Libvirt and OpenTofu
I’ve been using Terraform and Terragrunt to manage infrastructure on OpenStack and AWS for quite a long time, and I made the transition to OpenTofu (almost painlessly) when Hashicorp changed Terraform’s licensing. Recently I wanted to quickly create some VMs to play with a cloud-init configuration I was working on.
Since my laptop has qemu/kvm available via libvirt, I decided to try a libvirt provider for tofu. In line with other posts on here, I wanted the primary out-of-band management interface to be serial, and since my motivation for this was to play with cloud-init I decided to start from one of the cloud images for ubuntu server. Here are the terraform/tofu declarations I came up with (main.tf).
OpenWRT on a Linksys E8450
We got a new router and decided to re-flash it with OpenWRT. The openwrt page for the E8450 covers the current support status. We went with the “non-UBI” installation because…
The caveat is that this change is essentially permanent, so once you have OpenWRT, I hope you like it (I’m sure you will ;-). The official page says that since 2021-08-27 it is no longer possible to keep the default vendor flash layout (a.k.a. “non-UBI”), as it contains ECC errors out of the factory, and these errors are not compatible with the new SPI-NAND driver; that means you cannot install the non-UBI firmware (*.bin).
Installing Virtual Machines over a Serial Line - Again!
This is an update of a previous post where I argued for the importance of being able to control virtual machines using serial lines as an out-of-band tool. I still think that this is an important thing to do and this post gathers some updated examples.
UEFI Boot and Mirrored Disks - almalinux
This example is a test-bed for a physical (non-VM) install I needed to do on a system which uses UEFI and where we wanted RAID1 support. The virt-install command specifies --boot uefi and two --disk elements. These appear as vda and vdb, and the associated kickstart file builds RAID1 filesystems on top. We have small partitions for /boot and /boot/efi, and the rest of the space is given to LVM. We configure LVs for /, swap and /home.
Docker & Letsencrypt, Revisited
This is a follow-up to my earlier post on running gitlab-ce on a qnap NAS using nginx and letsencrypt. The basic ideas are discussed in that post. This post achieves the same result but via docker compose. The resulting docker-compose file is available in this repository.
docker-compose
We will use version 3 of docker-compose. I’m not a docker-compose expert, and I’m quite lazy, so there are probably better ways of doing this (e.g. I didn’t look at how to re-implement the --volumes-from feature). Instead, I did whatever was simplest to reproduce the state that the manual commands in my previous post produced.
QNAP Backups With Glacier
I’ve been experimenting with glacier from aws to backup some of our content. The glacier service sounds very attractive (great durability, uptime etc.) but the pricing can be quite difficult to pick apart. This post documents an experiment to see how it might work for us and to get an idea of any potential costs. I think everything I want to do will fit in the free tier, but time will tell!
Installing Virtual Machines over a Serial Line
From time to time I still find the need to install virtual machines over a serial connection. I configure a serial console on ALL of my virtual machines as an out-of-band management option for when I screw up their network config, so it seems natural to want to install them using a serial connection as well. One advantage this brings is that I don’t end up leaving them with an unnecessary and potentially problematic VNC server configured after install.
Terraform provider for libvirt
I’ve gotten comfortable with terraform using the openstack provider to build infrastructure. At home, I don’t have openstack, but I do have libvirt. The terraform-provider-libvirt plugin allows terraform to talk directly with libvirt to manage new resources. The main problem I faced with this setup is that I don’t know go at all, so installing the plugin was a bit of a chore. The instructions below are the first thing that worked and might not be correct.
NUT - Network UPS Tools
I’ve used apcupsd quite a lot, and intended to use it to protect our qnap, but the default on qnap is to use a system called NUT. The two are quite similar so the transition wasn’t too hard; the main problem was trying to remember I wasn’t running apcupsd.
QNAP configuration
The package was already installed on the qnap, so all there was to do was plug in the UPS (an APC Back-UPS 550G) and navigate to the config section `Control Panel -> External Device -> UPS`.
Hugo & git submodules
This is well documented elsewhere, but that doesn’t mean I can remember it, or where to find it. The theme for this site is added as a git submodule. That means that when you checkout the repository and run hugo you’ll end up with a blank white page because the theme directory is empty. The submodule(s) must be initialized and updated before they will be found, e.g.
$ git clone https://gitlab.hippo-toes.com/iana/hippo-toes.git
$ cd hippo-toes
$ git submodule init
$ git submodule update
After those steps it should be possible to build the site HTML.
LEDE
We’re now using LEDE on our main router (a WNDR3800). I end up accessing it remotely quite a bit so this page just collects together a few commonly used (but easily forgotten) commands.
Add A New DHCP Host
I quite like bridging the KVM hosts on fyodor onto the main network for development. To add a new DHCP entry on the router, something like the following should work:
root@LEDE# uci add dhcp host
root@LEDE# uci set dhcp.@host[-1].dns='1'
root@LEDE# uci set dhcp.@host[-1].ip='10.128.128.92'
root@LEDE# uci set dhcp.@host[-1].name='worker2'
root@LEDE# uci set dhcp.@host[-1].mac='52:54:00:ec:a6:57'
root@LEDE# uci commit dhcp
root@LEDE# /etc/init.d/dnsmasq restart
The final step needs to be a restart, not a reload. The ‘dns’ option adds an entry to /tmp/host/dhcp.* which is used by dnsmasq in its role as a resolver.
Docker & Letsencrypt
Update 2019-03-21
The steps below have been implemented with docker-compose in this post.
We want to run the GitLab CE docker container on our QNAP and access it over HTTPS. One way to do this is to use nginx to proxy connections through to the gitlab container, with SSL termination happening in nginx. If we use the nginx-proxy container and docker-letsencrypt-nginx-proxy-companion we can automate the management of the certificates associated with the gitlab.hippo-toes.com (and other) hostnames.