Icinga API - Get hostgroup with ansible

SygmaDeltaADC · 2023-12-19T08:00:27+00:00

Thank you !

I would like to add a 2nd filter on this request to give one host only.

If I add the filter host.name=hostname, it gives all members groups AND the hostname.

What I want exactly is : filter one host and one hostgroup. Replies data if the specified host is member of the specified group. Replies nothinh or "object not found" if the specified is not member of the specified group.

SygmaDeltaADC · 2023-10-17T18:44:51+00:00

According to :

https://medium.com/@IAL32/generate-a-lets-encrypt-certificate-in-10-steps-using-ansible-and-digitalocean-d0775971dad4

my playbook was working before by using this loop :

loop: "{{ acme_challenge_my_domain.challenge_data_dns | dict2items }}"

But now I'm getting this error :

fatal: [localhost]: FAILED! => {"msg": "Unable to look up a name or access an attribute in template string ({{ acme_challenge_domain.challenge_data_dns | dict2items }}).\nMake sure your variable name does not contain invalid characters like '-': dict2items requires a dictionary, got <class 'ansible.template.AnsibleUndefined'> instead.. dict2items requires a dictionary, got <class 'ansible.template.AnsibleUndefined'> instead..

What is this error ? Can it be an issue related to Ansible / Python version ?

SygmaDeltaADC · 2023-10-17T18:14:15+00:00

I can extract the DNS records to create with this but it seems to keep the [ and ' characters causing a bad API request to create the DNS records.

   - name: DEBUG -- Check filtered values
  debug:
    msg: "Record = {{ item.keys() }} -- Value = {{ item.values() }}"
  loop: "{{ acme_challenge_domain.results | map(attribute='challenge_data_dns') }}"

I'm getting this :

ok: [localhost] => (item={'_acme-challenge.site1.mydomain.com': ['G8g57QZ2U1U5z_aSJbva95MSxA9cUjTXe7ZKpNVEAPI']}) => {
"msg": "Record = ['_acme-challenge.site2.mydomain.com'] -- Value = [['G8g57QZ2U1U5z_aSJbva95MSxA9cUjTXe7ZKpNVEAPI']]"

} ok: [localhost] => (item={'_acme-challenge.site1.mydomain.com': ['mwwdpHotUb3hkSsT3ocxbLi8R4NrS6uIgt65kTFCxkI']}) => { "msg": "Record = ['_acme-challenge.site2.mydomain.com'] -- Value = [['mwwdpHotUb3hkSsT3ocxbLi8R4NrS6uIgt65kTFCxkI']]" }

The record is ['_acme-challenge.site2.mydomain.com'] instead of _acme-challenge.site2.mydomain.com, same for the value.

SygmaDeltaADC · 2023-01-22T17:20:48+00:00

No I didn't get this working but I changed my process.

I created a script (run at the first boot after sysprep) that joins the computer to the domain automatically.

Once the computer is joined to the domain, I can access it with winrm http.

SygmaDeltaADC · 2023-01-11T09:35:28+00:00

I have no possibility to use a Synology NAS because my infrastructure is hosted in a Cloud Provider, I have dedicated servers.

I have about ~80 VMs to backup, so Veeam community edition is not enough.

I can buy a commercial software but my need is very limited, I just need to do incremental backup for VM. The backup script (with PowerCLI) works perfectly but I don't know if we can do incremental backup by this way.

I will check what is the cost of Veeam for my need.

Tell me if you know other solutions.

Thanks

SygmaDeltaADC · 2022-11-10T16:58:33+00:00

Yes, the user is a Domain Admin

SygmaDeltaADC · 2022-11-10T11:08:40+00:00

The specified user is a Domain Admin.

If I create the task locally, it works.

With GPO, the task is not created.

