
@bpluly
bpluly / gist:7777c72211bf0002a1ade54a88e31bc3
Last active October 31, 2023 16:20
Using rsync from Fabric2/Patchwork/Paramiko on AWS EIC connections to update certificates on HAProxy

Further adventures in EIC land. I use Fabric2 for all the distribution of code and as much Opswork as I can. That includes updating certs. The certs are all managed from my local machine and then distributed. I use rsync to move the certificate trees (all LetsEncrypt). Before using EIC this was simple: the same ssh config could be used, but it had to be repeated for the Patchwork rsync, as it makes its own connection even though there's an existing connection to the host. The ssh_opts for EIC mean you have to inject the InstanceId for each host; the Paramiko Connection object might have it, but I failed to find it spelunking. It relies on the ssh_opts parameter to fill the rsync options.

Using the EC2 API DescribeInstances gets the InstanceId along with everything else about the instance, and using the Private DNS for the host filters the API response. To get the Private DNS from my ssh config I use the Connection object, which has the updated host string, converting Hostname to the Host which is either an IP address

@bpluly
bpluly / describe-instances-resource.md
Last active November 24, 2023 18:13
AWS describe-instances when private dns name is the instance resource

The Instance metadata has two fields for PrivateDNSName: one in the Instance struct and one within NetworkInterfaces[] inside that struct. When resource names are used for the private dns field you have to filter for the field in the NetworkInterfaces list (generally the first one). For example, to get the InstanceID of an instance using the resource name dns:

```
aws ec2 describe-instances \
  --filters "Name=network-interface.private-dns-name,Values=i-0c8489ec965617999.eu-west-2.compute.internal" \
  --query "Reservations[0].Instances[0].{Instance:InstanceId}"
```

Output:

```
{
    "Instance": "i-0c8489ec965617999"
}
```
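An added example (not code from the gist) that ties the two notes together: it builds the same `network-interface.private-dns-name` filter as the CLI call above, walks the DescribeInstances response through `NetworkInterfaces[]` rather than the top-level field, and injects the resolved InstanceId into ssh_opts for a Patchwork rsync. The `open-tunnel` ProxyCommand form and `FakeEc2Client` are assumptions for illustration; with boto3 the real client is passed in the same way.

```python
# Added example (not part of the gist): resolve an InstanceId from a resource-name
# private DNS name via DescribeInstances, then build EIC-aware ssh_opts for rsync.
# The open-tunnel ProxyCommand form and FakeEc2Client are assumptions for illustration.
import shlex
from typing import Any, Optional

FILTER_NAME = "network-interface.private-dns-name"

def describe_instances_filter(private_dns: str) -> list:
    """Filters= argument for describe_instances, matching the NetworkInterfaces
    entry rather than the top-level PrivateDnsName field."""
    return [{"Name": FILTER_NAME, "Values": [private_dns]}]

def instance_id_from_response(response: dict, private_dns: str) -> Optional[str]:
    """Walk Reservations[].Instances[].NetworkInterfaces[] and return the
    InstanceId of the instance whose interface carries private_dns, else None."""
    for reservation in response.get("Reservations", []):
        for instance in reservation.get("Instances", []):
            for nic in instance.get("NetworkInterfaces", []):
                if nic.get("PrivateDnsName") == private_dns:
                    return instance["InstanceId"]
    return None

def lookup_instance_id(client: Any, private_dns: str) -> Optional[str]:
    """client is anything with describe_instances(Filters=...), e.g. boto3.client("ec2")."""
    resp = client.describe_instances(Filters=describe_instances_filter(private_dns))
    return instance_id_from_response(resp, private_dns)

def eic_ssh_opts(instance_id: str, identity_file: str) -> str:
    """ssh_opts for patchwork.transfers.rsync: rsync opens its own ssh session,
    so the EIC tunnel ProxyCommand (assumed form) has to be injected per host."""
    proxy = f"aws ec2-instance-connect open-tunnel --instance-id {instance_id}"
    return " ".join(["-o", shlex.quote(f"ProxyCommand={proxy}"),
                     "-o", shlex.quote(f"IdentityFile={identity_file}")])

# Constructed sample response, using the instance id shown in the gist.
PRIVATE_DNS = "i-0c8489ec965617999.eu-west-2.compute.internal"
SAMPLE_RESPONSE = {"Reservations": [{"Instances": [{
    "InstanceId": "i-0c8489ec965617999",
    "PrivateDnsName": PRIVATE_DNS,
    "NetworkInterfaces": [{"PrivateDnsName": PRIVATE_DNS}]}]}]}

class FakeEc2Client:
    """Offline stand-in for the boto3 EC2 client; honours the interface filter."""
    def describe_instances(self, Filters: list) -> dict:
        hit = Filters[0]["Name"] == FILTER_NAME and Filters[0]["Values"][0] == PRIVATE_DNS
        return SAMPLE_RESPONSE if hit else {"Reservations": []}
```

The returned string goes straight into `ssh_opts=` of `patchwork.transfers.rsync`, which is the parameter the first note says has to carry the per-host InstanceId.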

As part of the process of migrating as many instances as possible away from public IPv4 addresses, because it's going to get expensive, I have to use a proxy from the backend interface to github in order to pull updates from the repos. This is part of the distribution of the whole system, apart from configuration not in the repos. To begin with I planned on adding a forward proxy on the existing HAProxy in front of the production web servers; it's in the same backend subnet and it's always going to have an IPv4 interface. But that got very ugly. I decided instead to use ssh and proxy through the sshd already running on the HAProxy instance. After a lot of complexity I went back to the simplest.

```
Host github.com
    HostName github.com
    AddressFamily inet
    IdentityFile ~/.ssh/github_rsa
    IdentityFile ~/.ssh/keyforproxyinstance
    User git
```