>>> from genie.conf.base import Device >>> device = Device("router", os="iosxr") >>> # Hack to parse outputs without connecting to a device >>> device.custom.setdefault("abstraction", )["order"] = ["os", "platform"] >>> cmd = "show route ipv4 unicast" >>> output = """ ... Tue Oct 29 21:29:10.924 UTC ... ... O 10.13.110.0/24 [110/2] via 10.12.110.1, 5d23h, GigabitEthernet0/0/0/0.110 ... """ >>> device.parse(cmd, output=output) 'vrf': 'default': 'address_family': 'ipv4': 'routes': '10.13.110.0/24': 'route': '10.13.110.0/24', 'active': True, 'route_preference': 110, 'metric': 2, 'source_protocol': 'ospf', 'source_protocol_codes': 'O', 'next_hop': 'next_hop_list': 1: 'index': 1, 'next_hop': '10.12.110.1', 'outgoing_interface': 'GigabitEthernet0/0/0/0.110', 'updated': '5d23h'
ssh command, it cannot
leverage my ssh_config file: pyATS resolves hostnames before
providing them to ssh. There is no plan to open source
pyATS.
Then, Genie Parser has two problems:
show ipv4
vrf all interface is:
Loopback10 is Up, ipv4 protocol is Up
Vrf is default (vrfid 0x60000000)
Internet protocol processing disabled
Loopback30 is Up, ipv4 protocol is Down [VRF in FWD reference]
Vrf is ran (vrfid 0x0)
Internet address is 203.0.113.17/32
MTU is 1500 (1500 is available to IP)
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound common access list is not set, access list is not set
Proxy ARP is disabled
ICMP redirects are never sent
ICMP unreachables are always sent
ICMP mask replies are never sent
Table Id is 0x0
Loopback30 and parses
the output to this structure:1
"Loopback10": "int_status": "up", "oper_status": "up", "vrf": "ran", "vrf_id": "0x0", "ipv4": "203.0.113.17/32": "ip": "203.0.113.17", "prefix_length": "32" , "mtu": 1500, "mtu_available": 1500, "broadcast_forwarding": "disabled", "proxy_arp": "disabled", "icmp_redirects": "never sent", "icmp_unreachables": "always sent", "icmp_replies": "never sent", "table_id": "0x0"
Do not add further complexity when it can be avoided. We are generally happy with the feature set of i3 and instead focus on fixing bugs and maintaining it for stability. New features will therefore only be considered if the benefit outweighs the additional complexity, and we encourage users to implement features using the IPC whenever possible. Introduction to the i3 window managerWhile this is not as powerful as an embedded language, it is enough for many cases. Moreover, as high-level features may be opinionated, delegating them to small, loosely coupled pieces of code keeps them more maintainable. Libraries exist for this purpose in several languages. Users have published many scripts to extend i3: automatic layout and window promotion to mimic the behavior of other tiling window managers, window swallowing to put a new app on top of the terminal launching it, and cycling between windows with Alt+Tab. Instead of maintaining a script for each feature, I have centralized everything into a single Python process,
i3-companion using asyncio and the
i3ipc-python library. Each feature is self-contained into a
function. It implements the following components:
workspace_exclusive() function monitors new windows and moves them
if needed to an empty workspace or to one with the same application
already running.quake_console() function implements a drop-down console
available from any workspace. It can be toggled with
Mod+ . This is implemented as a scratchpad
window.workspace back_and_forth command, we can ask i3 to
switch to the previous workspace. However, this feature is not
restricted to the current output. I prefer to have one keybinding to
switch to the workspace on the next output and one keybinding to
switch to the previous workspace on the same output. This behavior
is implemented in the previous_workspace() function by keeping a
per-output history of the focused workspaces.workspace number
4 or move container to workspace number 4. The new_workspace()
function finds a free number and use it as the target workspace.output_update() function also takes an extra step to
coalesce multiple consecutive events and to check if there is a real
change with the low-level library xcffib.@on(CommandEvent("previous-workspace"), I3Event.WORKSPACE_FOCUS) async def previous_workspace(i3, event): """Go to previous workspace on the same output."""
CommandEvent() event class is my way to send a command to the
companion, using either i3-msg -t send_tick or binding a key to a
nop command. The latter is used to avoid spawning a shell and a
i3-msg process just to send a message. The companion listens to
binding events and checks if this is a nop command.
bindsym $mod+Tab nop "previous-workspace"
@debounce() to
coalesce multiple consecutive calls, @static() to define a static
variable, and @retry() to retry a function on failure. The whole
script is a bit more than 1000 lines. I think this is
worth a read as I am quite happy with the result.
notify(), to send notifications using DBus. container_info() and
workspace_info() uses it to display information about the container
or the tree for a workspace.
workspace_rename() function. The icons are from
the Font Awesome project. I maintain a mapping between applications
and icons. This is a bit cumbersome but it looks great.
ipc module: the next version of Polybar can receive
an arbitrary text on an IPC socket. The module is defined with a
single hook to be executed at the start to restore the latest status.
[module/network] type = custom/ipc hook-0 = cat $XDG_RUNTIME_DIR/i3/network.txt 2> /dev/null initial = 1
polybar-msg action "#network.send.XXXX". In
the i3 companion, the @polybar() decorator takes the string
returned by a function and pushes the update through the IPC socket.
The i3 companion reacts to DBus signals to update the Bluetooth and
network icons. The @on() decorator accepts a DBusSignal() object:
@on( StartEvent, DBusSignal( path="/org/bluez", interface="org.freedesktop.DBus.Properties", member="PropertiesChanged", signature="sa sv as", onlyif=lambda args: ( args[0] == "org.bluez.Device1" and "Connected" in args[1] or args[0] == "org.bluez.Adapter1" and "Powered" in args[1] ), ), ) @retry(2) @debounce(0.2) @polybar("bluetooth") async def bluetooth_status(i3, event, *args): """Update bluetooth status for Polybar."""
~/.xsession-errors file.3
I am using a two-stage setup: i3.service depends on
xsession.target to start services before
i3:
[Unit] Description=X session BindsTo=graphical-session.target Wants=autorandr.service Wants=dunst.socket Wants=inputplug.service Wants=picom.service Wants=pulseaudio.socket Wants=policykit-agent.service Wants=redshift.service Wants=spotify-clean.timer Wants=ssh-agent.service Wants=xiccd.service Wants=xsettingsd.service Wants=xss-lock.service
i3-session.target:
[Unit] Description=i3 session BindsTo=graphical-session.target Wants=wallpaper.service Wants=wallpaper.timer Wants=polybar-weather.service Wants=polybar-weather.timer Wants=polybar.service Wants=i3-companion.service Wants=misc-x.service
xset s
command. The locker can be invoked immediately with xset s activate.
X11 applications know how to prevent the screen saver from running. I
have also developed a small dimmer application that is executed 20
seconds before the locker to give me a chance to move the mouse if I
am not away.4 Have a look at my configuration
script.
xrandr.
:0 and :1. In the first implementation, I did try to
parametrize each service with the associated display, but this is
useless: there is only one DBus user session and many services
rely on it. For example, you cannot run two notification daemons.
firmware-sof-signed package.3
The BIOS can be updated directly from Linux, thanks to the Linux
Vendor Firmware Service.
