What Is Second Generation CM?

Question
What is a second generation configuration management tool?

Answer
Page xiii of The DevOps Handbook refers to John Willis characterizing Luke Kanies' thoughts on configuration management as "second generation CM." But according to https://www.cmcrossroads.com/article/cm-generations-and-vision-future there are four generations of CM. This may or may not be compatible with what John Willis had in mind, but we do not see how Luke Kanies' vision could be the second oldest of the four generations. We look forward to more sources defining different generations of configuration management tools (such as Docker, Puppet, Ansible etc.). Clearly configuration management has evolved over the years.

Configuration management is very important for managing codebases and for DevOps in general. Fred Brooks, the author of The Mythical Man-Month, envisioned a Configuration Manager as a code librarian (according to page 221 of The Cathedral and The Bazaar). GitOps is taking CM principles and making them a way that we communicate. To learn more about communication structures in business and how to reconcile Conway's Law with the DevOps movement, see this posting.

What Do You Do If CloudWatch Metrics Are Not Showing Up in the Dashboard?

Problem scenario
You used a .json file and the AWS CLI to configure customized metrics. When you go to the GUI you do not see the graphs. The commands that were run with the .json file completed without errors or problems. How do you get the web console to show the metrics you configured for various AWS components?

Possible Solution #1
Not every CloudWatch metric is necessarily graphed. Verify that the metrics you configured are graphed at all.

Possible Solution #2
Find the instance ID or resource ID of the resource you want to monitor. Go to the web console for AWS. Click on "Metrics" on the left. Search for the instance ID or resource ID. It should appear there even if it did not appear in a different AWS web console dashboard.

How Do You Troubleshoot “The filter VolumeId” is invalid?

Problem scenario
You run an aws ec2 command and you use the --filters flag with Name=VolumeId (consistent with the casing that you see in other AWS CLI contexts). You receive a message about "the filter VolumeId" being invalid. What should you do?

Solution
Use "volume-id" instead of "VolumeId".

In general we find that the syntax of the name itself, for an AWS CLI --filters flag, should be lowercase and hyphenated. We do not know why it is relatively undocumented. We find the hyphens are right before what would be medial capitals of a given name.

You can use unfiltered output to see what is returned from a given AWS command. You can use the "." dot notation to drill into a given value that is nested in JSON with the nested key to the right of its parent.

Here you see VpcId nested inside of RequesterVpcInfo:

"RequesterVpcInfo": {
…
"VpcId": "vpc-123456",

To refer to the VPC ID itself for filtering purposes, you would use dot notation as illustrated (e.g., with an 'aws ec2 describe-vpc-peering-connections' command):
--filters Name=requester-vpc-info.vpc-id,Values=vpc-123456

You can add more restrictions by adding additional Name-Values pairs with a space after the above snippet. Here is an example:
--filters Name=requester-vpc-info.vpc-id,Values=vpc-123456 Name=accepter-vpc-info.region,Values=us-west-2

Output would have to meet both the requirements of the VPC ID as vpc-123456 and the accepter VPC would have to be in the region us-west-2.

Why Does a User Not Have Access to a VPC when The Configuration Appears to Allow For Connectivity?

Problem scenario
A user has no access to a VPC from her workstation. What are three ways a user can be given access to resources in a VPC?

Four Possible, Independent Solutions

  1. Network Access Control lists. These are IP address firewalls for the VPCs themselves. Based on the IP address of the user's workstation, Network Access Control lists can allow or disallow traffic to the VPC.
  2. Security Groups. These are two-way firewalls that have inbound and outbound rules for EC2 instances and other AWS components. Based on the IP address of the user's workstation, the Security Group can allow traffic to the VPC.
  3. AWS Active Directory Services. If your enterprise has Windows desktops, you can use AWS Active Directory Services. The centralized authentication can allow or disallow the user from gaining access to a VPC. To learn more, see this link https://aws.amazon.com/directoryservice/
  4. On-premise routers and firewalls that do not allow connectivity to the internet or to AWS VPCs.

How Do You Solve Jira’s Web UI Problem of Refreshing Rapidly?

Problem scenario
Jira refreshes rapidly and indefinitely when you log in or go to a specific link. Jira's web UI is unusable. What should you do?

Solution
Root cause: A full URL may not be browsable directly yet.

Procedures
Browse to a dashboard or home page. There may be a "Welcome" guide that was skipped.

How Do You Troubleshoot the Message “jq: error…Cannot iterate over null”?

Problem scenario
You are running a jq command (e.g., piping output to jq). You receive the message "jq: error…Cannot iterate over null." What should you do?

Solution
Change the word "Parameters" to "Parameter". By omitting an "s" from "Parameters", the error may go away.

Verify there is output. Try running the command without the "jq" utility if possible. This error can happen if there is no output to parse.

How Do You Get an Ansible Playbook to Not Skip a Section?

Problem scenario
You are running a playbook. A section is being skipped. When you use "-vvvv" to enhance the verbosity of the output messages, you see "Condition result was false". How do you get the playbook section that is being skipped to execute?

Solution
The most likely cause is that you have a "when" statement that governs the clause of the playbook that is being skipped. This condition is false -- at least that is what the Ansible engine thinks. Check the logic of the "when" statement that pertains to the section of the playbook not running.

How Do You Troubleshoot the AWS CLI Error “Invalid Document Name”?

Problem scenario
You run an AWS SSM command. You receive "An error occurred (ValidationException) when calling the CreateDocument operation: Invalid document Amazon…" What do you do to get the command to work?

Solution
Document names cannot begin with three strings (regardless of capitalization): "aws", "amazon", or "amzn".

Change the document name to not have a string such as one of the above.

n.b. The error message, as of early 2020, is not very helpful. We hope Amazon will provide a better error message in the future.

Using Python How Do You Run Bash Commands That Include More Than One Word?

Problem scenario
You are trying to have Python run Bash commands. As soon as the command includes a flag or a second argument, there is no value being assigned in Python. Two or more words in the Bash command cause no value to be assigned. What can you do?

Solution
This only works if you have complete control of the Bash command arguments. This should not be done with uncleansed data (e.g., user input). Use the shell=True argument (if you know it will be acceptable from a security perspective):

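import subprocess
# …
# With shell=True, pass the whole command as one string. If a list is given on
# POSIX, only 'ls' is run and '-lh' is handed to the shell itself, not to ls.
proc = subprocess.Popen('ls -lh', shell=True, stdout=subprocess.PIPE)
output, _ = proc.communicate()  # read stdout and wait for the command to exit

# Some people caution against stdout=subprocess.PIPE.  The biggest potential security flaw is shell=True, however.  Use with care.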
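
The three ways of passing a multi-word command, compared side by side with and without an outside-supplied value. This is an added example, not code from the original post; it assumes a POSIX system with /bin/sh and echo, and the function names and the UNTRUSTED sample are hypothetical.

```python
import shlex
import subprocess


def _out(cmd, **kwargs):
    # Run a command and return its stdout as text.
    return subprocess.run(cmd, capture_output=True, text=True, **kwargs).stdout


def list_with_shell(argv):
    # List + shell=True: on POSIX only argv[0] is the command line; the
    # remaining items become arguments to /bin/sh itself and are dropped.
    return _out(argv, shell=True)


def string_with_shell(command):
    # One string + shell=True: the shell parses the whole line, including
    # metacharacters such as ';', '|' and '$( )'.
    return _out(command, shell=True)


def quoted_with_shell(program, value):
    # If a shell is unavoidable, quote every outside value with shlex.quote.
    return _out(program + " " + shlex.quote(value), shell=True)


def list_without_shell(argv):
    # List, no shell: each item reaches the program as one literal argument.
    return _out(argv)


# Constructed sample standing in for a value that arrived from outside.
UNTRUSTED = "notes.txt; echo INJECTED"

if __name__ == "__main__":
    print(repr(list_with_shell(["echo", "hello", "world"])))     # args lost
    print(repr(string_with_shell("echo hello world")))           # works
    print(repr(list_without_shell(["echo", "hello", "world"])))  # works, no shell
    print(repr(string_with_shell("echo " + UNTRUSTED)))          # second command runs
    print(repr(quoted_with_shell("echo", UNTRUSTED)))            # literal text
    print(repr(list_without_shell(["echo", UNTRUSTED])))         # literal text
```

The list form without a shell handles flags and extra arguments just as well, so shell=True is only needed when the command genuinely relies on shell features such as pipes or globbing.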

How Do You Troubleshoot the Error “DNS: A new record cannot be created. Refused.”?

Problem scenario
Using Windows Server and Active Directory, you try to add a PTR record to a Reverse Lookup Zone. You get "DNS: A new record cannot be created. Refused." What do you do?

Possible Solution #1
Click "Ok" to the pop up. Continue where you were interrupted. The error message should be ignorable (other than the fact that you have to click "Ok" to the pop-up itself and the window to create a New Resource Record).

Possible Solution #2
Try again. For some reason you may need to add the record twice for one to work.

Possible Solution #3
Avoid using the MMC and use PowerShell and a flat .txt file instead. To see how, click here.