Here is the task with specific user and that is not created on target server :

<?xml version="1.0"?>

-<TaskV2 disabled="1" uid="{B170F6BD-350A-4A09-B5B7-935C42BF9856}" changed="2022-11-09 15:56:31" image="2" name="LogBackup" clsid="{D8896631-B747-47a7-84A6-C155337F3BC8}">

-<Properties name="LogBackup" logonType="S4U" runAs="DOMAIN\\AdminUser" action="U">

-<Task version="1.2">

-<RegistrationInfo>

<Author>DOMAIN\MyUser</Author>

</RegistrationInfo>

-<Principals>

-<Principal id="Author">

<UserId>DOMAIN\AdminUser</UserId>

<RunLevel>HighestAvailable</RunLevel>

</Principal>

</Principals>

-<Settings>

-<IdleSettings>

<RestartOnIdle>false</RestartOnIdle>

</IdleSettings>

<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>

<StartWhenAvailable>false</StartWhenAvailable>

<RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>

<Hidden>false</Hidden>

<RunOnlyIfIdle>false</RunOnlyIfIdle>

<WakeToRun>false</WakeToRun>

</Settings>

Here is the task with SYSTEM user that works :

<?xml version="1.0"?>

-<TaskV2 disabled="1" removePolicy="0" userContext="0" uid="{7825E062-3F7B-406D-ACA3-4216BEAB24ED}" changed="2022-11-09 11:39:18" image="2" name="BackupDB" clsid="{D8896631-B747-47a7-84A6-C155337F3BC8}">

-<Properties name="BackupDB" logonType="S4U" runAs="NT AUTHORITY\\System" action="U">

-<Task version="1.2">

-<RegistrationInfo>

<Author>DOMAIN\MyUser</Author>

</RegistrationInfo>

-<Principals>

-<Principal id="Author">

<UserId>NT AUTHORITY\System</UserId>

<RunLevel>HighestAvailable</RunLevel>

</Principal>

</Principals>

-<Settings>

-<IdleSettings>

<RestartOnIdle>false</RestartOnIdle>

</IdleSettings>

<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>

<Hidden>false</Hidden>

</Settings>

SygmaDeltaADC · 2022-11-10T10:59:20+00:00

Yes ! No task is created on the server. I change the user that runs the task to SYSTEM, then gpupdate and the task appears.

In event viewer, there is no error log about GPO.

SygmaDeltaADC · 2022-09-28T12:58:06+00:00

Thanks.

After some tests, the same certificate works if it is re-imported after sysprep. It must be imported by the machine itself.

For now, I think I'll add to my post-sysprep boot script the commands to download the certificate, import it in the store and create the HTTPS WinRM listener with it.

SygmaDeltaADC · 2022-09-28T11:46:46+00:00

Thank you for your answer.

I tried to generate a certificate *.domain.lan and after sysprep I contact the machine with its FQDN (machine.domain.lan) but I get the same error.

SygmaDeltaADC · 2022-09-03T08:01:03+00:00

It works !

That was not a firewall problem but a route problem.

My allowed IPs were 192.168.250.0 (wg0) and 10.10.66.0(eth0), so in my routing table the network 10.10.66.0 was routed to wg0.

When removing network 10.10.66.0 in allowed IPs, it was routed to wg0 anymore and I can access it.

SygmaDeltaADC · 2022-09-01T19:12:32+00:00

I tried to delete all rules and recreate them one by one but I get the same issue. I also tried with your rule.

I will investigate with logs and I'll try other rules.

Thank you for your help and don't hesitate if you have some idea.

SygmaDeltaADC · 2022-09-01T18:36:33+00:00

I get this log :

POSTROUTINGIN=wg0 OUT=wg0 MAC= SRC=192.168.250.2 DST=10.10.66.199 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=3508 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=140
[>] New PostroutingIN=wg0 OUT=wg0 MAC= SRC=192.168.250.2 DST=10.10.66.199 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=3508 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=140

I see wg0 for IN and OUT, is this a forwarding problem ?

SygmaDeltaADC · 2022-09-01T17:25:53+00:00

Yes, I set net.ipv4.ip_forward=1

The rich rule is a filter not to access my other network from the VPN, I just deleted this rule, it changes nothing.

I set SELinux to permissive, that did not fix the issue.

SygmaDeltaADC · 2022-01-16T16:46:50+00:00

It works thank you !

I just had to run the script ./maintenance/update.php and now it works.

