• Security: prevent kernel panics via userland requests from kqueue, a random number generator update to prevent weak cryptographic keys and a vulnerability in grep.
• Networking: many updates to NetBSD's new packet filter npf, and improved SMP operations.
• Embedded: Raspberry Pi now has working USB and ethernet, support for the watchdog timer in some Marvell SoCs, fixes to the Kirkwood IRQ code
• Platforms: device driver for Hydra and ASDG Zorro2 bus network cards on Amiga, x68k's bootloader can now boot from CD and network, and dtrace support on amd64.
• Drivers: add LSI Thunderbolt (SAS2208) controllers, Apple's Thunderbolt to Gigabit Ethernet adapter, and improve stability with multiple concurrent file system snapshots.

• Improving network stack concurrency and performance.
• Development of modern file systems and improvement of existing ones.
• Features which are useful in embedded environments, such as high resolution timers and execute in place (XIP) support.
• Automatic testing and quality assurance.

Click on the above link for more information on GSoC in general, there is also a list of proposed projects for this year in NetBSD.

Next steps are:

These blog articles were very detailed on purpose, to have full logfiles available just in case needed. I have used these logs to prepare my pkgsrcCon 2013 talk about Ansible and Amazon's EC2, so things can be looked at without actually running anything. As it turns out this was good, because the 32bit NetBSD instances that I've used during my pkgsrcCon demonstration actually decided to do a kernel panic, and the presentation was a bit more on the theoretical side than I originally planned.

Now after pkgsrcCon is over, I would like to publish the presentation slides with all the details, and especially the playbooks and all other files to look at - enjoy!

[Tags: amazon, ansible, aws, ec2, pkgsrc, xen]

The single steps are:

1. Prepare the two VMs
2. Basic setup for all systems
3. Install the database server
4. Install the webserver
5. Connect database and webserver

1. As before, ensure local time is correct when talking to Amazon, and also make sure the SSH agent has the proper key loaded.

   % date
   Thu Mar 21 00:45:37 CET 2013
   % ssh-add -l
   2048 d5:25:19:3d:59:40:35:32:03:f7:c5:83:de:19:b6:d0 ../../euca2ools/key-eucaHF.pem (RSA)
   

2. Make sure security groups are setup properly. We use one group for the database server, and one for the webserver. This defines the access permissions from the internet, and also allows to identify systems for their individual configuration and also for connecting them in the final step:

   % euca-describe-groups
   ...
   GROUP   sg-ae54b3c5     749335780469    ec2-dbservers   Database servers
   PERMISSION      749335780469    ec2-dbservers   ALLOWS  tcp     22      22      FROM    CIDR    0.0.0.0/0
   PERMISSION      749335780469    ec2-dbservers   ALLOWS  tcp     3306    3306    FROM    CIDR    0.0.0.0/0
   PERMISSION      749335780469    ec2-dbservers   ALLOWS  icmp    -1      -1      FROM    CIDR    0.0.0.0/0
   GROUP   sg-a854b3c3     749335780469    ec2-webservers  Web servers
   PERMISSION      749335780469    ec2-webservers  ALLOWS  tcp     22      22      FROM    CIDR    0.0.0.0/0
   PERMISSION      749335780469    ec2-webservers  ALLOWS  tcp     80      80      FROM    CIDR    0.0.0.0/0
   PERMISSION      749335780469    ec2-webservers  ALLOWS  icmp    -1      -1      FROM    CIDR    0.0.0.0/0
   

3. Now, run our playbook to setup the two VMs. This uses the single playbook from the previous milestone, and just runs it twice with different security groups:

   % ansible-playbook -i hosts-HF config-ec2-prepare-db+web-vm.yml
   
   PLAY [localhost] ********************* 
   
   TASK: [ec2-webservers | Launch new EC2 instance] ********************* 
   changed: [127.0.0.1]
   
   TASK: [ec2-webservers | Give the system 30 seconds to boot up] ********************* 
   changed: [127.0.0.1]
   
   TASK: [ec2-webservers | Get rid of SSH "Are you sure you want to continue connecting (yes/no)?" query] ********************* 
   changed: [127.0.0.1]
   
   TASK: [ec2-webservers | Fix /usr/bootstrap.sh to run pkgin with -y] ********************* 
   changed: [127.0.0.1] => (item={'cmd': 'install /usr/bootstrap.sh /usr/bootstrap.sh.orig'})
   changed: [127.0.0.1] => (item={'cmd': 'chmod +w /usr/bootstrap.sh'})
   changed: [127.0.0.1] => (item={'cmd': 'sed "s,bin/pkgin update,bin/pkgin -y update," /usr/bootstrap.sh'})
   changed: [127.0.0.1] => (item={'cmd': 'chmod -w /usr/bootstrap.sh'})
   
   TASK: [ec2-webservers | Install pkgin via /usr/bootstrap.sh] ********************* 
   changed: [127.0.0.1] => (item={'cmd': u'env PATH=/usr/sbin:${PATH} /usr/bootstrap.sh binpkg'})
   
   TASK: [ec2-webservers | Copy over Ansible binary package] ********************* 
   changed: [127.0.0.1]
   
   TASK: [ec2-webservers | Install Ansible dependencies] ********************* 
   changed: [127.0.0.1]
   
   TASK: [ec2-webservers | Install Ansible package (manually)] ********************* 
   changed: [127.0.0.1]
   
   TASK: [ec2-webservers | Setup lame /usr/bin/python symlink] ********************* 
   changed: [127.0.0.1]
   
   TASK: [ec2-dbservers | Launch new EC2 instance] ********************* 
   changed: [127.0.0.1]
   
   TASK: [ec2-dbservers | Give the system 30 seconds to boot up] ********************* 
   changed: [127.0.0.1]
   
   TASK: [ec2-dbservers | Get rid of SSH "Are you sure you want to continue connecting (yes/no)?" query] ********************* 
   changed: [127.0.0.1]
   
   TASK: [ec2-dbservers | Fix /usr/bootstrap.sh to run pkgin with -y] ********************* 
   changed: [127.0.0.1] => (item={'cmd': 'install /usr/bootstrap.sh /usr/bootstrap.sh.orig'})
   changed: [127.0.0.1] => (item={'cmd': 'chmod +w /usr/bootstrap.sh'})
   changed: [127.0.0.1] => (item={'cmd': 'sed "s,bin/pkgin update,bin/pkgin -y update," /usr/bootstrap.sh'})
   changed: [127.0.0.1] => (item={'cmd': 'chmod -w /usr/bootstrap.sh'})
   
   TASK: [ec2-dbservers | Install pkgin via /usr/bootstrap.sh] ********************* 
   changed: [127.0.0.1] => (item={'cmd': u'env PATH=/usr/sbin:${PATH} /usr/bootstrap.sh binpkg'})
   
   TASK: [ec2-dbservers | Copy over Ansible binary package] ********************* 
   changed: [127.0.0.1]
   
   TASK: [ec2-dbservers | Install Ansible dependencies] ********************* 
   changed: [127.0.0.1]
   
   TASK: [ec2-dbservers | Install Ansible package (manually)] ********************* 
   changed: [127.0.0.1]
   
   TASK: [ec2-dbservers | Setup lame /usr/bin/python symlink] ********************* 
   changed: [127.0.0.1]
   
   PLAY RECAP ********************* 
   127.0.0.1                      : ok=18   changed=18   unreachable=0    failed=0    
   

4. Just to make sure, check that the two instances run properly, and are in the right security groups, ec2-webservers and ec2-dbservers:

   % euca-describe-instances
   RESERVATION     r-a419f9d9      749335780469    ec2-webservers
   INSTANCE        i-21b7c441      ami-5d0f8034    ...
   RESERVATION     r-641efe19      749335780469    ec2-dbservers
   INSTANCE        i-54a2ab3e      ami-5d0f8034    ...
   

5. Next, bring the two freshly setup systems (which are already capable of acting as ansible targets) up to our basic system setup:

   % env ANSIBLE_HOSTS=./ec2.py ansible-playbook config-ec2-basic.yml
   
   PLAY [security_group_ec2-webservers;security_group_ec2-dbservers] ********************* 
   
   TASK: [ping] ********************* 
   ok: [ec2-54-235-44-118.compute-1.amazonaws.com]
   ok: [ec2-54-234-139-151.compute-1.amazonaws.com]
   
   TASK: [Install tcsh] ********************* 
   changed: [ec2-54-235-44-118.compute-1.amazonaws.com]
   changed: [ec2-54-234-139-151.compute-1.amazonaws.com]
   
   TASK: [Add user feyrer] ********************* 
   changed: [ec2-54-234-139-151.compute-1.amazonaws.com]
   changed: [ec2-54-235-44-118.compute-1.amazonaws.com]
   
   TASK: [Create ~feyrer/.ssh directory] ********************* 
   changed: [ec2-54-235-44-118.compute-1.amazonaws.com]
   changed: [ec2-54-234-139-151.compute-1.amazonaws.com]
   
   TASK: [Enable ssh login with ssh-key] ********************* 
   changed: [ec2-54-235-44-118.compute-1.amazonaws.com]
   changed: [ec2-54-234-139-151.compute-1.amazonaws.com]
   
   TASK: [Install sudo] ********************* 
   changed: [ec2-54-235-44-118.compute-1.amazonaws.com]
   changed: [ec2-54-234-139-151.compute-1.amazonaws.com]
   
   TASK: [Enable PW-less sudo-access for everyone in group 'wheel'] ********************* 
   changed: [ec2-54-234-139-151.compute-1.amazonaws.com]
   changed: [ec2-54-235-44-118.compute-1.amazonaws.com]
   
   TASK: [Disable ssh logins as root] ********************* 
   ok: [ec2-54-235-44-118.compute-1.amazonaws.com]
   ok: [ec2-54-234-139-151.compute-1.amazonaws.com]
   
   PLAY RECAP ********************* 
   ec2-54-234-139-151.compute-1.amazonaws.com : ok=8    changed=6    unreachable=0    failed=0    
   ec2-54-235-44-118.compute-1.amazonaws.com : ok=8    changed=6    unreachable=0    failed=0    
   

6. Check:

   % ssh ec2-54-234-139-151.compute-1.amazonaws.com id
   uid=1000(feyrer) gid=100(users) groups=100(users),0(wheel)
   % 
   % ssh ec2-54-235-44-118.compute-1.amazonaws.com id
   uid=1000(feyrer) gid=100(users) groups=100(users),0(wheel)
   

7. Now that the two machines run with our basline configuration, install their individual software and settings. First the database server:

   % env ANSIBLE_HOSTS=./ec2.py ansible-playbook config-ec2-dbserver.yml
   
   PLAY [security_group_ec2-dbservers] ********************* 
   
   TASK: [Install mysql] ********************* 
   changed: [ec2-54-235-44-118.compute-1.amazonaws.com]
   
   TASK: [Install MySQL rc.d script] ********************* 
   changed: [ec2-54-235-44-118.compute-1.amazonaws.com]
   
   TASK: [Start MySQL service] ********************* 
   changed: [ec2-54-235-44-118.compute-1.amazonaws.com]
   
   TASK: [Install python-mysqldb (for mysql_user module)] ********************* 
   changed: [ec2-54-235-44-118.compute-1.amazonaws.com]
   
   TASK: [Setup DB] ********************* 
   changed: [ec2-54-235-44-118.compute-1.amazonaws.com]
   
