For anyone looking for advice on the Red Hat Certified Specialist in Developing Automation with Ansible Automation Platform (EX374) exam (wow, what mouthful), I will just parrot the usual “focus on the objectives” line.

I had a great time at AnsibleFest 2022 in Chicago. I’ve never been to this city, but the rivers were really neat:

It’s great to be at conferences in person again, virtual gatherings just don’t provide the same experience. I got to banter about industry, meet a lot of interesting folks, and learned some new best practices.

There were some great talks out there, but one that stood out to me (and will to you if you’re a tinkerer) was Jeff Geerling’s ‘Automating my Homelab with Ansible’. I even got to meet the man himself:

Here’s a quick grab from the keynote kick-off, the room was packed:

I didn’t take many pictures, so here’s a giant Ansible ‘A’ from the venue:

Well, we can leverage facts to get the data we desire, and then output them locally to a template csv.

Create a local jinja2 csv template file with the fields desired. In my case, we’ll be gathering mostly hardware specific information:

servers.csv.j2:

hostname,system_vendor,product_name,platform,memory(mb),number_of_cpus
{% for h in ansible_play_hosts %}
{{ h }},{{ hostvars[h]['ansible_system_vendor'] }},{{ hostvars[h]['ansible_product_name'] }},{{ hostvars[h]['ansible_distribution'] }} {{ hostvars[h]['ansible_distribution_version'] }},{{ hostvars[h]['ansible_memtotal_mb'] }},{{ hostvars[h]['ansible_processor_vcpus'] }}
{% endfor %}

Now, we’ll form our playbook as such:

playbook.yml:

- hosts: all
  become: yes
  gather_facts: yes

  tasks:
    - name: output to template
      template:
        src: servers.csv.j2
        dest: servers.csv
      delegate_to: localhost

Note: This example will require you to have the same credentials locally as well as remotely. If your user account locally differs from your remote account used for fact gathering, you’ll need to play around with your ansible.cfg and likely ansible-vault along with inventory variables to manage separate passwords.

Here’s an example of the resulting local servers.csv file:

hostname,system_vendor,product_name,platform,memory(mb),number_of_cpus
server1,QEMU,Standard PC (Q35 + ICH9, 2009),CentOS 9,3719,2
server2,QEMU,Standard PC (Q35 + ICH9, 2009),CentOS 9,7125,4

• Internal servers: configured to use Centrify/AD for authentication (dzdo for your become method)
• DMZ servers: configured with traditional sudoers files since access to internal AD is not available (sudo for your become method)

Assuming our inventory can’t be grouped by some trait like hostname, network segment, etc, what is the fastest (and laziest) way we can run our playbook against all these hosts?

Disclaimer: You should probably work on creating a stronger inventory. The following serves as a workaround only.

playbook.yml:

- hosts: all
  become: no
  become_method: dzdo
  gather_facts: no

  tasks:
    # fall back to sudo if centrify isn't configured
    - name: get hw info
      block:
        - name: try with dzdo
          gather_facts:
      rescue:
        - name: fallback to sudo
          vars:
            ansible_become_method: sudo
          gather_facts:
      become: yes

If our server isn’t configured with Centrify for AD authentication, the playbook will fallback and attempt to use sudo.

• Fedora Linux 35
• iPhone X
  • iOS 15.1
• libimobiledevice 1.3.1

install dependencies:

dnf install -y libtool automake autoconf libplist-devel libusbmuxd-devel openssl-devel

install libimobiledevice-glue

from source:

git clone https://github.com/libimobiledevice/libimobiledevice-glue.git
cd libimobiledevice-glue
./autogen.sh
make
sudo make install

install libimobiledevice

from source:

git clone https://github.com/libimobiledevice/libimobiledevice.git
cd libimobiledevice
PKG_CONFIG_PATH=/usr/local/lib/pkgconfig ./autogen.sh
make
sudo make install

backing up

(optional, but recommended) enable encryption with specified password

idevicebackup2 backup encryption on PASSWORD

backup your device

idevicebackup2 backup /path/to/iphone_backup

restoring

“Find My iPhone” must be disabled before proceeding:

