Bootstrapping Cloud Instances into Ansible
A while ago, I wrote an article about bootstrapping servers into Ansible—in other words, how to prepare servers to be managed via Ansible. In order for a server to be managed via Ansible, you usually must first create a user account for Ansible, populate the appropriate SSH keys, and grant the new Ansible user sudo permissions. The process I described in my earlier blog post works great for manually-built servers (physical or virtual), but I recently needed to revisit this process for cloud instances. Was it possible to use the process I’d found to bootstrap cloud instances into Ansible?
Cloud instances are a slightly different beast than manually-built servers primarily because password authentication isn’t an option—generally speaking, you’re required to use SSH keys when working with cloud instances. Ansible is SSH-based, as you probably already know, so this shouldn’t be an issue, but it was still something I hadn’t tested or verified. After a bit of testing, I found the bootstrap process I described in my earlier post can be easily adapted for cloud instances.
For reference, here’s the command I use when bootstrapping manually-built servers into Ansible:
ansible-playbook bootstrap.yml -k -K --extra-vars
"hosts=newhost.domain.com user=admin"
Using an SSH Bastion Host
Secure Shell, or SSH, is something of a “Swiss Army knife” when it comes to administering and managing Linux (and other UNIX-like) workloads. In this post, I’m going to explore a very specific use of SSH: the SSH bastion host. In this sort of arrangement, SSH traffic to servers that are not directly accessible via SSH is instead directed through a bastion host, which proxies the connection between the SSH client and the remote servers.
At first, it may sound like the use of an SSH bastion host is a pretty specialized use case. In reality, though, I believe this is a design pattern that can actually be useful in a variety of situations. I plan to explore the use cases for an SSH bastion host in a future blog post.
This diagram illustrates the concept of using an SSH bastion host to provide access to Linux instances running inside some sort of cloud network (like an OpenStack Neutron tenant network or an AWS VPC):
Let’s take a closer look at the nuts and bolts of actually setting up an SSH bastion host.
First, you’ll want to ensure you have public key authentication properly configured, both on the bastion host Continue reading
DockerCon EU 2015: Catch Up on All of the Day 2 News!
We cannot contain our excitement about DockerCon EU 2015! With over 1500 attendees, 80 speakers and 60 sponsors, these past few days were packed with great Docker content from the global Docker community – don’t worry, we’ll post all of the slides and videos … ContinuedMoby’s Cool Hacks from DockerCon EU 2015: Container Migration Tool
Back in September, one of the winning teams from Docker Global Hack Day stood out for us. The Container Migration team, drawing inspiration from a DockerCon team that migrated a Quake 3 container around the world, showed migrating a container … ContinuedTOWER 2.4 NOW AVAILABLE
We’re happy to announce the release of Ansible Tower 2.4. In this release, we’ve focused on some core improvements for our customers operating in spaces like government and security who have specific needs around authentication and tracking, but we expect these features will be useful to much of our general user base as well.
OAUTH, VIA GITHUB AND GOOGLE
No one wants to manage their users in multiple places, and many groups today use external providers for handling their identity and authentication. We’ve added support for pulling users and teams from either GitHub or Google Apps, using OAuth2. With this, you don’t need to add users directly to Tower - they can use the accounts they already have and are using in your organization.
ADDITIONAL ENTERPRISE AUTHENTICATION
Previously, for Enterprise users who have a standard corporate infrastructure Tower has included support for connecting to an LDAP or Active Directory server for user and team information. But not everyone exposes their LDAP for use with all internal services. With Tower 2.4, we’ve extended that enterprise authentication support to also include support for authenticating to a SAML 2.0 identity provider, and to authenticate against a RADIUS server. With this, Continue reading
A New UI for Docker? Visualizing Container Management with Minecraft
written by Adrien Duermael, Software Engineer at Docker, Inc. and Gaëtan de Villèle, Software Engineer at Docker, Inc. Since at least 1999, system administrators have been looking for ways to make Ops a more visual, exciting environment. As recently as … ContinuedDockerCon EU 2015: Watch the Day 1 General Session
Day 1 of DockerCon EU 2015 was awesome! The day started with an action-packed general session including exciting Docker announcements with live demos (the demo gods were pleased!) and attendees hacking hardware using Docker and littleBits. Watch the video of the … ContinuedDockerCon EU 2015: Docker Trusted Registry 1.4 with Integrated Content Trust and Universal Control Plane
What an exciting Second Day! Just when you thought you couldn’t get enough of Docker, Docker, Docker…we’ve added more! In today’s keynote, we talked about some amazing products – from Project Nautilus, the new image scanning and vulnerability detection service … ContinuedDocker Subscription on AWS Now Available in Europe
Docker Trusted Registry and Docker Engine with Business Day Support are now available in Amazon Web Services (AWS) European regions allowing customers to build, ship and run distributed applications. Announced today at DockerCon Europe, Docker Subscription for AWS has expanded … ContinuedTechnology Short Take #56
Welcome to Technology Short Take #56! In this post, I’ve collected a few links on various data center technologies, news, events, and trends. I hope you find something useful here.