   TASK: [Add db-user] ********************* 
   changed: [ec2-54-235-44-118.compute-1.amazonaws.com]
   
   TASK: [Copy over DB template] ********************* 
   changed: [ec2-54-235-44-118.compute-1.amazonaws.com]
   
   TASK: [Import DB data] ********************* 
   changed: [ec2-54-235-44-118.compute-1.amazonaws.com]
   
   PLAY RECAP ********************* 
   ec2-54-235-44-118.compute-1.amazonaws.com : ok=8    changed=8    unreachable=0    failed=0    
   
    Check and see if the database works as expected:
   % ssh -t ec2-54-235-44-118.compute-1.amazonaws.com mysql -u webapp -p webapp
   Enter password: ****
   ...
   mysql> show tables;
   +------------------+
   | Tables_in_webapp |
   +------------------+
   | names            |
   +------------------+
   1 row in set (0.01 sec)
   
   mysql> select * from names;
   +----+--------+------+
   | id | first  | last |
   +----+--------+------+
   |  1 | Donald | Duck |
   |  2 | Daisy  | Duck |
   +----+--------+------+
   2 rows in set (0.00 sec)
   
   mysql> bye
   
   
    Excellent. Now setup the webserver, too:
     
   % env ANSIBLE_HOSTS=./ec2.py ansible-playbook config-ec2-webserver.yml
   
   PLAY [security_group_ec2-webservers] ********************* 
   
   TASK: [Installing ap24-php53 package and dependencies] ********************* 
   changed: [ec2-54-234-139-151.compute-1.amazonaws.com]
   
   TASK: [Install Apache rc.d script] ********************* 
   changed: [ec2-54-234-139-151.compute-1.amazonaws.com]
   
   TASK: [Enable and start Apache service] ********************* 
   changed: [ec2-54-234-139-151.compute-1.amazonaws.com]
   
   TASK: [Enable PHP in Apache config file] ********************* 
   changed: [ec2-54-234-139-151.compute-1.amazonaws.com] => (item={'re': 'LoadModule.*mod_php5.so', 'l': 'LoadModule php5_module lib/httpd/mod_php5.so'})
   changed: [ec2-54-234-139-151.compute-1.amazonaws.com] => (item={'re': 'AddHandler.*x-httpd-php', 'l': 'AddHandler application/x-httpd-php .php'})
   
   TASK: [Make Apache read index.php] ********************* 
   changed: [ec2-54-234-139-151.compute-1.amazonaws.com]
   
   TASK: [Add simple PHP test - see http://10.0.0.181/phptest.php] ********************* 
   changed: [ec2-54-234-139-151.compute-1.amazonaws.com]
   
   TASK: [Install phpmyadmin] ********************* 
   changed: [ec2-54-234-139-151.compute-1.amazonaws.com]
   
   TASK: [Enable phpmyadmin in Apache config] ********************* 
   changed: [ec2-54-234-139-151.compute-1.amazonaws.com]
   
   TASK: [Fix Apache access control for phpmyadmin] ********************* 
   changed: [ec2-54-234-139-151.compute-1.amazonaws.com]
   
   TASK: [Enable PHP modules in PHP config file] ********************* 
   changed: [ec2-54-234-139-151.compute-1.amazonaws.com] => (item={'re': '^extension.*zlib.so', 'l': 'extension=zlib.so'})
   changed: [ec2-54-234-139-151.compute-1.amazonaws.com] => (item={'re': '^extension.*zip.so', 'l': 'extension=zip.so'})
   changed: [ec2-54-234-139-151.compute-1.amazonaws.com] => (item={'re': '^extension.*mysqli.so', 'l': 'extension=mysqli.so'})
   changed: [ec2-54-234-139-151.compute-1.amazonaws.com] => (item={'re': '^extension.*mysql.so', 'l': 'extension=mysql.so'})
   changed: [ec2-54-234-139-151.compute-1.amazonaws.com] => (item={'re': '^extension.*mcrypt.so', 'l': 'extension=mcrypt.so'})
   changed: [ec2-54-234-139-151.compute-1.amazonaws.com] => (item={'re': '^extension.*mbstring.so', 'l': 'extension=mbstring.so'})
   changed: [ec2-54-234-139-151.compute-1.amazonaws.com] => (item={'re': '^extension.*json.so', 'l': 'extension=json.so'})
   changed: [ec2-54-234-139-151.compute-1.amazonaws.com] => (item={'re': '^extension.*gd.so', 'l': 'extension=gd.so'})
   changed: [ec2-54-234-139-151.compute-1.amazonaws.com] => (item={'re': '^extension.*gettext.so', 'l': 'extension=gettext.so'})
   changed: [ec2-54-234-139-151.compute-1.amazonaws.com] => (item={'re': '^extension.*bz2.so', 'l': 'extension=bz2.so'})
   
   TASK: [Create directory for webapp] ********************* 
   changed: [ec2-54-234-139-151.compute-1.amazonaws.com]
   
   TASK: [Deploy example webapp] ********************* 
   changed: [ec2-54-234-139-151.compute-1.amazonaws.com]
   
   TASK: [Create webapp symlink for easy access] ********************* 
   changed: [ec2-54-234-139-151.compute-1.amazonaws.com]
   
   NOTIFIED: [restart apache] ********************* 
   changed: [ec2-54-234-139-151.compute-1.amazonaws.com]
   
   PLAY RECAP ********************* 
   ec2-54-234-139-151.compute-1.amazonaws.com : ok=14   changed=14   unreachable=0    failed=0    
   
   
    Again, test:
   % links -dump ec2-54-234-139-151.compute-1.amazonaws.com/
                                      It works!
   %
   % links -dump http://ec2-54-234-139-151.compute-1.amazonaws.com/phptest.php | head
      PHP Logo                                                                   
                                                                                 
                                  PHP Version 5.3.17                             
   
      System          NetBSD ip-10-80-61-33.ec2.internal 6.0.1 NetBSD 6.0.1      
                      (XEN3PAE_DOMU) i386                                        
      Build Date      Dec 14 2012 10:31:13                                       
                      './configure' '--with-config-file-path=/usr/pkg/etc'       
                      '--with-config-file-scan-dir=/usr/pkg/etc/php.d'           
                      '--sysconfdir=/usr/pkg/etc' '--localstatedir=/var'         
   % 
   % links -dump http://ec2-54-234-139-151.compute-1.amazonaws.com/webapp/
      Showing table hf.names:
   
      Cannot connect to database: Can't connect to local MySQL server through
      socket '/tmp/mysql.sock' (2)(2002)
   
   
    Close to optimum, but the last error is actually expectet: In
     order for proper operation, the Database needs to grant the
     webserver access, and the web server needs to know where the
     database server is. So let's connect them!
     
   
   
     This step is done by preparing a shell script on both systems, which
     will then be ran to  - depending on the system's security group - perform the
     proper steps:
   % env ANSIBLE_HOSTS=./ec2.py ansible-playbook config-ec2-connections.yml
   
   PLAY [security_group_ec2-webservers;security_group_ec2-dbservers] ********************* 
   
   TASK: [Collect EC2 host information] ********************* 
   ok: [ec2-54-234-139-151.compute-1.amazonaws.com]
   ok: [ec2-54-235-44-118.compute-1.amazonaws.com]
   
   TASK: [Prepare connection-script in /tmp/do-connect-vms.sh] ********************* 
   changed: [ec2-54-234-139-151.compute-1.amazonaws.com]
   changed: [ec2-54-235-44-118.compute-1.amazonaws.com]
   
   TASK: [Run connection-script] ********************* 
   changed: [ec2-54-234-139-151.compute-1.amazonaws.com]
   changed: [ec2-54-235-44-118.compute-1.amazonaws.com]
   
   PLAY RECAP ********************* 
   ec2-54-234-139-151.compute-1.amazonaws.com : ok=3    changed=2    unreachable=0    failed=0    
   ec2-54-235-44-118.compute-1.amazonaws.com : ok=3    changed=2    unreachable=0    failed=0    
   
   
    With that final step, our test web application works, and the
     webserver can access the database properly:
   % links -dump http://ec2-54-234-139-151.compute-1.amazonaws.com/webapp/
      Showing table hf.names:
   
      +--------------------+
      | id | first  | last |
      |----+--------+------|
      | 1  | Donald | Duck |
      |----+--------+------|
      | 2  | Daisy  | Duck |
      +--------------------+
   
        ----------------------------------------------------------------------
   
      Enter new values:
   
      first:     _____________________ 
      last:      _____________________ 
      [ Submit ] 
   
   

20 years back from today, NetBSD was initially checked into CVS. Revision 1.1 of src/Makefile was committed on March 21st 1993 on 09:45:37 by Chris Demetriou (cgd@):

% cvs log -Nr1.1 Makefile
...
revision 1.1
date: 1993/03/21 09:45:37;  author: cgd;  state: Exp;
branches:  1.1.1;
Initial revision 

Personally, I've followed NetBSD since the day in 1993 when the Amiga port popped up, which was the first platform that the newly forked operating system was ported to after its separation from BSD.

Many things have happened in the past 20 years, and a lot could be shown and told for the history books at this point. But I guess that can be done later - I'd be happy to help out with such a project if someone wants to start it, though :)

For today I'm very happy that NetBSD is available on a wide range on platforms, runs the software that I want and gives me the assurrance it will be around tomorrow and hopefully for the next 20 years, too.

Cheers, NetBSD!

Update: Jeremy Reed pointed me at his BSDnewletter posting, which gives a number of details of NetBSD's history. Recommended reading!

[Tags: history, netbsd]

The single steps are:

1. Prepare the environment with proper time, SSH agent and EC2 firewall groups
2. Setup EC2 instance with pkgin and ansible
3. Do basic preparations to meet our standards for logins, shells and general usability and security
4. Setup database server with DB software, user and import of data
5. Setup web server with all the software and some demo application

1. Make sure time is set properly - needed when talking to Amazon EC2:

   % sudo sh /etc/rc.d/ntpd stop
   ntpd not running? (check /var/run/ntpd.pid).
   % sudo sh /etc/rc.d/ntpdate restart
   Setting date via ntp.
   % sudo sh /etc/rc.d/ntpd start
   Starting ntpd.
   % date
   Sat Mar 16 16:46:19 CET 2013
   

2. Teach our EC2 SSH key to SSH agent, so we don't have to type a password (which we don't know anyways - EC2 only works with SSH keys):

   % ssh-add -l
   Could not open a connection to your authentication agent.
   % 
   % eval `ssh-agent`
   Agent pid 10467
   % ssh-add -l
   The agent has no identities.
   % ssh-add ../../euca2ools/key-eucaHF.pem
   Identity added: ../../euca2ools/key-eucaHF.pem (../../euca2ools/key-eucaHF.pem)
   % ssh-add -l
   2048 d5:25:19:3d:59:40:35:32:03:f7:c5:83:de:19:b6:d0 ../../euca2ools/key-eucaHF.pem (RSA)
   

3. Check security (firewall) groups - those are stored in EC2, and we have previously set them up:

   % euca-describe-groups
   ...
   GROUP   sg-a854b3c3     749335780469    ec2-webservers  Web servers
   PERMISSION      749335780469    ec2-webservers  ALLOWS  tcp     22      22      FROM    CIDR    0.0.0.0/0
   PERMISSION      749335780469    ec2-webservers  ALLOWS  tcp     80      80      FROM    CIDR    0.0.0.0/0
   PERMISSION      749335780469    ec2-webservers  ALLOWS  icmp    -1      -1      FROM    CIDR    0.0.0.0/0
   

4. See if there are any EC2 instances running:

   % euca-describe-instances
   %
   

   No - that's fine, we are about to change that!

