StreisandEffect / streisand

Streisand sets up a new server running your choice of WireGuard, OpenConnect, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, or a Tor bridge. It also generates custom instructions for all of these services. At the end of the run you are given an HTML file with instructions that can be shared with friends, family members, and fellow activists.
https://twitter.com/streisandvpn

Setup fails on Debian 8 inside an LXC container #269

Closed ovizii closed 8 years ago

ovizii commented 8 years ago

Trying to install from my MacBook Pro to a LXC container running Debian Jessie.

On my MB it hangs at this step:

TASK [openconnect : Execute the PKCS #12 conversion Expect script] *************

Checking the syslog of the target system I see:

Mar  6 23:25:49 drake ansible-<stdin>: Invoked with creates=/etc/ocserv/client.p12 executable=None chdir=None _raw_params=/etc/ocserv/create-pkcs12.exp removes=None warn=True _uses_shell=False
Mar  6 23:26:30 drake ntpd[23556]: adjtime failed: Operation not permitted
Mar  6 23:30:55 drake ntpd[23556]: adjtime failed: Operation not permitted
Mar  6 23:34:03 drake ntpd[23556]: adjtime failed: Operation not permitted
Mar  6 23:37:18 drake ntpd[23556]: adjtime failed: Operation not permitted

Any ideas?

ovizii commented 8 years ago

Pressed CTRL+C and tried again, this time I got to this part:

TASK [l2tp-ipsec : Install the Libreswan dependencies that are required for compilation] ***
failed: [xxx.xxx.xxx.xxx] => (item=[u'bison', u'flex', u'libcap-ng-dev', u'libcap-ng-utils', u'libcurl4-nss-dev', u'libevent-dev', u'libgmp3-dev', u'libnspr4-dev', u'libnss3-dev', u'libnss3-tools', u'libpam0g-dev', u'libselinux1-dev', u'libunbound-dev', u'pkg-config', u'xmlto']) => {"cache_update_time": 0, "cache_updated": false, "failed": true, "item": ["bison", "flex", "libcap-ng-dev", "libcap-ng-utils", "libcurl4-nss-dev", "libevent-dev", "libgmp3-dev", "libnspr4-dev", "libnss3-dev", "libnss3-tools", "libpam0g-dev", "libselinux1-dev", "libunbound-dev", "pkg-config", "xmlto"], "msg": "'/usr/bin/apt-get -y -o \"Dpkg::Options::=--force-confdef\" -o \"Dpkg::Options::=--force-confold\" install 'bison' 'flex' 'libcap-ng-dev' 'libcap-ng-utils' 'libcurl4-nss-dev' 'libevent-dev' 'libgmp3-dev' 'libnspr4-dev' 'libnss3-dev' 'libnss3-tools' 'libselinux1-dev' 'libunbound-dev' 'xmlto'' failed: E: dpkg was interrupted, you must manually run 'dpkg --configure -a' to correct the problem. \n", "stderr": "E: dpkg was interrupted, you must manually run 'dpkg --configure -a' to correct the problem. \n", "stdout": "", "stdout_lines": []}

NO MORE HOSTS LEFT *************************************************************
    to retry, use: --limit @playbooks/streisand.retry

PLAY RECAP *********************************************************************
xxx.xxx.xxx.xxx              : ok=42   changed=6    unreachable=0    failed=1

ovizii commented 8 years ago

Hm, seems an apt-get install got stuck; I had to fix it with dpkg. The last run seems the most successful so far:

PLAY RECAP *********************************************************************
xxx.xxx.xxx.xxx              : ok=60   changed=22   unreachable=0    failed=1

The errors I see in red on my MacBook:

