scetoaux's questions

What is the best way to store AWS IAM access credentials in a physical/virtual server so services running in it can access it?

This is a problem which was fixed long ago for EC2 instances through instance profiles but I don't know what the best practices are for non-EC2 servers (i.e. a leased box in a datacenter, a RaspberryPi sitting at home, etc).

Note: I'm not talking about a development environment in a personal desktop or laptop here. There are multiple solutions for that scenario.

I would like to avoid, if at all possible, having long-lived access key ID and secret access key pairs sitting around the hard drive in clear text. Many tools and system that require access to AWS services rely on either including access keys and key ID pairs in config files or using the standard environment variables.

One approach I'm considering is using the AWS System Manager's agent (which is already installed in the box) to periodically pull the keys from AWS secret manager or parameter store. The agent itself uses a custom IAM role when running commands and invoking Automation workflows on the host, so I should be able to add extra IAM policies as needed to access parameter store or other AWS services.

Wondering if there are any good practices to achieve this. I do not want to re-invent the wheel if this is a solved problem or come up with an overcooked and complex custom solution.

Basically, is there any way of doing this [1] via API or AWS CLI?

I need to automate this for new accounts being set-up, and would like to avoid having to log in to each one of them to enable it.

Regards.

[1] http://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/configurecostallocreport.html#allocation-report

After installing Ubuntu Server 10.04.1 on a new x86_64 kvm instance (Debian 6.0 hosted) I'm getting -apparently- ramdon disconnects from the server.

Read from remote host myserver: Connection reset by peer Connection to myserver closed

All TCP connections are dropped (ie. ssh and MySQL server) but icmp traffic still gets accepted and responded to (ping works fine all the time).

% ssh myserver ssh: connect to host myserver port 22: Connection refused

% ssh myserver ssh: connect to host myserver port 22: Connection refused

% ssh myserver ssh: connect to host myserver port 22: Connection refused

[...]

10 to 20 seconds after, I can, "magicaly", connect normally again.

I've checked dmesg, messages, auth and syslog logfiles, nothing appears on them (no failed connections attempts are shown).

If I install the OS directly on the physical server (a Dell 2950) I get exactly the same extrange behaviour, which leads me to think that may be an OS config/bug related problem.

My laptop, as well as the rest of the clients, are on the same subnet as the server connected to the same switch, no routing or other networking devices are involved.

No iptables or other firewall is configured.

Has anyone faced a similar problem? Any suggestions on how I can deeply troubleshoot this?

I'm facing a weird problem when executing chef-solo commands on Ubuntu 10.04.

If I execute this (as root):

# chef-solo -c /opt/mycorp/mycorp-chef-code/config/solo.rb -j /opt/mycorp/mycorp-chef-code/config/run_mycorp-config.json
[Tue, 16 Nov 2010 15:28:49 +0100] INFO: Setting the run_list to ["recipe[mycorp-config]"] from JSON
[Tue, 16 Nov 2010 15:28:49 +0100] INFO: Starting Chef Run (Version 0.9.12)
[Tue, 16 Nov 2010 15:28:49 +0100] INFO: Chef Run complete in 0.47172 seconds
[Tue, 16 Nov 2010 15:28:49 +0100] INFO: cleaning the checksum cache
[Tue, 16 Nov 2010 15:28:49 +0100] INFO: Running report handlers
[Tue, 16 Nov 2010 15:28:49 +0100] INFO: Report handlers complete

However If I execute the same exact command whith sudo (either as root or as a sudoer) I get this:

# sudo chef-solo -c /opt/mycorp/mycorp-chef-code/config/solo.rb -j /opt/mycorp/mycorp-chef-code/config/run_mycorp-config.json
[Tue, 16 Nov 2010 15:28:37 +0100] INFO: Setting the run_list to ["recipe[mycorp-config]"] from JSON
[Tue, 16 Nov 2010 15:28:37 +0100] INFO: Starting Chef Run (Version 0.9.12)
[Tue, 16 Nov 2010 15:28:38 +0100] ERROR: Running exception handlers
[Tue, 16 Nov 2010 15:28:38 +0100] ERROR: Exception handlers complete
/opt/mycorp/mycorp-chef-code/chef-repo/cookbooks/tomcat6/attributes/default.rb:45:in `from_file': undefined method `[]' for nil:NilClass (NoMethodError)
    from /usr/lib/ruby/gems/1.8/gems/chef-0.9.12/bin/../lib/chef/node.rb:578:in `load_attributes'
    from /usr/lib/ruby/gems/1.8/gems/chef-0.9.12/bin/../lib/chef/node.rb:576:in `each'
    from /usr/lib/ruby/gems/1.8/gems/chef-0.9.12/bin/../lib/chef/node.rb:576:in `load_attributes'
    from /usr/lib/ruby/gems/1.8/gems/chef-0.9.12/bin/../lib/chef/node.rb:575:in `each'
    from /usr/lib/ruby/gems/1.8/gems/chef-0.9.12/bin/../lib/chef/node.rb:575:in `load_attributes'
    from /usr/lib/ruby/gems/1.8/gems/chef-0.9.12/bin/../lib/chef/run_context.rb:74:in `load'
    from /usr/lib/ruby/gems/1.8/gems/chef-0.9.12/bin/../lib/chef/run_context.rb:55:in `initialize'
    from /usr/lib/ruby/gems/1.8/gems/chef-0.9.12/bin/../lib/chef/client.rb:155:in `new'
    from /usr/lib/ruby/gems/1.8/gems/chef-0.9.12/bin/../lib/chef/client.rb:155:in `run'
    from /usr/lib/ruby/gems/1.8/gems/chef-0.9.12/bin/../lib/chef/application/solo.rb:190:in `run_application'
    from /usr/lib/ruby/gems/1.8/gems/chef-0.9.12/bin/../lib/chef/application/solo.rb:181:in `loop'
    from /usr/lib/ruby/gems/1.8/gems/chef-0.9.12/bin/../lib/chef/application/solo.rb:181:in `run_application'
    from /usr/lib/ruby/gems/1.8/gems/chef-0.9.12/bin/../lib/chef/application.rb:62:in `run'
    from /usr/lib/ruby/gems/1.8/gems/chef-0.9.12/bin/chef-solo:25
    from /usr/bin/chef-solo:19:in `load'
    from /usr/bin/chef-solo:19

Any idea? I'm definitely lost on this, why would using sudo cause a problem, even if the user issuing the command is root.

Thanks in advance.

Is there any way to configure openvpn to "push" routes to a client for a given FQDN instead of an IP/mask?

I mean something that would do the same as the following (broken) line in openvpn.conf file.

push "route my.hostname.mydomain.com"

The host I want to setup the vpn against changes its IP quite often so I need to use its DNS name instead of the address. If there is another way of doing this or I am reinventing some wheel, please, let me know :)

Can this be done with openvpn? If so, how? If not, what other options do I have?

Thanks in advance.

One of the databases I maintain has recently increased its write load by 2x.

In order to find out what insert/update statements are causing that load increase, I'm looking for a tool to report and analyze mysql binlog files.

I've looked at Maatkit, which is a superb toolkit for many tasks, but it does only work with slow and general logs.

Before start reinventing the wheel, is there any tool/s (pereferibly opensource) that can help me with this?

Thanks in advance.

When trying to do a delete operation on a table, mysql reports the following error:

Error code 1227: Access denied; you need the SUPER privilege for this operation.

However, my user has this privilege granted for all tables in the schema:

GRANT ALL PRIVILEGES ON myschema.* TO 'my_admin'@'%'

How come it asks me for SUPER privilege for a delete?