5. Run first playbook to launch EC2 instance and prepare it for using with ansible:

   % ansible-playbook -i hosts-HF config-ec2-prepare1vm.yml
   
   PLAY [localhost] ********************* 
   
   TASK: [Launch new EC2 instance] ********************* 
   changed: [127.0.0.1]
   
   TASK: [Give the system 30 seconds to boot up] ********************* 
   changed: [127.0.0.1]
   
   TASK: [Get rid of SSH "Are you sure you want to continue connecting (yes/no)?" query] ********************* 
   changed: [127.0.0.1]
   
   TASK: [Fix /usr/bootstrap.sh to run pkgin with -y] ********************* 
   changed: [127.0.0.1] => (item={'cmd': 'install /usr/bootstrap.sh /usr/bootstrap.sh.orig'})
   changed: [127.0.0.1] => (item={'cmd': 'chmod +w /usr/bootstrap.sh'})
   changed: [127.0.0.1] => (item={'cmd': 'sed "s,bin/pkgin update,bin/pkgin -y update," /usr/bootstrap.sh'})
   changed: [127.0.0.1] => (item={'cmd': 'chmod -w /usr/bootstrap.sh'})
   
   TASK: [Install pkgin via /usr/bootstrap.sh] ********************* 
   changed: [127.0.0.1] => (item={'cmd': u'env PATH=/usr/sbin:${PATH} /usr/bootstrap.sh binpkg'})
   
   TASK: [Copy over Ansible binary package] ********************* 
   changed: [127.0.0.1]
   
   TASK: [Install Ansible dependencies] ********************* 
   changed: [127.0.0.1]
   
   TASK: [Install Ansible package (manually)] ********************* 
   changed: [127.0.0.1]
   
   TASK: [Setup lame /usr/bin/python symlink] ********************* 
   changed: [127.0.0.1]
   
   PLAY RECAP ********************* 
   127.0.0.1                      : ok=9    changed=9    unreachable=0    failed=0    
   

   We now have a EC2 instance running that has Ansible installed:

   % euca-describe-instances
   RESERVATION     r-d77272ad      749335780469    ec2-webservers
   INSTANCE        i-9fafc2f2      ami-5d0f8034    ec2-107-22-69-112.compute-1.amazonaws.com ...
   

6. With this EC2 instance, we can do some basic preparations for our standards, e.g. a login without requiring root (and while there, actually disable allowing as root), setup sudo and a proper shell:

   % env ANSIBLE_HOSTS=./ec2.py ansible-playbook config-ec2-basic.yml
   
   PLAY [security_group_ec2-webservers] ********************* 
   
   TASK: [ping] ********************* 
   ok: [ec2-107-22-69-112.compute-1.amazonaws.com]
   
   TASK: [Install tcsh] ********************* 
   changed: [ec2-107-22-69-112.compute-1.amazonaws.com]
   
   TASK: [Add user feyrer] ********************* 
   changed: [ec2-107-22-69-112.compute-1.amazonaws.com]
   
   TASK: [Create ~feyrer/.ssh directory] ********************* 
   changed: [ec2-107-22-69-112.compute-1.amazonaws.com]
   
   TASK: [Enable ssh login with ssh-key] ********************* 
   changed: [ec2-107-22-69-112.compute-1.amazonaws.com]
   
   TASK: [Install sudo] ********************* 
   changed: [ec2-107-22-69-112.compute-1.amazonaws.com]
   
   TASK: [Enable PW-less sudo-access for everyone in group 'wheel'] ********************* 
   changed: [ec2-107-22-69-112.compute-1.amazonaws.com]
   
   TASK: [Disable ssh logins as root] ********************* 
   ok: [ec2-107-22-69-112.compute-1.amazonaws.com]
   
   PLAY RECAP ********************* 
   ec2-107-22-69-112.compute-1.amazonaws.com : ok=8    changed=6    unreachable=0    failed=0    
   

   Let's have a look if things actually work:

   % ssh 107.22.69.112 id
   uid=1000(feyrer) gid=100(users) groups=100(users),0(wheel)
   % ssh ec2-107-22-69-112.compute-1.amazonaws.com id
   uid=1000(feyrer) gid=100(users) groups=100(users),0(wheel)
   % ssh ec2-107-22-69-112.compute-1.amazonaws.com sudo id
   uid=0(root) gid=0(wheel) groups=0(wheel),2(kmem),3(sys),4(tty),5(operator),20(staff),31(guest)
   

7. Next, install database software and import our demo database, just as we did in out local VM:

   % env ANSIBLE_HOSTS=./ec2.py ansible-playbook config-ec2-dbserver.yml
   
   PLAY [security_group_ec2-webservers] ********************* 
   
   TASK: [Install mysql] ********************* 
   changed: [ec2-107-22-69-112.compute-1.amazonaws.com]
   
   TASK: [Install MySQL rc.d script] ********************* 
   changed: [ec2-107-22-69-112.compute-1.amazonaws.com]
   
   TASK: [Start MySQL service] ********************* 
   changed: [ec2-107-22-69-112.compute-1.amazonaws.com]
   
   TASK: [Install python-mysqldb (for mysql_user module)] ********************* 
   changed: [ec2-107-22-69-112.compute-1.amazonaws.com]
   
   TASK: [Setup DB] ********************* 
   changed: [ec2-107-22-69-112.compute-1.amazonaws.com]
   
   TASK: [Add db-user] ********************* 
   changed: [ec2-107-22-69-112.compute-1.amazonaws.com]
   
   TASK: [Copy over DB template] ********************* 
   changed: [ec2-107-22-69-112.compute-1.amazonaws.com]
   
   TASK: [Import DB data] ********************* 
   changed: [ec2-107-22-69-112.compute-1.amazonaws.com]
   
   PLAY RECAP ********************* 
   ec2-107-22-69-112.compute-1.amazonaws.com : ok=8    changed=8    unreachable=0    failed=0    
   

   Again, let's see if everything works as expected:

   % ssh ec2-107-22-69-112.compute-1.amazonaws.com
   ...
   ip-10-202-65-196: {1} mysql -u webapp -p webapp
   Enter password: ******
   ...
   mysql> show tables;
   +------------------+
   | Tables_in_webapp |
   +------------------+
   | names            |
   +------------------+
   1 row in set (0.00 sec)
   
   mysql> select * from names;
   +----+--------+------+
   | id | first  | last |
   +----+--------+------+
   |  1 | Donald | Duck |
   |  2 | Daisy  | Duck |
   +----+--------+------+
   2 rows in set (0.00 sec)
   
   mysql> exit
   Bye
   ip-10-202-65-196: {2} exit
   logout
   Connection to ec2-107-22-69-112.compute-1.amazonaws.com closed.
   

8. Last, add Apache+PHP and our small demo web-application:

     
   % env ANSIBLE_HOSTS=./ec2.py ansible-playbook config-ec2-webserver.yml
   
   PLAY [security_group_ec2-webservers] ********************* 
   
   TASK: [Installing ap24-php53 package and dependencies] ********************* 
   changed: [ec2-107-22-69-112.compute-1.amazonaws.com]
   
   TASK: [Install Apache rc.d script] ********************* 
   changed: [ec2-107-22-69-112.compute-1.amazonaws.com]
   
   TASK: [Enable and start Apache service] ********************* 
   changed: [ec2-107-22-69-112.compute-1.amazonaws.com]
   
   TASK: [Enable PHP in Apache config file] ********************* 
   changed: [ec2-107-22-69-112.compute-1.amazonaws.com] => (item={'re': 'LoadModule.*mod_php5.so', 'l': 'LoadModule php5_module lib/httpd/mod_php5.so'})
   changed: [ec2-107-22-69-112.compute-1.amazonaws.com] => (item={'re': 'AddHandler.*x-httpd-php', 'l': 'AddHandler application/x-httpd-php .php'})
   
   TASK: [Make Apache read index.php] ********************* 
   changed: [ec2-107-22-69-112.compute-1.amazonaws.com]
   
   TASK: [Add simple PHP test - see http://10.0.0.181/phptest.php] ********************* 
   changed: [ec2-107-22-69-112.compute-1.amazonaws.com]
   
   TASK: [Install phpmyadmin] ********************* 
   changed: [ec2-107-22-69-112.compute-1.amazonaws.com]
   
   TASK: [Enable phpmyadmin in Apache config] ********************* 
   changed: [ec2-107-22-69-112.compute-1.amazonaws.com]
   
   TASK: [Fix Apache access control for phpmyadmin] ********************* 
   changed: [ec2-107-22-69-112.compute-1.amazonaws.com]
   
   TASK: [Enable PHP modules in PHP config file] ********************* 
   changed: [ec2-107-22-69-112.compute-1.amazonaws.com] => (item={'re': '^extension.*zlib.so', 'l': 'extension=zlib.so'})
   changed: [ec2-107-22-69-112.compute-1.amazonaws.com] => (item={'re': '^extension.*zip.so', 'l': 'extension=zip.so'})
   changed: [ec2-107-22-69-112.compute-1.amazonaws.com] => (item={'re': '^extension.*mysqli.so', 'l': 'extension=mysqli.so'})
   changed: [ec2-107-22-69-112.compute-1.amazonaws.com] => (item={'re': '^extension.*mysql.so', 'l': 'extension=mysql.so'})
   changed: [ec2-107-22-69-112.compute-1.amazonaws.com] => (item={'re': '^extension.*mcrypt.so', 'l': 'extension=mcrypt.so'})
   changed: [ec2-107-22-69-112.compute-1.amazonaws.com] => (item={'re': '^extension.*mbstring.so', 'l': 'extension=mbstring.so'})
   changed: [ec2-107-22-69-112.compute-1.amazonaws.com] => (item={'re': '^extension.*json.so', 'l': 'extension=json.so'})
   changed: [ec2-107-22-69-112.compute-1.amazonaws.com] => (item={'re': '^extension.*gd.so', 'l': 'extension=gd.so'})
   changed: [ec2-107-22-69-112.compute-1.amazonaws.com] => (item={'re': '^extension.*gettext.so', 'l': 'extension=gettext.so'})
   changed: [ec2-107-22-69-112.compute-1.amazonaws.com] => (item={'re': '^extension.*bz2.so', 'l': 'extension=bz2.so'})
   
   TASK: [Create directory for webapp] ********************* 
   changed: [ec2-107-22-69-112.compute-1.amazonaws.com]
   
   TASK: [Deploy example webapp] ********************* 
   changed: [ec2-107-22-69-112.compute-1.amazonaws.com]
   
   TASK: [Create webapp symlink for easy access] ********************* 
   changed: [ec2-107-22-69-112.compute-1.amazonaws.com]
   
   NOTIFIED: [restart apache] ********************* 
   changed: [ec2-107-22-69-112.compute-1.amazonaws.com]
   
   PLAY RECAP ********************* 
   ec2-107-22-69-112.compute-1.amazonaws.com : ok=14   changed=14   unreachable=0    failed=0    
   

9. Test!

   % links -dump http://ec2-107-22-69-112.compute-1.amazonaws.com/
                                      It works!
   
