Open Every Link in a Web Page In a New Tab

Found this nifty trick in a GitHub comment.

If you add this tag to the <head> section of an HTML5 page, every link on the page will open in a new tab when clicked.

<base target="_blank">

This tag is mostly used to set the base URL against which all relative links on the page are resolved, but it also takes a target attribute that sets the default browsing target for links (and form submissions).

You can, of course, still override the target attribute on a link-by-link basis. One caveat: a page opened via target="_blank" gets a window.opener reference back to yours unless the browser treats _blank as implying rel="noopener" (current browsers do). Since <base> has no rel attribute, add rel="noopener" on the links themselves if you need to cover older browsers.

Ansible privilege escalation with expect when you don't have root shell privileges

The default Ansible privilege escalation mechanism requires broad sudo privileges. If your production environment gives you sudo access but bars you from a root shell, you are out of luck; as the docs say, you cannot expect Ansible to work when sudo commands are restricted:

Privilege escalation permissions have to be general. Ansible does not always use a specific command to do something but runs modules (code) from a temporary file name which changes every time. If you have /sbin/service or /bin/chmod as the allowed commands, this will fail with Ansible, as those paths won't match the temporary file that Ansible creates to run the module.

Integer maths in Go using constants with exponential notation

I seem to learn more about the nuances of the Go language every other day. Some time back, I had looked at how Go's untyped constants behave in arithmetic with typed variables. I just found another significant part of the spec that I had previously glossed over, also about untyped constants: numeric constants in Go live in a unified space with arbitrary precision and a fungible numeric type.
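As an added example (not from the original post), the following Go program illustrates that spec point: a constant written in exponential notation is not a float but an exact value, so 1e9 can be used directly as an int, and constant arithmetic is folded at arbitrary precision, with overflow caught at compile time rather than wrapping at run time. The constant names and sample values are my own.

```go
package main

import "fmt"

// 1e9 looks like a float literal but is an untyped constant whose value is
// exactly 1000000000, so it can be used wherever an int is expected.
const Gigabyte = 1e9

// Constant arithmetic is arbitrary precision: 1<<100 fits no Go integer type,
// yet the constant is legal because only the final value that lands in a
// variable has to be representable.
const Huge = 1 << 100

// BytesToGigabytes does integer division with the untyped constant; Gigabyte
// takes the type int64 from the other operand, no conversion needed.
func BytesToGigabytes(n int64) int64 {
	return n / Gigabyte
}

// ShiftedDown folds Huge >> 98 at compile time to 4, which fits an int, so
// this compiles although Huge alone could never be stored in a variable.
func ShiftedDown() int {
	return Huge >> 98
}

// TwoPointFiveK shows that a fractional-looking literal is still usable as an
// integer constant if its value is integral: 2.5e3 is exactly 2500.
func TwoPointFiveK() int {
	return 2.5e3
}

// Because constants are exact, a value that does not fit its destination is
// rejected by the compiler instead of silently wrapping at run time:
// var tooBig int32 = 1e10   // compile error: constant 10000000000 overflows int32
// var frac int = 1.5e0      // compile error: constant 1.5 truncated to integer
// f := 1e9; var i int = f   // compile error: f is a float64 variable, not a constant

func main() {
	var gb int = Gigabyte // fine: exact integer value
	fmt.Println(gb, BytesToGigabytes(5_000_000_000), ShiftedDown(), TwoPointFiveK())
	// prints: 1000000000 5 4 2500
}
```

The commented-out lines are the other half of the rule: the moment 1e9 is stored in a variable it becomes a float64 and loses its fungibility, and any constant that cannot be represented exactly in the target type is a compile-time error, not a runtime surprise.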

Runit, Chpst and ulimit defaults

So I ran into this problem at work today, with a runit-based service breaching its open-files limit.

My first thought was to increase the system ulimit for nofile in /etc/security/limits.conf. I changed it from 30k to about 60k. But strangely, the service kept dying.