I was using the ThinkPad USB-C Dock Gen 2 as a docking
station. Everything works out-of-the-box. However, from time to
time, I got issues reliably getting an image on the two screens. I was
using a couple of 10-year LG monitors with DVI connectors, so I relied
on DP HDMI DVI adapters. This may have been the source of some of the
problems.
| Before | After | |
|---|---|---|
| CPU | Intel i5-4670K @ 3.4 GHz | AMD Ryzen 5 5600X @ 3.7 GHz |
| CPU fan | Zalman CNPS9900 | Noctua NH-U12S |
| Motherboard | Asus Z97-PRO Gamer | Asus TUF Gaming B550-PLUS |
| RAM | 2 8 GB + 2 4 GB DDR3 @ 1.6 GHz | 2 16 GB DDR4 @ 3.6 GHz |
| GPU | Asus Radeon PH RX 550 4G M7 | |
| Disks | 500 GB Crucial P2 NVMe 256 GB Samsung SSD 850 256 GB Samsung SSD 840 |
|
| PSU | be quiet! Pure Power CM L8 @ 530 W | |
| Case | Antec P100 |
$ lscpu -e CPU NODE SOCKET CORE L1d:L1i:L2:L3 ONLINE MAXMHZ MINMHZ 0 0 0 0 0:0:0:0 yes 3800.0000 800.0000 1 0 0 1 1:1:1:0 yes 3800.0000 800.0000 2 0 0 2 2:2:2:0 yes 3800.0000 800.0000 3 0 0 3 3:3:3:0 yes 3800.0000 800.0000 $ CCACHE_DISABLE=1 =time -f ' %E' make -j$(nproc) [ ] OBJCOPY arch/x86/boot/vmlinux.bin AS arch/x86/boot/header.o LD arch/x86/boot/setup.elf OBJCOPY arch/x86/boot/setup.bin BUILD arch/x86/boot/bzImage Kernel: arch/x86/boot/bzImage is ready (#1) 4:54.32
$ lscpu -e CPU NODE SOCKET CORE L1d:L1i:L2:L3 ONLINE MAXMHZ MINMHZ 0 0 0 0 0:0:0:0 yes 5210.3511 2200.0000 1 0 0 1 1:1:1:0 yes 4650.2920 2200.0000 2 0 0 2 2:2:2:0 yes 5210.3511 2200.0000 3 0 0 3 3:3:3:0 yes 5073.0459 2200.0000 4 0 0 4 4:4:4:0 yes 4932.1279 2200.0000 5 0 0 5 5:5:5:0 yes 4791.2100 2200.0000 6 0 0 0 0:0:0:0 yes 5210.3511 2200.0000 7 0 0 1 1:1:1:0 yes 4650.2920 2200.0000 8 0 0 2 2:2:2:0 yes 5210.3511 2200.0000 9 0 0 3 3:3:3:0 yes 5073.0459 2200.0000 10 0 0 4 4:4:4:0 yes 4932.1279 2200.0000 11 0 0 5 5:5:5:0 yes 4791.2100 2200.0000 $ CCACHE_DISABLE=1 =time -f ' %E' make -j$(nproc) [ ] OBJCOPY arch/x86/boot/vmlinux.bin AS arch/x86/boot/header.o LD arch/x86/boot/setup.elf OBJCOPY arch/x86/boot/setup.bin BUILD arch/x86/boot/bzImage Kernel: arch/x86/boot/bzImage is ready (#1) 1:40.18
make defconfig on commit 15fae3410f1d.
It is with great pleasure that we can announce a new release of nikita. Version 0.6 (https://gitlab.com/OsloMet-ABI/nikita-noark5-core). This release makes new record keeping functionality available. This really is a maturity release. Both in terms of functionality but also code. Considerable effort has gone into refactoring the codebase and simplifying the code. Notable changes for this release include:If free and open standardized archiving API sound interesting to you, please contact us on IRC (#nikita on irc.oftc.net) or email (nikita-noark mailing list). As usual, if you use Bitcoin and want to show your support of my activities, please send Bitcoin donations to my address 15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b.We are currently in the process of reaching an agreement with an archive institution to publish their picture archive using nikita with business specific metadata and we hope that we can share this with you soon. This is an interesting project as it allows the organisation to bring an older picture archive back to life while using the original metadata values stored as business specific metadata. Combined with OData means the scope and use of the archive is significantly increased and will showcase both the flexibility and power of Noark. I really think we are approaching a version 1.0 of nikita, even though there is still a lot of work to be done. The notable work at the moment is to implement access-control and full text indexing of documents. My sincere thanks to everyone who has contributed to this release! - Thomas Release 0.6 2021-06-10 (d1ba5fc7e8bad0cfdce45ac20354b19d10ebbc7b)
- Significantly improved OData parsing
- Support for business specific metadata and national identifiers
- Continued implementation of domain model and endpoints
- Improved testing
- Ability to export and import from arkivstruktur.xml
- Refactor metadata entity search
- Remove redundant security configuration
- Make OpenAPI documentation work
- Change database structure / inheritance model to a more sensible approach
- Make it possible to move entities around the fonds structure
- Implemented a number of missing endpoints
- Make sure yml files are in sync
- Implemented/finalised storing and use of
- Business Specific Metadata
- Norwegian National Identifiers
- Cross Reference
- Keyword
- StorageLocation
- Author
- Screening for relevant objects
- ChangeLog
- EventLog
- Make generation of updated docker image part of successful CI pipeline
- Implement pagination for all list requests
- Refactor code to support lists
- Refactor code for readability
- Standardise the controller/service code
- Finalise File->CaseFile expansion and Record->registryEntry/recordNote expansion
- Improved Continuous Integration (CI) approach via gitlab
- Changed conversion approach to generate tagged PDF documents
- Updated dependencies
- For security reasons
- Brought codebase to spring-boot version 2.5.0
- Remove import of necessary dependencies
- Remove non-used metrics classes
- Added new analysis to CI including
- Implemented storing of Keyword
- Implemented storing of Screening and ScreeningMetadata
- Improved OData support
- Better support for inheritance in queries where applicable
- Brought in more OData tests
- Improved OData/hibernate understanding of queries
- Implement $count, $orderby
- Finalise $top and $skip
- Make sure & is used between query parameters
- Improved Testing in codebase
- A new approach for integration tests to make test more readable
- Introduce tests in parallel with code development for TDD approach
- Remove test that required particular access to storage
- Implement case-handling process from received email to case-handler
- Develop required GUI elements (digital postroom from email)
- Introduced leader, quality control and postroom roles
- Make PUT requests return 200 OK not 201 CREATED
- Make DELETE requests return 204 NO CONTENT not 200 OK
- Replaced 'oppdatert*' with 'endret*' everywhere to match latest spec
- Upgrade Gitlab CI to use python > 3 for CI scripts
- Bug fixes
- Fix missing ALLOW
- Fix reading of objects from jar file during start-up
- Reduce the number of warnings in the codebase
- Fix delete problems
- Make better use of cascade for "leaf" objects
- Add missing annotations where relevant
- Remove the use of ETAG for delete
- Fix missing/wrong/broken rels discovered by runtest
- Drop unofficial convertFil (konverterFil) end point
- Fix regex problem for dateTime
- Fix multiple static analysis issues discovered by coverity
- Fix proxy problem when looking for object class names
- Add many missing translated Norwegian to English (internal) attribute/entity names
- Change UUID generation approach to allow code also set a value
- Fix problem with Part/PartParson
- Fix problem with empty OData search results
- Fix metadata entity domain problem
- General Improvements
- Makes future refactoring easier as coupling is reduced
- Allow some constant variables to be set from property file
- Refactor code to make reflection work better across codebase
- Reduce the number of @Service layer classes used in @Controller classes
- Be more consistent on naming of similar variable types
- Start printing rels/href if they are applicable
- Cleaner / standardised approach to deleting objects
- Avoid concatenation when using StringBuilder
- Consolidate code to avoid duplication
- Tidy formatting for a more consistent reading style across similar class files
- Make throw a log.error message not an log.info message
- Make throw print the log value rather than printing in multiple places
- Add some missing pronom codes
- Fix time formatting issue in Gitlab CI
- Remove stale / unused code
- Use only UUID datatype rather than combination String/UUID for systemID
- Mark variables final and @NotNull where relevant to indicate intention
- Change Date values to DateTime to maintain compliance with Noark 5 standard
- Domain model improvements using Hypersistence Optimizer
- Move @Transactional from class to methods to avoid borrowing the JDBC Connection unnecessarily
- Fix OneToOne performance issues
- Fix ManyToMany performance issues
- Add missing bidirectional synchronization support
- Fix ManyToMany performance issue
- Make List
- and Set
- use final-keyword to avoid potential problems during update operations
- Changed internal URLs, replaced "hateoas-api" with "api".
- Implemented storing of Precedence.
- Corrected handling of screening.
- Corrected _links collection returned for list of mixed entity types to match the specific entity.
- Improved several internal structures.
Your browser supports WebP and AVIF image formats. Your browser supports none of these image formats. Your browser only supports the WebP image format. Your browser only supports the AVIF image format.