   % links -dump http://ec2-107-22-69-112.compute-1.amazonaws.com/phptest.php
      PHP Logo                                                                   
                                                                                 
                                  PHP Version 5.3.17                             
   
      System          NetBSD ip-10-202-65-196.ec2.internal 6.0.1 NetBSD 6.0.1    
                      (XEN3PAE_DOMU) i386                                        
      Build Date      Dec 14 2012 10:31:13                                       
   ...
   
   % links -dump http://ec2-107-22-69-112.compute-1.amazonaws.com/webapp/
      Showing table hf.names:
   
      +--------------------+
      | id | first  | last |
      |----+--------+------|
      | 1  | Donald | Duck |
      |----+--------+------|
      | 2  | Daisy  | Duck |
      +--------------------+
   
        ----------------------------------------------------------------------
   
      Enter new values:
   
      first:     _____________________ 
      last:      _____________________ 
      [ Submit ] 
   

10. At this point, everything is setup and can be enjoyed. If the instance is needed no longer, it can be terminated:

    % euca-describe-instances
    RESERVATION     r-d77272ad      749335780469    ec2-webservers
    INSTANCE        i-9fafc2f2      ami-5d0f8034    ec2-107-22-69-112.compute-1.amazonaws.com       ...
    % euca-terminate-instances i-9fafc2f2
    INSTANCE        i-9fafc2f2
    % euca-describe-instances
    RESERVATION     r-d77272ad      749335780469    ec2-webservers
    INSTANCE        i-9fafc2f2      ami-5d0f8034                    terminated      eucaHF  ...
    

Shameless plug: I'll talk about the ansible and euca2ools packages at pkgsrcCon 2013 in Berlin. Join in if you're curious about what the actual playbooks used in the above examples look like!

[Tags: amazon, ansible, apache, ec2, mysql, php, xen]

Now the next step is to replace the VM with an Amazon EC2 instance. I have previously written about how to manage Amazon/EC2 NetBSD instances, and here are the steps that I make to first prepare an EC2 instance with NetBSD and Ansible, and then use a regular Ansible playbook to talk to all my EC2 instances. Note that the connection between the machines setup via euca2ools and ansible is in the security group names. In this case, the security group "ec2-webservers" is assumed to exist.

1. Make sure SSH agent runs and has the EC2 SSH-key added:

   % ssh-add -l
   Could not open a connection to your authentication agent.
   % eval `ssh-agent`
   Agent pid 9304
   % ssh-add -l
   The agent has no identities.
   % ssh-add .../key-ec2HF.pem 
   Identity added: ../../euca2ools/key-ec2HF.pem (../../euca2ools/key-ec2HF.pem)
   % ssh-add -l
   2048 d5:25:19:3d:59:40:35:32:03:f7:c5:83:de:19:b6:d0 ../../euca2ools/key-ec2HF.pem (RSA)
   % 
   

2. When using a VM to talk to EC2, pay special attention that it has the correct time, else funny things will happen:

   % date
   Sun Mar 10 14:42:33 CET 2013
   

3. Setup the ec2-webservers security (firewall) group. This is used both when creating the EC2 instances, and when accessing them. It's the link between EC2 and Ansible's ec2.py script.

   % euca-add-group -d 'Web servers' ec2-webservers
   % euca-authorize -P tcp -p 80-80 -s 0.0.0.0/0 ec2-webservers
   % euca-authorize -P tcp -p 22-22 -s 0.0.0.0/0 ec2-webservers
   % euca-authorize -P icmp -s 0.0.0.0/0 ec2-webservers
   % 
   % euca-describe-groups
   GROUP   sg-a854b3c3     749335780469    ec2-webservers  Web servers
   PERMISSION      749335780469    ec2-webservers  ALLOWS  tcp     22      22     FROM     CIDR    0.0.0.0/0
   PERMISSION      749335780469    ec2-webservers  ALLOWS  tcp     80      80     FROM     CIDR    0.0.0.0/0
   PERMISSION      749335780469    ec2-webservers  ALLOWS  icmp    -1      -1     FROM     CIDR    0.0.0.0/0
   

4. List out EC2 instances:

   % euca-describe-instances
   % 
   

   None so far.

5. Let's use our playbook to prepare our first EC2 instance:

   % ansible-playbook -i hosts-HF config-ec2-prepare1vm.yml
   
   PLAY [localhost] ********************* 
   
   TASK: [Launch new EC2 instance] ********************* 
   changed: [127.0.0.1]
   
   TASK: [Give the system 30 seconds to boot up] ********************* 
   changed: [127.0.0.1]
   
   TASK: [Get rid of SSH "Are you sure you want to continue connecting (yes/no)?" query] ********************* 
   changed: [127.0.0.1]
   
   TASK: [Fix /usr/bootstrap.sh to run pkgin with -y] ********************* 
   changed: [127.0.0.1] => (item={'cmd': 'install /usr/bootstrap.sh /usr/bootstrap.sh.orig'})
   changed: [127.0.0.1] => (item={'cmd': 'chmod +w /usr/bootstrap.sh'})
   changed: [127.0.0.1] => (item={'cmd': 'sed "s,bin/pkgin update,bin/pkgin -y update," </usr/bootstrap.sh.orig >/usr/bootstrap.sh'})
   changed: [127.0.0.1] => (item={'cmd': 'chmod -w /usr/bootstrap.sh'})
   
   TASK: [Install pkgin via /usr/bootstrap.sh] ********************* 
   changed: [127.0.0.1] => (item={'cmd': u'env PATH=/usr/sbin:${PATH} /usr/bootstrap.sh binpkg'})
   
   TASK: [Copy over Ansible binary package] ********************* 
   changed: [127.0.0.1]
   
   TASK: [Install Ansible dependencies] ********************* 
   changed: [127.0.0.1]
   
   TASK: [Install Ansible package (manually)] ********************* 
   changed: [127.0.0.1]
   
   TASK: [Setup lame /usr/bin/python symlink] ********************* 
   changed: [127.0.0.1]
   
   PLAY RECAP ********************* 
   127.0.0.1                      : ok=9    changed=9    unreachable=0    failed=0    
   
   
   % 
   

6. There we go. Let's list it:

   % euca-describe-instances
   RESERVATION     r-bb3b6ac1      749335780469    ec2-webservers
   INSTANCE        i-2cb9a45f      ami-a754dbce    ec2-54-234-59-5.compute-1.amazonaws.com \
   	ip-10-243-150-74.ec2.internal   running ec2HF  0               t1.micro        \
   	2013-03-10T13:47:32.000Z        us-east-1a      aki-825ea7eb                    \
   	monitoring-disabled     54.234.59.5     10.243.150.74                   ebs                                                                     
   % 
   

7. That worked - excellent! Let's add a few more, just for kicks:

   % ansible-playbook -i hosts-HF config-ec2-prepare1vm.yml >&/dev/null & 
   % ansible-playbook -i hosts-HF config-ec2-prepare1vm.yml >&/dev/null & 
   % ansible-playbook -i hosts-HF config-ec2-prepare1vm.yml >&/dev/null & 
   % ansible-playbook -i hosts-HF config-ec2-prepare1vm.yml >&/dev/null & 
   % ansible-playbook -i hosts-HF config-ec2-prepare1vm.yml >&/dev/null & 
   % 
   
   <...wait...>
   
   % euca-describe-instances
   RESERVATION     r-bb3b6ac1      749335780469    ec2-webservers
   INSTANCE        i-2cb9a45f      ami-a754dbce    ec2-54-234-59-5.compute-1.amazonaws.com \
   	ip-10-243-150-74.ec2.internal   running ec2HF  0               t1.micro        \
   	2013-03-10T13:47:32.000Z        us-east-1a      aki-825ea7eb                    \
   	monitoring-disabled     54.234.59.5     10.243.150.74                   ebs                                                                     
   RESERVATION     r-8b3c6df1      749335780469    ec2-webservers
   INSTANCE        i-7cb5a80f      ami-a754dbce    ec2-23-20-42-71.compute-1.amazonaws.com \
   	ip-10-203-73-195.ec2.internal   running ec2HF  0               t1.micro        \
   	2013-03-10T13:50:48.000Z        us-east-1a      aki-825ea7eb                    \
   	monitoring-disabled     23.20.42.71     10.203.73.195                   ebs                                                                     
   RESERVATION     r-733f6e09      749335780469    ec2-webservers
   INSTANCE        i-42b5a831      ami-a754dbce    ec2-23-20-87-176.compute-1.amazonaws.com        \
   	ip-10-116-37-145.ec2.internal   running ec2HF  0               t1.micro        \
   	2013-03-10T13:50:54.000Z        us-east-1a      aki-825ea7eb                    \
   	monitoring-disabled     23.20.87.176    10.116.37.145                   ebs                                                                     
   RESERVATION     r-713f6e0b      749335780469    ec2-webservers
   INSTANCE        i-40b5a833      ami-a754dbce    ec2-54-242-254-237.compute-1.amazonaws.com      \
   	ip-10-195-47-153.ec2.internal   running ec2HF  0               t1.micro        \
   	2013-03-10T13:50:54.000Z        us-east-1a      aki-825ea7eb                    \
   	monitoring-disabled     54.242.254.237  10.195.47.153                   ebs                                                                     
   RESERVATION     r-773f6e0d      749335780469    ec2-webservers
   INSTANCE        i-46b5a835      ami-a754dbce    ec2-54-235-232-227.compute-1.amazonaws.com      \
   	ip-10-194-7-72.ec2.internal     running ec2HF  0               t1.micro        \
   	2013-03-10T13:50:54.000Z        us-east-1a      aki-825ea7eb                    \
   	monitoring-disabled     54.235.232.227  10.194.7.72                     ebs                                                                     
   RESERVATION     r-b72475cd      749335780469    ec2-webservers
   INSTANCE        i-b2adb0c1      ami-a754dbce    ec2-50-16-129-62.compute-1.amazonaws.com        \
   	domU-12-31-39-14-C6-CB.compute-1.internal       running ec2HF  0               t1.micro        \
   	2013-03-10T13:55:24.000Z        us-east-1d      aki-825ea7eb                    \
   	monitoring-disabled     50.16.129.62    10.206.197.53                   ebs                                                                     
   % 
   

