Let’s Encrypt – How do I Cron?

Let’s Encrypt was really easy to setup, but Cron was less so. I kept getting emails that the Let’s Encrypt renewal was failing:

2017-03-09 02:51:02,285:WARNING:letsencrypt.cli:Attempting to renew cert from /etc/letsencrypt/renewal/bbbburns.com.conf produced an unexpected error: The apache plugin is not working; there may be problems with your existing configuration.
The error was: NoInstallationError(). Skipping.
1 renew failure(s), 0 parse failure(s)

I had a cron job setup with the absolute bare minimum:

crontab -e
56 02 * * * /usr/bin/letsencrypt renew >> /var/log/le-renew.log

When I ran /usr/bin/letsencrypt renew at the command line, everything worked just fine. I was like, “Oh – this must be some stupid cron thing that I used to know, but never remember.”

Turns out the problem was the cron environment PATH variable. Cron’s PATH didn’t include /usr/sbin, and apparently certbot’s apache plugin needs that directory to find the apache2 binary. The fix was to change the cron entry to the following:

56 02 * * * /root/le-renew.sh

Then create a script that runs the renewal after the PATH variable is set correctly:

cat /root/le-renew.sh
#!/bin/bash
#Automate the LE renewal process

#Need /usr/sbin for apache2
# https://github.com/certbot/certbot/issues/1833
export PATH=$PATH:/usr/sbin

#Renew the certs and log the results
/usr/bin/letsencrypt renew >> /var/log/le-renew.log

It was a good thing I put the link to the problem right in the script, or I never would have been able to find it again to write this blog.

NOW my renewal works absolutely fine. Problem solved. Thanks Cron.
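As an added example (this is not the script from the post, only a more defensive variant of the same idea), the wrapper below sets PATH explicitly instead of inheriting cron’s minimal one, logs each run with a timestamp, and exits non-zero whenever the renewal command fails or its summary line reports renew failures, so a cron MAILTO actually mails you. The /usr/bin/letsencrypt and /var/log/le-renew.log paths come from the post; the LE_BIN/LOG_FILE overrides, the summary-line parsing (based on the “1 renew failure(s), 0 parse failure(s)” line quoted above), and the installed-name guard are my own assumptions.

```shell
#!/bin/sh
# Added example, not the script from the original post: a cron-friendly
# renewal wrapper. Cron's default PATH lacks /usr/sbin, which the certbot
# apache plugin needs, so PATH is fixed up here rather than in the crontab.
# LE_BIN / LOG_FILE overrides are an assumption of this example.

LE_BIN="${LE_BIN:-/usr/bin/letsencrypt}"
LOG_FILE="${LOG_FILE:-/var/log/le-renew.log}"

# Print PATH ($1) with /usr/sbin and /sbin appended unless already present,
# so running the script from an interactive shell does not duplicate entries.
ensure_sbin_in_path() {
    p="$1"
    for d in /usr/sbin /sbin; do
        case ":$p:" in
            *":$d:"*) ;;          # already on PATH
            *) p="$p:$d" ;;
        esac
    done
    printf '%s\n' "$p"
}

# Read letsencrypt/certbot renew output on stdin and print the number of
# renewal failures from its summary line ("N renew failure(s), ...").
# Prints 0 when no summary line is present.
count_renew_failures() {
    n=$(sed -n 's/^\([0-9][0-9]*\) renew failure(s).*/\1/p' | tail -n 1)
    printf '%s\n' "${n:-0}"
}

# Run the renewal, append its output to the log under a timestamp, and return
# non-zero if the command failed or reported any renew failures.
run_renewal() {
    PATH=$(ensure_sbin_in_path "$PATH"); export PATH
    out=$("$LE_BIN" renew 2>&1); rc=$?
    {
        printf '%s PATH=%s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$PATH"
        printf '%s\n' "$out"
    } >> "$LOG_FILE"
    failures=$(printf '%s\n' "$out" | count_renew_failures)
    if [ "$rc" -ne 0 ] || [ "$failures" -ne 0 ]; then
        printf 'le-renew: exit %s, %s renew failure(s); see %s\n' \
            "$rc" "$failures" "$LOG_FILE" >&2
        return 1
    fi
    return 0
}

# Only run the renewal when invoked as the installed script (assumed name
# /root/le-renew.sh, as in the crontab line above); sourcing the file for
# testing then defines the functions without triggering a renewal.
case "$0" in
    */le-renew.sh|le-renew.sh) run_renewal ;;
esac
```

Install it as /root/le-renew.sh, keep the same crontab line, and add a MAILTO= line at the top of the crontab; because the wrapper returns non-zero on a failed or partially failed renewal, cron mails the stderr summary instead of silently appending a warning to the log.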

Let’s Encrypt – Easy – Free – Awesome

I recently saw a news article about StartCom being on Mozilla and Google’s naughty list. Things looked bad, and my StartCom certs were up for renewal on the blog.

I have seen articles flying around about Let’s Encrypt for a while now. The idea seemed awesome, but the website seemed so light on technical instructions that I didn’t know if it would actually work. I wanted to know EXACTLY what lines it would propose to hack into my carefully manicured Apache configuration. And by carefully manicured, I mean “strung together with stuff I copied and pasted from stack overflow”.

I couldn’t find the information I really wanted – so I just JUMPED in and started installing things and running commands. 30 seconds later, I had a fully functioning cert on my site. I was blown away. It copied my existing non-SSL vhost config and created a new vhost with SSL enabled. All I had to do was enter my email address, select the vhost to enable SSL for, and hit GO.

I had to put in a crontab entry myself to get the auto-renewal to work but that wasn’t so bad. I would hope they improve that in the future – but cron is no big deal.

I’m interested to see if everything works when my web certs expire 90 days from now! Crazy times. I used to do this and dread it once per year because the process was so manual. Now that it’s automated – I’ll get new certs while I’m sleeping. Woohoo.

Nutanix Performance and IOPS

My colleagues Gary Little and John Williamson are starting up a blog series on Nutanix performance. Have you ever wondered how Nutanix would perform for your application? Do you wonder how Nutanix compares to a traditional SAN? Do you ever wonder what it means to have 1 hojillion IOPS? I know I do – so I thought maybe you would too.

[Image: IOPS on Nutanix]

I know the blog here has turned into “All Nutanix All The Time”, but I think this performance series is worth a read. Maybe I’ll be posting more about motorcycles, security, and rock climbing in the future. (Oh, I’ve taken up indoor rock climbing) I’ve started using Keybase.io and Signal – so that could also be worth a tech post.

Check out the first Nutanix performance post here.

VMware NSX Software Defined Networking with Nutanix

Take a look at the latest Nutanix solution note, detailing VMware NSX for vSphere in a Nutanix environment. With these two technologies combined, customers can now virtualize their entire infrastructure. This solution note describes common customer use cases and advantages of NSX software defined networking. We also test two important deployment scenarios and give configuration recommendations.

Find more information on my Nutanix NEXT community blog post (upcoming) or download the full solution note.

Light Board Series: AHV Open vSwitch Networking – Part 4

We’re wrapping up our four part series on Nutanix AHV networking today with a look at the User VM Networking. Check out the Nutanix Connect Blog for full details.

We cover the difference between managed and unmanaged networks for VMs. VM networks can be rapidly created through the Prism GUI, the Acropolis CLI, or the REST API.

Cisco UC on Nutanix Webinar

I recently presented a webinar for Cisco UC on Nutanix to highlight exactly how Nutanix could save time and money, while adding features and flexibility, on your next deployment.

Take a look at the live webinar here:

Light Board Series: AHV Open vSwitch Networking – Part 3

For part 3 in our series I want to tackle VLANs in AHV. I don’t actually have a light board video for this one 🙁

What I do have are some diagrams for you to look at!

Here’s the default VLAN configuration that we’d recommend:

[Diagram: acropolis_default_vlan]

Here is a non-default configuration where a VLAN tag is added to the AHV host and the Controller Virtual Machine:

[Diagram: acropolis_custom_vlan]

Learn more about VLANs in the Acropolis Hypervisor here on the official Nutanix NEXT Community Blog. Find complete details in the AHV Best Practice Guide.

Light Board Series: AHV Open vSwitch Networking – Part 1

I’m happy to announce the release of the first Light Board Videos I recorded with the Nutanix nu.school education team. These videos were a blast to record. The education team here at Nutanix is top notch and made my scribbles and rambling look and sound great! A video production team is an amazing asset to have sitting behind you in the office!

AHV provides an alternative to traditional hypervisors – and with that alternative comes a new virtual switch! This virtual switch bridges the VMs to the physical network.

To find more information about the video, including all of the rationale behind the decisions made – check out the Nutanix .NEXT Community blog I wrote describing AHV Host Networking.

Here’s the embedded first part of the video. I talk about Open vSwitch bridges and bonds, and how to connect the CVM and the User Virtual Machines to the 10gb or 1gb network interfaces. Follow the Nutanix .NEXT community blog, my site here, or the nu.school YouTube page to watch the rest of the series.

We’ll cover Load Balancing, Managed and Unmanaged VM networks, and more in the coming weeks!

Nutanix AHV Best Practices Guide

In my last blog post I talked about networking with Open vSwitch in the Nutanix Acropolis Hypervisor. Today I’m happy to announce the continuation of that initial post – the Nutanix Acropolis Hypervisor Best Practices Guide.

Nutanix Acropolis introduced the concept of AHV, based on the open source Linux KVM hypervisor. A new Nutanix node comes installed with AHV by default with no additional licensing required. It’s a full-featured virtualization solution that is ready to run VMs right out of the box. ESXi and Hyper-V are still great on Nutanix, but AHV should be seriously considered because it has a lot to offer, with all of KVM’s rough edges rounded off.

Part of introducing a new hypervisor is describing all of the features, and then recommending some best practices for those features. In this blog post I wanted to give you a taste of the doc with some choice snippets to show you what this Best Practice Guide and AHV are all about.

Take a look at Magnus Andersson’s excellent blog post on terminology for some more detailed background on terms.

Acropolis Overview

Acropolis (one word) is the name of the overall project encompassing multiple hypervisors, the distributed storage fabric, and the app mobility fabric. The goal of the Acropolis project is to provide seamless invisible infrastructure whether your VMs exist in AWS, Hyper-V, ESXi, or the AHV. The sister project, Prism, provides the user interface to manage via GUI, CLI, or REST API.

[Diagram: Acropolis_Prism_Block_Diagram]

AHV Overview

AHV is based on the open source KVM hypervisor, but is enhanced by all the other components of the Acropolis project. Conceptually, AHV has access to the Distributed Storage Fabric for storage, and the App Mobility Fabric powers the management plane for VM operations like scheduling, high availability, and live migration.

[Diagram: Acropolis Architecture CVM Scale]

The same familiar Nutanix architecture exists, with a network of Controller Virtual Machines providing storage access to VMs. The CVM takes direct control of the underlying disks (SSD and HDD) with PCI passthrough, and exposes these disks to AHV via iSCSI (the blue dotted VM I/O line). The management layer is spread across all Nutanix nodes in the CVMs using the same web-scale principles as the storage layer. This means that, by default, a highly available VM management layer exists. No single point of failure anymore! No additional work to set up VM management redundancy – it just works that way.

AHV Networking Overview

Networking in AHV is provided by an Open vSwitch instance (OVS) running on each AHV host. The BPG doc has a comprehensive overview of the different components inside OVS and how they’re used. I’ll share a teaser diagram of the default network config after installation in a single AHV node.

[Diagram: acropolis_initial_install]

AHV Networking Best Practices

Bridges, Bonds, and Ports – oh my. What you really want to know is “How do I plug this thing into my switches, set up my VLANs, and get the best possible load balancing?” You’re in luck, because the Best Practice Guide covers the most common scenarios for creating different virtual switches and configuring load balancing.

Here’s a closer look at one possible networking configuration, where the 10 gigabit adapters and 1 gigabit adapters have been connected into separate OVS bridges. User VM2 has the ability to connect to multiple physically separate networks with this design, which allows things like virtual firewalls.

[Diagram: acropolis_ovs_reco_2-10g]

After separating network traffic, the next thing is load balancing. Here’s a look at another possible load balancing method called active-slb. Not only does the BPG provide the configuration for this, but also the rationale. Maybe fault tolerance is important to you. Maybe active-active configuration with LACP is important. The BPG will cover the config and the best way to achieve your goals.

For information on VLAN configuration, check out the Best Practices Guide.

Other AHV Best Practices

This BPG isn’t just networking specific. The standard features you expect from a hypervisor are all covered.

  • VM Deployment
    • Leverage the fantastic aCLI, GUI, or REST API to deploy or clone VMs.
  • VM Data Protection
    • Back up VMs with local or remote snapshots.
  • VM High Availability
    • During physical host failure, ensure that VMs are started elsewhere in the cluster.
  • Live Migration
    • Move running VMs around in the cluster.
  • CPU, Memory, and Disk Configuration
    • Add the right resources to machines as needed.
  • Resource Oversubscription
    • Rules for fitting the most VMs onto a running cluster for max efficiency.

Take a look at the AHV Best Practice Guide for information on all of these features and more. With this BPG in hand you can be up and running with AHV in your datacenter and get the most out of all the new features Nutanix has added.