Without JavaScript, I can t tell what your browser supports.
find media/images -type f -name '*.jpg' -print0 \ xargs -0n1 -P$(nproc) -i \ cwebp -q 84 -af ' ' -o ' '.webp
avifenc from libavif:
find media/images -type f -name '*.jpg' -print0 \ xargs -0n1 -P$(nproc) -i \ avifenc --codec aom --yuv 420 --min 20 --max 25 ' ' ' '.avif
jpegoptim=$(nix-build --no-out-link \ -E 'with (import <nixpkgs> ); jpegoptim.override libjpeg = mozjpeg; ') find media/images -type f -name '*.jpg' -print0 \ sort -z xargs -0n10 -P$(nproc) \ $ jpegoptim /bin/jpegoptim --max=84 --all-progressive --strip-all
find media/images -type f -name '*.png' -print0 \ sort -z xargs -0n10 -P$(nproc) \ pngquant --skip-if-larger --strip \ --quiet --ext .png --force
cwebp in lossless mode:
find media/images -type f -name '*.png' -print0 \ xargs -0n1 -P$(nproc) -i \ cwebp -z 8 ' ' -o ' '.webp
pngquant and lossy compression is only marginally
better than what I get with WebP.
for f in media/images/**/*. webp,avif ; do orig=$(stat --format %s $ f%.* ) new=$(stat --format %s $f) (( orig*0.90 > new )) rm $f done
for f in media/images/**/*.avif; do [[ -f $ f%.* .webp ]] continue orig=$(stat --format %s $ f%.* .webp) new=$(stat --format %s $f) (( $orig > $new )) rm $f done
printf " %10s %10s %10s\n" Original WebP AVIF for format in png jpg; do printf " $ format:u %10s %10s %10s\n" \ $(find media/images -name "*.$format" wc -l) \ $(find media/images -name "*.$format.webp" wc -l) \ $(find media/images -name "*.$format.avif" wc -l) done
Original WebP AVIF PNG 64 47 0 JPG 83 40 74
<picture> to let the browser pick the format it supports, orAccept HTTP
header in the request. For Chrome, it looks like this:
Accept: image/avif,image/webp,image/apng,image/*,*/*;q=0.8
http map $http_accept $webp_suffix default ""; "~image/webp" ".webp"; map $http_accept $avif_suffix default ""; "~image/avif" ".avif"; server # [ ] location ~ ^/images/.*\.(png jpe?g)$ add_header Vary Accept; try_files $uri$avif_suffix$webp_suffix $uri$avif_suffix $uri$webp_suffix $uri =404;
/images/ont-box-orange@2x.jpg. If it supports WebP but not AVIF,
$webp_suffix is set to .webp while $avif_suffix is set to the
empty string. The server tries to serve the first existing file in
this list:
/images/ont-box-orange@2x.jpg.webp/images/ont-box-orange@2x.jpg/images/ont-box-orange@2x.jpg.webp/images/ont-box-orange@2x.jpg/images/ont-box-orange@2x.jpg.webp.avif (it never exists)/images/ont-box-orange@2x.jpg.avif/images/ont-box-orange@2x.jpg.webp/images/ont-box-orange@2x.jpgVary header ensures an intermediary cache (a proxy
or a CDN) checks the Accept header before using a cached
response. Internet Explorer has trouble with this header and may
not be able to cache the resource properly. There is a
workaround but Internet Explorer s market share is now so
small that it is pointless to implement it.
devices.yaml. It contains the
device list. The second file is classifier.yaml.
It defines a scope for each device. A scope is a set of keys and
values. It is used in templates and to look up data associated with a
device.
$ ./run-jerikan scope to1-p1.sk1.blade-group.net continent: apac environment: prod groups: - tor - tor-bgp - tor-bgp-compute host: to1-p1.sk1 location: sk1 member: '1' model: dell-s4048 os: cumulus pod: '1' shorthost: to1-p1
to1-p1.sk1.blade-group.net, the following subset of
classifier.yaml defines its scope:
matchers: - '^(([^.]*)\..*)\.blade-group\.net': environment: prod host: '\1' shorthost: '\2' - '\.(sk1)\.': location: '\1' continent: apac - '^to([12])-[as]?p(\d+)\.': member: '\1' pod: '\2' - '^to[12]-p\d+\.': groups: - tor - tor-bgp - tor-bgp-compute - '^to[12]-(p ap)\d+\.sk1\.': os: cumulus model: dell-s4048
searchpaths.py. It describes
which directories to search for a variable. A Python function provides
a list of paths to look up in data/ for a given scope. Here
is a simplified version:2
def searchpaths(scope): paths = [ "host/ scope[location] / scope[shorthost] ", "location/ scope[location] ", "os/ scope[os] - scope[model] ", "os/ scope[os] ", 'common' ] for idx in range(len(paths)): try: paths[idx] = paths[idx].format(scope=scope) except KeyError: paths[idx] = None return [path for path in paths if path]
to1-p1.sk1.blade-group.net is
looked up in the following paths:
$ ./run-jerikan scope to1-p1.sk1.blade-group.net [ ] Search paths: host/sk1/to1-p1 location/sk1 os/cumulus-dell-s4048 os/cumulus common
system for accounts, DNS, syslog servers, topology for ports, interfaces, IP addresses, subnets, bgp for BGP configurationbuild for templates and validation scriptsapps for application variablesto1-p1.sk1.blade-group.net in the bgp namespace, the following
YAML files are processed: host/sk1/to1-p1/bgp.yaml,
location/sk1/bgp.yaml, os/cumulus-dell-s4048/bgp.yaml,
os/cumulus/bgp.yaml, and common/bgp.yaml. The search stops at the
first match.
The schema.yaml file allows us to override this
behavior by asking to merge dictionaries and arrays across all
matching files. Here is an excerpt of this file for the topology
namespace:
system: users: merge: hash sampling: merge: hash ansible-vars: merge: hash netbox: merge: hash
~ :
# In data/os/junos/system.yaml netbox: manufacturer: Juniper model: "~ model upper " # In data/groups/tor-bgp-compute/system.yaml netbox: role: net_tor_gpu_switch
netbox in the system namespace for
to1-p2.ussfo03.blade-group.net yields the following result:
$ ./run-jerikan scope to1-p2.ussfo03.blade-group.net continent: us environment: prod groups: - tor - tor-bgp - tor-bgp-compute host: to1-p2.ussfo03 location: ussfo03 member: '1' model: qfx5110-48s os: junos pod: '2' shorthost: to1-p2 [ ] Search paths: [ ] groups/tor-bgp-compute [ ] os/junos common $ ./run-jerikan lookup to1-p2.ussfo03.blade-group.net system netbox manufacturer: Juniper model: QFX5110-48S role: net_tor_gpu_switch
# In groups/adm-gateway/topology.yaml interface-rescue: address: "~ lookup('topology', 'addresses').rescue " up: - "~ip route add default via lookup('topology', 'addresses').rescue ipaddr('first_usable') table rescue" - "~ip rule add from lookup('topology', 'addresses').rescue ipaddr('address') table rescue priority 10" # In groups/adm-gateway-sk1/topology.yaml interfaces: ens1f0: "~ lookup('topology', 'interface-rescue') "
$ ./run-jerikan lookup gateway1.sk1.blade-group.net topology interfaces [ ] ens1f0: address: 121.78.242.10/29 up: - ip route add default via 121.78.242.9 table rescue - ip rule add from 121.78.242.10 table rescue priority 10
peers: transit: cogent: asn: 174 remote: - 38.140.30.233 - 2001:550:2:B::1F9:1 specific-import: - name: ATT-US as-path: ".*7018$" lp-delta: 50 ix-sfmix: rs-sfmix: monitored: true asn: 63055 remote: - 206.197.187.253 - 206.197.187.254 - 2001:504:30::ba06:3055:1 - 2001:504:30::ba06:3055:2 blizzard: asn: 57976 remote: - 206.197.187.42 - 2001:504:30::ba05:7976:1 irr: AS-BLIZZARD
build namespace:
$ ./run-jerikan lookup edge1.ussfo03.blade-group.net build templates data.yaml: data.j2 config.txt: junos/main.j2 config-base.txt: junos/base.j2 config-irr.txt: junos/irr.j2 $ ./run-jerikan lookup to1-p1.ussfo03.blade-group.net build templates data.yaml: data.j2 config.txt: cumulus/main.j2 frr.conf: cumulus/frr.j2 interfaces.conf: cumulus/interfaces.j2 ports.conf: cumulus/ports.j2 dhcpd.conf: cumulus/dhcp.j2 default-isc-dhcp: cumulus/default-isc-dhcp.j2 authorized_keys: cumulus/authorized-keys.j2 motd: linux/motd.j2 acl.rules: cumulus/acl.j2 rsyslog.conf: cumulus/rsyslog.conf.j2
ipaddr. Here is an excerpt of
templates/junos/base.j2 to configure DNS
and NTP servers on Juniper devices:
system ntp % for ntp in lookup("system", "ntp") % server ntp ; % endfor % name-server % for dns in lookup("system", "dns") % dns ; % endfor %
% for dns in lookup('system', 'dns') % domain vrf VRF-MANAGEMENT name-server dns % endfor % ! % for syslog in lookup('system', 'syslog') % logging syslog vrf VRF-MANAGEMENT % endfor % !
