Oefenweb / ansible-fail2ban

Ansible role to set up fail2ban in Debian-like systems
MIT License

Error on Debian on first check_mode run #76

Open Al-thi opened 1 year ago

Al-thi commented 1 year ago

Hello,

This role fails on Debian when playing the following tasks in check_mode on a fresh server:

- name: get fail2ban version
  ansible.builtin.command: >
    fail2ban-server -V
  changed_when: false
  check_mode: false
  register: _fail2ban_version_raw
  tags:
    - configuration
    - fail2ban
    - fail2ban-install

fails with:

fatal: [xxx]: FAILED! => {"changed": false, "cmd": "fail2ban-server -V", "msg": "[Errno 2] No such file or directory: b'fail2ban-server'", "rc": 2, "stderr": "", "stderr_lines": [], "stdout": "", "stdout_lines": []}

and:

- name: update configuration file - /etc/fail2ban/jail.local
  ansible.builtin.template:
    src: etc/fail2ban/jail.local.j2
    dest: /etc/fail2ban/jail.local
    owner: root
    group: root
    mode: 0644
  notify: restart fail2ban
  tags:
    - configuration
    - fail2ban
    - fail2ban-configuration
    - fail2ban-configuration-update

fails with:

fatal: [xxx]: FAILED! => {"changed": false, "msg": "AnsibleFilterError: Input version value cannot be empty"}

and:

- name: start and enable service
  ansible.builtin.service:
    name: fail2ban
    state: "{{ service_default_state | default('started') }}"
    enabled: "{{ service_default_enabled | default(true) | bool }}"
  tags:
    - configuration
    - fail2ban
    - fail2ban-start-enable-service

fails with:

fatal: [xxx]: FAILED! => {"changed": false, "msg": "Could not find the requested service fail2ban: host"}

because fail2ban is not installed and therefore the version cannot be parsed.

I suggest adding the following line to these tasks to ignore check_mode errors:

- name: get fail2ban version
  ansible.builtin.command: >
    fail2ban-server -V
  changed_when: false
  check_mode: false
  register: _fail2ban_version_raw
  tags:
    - configuration
    - fail2ban
    - fail2ban-install
  ignore_errors: "{{ ansible_check_mode }}" # fixes error

- name: update configuration file - /etc/fail2ban/jail.local
  ansible.builtin.template:
    src: etc/fail2ban/jail.local.j2
    dest: /etc/fail2ban/jail.local
    owner: root
    group: root
    mode: 0644
  notify: restart fail2ban
  tags:
    - configuration
    - fail2ban
    - fail2ban-configuration
    - fail2ban-configuration-update
  ignore_errors: "{{ ansible_check_mode and fail2ban_version == '' }}" # fixes error

- name: start and enable service
  ansible.builtin.service:
    name: fail2ban
    state: "{{ service_default_state | default('started') }}"
    enabled: "{{ service_default_enabled | default(true) | bool }}"
  tags:
    - configuration
    - fail2ban
    - fail2ban-start-enable-service
  ignore_errors: "{{ ansible_check_mode and fail2ban_version == '' }}" # fixes error

Al-thi commented 1 year ago

I also had to ignore errors in the handler, for the same reasons.

Al-thi commented 1 year ago

FYI I edited my post to fix a syntax error in the ignore_errors condition

Al-thi commented 1 year ago

FYI I updated my message again. Now it works :sweat:
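
An alternative to the `ignore_errors` approach suggested in this thread, as an added example that is not part of the original issue or the role's own code: the version probe is allowed to fail only in check mode, and the tasks that need an installed fail2ban are skipped instead of being run with their errors ignored. It assumes these tasks replace the three quoted in the issue and that the version task runs in the same play before the block; all task names, modules and variables are taken from the issue.

```yaml
# Added example, not the role's own code. Assumption: these tasks replace the
# three tasks quoted in the issue; names and variables are taken from it.
- name: get fail2ban version
  ansible.builtin.command: >
    fail2ban-server -V
  changed_when: false
  check_mode: false
  register: _fail2ban_version_raw
  # A missing binary is tolerated only in check mode; a real run still fails.
  failed_when:
    - _fail2ban_version_raw.rc != 0
    - not ansible_check_mode
  tags:
    - configuration
    - fail2ban
    - fail2ban-install

- name: configure and start fail2ban
  # Skipped as a whole when the probe above found no fail2ban (fresh host in
  # check mode), so no error is hidden and the handler is not notified.
  when: _fail2ban_version_raw.rc == 0
  tags:
    - configuration
    - fail2ban
  block:
    - name: update configuration file - /etc/fail2ban/jail.local
      ansible.builtin.template:
        src: etc/fail2ban/jail.local.j2
        dest: /etc/fail2ban/jail.local
        owner: root
        group: root
        mode: "0644"
      notify: restart fail2ban
      tags:
        - fail2ban-configuration
        - fail2ban-configuration-update

    - name: start and enable service
      ansible.builtin.service:
        name: fail2ban
        state: "{{ service_default_state | default('started') }}"
        enabled: "{{ service_default_enabled | default(true) | bool }}"
      tags:
        - fail2ban-start-enable-service
```

On a host where fail2ban is already installed, the block still runs in check mode and reports real configuration drift, which a blanket `ignore_errors` on those tasks could mask.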