Using Ansible to get FlexLM License Information and copy to Shared File Environment

You can use Ansible to extract FlexLM license information from a remote license server and store it in a central place where it can be displayed.

I use crontab to extract the information every 15 min and place it in a central place so that users can check the license availability.

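- name: Extract Information from ANSYS Lic Server and extract to file
  block:
    - name: Get FlexLM License Info
      # chdir makes the relative -c path resolve from the lmutil directory
      ansible.builtin.shell: "/usr/local/ansys_inc/shared_files/licensing/linx64/lmutil lmstat -c ../license_files/ansyslmd.lic -a"
      args:
        chdir: /usr/local/ansys_inc/shared_files/licensing/linx64
      register: lmstat_output
      changed_when: false  # read-only query, never reports a change

    - name: Save FlexLM License Output to File on ANSYS Lic Server
      ansible.builtin.copy:
        content: "{{ lmstat_output.stdout }}"
        dest: "/var/log/ansible_logs/ansys_lmstat.log"

    # Pull the log from the license server to the Ansible control node
    - name: Get FlexLM Output from Remote Server
      ansible.builtin.fetch:
        src: "/var/log/ansible_logs/ansys_lmstat.log"
        dest: "/usr/local/lic_lmstat_log/ansys_lmstat.log"
        flat: yes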

The fetch module is useful for fetching files from remote machines and storing them locally in a file tree. For more information, take a look at the Ansible documentation page "Fetch files from remote nodes".

In crontab, I run the fetch every 15 minutes:

*/15 * * * * /root/ansible_cluster/run_lmstat_licsvr.sh

The run_lmstat_licsvr.sh script simply calls ansible-playbook to run the playbook above.
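
The fetched log can also be reduced to per-feature availability before it is shown to users. The following is an added example, not part of the original post: the function names and the sample text are constructed, and it assumes the "Users of <feature>:" summary lines that lmstat prints.

```shell
# Reduce lmstat output to "feature issued in_use free", one feature per line.
# Reads the files given as arguments, or stdin when none are given.
lmstat_summary() {
    awk '
    /^Users of / {
        feature = $3
        sub(/:$/, "", feature)
        issued = ""; used = ""
        for (i = 4; i <= NF; i++) {
            if ($i == "issued;") issued = $(i - 2)
            if ($i == "in" && $(i + 1) ~ /^use/) used = $(i - 2)
        }
        # Lines without both counts (for example server errors) are skipped
        if (issued ~ /^[0-9]+$/ && used ~ /^[0-9]+$/)
            printf "%s %d %d %d\n", feature, issued, used, issued - used
    }' "$@"
}

# Names of features with no free license left.
lmstat_exhausted() {
    lmstat_summary "$@" | awk '$4 <= 0 { print $1 }'
}

# Constructed sample in the lmstat "Users of" format (not real server output).
SAMPLE_LMSTAT='Users of feat_a:  (Total of 128 licenses issued;  Total of 0 licenses in use)

Users of feat_b:  (Total of 1 license issued;  Total of 1 license in use)
  "feat_b" v1.0, vendor: examplelmd
Users of feat_c:  (Error: 4 licenses, unsupported by licensed server)'

printf '%s\n' "$SAMPLE_LMSTAT" | lmstat_summary
printf '%s\n' "$SAMPLE_LMSTAT" | lmstat_exhausted
```

On the control node the same functions can be pointed at the fetched file, for example lmstat_summary /usr/local/lic_lmstat_log/ansys_lmstat.log.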

BASH – Leaving a line after Cat

If you are writing a script that involves cat and you wish to leave a blank line after the “cat” output, do the following:

cat /usr/local/lic_lmstat_log/abaqus_lmstat.log ; echo
.....
.....
Users of tfluid_int_ccmp:  (Total of 128 licenses issued;  Total of 0 licenses in use)

Users of tfluid_int_fluent:  (Total of 128 licenses issued;  Total of 0 licenses in use)
[user1@node1 ~]$ 

SSL connection error For Delinea MFA with DirectControl 

Much of the troubleshooting here is derived from the Knowledgebase article KB-8958: MFA with DirectControl fails with SSL connection error, and from Preparing a Linux Client Server for Centrify and 2FA for CentOS-7.

Problem :

When attempting to log in with a user that requires MFA the following error is presented:

$ ssh user@192.168.0.1
SSL Connection Error

Cause:

The error is likely due to a certificate problem. A required certificate may be missing, or its permissions may not be set correctly.

How to check:

# /usr/share/centrifydc/bin/adcdiag
VERSION   : Verify that DirectControl version supports MFA               : Pass
JOINSTATE : Verify that DirectControl is in connected mode               : Pass
ZONECHK   : Verify that MFA is supported in the zone                     : Pass
SSHDCFG   : Verify that SSHD enables ChallengeResponseAuthentication     : Warning
          : Cannot read sshd configuration file. Probably you are not
          : using Delinea openssh. SSH login for MFA users will fail if
          : option ChallengeResponseAuthentication is not set to yes.
          : Please check and ensure ChallengeResponseAuthentication is
          : set to yes in sshd configuration file.
CDCCFG    : Verify that MFA options in centrifydc.conf are correct       : Pass
PROXYCFG  : Verify that HTTP proxy configuration is set properly         : Pass
CLDINST   : Verify that trusted Identity Platform instance is specified  : Pass
          : Successfully connected to Identity Platform and certificate
          : has been verified OK.
CNTRCFG   : Verify that Connectors are configured correctly              : Pass
CURCNTR   : Verify that DirectControl has selected a workable Connector  : Pass
CLOUDROLE : Verify that this machine has permissions to perform Identity
          : Platform authentication                                      : Pass
......
......
......

Check the Logs at /var/centrify/tmp…. You may notice some errors like

.....
.....
ERROR:
Not a trusted connector or no valid connector certificate installed locally.
SUGGESTIONS:
1. Verify that the IWA root CA certificate is installed in the system. Please refer to KB-7393 on how to configure the root CA certificate in the system.
2. Please collect connector log if you need Delinea support.
.....
.....

Resolution:

Check whether the Certificates have been added at

  • /etc/pki/ca-trust/source/anchors/
  • /var/centrify/net/certs

Check the SSH Settings at

# vim /etc/ssh/sshd_config
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication no


# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication yes

Restart the SSHD Services

# systemctl restart sshd.service

Restart the Centrifydc services

# /usr/share/centrifydc/bin/centrifydc restart

Active Directory Flush and Reload

# adflush -f
# adreload
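
sshd uses the first value it reads for each keyword, so a ChallengeResponseAuthentication yes line added below an existing ChallengeResponseAuthentication no has no effect. The script below is an added example, not part of the original post or of Delinea's tooling; the function names and both sample configurations are constructed. It reports the value that is actually in effect in the global section of an sshd_config file.

```shell
# Print the value sshd would use for keyword $1 in the global section of file $2.
# The FIRST value read for a keyword wins. Include files are not followed.
sshd_effective() {
    awk -v key="$1" '
    BEGIN { key = tolower(key) }
    /^[ \t]*(#|$)/ { next }                  # comments and blank lines
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        n = match(line, /[ \t=]/)            # keyword ends at whitespace or "="
        if (n == 0) next
        kw = tolower(substr(line, 1, n - 1)) # keywords are case-insensitive
        if (kw == "match") exit              # Match blocks end the global section
        if (kw == key) {
            val = substr(line, n)
            sub(/^[ \t]*=?[ \t]*/, "", val)
            sub(/[ \t]+$/, "", val)
            print val
            exit
        }
    }' "${2:-/etc/ssh/sshd_config}"
}

# Succeeds only when the setting the adcdiag SSHDCFG check asks for is in effect.
mfa_ssh_check() {
    cra=$(sshd_effective ChallengeResponseAuthentication "$1")
    pw=$(sshd_effective PasswordAuthentication "$1")
    echo "ChallengeResponseAuthentication=${cra:-unset} PasswordAuthentication=${pw:-unset}"
    [ "$cra" = "yes" ]
}

# Constructed sample configs (not taken from a real host).
GOOD_CFG=$(mktemp); BAD_CFG=$(mktemp)
trap 'rm -f "$GOOD_CFG" "$BAD_CFG"' EXIT
cat > "$GOOD_CFG" <<'EOF'
#PasswordAuthentication yes
PasswordAuthentication no
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication yes
EOF
cat > "$BAD_CFG" <<'EOF'
challengeresponseauthentication no
# appended later by hand; ignored because the line above is read first
ChallengeResponseAuthentication yes
EOF

mfa_ssh_check "$GOOD_CFG" || echo "MFA over SSH will fail"
mfa_ssh_check "$BAD_CFG"  || echo "MFA over SSH will fail"
```

On a live host, running sshd -T as root prints the effective configuration after all files have been parsed and can be used to confirm the result.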

Troubleshooting Intel VMD Driver Boot Issue on Supermicro Server with Rocky Linux 8.7

I was installing Rocky Linux 8.7 on a Supermicro Server with Intel VirtualRAID. I could not boot into Rocky Linux 8.7; the install screen could not be presented. Instead, there were repeated errors like the one below on the screen.

“DMAR: [INTR-REMAP] Request device [bc:00.5] fault index 0x8000 [fault reason 0x25] Blocked a compatibility format interrupt request”

The issue was explained in the article from Intel, “Unable to Boot RHEL* 8.7/9.0 if Intel® VMD Is Enabled for Intel® Virtual RAID on CPU (Intel® VROC) RAID Management”.

Resolution
A problem with the inbox Intel® VMD driver included in RHEL 8.7 and 9.0 was identified, and it is necessary to add the boot parameter intremap=off to the kernel command line while installing the operating system. This will prevent the operating system from encountering any problems.

This particular issue has been fixed via a kernel update and has been implemented in RHEL 9.1.

I tried Rocky Linux 8.9 and the issue was fixed.

Optimizing Ansible Performance: Serial Execution

By default, Ansible parallelises tasks on multiple hosts simultaneously and speeds up automation in large inventories. But sometimes, this is not ideal in a load-balanced environment, where upgrading the servers simultaneously may cause the loss of services. How do we use Ansible to run the updates at different times? I use the keyword “serial” before executing the roles universal package.

- hosts: standalone_nodes
  become: yes
  serial: 1 
  roles:
        - linux_workstation

Alternatively, you can use percentages to indicate how many will upgrade at one time.

- hosts: standalone_nodes
  become: yes
  serial: 25%
  roles:
        - linux_workstation

References:

  1. How to implement parallelism and rolling updates in Ansible

Optimizing Ansible Performance: Implementing Parallelism with Forks

Ansible’s parallel processes are known as forks, and the default number of forks is five. In other words, Ansible attempts to run automation jobs on 5 hosts simultaneously. The more forks you set, the more resources are used on the Ansible control node.

How do you implement it? Edit the ansible.cfg file and look for the “forks” parameter. You can use the command “ansible-config view” to display the contents of ansible.cfg.

[defaults]
inventory = inventory
private_key_file = ~/.ssh/xxxxxx
timeout = 30
forks = 10
log_path = /var/log/ansible.log
display_skipped_hosts=yes
display_ok_hosts=yes
display_failed_stderr=yes
show_custom_stats=yes
verbosity = 0

# become settings are only read from this section, not from [defaults]
[privilege_escalation]
become = true
become_user = root

References and Other Useful Information:

  1. How to implement parallelism and rolling updates in Ansible
  2. Ansible Update Management: Serial Execution and Percentage Indicators

Ansible Delayed Error Handling with Rescue Blocks: Chrony Setup Example

To recap, there are 2 main uses of Blocks in Ansible. The first write-up can be found at Grouping Tasks with Block in Ansible.

  1. Apply conditional logic to all the tasks within the block. That way, the logic only needs to be declared once.
  2. Apply error handling, especially when recovering from an error condition.

Today, we will deal with Point 2 in this blog entry.

According to the Ansible Documentation found at https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_blocks.html:

Rescue blocks specify tasks to run when an earlier task in a block fails. This approach is similar to exception handling in many programming languages. Ansible only runs rescue blocks after a task returns a ‘failed’ state. Bad task definitions and unreachable hosts will not trigger the rescue block.

Here is my simple example for implementation

- name: Check current Timezone
  command: timedatectl show --property=Timezone --value
  register: timezone_output
  changed_when: false

- name: Configure Timezone to Asia/Singapore
  command: timedatectl set-timezone Asia/Singapore
  when: timezone_output.stdout != "Asia/Singapore"

- name: Install and Configure Chrony Service Block
  block:
    - name: Install Chrony package
      dnf:
        name: chrony
        state: present

    - name: Configure Chrony servers
      lineinfile:
        path: /etc/chrony.conf
        line: "server sg.pool.ntp.org iburst"
        insertafter: '^#.*server 3.centos.pool.ntp.org iburst'
        state: present

    - name: Enable Chrony service
      service:
        name: chronyd
        state: started
        enabled: yes
  rescue:
    - name: Print when Errors
      debug:
        msg: 'Something failed at Chrony Setup'
  when:
    - ansible_os_family == "RedHat"
    - ansible_distribution_major_version == "8"