devices() returns the list of devices matching a set of
conditions on the scope. For example, devices("location==ussfo03",
"groups==tor-bgp") returns the list of devices in San Francisco in
the tor-bgp group. You can also omit the operator if you want the
specified value to be equal to the one in the local scope. For
example, devices("location") returns devices in the current
location.lookup() does a key lookup. It takes the namespace, the key, and
optionally, a device name. If not provided, the current device
is assumed.scope() returns the scope of the provided device.% for neighbor in devices("location", "groups==edge") if neighbor != device % % for address in lookup("topology", "addresses", neighbor).loopback tolist % protocols bgp group IPV address ipv -EDGES-IBGP neighbor address description "IPv address ipv : iBGP to neighbor "; % endfor % % endfor %
store() as a filter:
interface Loopback0 description 'Loopback:' % for address in lookup('topology', 'addresses').loopback tolist % ipv address ipv address address store('addresses', 'Loopback0') ipaddr('cidr') % endfor % !
store():4
% for device, ip, interface in store('addresses') % % set interface = interface replace('/', '-') replace('.', '-') replace(':', '-') % % set name = ' . '.format(interface lower, device) % name . IN 'A' if ip ipv4 else 'AAAA' ip ipaddr('address') % endfor %
./run-jerikan build. The
--limit argument restricts the devices to generate configuration
files for. Build is not done in parallel because a template may depend
on the data collected by another template. Currently, it takes 1
minute to compile around 3000 files spanning over 800 devices.
templates/opengear/config.j2:15: in top-level template code config.interfaces. interface .netmask adddress ipaddr("netmask") continent = 'us' device = 'con1-ag2.ussfo03.blade-group.net' environment = 'prod' host = 'con1-ag2.ussfo03' infos = 'address': '172.30.24.19/21' interface = 'wan' location = 'ussfo03' loop = <LoopContext 1/2> member = '2' model = 'cm7132-2-dac' os = 'opengear' shorthost = 'con1-ag2' _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ value = JerkianUndefined, query = 'netmask', version = False, alias = 'ipaddr' [ ] # Check if value is a list and parse each element if isinstance(value, (list, tuple, types.GeneratorType)): _ret = [ipaddr(element, str(query), version) for element in value] return [item for item in _ret if item] > elif not value or value is True: E jinja2.exceptions.UndefinedError: 'dict object' has no attribute 'adddress'
jerikan/jinja.py. Mastering
Jinja2 is a good investment. Take time to browse through our
templates as some of them show interesting features.
checks/ directory. Jerikan looks up the key checks
in the build namespace to know which checks to run:
$ ./run-jerikan lookup edge1.ussfo03.blade-group.net build checks - description: Juniper configuration file syntax check script: checks/junoser cache: input: config.txt output: config-set.txt - description: check YAML data script: checks/data.yaml cache: data.yaml
checks/junoser is executed if there is a
change to the generated config.txt file. It also outputs a
transformed version of the configuration file which is easier to
understand when using diff. Junoser checks a Junos configuration
file using Juniper s XML schema definition for Netconf.5 On
error, Jerikan displays:
jerikan/build.py:127: RuntimeError -------------- Captured syntax check with Junoser call -------------- P: checks/junoser edge2.ussfo03.blade-group.net C: /app/jerikan O: E: Invalid syntax: set system syslog archive size 10m files 10 word-readable S: 1
.gitlab-ci.yml
file. When we need to make a change, we create a dedicated branch and
a merge request. GitLab compiles the templates using the same
environment we use on our laptops and store them as an artifact.
ob1-n1.sk1.blade-group.net ansible_host=172.29.15.12 ansible_user=blade ansible_connection=network_cli ansible_network_os=ios ob2-n1.sk1.blade-group.net ansible_host=172.29.15.13 ansible_user=blade ansible_connection=network_cli ansible_network_os=ios ob1-n1.ussfo03.blade-group.net ansible_host=172.29.15.12 ansible_user=blade ansible_connection=network_cli ansible_network_os=ios none ansible_connection=local [oob] ob1-n1.sk1.blade-group.net ob2-n1.sk1.blade-group.net ob1-n1.ussfo03.blade-group.net [os-ios] ob1-n1.sk1.blade-group.net ob2-n1.sk1.blade-group.net ob1-n1.ussfo03.blade-group.net [model-c2960s] ob1-n1.sk1.blade-group.net ob2-n1.sk1.blade-group.net ob1-n1.ussfo03.blade-group.net [location-sk1] ob1-n1.sk1.blade-group.net ob2-n1.sk1.blade-group.net [location-ussfo03] ob1-n1.ussfo03.blade-group.net [in-sync] ob1-n1.sk1.blade-group.net ob2-n1.sk1.blade-group.net ob1-n1.ussfo03.blade-group.net none
in-sync is a special group for devices which configuration should
match the golden configuration. Daily and unattended, Ansible should
be able to push configurations to this group. The mid-term goal is to
cover all devices.
none is a special device for tasks not related to a specific host.
This includes synchronizing NetBox, IRR objects, and the DNS,
updating the RPKI, and building the geofeed files.
ansible/playbooks/site.yaml file.
Here is a shortened version:
- hosts: adm-gateway:!done strategy: mitogen_linear roles: - blade.linux - blade.adm-gateway - done - hosts: os-linux:!done strategy: mitogen_linear roles: - blade.linux - done - hosts: os-junos:!done gather_facts: false roles: - blade.junos - done - hosts: os-opengear:!done gather_facts: false roles: - blade.opengear - done - hosts: none:!done gather_facts: false roles: - blade.none - done
blade.junos role. Once a play has been executed, the
device is added to the done group and the other plays are skipped.
The playbook can be executed with the configuration files generated by
the GitLab CI using the ./run-ansible-gitlab command. This is a
wrapper around Docker and the ansible-playbook command and it
accepts the same arguments. To deploy the configuration on the edge
devices for the SK1 datacenter in check mode, we use:
$ ./run-ansible-gitlab playbooks/site.yaml --limit='edge:&location-sk1' --diff --check [ ] PLAY RECAP ************************************************************* edge1.sk1.blade-group.net : ok=6 changed=0 unreachable=0 failed=0 skipped=3 rescued=0 ignored=0 edge2.sk1.blade-group.net : ok=5 changed=0 unreachable=0 failed=0 skipped=1 rescued=0 ignored=0
--check must detect if a change is needed;--diff must provide a visualization of the planned changes;--check and --diff must not display anything if there is nothing to change;cisco.iosxr collection. The quality of Ansible
Galaxy collections is quite random and it is an additional
maintenance burden. It seems better to write roles tailored to our
needs. The collections we use are in
ci/ansible/ansible-galaxy.yaml. We use
Mitogen to get a 10 speedup on Ansible executions on Linux
hosts.
We also have a few playbooks for operational purpose: upgrading the OS
version, isolate an edge router, etc. We were also planning on how to
add operational checks in roles: are all the BGP sessions up? They
could have been used to validate a deployment and rollback if there is
an issue.