8. Let's talk to our EC2 instances now. For that, we use the ec2.py script, which enumerates all instances:

   % ./ec2.py --list
   {
     "i-2cb9a45f": [
       "ec2-54-234-59-5.compute-1.amazonaws.com"
     ], 
     "i-40b5a833": [
       "ec2-54-242-254-237.compute-1.amazonaws.com"
     ], 
     "i-42b5a831": [
       "ec2-23-20-87-176.compute-1.amazonaws.com"
     ], 
     "i-46b5a835": [
       "ec2-54-235-232-227.compute-1.amazonaws.com"
     ], 
     "i-7cb5a80f": [
       "ec2-23-20-42-71.compute-1.amazonaws.com"
     ], 
     "i-b2adb0c1": [
       "ec2-50-16-129-62.compute-1.amazonaws.com"
     ], 
     "key_ec2HF": [
       "ec2-54-234-59-5.compute-1.amazonaws.com", 
       "ec2-23-20-42-71.compute-1.amazonaws.com", 
       "ec2-23-20-87-176.compute-1.amazonaws.com", 
       "ec2-54-242-254-237.compute-1.amazonaws.com", 
       "ec2-54-235-232-227.compute-1.amazonaws.com", 
       "ec2-50-16-129-62.compute-1.amazonaws.com"
     ], 
     "security_group_ec2-webservers": [
       "ec2-54-234-59-5.compute-1.amazonaws.com", 
       "ec2-23-20-42-71.compute-1.amazonaws.com", 
       "ec2-23-20-87-176.compute-1.amazonaws.com", 
       "ec2-54-242-254-237.compute-1.amazonaws.com", 
       "ec2-54-235-232-227.compute-1.amazonaws.com", 
       "ec2-50-16-129-62.compute-1.amazonaws.com"
     ], 
     "type_t1_micro": [
       "ec2-54-234-59-5.compute-1.amazonaws.com", 
       "ec2-23-20-42-71.compute-1.amazonaws.com", 
       "ec2-23-20-87-176.compute-1.amazonaws.com", 
       "ec2-54-242-254-237.compute-1.amazonaws.com", 
       "ec2-54-235-232-227.compute-1.amazonaws.com", 
       "ec2-50-16-129-62.compute-1.amazonaws.com"
     ], 
     "us-east-1": [
       "ec2-54-234-59-5.compute-1.amazonaws.com", 
       "ec2-23-20-42-71.compute-1.amazonaws.com", 
       "ec2-23-20-87-176.compute-1.amazonaws.com", 
       "ec2-54-242-254-237.compute-1.amazonaws.com", 
       "ec2-54-235-232-227.compute-1.amazonaws.com", 
       "ec2-50-16-129-62.compute-1.amazonaws.com"
     ], 
     "us-east-1a": [
       "ec2-54-234-59-5.compute-1.amazonaws.com", 
       "ec2-23-20-42-71.compute-1.amazonaws.com", 
       "ec2-23-20-87-176.compute-1.amazonaws.com", 
       "ec2-54-242-254-237.compute-1.amazonaws.com", 
       "ec2-54-235-232-227.compute-1.amazonaws.com"
     ], 
     "us-east-1d": [
       "ec2-50-16-129-62.compute-1.amazonaws.com"
     ]
   }
   

9. ec2.py can also give us information about one instance:

   % ./ec2.py --host ec2-54-234-59-5.compute-1.amazonaws.com
   {
     "ec2__in_monitoring_element": false, 
     "ec2_ami_launch_index": "0", 
     "ec2_architecture": "x86_64", 
     "ec2_client_token": "", 
     "ec2_dns_name": "ec2-54-234-59-5.compute-1.amazonaws.com", 
     "ec2_eventsSet": "", 
     "ec2_group_name": "", 
     "ec2_hypervisor": "xen", 
     "ec2_id": "i-2cb9a45f", 
     "ec2_image_id": "ami-a754dbce", 
     "ec2_instanceState": "", 
     "ec2_instance_type": "t1.micro", 
     "ec2_ip_address": "54.234.59.5", 
     "ec2_item": "", 
     "ec2_kernel": "aki-825ea7eb", 
     "ec2_key_name": "ec2HF", 
     "ec2_launch_time": "2013-03-10T13:47:32.000Z", 
     "ec2_monitored": false, 
     "ec2_monitoring": "", 
     "ec2_networkInterfaceSet": "", 
     "ec2_persistent": false, 
     "ec2_placement": "us-east-1a", 
     "ec2_platform": "", 
     "ec2_previous_state": "", 
     "ec2_private_dns_name": "ip-10-243-150-74.ec2.internal", 
     "ec2_private_ip_address": "10.243.150.74", 
     "ec2_public_dns_name": "ec2-54-234-59-5.compute-1.amazonaws.com", 
     "ec2_ramdisk": "", 
     "ec2_reason": "", 
     "ec2_region": "us-east-1", 
     "ec2_requester_id": "", 
     "ec2_root_device_name": "/dev/sda1", 
     "ec2_root_device_type": "ebs", 
     "ec2_security_group_ids": "sg-a854b3c3", 
     "ec2_security_group_names": "ec2-webservers", 
     "ec2_shutdown_state": "", 
     "ec2_spot_instance_request_id": "", 
     "ec2_state": "running", 
     "ec2_state_code": 16, 
     "ec2_state_reason": "", 
     "ec2_subnet_id": "", 
     "ec2_tenancy": "default", 
     "ec2_virtualization_type": "paravirtual", 
     "ec2_vpc_id": ""
   }
   

10. Now let's use a regular playbook with the ec2.py script to get a list of all instances in the 'ec2-webservers' group and then use ansible's ping module on all of them:

    % env ANSIBLE_HOSTS=./ec2.py ansible-playbook config-ec2-basic.yml
    
    PLAY [security_group_ec2-webservers] ********************* 
    
    GATHERING FACTS ********************* 
    ok: [ec2-50-16-129-62.compute-1.amazonaws.com]
    ok: [ec2-54-235-232-227.compute-1.amazonaws.com]
    ok: [ec2-23-20-42-71.compute-1.amazonaws.com]
    ok: [ec2-23-20-87-176.compute-1.amazonaws.com]
    ok: [ec2-54-242-254-237.compute-1.amazonaws.com]
    ok: [ec2-54-234-59-5.compute-1.amazonaws.com]
    
    TASK: [ping] ********************* 
    ok: [ec2-54-235-232-227.compute-1.amazonaws.com]
    ok: [ec2-50-16-129-62.compute-1.amazonaws.com]
    ok: [ec2-23-20-87-176.compute-1.amazonaws.com]
    ok: [ec2-23-20-42-71.compute-1.amazonaws.com]
    ok: [ec2-54-234-59-5.compute-1.amazonaws.com]
    ok: [ec2-54-242-254-237.compute-1.amazonaws.com]
    
    PLAY RECAP ********************* 
    ec2-23-20-42-71.compute-1.amazonaws.com : ok=2    changed=0    unreachable=0    failed=0    
    ec2-23-20-87-176.compute-1.amazonaws.com : ok=2    changed=0    unreachable=0    failed=0    
    ec2-50-16-129-62.compute-1.amazonaws.com : ok=2    changed=0    unreachable=0    failed=0    
    ec2-54-234-59-5.compute-1.amazonaws.com : ok=2    changed=0    unreachable=0    failed=0    
    ec2-54-235-232-227.compute-1.amazonaws.com : ok=2    changed=0    unreachable=0    failed=0    
    ec2-54-242-254-237.compute-1.amazonaws.com : ok=2    changed=0    unreachable=0    failed=0    
    
    
    % 
    

11. Finally, clean up and use euca-terminate-instance to delete all instances:

    % euca-describe-instances | grep INSTANCE | awk '{print $2}' | xargs -n 1 euca-terminate-instances
    INSTANCE        i-60829f13
    INSTANCE        i-2cb9a45f
    INSTANCE        i-7cb5a80f
    INSTANCE        i-42b5a831
    INSTANCE        i-40b5a833
    INSTANCE        i-46b5a835
    INSTANCE        i-b2adb0c1
    % euca-describe-instances
    RESERVATION     r-bb3b6ac1      749335780469    ec2-webservers
    INSTANCE        i-2cb9a45f      ami-a754dbce                    terminated      ec2HF  \
    	0               t1.micro        2013-03-10T13:47:32.000Z        us-east-1a      \
    	aki-825ea7eb                    monitoring-disabled                                     ebs                                                                     
    RESERVATION     r-8b3c6df1      749335780469    ec2-webservers
    INSTANCE        i-7cb5a80f      ami-a754dbce                    terminated      ec2HF  \
    	0               t1.micro        2013-03-10T13:50:48.000Z        us-east-1a      \
    	aki-825ea7eb                    monitoring-disabled                                     ebs                                                                     
    RESERVATION     r-733f6e09      749335780469    ec2-webservers
    INSTANCE        i-42b5a831      ami-a754dbce                    terminated      ec2HF  \
    	0               t1.micro        2013-03-10T13:50:54.000Z        us-east-1a      \
    	aki-825ea7eb                   monitoring-disabled                                     ebs                                                                     
    RESERVATION     r-713f6e0b      749335780469    ec2-webservers
    INSTANCE        i-40b5a833      ami-a754dbce                    terminated      ec2HF  \
    	0               t1.micro        2013-03-10T13:50:54.000Z        us-east-1a      \
    	aki-825ea7eb                    monitoring-disabled                                     ebs                                                                     
    RESERVATION     r-773f6e0d      749335780469    ec2-webservers
    INSTANCE        i-46b5a835      ami-a754dbce                    terminated      ec2HF  \
    	0               t1.micro        2013-03-10T13:50:54.000Z        us-east-1a      \
    	aki-825ea7eb                    monitoring-disabled                                     ebs                                                                     
    RESERVATION     r-b72475cd      749335780469    ec2-webservers
    INSTANCE        i-b2adb0c1      ami-a754dbce                    terminated      ec2HF  \
    	0               t1.micro        2013-03-10T13:55:24.000Z        us-east-1d      \
    	aki-825ea7eb                    monitoring-disabled                                     ebs                                                             
    % 
    

12. The terminated instances will be removed by EC2 eventually, and you can start all over.

Shameless plug: I'll talk about the ansible and euca2ools packages at pkgsrcCon 2013 in Berlin. Join in if you're curious about what the actual playbooks used in the above examples look like!

References: CapsUnlock blog post, CentOS Wiki.

[Tags: ansible, ec2, xen]

The documentation covers an introduction with a brief note on NPF's design followed by elements of a NPF configuration file. This is followed by instructions for dynamic rules, stateful filtering and network address translation (NAT). Further paragraphs describe the extension API, troubleshooting and appendixes with more information.

[Tags: nat, npf]

Here's a teaser:

1. Start EC2 instances, put them into ec2-webservers group. Repeat the following command for more than one instance:

   % ansible -i hosts-HF localhost -m ec2 -a 'image=ami-a754dbce instance_type=t1.micro \
   key_name=eucaHF group=ec2-webservers'
   

2. Prepare instances for Ansible (omitted - needs cleanup & automation)

3. Use Ansible to ping all servers in the ec2-webservers group:

   % env ANSIBLE_HOSTS=./ec2.py ansible-playbook config-ec2-basic.yml
   
   PLAY [security_group_ec2-webservers] ********************* 
   
   GATHERING FACTS ********************* 
   ok: [ec2-23-23-15-202.compute-1.amazonaws.com]
   ok: [ec2-54-235-230-206.compute-1.amazonaws.com]
   
   TASK: [ping] ********************* 
   ok: [ec2-23-23-15-202.compute-1.amazonaws.com]
   ok: [ec2-54-235-230-206.compute-1.amazonaws.com]
   
   PLAY RECAP ********************* 
   ec2-23-23-15-202.compute-1.amazonaws.com : ok=2    changed=0    unreachable=0    failed=0    
   ec2-54-235-230-206.compute-1.amazonaws.com : ok=2    changed=0    unreachable=0    failed=0    

• pkgsrc release engineering
• pkgsrc on SmartOS
• Mancoosi tools for the analysis and quality assurance of FOSS distributions
• Go On NetBSD
• Rehabilitating pkglint
• DeforaOS and pkgsrc (presentation with workshop)

The playbooks are too emberassing to publish, but here are the steps to get things going:

1. Setup NetBSD 6.0 with "base" and "etc" set, also add "pkgin" from menu
2. Allow root logins via ssh (for a start, will be changed later)
3. Install ansible-1.0nb1 binary package with all its depends
4. From a management station, run: ansible-playbook -k -i hosts-HF config-netbsd-basic.yml
5. Then, run: ansible-playbook -i hosts-HF config-netbsd-dbserver.yml
6. Last, run: ansible-playbook -i hosts-HF config-netbsd-webserver.yml

Now to tweak the ansible playbooks to look less ugly, use variables, and then separate database and webserver into two separate machines - all in preparation to move them into the Amazon EC2 cloud. Stay tuned!

