Archive for the ‘Devops’ Category

I’ve found many tutorials on how to accomplish this on Debian/Ubuntu systems, but not RHEL.

You have to have at least a minimal installation with the EPEL repository enabled.

Install packages

yum install -y git{,web,-daemon,olite} httpd xinetd

Setup Gitolite
Copy your public ssh-key to /tmp and allow gitolite to read it

cp ~/.ssh/ /tmp/$ && chmod 644 /tmp/$

Change to the gitolite user and run gl-setup

sudo -u gitolite -i
gl-setup /tmp/$

Alter the base permissions of the repos and fix what we already have. In /var/lib/gitolite/.gitolite.rc change:
$GL_WILDREPOS to 1; and
$REPO_UMASK to 0027

chmod g+r /var/lib/gitolite/projects.list
chmod g+rx /var/lib/gitolite/repositories

Change the group of the apache user to allow it access to the gitolite repositories

usermod -a -G gitolite apache

Configure git-daemon to only export repositories with a git-daemon-export-ok file inside (created by adding R permissions for daemon)

# default: off
# description: The git dæmon allows git repositories to be exported using \
# the git:// protocol.
service git
{
        disable         = no
        socket_type     = stream
        wait            = no
        user            = nobody
        group           = gitolite
        server          = /usr/libexec/git-core/git-daemon
        server_args     = --base-path=/var/lib/gitolite/repositories --syslog --inetd --verbose
        log_on_failure  += USERID
}

Configure /etc/gitweb.conf to point to the right projectroot and project_list (the only 2 lines you actually need are here)

our $projectroot = "/var/lib/gitolite/repositories";
our $projects_list = "/var/lib/gitolite/projects.list";

Make the services persistent (survive a reboot):

chkconfig httpd on
chkconfig xinetd on
service httpd start
service xinetd start

To allow access to gitweb or gitdaemon in the config file, do something like this in your gitolite.conf:

repo    webtest
        R       =   daemon gitweb
        RW+     =   admin

If you need to add these perms to a wildcard repo, you can use the setperms admin command:

echo "READERS gitweb daemon" | ssh gitolite@host setperms path/to/wildrepo

Check it with:

ssh gitolite@host getperms path/to/wildrepo
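
A quick way to confirm which repositories this setup actually exposes, as an added example that is not part of the original post: it reports, per repository, whether git-daemon will serve it, whether gitweb will list it, and whether permission bits for "other" survived the $REPO_UMASK change. The function names, the allowlist arguments and the sample tree are constructed; it assumes projects.list holds one repository path per line.

```shell
#!/bin/sh
# Added example: report how each gitolite repository is exposed.
# Paths mirror the post's layout; all names below are constructed.

# audit_repos BASE PROJECTS_LIST
# prints: <repo> daemon=<yes|no> gitweb=<yes|no> other=<yes|no>
audit_repos() {
    ar_base=$1; ar_list=$2
    find "$ar_base" -type d -name '*.git' -prune -print | sort |
    while IFS= read -r repo; do
        name=${repo#"$ar_base"/}
        daemon=no; gitweb=no; other=no
        # git-daemon (without --export-all) serves only repos holding this marker
        if [ -e "$repo/git-daemon-export-ok" ]; then daemon=yes; fi
        # assumption: projects.list has one repository path per line
        if grep -qxF "$name" "$ar_list" 2>/dev/null; then gitweb=yes; fi
        # any bit set for "other" means $REPO_UMASK 0027 was not applied here
        if [ -n "$(find "$repo" -prune \( -perm -004 -o -perm -002 -o -perm -001 \) -print)" ]; then
            other=yes
        fi
        printf '%s daemon=%s gitweb=%s other=%s\n' "$name" "$daemon" "$gitweb" "$other"
    done
}

# unexpected_exports BASE PROJECTS_LIST ALLOWED_REPO...
# prints anonymously readable repos missing from the allowlist; returns 1 if any
unexpected_exports() {
    ue_base=$1; ue_list=$2; shift 2
    ue_allowed=" $* "
    ue_found=$(audit_repos "$ue_base" "$ue_list" | while read -r name d g rest; do
        case "$d $g" in *=yes*) ;; *) continue ;; esac
        case "$ue_allowed" in *" $name "*) ;; *) echo "$name" ;; esac
    done)
    if [ -n "$ue_found" ]; then printf '%s\n' "$ue_found"; return 1; fi
}

# make_sample DIR: constructed tree standing in for /var/lib/gitolite
make_sample() {
    r=$1/repositories
    mkdir -p "$r/webtest.git" "$r/gitolite-admin.git" "$r/path/to/wildrepo.git"
    chmod 750 "$r/webtest.git" "$r/gitolite-admin.git"
    chmod 755 "$r/path/to/wildrepo.git"   # as if created before the umask change
    touch "$r/webtest.git/git-daemon-export-ok" "$r/path/to/wildrepo.git/git-daemon-export-ok"
    echo "webtest.git" > "$1/projects.list"
}

sample=$(mktemp -d)
trap 'rm -rf "$sample"' EXIT
make_sample "$sample"
audit_repos "$sample/repositories" "$sample/projects.list"
```

On the real host the arguments would be /var/lib/gitolite/repositories and /var/lib/gitolite/projects.list, followed by the repositories you intend to publish.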


Posted: March 30, 2012 in Devops

Towards the end of January 2012, Tobi Oetiker released rrdtool 1.4.6. This release contained a community submitted patch to allow export of rrd in json.

Here’s an example (based on a collectd rrd file):

$ /opt/rrdtool-1.4.7/bin/rrdtool xport --json -s $(date -d "10 mins ago" +%s) -e $(date +%s) \
    --step 10 DEF:load_1min_avg=/var/lib/collectd/$(hostname -f)/load/load.rrd:shortterm:AVERAGE \
{ about: 'RRDtool xport JSON output',
  meta: {
    start: 1333111500,
    step: 10,
    end: 1333111500,
    legend: [
  data: [
    [ 8.7720000000e+00 ],
    [ 9.0620000000e+00 ],
    [ 9.0540000000e+00 ],
    [ 8.9620000000e+00 ],
    [ 8.8840000000e+00 ],
    [ 9.0520000000e+00 ],
    [ 8.9760000000e+00 ],
    [ 8.0920000000e+00 ],
    [ 7.8240000000e+00 ],
    [ 7.8620000000e+00 ],
    [ 8.0440000000e+00 ],
    [ 8.4500000000e+00 ],
    [ 8.5720000000e+00 ],
    [ 8.6540000000e+00 ],
    [ 8.9960000000e+00 ],
    [ 9.2200000000e+00 ],
    [ 9.3700000000e+00 ],
    [ null ],
    [ null  ]

Now all you need to do is get this data into jqplot or flot and you can make beautiful dashboards.

List Comprehension

Posted: February 21, 2012 in Devops, Featured, Python

Why is it better to use list comprehension instead of map + lambda?


I’ve started using the string formatting dictionaries and never looked back.

As the ‘%’ operator is deprecated in Python 3, I’ve added the future version too.

Python 3.2 (r32:88445, Feb 21 2011, 21:11:06) 
[GCC 4.6.0 20110212 (Red Hat 4.6.0-0.7)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> fdict = {'name': 'AJ'}
>>> print('%(name)s is my friend' % fdict)
AJ is my friend
>>> '{name} is my friend'.format(**fdict)
AJ is my friend

Using iptables-save

Posted: December 9, 2010 in Devops, System Engineering

I just lost my netfilter persistence file (/etc/sysconfig/iptables) because I used /usr/bin/system-config-securitylevel-tui.
I see two options now:

  1. Edit /etc/sysconfig/iptables and then restart, or
  2. Use /sbin/iptables to insert rules then save with /sbin/iptables-save

I’m going for option 2, as I can create a backup of the config at the same time doing this:

Example rule to allow port tcp/80:

/sbin/iptables -I RH-Firewall-1-INPUT 10 \
    -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
test -d /var/backup/iptables || mkdir -p /var/backup/iptables
/sbin/iptables-save | /usr/bin/tee /etc/sysconfig/iptables \
    /var/backup/iptables/iptables-sysconfig-$(date +%s)
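
Piping iptables-save straight into tee truncates /etc/sysconfig/iptables before any output arrives, so a failed save leaves an empty persistence file. The variant below is an added example, not from the original post: it stages the ruleset in a temporary file, rejects incomplete output, and skips the write when only comments or counters changed. save_ruleset, normalize and the sample ruleset are constructed names and data.

```shell
#!/bin/sh
# Added example: save the running ruleset without risking an empty file.
# Function names and the sample ruleset are constructed.

# normalize FILE: drop timestamp comments and per-chain [packets:bytes] counters
normalize() {
    sed -e '/^#/d' -e 's/ \[[0-9]*:[0-9]*\]$//' "$1"
}

# save_ruleset TARGET BACKUP_DIR   (ruleset on stdin)
# prints "saved" or "unchanged"; returns 1 and leaves TARGET alone on bad input
save_ruleset() {
    sr_target=$1; sr_bdir=$2
    sr_tmp=$(mktemp "$sr_target.XXXXXX") || return 2   # same directory, mode 0600
    cat > "$sr_tmp"
    # a complete dump has one COMMIT per "*table" header and at least one table
    sr_tables=$(grep -c '^\*' "$sr_tmp" || true)
    sr_commits=$(grep -c '^COMMIT$' "$sr_tmp" || true)
    if [ "$sr_tables" -eq 0 ] || [ "$sr_tables" -ne "$sr_commits" ]; then
        rm -f "$sr_tmp"; echo "rejected: incomplete ruleset" >&2; return 1
    fi
    if [ -f "$sr_target" ] && [ "$(normalize "$sr_target")" = "$(normalize "$sr_tmp")" ]; then
        rm -f "$sr_tmp"; echo unchanged; return 0
    fi
    ( umask 077; mkdir -p "$sr_bdir" )
    cp -p "$sr_tmp" "$sr_bdir/iptables-sysconfig-$(date +%s)"
    mv "$sr_tmp" "$sr_target"                           # rename replaces the file in one step
    echo saved
}

# sample_ruleset BYTES: constructed iptables-save style output
sample_ruleset() {
    cat <<EOF
# Generated by iptables-save (constructed sample) on $(date)
*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [12:$1]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
COMMIT
EOF
}

demo=$(mktemp -d)
sample_ruleset 0    | save_ruleset "$demo/iptables" "$demo/backup"   # first save
sample_ruleset 3456 | save_ruleset "$demo/iptables" "$demo/backup"   # counters only
: | save_ruleset "$demo/iptables" "$demo/backup" || true             # failed dump
rm -rf "$demo"
```

In place of the tee pipeline, the call would read the output of /sbin/iptables-save on stdin with /etc/sysconfig/iptables and /var/backup/iptables as its two arguments.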

Everybody wants servers now!
Now that servers are virtual, everybody knows you can click a button and give them what they want!
Before you know it, you’ll have tripled your server count!

How can you make sure that things won’t fail in a massive way?
Physically plan your virtual setup!

Think about this: you’ve got sixteen machines to create a pool of hypervisors. They’ve all got two quad-core processors and thirty-two gigabytes of RAM.

You only have one switch per rack, and you plan to use four racks (four hypervisors in each rack). This lets you recover from a rack failure (most likely a switch failure) as long as you keep the pool at seventy-five percent load on CPU, RAM, network and storage.


You must also think about maximum VM sizing. If you size a single VM over twenty-five percent of the capacity of one hypervisor, then you risk not being able to migrate all machines from the four hypervisors that are allowed to fail.