Currently, our playbooks are run from our laptops. To keep tabs, we
are using ARA. A weekly dry-run on devices in the in-sync group
also provides a dashboard on which devices we need to run Ansible
on.
$ ansible --version ansible 2.10.8 [ ] $ cat test.j2 Hello name ! $ ansible all -i localhost, \ > --connection=local \ > -m template \ > -a "src=test.j2 dest=test.txt" localhost FAILED! => "changed": false, "msg": "AnsibleUndefinedVariable: 'name' is undefined"
jerikan/jinja.py. This is a remain of the
fact we do not maintain Jerikan as a standalone software.
store() filter and a
store() function. With Jinja2, filters and functions live in
two different namespaces.
ansible/roles/blade.linux/tasks/firewall.yaml
and
ansible/roles/blade.linux/tasks/interfaces.yaml.
They are meant to be called when needed, using import_role.
$_vbe_prompt_compact
set to 1 when we want a compact prompt. We use the
following function to define the prompt appearance:
_vbe_prompt () local retval=$? # When compact, just time + prompt sign if (( $_vbe_prompt_compact )); then # Current time (with timezone for remote hosts) _vbe_prompt_segment cyan default "%D %H:%M$ SSH_TTY+ %Z " # Hostname for remote hosts [[ $SSH_TTY ]] && \ _vbe_prompt_segment black magenta "%B%M%b" # Status of the last command if (( $retval )); then _vbe_prompt_segment red default $ PRCH[reta] else _vbe_prompt_segment green cyan $ PRCH[ok] fi # End of prompt _vbe_prompt_end return fi # Regular prompt with many information # [ ] setopt prompt_subst PS1='$(_vbe_prompt) '
Update (2021.05) The following part has been rewritten to be more robust. The code is stolen from Powerlevel10k s issue #888. See the comments for more details.
_vbe-zle-line-init() [[ $CONTEXT == start ]] return 0 # Start regular line editor (( $+zle_bracketed_paste )) && print -r -n - $zle_bracketed_paste[1] zle .recursive-edit local -i ret=$? (( $+zle_bracketed_paste )) && print -r -n - $zle_bracketed_paste[2] # If we received EOT, we exit the shell if [[ $ret == 0 && $KEYS == $'\4' ]]; then _vbe_prompt_compact=1 zle .reset-prompt exit fi # Line edition is over. Shorten the current prompt. _vbe_prompt_compact=1 zle .reset-prompt unset _vbe_prompt_compact if (( ret )); then # Ctrl-C zle .send-break else # Enter zle .accept-line fi return ret zle -N zle-line-init _vbe-zle-line-init
bind-key -T copy-mode M-w \ send -X copy-pipe-and-cancel "sed 's/ .* /%/g' xclip -i -selection clipboard" \;\ display-message "Selection saved to clipboard!"
14:21 % ssh eizo.luffy.cx Linux eizo 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64 Last login: Fri Apr 23 14:20:39 2021 from 2a01:cb00:3f:b02:9db6:efa4:d85:7f9f 14:21 CEST % uname -a Linux eizo 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64 GNU/Linux 14:21 CEST % Connection to eizo.luffy.cx closed. 14:22 % git status On branch article/zsh-transient Untracked files: (use "git add <file>..." to include in what will be committed) ../../media/images/zsh-compact-prompt@2x.jpg nothing added to commit but untracked files present (use "git add" to track)
:wq for today.
Linux draws a distinction between code running in kernel (kernel space) and applications running in userland (user space). This is enforced at the hardware level - in x86-speak[1], kernel space code runs in ring 0 and user space code runs in ring 3[2]. If you're running in ring 3 and you attempt to touch memory that's only accessible in ring 0, the hardware will raise a fault. No matter how privileged your ring 3 code, you don't get to touch ring 0.
(Blogging this, since this is a recurring anti-pattern I noticed at several customers and often comes up during deployments of 3rd party repositories.)
Update on 2021-02-19: clarified, that Signed-By requires apt >= 1.1, thanks Vincent Bernat
Many upstream projects provide Debian repository instructions like this:
curl -fsSL https://example.com/stable/debian.gpg sudo apt-key add -Do not follow this, for different reasons, including:
% curl -fsSL -o buster.gpg https://pkgs.tailscale.com/stable/debian/buster.gpg
% gpg --keyid-format long buster.gpg
gpg: WARNING: no command supplied. Trying to guess what you mean ...
pub rsa4096/458CA832957F5868 2020-02-25 [SC]
2596A99EAAB33821893C0A79458CA832957F5868
uid Tailscale Inc. (Package repository signing key) <info@tailscale.com>
sub rsa4096/B1547A3DDAAF03C6 2020-02-25 [E]
% file buster.gpg
buster.gpg: PGP public key block Public-Key (old)
If you have apt version >= 1.4 available (Debian >=stretch/9 and Ubuntu >=bionic/18.04), you can use this file directly as follows:
% sudo mv buster.gpg /usr/share/keyrings/tailscale.asc % cat /etc/apt/sources.list.d/tailscale.list deb [signed-by=/usr/share/keyrings/tailscale.asc] https://pkgs.tailscale.com/stable/debian buster main % sudo apt update [...]And you re done! Iff your apt version really is older than 1.4, you need to convert the ascii-armored GPG file into a GPG key public ring file (AKA binary OpenPGP format), either by just dearmor-ing it (if you don t care about checking ID + fingerprint):
% gpg --dearmor < buster.gpg > tailscale.gpgor if you prefer to go via GPG, you can also use a temporary GPG home directory (if you don t care about going through your personal GPG setup):
% mkdir --mode=700 /tmp/gpg-tmpdir % gpg --homedir /tmp/gpg-tmpdir --import ./buster.gpg gpg: keybox '/tmp/gpg-tmpdir/pubring.kbx' created gpg: /tmp/gpg-tmpdir/trustdb.gpg: trustdb created gpg: key 458CA832957F5868: public key "Tailscale Inc. (Package repository signing key) <info@tailscale.com>" imported gpg: Total number processed: 1 gpg: imported: 1 % gpg --homedir /tmp/gpg-tmpdir --output tailscale.gpg --export-options=export-minimal --export 0x458CA832957F5868 % rm -rf /tmp/gpg-tmpdirThe resulting GPG key public ring file should look like that:
% file tailscale.gpg
tailscale.gpg: PGP/GPG key public ring (v4) created Tue Feb 25 04:51:20 2020 RSA (Encrypt or Sign) 4096 bits MPI=0xc00399b10bc12858...
% gpg tailscale.gpg
gpg: WARNING: no command supplied. Trying to guess what you mean ...
pub rsa4096/458CA832957F5868 2020-02-25 [SC]
2596A99EAAB33821893C0A79458CA832957F5868
uid Tailscale Inc. (Package repository signing key) <info@tailscale.com>
sub rsa4096/B1547A3DDAAF03C6 2020-02-25 [E]
Then you can use this GPG file on your system as follows:
% sudo mv tailscale.gpg /usr/share/keyrings/tailscale.gpg % cat /etc/apt/sources.list.d/tailscale.list deb [signed-by=/usr/share/keyrings/tailscale.gpg] https://pkgs.tailscale.com/stable/debian buster main % sudo apt update [...]Such a setup ensures:
Just over 7 months ago, I
blogged
about extrepo, my answer to the
"how do you safely install software on Debian without downloading random
scripts off the Internet and running them as root" question. I also held
a
talk
during the recent "MiniDebConf Online" that was held, well, online.
The most important part of extrepo is "what can you install through it".
If the number of available repositories is too low, there's really no
reason to use it. So, I thought, let's look what we have after 7
months...
To cut to the chase, there's a bunch of interesting content there, although not all of it has a "main" policy. Each of these can be enabled by installing extrepo, and then running extrepo enable <reponame>, where <reponame> is the name of the repository.