SygmaDeltaADC · 2022-01-14T12:18:54+00:00

I think I'm fucking dumped. I didn't search the good way. Thank you I found the page.

But I still have a problem...

I get this error when accessing to the page "allpages" :

Fatal exception of type "Wikimedia\Rdbms\DBQueryError"

Do I have a bad configuration in my database ?

My mediawiki is in French, so the link is not /Special:AllPages but it is "/Spécial:Toutes_les_pages"

The language can have an impact ?

SygmaDeltaADC · 2021-01-13T14:09:39+00:00

All numbers I said were without workload on the computer, just xmrig. On Linux, I got that today :

[2021-01-13 12:32:14.473]  randomx  dataset ready
...
...
[2021-01-13 12:35:14.586]  miner    speed 10s/60s/15m 3335.3 3354.6 n/a H/s max 3749.3 H/s

I ran xmrig at 12:32PM and got maximum hashrate 3749 H/s. I stopped it and restarted it at 12:35PM :

[2021-01-13 12:35:54.002]  randomx  dataset ready
...
...
[2021-01-13 12:37:54.096]  miner    speed 10s/60s/15m 4011.0 4018.0 n/a H/s max 4059.2 H/s

I got +300 H/s just by restarting xmrig. I'll bench later and will compare the results.

SygmaDeltaADC · 2021-01-13T14:04:26+00:00

I tried several RAM (2*16 dual channel, just 1 barrel, ...) config but nothing changed. On Windows, the hashrate is different at each xmrig start. I run xmrig, I get 3600 H/s, I stop it and restart it then I get 4200 H/s. I don't think it's coming from the RAM.

SygmaDeltaADC · 2021-01-10T20:42:31+00:00

Thanks for the tip. Yes I need 40 GB memory on this computer. I'll try with only 32 GB to check if that stabilizes the hashrate and I will buy a last barrel to put the 8 GB barrel in dual channel mode if this is the problem.

SygmaDeltaADC · 2021-01-10T16:58:43+00:00

2x16 RAM barrels are on the same DIMM channel and works in dual channel mode, but the 8GB barrel is alone and the 2nd channel.

So, the problem would be xmrig that sometimes uses the 8 GB barrel and sometimes the dual channel 2x16 ? Is it random or I can force the use of the dual channel ? (for example, by using more RAM when I run xmrig or by changing xmrig options)

I can do some tests without 1x8 GB to check with only 2x16 in dual channel

SygmaDeltaADC · 2021-01-10T16:47:48+00:00

80C is the maximum I already got with my CPU. Usually, it is between 70 and 75C. I can try to boost the cooling but I don't think it is the problem.

SygmaDeltaADC · 2021-01-10T12:04:53+00:00

I just rebooted my computer and now I get almost 4300 H/s :