Settings > Apple ID (The very first entry with your name) > Find My > Find My iPhone > Off

the --reboot flag passed below will reboot your device after the restore is complete

the same device

idevicebackup2 restore --system --settings --reboot --password PASSWORD /path/to/iphone_backup

to a new device

for this, you’ll need to specify the source UUID of your old device. you can get this by plugging in your old device via usb and running:

idevice_id

then, run the below:

idevicebackup2 --source SOURCE_UUID restore --system --settings --reboot --password PASSWORD /path/to/iphone_backup/

• Rocky Linux 8 Minimal (x86_64) ISO | Torrent
• webtrees 2.0.17
• php 7.4
• mariadb 10.3

patch and reboot the server:

dnf upgrade -y && reboot

install packages

since the latest version of webtrees (2.0.17) at the time of writing this (2021-10-07) only supports up to php 7.4, we’ll have to enable the php 7.4 module:

dnf module enable php:7.4 -y

the next minor release of webtrees (2.1.0) will support php 8.0 and later, since php 7.4 will stop receiving security support in about a year.

next, install all neccesary packages:

dnf install -y vim nginx php wget mariadb-server policycoreutils-python-utils php-gd php-intl php-zip php-mysqlnd

enable services

systemctl enable nginx mariadb --now

open the firewall

firewall-cmd --zone=public --permanent --add-service={http,https,mysql}

firewall-cmd --reload

configure the database

complete the secure mysql install:

mysql_secure_installation

connect to mysql and create service account user ‘webtrees’ (replace ‘password’ below with something more secure please):

create user 'webtrees'@'localhost' identified by 'password';

grant all privileges on webtrees.* to 'webtrees'@'localhost';

flush privileges;

configure the web server

test that nginx via browser:

or by using curl:

curl http://localhost

(optional) remove default webserver files:

rm -f /usr/share/nginx/html/*

download webtrees and unzip it to nginx web server directory:

wget https://github.com/fisharebest/webtrees/releases/download/2.0.17/webtrees-2.0.17.zip

unzip webtrees-2.0.17.zip -d /usr/share/nginx/html/

now you’ll need to make sure webtrees has correct permissions for the data directory. change the selinux context on the following directory and make sure correct permissions are set:

semanage fcontext -a -t httpd_sys_rw_content_t "/usr/share/nginx/html/webtrees/data(/.*)?"

restorecon -R -v /usr/share/nginx/html/webtrees/data

chmod 777 /usr/share/nginx/html/webtrees/data

install webtrees

navigate to your web browser to complete installation:

http://SERVER_IP/webtrees/

make sure to select “MySQL”: fill in the appropriate data from the database setup step: complete the administrator account sign up as neccesary: (note: it may take a moment or two after clicking ‘next’) create your first family tree and enjoy!

(optional) additional nginx configuration

you may want to modify your nginx configuration to use ‘pretty URLs’ (this is purely preference):

before:

replace /etc/nginx/nginx.conf on your server with my modified version

additionally you’ll need to add the following line to /usr/share/nginx/html/webtrees/data/config.ini.php:

rewrite_urls="1"

after:

closing

today you learned how to install webtrees on Rocky Linux 8. please note that this installation is NOT secure. for now, I’m leaving it as an exercise to the reader to configure HTTPS.

on the webtrees end, all you need to do is change the line containing ‘base_url’ in /usr/share/nginx/html/webtrees/data/config.ini.php to the following:

base_url="https://www.example.com/webtrees"

You need to download an ISO to create a bootable flash drive, but you don’t have enough storage left on your system.