Note that the list is not exhaustive, but I intend to show that even though we're nowhere near complete, extrepo is already quite useful in its current state:
debian_official, debian_backports, and debian_experimental repositories contain Debian's official, backports, and experimental repositories, respectively. These shouldn't have to be managed through extrepo, but then again it might be useful for someone, so I decided to just add them anyway. The config here uses the deb.debian.org alias for CDN-backed package mirrors.belgium_eid repository contains the Belgian eID software. Obviously this is added, since I'm upstream for eID, and as such it was a large motivating factor for me to actually write extrepo in the first place.elastic: the elasticsearch software.dovecot, winehq and bareos
contain upstream versions of their respective software. These two repositories contain software that is available in Debian, too; but their upstreams package their most recent release independently, and some people might prefer to run those instead.sury, fai, and postgresql repositories, as well as a number of repositories such as openstack_rocky, openstack_train, haproxy-1.5 and haproxy-2.0 (there are more) contain more recent versions of software packaged in Debian already by the same maintainer of that package repository. For the sury repository, that is PHP; for the others, the name should give it away.
The difference between these repositories and the ones above is that it is the official Debian maintainer for the same software who maintains the repository, which is not the case for the others.vscodium repository contains the unencumbered version of Microsoft's Visual Studio Code; i.e., the codium version of Visual Studio Code is to code as the chromium browser is to chrome: it is a build of the same softare, but without the non-free bits that make code not entirely Free Software.extrepo, too. The iridiumbrowser repository contains a Chromium-based browser that focuses on privacy.torproject repository.kubernetes repository that contains the Kubernetes stack, the as well as the google_cloud one containing the Google Cloud SDK.extrepo, please note that non-free and contrib repositories are disabled by default. In order to enable these repositories, you must first enable them; this can be accomplished through /etc/extrepo/config.yaml.
vscode repository contains it.msteams repository. And, hey, skype.opera and google_chrome.docker-ce repository contains the official build of Docker CE. While this is the free "community edition" that should have free licenses, I could not find a licensing statement anywhere, and therefore I'm not 100% sure whether this repository is actually free software. For that reason, it is currently marked as a non-free one. Merge Requests for rectifying that from someone with more information on the actual licensing situation of Docker CE would be welcome...steam repository.
Here is my monthly update covering what I have been doing in the free software world during November 2020 (previous month):
build_path_captured_by_pyuic5, build_path_captured_by_octave & build_path_captured_by_nim.
SOURCE_DATE_EPOCH is not Debian specific [...] and make a number of misc cosmetic changes [...][...].--load-existing-diff command. [...]diffoscope-minimal package that was introduced by Mattia Rizzolo has a different short description from the primary diffoscope one. [...]2.2.17-1 & 3.1.3-1) New upstream releases.
1.6.9+dfsg-1) New upstream release.
2.101.0, 2.102.0, 2.103.0 & 2.104.0) New upstream releases.
2.14) Mark an autopkgtest as 'superficial'. (#974491)
2.1-1) New upstream release.
3.1.2+dfsg-3) Re-upload a previous QA upload of mine (3.1.2+dfsg-2) to ensure the package's transition to the testing distribution. (#974872)
minidlna package which could not be successfully purged from the system without reporting a cannot remove '/var/log/minidlna' error. (#975372)
codemirror-js, glibc, jupyter-notebook, krb5, libhibernate3-java, raptor2, spice-vdagent & webcit.
CVE-2020-26939)
gdm3) where gdm3 detecting any users may have caused gdm3 to launch the initial system setup, permitting the creation of new users with superuser capabilities. (CVE-2020-16125)
sddm display manager. Here, local and unprivileged users could create a connection to the X server. (CVE-2020-28049)
CVE-2020-28196)
raptor2, a set of parsers for Resource Description Framework (RDF) files used in LibreOffice and other applications. (CVE-2017-18926)
CVE-2020-28948 & CVE-2020-28949)
TL;DR
Do not redefine option 43. Instead, specify the vendor
option space to use to encode parameters with vendor-option-space.
Dynamic Host Configuration Protocol (Request)
Message type: Boot Request (1)
Hardware type: Ethernet (0x01)
Hardware address length: 6
Hops: 0
Transaction ID: 0x44e3a7c9
Seconds elapsed: 0
Bootp flags: 0x8000, Broadcast flag (Broadcast)
Client IP address: 0.0.0.0
Your (client) IP address: 0.0.0.0
Next server IP address: 0.0.0.0
Relay agent IP address: 0.0.0.0
Client MAC address: 02:00:00:00:00:01 (02:00:00:00:00:01)
Client hardware address padding: 00000000000000000000
Server host name not given
Boot file name not given
Magic cookie: DHCP
Option: (54) DHCP Server Identifier (10.0.2.2)
Option: (55) Parameter Request List
Length: 14
Parameter Request List Item: (3) Router
Parameter Request List Item: (51) IP Address Lease Time
Parameter Request List Item: (1) Subnet Mask
Parameter Request List Item: (15) Domain Name
Parameter Request List Item: (6) Domain Name Server
Parameter Request List Item: (66) TFTP Server Name
Parameter Request List Item: (67) Bootfile name
Parameter Request List Item: (120) SIP Servers
Parameter Request List Item: (44) NetBIOS over TCP/IP Name Server
Parameter Request List Item: (43) Vendor-Specific Information
Parameter Request List Item: (150) TFTP Server Address
Parameter Request List Item: (12) Host Name
Parameter Request List Item: (7) Log Server
Parameter Request List Item: (42) Network Time Protocol Servers
Option: (50) Requested IP Address (10.0.2.15)
Option: (53) DHCP Message Type (Request)
Option: (60) Vendor class identifier
Length: 15
Vendor class identifier: Juniper-mx10003
Option: (51) IP Address Lease Time
Option: (12) Host Name
Option: (255) End
Padding: 00
option NEW_OP-encapsulation code 43 = encapsulate NEW_OP;
# Juniper vendor option space option space juniper; option juniper.image-file-name code 0 = text; option juniper.config-file-name code 1 = text; option juniper.image-file-type code 2 = text; option juniper.transfer-mode code 3 = text; option juniper.alt-image-file-name code 4 = text; option juniper.http-port code 5 = text;
class "juniper-mx10003" match if (option vendor-class-identifier = "Juniper-mx10003") vendor-option-space juniper; option juniper.transfer-mode "http"; option juniper.image-file-name "/images/junos-vmhost-install-mx-x86-64-19.3R2-S4.5.tgz"; option juniper.config-file-name "/cfg/juniper-mx10003.txt";
Dynamic Host Configuration Protocol (ACK)
Message type: Boot Reply (2)
Hardware type: Ethernet (0x01)
Hardware address length: 6
Hops: 0
Transaction ID: 0x44e3a7c9
Seconds elapsed: 0
Bootp flags: 0x8000, Broadcast flag (Broadcast)
Client IP address: 0.0.0.0
Your (client) IP address: 10.0.2.15
Next server IP address: 0.0.0.0
Relay agent IP address: 0.0.0.0
Client MAC address: 02:00:00:00:00:01 (02:00:00:00:00:01)
Client hardware address padding: 00000000000000000000
Server host name not given
Boot file name not given
Magic cookie: DHCP
Option: (53) DHCP Message Type (ACK)
Option: (54) DHCP Server Identifier (10.0.2.2)
Option: (51) IP Address Lease Time
Option: (1) Subnet Mask (255.255.255.0)
Option: (3) Router
Option: (6) Domain Name Server
Option: (43) Vendor-Specific Information
Length: 89
Value: 00362f696d616765732f6a756e6f732d766d686f73742d69
Option: (150) TFTP Server Address
Option: (255) End
vendor-option-space directive allows you to make different ZTP
implementations coexist. For example, you can add the option space for
PXE:
option space PXE; option PXE.mtftp-ip code 1 = ip-address; option PXE.mtftp-cport code 2 = unsigned integer 16; option PXE.mtftp-sport code 3 = unsigned integer 16; option PXE.mtftp-tmout code 4 = unsigned integer 8; option PXE.mtftp-delay code 5 = unsigned integer 8; option PXE.discovery-control code 6 = unsigned integer 8; option PXE.discovery-mcast-addr code 7 = ip-address; option PXE.boot-server code 8 = unsigned integer 16, unsigned integer 8, ip-address ; option PXE.boot-menu code 9 = unsigned integer 16, unsigned integer 8, text ; option PXE.menu-prompt code 10 = unsigned integer 8, text ; option PXE.boot-item code 71 = unsigned integer 32; class "pxeclients" match if substring (option vendor-class-identifier, 0, 9) = "PXEClient"; vendor-option-space PXE; option PXE.mtftp-ip 10.0.2.2; # [ ]
issoPackage = with pkgs.python3Packages; buildPythonPackage rec pname = "isso"; version = "custom"; src = pkgs.fetchFromGitHub # Use my fork owner = "vincentbernat"; repo = pname; rev = "vbe/master"; sha256 = "0vkkvjcvcjcdzdj73qig32hqgjly8n3ln2djzmhshc04i6g9z07j"; ; propagatedBuildInputs = [ itsdangerous jinja2 misaka html5lib werkzeug bleach flask-caching ]; buildInputs = [ cffi ]; checkInputs = [ nose ]; checkPhase = '' $ python.interpreter setup.py nosetests ''; ;
"$ issoEnv /bin/gunicorn", like with a virtual
environment.