For the record, here's a log of the three ansible playbooks above, starting from my basic NetBSD installation that already has pkgin and ansible:

% ansible-playbook -k -i hosts-HF config-netbsd-basic.yml
SSH password: 

PLAY [netbsd] ********************* 

GATHERING FACTS ********************* 
ok: [10.0.0.181]

TASK: [Install tcsh] ********************* 
changed: [10.0.0.181]

TASK: [Add user feyrer] ********************* 
changed: [10.0.0.181]

TASK: [Create ~feyrer/.ssh directory] ********************* 
changed: [10.0.0.181]

TASK: [Enable ssh login with ssh-key] ********************* 
changed: [10.0.0.181]

TASK: [Install sudo] ********************* 
changed: [10.0.0.181]

TASK: [Enable PW-less sudo-access for everyone in group 'wheel'] ********************* 
changed: [10.0.0.181]

TASK: [Disable ssh logins as root] ********************* 
changed: [10.0.0.181]

NOTIFIED: [restart sshd] ********************* 
changed: [10.0.0.181]

PLAY RECAP ********************* 
10.0.0.181                     : ok=9    changed=8    unreachable=0    failed=0    


% ansible-playbook    -i hosts-HF config-netbsd-dbserver.yml

PLAY [dbservers] ********************* 

GATHERING FACTS ********************* 
ok: [10.0.0.181]

TASK: [Install mysql] ********************* 
changed: [10.0.0.181]

TASK: [Install MySQL rc.d script] ********************* 
changed: [10.0.0.181]

TASK: [Start MySQL service] ********************* 
changed: [10.0.0.181]

TASK: [Install python-mysqldb (for mysql_user module)] ********************* 
changed: [10.0.0.181]

TASK: [Setup DB] ********************* 
changed: [10.0.0.181]

TASK: [Add db-user] ********************* 
changed: [10.0.0.181]

TASK: [Copy over DB template] ********************* 
changed: [10.0.0.181]

TASK: [Import DB data] ********************* 
changed: [10.0.0.181]

PLAY RECAP ********************* 
10.0.0.181                     : ok=9    changed=8    unreachable=0    failed=0    


%% ansible-playbook    -i hosts-HF config-netbsd-webserver.yml

PLAY [webservers] ********************* 

GATHERING FACTS ********************* 
ok: [10.0.0.181]

TASK: [Installing ap24-php53 package and dependencies] ********************* 
changed: [10.0.0.181]

TASK: [Install Apache rc.d script] ********************* 
changed: [10.0.0.181]

TASK: [Enable and start Apache service] ********************* 
changed: [10.0.0.181]

TASK: [Enable PHP in Apache config file] ********************* 
changed: [10.0.0.181] => (item={'re': 'LoadModule.*mod_php5.so', 'l': 'LoadModule php5_module lib/httpd/mod_php5.so'})
changed: [10.0.0.181] => (item={'re': 'AddHandler.*x-httpd-php', 'l': 'AddHandler application/x-httpd-php .php'})

TASK: [Make Apache read index.php] ********************* 
changed: [10.0.0.181]

TASK: [Add simple PHP test - see http://10.0.0.181/phptest.php] ********************* 
changed: [10.0.0.181]

TASK: [Install phpmyadmin] ********************* 
changed: [10.0.0.181]

TASK: [Enable phpmyadmin in Apache config] ********************* 
changed: [10.0.0.181]

TASK: [Enable PHP modules in PHP config file] ********************* 
changed: [10.0.0.181] => (item={'re': '^extension.*zlib.so', 'l': 'extension=zlib.so'})
changed: [10.0.0.181] => (item={'re': '^extension.*zip.so', 'l': 'extension=zip.so'})
changed: [10.0.0.181] => (item={'re': '^extension.*mysqli.so', 'l': 'extension=mysqli.so'})
changed: [10.0.0.181] => (item={'re': '^extension.*mysql.so', 'l': 'extension=mysql.so'})
changed: [10.0.0.181] => (item={'re': '^extension.*mcrypt.so', 'l': 'extension=mcrypt.so'})
changed: [10.0.0.181] => (item={'re': '^extension.*mbstring.so', 'l': 'extension=mbstring.so'})
changed: [10.0.0.181] => (item={'re': '^extension.*json.so', 'l': 'extension=json.so'})
changed: [10.0.0.181] => (item={'re': '^extension.*gd.so', 'l': 'extension=gd.so'})
changed: [10.0.0.181] => (item={'re': '^extension.*gettext.so', 'l': 'extension=gettext.so'})
changed: [10.0.0.181] => (item={'re': '^extension.*bz2.so', 'l': 'extension=bz2.so'})

TASK: [Fix Apache access control] ********************* 
changed: [10.0.0.181]

TASK: [Create directory for webapp] ********************* 
changed: [10.0.0.181]

TASK: [Deploy example webapp] ********************* 
changed: [10.0.0.181]

TASK: [Create webapp symlink for easy access] ********************* 
changed: [10.0.0.181]

NOTIFIED: [restart apache] ********************* 
changed: [10.0.0.181]

PLAY RECAP ********************* 
10.0.0.181                     : ok=15   changed=14   unreachable=0    failed=0    


% links -dump http://10.0.0.181/webapp/
   Showing table hf.names:

   +--------------------+
   | id | first  | last |
   |----+--------+------|
   | 1  | Donald | Duck |
   |----+--------+------|
   | 2  | Daisy  | Duck |
   +--------------------+

     ----------------------------------------------------------------------

   Enter new values:

   first:     _____________________ 
   last:      _____________________ 
   [ Submit ] 

% 

 ______________________ 
< TASK: [Install tcsh] >
 ---------------------- 
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||

changed: [10.0.0.181]

Playing with ansible, its "ec2" module came to my attention: it is intended to manage virtual machines in Amazon's EC2 cloud. The idea is that you describe a system with the property "needs to run in Amazon's cloud", and ansible then starts the machine if it isn't there already. In order to get to the point where this can be played with, a working version of the euca2ools package was required first.

Packaging was mostly a no-brainer, and a package is currently under review and will end up in pkgsrc eventually. The more interesting part was to verify if the pkg actually worked as expected. This proved tricky for two reasons: 1) my overall lack of how to use the Amazon AWS command line tools (ec2-ami-tools, ec2-api-tools), and 2) the fact that euca2ools is mostly written for the Eucalyptus Cloud infrastructure, which just happens to be compatible with Amazon AWS. To give future parties something to google, here are the steps that to fire up a NetBSD machine in the Amazon cloud.

How - Prerequirements

A login for Amazon Web Services (AWS) is required, of which the Elastic Cloud Computing (EC2) Xen infrastructure is a part of. I won't go into details of this, please see the NetBSD wiki or my article ``NetBSD in der Cloud'' in the German FreeX 5/2012 magazine, pages 58-63, for details.

Before starting, a few environment variables have to be filled with authentication information. Log into the Amazon AWS Console, click on your name in the upper right corner to get to the "Security Credentials" page, and create an access key if not already present. Get the acces key ID and the secret key, and put them into environment variables EC2_ACCESS_KEY and EC2_SECRET_KEY:

% setenv EC2_ACCESS_KEY "AKxxxxxxxxxxxxxxxxxx"
% setenv EC2_SECRET_KEY "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"

% setenv EC2_CERT         .../cert-XXX.pem
% setenv EC2_PRIVATE_KEY  .../pk-XXX.pem

% setenv EC2_URL          http://ec2.amazonaws.com
% setenv S3_URL           http://s3.amazonaws.com

So much for the preparations, let's dive into euca2ools.

List Regions and Availability Zones

Amazon's service offers is spread across many data centers across different regions of the world. The list of regions is available via the "euca-describe-regions" command:

% euca-describe-regions
REGION  eu-west-1       ec2.eu-west-1.amazonaws.com
REGION  sa-east-1       ec2.sa-east-1.amazonaws.com
REGION  us-east-1       ec2.us-east-1.amazonaws.com
REGION  ap-northeast-1  ec2.ap-northeast-1.amazonaws.com
REGION  us-west-2       ec2.us-west-2.amazonaws.com
REGION  us-west-1       ec2.us-west-1.amazonaws.com
REGION  ap-southeast-1  ec2.ap-southeast-1.amazonaws.com
REGION  ap-southeast-2  ec2.ap-southeast-2.amazonaws.com

% euca-describe-availability-zones
AVAILABILITYZONE        us-east-1a      available
AVAILABILITYZONE        us-east-1b      available
AVAILABILITYZONE        us-east-1c      available
AVAILABILITYZONE        us-east-1d      available

% euca-describe-availability-zones --region eu-west-1
AVAILABILITYZONE        eu-west-1a      available
AVAILABILITYZONE        eu-west-1b      available
AVAILABILITYZONE        eu-west-1c      available

% setenv EC2_URL http://ec2.eu-west-1.amazonaws.com
% euca-describe-availability-zones --region eu-west-1
AVAILABILITYZONE        eu-west-1a      available
AVAILABILITYZONE        eu-west-1b      available
AVAILABILITYZONE        eu-west-1c      available

Now that we have a basic overview of the cloud infrastructure with its regions and availability zones, the next questions are what hardware is available for running virtual machine instances on, and what operating systems can be put on.

Amazon lists available hardware configurations on their "instance types" web sites. Sizes range from Micro Instances with 613MB RAM, up to two CPU cores and no local harddisk (t1.micro) to Extra Large (XL) Instances with 15GB RAM, 8 CPU cores and 1.690 GB local harddisk. Many more configurations are available for situations that require much memory, much CPU, much IO, or do cluster computing with CPU and GPU.

As for the operating system and software to put on those virtual machine instances, there is a VERY wide choice available. The "euca-describe-images --all" command lists all available optione:

% euca-describe-images --all
...
IMAGE   ami-abd0d0df    101367081206/NetBSD-i386-6.0-20121015-1054 \
  101367081206    available       public          i386    machine \
  aki-64695810                    ebs
IMAGE   ami-7fc3c30b    101367081206/NetBSD-x86_64-6.0-20121014-1007 \
  101367081206    available       public          x86_64  machine \
  aki-62695816                    ebs
...

Note that the "euca-describe-images" command depends on the region setting, so you will get (and need) different output depending on the region that you intend your instances to run in.

