Adding the nginx-plus Repository to apt-mirror and Puppet

Nginx Inc. provides access to the nginx-plus package and repository using SSL certificates. Their instructions include the configuration of apt for Ubuntu, but for people using apt-mirror and Puppet to manage their internal servers, additional custom configurations are required.

The standard apt configuration for nginx-plus might look like this:

$ cat /etc/apt/apt.conf.d/90nginx 
Acquire::https::plus-pkgs.nginx.com::Verify-Peer "true";
Acquire::https::plus-pkgs.nginx.com::Verify-Host "true";
Acquire::https::plus-pkgs.nginx.com::CaInfo      "/etc/ssl/nginx/CA.crt";
Acquire::https::plus-pkgs.nginx.com::SslCert     "/etc/ssl/nginx/nginx-repo.crt";
Acquire::https::plus-pkgs.nginx.com::SslKey      "/etc/ssl/nginx/nginx-repo.key";

The connection to the nginx-plus repository must be made using HTTPS and authentication is handled by client certificates. As provided, apt-mirror is not able to manage SSL certificates, so two sections in the apt-mirror script must be modified. The %config_variables array defines the settings read from its configuration files. We will add the ‘certificate’, ‘private_key’, and ‘ca_certificate’ settings to the array.

Continue reading


Remove MultiArch / i386 in Ubuntu with Puppet

Here’s a little snippet I use to remove multiarch / i386 support from Ubuntu with Puppet.

# Releases newer than 12.04 support dpkg --remove-architecture; 12.04 and
# earlier enable multiarch through a dpkg.cfg.d fragment, so remove that instead.
if versioncmp( $::lsbdistrelease, "12.04" ) > 0 {
    exec { "remove-architecture i386":
        command => "/usr/bin/dpkg --remove-architecture i386",
        # Only run while i386 is still listed as a foreign architecture.
        onlyif  => "/usr/bin/dpkg --print-foreign-architectures | /bin/grep -q i386",
    }
} else {
    file { "/etc/dpkg/dpkg.cfg.d/multiarch": ensure => absent, }
}

Continue reading


Multiple MongoDB Instances with Ubuntu’s Upstart

Recently a client asked me to set up multiple instances of MongoDB on a Linux Ubuntu server. Ubuntu does not use standard /etc/init.d/ scripts; instead it uses upstart, an event-based replacement for the /sbin/init daemon that handles starting tasks and services during boot, stopping them during shutdown, and supervising them while the system is running. Upstart uses its own limited syntax to describe a service or task. I tried launching several processes from a single upstart config, but upstart could not track the service properly. Instead, I broke up the upstart script into two — one master to define the instances, and another to start each one independently.

Continue reading


Shell Script to Route Multiple Public/Private Interfaces

If you have a server with multiple interfaces – either public and/or private – your routing table might look something like this:

sh# ip route list
default via 17.10.20.1 dev eth1  metric 100 
192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.51 
17.10.20.0/23 dev eth1  proto kernel  scope link  src 17.10.20.51 
105.104.72.16/28 dev eth2  proto kernel  scope link  src 105.104.72.23 

This example shows one private interface with IP 192.168.0.51, two public interfaces with IPs 17.10.20.51 and 105.104.72.23, and a default route to 17.10.20.1. This means that any traffic to/from an IP outside the interfaces’ subnets is sent to 17.10.20.1 — and this is where problems occur (and probably why you’re reading this article). ;-)
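One way to keep replies on the interface they arrived on is source-based policy routing: a separate routing table per public interface, selected by an ip rule on the source address. The function below is an added example, not the post's own script; the table numbers and the 105.104.72.17 gateway for eth2 are assumptions, and it only prints the commands so the plan can be reviewed before it is applied.

```shell
#!/bin/sh
# Added example (not the post's script): emit policy-routing commands that give
# each public interface its own table, so traffic sourced from eth2's address
# leaves via eth2 and its gateway instead of the single default route on eth1.
# Usage: route_iface IFACE SRC_IP SUBNET GATEWAY TABLE
route_iface() {
    iface=$1; src=$2; subnet=$3; gw=$4; table=$5
    # Per-interface table: the connected subnet plus that interface's own default.
    printf 'ip route add %s dev %s src %s table %s\n' "$subnet" "$iface" "$src" "$table"
    printf 'ip route add default via %s dev %s table %s\n' "$gw" "$iface" "$table"
    # Policy rule: packets sourced from this interface's IP consult its table.
    printf 'ip rule add from %s table %s\n' "$src" "$table"
}

# Full plan for the routing table shown above. Table ids 101/102 and the
# eth2 gateway 105.104.72.17 are assumed values for the example.
route_plan() {
    route_iface eth1 17.10.20.51   17.10.20.0/23    17.10.20.1    101
    route_iface eth2 105.104.72.23 105.104.72.16/28 105.104.72.17 102
    echo 'ip route flush cache'
}

# Dry run: print the commands; pipe into `sh` as root to apply them.
route_plan
```

The main table is left untouched, so locally originated traffic still uses the existing default via 17.10.20.1 unless its source address matches one of the rules.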

Continue reading


Autossh Startup Script for Multiple Tunnels

When an encrypted VPN is not available, the next best solution is usually port-forwarding one or more ports through an SSH tunnel. The downside of SSH is that by itself it cannot maintain a persistent connection — network issues may force the tunnel to stop responding, or even drop completely. Autossh is a small front-end for SSH that can monitor the connection and restart the tunnel if it drops or stops responding. I found that the startup scripts available for autossh on the internet were a little too basic for my needs — I wanted autossh to start multiple connections, and to start/stop each one individually if I needed — so I wrote my own.

Continue reading