issoEnv = pkgs.python3.buildEnv.override extraLibs = [ issoPackage pkgs.python3Packages.gunicorn pkgs.python3Packages.gevent ]; ;
issoConfig = pkgs.writeText "isso.conf" '' [general] dbpath = /db/comments.db host = https://vincent.bernat.ch http://localhost:8080 notify = smtp [ ] '';
Dockerfile:
issoDockerImage = pkgs.dockerTools.buildImage name = "isso"; tag = "latest"; extraCommands = '' mkdir -p db ''; config = Cmd = [ "$ issoEnv /bin/gunicorn" "--name" "isso" "--bind" "0.0.0.0:$ port " "--worker-class" "gevent" "--workers" "2" "--worker-tmp-dir" "/dev/shm" "--preload" "isso.run" ]; Env = [ "ISSO_SETTINGS=$ issoConfig " "SSL_CERT_FILE=$ pkgs.cacert /etc/ssl/certs/ca-bundle.crt" ]; ; ;
issoEnv derivation in config.Cmd, the
whole derivation, including Isso and Gunicorn, is copied inside the
Docker image. The same applies for issoConfig, the configuration
file we created earlier, and pkgs.cacert, the derivation containing
trusted root certificates. The resulting image is 171 MB once
installed, which is comparable to the Debian Buster image generated by
the official Dockerfile.
NixOS features an abstraction to run Docker containers. It is not
currently documented in NixOS manual but you can look at the source
code of the module for the available options. I choose to use
Podman instead of Docker as the backend because it does not
require running an additional daemon.
virtualisation.oci-containers = backend = "podman"; containers = isso = image = "isso"; imageFile = issoDockerImage; ports = ["127.0.0.1:$ port :$ port "]; volumes = [ "/var/db/isso:/db" ]; ; ; ;
$ systemctl status podman-isso.service podman-isso.service Loaded: loaded (/nix/store/a66gzqqwcdzbh99sz8zz5l5xl8r8ag7w-unit-> Active: active (running) since Sun 2020-11-01 16:04:16 UTC; 4min 44s ago Process: 14564 ExecStartPre=/nix/store/95zfn4vg4867gzxz1gw7nxayqcl> Main PID: 14697 (podman) IP: 0B in, 0B out Tasks: 10 (limit: 2313) Memory: 221.3M CPU: 10.058s CGroup: /system.slice/podman-isso.service 14697 /nix/store/pn52xgn1wb2vr2kirq3xj8ij0rys35mf-podma> 14802 /nix/store/7vsba54k6ag4cfsfp95rvjzqf6rab865-conmo> nov. 01 16:04:17 web03 podman[14697]: container init (image=localhost/isso:latest) nov. 01 16:04:17 web03 podman[14697]: container start (image=localhost/isso:latest) nov. 01 16:04:17 web03 podman[14697]: container attach (image=localhost/isso:latest) nov. 01 16:04:19 web03 conmon[14802]: INFO: connected to SMTP server nov. 01 16:04:19 web03 conmon[14802]: INFO: connected to https://vincent.bernat.ch nov. 01 16:04:19 web03 conmon[14802]: [INFO] Starting gunicorn 20.0.4 nov. 01 16:04:19 web03 conmon[14802]: [INFO] Listening at: http://0.0.0.0:8080 (1) nov. 01 16:04:19 web03 conmon[14802]: [INFO] Using worker: gevent nov. 01 16:04:19 web03 conmon[14802]: [INFO] Booting worker with pid: 8 nov. 01 16:04:19 web03 conmon[14802]: [INFO] Booting worker with pid: 9
comments.luffy.cx to the container. NixOS provides a simple
integration to grab a Let s Encrypt certificate.
services.nginx.virtualHosts."comments.luffy.cx" = root = "/data/webserver/comments.luffy.cx"; enableACME = true; forceSSL = true; extraConfig = '' access_log /var/log/nginx/comments.luffy.cx.log anonymous; ''; locations."/" = proxyPass = "http://127.0.0.1:$ port "; extraConfig = '' proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $host; proxy_set_header X-Forwarded-Proto $scheme; proxy_hide_header Set-Cookie; proxy_hide_header X-Set-Cookie; proxy_ignore_headers Set-Cookie; ''; ; ; security.acme.certs."comments.luffy.cx" = email = lib.concatStringsSep "@" [ "letsencrypt" "vincent.bernat.ch" ]; ;
rr.ntt.net or whois.radb.net can be a bottleneck. Updating many
filters may take several tens of minutes, depending on the load:
$ time bgpq4 -h whois.radb.net AS-HURRICANE wc -l 909869 1.96s user 0.15s system 2% cpu 1:17.64 total $ time bgpq4 -h rr.ntt.net AS-HURRICANE wc -l 927865 1.86s user 0.08s system 12% cpu 14.098 total
$ git clone https://github.com/vincentbernat/irrd-legacy.git -b blade/master $ cd irrd-legacy $ docker build . -t irrd-snapshot:latest [ ] Successfully built 58c3e83a1d18 Successfully tagged irrd-snapshot:latest $ docker container run --rm --detach --publish=43:43 irrd-snapshot 4879cfe7413075a0c217089dcac91ed356424c6b88808d8fcb01dc00eafcc8c7 $ time bgpq4 -h localhost AS-HURRICANE wc -l 904137 1.72s user 0.11s system 96% cpu 1.881 total
rr.ntt.net:
NTTCOM, RADB, RIPE, ALTDB, BELL, LEVEL3, RGNET, APNIC, JPIRR, ARIN,
BBOI, TC, AFRINIC, ARIN-WHOIS, and REGISTROBR. However, it misses
RPKI.2 Feel free to adapt!
The image can be scheduled to be rebuilt daily or weekly, depending on
your needs. The repository includes a .gitlab-ci.yaml
file automating the build and triggering the compilation
of all filters by your CI/CD upon success.
rpki-client and
transformed into RPSL objects to be imported in IRRd.
whois and
bgpq4. The first one allows you to do a query with the WHOIS
protocol:
$ whois -BrG 2a0a:e805:400::/40 [ ] inet6num: 2a0a:e805:400::/40 netname: FR-BLADE-CUSTOMERS-DE country: DE geoloc: 50.1109 8.6821 admin-c: BN2763-RIPE tech-c: BN2763-RIPE status: ASSIGNED mnt-by: fr-blade-1-mnt remarks: synced with cmdb created: 2020-05-19T08:04:58Z last-modified: 2020-05-19T08:04:58Z source: RIPE route6: 2a0a:e805:400::/40 descr: Blade IPv6 - AMS1 origin: AS64476 mnt-by: fr-blade-1-mnt remarks: synced with cmdb created: 2019-10-01T08:19:34Z last-modified: 2020-05-19T08:05:00Z source: RIPE
$ bgpq4 -6 -S RIPE -b AS64476 NN = [ 2a0a:e805::/40, 2a0a:e805:100::/40, 2a0a:e805:300::/40, 2a0a:e805:400::/40, 2a0a:e805:500::/40 ];
Notice I recommend that you read Writing a custom Ansible module as an introduction, as well as Syncing MySQL tables for a more instructive example.
