@jonuwz
jonuwz / lastlog.pl
Last active December 27, 2015 16:59
#!/usr/bin/perl
use strict;
use warnings;
use POSIX qw(strftime);
my %names;
my $fmt="%-24s%-9s%s\n";
setpwent;
while (my ($name, $junk, $uid) = getpwent) {
@jonuwz
jonuwz / gist:7529217
Created November 18, 2013 15:03
Basic httpd.conf
ServerTokens OS
ServerRoot "/etc/httpd"
PidFile run/httpd.pid
Timeout 60
KeepAlive Off
MaxKeepAliveRequests 100
KeepAliveTimeout 15
<IfModule prefork.c>
StartServers 8
@jonuwz
jonuwz / gpgkey.sh
Last active December 29, 2015 05:29
GPG key creation and retrieval
#!/bin/bash
# This makes sure that a pgp public key for a given email exists.
# If it already exists it prints the info, if not it creates one, then prints the info
# If we create the keypair, the secret is exported and removed from the keyring
# Minimum requirement is a key
if [[ -z "$1" ]];then
echo -e "\nUsage\n\t$(basename $0) key [ name ] [ comment ]\n\n"
exit 1
fi
@jonuwz
jonuwz / gist:8062471
Created December 20, 2013 22:10
primary keys on a table in DB2
db2 -x "SELECT A.COLSEQ, A.COLNAME FROM SYSCAT.KEYCOLUSE A, SYSCAT.TABCONST B WHERE A.CONSTNAME=B.CONSTNAME AND B.TYPE='P' AND A.TABNAME='$TABNAME' order by A.COLSEQ"
@jonuwz
jonuwz / gist:9864479
Last active December 1, 2015 23:58
controlling freeipa with ruby
#!/opt/puppet/bin/ruby
require 'httpclient'
require 'base64'
require 'gssapi'
require 'json'
module IPAcommon
@@IPAlist_element = {
:hostgroup => 'cn',
@jonuwz
jonuwz / gist:11334474
Last active August 29, 2015 14:00
Free IPA with puppet enterprise
1. patch IPA to allow subject alt names in cert requests
2. patch IPA to allow certificates to be named after the service (not just the hostname)
/etc/init.d/ipa restart
3. On IPA
echo $password | kinit admin
domain=$(domainname)
for serv in pe-internal-dashboard pe-internal-broker pe-internal-mcollective-servers pe-internal-peadmin-mcollective-client pe-internal-puppet-console-mcollective-client pe-internal-dashboard;do
ipa service-del $serv/puppet.$domain
@jonuwz
jonuwz / caIPAserviceCert.cfg.diff
Created April 27, 2014 11:24
patch for IPA to allow subjectAltName when requesting certificates
Index: /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg
===================================================================
--- /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg
+++ /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg
@@ -10,7 +10,7 @@
output.list=o1
output.o1.class_id=certOutputImpl
policyset.list=serverCertSet
-policyset.serverCertSet.list=1,2,3,4,5,6,7,8,10
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8,10,11
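Review bot: the new entry 11 in policyset.serverCertSet.list on the + line has no matching policyset.serverCertSet.11.* definition visible in this hunk. If the rest of the patch does not add that block, the profile references a policy that is not defined. Since the stated purpose is to allow subjectAltName in certificate requests, the definition for entry 11 should also make clear which SAN values are accepted and where they are taken from, so that a requester cannot get arbitrary names signed under this profile.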
@jonuwz
jonuwz / cert.py.diff
Created April 27, 2014 11:25
patch for IPA to allow certificates to have the name of a service (instead of just hostname)
Index: /usr/lib/python2.6/site-packages/ipalib/plugins/cert.py
===================================================================
--- /usr/lib/python2.6/site-packages/ipalib/plugins/cert.py
+++ /usr/lib/python2.6/site-packages/ipalib/plugins/cert.py
@@ -297,11 +297,11 @@
# Ensure that the hostname in the CSR matches the principal
subject_host = get_csr_hostname(csr)
(servicename, hostname, realm) = split_principal(principal)
- if subject_host.lower() != hostname.lower():
+ if subject_host.lower() != hostname.lower() and subject_host.lower() != servicename.lower():
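Review bot: the relaxed condition on the + line now accepts a CSR whose subject equals the service name from the principal, but the comment above it still says the hostname in the CSR must match the principal. Update the comment to describe both accepted cases. The service-name branch also removes the tie between the certificate subject and the requesting host: any principal whose service part is servicename passes this check for a subject of servicename, whatever its host part. Consider restricting that branch to an explicit list of service names, or to principals on an expected host, rather than accepting every service name. Lowercasing subject_host once into a local variable would also make the condition easier to read.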
This is so we can do puppet cert clean remotely.
on the puppet box :
puppet cert generate pe-api
cat /etc/puppetlabs/puppet/ssl/certs/pe-api.pem /etc/puppetlabs/puppet/ssl/private_keys/pe-api.pem > cat /etc/puppetlabs/puppet/ssl/certs/pe-api.pem /etc/puppetlabs/puppet/ssl/private/pe-api.pem
cat <<'EOF' > /etc/puppetlabs/httpd/console_apps.d/api.conf
SSLProxyEngine on
SSLProxyCACertificateFile /etc/puppetlabs/puppet/ssl/certs/ca.pem

Single (soon to be multi) node kubernetes backed by ceph storage on Raspberry Pi 4

Hardware

4 * Raspberry Pi 4B 4GB
1 * Sandisk Extreme A1 32GB
3 * Sandisk Ultra A1 32GB
4 * TOPK Type C Cable QC 3.0 Fast Charge
4 * CSL - Flat Ethernet Cable Cat6 0.25m
1 * Anker PowerPort 60 W 6-Port USB Charger with PowerIQ