What can you do?

wget to the rescue

wget retrieves files by using popular application layer protocols found within the Internet protocol suite via the commandline. A traditional wget workflow involves specifying a remote source to download and optionally explicitly specifying an output location like so:

sudo wget "https://example.com/file" -O /some/local/location

Since everything is a file, including attached devices, we can write the the downloaded file directly to our attached device.

demo

I’ll be using a live ISO of Fedora 34 in my example along with /dev/sdc on my system. Be sure you specify the correct device (triple-check, then check again).

lsblk /dev/sdc

NAME   MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
sdc      8:32   1 57.3G  0 disk
└─sdc1   8:33   1 57.3G  0 part

write the ISO straight to your device:

sudo wget "https://download.fedoraproject.org/pub/fedora/linux/releases/34/Workstation/x86_64/iso/Fedora-Workstation-Live-x86_64-34-1.2.iso" -O /dev/sdc

...
Length: 2007367680 (1.9G) [application/octet-stream]
Saving to: ‘/dev/sdc’

/dev/sdc                                             100%[=====================================================================================================================>]   1.87G  11.5MB/s    in 4m 35s

2021-08-21 16:30:22 (6.95 MB/s) - ‘/dev/sdc’ saved [2007367680/2007367680]

note the new partitions

lsblk /dev/sdc

NAME   MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
sdc      8:32   1 57.3G  0 disk
├─sdc1   8:33   1  1.9G  0 part
├─sdc2   8:34   1  9.9M  0 part
└─sdc3   8:35   1 20.9M  0 part

optionally you can use qemu-kvm to verify your device is indeed bootable

sudo qemu-kvm -drive format=raw -hdb /dev/sdc

While this might not be very practical, it’s a neat little “did you know?” that showcases some of the best featues of Unix architecture.

further reading

wget can do a whole bunch that I couldn’t possibly cover here, so I encourage you to learn more if you’re interested.

• ‘everything is a stream of bytes’
• The UNIX system: Program design in the UNIX environment

Originally this post was a lot longer, detailing each and every step suited for you to copy and paste. I decided to go ahead and automate the whole process with ansible instead.

A few things to keep in mind:

• only run this after you’ve audited the playbook and understand what it’s doing
• you’re using this at your own risk
• Secure Boot must be disabled
• this has only been tested with Fedora 34

FAQ

• Where can I read more about why I can’t do this anymore?
  • Pagure
  • Reddit
• Does btrfs make a difference?

Yes, you may notice the steps to create a swapfile are different than what you’re used to. We’ll have to use kernel 5.0+, and set NOCOW in order to gain btrfs swapfile support. More information is available on the btrfs wiki along with the ArchWiki.

Process

Below provides a very high level overview of the process, for more detail, check out my ansible playbook.

• create an empty swapfile
  • set its attributes to NOCOW (chattr +C)
  • allocate the swapfile to be the same size as your system’s memory
    • note: you may be okay with a swap partition smaller than the size of your memory
• set up a Linux swap area on your swapfile
• enable your swapfile for paging and swapping
• update /etc/fstab with your swapfile information
• since there’s already an existing swap target (default zram device), create systemd overrides to avoid false positive errors about swap size.
• get the physical swap offset by running btrfs_map_physical.c, as recommended by the ArchWiki.
  • since this step includes running some C program from the internet, I’ve opted to use a container (you should be auditing the code regardless though)
• calculate the real swap offset
  • this is done by dividing the physical swap offset from above by the system’s page size
• construct resume arguments for grub
  • use the uuid of your swapfile along with the swap offset calculated above
  • use grubby to update kernel arguments to include resume and resume_offset
• add the resume module to dracut and regenerate the initramfs
  • add resume module under /etc/dracut.conf.d/resume.conf
  • dracut -f

After this, you’ll need to reboot and test hibernation with:

sudo systemctl hibernate

If you’re on GNOME, and would like hibernation back in in the status menu, check out the Hibernate Status Button GNOME shell extension.

You can read more about the release here. Looking forward to what the future holds!

A HUGE thank you to our community that made this possible.