Setup SSH Access

When starting a NetBSD AMI, access will be via SSH to the root account. For that, a SSH key pair needs to be created with the "euca-add-keypair" command. The command can write the private key to a local file, be sure to protect it properly - it will be the only way of access to the system! Other interesting commands when managing SSH keys are "euca-describe-keypairs" and "euca-delete-keypair":

% euca-describe-keypairs
% euca-add-keypair -f key-eucaHF.pem eucaHF
KEYPAIR eucaHF  b8:e9:05:7e:3a:df:c7:8e:eb:6e:8d:72:ff:77:68:01:e2:03:7e:3e
% euca-describe-keypairs
KEYPAIR eucaHF  b8:e9:05:7e:3a:df:c7:8e:eb:6e:8d:72:ff:77:68:01:e2:03:7e:3e
% euca-delete-keypair eucaHF
KEYPAIR eucaHF
% euca-describe-keypairs
%

% euca-add-keypair -f key-eucaHF.pem eucaHF
KEYPAIR eucaHF  9b:d4:15:09:bc:51:b1:76:5c:db:a3:93:52:f0:d8:08:87:a4:80:c7
% cat key-eucaHF.pem
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAn8rCLhqLyfke+NqeOkqb6BUIbfwBFm/9ddG8ghVt9CUmyKUMRrKFSyaTRreO
...
wA5a3XZuEFw83HdGrhaRgom2ZJ1SEk2889FpAA+yrhveKhDJIe6Zc2rM+crqUWBfnvs=
-----END RSA PRIVATE KEY-----

Now that everything is prepared, telling the cloud infrastructure to find physical hardware, put our preferred operating system on it, and start it is done with the "euca-run-instance" command:

% euca-run-instances -t t1.micro -k eucaHF ami-7fc3c30b
RESERVATION     r-2182506a      749335780469    default
INSTANCE        i-2ed60264      ami-7fc3c30b                    pending \
  eucaHF  0               t1.micro        2013-02-03T15:51:49.000Z        \
  us-east-1b      aki-62695816                    monitoring-disabled \
  ebs 

When the above command was started, this is a good time to go back to the Amazon AWS console and have a look at your instances - you will find the one listed above there now, too! Instead of the web-based console, the "euca-describe-instances" command can be used:

% euca-describe-instances
RESERVATION     r-2182506a      749335780469    default
INSTANCE        i-2ed60264      ami-7fc3c30b    ec2-54-228-22-143.compute.amazonaws.com       \
  ip-10-226-194-20.compute.internal     running eucaHF  0   \
  t1.micro        2013-02-03T15:51:49.000Z        us-east-1b \
  aki-62695816                    monitoring-disabled     \
  54.228.22.143   10.226.194.20                   ebs

To do so, we need the private key file created with the "euca-add-keypair" command, and the host name. The latter is available in the list of instances - be sure to use the one within the "compute.anazonaws.com" domain:

% ssh -i key-eucaHF.pem -l root ec2-54-228-22-143.compute.amazonaws.com
The authenticity of host 'ec2-54-228-22-143.compute.amazonaws.com (54.228.22.143)'
can't be established.
ECDSA key fingerprint is f7:a9:f6:21:fc:d2:0e:46:03:41:f8:d5:c1:72:92:28.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'ec2-54-228-22-143.compute.amazonaws.com,54.228.22.143' (ECDSA)
to the list of known hosts.
NetBSD 6.0 (XEN3_DOMU)
Welcome to NetBSD - Amazon EC2 image!

This system is running a snapshot of a stable branch of the NetBSD
operating system, adapted for running on the Amazon EC2 infrastructure.

The environment is very similar to one provided within a typical Xen domU
installation. It contains a small, autonomous environment (including a
compiler toolchain) that you can run to build your own system.

The file system is lightly populated so you have plenty of space to play with.
Should you need a src or pkgsrc tree, please use the "bootstrap" script found
under /usr to download them.  You can also use the script to set up
binary packages using "pkgin":

                /usr/bootstrap.sh [src|pkgsrc|binpkg]

This AMI sends email to the maintainer on first boot, to help get
an idea of what is in use at any given time.

You are encouraged to test this image as thoroughly as possible.  Should you
encounter any problem, please report it back to the development team using the
send-pr(1) utility (requires a working MTA).  If yours is not properly set up,
use the web interface at: http://www.NetBSD.org/support/send-pr.html

Thank you for helping us test and improve NetBSD's quality!
Terminal type is vt220.
We recommend that you create a non-root account and use su(1) for root access.
ip-10-226-194-20# uname -a
NetBSD ip-10-226-194-20.compute.internal 6.0 NetBSD 6.0 (XEN3_DOMU) amd64
ip-10-226-194-20# exit

One word of warning at this point: Amazon AWS is not for free (as you should be aware from the Preparations step). If you do not need machines any more, be sure to remove them from the cluster, else this may drive up your bill for nothing! You can use the "euca-terminate-instances" command to do just that:

% euca-terminate-instances i-2ed60264
INSTANCE        i-2ed60264

What's next?

As stated above, the whole goal of this exercise is to manage Amazon EC2 images from ansible. Weekend's mostly over and we will see where this journey is going. For the time being, I'm happy to hear about any comments of you using NetBSD on Amazon's EC2, and of my euca2ools package.

Appendix: euca2ools Cheat Sheet

Environment variables:
  setenv EC2_ACCESS_KEY "AKxxxxxxxxxxxxxxxxxx"
  setenv EC2_SECRET_KEY "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
  setenv EC2_CERT         .../cert-XXX.pem
  setenv EC2_PRIVATE_KEY  .../pk-XXX.pem
  setenv EC2_URL          http://ec2.amazonaws.com
  setenv S3_URL           http://s3.amazonaws.com

Regions & availability zones:
  euca-describe-regions
  euca-describe-availability-zones
  euca-describe-availability-zones --region eu-west-1
Change default region:
  setenv EC2_URL		http://ec2.eu-west-1.amazonaws.com

AMIs:
  euca-describe-images --all

SSH Keypairs:
  euca-add-keypair		-f key-eucaHF.pem eucaHF
  euca-describe-keypairs	
  euca-delete-keypair		eucaHF

Instances:
  euca-run-instances -k eucaHF ami-7fc3c30b
  euca-describe-instances
  euca-describe-instances i-96a773dc
  ssh -i key-eucaHF.pem ec2-54-328-43-220.compute.amazonaws.com -l root
  euca-terminate-instances i-96a773dc

I'm aware that this may cause some distress, and I'm curious to hear your opinion - mail me at the above address (or drop me a line on FB :-).

Also: FB is the only of those apps that I really use these days - I do not currently have plans to add any others. Again, if I'm flooded with pleas, this can be changed. It may actually save me from logging e.g. into Google+ and Twitter to share things there. What do you think?

[Tags: facebook, hubertf]

There are a bunch of new modules in version 1.0, and probably the most exciting one is a "pkgin" module that allows adding and deleting packages:

vmnetbsd6% pkg_info -e figlet
vmnetbsd6% ansible -soi work/ansible/hosts.HF all -m pkgin -a "name=figlet state=absent"
127.0.0.1 | success >> {"changed": false, "msg": "package(s) already absent"}

vmnetbsd6% pkg_info -e figlet
vmnetbsd6% ansible -soi work/ansible/hosts.HF all -m pkgin -a "name=figlet state=present"
127.0.0.1 | success >> {"changed": true, "msg": "present 1 package(s)"}

vmnetbsd6% pkg_info -e figlet
figlet-2.2.5
vmnetbsd6% ansible -soi work/ansible/hosts.HF all -m pkgin -a "name=figlet state=absent"
127.0.0.1 | success >> {"changed": true, "msg": "removed 1 package(s)"}

vmnetbsd6% pkg_info -e figlet
vmnetbsd6% 

I've mused a lot about the transition from system planning over system setup to system operation recently. Different kinds of databases may be involved, that serve different purposes: On the planning end, topics like version management, license management, life cycle management and enterprise architecture management come into play. When this transits into operation, other aspects like system and network configuration get more important, while others fade away.

At the end, someone or something has to make adjustments to systems in order to get them into service, and keep them there. This is either done with a lot of manual labor to keep documentation (CMDB, or whatever serves) and the systems in sync, or - more likely - documentation will grow stale quickly and rot away.

With a growing set of hosts, the latter is not an option, and transparency becomes increasingly important. This is where system "orchestration" tools like cfengine, puppet, chef and ansible come into play. You write a system definition there, and the machine is configured according to this definition automatically: Configuration files can be adjusted, accounts created, software packages installed, services enabled, etc.

System Orchestration Alternatives

Looking at the state of affairs, many people seem to be fond of Puppet these days. This comes with a pretty long list of dependencies (and thus complexity to maintain), and configuration files have to be written in Ruby (which I don't know). So I chose Ansible as alternative to investigate - it comes with very little overhead (no separate daemon on neither the central machine nor any of the configured systems, just using SSH) and its own "Playbook" language seems easy enough to start with, yet complete enough to be used in large environments (as the list of customers listed on the homepage shows).

Packaging Ansible, First Try

My first try to get going with Ansible on NetBSD was to use the version 0.9 archive available, instead of using a GIT checkout. The included (GNU) Makefile tries to determine the version from the git checkout. Which the archive is not. Using information not available in the archive either. Checking if the source code was checked out from GIT by looking if there's a git binary available is not the best idea here, and so I dropped the ball, cursing the fact that not all the world is Linux. Sort of.

Looking briefly at a fresh git checkout that this worked there, but as NetBSD's pkgsrc doesn't support git checkouts (yet, as far as I know?), I moved back to the 0.9 archive.

Packaging Ansible, Second Try

Leaving out the git-based version games, the next fun was to get the Python setup script to install the files in the right place. Having missed much pkgsrc development recently, and not being into Python either way, this proved unneccessary - Joerg Sonnenberg pointed me at existing pkgsrc infrastructure for Python programs, and with them the program was packaged successfully in no time. For now, the package is available on my website, I'll look into review and import into pkgsrc next.

Ansible on NetBSD - What Works, And What Needs More Work

Modules tested successfully on NetBSD 6:

• ping
• command
• copy
• facter
• group add/delete
• mysql_db add/delete
• user add/delete (without system=true)

• user add/delete (with system=true)
• service (needs work)

Examples: Ansible On NetBSD

Here's an example session with basic operation:

% cat work/ansible/hosts.HF
#127.0.0.1 ansible_python_interpreter=/usr/pkg/bin/python2.7
127.0.0.1
    
% ansible -i work/ansible/hosts.HF -s all -m ping
  127.0.0.1 | success >> {  
    "changed": false,
    "ping": "pong"
  }

% finger testuser
finger: testuser: no such user

% ansible -i work/ansible/hosts.HF -s all -m user -a "name=testuser state=present"
127.0.0.1 | success >> {
    "changed": true, 
    "comment": "", 
    "createhome": true, 
    "group": 100, 
    "home": "/home/testuser", 
    "name": "testuser", 
    "shell": "/bin/sh", 
    "state": "present", 
    "system": false, 
    "uid": 1005
}

% finger testuser
Login: testuser                         Name: 
Directory: /home/testuser               Shell: /bin/sh
Never logged in.
No Mail.
No Plan.

% ansible -i work/ansible/hosts.HF -s all -m user -a "name=testuser state=absent"
127.0.0.1 | success >> {
    "changed": true, 
    "force": false, 
    "name": "testuser", 
    "remove": false, 
    "state": "absent"
}

% finger testuser
finger: testuser: no such user

The conference was about hardware hacking, and the talk shows how to use NetBSD as base for a handheld environment, including hardware platforms as well as drivers for touchscreens, GPS and GSM.

An excellent ressource for people interested in NetBSD as base for a mobile platform!

[Tags: ehsm, presentations]

There is also this posting on the port-arm mailinglist that gives details on an updates kernel image, Xorg.conf file to get X going and more news hidden in that thread. Anyone up for compiling a comprehensive NetBSD/RaspberryPi webpage, maybe on the NetBSD Wiki?

[Tags: arm, dmesg, raspberrypi]

• Improving network stack concurrency and performance.
• Development of modern file systems and improvement of existing ones.
• Features which are useful in embedded environments, such as high resolution timers and execute in place (XIP) support.
• Automatic testing and quality assurance.

