Enabling EPEL, Python Bindings for SELinux, and Firewall Settings

I have been learning from this book by Fabio Alessandro Locati, published under Packt.

There is one simple exercise where there is an example of “Configuring a basic server”. The codes can be found

Enabling EPEL

To enable EPEL on RHEL/CentOS 7, just install the epel-release package:

--- 
- hosts: all 
  remote_user: ansible
  tasks: 
    - name: Ensure EPEL is enabled 
      yum: 
        name: epel-release 
        state: present 
      become: True 
    

Python bindings for SELinux

Ansible is written in Python and mainly uses the Python bindings to operate on the operating system.

--- 
- hosts: all 
  remote_user: ansible
  tasks: 
    - name: Ensure libselinux-python is present
      yum: 
        name: libselinux-python  
        state: present 
      become: True 
    - name: Ensure libsemanage-python is present 
      yum: 
        name: libsemanage-python 
        state: present 
      become: True 

Firewall Settings

--- 
- hosts: all 
  remote_user: ansible
  tasks: 
    - name: Ensure FirewallD is running 
      service: 
        name: firewalld 
        state: started 
        enabled: True 
      become: True 
    - name: Ensure SSH can pass the firewall 
      firewalld: 
        service: ssh 
        state: enabled 
        permanent: True 
        immediate: True 
      become: True 

Basic Installing and Configuring NTP with Ansible

I have been learning from this book by Fabio Alessandro Locati, published under Packt.

There is one simple exercise with an example of “Ensuring that NTP is installed, configured and running”. The code can be found at https://github.com/PacktPublishing/Learning-Ansible-2.X-Third-Edition/tree/master/Chapter02

--- 
- hosts: all 
  remote_user: ansible
  tasks: 
    - name: Ensure NTP is installed 
      yum: 
        name: ntp 
        state: present 
      become: True 
    - name: Ensure the timezone is set to UTC 
      file: 
        src: /usr/share/zoneinfo/GMT 
        dest: /etc/localtime 
        state: link 
      become: True 
    - name: Ensure the NTP service is running and enabled 
      service: 
        name: ntpd 
        state: started 
        enabled: True 
      become: True 

Basic Installing and Configuring a Web Server with Ansible

I have been learning from this book by Fabio Alessandro Locati, published under Packt.

There is one simple exercise with an example of “Installing and Configuring a Web Server”. The code can be found at https://github.com/PacktPublishing/Learning-Ansible-2.X-Third-Edition/tree/master/Chapter02

Installing and Configuring a Web Server

The first playbook installs the HTTPd package and enables and starts its service. In addition, both HTTP and HTTPS must be able to pass through firewalld.

---
- hosts: all 
  remote_user: ansible
  tasks: 
    - name: Ensure the HTTPd package is installed 
      yum: 
        name: httpd 
        state: present 
      become: True 
    - name: Ensure the HTTPd service is enabled and running 
      service: 
        name: httpd 
        state: started 
        enabled: True 
      become: True 
    - name: Ensure HTTP can pass the firewall 
      firewalld: 
        service: http 
        state: enabled 
        permanent: True 
        immediate: True 
      become: True 
    - name: Ensure HTTPS can pass the firewall 
      firewalld: 
        service: https 
        state: enabled 
        permanent: True 
        immediate: True 
      become: True  

To review and then run the deployment, use the following commands:

$ ansible-playbook webserver.yaml --list-tasks
$ ansible-playbook -i host webserver.yaml

Publishing a Simple Website

Assume the website is a simple single-page site built from a simple template called index.html.j2:

--- 
- hosts: all 
  remote_user: ansible
  tasks: 
    - name: Ensure the website is present and updated 
      template: 
        src: index.html.j2 
        dest: /var/www/html/index.html 
        owner: root 
        group: root 
        mode: 0644 
      become: True  

Just a note that the “become: True” parameter means the task is executed with sudo access. In other words, the sudoers file must allow the remote user that access.

Massive Ransomware Campaign Targeting Unpatched VMware ESXi Servers

From SINGCERT (https://www.csa.gov.sg/singcert/Alerts/AL-2023-015) dated 04 Feb 2023

There are reports of an ongoing ransomware campaign actively exploiting a vulnerability (CVE-2021-21974) in unpatched VMware ESXi servers.

Successful exploitation of the vulnerability could allow an attacker to perform remote code execution by triggering the heap-overflow issue in OpenSLP service.

The following versions of the products are affected by the aforementioned vulnerability:

  • ESXi versions 7.x earlier than ESXi70U1c-17325551
  • ESXi versions 6.7.x earlier than ESXi670-202102401-SG
  • ESXi versions 6.5.x earlier than ESXi650-202102101-SG

Users and administrators of affected product versions are advised to upgrade to the latest versions immediately. As a precaution, a full system scan should also be performed to detect any signs of compromise. Users and administrators are also advised to assess if the ransomware campaign-targeted port 427 can be disabled without disrupting operations.

Users and administrators may also wish to configure their firewall rules to block any connections to the following IP addresses purportedly carrying out the attacks:

  • 104.152.52[.]55
  • 193.163.125[.]138
  • 43.130.10[.]173
  • 104.152.52[.]0/24

More information can be found at:

https://www.vmware.com/security/advisories/VMSA-2021-0002.html

https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/

https://www.cert.ssi.gouv.fr/alerte/CERTFR-2023-ALE-015/

https://www.csa.gov.sg/singcert/Advisories/ad-2021-009/

Myths and Legends in High-Performance Computing

Abstract taken from Myths and Legends in High-Performance Computing

In this humorous and thought provoking article, we discuss certain myths and legends that are folklore among members of the high-performance computing community. We collected those myths from conversations at conferences and meetings, product advertisements, papers, and other communications such as tweets, blogs, and news articles within (and beyond) our community. We believe they represent the zeitgeist of the current era of massive change, driven by the end of many scaling laws such as Dennard scaling and Moore’s law. While some laws end, new directions open up, such as algorithmic scaling or novel architecture research. However, these myths are rarely based on scientific facts but often on some evidence or argumentation. In fact, we believe that this is the very reason for the existence of many myths and why they cannot be answered clearly. While it feels like there should be clear answers for each, some may remain endless philosophical debates such as the question whether Beethoven was better than Mozart. We would like to see our collection of myths as a discussion of possible new directions for research and industry investment.

The article addresses the following myths:

  • Myth 1: Quantum Computing Will Take Over HPC!
  • Myth 2: Everything Will Be Deep Learning!
  • Myth 3: Extreme Specialization as Seen in Smartphones Will Push Supercomputers Beyond Moore’s Law!
  • Myth 4: Everything Will Run on Some Accelerator!
  • Myth 5: Reconfigurable Hardware Will Give You 100X Speedup!
  • Myth 6: We Will Soon Run at Zettascale!
  • Myth 7: Next-Generation Systems Need More Memory per Core!
  • Myth 8: Everything Will Be Disaggregated!
  • Myth 9: Applications Continue to Improve, Even on Stagnating Hardware!
  • Myth 10: Fortran Is Dead, Long Live the DSL!
  • Myth 11: HPC Will Pivot to Low or Mixed Precision!
  • Myth 12: All HPC Will Be Subsumed by the Clouds!

Basic Ansible Introductory Learning Notes

I have been learning from this book by Fabio Alessandro Locati, published under Packt.

I thought I would just capture a few learning notes as I read.

Introduction to Playbooks

Playbooks are one of the core features of Ansible and tell Ansible what to execute. They are like a to-do list for Ansible that contains a list of tasks; each task internally links to a piece of code called a module.

- hosts: all 
  remote_user: vagrant
  tasks: 
    - name: Ensure the HTTPd package is installed 
      yum: 
        name: httpd 
        state: present 
      become: True 
    - name: Ensure the HTTPd service is enabled and running 
      service: 
        name: httpd 
        state: started 
        enabled: True 
      become: True 

What does it mean?

  • hosts: Lists the hosts or host groups. The hosts field is required. The --list-hosts option will let us know which hosts the playbook is using.
  • remote_user: The user Ansible will use when logging onto the system.
  • There are 2 tasks.
    • The first one is to ensure that the httpd package is present.
    • The second one is to ensure that the httpd service is enabled and running.
  • The tasks are quite self-explanatory.
  • become: True. The commands should be executed with sudo access. If the sudoers file does not allow the user to run the particular command, the command will fail.

Running a Playbook

$ ansible-playbook -i host setup_apache.yml

Ansible Verbosity

You can increase the verbosity by using the parameter -v, -vv or -vvv.

Variables in Ansible

---
- hosts: all
  remote_user: vagrant
  tasks: 
    - name: Print OS and version
      debug:
        msg: '{{ ansible_distribution }} {{ ansible_distribution_version }}'

Creating the Ansible User

--- 
- hosts: all 
  user: vagrant 
  tasks: 
    - name: Ensure ansible user exists 
      user: 
        name: ansible 
        state: present 
        comment: Ansible 
      become: True
    - name: Ensure ansible user accepts the SSH key 
      authorized_key: 
        user: ansible 
        key: https://github.com/fale.keys 
        state: present 
      become: True
    - name: Ensure the ansible user is sudoer with no password required 
      lineinfile: 
        dest: /etc/sudoers 
        state: present 
        regexp: '^ansible ALL\=' 
        line: 'ansible ALL=(ALL) NOPASSWD:ALL' 
        validate: 'visudo -cf %s'
      become: True

lineinfile is an interesting module. It works in a similar way to sed (a stream editor): you specify the regular expression used to match a line, and then the new line that replaces the matched line.
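A variant of the play above, added here as an example and not taken from the book or its repository: it installs the public key from a local file instead of a URL and applies the same lineinfile regexp/line pair to a drop-in file, so /etc/sudoers itself is never edited. The key path files/ansible.pub and the drop-in name /etc/sudoers.d/ansible are assumptions, as is a sudoers file that includes /etc/sudoers.d (the RHEL/CentOS 7 default).

```yaml
---
# Added example: variant of the "Creating the Ansible User" play above.
# Assumptions: files/ansible.pub is a hypothetical public key file kept next
# to the playbook; /etc/sudoers.d/ansible is a hypothetical drop-in name.
- hosts: all
  remote_user: vagrant
  become: True
  tasks:
    - name: Ensure ansible user exists
      user:
        name: ansible
        state: present
        comment: Ansible

    # The key is read from the control node, so the account does not trust
    # whatever a remote URL returns at run time. exclusive removes any other
    # key already present in the account's authorized_keys file.
    - name: Ensure ansible user accepts only the reviewed SSH key
      authorized_key:
        user: ansible
        key: "{{ lookup('file', 'files/ansible.pub') }}"
        exclusive: True
        state: present

    # Same regexp/line pair as above, written to a drop-in file.
    # lineinfile replaces the last line matching regexp, or appends the line
    # when nothing matches; create makes the file if it is missing.
    - name: Ensure the ansible sudo rule lives in its own drop-in file
      lineinfile:
        dest: /etc/sudoers.d/ansible
        create: True
        owner: root
        group: root
        mode: '0440'
        state: present
        regexp: '^ansible ALL\='
        line: 'ansible ALL=(ALL) NOPASSWD:ALL'
        validate: 'visudo -cf %s'

    # validate only checks the drop-in; this checks the complete sudoers
    # configuration, included files and all, without changing anything.
    - name: Ensure the full sudoers configuration still parses
      command: visudo -c
      changed_when: False
```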

World’s first hydrogen-powered off-grid data centre announced

‘Data Centre-as-a-Service’ pioneer, ECL, has announced the launch of what it claims is the world’s first modular, sustainable, off-grid data centre that uses green hydrogen as its primary power source. The company further claims to be able to deliver data centres in one megawatt (MW) blocks that can achieve 99.9999 per cent uptime.
…..
…..
While other data center providers have deployed hydrogen fuel cells as backup power supplies, and with some conducting trials of systems forecast for production delivery in three-to-five years, ECL asserts that it is the first provider to deliver a fully-green hydrogen-powered data centre. This leapfrog innovation is enabled by bringing together several disruptive technologies including green hydrogen-based power generation, battery energy storage and highly reliable power architecture without dependence on the utility grid.
…..
…..
ECL also said that its cooling innovations enable much higher density-per-rack than traditional data centre providers, a strong benefit given the increasing per-server power consumption driven by accelerating chip and system density. Water created as a by-product of hydrogen-based power generation is used to cool ECL’s server racks, eliminating the need for external water sources. Combining this with proprietary rear door heat exchange technology results in lower Power Usage Effectiveness (PUE) ratios than any other colocation data centre provider.

Open Source – Policy Plus for All Windows Edition

This is not an entry for Linux, but for Open Source.

If you require an open-source Local Group Policy editor for all Windows editions, including Home, you may want to consider Policy Plus.

According to the project website:

Policy Plus is intended to make the power of Group Policy settings available to everyone.

  • Run and work on all Windows editions, not just Pro and Enterprise
  • Comply fully with licensing (i.e. transplant no components across Windows installations)
  • View and edit Registry-based policies in local GPOs, per-user GPOs, individual POL files, offline Registry user hives, and the live Registry
  • Navigate to policies by ID, text, or affected Registry entries
  • Show additional technical information about objects (policies, categories, products)
  • Provide convenient ways to share and import policy settings