- name: prepare RIPE objects irr_sync: irr: RIPE mntner: fr-blade-1-mnt source: whois-ripe.txt register: irr
- name: sign RIPE objects shell: cmd: gpg --batch --user noc@example.com --clearsign stdin: " irr.objects " register: signed check_mode: false changed_when: false - name: update RIPE objects by email mail: subject: "NEW: update for RIPE" from: noc@example.com to: "auto-dbm@ripe.net" cc: noc@example.com host: smtp.example.com port: 25 charset: us-ascii body: " signed.stdout "
key-cert object and adding it as a valid authentication
method for the corresponding mntner object:
key-cert: PGPKEY-A791AAAB certif: -----BEGIN PGP PUBLIC KEY BLOCK----- certif: certif: mQGNBF8TLY8BDADEwP3a6/vRhEERBIaPUAFnr23zKCNt5YhWRZyt50mKq1RmQBBY [ ] certif: -----END PGP PUBLIC KEY BLOCK----- mnt-by: fr-blade-1-mnt source: RIPE mntner: fr-blade-1-mnt [ ] auth: PGPKEY-A791AAAB mnt-by: fr-blade-1-mnt source: RIPE
module_args = dict( irr=dict(type='str', required=True), mntner=dict(type='str', required=True), source=dict(type='path', required=True), ) result = dict( changed=False, ) module = AnsibleModule( argument_spec=module_args, supports_check_mode=True )
whois command to retrieve all
the objects from the provided maintainer.
# Per-IRR variations: # - whois server whois = 'ARIN': 'rr.arin.net', 'RIPE': 'whois.ripe.net', 'APNIC': 'whois.apnic.net' # - whois options options = 'ARIN': ['-r'], 'RIPE': ['-BrG'], 'APNIC': ['-BrG'] # - objects excluded from synchronization excluded = ["domain"] if irr == "ARIN": # ARIN does not return these objects excluded.extend([ "key-cert", "mntner", ]) # Grab existing objects args = ["-h", whois[irr], "-s", irr, *options[irr], "-i", "mnt-by", module.params['mntner']] proc = subprocess.run("whois", *args, capture_output=True) if proc.returncode != 0: raise AnsibleError( f"unable to query whois: args ") output = proc.stdout.decode('ascii') got = extract(output, excluded)
whois command and the
objects to exclude from synchronization. The second part invokes the
whois command, requesting all objects whose mnt-by field is the
provided maintainer. Here is an example of output:
$ whois -h whois.ripe.net -s RIPE -BrG -i mnt-by fr-blade-1-mnt [ ] inet6num: 2a0a:e805:300::/40 netname: FR-BLADE-CUSTOMERS-FR country: FR geoloc: 48.8566 2.3522 admin-c: BN2763-RIPE tech-c: BN2763-RIPE status: ASSIGNED mnt-by: fr-blade-1-mnt remarks: synced with cmdb created: 2020-05-19T08:04:59Z last-modified: 2020-05-19T08:04:59Z source: RIPE [ ] route6: 2a0a:e805:300::/40 descr: Blade IPv6 - PA1 origin: AS64476 mnt-by: fr-blade-1-mnt remarks: synced with cmdb created: 2019-10-01T08:19:34Z last-modified: 2020-05-19T08:05:00Z source: RIPE [ ]
extract() function. It parses and
normalizes the results into a dictionary mapping object names to
objects. We store the result in the got variable.
def extract(raw, excluded): """Extract objects.""" # First step, remove comments and unwanted lines objects = "\n".join([obj for obj in raw.split("\n") if not obj.startswith(( "#", "%", ))]) # Second step, split objects objects = [RPSLObject(obj.strip()) for obj in re.split(r"\n\n+", objects) if obj.strip() and not obj.startswith( tuple(f" x :" for x in excluded))] # Last step, put objects in a dict objects = repr(obj): obj for obj in objects return objects
RPSLObject() is a class enabling normalization and comparison of
objects. Look at the module code for more details.
>>> output=""" ... inet6num: 2a0a:e805:300::/40 ... [ ] ... """ >>> pprint( k: str(v) for k,v in extract(output, excluded=[]) ) '<Object:inet6num:2a0a:e805:300::/40>': 'inet6num: 2a0a:e805:300::/40\n' 'netname: FR-BLADE-CUSTOMERS-FR\n' 'country: FR\n' 'geoloc: 48.8566 2.3522\n' 'admin-c: BN2763-RIPE\n' 'tech-c: BN2763-RIPE\n' 'status: ASSIGNED\n' 'mnt-by: fr-blade-1-mnt\n' 'remarks: synced with cmdb\n' 'source: RIPE', '<Object:route6:2a0a:e805:300::/40>': 'route6: 2a0a:e805:300::/40\n' 'descr: Blade IPv6 - PA1\n' 'origin: AS64476\n' 'mnt-by: fr-blade-1-mnt\n' 'remarks: synced with cmdb\n' 'source: RIPE'
wanted dictionary using the same structure, thanks
to the extract() function we can use verbatim:
with open(module.params['source']) as f: source = f.read() wanted = extract(source, excluded)
got and wanted to build the diff
object:
if got != wanted: result['changed'] = True if module._diff: result['diff'] = [ dict(before_header=k, after_header=k, before=str(got.get(k, "")), after=str(wanted.get(k, ""))) for k in set((*wanted.keys(), *got.keys())) if k not in wanted or k not in got or wanted[k] != got[k]]
source variable) and let
the IRR ignore unmodified objects. We also append the objects to be
deleted by adding a delete: attribute to each them them.
# We send all source objects and deleted objects. deleted_mark = f" 'delete:':16 deleted by CMDB" deleted = "\n\n".join([f" got[k].raw \n deleted_mark " for k in got if k not in wanted]) result['objects'] = f" source \n\n deleted " module.exit_json(**result)
--diff and --check flags. It does not return
anything if no change is detected. It can work with APNIC, RIPE and
ARIN. It is not perfect: it may not detect some changes,3 it
is not able to modify objects not owned by the provided
maintainer4 and some attributes cannot be modified, requiring
to manually delete and recreate the updated object.5 However,
this module should automate 95% of your needs.
key-cert and mntner objects
and therefore we cannot detect changes in them. It is also not
possible to detect changes to the auth mechanisms of a mntner
object.
inetnum object requires
deleting and recreating the object.
vrrp_instance gateway1 state BACKUP # interface eth0 # virtual_router_id 12 # priority 101 # virtual_ipaddress 2001:db8:ff/64
state keyword in instructs Keepalived to not take the leader
role when starting. Otherwise, incoming nodes create a temporary
disruption by taking over the IP address until the election settles.
The interface keyword in defines the interface for sending and
receiving VRRP packets. It is also the default interface to configure
the virtual IP address. The virtual_router_id directive in is
common to all nodes sharing the virtual IP. The priority keyword in
helps choosing which router will be elected as leader. If you need
more information around Keepalived, be sure to check the
documentation.
VRRP design is tied to Ethernet networks and requires a
multicast-enabled network for communication between nodes. In some
environments, notably public clouds, multicast is unavailable. In this
case, Keepalived can send VRRP packets using unicast:
vrrp_instance gateway1 state BACKUP interface eth0 virtual_router_id 12 priority 101 unicast_peer 2001:db8::11 2001:db8::12 virtual_ipaddress 2001:db8:ff/64 dev lo
notify_* scripts.
Until version 2.21 (not released yet), the interface directive is
mandatory and Keepalived will transmit and receive VRRP packets on
this interface only. If peers are reachable through several
interfaces, like on a BGP on the host setup, you need a
workaround. A simple one is to use a VXLAN interface:
$ ip -6 link add keepalived6 type vxlan id 6 dstport 4789 local 2001:db8::10 nolearning $ bridge fdb append 00:00:00:00:00:00 dev keepalived6 dst 2001:db8::11 $ bridge fdb append 00:00:00:00:00:00 dev keepalived6 dst 2001:db8::12 $ ip link set up dev keepalived6
vrrp_instance gateway1 state BACKUP interface keepalived6 mcast_src_ip 2001:db8::10 virtual_router_id 12 priority 101 virtual_ipaddress 2001:db8:ff/64 dev lo
unicast_peer can be used without
the interface directive. I think using VXLAN is still a
neat trick applicable to other situations where communication using
broadcast or multicast is needed, while the underlying network provide
no support for this.
Next.