To save you from searching, here is the list of relevant changes from the release notes:

Complete source and binaries for NetBSD 6.0.1 are available for download at many sites around the world. A list of download sites providing FTP, AnonCVS, SUP, and other services may be found at http://www.NetBSD.org/mirrors/.

P.S.: Don't miss out on the end of NetBSD 2012 fundraise!

[Tags: Release, Security]

P.S.: Any volunteers to put blosxom into pkgsrc?

[Tags: blosxom, hubertf]

1. a presentation
2. an article

Very well seconded!

[Tags: Release]

The NetBSD Project is pleased to announce NetBSD 6.0, the fourteenth
major release of the NetBSD operating system. Changes from the
previous release include scalability improvements on multi-core
systems, many new and updated device drivers, Xen and MIPS port
improvements, and brand new features such as a new packet filter.

Some NetBSD 6.0 highlights are: support for thread-local storage
(TLS), Logical Volume Manager (LVM) functionality, rewritten disk
quota subsystem, new subsystems to handle flash devices and NAND
controllers, an experimental CHFS file system designed for flash
devices, support for Multiprotocol Label Switching (MPLS) protocol,
and more. This release also introduces NPF - a new packet filter,
designed with multi-core systems in mind, which can do TCP/IP traffic
filtering, stateful inspection, and network address translation (NAT).

In addition to many other features, NetBSD 6.0 includes significant
developments in various ports. Some highlights:

o SMP support for Xen domU kernels, initial suspend/resume support for
  Xen domU, PCI pass-through support for Xen3, and addition of the
  balloon driver.

o Major rework of MIPS port adding support for SMP and 64-bit (O32,
  N32, N64 ABIs are supported) processors, DSP v2 ASE extension, various
  NetLogic/RMI processor models, Loongson family processors, and new SoC
  boards.

o Improved SMP on PowerPC port and added support for Book E Freescale
  MPC85xx (e500 core) processors.

o ARM has gained support for Cortex-A8 processors, various new SoCs,
  and initial support for Raspberry Pi. Full support for Raspberry Pi
  and major ARM improvements to come in a future NetBSD release.

o time_t is now a 64-bit quantity on all NetBSD ports. This means that
  the NetBSD world no longer ends in 2037.

Please read the release notes for a full list of changes in NetBSD 6.0:

http://www.NetBSD.org/releases/formal-6/NetBSD-6.0.html

The generous donations of companies and individuals to the NetBSD
Foundation in previous years has enabled TNF to sponsor some exciting
developments in NetBSD 6.0, including the Xen DOMU multiprocessor
support. See our donations page for information about how you or your
company can donate to help sponsor future projects!  Complete source
and binaries for NetBSD 6.0 are available for download at many sites
around the world. A list of download sites providing FTP, AnonCVS,
SUP, and other services may be found at:

http://www.NetBSD.org/mirrors/

We encourage users who wish to install via ISO or USB disk images to
download via BitTorrent by using the torrent files supplied in the
images area. A list of hashes for the NetBSD 6.0 distribution has been
signed with the well-connected PGP key for the NetBSD Security
Officer:

ftp://ftp.NetBSD.org/pub/NetBSD/security/hashes/NetBSD-6.0_hashes.asc

NetBSD is free. All of the code is under non-restrictive licenses, and
may be used without paying royalties to anyone. Free support services
are available via our mailing lists and website. Commercial support is
available from a variety of sources. More extensive information on
NetBSD is available from our website:

http://www.NetBSD.org/

Dedication 
----------

NetBSD 6.0 is dedicated to the memory of Allen Briggs, who
passed away in March of 2012.

Allen's technical contributions to NetBSD were significant, and
many. He was a NetBSD developer from the very beginning of the
project, and was the main driving force behind the initial import of
some of our hardware ports. He also served on NetBSD's core team from
2003 until 2006. More than that, however, he was a mentor to many on
the project, and always willing to help when he could. Even for those
he didn't mentor, his civilized example was often a guiding
influence. He worked with many of us on the project, and in a field
where prickly personalities are common, he was always pleasant and
kind regardless of your status or technical expertise. He will be
sorely missed.

Acknowledgments
--------------- 

The NetBSD Foundation would like to thank all those who have
contributed code, hardware, documentation, funds, colocation for our
servers, web pages and other documentation, release engineering, and
other resources over the years. More information on the people who
make NetBSD happen is available at:

http://www.NetBSD.org/people/

We would like to especially thank the University of California at
Berkeley and the GNU Project for particularly large subsets of code
that we use. We would also like to thank the Internet Systems
Consortium Inc., the Network Security Lab at Columbia University's
Computer Science Department, and Ludd (Lulea Academic Computer
Society) computer society at Lulea University of Technology for
current colocation services.

Juraj Sipos started his project originally on FreeBSD (and still continues that), but there's a variant based on NetBSD 5.1.2 now, too. The system comes up read-write, so you can make changes to it - as Juraj writes on the webpage: ``With this USB image I can now use NetBSD the same way as if it was installed on a hard drive.''

Oh, and for those impatient to try, the root password is "netbsd5".

[Tags: live-cd, mahesha, usb]

The code's not integrated into mainline NetBSD-current yet, but rest assured that that will happen when the code is ripe. Good work, Nick!

[Tags: arm, dmesg, raspberrypi]

Please join in and help test the code, and send your feedback to the lists. If no serious issues come up, the code will be merged within a week.

See Matt's posting to tech-kern for more details, inclusing diffs and links for amd64 and i386 GENERIC (+usbmp) kernels.

Further information on the state of the code - what is and what is not converted yet - can be found in the TODO.usbmp file.

[Tags: smp, usb]

Here's the dmesg output, and I'm sure this is a lot faster than simulating 128 CPUs in qemu.

So, how to go beyone 128 CPUs for testing? Anyone played with Qemu recently, or even have some decent hardware at hand? If so, be sure to post dmesg output (and CC: me)!

[Tags: dmesg, xen]

[Tags: amazon, ec2, top]

``The NetBSD Foundation is pleased to announce completion of Multiprocessing Support for the port of its Open Source Operating System to the Xen hypervisor.

The NetBSD Fundation started the Xen MP project 8 month ago; the goal was to add SMP support to NetBSD/Xen domU kernels. This project has officially completed, and after a few bug fixes in the pmap(9) code it is now considered stable on both i386 and amd64. NetBSD 6.0 will ship with option MULTIPROCESSOR enabled by default for Xen domU kernels.

The availability of Xen MP support in NetBSD allows to run the NetBSD Open Source Operating Systems on a range of available infrastructure providers' systems. Amazon's Web Services with their Elastic Cloud Computing is a prominent examples here.

Xen is a virtualization software that enables several independent operating system instances ("domains") to run concurrently on the same computer hardware. The hardware is managed by the first domain (dom0), and further guest/user domains (domU) are spawned and managed by dom0. Operating systems available for running as dom0 and domU guests include Microsoft Windows, Solaris and Linux besides NetBSD.

NetBSD is a free, fast, secure, and highly portable Unix-like Open Source operating system. It is available for a wide range of platforms, from large-scale servers and powerful desktop systems to handheld and embedded devices. Its clean design and advanced features make it excellent for use in both production and research environments, and the source code is freely available under a business-friendly license. NetBSD is developed and supported by a large and vivid international community. Many applications are readily available through pkgsrc, the NetBSD Packages Collection.

NetBSD has been available for the Xen hypervisor since Xen 1 and NetBSD 2.0, released in 2004 , but until now only a single processor was supported in each NetBSD/xen domain.''

[Tags: amazon, ec2, smp, xen]

Components merged from NetBSD include:

• NetBSD C library
• NetBSD password file format
• NetBSD bootloader
• New NetBSD userland utilities: ext2 fsck&mkfs, gzip, m4, man&tools, mkdep, mkdir, mkfifo, mktemp, rm, rmdir, tic, uniq, libcurses, libcrypt, libprop, libterminfo, libutil, bzip2, date, indent, mdocml (mandoc), sed, zoneinfo ports

Detailled setup instructions are available on the port-arm mailing list and Paul's homepage. Paul is also looking for feedback on the port, so if you have a Mini2440 board, give it a spin and report back to Paul!

[Tags: arm, dmesg, friendlyarm, Hardware, mini2440]

The files are available at http://ftp.netbsd.org/pub/NetBSD/arch/cobalt/restore-cd/5.1.2/. Citing from the announcement: ``The only changes from 5.1.1 version are CHANGES file and 5.1.2 binaries, so the following instructions are same as 5.1.1 ones:

restorecd-5.1.2-20120205.iso.gz is a gzipped RestoreCD ISO9660 image as prior releases.

restoreusb-5.1.2-20120205.img.gz is a new "RestoreUSB" image which has almost identical functions with RestoreCD but is intended to be burned into USB memory sticks for USB bootable PCs.

You can write the image using gzip(1) + dd(1) on Unix like OSes, or you can also use "Rawrite32" utility on MS Windows: http://www.NetBSD.org/~martin/rawrite32/index.html

To use the RestoreUSB for cobalt installation, write the image into >=512MB USB memory stick (or USB HDD etc.) and boot your PC from it, then all other procedures are same as RestoreCD. You no longer have to burn a coaster for every installation ;-)

See also "Restore CD Howto" for actual installation procedures: http://www.NetBSD.org/ports/cobalt/restorecd-howto.html: (though RestoreUSB is not mentioned yet) and see files in .tar.gz archive for more details.''

[Tags: cobalt, usb]

• NetBSD and MirBSD developer Benny Siegert gave a talk titled "pkgsrc on MirBSD" - see his slides! pkgsrc is a framework for packaging and building 3rd party applications from source. Besides MirBSD, it runs on many other platforms like Linux and Mac OS X.
• While building from source is fine, it costs a lot of time. pkgsrc can also create binary packages, and to manage those, there is "pkgin", a binary package manager. Its developer, Emile 'iMil' Heitor introduced it in a talk - see the slides (PDF)!

• MINIX3 and BSD, by Arun Thomas
• The Lua Scripting Language in the NetBSD Kernel, by Marc Balmer
• Touch your NetBSD - towards tablet integration, by Pierre Pronchery
• pkgsrc on MirBSD, by Benny Siegert (slides)
• Introduction to pkgsrc, and to package creation in NetBSD, by Noud de Brouwer
• pkgin, a binary package manager for pkgsrc, also by Emile Heitor (slides)
• Automated package building, by Nicolas Thauvin

This work is continued by Jean-Yves Migeon, who is working on build scripts for Amazon EC2, so the "AMI" images can be provided easily, with the eventual goal to include them into the NetBSD build process by Jeff Rizzo, so EC2 images can be automatically generated easily, e.g. by NetBSD's build cluster.

[Tags: amazon, ec2, xen]

• make up your mind if you want to participate, either as student or mentor

• hash out details of project proposals and possible implementation details, and also see how much time you can devote as possible mentor. Also, think about choosing criteria for students and how to communicate with them on a daily basis and also in cases where problems arise (reallife on either side, student going AWOL, ...)

• go over the list of project proposals, esp. the ones with the right dimension for GSoC, and suggest changes and additions of new projects

• make yourself familiar with NetBSD from a user/admin viewpoint and esp. from a developer point if you intend to apply as student.

  A (slightly dated?) tour through the NetBSD source tree is available for userland, libraries, and the kernel. Also of interest: a guide on NetBSD internals.

• review our guidelines for applying for a project if you're an interested student. We get many really bad, dull and uninformed project proposals each year, and we wish more students would be as serious as YOU probably are (as you're already here :-).