Ansible make static dns record in Microsoft DNS

If you have a heterogeneous datacenter with GNU/Linux and Microsoft servers, you might run into this problem.

When you want to create dynamic DNS records programmatically, you can use the nsupdate module. It doesn’t work with GSS-TSIG (gsstsig) auth, which is the only way AD DNS accepts “secure updates”, so I previously wrote a wrapper for that. Creating static records, however, is a little bit harder. With the help of my Windows teammates, I now have a working solution for making static records in AD DNS, complete with the reverse PTR records.

Dependencies

  • A Windows Server 2016 client with RSAT with DNS installed. Apparently regular RSAT isn’t enough. I don’t know what’s involved in installing the right components, so if anybody could share your notes for how that works, comment at the end here.
  • Winrm with kerberos auth enabled

The tricky part here was learning how to elevate privileges once connected to the Windows client.

Playbook

---
- name: playbook that creates static DNS records, both A and PTR, through the windows utility box
  hosts: localhost
  vars_files:
  - /etc/ansible/creds/windows_service_account.yml

  tasks:

  # Register the RSAT box as an in-memory inventory host so the DNS task can be delegated to it.
  - add_host:
      group: rsat
      name: "rsat01.ad.example.com"
      ansible_connection: winrm
      # "ignore" skips checking the WinRM listener's TLS certificate; trust the issuing CA instead where you can.
      ansible_winrm_server_cert_validation: ignore
      ansible_user: "{{ win_ansible_user }}"
      ansible_ssh_pass: "{{ win_ansible_ssh_pass }}"
      ansible_port: "5986"
      ansible_winrm_scheme: https
      ansible_winrm_transport: kerberos
      ansible_host: rsat01.ad.example.com
    changed_when: false
    no_log: true

  - set_fact:
      ansible_winrm_server_cert_validation: ignore

  # become via runas is the privilege elevation mentioned above; the DNS cmdlets need it.
  - name: make static a and ptr records, ad
    win_shell: Add-DnsServerResourceRecord -ComputerName ad.example.com -ZoneName ad.example.com -A -Name newhost1 -IPv4Address 10.234.56.78 -CreatePtr
    become: yes
    become_method: runas
    become_user: "{{ win_ansible_user }}"
    delegate_to: rsat01.ad.example.com
    vars:
      ansible_winrm_transport: kerberos

...

References

  1. How to make ansible connect to windows host behind linux jump server – ExceptionsHub
  2. Add-DnsServerResourceRecord [microsoft.com]
  3. Understanding Privilege Escalation — Ansible Documentation

Making my HTPC easier for non-technical people to use

I have an Ubuntu 16.04 instance (I’m not proud) because at the time, Kodi only supported 16.04 of the Ubuntu family and I didn’t feel like compiling it myself on another platform, or depending on prebuilt binaries (if that’s even an option). I ended up not really liking the 10-foot interface that Kodi had to offer (and it seemed to really stink at populating its indices of my own local content!), and I really like the paradigm of a desktop environment with traditional file manager and media player programs. So I will reimage the system with Devuan at some point, but that’s another day’s problem.
One of the little issues that I have discovered somehow between PulseAudio and HDMI is that upon each boot, the default audio out is the built-in speakers in the computer case. I have to manually adjust pavucontrol to set it to be the HDMI out audio that sends it to the big screen.
I decided to automate this so others don’t have to know what option to select on what tab in what program in order to get the sound to go to the TV. I remember (fondly, actually) my automation days in obsolete, proprietary OSes using AutoHotKey. A great way to simulate key presses in X11 (because Wayland seems as scary as systemd or pulseaudio) is to use xdotool (which I’ve written about before).
Using my tried-and-true desktop-file-calls-shell-script method, I have whipped up a nice desktop icon for the user to call after first logging in.

[Desktop Entry]
Name=Output audio to HDMI
Exec=/home/kodi/bin/set-sound.sh
Type=Application
StartupNotify=true
Path=/home/kodi
Icon=multimedia-volume-control
StartupWMClass=pavucontrol
Terminal=true
Comment=Configures pulseaudio to send audio to HDMI automatically

And the shell script:

#!/bin/sh -x
# goal: set sound to have audio output to HDMI for the television.
# startdate: 2019-08-01 22:09
# dependencies:
#    pavucontrol
#    xdotool

pavucontrol &
sleep .5
xdotool key --delay 25 alt+c Down alt+Down End Up Up Up Return
# Return
# 3 up buttons to select the option fourth from the bottom in the list.
# this is very hard-coded for the kodi machine in the living room.

The hard part of course was finding how to notate the different keystrokes very precisely, with the capitalization and special characters.

Auxiliary info and asides

Pro tip: Don’t ever configure “Alt+F4” in an xdotool script, especially when you load it up into ~/.config/autostart, and not bound to a specific window class. I really messed up the Xfce session almost permanently because I magically closed out xfwm, xfdesktop, and I think even xfpanel. That was embarrassing, big-time. Took me a while to even figure out what I had done. I couldn’t figure out how to use the “search” window stack population function of xdotool, to identify the pavucontrol window, so I couldn’t restrict my simulated keypresses to just pavucontrol. I also learned later that when the terminal window running the shell script is terminated, it kills even the backgrounded job of pavucontrol, so no ALT+F4 was required.
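The missing piece described above, as an added example that is not part of the original post: find the pavucontrol window with xdotool search first, and only send keystrokes once that window is focused, so a stray key combo can never land on xfwm or xfdesktop. It assumes xdotool and pavucontrol are installed and an X11 session is running.

```sh
#!/bin/sh
# Added example (not the original set-sound.sh): scope the simulated keystrokes
# to the pavucontrol window instead of whatever window happens to have focus.

# Print the id of the first visible window whose WM_CLASS matches the regex $1,
# polling once per second for up to $2 seconds. Returns non-zero if no such
# window appears, so the caller never replays keys into the wrong window.
find_window() {
    class="$1"; tries="${2:-10}"
    command -v xdotool >/dev/null 2>&1 || { echo "xdotool not installed" >&2; return 2; }
    while [ "$tries" -gt 0 ]; do
        wid="$(xdotool search --onlyvisible --class "$class" 2>/dev/null | head -n1)"
        [ -n "$wid" ] && { echo "$wid"; return 0; }
        tries=$((tries - 1)); sleep 1
    done
    echo "no visible window with class '$class'" >&2
    return 1
}

# Start pavucontrol, raise it, and replay the key sequence from the original
# script only after the window is confirmed active.
set_hdmi_output() {
    pavucontrol &
    wid="$(find_window pavucontrol 10)" || return $?
    xdotool windowactivate --sync "$wid"
    # Same keystrokes as the original script: Configuration tab, open the
    # profile list, jump to the end, three up, select.
    xdotool key --delay 25 alt+c Down alt+Down End Up Up Up Return
}

# Run only when invoked directly with --run, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then
    set_hdmi_output
fi
```

Point the .desktop file's Exec line at this script with `--run`; if pavucontrol never shows a window, the script exits without sending any keys.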

firefox keeps reloading existing tabs when i switch

Firefox will unload tabs if you’re running low on memory (for whatever reason). Change these settings in about:config to keep the tabs loaded, and then restart Firefox.

browser.tabs.unloadOnLowMemory = false
accessibility.blockautorefresh = true

References

Weblinks

  1. How To Stop Firefox Tabs From Auto-Refreshing on Tab Switch – Super User
  2. [Fix] Mozilla Firefox Automatically Suspends Tabs and Reloads When You Visit – AskVG

Internet searches

  1. firefox having to reload loaded tabs

ansible use jump box

If you need to connect through an intermediate jump box, or bastion server, here’s how you configure the inventory file:

[other-lan]
c7-prod-app-01 
[other-lan:vars]
ansible_ssh_common_args='-o ProxyCommand="ssh -W %h:%p -q ansible_user@jumpbox.otherlan.example.com"'

If the jump box can resolve the target name as is, you don’t need to specify the IP address. However, you can also force a specific IP address.

c7-prod-app-01 ansible_host=10.300.15.3

References

Weblinks

Shamelessly ripped from Ansible with a bastion host / jump box? [stackoverflow.com]

Hexedit stronghold.cfg to easily unlock military campaign missions

When I installed the Stronghold HD patch to take my CD installation of Stronghold v1.2 up to the latest, version 1.3, I had to rearrange the savegame files as indicated in the helpful documentation (for me, that was file ~/.wine/drive_c/Program Files/FireFly Studios/Stronghold/readme_en.html).

Old savegames and settings

Stronghold HD stores user maps, saves and settings in the Documents\Stronghold folder. If you have upgraded to Stronghold HD from an old version of Stronghold you will need to copy the maps, saves and settings from the Program Files\Firefly Studios\Stronghold folder (default location) to the Documents\Stronghold folder.

Savegames (.sav files)

Old Location: Program Files\Firefly Studios\Stronghold\saves
New Location: Documents\Stronghold\Saves

Maps (custom .map files)

Old Location: Program Files\Firefly Studios\Stronghold\maps
New Location: Documents\Stronghold\maps

Settings (stronghold.cfg)

Old Location: Program Files\Firefly Studios\Stronghold
New Location: Documents\Stronghold

Because I’m using the proper ISO saved from the original game disc, I’ve never needed a no-cd patch.
Anyway, I noticed that my military campaign mission status was not transferred to the new HD installation. I ensured the .sco files were in the new spot (the Saves directory) but it did not unlock the missions. I helpfully had a mission 17 b save that was right at the tail end of that mission, so loading and finishing it got me up to mission 18. However, I didn’t want to have to go through the difficult fixed-force invasion of the Pig’s castle, so I looked for cheat codes for a computer game for the first time in about a decade. Believe it or not, I couldn’t find any (working) cheats that just declare “success” for a mission. So, I decided to hack the stronghold.cfg.

I’m old-school, so I whipped out vim and :%!xxd, and here are the results of my research:

To set the military campaign level unlocked, modify the byte at offset 0x147, which is on this line:

    00000140: 0000 0055 0000 0013 0000 0021 0000 0000  ...U.......!....
#                               ^
#                               +-- this is hex 0x13 or decimal 19.
This corresponds to being able to play level 19 of the military campaign.

You can use vi with :%!xxd and :%!xxd -r to convert stronghold.cfg to hexadecimal and back.

For Stronghold HD, that is file ~/Documents/Stronghold/stronghold.cfg

Of course you could abuse this, but I was just using it to recover my progress.

[image: castle gate with soldiers garrisoned]
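The same byte patch without the vim/xxd round trip, as an added example that is not from the original post: it reads the level byte at offset 0x147, refuses values that do not fit in one byte or files too short to contain the offset, and keeps a backup before writing. The config path is an assumption based on the Stronghold HD location given above.

```sh
#!/bin/sh
# Added example: get/set the military campaign level byte in stronghold.cfg.
# Offset 0x147 (decimal 327) is the byte documented above; the path is assumed.
CFG="${STRONGHOLD_CFG:-$HOME/Documents/Stronghold/stronghold.cfg}"
OFFSET=327   # 0x147

# Print the current level byte as a decimal number (e.g. 19 for hex 0x13).
get_level() {
    od -An -t u1 -j "$OFFSET" -N 1 "$1" | tr -d ' \n'
}

# Write level $2 (1-255) into file $1 in place, after saving a timestamped backup.
set_level() {
    file="$1"; level="$2"
    case "$level" in
        ''|*[!0-9]*) echo "level must be a decimal number" >&2; return 2 ;;
    esac
    [ "$level" -ge 1 ] && [ "$level" -le 255 ] || { echo "level must be 1..255" >&2; return 2; }
    size="$(wc -c < "$file" | tr -d ' ')"
    [ "$size" -gt "$OFFSET" ] || { echo "$file is too short to hold offset $OFFSET" >&2; return 1; }
    cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"
    # Emit the level as a single raw byte (octal escape) and overwrite exactly
    # one byte at the offset; conv=notrunc keeps the rest of the file intact.
    printf "$(printf '\\%03o' "$level")" \
        | dd of="$file" bs=1 seek="$OFFSET" count=1 conv=notrunc 2>/dev/null
}

# Usage: ./stronghold-level.sh get | set <level>
case "${1:-}" in
    get) get_level "$CFG"; echo ;;
    set) set_level "$CFG" "${2:-}" ;;
esac
```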

References

My own original research and hacking on the config file.

How I use the OBS to build and host dpkgs for Devuan

Introduction

I have started using the public instance of the Open Build Service (OBS), aka openSUSE Build Service.
This post documents my process for taking a package upstream, my packaging recipe (to use the OBS parlance), and getting a hosted package. If you want to duplicate my efforts with your own packages, I hope this helps.

The process

Install osc

The Open Build Service command line tool is already available in the Devuan ceres repos, as package name osc.

Select what upstream package to build

My example will use FreeFileSync, because I already bundle it for Devuan and it only takes a few minutes to compile.
Additionally, because the upstream provides only a zip file, I am using my collaborative Opensource Tracking repo for the tarball which dpkg seemed to require and I gave up investigating how to get it to use a zip file as a source.

Prepare to use osc locally

Osc operates pretty similarly to version control, with commits and so on.
If necessary, initialize osc and checkout the project. On the openSUSE OBS instance, it’s probably the home project.

mkdir -p ~/osc ; cd ~/osc
osc checkout home:bgstack15

Build package with osc

Make a new package, either on cli or on the web interface.

osc mkpac freefilesync

Source: Reference 3
Retrieve the upstream source tarball, and prepare the debian.tar.xz file.
I store my dpkg instructions in the exploded directory form in git. So to assemble the debian.tar.xz, I have a few additional steps.
In another location, extract the source tarball, and copy in the debian/ directory. Outside the directory from the tarball, run dpkg-source.

cd ~/deb
tar -zxf freefilesync_10.13.orig.tar.gz
cp -pr ~/dev/stackrpms/freefilesync/debian ./FreeFileSync-10.13/
dpkg-source -b FreeFileSync-10.13

Now the assets required by OBS should exist. Copy in the .dsc and debian tarball to the osc project directory.

[bgstack15@myhost|/home/bgstack15/osc/home:bgstack15/freefilesync]$ ls -al
total 2116
-rw-r--r-- 1 bgstack15 bgstack15    9588 Jun 28 13:49 freefilesync_10.13-1+devuan.debian.tar.xz
-rw-r--r-- 1 bgstack15 bgstack15    1073 Jun 28 13:49 freefilesync_10.13-1+devuan.dsc
-rw-rw-r-- 1 bgstack15 bgstack15 2147432 Jun 28 13:14 freefilesync_10.13.orig.tar.gz

I can perform a local build to ensure it builds correctly.

osc build --local-package Debian_Testing x86_64

That will run for a while, and on the first run it also has to download all the build dependencies.
If all that was successful, it’s time to add the assets and commit.

osc add *
osc commit

Build package on OBS

The assets are now on the public OBS.

[image: debian tarball, dsc, and upstream tarball]
My builds triggered right away when I committed the changes. It took time for build workers to kick off and return the results, but my packages were published within a few hours!

If you want to tell the OBS to rebuild a package, select the status message of the Build Results section.

At the top of the log page, select the “Trigger Rebuild” button.

Or you could run osc rebuild command.

Using the repository

Of course the reason you want to use the OBS is to build packages to install them! A pretty front page is available for a project. Here’s my freefilesync one. It shows up as debian unstable, but it should work on devuan too.

Install the apt key

wget -nv https://download.opensuse.org/repositories/home:bgstack15/Debian_Unstable/Release.key -O Release.key
apt-key add - < Release.key
apt-get update
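A stricter version of the key step, as an added example that is not from the original post: check the downloaded key's fingerprint against a value obtained out of band before trusting it, and bind the key to this one repository with signed-by rather than the global apt-key keyring. EXPECTED_FPR is a placeholder to fill in from the OBS project page, and the keyring path and list file name are assumptions.

```sh
#!/bin/sh
# Added example: verify a third-party apt repository key before installing it.
REPO_URL="http://download.opensuse.org/repositories/home:/bgstack15/Debian_Unstable/"
KEYRING="/etc/apt/keyrings/home-bgstack15.gpg"              # assumed location
EXPECTED_FPR="${EXPECTED_FPR:-REPLACE_WITH_FINGERPRINT_FROM_PROJECT_PAGE}"  # placeholder

# Print the primary key fingerprint (40 hex chars) of an ASCII-armored key file.
key_fingerprint() {
    [ -r "$1" ] || { echo "cannot read key file: $1" >&2; return 1; }
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 2; }
    # show-only parses the key without importing it into any keyring;
    # in --with-colons output the "fpr" record carries the fingerprint in field 10.
    gpg --batch --quiet --with-colons --import-options show-only --import "$1" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Install the key only if its fingerprint matches $2, then write a sources
# entry that is valid for this repository alone.
install_repo_key() {
    keyfile="$1"; expected="$2"
    actual="$(key_fingerprint "$keyfile")" || return $?
    if [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch: got '$actual', expected '$expected'" >&2
        return 1
    fi
    mkdir -p "$(dirname "$KEYRING")"
    gpg --dearmor < "$keyfile" > "$KEYRING"
    # OBS Debian repositories are flat, hence the trailing "/" in place of a suite.
    printf 'deb [signed-by=%s] %s /\n' "$KEYRING" "$REPO_URL" \
        > /etc/apt/sources.list.d/home-bgstack15.list
}

# Run the full procedure only when invoked with --install (needs root).
if [ "${1:-}" = "--install" ]; then
    wget -nv "${REPO_URL}Release.key" -O /tmp/Release.key
    install_repo_key /tmp/Release.key "$EXPECTED_FPR"
    apt-get update
fi
```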

Install the packages

You can inspect and make sure the package is in your metadata and coming from the expected repo.

$ apt-cache policy freefilesync
freefilesync:
  Installed: (none)
  Candidate: 10.13-1+devuan
  Version table:
     10.13-1+devuan 500
        500 http://download.opensuse.org/repositories/home:/bgstack15/Debian_Unstable  Packages

Install the package!

apt-get install freefilesync

Final thoughts

I tried using a _service file (example) to automate the build tasks. It involves having the .dsc files available (such as in source control), which is generated from dpkg-source -b dirname-of-package/. If I have to do all that, and upload the dsc file, and then have the build nodes do all the same work, it’s not really worth it to me. Also, I never got it working because I’m not as smart as that guy in the example.

References

  1. A random fellow Devuan user thinks it’s OK to use the OBS Debian repos for Devuan packages.
  2. Steven Pusser’s Pale Moon project was a great example to me.
  3. Beginner’s Guide | Open Build Service
  4. My debuild instructions:

cl ; time debuild -us -uc 2>&1 | tee -a ~/log/debuild.$( basename "$( pwd )" ).$( date "+%F" ).log ; echo $? ; debuild -- clean 1>/dev/null 2>&1 ;

How I use the COPR to build and host rpms for CentOS and Fedora

Introduction

For about a year now, I have been using the Fedora Project’s public Cool Other Packages Repository (copr) to build and host rpms for my Fedora and CentOS GNU/Linux installations.
This post documents the process I use to take an upstream package, build the packages for the different chroots, and host them for download.

The process

No local tools are required, other than the source control software, normally git.

Select the upstream package

My example will use FreeFileSync, which is a great program and it’s quick to compile.
Additionally, because the upstream provides only a zip file, I am using my collaborative Opensource Tracking repo for the tarball which dpkg seemed to require and I gave up investigating how to get it to use a zip file as a source.

Prepare the spec file and additional artifacts

My spec file, patches, and additional items for building FreeFileSync on Fedora are on my gitlab page. This topic today is not intended to show you how to use rpmbuild, which is a deep and useful topic.

Add a package to copr

With the rpm sources available on the Internet, we’re ready to work in the copr environment.

Create a project

A project can host a single package or many. It is also useful to note that a spec file can produce more than one rpm, so for the copr a “package” can include either a single rpm artifact or multiple. For example, a libssl.spec will probably produce libssl-devel, libssl, and libssl-docs rpms. You would only have to set up the libssl.spec, and any produced rpms will just be handled automatically.
So, on the main page of COPR, select “New Project.”

Name the project and include any long-form text you care to share. The build options, farther down the page, are important. You can always change these options later, so don’t feel that you have to be extremely careful right now. Select the chroot arch environments you want to build the rpms for.

The external repositories section is really nice. If you need the packages from your favorite Internet yum repo, you can paste the baseurl values here.

Create a new package

In your shiny new project, you will want to add some packages!
Select the Packages tab, and then “New package.”

Plug in the relevant information.
For FreeFileSync, my rpmbuild input artifacts are at https://gitlab.com/bgstack15/stackrpms.git, with a committish (I love that term!) of “freefilesync-bump” which is the dev tree I use for testing the latest version of FreeFileSync.
The subdir for just the freefilesync package, in my entire git tree, is freefilesync/. I’ve got a lot of other spec files in there, but the copr can look in just one dir, which is pretty great.
Use the “rpkg” option, based on the git source. I don’t actually know how the other methods work, and the rpkg has always been good enough for git-hosted spec files for me.

If the package needs to be excluded from certain architectures, there’s a blacklist field you can use.
Save the package settings.

Trigger a build

On the package list, find the new package and select “Rebuild.”

You can choose which chroots to use, and the checkboxes are pre-populated with your defaults and blacklist. My freefilesync package has some unresolvable build dependencies on EL6, so I have excluded those.

Also, specifically, FreeFileSync needed some very custom dependencies to build on EL7: some higher versions of libs like curl and openssl, so it’s a complex dependency tree so either include copr://bgstack15/FreeFileSync in your project’s external repository list.