Assuming you have your bridge configured as br0 and are running a webserver on port 9880 (either unbound or bound to the primary IP of the bridge ‘br0’), the following should allow a KVM VM, LXC container, etc. to connect to http://169.254.169.254/ just like they can in Amazon EC2. This has to be run on the server hosting the VMs, of course.
# sysctl net.bridge.bridge-nf-call-iptables=1
# sysctl net.bridge.bridge-nf-call-arptables=1
# ip addr add 169.254.169.254/32 dev br0
# iptables -t nat -A PREROUTING -d 169.254.169.254 -p tcp --dport 80 -j REDIRECT --to-port 9880
or using DNAT:
# ip addr add 169.254.169.254/32 dev lo
# iptables -t nat -A PREROUTING -j DNAT -d 169.254.169.254 -p tcp --dport 80 --to 169.254.169.254:9880
Your webserver should probably ensure that the request is coming from the IP of one of the VMs currently running on the server itself.
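As an added example (not part of the original post), here is a small metadata webserver for port 9880 that does that source check: it only answers requests whose client IP is in a registry of currently running VMs, and refuses loopback/link-local sources, since after the REDIRECT above the host itself can also reach the address. The VM addresses, the br0 IP 192.168.122.1 and the metadata values are constructed assumptions; in practice the registry would be filled from your hypervisor's running-instance list.

```python
import ipaddress
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional, Tuple

# Constructed sample registry: metadata keyed by each running VM's IP on br0.
# Hypothetical addresses; populate this from your VM inventory in real use.
VM_METADATA = {
    "192.168.122.10": {"instance-id": "i-vm10", "hostname": "vm10"},
    "192.168.122.11": {"instance-id": "i-vm11", "hostname": "vm11"},
}


def lookup_vm(client_ip: str, registry: dict) -> Optional[dict]:
    """Return the VM's metadata only if the source IP belongs to a running VM."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return None
    # The host itself (lo, or 169.254.x.x link-local) is never a VM.
    if addr.is_loopback or addr.is_link_local:
        return None
    return registry.get(str(addr))


def handle(client_ip: str, path: str, registry: dict = VM_METADATA) -> Tuple[int, str]:
    """Serve an EC2-style /latest/meta-data/ tree for the calling VM only."""
    meta = lookup_vm(client_ip, registry)
    if meta is None:
        return 403, "forbidden\n"
    if path.rstrip("/").endswith("/meta-data"):
        return 200, "\n".join(sorted(meta)) + "\n"  # directory listing
    key = path.strip("/").split("/")[-1]  # e.g. /latest/meta-data/hostname
    if key in meta:
        return 200, str(meta[key]) + "\n"
    return 404, "not found\n"


class MetadataHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # REDIRECT keeps the original source address, so this is the VM's IP.
        status, body = handle(self.client_address[0], self.path)
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(body.encode())


if __name__ == "__main__":
    # Assumed: br0's primary IP is 192.168.122.1 (bind here, not on 0.0.0.0).
    HTTPServer(("192.168.122.1", 9880), MetadataHandler).serve_forever()
```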
— by Robert Thomson, created 14th Feb, 2014, last modified 14th Feb, 2014 | Tags: Tech
I love software that "just works", and packer.io is one of them. It builds disk images in various image formats and for various cloud providers.
With a small JSON configuration file, a kickstart file, and a set of provisioning scripts, I can have a QEMU image automatically built from the install CD and customised as I wish.
With a different config file, I can have the same thing for EC2 images.
And because it's JSON, I can dynamically generate custom configuration files quickly and easily.
There seems to be a positive trend of self-contained, single-purpose and well designed software coming from the Golang camp. Keep at it! :-)
— by Robert Thomson, created 9th Jan, 2014, last modified 9th Jan, 2014 | Tags: Tech
Following up from my post about Ansible, I decided to look into SaltStack.
SaltStack looks like one of the more promising tools to appear recently on the system management landscape.
Its primary features are:
- Remote method invocation with result caching (supporting asynchronous jobs)
- "Broadcast" command execution (pub/sub with ZeroMQ) with filters
- Secure data/config-snippet distribution
- State management à la Puppet/Chef
This is an impressive set of features for a single solution, but there are some areas of concern:
- It's still under heavy development and some breakages in the latest (0.17) release suggest that their testing isn't yet up to par.
- Some non-core components lack documentation and tests (e.g. halite, a web frontend)
- Architectural documentation is severely lacking. Before I deploy this in a production environment, I want to know exactly what it's doing and what the implications of my decisions are. A few pretty diagrams aren't a substitute for real docs.
- As a new open source product, support is lacking. Simple questions get answered on IRC, but hard ones get blank stares.
- The primary developer seems to be a bottleneck and a risk - many questions and decisions get deferred to him because he seems to be the only one who understands it. If he got hit by a bus, the project would be in jeopardy.
Some specific technical issues appear to be:
- There's only client-side filtering of broadcast commands, so information leakage is possible, since broadcast commands are readable by every minion and they decide themselves whether they match a filter or not. (https://github.com/saltstack/salt/issues/7669)
- There's too much trust that the minions (clients) will do the right thing. When it comes to security, some things should be enforced server-side. (https://github.com/saltstack/salt/issues/7556)
I hold out hope that these issues will be addressed. In the meantime, I won't be recommending it as a general purpose solution for a large organisation.
— by Robert Thomson, created 15th Oct, 2013, last modified 15th Oct, 2013 | Tags: Tech
I bought a skull... then I painted it...
I expect he'll be drawn/painted many more times over the years, but this painting is the first. :-)
— by Rob, created 15th Sep, 2013, last modified 15th Sep, 2013 | Tags: Private
Sophia and I will be in Australia until the start of June. It's just a quick trip this time to catch up with family and friends.
Update: We're back from Australia. It was fun!
— by Robert Thomson, created 9th May, 2013, last modified 4th Jun, 2013 | Tags: Private