[ansible-project] Re: Blockinfile triggers every run

2017-06-23 Thread Guy Knights
Actually, never mind - I just realised that the problem is the loop that
I've got around each blockinfile task, which will overwrite each item in
the list until it reaches the last one.

On Fri, Jun 23, 2017 at 3:51 PM, Guy Knights  wrote:

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ansible-project+unsubscr...@googlegroups.com.
To post to this group, send email to ansible-project@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/CANNH9mt_NBiDm8tcTE1hL118dsAyYGjzYMAPi4umNrkbm76VcA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.


[ansible-project] Blockinfile triggers every run

2017-06-23 Thread Guy Knights
I have a blockinfile task that sets some lines in /etc/ufw/before.rules,
and which notifies a handler to reload ufw if the task registers a change. I
was running it on a host and noticed that I had the same PREROUTING rule
from before.rules multiple times, so I took a closer look at the task as I
was running it, and I noticed that it keeps triggering every time it runs.

Here are my tasks that add pre- and post-routing rules to
/etc/ufw/before.rules:

- name: set nat and port forwarding start section
  blockinfile:
    dest: /etc/ufw/before.rules
    marker: "# {mark} bbg nat rules"
    insertbefore: "# Don't delete these required lines, otherwise there will be errors"
    block: |
      # NAT table rules
      *nat
      :PREROUTING ACCEPT [0:0]
      :POSTROUTING ACCEPT [0:0]
  when: firewall.nat is defined or firewall.pf is defined
  notify:
    - reload ufw

- name: set individual port forwarding rules if specified
  blockinfile:
    dest: /etc/ufw/before.rules
    insertafter: "# END bbg nat rules"
    # the marker must differ per item; a marker shared by all items makes each
    # item replace the previous one's block (note: default(omit) inside a
    # string does not omit anything, it renders a placeholder string)
    marker: "# {mark} {{ item.desc }}"
    block: |
      # Forward port for {{ item.desc }}
      -A PREROUTING -p tcp --dport {{ item.src_port }} -j REDIRECT --to-port {{ item.dst_port }}
  with_items: "{{ firewall.pf | default([]) }}"
  when: firewall.pf is defined
  notify:
    - reload ufw

- name: set individual nat rules if specified
  blockinfile:
    dest: /etc/ufw/before.rules
    # anchor on a line that already exists in the stock before.rules; the
    # "# BEGIN bbg nat rules commit" marker is only written by the next task,
    # so on a first run it is not there yet and the block would go to the end
    # of the file
    insertbefore: "# Don't delete these required lines, otherwise there will be errors"
    marker: "# {mark} {{ item.desc }}"
    block: |
      # Forward traffic through {{ item.out_in | default('eth0') }} - Change to match your out-interface for {{ item.desc }}
      -A POSTROUTING -s {{ item.source | default('0.0.0.0/0') }} -d {{ item.dest | default('0.0.0.0/0') }} -o {{ item.out_in | default('eth0') }} -j MASQUERADE
  with_items: "{{ firewall.nat | default([]) }}"
  when: firewall.nat is defined
  notify:
    - reload ufw

- name: set nat rules commit if specified
  blockinfile:
    dest: /etc/ufw/before.rules
    marker: "# {mark} bbg nat rules commit"
    insertbefore: "# Don't delete these required lines, otherwise there will be errors"
    block: |
      # don't delete the 'COMMIT' line or these nat table rules won't
      # be processed
      COMMIT
  when: firewall.nat is defined or firewall.pf is defined
  notify:
    - reload ufw

The rule that keeps triggering is the 2nd one, set individual port
forwarding rules if specified.

I can't see that it's changing anything in the file after it initially adds
the lines, and in fact I did a test and ran a checksum against the file
before and after running the playbook and the checksum value was the same,
so it hasn't changed the file in any way.

Can anyone explain why it keeps triggering and running the ufw reload?

Thanks,
Guy

To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/CANNH9mu7hexGko7oXq7SHBjLH1im0FyktxxkFrMHgsMqU01%3Dtg%40mail.gmail.com.
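Why a looped blockinfile task can report "changed" on every run while the file's checksum is identical before and after the play: the following is an added example, not code from the post or from Ansible itself. It is a small Python model of blockinfile's marker handling (assumed to be close enough to the real module's semantics for this purpose) run over a constructed before.rules snippet and a constructed firewall.pf list, comparing a marker that every loop item shares with a per-item marker. Function names, the sample rules, and the exact-line match standing in for the insertafter regex are all assumptions of the model.

```python
"""Model of blockinfile's marker logic under a loop.

Added example; not code from the mailing-list post or from Ansible.
Assumptions: a marker block is replaced in place when its BEGIN/END
markers already exist, otherwise inserted after the first line equal to
`insertafter` (the real module uses a regex); "changed" means the text
differs afterwards.
"""

# Constructed stand-in for the relevant part of /etc/ufw/before.rules
# after the header task has run.
BEFORE_RULES = """\
# BEGIN bbg nat rules
# NAT table rules
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# END bbg nat rules
# Don't delete these required lines, otherwise there will be errors
*filter
COMMIT
"""

# Constructed firewall.pf list of the shape the tasks loop over.
PF_ITEMS = [
    {"desc": "web", "src_port": 80, "dst_port": 8080},
    {"desc": "ssh", "src_port": 2222, "dst_port": 22},
]


def blockinfile(text, marker, block, insertafter):
    """Return (new_text, changed) using blockinfile's marker semantics."""
    begin, end = marker.format(mark="BEGIN"), marker.format(mark="END")
    lines = text.splitlines()
    new_block = [begin] + block.splitlines() + [end]
    if begin in lines and end in lines:
        # markers present: replace whatever is between them
        i, j = lines.index(begin), lines.index(end)
        new_lines = lines[:i] + new_block + lines[j + 1:]
    else:
        # markers absent: insert after the anchor line
        i = lines.index(insertafter)
        new_lines = lines[:i + 1] + new_block + lines[i + 1:]
    new_text = "\n".join(new_lines) + "\n"
    return new_text, new_text != text


def run_task(text, items, marker_template):
    """One play run of the looped task; return (text, per-item changed flags)."""
    changed = []
    for item in items:
        # marker_template may or may not mention {desc}; {mark} is kept for blockinfile
        marker = marker_template.format(mark="{mark}", desc=item["desc"])
        block = (f"# Forward port for {item['desc']}\n"
                 f"-A PREROUTING -p tcp --dport {item['src_port']} "
                 f"-j REDIRECT --to-port {item['dst_port']}")
        text, c = blockinfile(text, marker, block, "# END bbg nat rules")
        changed.append(c)
    return text, changed


def simulate(marker_template, runs=3):
    """Run the looped task `runs` times; return (list of per-run flags, final text)."""
    text = BEFORE_RULES
    history = []
    for _ in range(runs):
        text, changed = run_task(text, PF_ITEMS, marker_template)
        history.append(changed)
    return history, text


if __name__ == "__main__":
    for label, template in (("shared marker", "# {mark} bbg pf"),
                            ("per-item marker", "# {mark} {desc}")):
        history, final = simulate(template)
        print(f"{label}: changed per run = {history}")
        print(final)
```

With the shared marker every run reports changed for every item (each item replaces the previous item's block, and the handler fires), yet the file ends each run holding only the last item, so its checksum never moves; with the per-item marker the second and later runs report no change.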


[ansible-project] wait_for_connection: doesn't do the job (as expected)

2017-06-23 Thread Reiner Nippes
Hi,

I'm starting two ec2 SLES12 instances with ansible. After they are
up the same playbook should configure the machines.

So I include

  - name: Wait for connection to
    wait_for_connection:

after the ec2: module. Ansible waits some seconds for the connection.
That's OK.

But the check doesn't work as expected, because when the playbook continues 
doing something on the ec2s I'm getting a 

FAILED! => {"failed": true, "msg": "Timeout (12s) waiting for privilege 
escalation prompt: "}

OK. Shit happens. But we have a do-until loop. 

  - name: start config
    setup: gather_timeout=120
    register: result
    ignore_errors: yes
    until: result|success
    retries: 10
    delay: 10

I would expect that this loop would continue until both machines succeeded 
with the setup task.

But

TASK [Wait for connection to] 
**

ok: [ip-10-104-30-63.eu-central-1.compute.internal]
ok: [ip-10-104-28-82.eu-central-1.compute.internal]

TASK [start config] 
**

ok: [ip-10-104-30-63.eu-central-1.compute.internal]
fatal: [ip-10-104-28-82.eu-central-1.compute.internal]: FAILED! => 
{"failed": true, "msg": "Timeout (12s) waiting for privilege escalation 
prompt: "}
...ignoring

If I don't ignore the error the playbook would stop right here.
If I ignore the error, on machine ip-10-104-28-82 no facts were gathered,
so the playbook fails later.

a) Is this a bug in "wait_for_connection:"? (I think yes.)
b) How to write a playbook that is fail safe?

Thanks,
Reiner

To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/f2cb9db2-bbee-4f11-806e-237c0a79a137%40googlegroups.com.


Re: [ansible-project] Re: Facing Ansible bug & how to use the most recent Ansible branch with fixed code ?

2017-06-23 Thread P
Sorry, I haven't sent any update, but after I sent this post I did the same
test with the devel branch and got the same error.
Raised a bug: https://github.com/ansible/ansible/issues/25967

On Wednesday, June 21, 2017 at 6:04:30 PM UTC+1, Brian Coca wrote:
>
> But in your error you were using (detached from v2.3.1.0-1)? 
>
>
> -- 
> Brian Coca 
>

To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/b9eed3d9-6f79-41d9-8066-0961b0283205%40googlegroups.com.


[ansible-project] Re: Ansible WinRM Connection 'Connection reset by peer' only when Windows Role ADFS/WAP is Installed and Post Configuration Finished

2017-06-23 Thread 'J Hawkesworth' via Ansible Project
My guess would be that something about these windows server roles causes 
some kind of reset or restart of some part of the http stack (which WinRM 
depends on).

I know Kerberos needs DNS to work properly - the hostname is important for
Kerberos for reasons I forget, but it needs to be able to go from IP ->
hostname and hostname -> IP in order to work fully.

Is it difficult for you to make use of the hostname in your environment?

There are modules now for configuring dns resolution 
(https://docs.ansible.com/ansible/win_dns_client_module.html) and also a 
module for updating DNS 
https://docs.ansible.com/ansible/nsupdate_module.html 

So you might be able to configure things so you can use hostnames from the 
start.

Hope this helps,

Jon

On Wednesday, June 21, 2017 at 5:29:57 PM UTC+1, David Baumann wrote:
>
> Hi, I got a really awkward problem with Ansible (devel)
>
>
> I have multiple servers and all works fine with WinRM and Kerberos on the
> Ansible side until I install/configure the following Windows roles on hosts
>
>  - Active Directory Federation Service
>  - WebapplicationProxy
>
> All servers are based on the same VM template
>
> Connection
>
> over WinRM first with SSL/Basic auth for provisioning, then I switch on the
> fly to SSL/Kerberos
>
> Basic ansible_user: username
> Kerberos ansible_user: user...@domain.tld
>
> I always get requests.exceptions.ConnectionError: ('Connection aborted.',
> error(104, 'Connection reset by peer'))
>
> What I found out: if I use the FQDN it works both with Basic and Kerberos
> over SSL on the server with ADFS/WAP installed.
> With an IP address it only works on servers without ADFS or WAP installed.
>
> *More details and debugging output under *
>
> https://gist.github.com/daBONDi/4f9a4f6f5feb49fdcb3f7451b92612e9
>
> Maybe some of you have seen the same with an ADFS / WAP server and could
> help me diagnose it
>
> Thanks in advance for your time
>
> David Baumann(daBONDI@Github)
> www.davidbaumann.at
>

To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/a2785dd0-1489-426a-ada7-03ac9d98d33a%40googlegroups.com.
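Jon's point that Kerberos needs DNS to agree in both directions (hostname -> IP and IP -> hostname), turned into a pre-flight check a practitioner can run before switching a WinRM host from Basic to Kerberos. This is an added example, not code from the thread or from Ansible. By default it uses the OS resolver through Python's socket module; the fake zone (adfs01.corp.example and friends) is constructed so the check can be demonstrated offline, and the function names are mine.

```python
"""Pre-flight check of the DNS requirement behind Kerberos-authenticated WinRM:
the name Ansible connects to should be an FQDN whose address resolves back to
that same name.

Added example; not code from the thread or from Ansible. Resolvers are
injectable; the FAKE_* tables below are constructed for an offline demo.
"""
import socket


def forward_system(name):
    """Forward lookup via the OS resolver: name -> sorted list of addresses."""
    return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})


def reverse_system(addr):
    """Reverse lookup via the OS resolver: address -> canonical name."""
    return socket.gethostbyaddr(addr)[0]


def is_ip_literal(value):
    """True if value parses as an IPv4 or IPv6 address literal."""
    for family in (socket.AF_INET, socket.AF_INET6):
        try:
            socket.inet_pton(family, value)
            return True
        except (OSError, ValueError):
            pass
    return False


def check_kerberos_name(name, forward=forward_system, reverse=reverse_system):
    """Return (ok, findings) for a candidate ansible_host value.

    Findings are the reasons Kerberos over that name is likely to break:
    an IP literal instead of a name, a short name instead of an FQDN,
    a failing forward lookup, or a PTR that does not point back at the name.
    """
    findings = []
    if is_ip_literal(name):
        return False, ["IP literal; Kerberos needs the host name the SPN is registered for"]
    if "." not in name:
        findings.append("short name, not an FQDN")
    try:
        addrs = forward(name)
    except OSError as exc:
        return False, findings + [f"forward lookup failed: {exc}"]
    if not addrs:
        return False, findings + ["forward lookup returned no addresses"]
    want = name.lower().rstrip(".")
    for addr in addrs:
        try:
            back = reverse(addr)
        except OSError as exc:
            findings.append(f"{addr}: reverse lookup failed: {exc}")
            continue
        if back.lower().rstrip(".") != want:  # DNS names compare case-insensitively
            findings.append(f"{addr}: reverse lookup gives {back}, not {name}")
    return not findings, findings


# Constructed answers standing in for a lab DNS zone.
FAKE_FORWARD = {
    "adfs01.corp.example": ["10.0.0.5"],
    "wap01.corp.example": ["10.0.0.6"],
    "adfs01": ["10.0.0.5"],
}
FAKE_REVERSE = {
    "10.0.0.5": "ADFS01.corp.example",   # case differs; still the same name
    "10.0.0.6": "proxy01.corp.example",  # PTR points at a different name
}


def forward_fake(name):
    try:
        return FAKE_FORWARD[name]
    except KeyError:
        raise OSError(f"NXDOMAIN {name}")


def reverse_fake(addr):
    try:
        return FAKE_REVERSE[addr]
    except KeyError:
        raise OSError(f"no PTR for {addr}")


def check_inventory(hosts, forward=forward_fake, reverse=reverse_fake):
    """Run the check over several ansible_host values; return {host: (ok, findings)}."""
    return {h: check_kerberos_name(h, forward, reverse) for h in hosts}


if __name__ == "__main__":
    import sys
    # real resolvers when given host names on the command line, the fake zone otherwise
    if sys.argv[1:]:
        results = check_inventory(sys.argv[1:], forward_system, reverse_system)
    else:
        results = check_inventory(list(FAKE_FORWARD) + ["10.0.0.5", "nx.corp.example"])
    for host, (ok, findings) in results.items():
        print(f"{host}: {'ok' if ok else 'FAIL'} {findings}")
```

Run it with the FQDNs from your inventory before flipping ansible_winrm_transport to kerberos; anything that is not "ok" is a host where the FQDN-versus-IP behaviour David describes can be expected.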