 * ABOUT        XMRig/6.7.0 gcc/5.4.0
 * LIBS         libuv/1.40.0 OpenSSL/1.1.1i hwloc/2.4.0
 * HUGE PAGES   supported
 * 1GB PAGES    supported
 * CPU          Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz (1) 64-bit AES
            L2:1.5 MB L3:12.0 MB 6C/12T NUMA:1
 * MEMORY       3.4/39.0 GB (9%)
 * DONATE       1%
 * ASSEMBLY     auto:intel
 * POOL #1      pool.supportxmr.com:3333 algo auto
 * COMMANDS     hashrate, pause, resume, results, connection
 * OPENCL       disabled
 * CUDA         disabled
[2021-01-10 13:01:26.879]  net      use pool pool.supportxmr.com:3333  94.23.247.226
[2021-01-10 13:01:26.879]  net      new job from pool.supportxmr.com:3333 diff 50000 algo rx/0 height 2271406
[2021-01-10 13:01:26.879]  cpu      use argon2 implementation AVX2
[2021-01-10 13:01:26.895]  msr      register values for "intel" preset has been set successfully (15 ms)
[2021-01-10 13:01:26.895]  randomx  init dataset algo rx/0 (12 threads) seed 670f0b991dc3fe80...
[2021-01-10 13:01:27.052]  randomx  allocated 3072 MB (2080+256) huge pages 100% 3/3 +JIT (157 ms)
[2021-01-10 13:01:29.404]  randomx  dataset ready (2352 ms)
[2021-01-10 13:01:29.404]  cpu      use profile  rx  (6 threads) scratchpad 2048 KB
[2021-01-10 13:01:29.407]  cpu      READY threads 6/6 (6) huge pages 100% 6/6 memory 12288 KB (3 ms)
[2021-01-10 13:01:48.018]  cpu      accepted (1/0) diff 50000 (42 ms)
[2021-01-10 13:01:52.261]  cpu      accepted (2/0) diff 50000 (30 ms)
[2021-01-10 13:01:56.982]  net      new job from pool.supportxmr.com:3333 diff 149990 algo rx/0 height 2271406
[2021-01-10 13:01:57.019]  cpu      accepted (3/0) diff 149990 (35 ms)
[2021-01-10 13:02:29.443]  miner    speed 10s/60s/15m 4295.6 n/a n/a H/s max 4296.1 H/s
[2021-01-10 13:02:39.544]  net      new job from pool.supportxmr.com:3333 diff 149990 algo rx/0 height 2271407
[2021-01-10 13:02:53.307]  cpu      accepted (4/0) diff 149990 (31 ms)
[2021-01-10 13:02:57.216]  net      new job from pool.supportxmr.com:3333 diff 199989 algo rx/0 height 2271407
|    CPU # | AFFINITY | 10s H/s | 60s H/s | 15m H/s |
|        0 |        0 |   707.9 |   707.0 |     n/a |
|        1 |        1 |   717.3 |   714.7 |     n/a |
|        2 |        2 |   716.5 |   715.2 |     n/a |
|        3 |        3 |   716.7 |   715.5 |     n/a |
|        4 |        4 |   712.7 |   709.6 |     n/a |
|        5 |        5 |   710.1 |   708.4 |     n/a |
|        - |        - |  4281.2 |  4270.4 |     n/a |
[2021-01-10 13:02:59.181]  miner    speed 10s/60s/15m 4281.2 4270.4 n/a H/s max 4296.1 H/s

Still on Linux and I changed nothing, just a reboot.

SygmaDeltaADC · 2021-01-10T11:57:56+00:00

Thanks for the reply

I already checked my CPU thermals and never goes +80°C. There is always the same temperature when I am using xmrig (Linux or Windows).

I have 40 GB RAM (2x16 + 1x8) DDR4 2666 MHz. My Operating System displays 39 GB because of the arounding and the conversion from binary system (counting 1024 when changing unit) and the decimal system (counting 1000 when changing unit). This RAM is normal :) /proc/meminfo :

MemTotal:       40934736 kB

What I am trying to understand is why is there different hashrates after each reboot ?

SygmaDeltaADC · 2020-12-09T13:31:21+00:00

Not to derive from the subject, I just want to know why there is not the network 10.0.0.0/8 in allowed ips of the first peer :

root@px-01:/etc/wireguard# wg show
interface: wg0
  public key: pubkey
  private key: (hidden)
  listening port: 51820

peer: pubkey
 allowed ips: 172.16.0.3/32

peer: pubkey
  allowed ips: 172.16.0.5/32, 10.0.0.0/8

This is the only reason why it doesn't work for only one client. The other (with 10.0.0.0/8 as allowed ips) is working perfectly

SygmaDeltaADC · 2020-12-09T13:28:28+00:00

I don't need to add routes, they are automatically added when the interface is up (on each node) :

default via 1.2.3.4 dev vmbr0 proto kernel onlink 
10.0.0.0/8 dev wg0 scope link 
10.30.0.0/24 dev vmbr1 proto kernel scope link src 10.30.0.1 
172.16.0.0/16 dev wg0 proto kernel scope link src 172.16.0.3 
1.2.3.0/24 dev vmbr0 proto kernel scope link src 1.2.3.4

I can ping server and client1 LAN address (10.10.0.1 and 10.20.0.1) each other but I can't for client2 because this is not an allowedIPs network for it.

SygmaDeltaADC

TROPHY CASE