Networking
- Open Virtual Network (OVN) is really ramping up and getting lots of attention, which I personally think is absolutely well-deserved. Russell Bryant has a couple great articles on OVN—how to test OVN’s “EZ Bake” release with DevStack as well as an article on implementing OpenStack security groups using OVN ACLs (which in turn leverage the integration between Open vSwitch and the Linux kernel’s conntrack module). Gal Sagie has a write-up on integration between Kuryr and OVN (Kuryr is another topic that is really interesting).
- Here’s an article on using PHP to query NSX API via REST (specifically, working with syslog settings on NSX Manager).
- Speaking of Gal Sagie and OVN, Gal has a post describing a concept for something called “Topology Service Injection” and some proposals for implementing this in OVN. (Gal and Liran Schour from IBM are slated to do a talk on this at the OVS conference this week.)
- One new networking feature added to OpenStack in the Kilo release was Neutron subnet pools. Carl Continue reading
DockerCon EU 2015: Catch Up on All of the Day 1 News!
¡Que día mas increíble! With over 1500 attendees at DockerCon EU 2015, today was an awesome day of Docker learning, meeting the global Docker community, and more! Don’t miss tomorrow’s Docker news by watching the livestream of each general session. Below are some of … ContinuedScale Testing Docker Swarm to 30,000 Containers
1,000 nodes, 30,000 containers, 1 Swarm manager Swarm is the easiest way to run Docker app in production. It lets you take an an app that you’ve built in development and deploy it across a cluster of servers. Recently we … ContinuedDocker Content Trust Gets Hardware Signing
Three months ago we launched Docker Content Trust, integrating the guarantees from The Update Framework (TUF) into Docker using Notary, an open source tool that provides trust over any content. Today we’re incredibly excited to announce the support of hardware … ContinuedGetting Started with Docker Toolbox and Compose
Today at DockerCon EU 2015, I ran through a demo of running and developing an app from a fresh computer using Docker Toolbox and Compose. This was to show how easy it is for new developers to get started when … ContinuedDocker Online Meetups #28 and #29: Production-Ready Docker Swarm and Docker Networking is Now GA
This week, we hosted two Docker Online Meetups. The first on Wednesday featured Alexander Beslic presenting on production-ready Swarm. For the second one on Thursday, Madhu Venugopal discussed the recently-GA Docker Networking. Below are the recorded videos and slides from … ContinuedA Handy GUI Tool for Working with APIs
In this post I’m going to share with you an OS X graphical application I found that makes it easier to work with RESTful APIs. The topic of RESTful APIs has come up here before (see this post on using cURL to interact with RESTful APIs), and RESTful APIs have been a key part of a number of other posts (like my recent post on using jq to work with JSON). Unlike these previous posts—which were kind of geeky and focused on the command line—this time around I’m going to show you an application called Paw, which provides a graphic interface for working with APIs.
Before I start talking about Paw, allow me to first explain why I’m talking about working with APIs using this application. I firmly believe that the future of “infrastructure engineers”—that is, folks who today are focused on managing servers, hypervisors, VM, storage, networks, and firewalls—lies in becoming the “full-stack engineer,” someone who has knowledge and skills across multiple areas, including automation/orchestration. In order to gain those skills in automation/orchestration, it’s pretty likely that you’re going to end up having to work with APIs. Hence, why I’m talking about this stuff, and why Continue reading
Announcing Docker Trusted Registry 1.4 – New User Interface, Integrated Content Trust and Support for Docker Engine 1.9
The Docker Trusted Registry is a commercial registry service that you can run on-premise or in your virtual private cloud (VPC) to store and manage your Docker images. Trusted Registry is available in conjunction with a commercially supported Docker Engine … ContinuedBusyCal and Textual
I wanted to call out a couple of software packages whose vendors I’ve worked with recently that I felt had really good customer service. The software packages are BusyCal (from BusyCal, LLC) and Textual (from Codeux Software, LLC).
As many of you know, the Mac App Store (MAS) recently suffered an issue due to an expired security certificate, and this caused many MAS apps to have to be re-downloaded or, in limited cases, to stop working (I’m looking at you, Tweetbot 1.6.2). This incident just underscored an uncomfortable feeling I’ve had for a while about using MAS apps (for a variety of reasons that I won’t discuss here because that isn’t the focus of this post). I’d already started focusing on purchasing new software licenses outside of the MAS, but I still had (and have) a number of MAS apps on my Macs.
As a result of this security certificate snafu, I started looking for ways to migrate from MAS apps to non-MAS apps, and BusyCal (a OS X Calendar replacement) and Textual (an IRC client) were two apps that I really wanted to continue to use but were MAS apps. The alternatives were dismal, at best.
Watch the General Sessions at DockerCon EU 2015 Live!
With less than 4 days before DockerCon Europe 2015, Moby Dock and a good part of the Docker team are getting ready to swim across the ocean and land in Barcelona for 2 days of DockerCon madness. For those of you would can’t … ContinuedIPv6 and SSL for Yandy.IO
Thanks to Digitalocean the site is now fully IPv6 capable. Also, thanks to the awesome service at Cloudflare, just because I can, Yandy.IO is also now SSL encrypted. Your browser should redirect to...[[ Summary content only, you can read everything now, just visit the site for full story ]]