TASK [l2tp-ipsec : Apply the sysctl values] ************************************
failed: [xxx.xxx.xxx.xxx] => (item={u'key': u'kernel.sysrq', u'value': 0}) => {"failed": true, "item": {"key": "kernel.sysrq", "value": 0}, "msg": "Failed to reload sysctl: net.ipv4.ip_forward = 1\nsysctl: setting key \"kernel.sysrq\": Read-only file system\n"}
failed: [xxx.xxx.xxx.xxx] => (item={u'key': u'kernel.core_uses_pid', u'value': 1}) => {"failed": true, "item": {"key": "kernel.core_uses_pid", "value": 1}, "msg": "Failed to reload sysctl: net.ipv4.ip_forward = 1\nsysctl: setting key \"kernel.sysrq\": Read-only file system\nsysctl: setting key \"kernel.core_uses_pid\": Read-only file system\n"}
failed: [xxx.xxx.xxx.xxx] => (item={u'key': u'net.ipv4.tcp_syncookies', u'value': 1}) => {"failed": true, "item": {"key": "net.ipv4.tcp_syncookies", "value": 1}, "msg": "Failed to reload sysctl: net.ipv4.ip_forward = 1\nsysctl: setting key \"kernel.sysrq\": Read-only file system\nsysctl: setting key \"kernel.core_uses_pid\": Read-only file system\nsysctl: cannot stat /proc/sys/net/ipv4/tcp_syncookies: No such file or directory\n"}
failed: [xxx.xxx.xxx.xxx] => (item={u'key': u'kernel.msgmnb', u'value': 65536}) => {"failed": true, "item": {"key": "kernel.msgmnb", "value": 65536}, "msg": "Failed to reload sysctl: net.ipv4.ip_forward = 1\nsysctl: setting key \"kernel.sysrq\": Read-only file system\nsysctl: setting key \"kernel.core_uses_pid\": Read-only file system\nsysctl: cannot stat /proc/sys/net/ipv4/tcp_syncookies: No such file or directory\nsysctl: setting key \"kernel.msgmnb\": Read-only file system\n"}
failed: [xxx.xxx.xxx.xxx] => (item={u'key': u'kernel.msgmax', u'value': 65536}) => {"failed": true, "item": {"key": "kernel.msgmax", "value": 65536}, "msg": "Failed to reload sysctl: net.ipv4.ip_forward = 1\nsysctl: setting key \"kernel.sysrq\": Read-only file system\nsysctl: setting key \"kernel.core_uses_pid\": Read-only file system\nsysctl: cannot stat /proc/sys/net/ipv4/tcp_syncookies: No such file or directory\nsysctl: setting key \"kernel.msgmnb\": Read-only file system\nsysctl: setting key \"kernel.msgmax\": Read-only file system\n"}
failed: [xxx.xxx.xxx.xxx] => (item={u'key': u'kernel.shmmax', u'value': 68719476736}) => {"failed": true, "item": {"key": "kernel.shmmax", "value": 68719476736}, "msg": "Failed to reload sysctl: net.ipv4.ip_forward = 1\nsysctl: setting key \"kernel.sysrq\": Read-only file system\nsysctl: setting key \"kernel.core_uses_pid\": Read-only file system\nsysctl: cannot stat /proc/sys/net/ipv4/tcp_syncookies: No such file or directory\nsysctl: setting key \"kernel.msgmnb\": Read-only file system\nsysctl: setting key \"kernel.msgmax\": Read-only file system\nsysctl: setting key \"kernel.shmmax\": Read-only file system\n"}
failed: [xxx.xxx.xxx.xxx] => (item={u'key': u'kernel.shmall', u'value': 4294967296}) => {"failed": true, "item": {"key": "kernel.shmall", "value": 4294967296}, "msg": "Failed to reload sysctl: net.ipv4.ip_forward = 1\nsysctl: setting key \"kernel.sysrq\": Read-only file system\nsysctl: setting key \"kernel.core_uses_pid\": Read-only file system\nsysctl: cannot stat /proc/sys/net/ipv4/tcp_syncookies: No such file or directory\nsysctl: setting key \"kernel.msgmnb\": Read-only file system\nsysctl: setting key \"kernel.msgmax\": Read-only file system\nsysctl: setting key \"kernel.shmmax\": Read-only file system\nsysctl: setting key \"kernel.shmall\": Read-only file system\n"}
ok: [xxx.xxx.xxx.xxx] => (item={u'key': u'net.ipv4.ip_forward', u'value': 1})
failed: [xxx.xxx.xxx.xxx] => (item={u'key': u'net.ipv4.conf.all.accept_source_route', u'value': 0}) => {"failed": true, "item": {"key": "net.ipv4.conf.all.accept_source_route", "value": 0}, "msg": "Failed to reload sysctl: net.ipv4.ip_forward = 1\nnet.ipv4.conf.all.accept_source_route = 0\nsysctl: setting key \"kernel.sysrq\": Read-only file system\nsysctl: setting key \"kernel.core_uses_pid\": Read-only file system\nsysctl: cannot stat /proc/sys/net/ipv4/tcp_syncookies: No such file or directory\nsysctl: setting key \"kernel.msgmnb\": Read-only file system\nsysctl: setting key \"kernel.msgmax\": Read-only file system\nsysctl: setting key \"kernel.shmmax\": Read-only file system\nsysctl: setting key \"kernel.shmall\": Read-only file system\n"}
failed: [xxx.xxx.xxx.xxx] => (item={u'key': u'net.ipv4.conf.default.accept_source_route', u'value': 0}) => {"failed": true, "item": {"key": "net.ipv4.conf.default.accept_source_route", "value": 0}, "msg": "Failed to reload sysctl: net.ipv4.ip_forward = 1\nnet.ipv4.conf.all.accept_source_route = 0\nnet.ipv4.conf.default.accept_source_route = 0\nsysctl: setting key \"kernel.sysrq\": Read-only file system\nsysctl: setting key \"kernel.core_uses_pid\": Read-only file system\nsysctl: cannot stat /proc/sys/net/ipv4/tcp_syncookies: No such file or directory\nsysctl: setting key \"kernel.msgmnb\": Read-only file system\nsysctl: setting key \"kernel.msgmax\": Read-only file system\nsysctl: setting key \"kernel.shmmax\": Read-only file system\nsysctl: setting key \"kernel.shmall\": Read-only file system\n"}
failed: [xxx.xxx.xxx.xxx] => (item={u'key': u'net.ipv4.conf.all.log_martians', u'value': 1}) => {"failed": true, "item": {"key": "net.ipv4.conf.all.log_martians", "value": 1}, "msg": "Failed to reload sysctl: net.ipv4.ip_forward = 1\nnet.ipv4.conf.all.accept_source_route = 0\nnet.ipv4.conf.default.accept_source_route = 0\nnet.ipv4.conf.all.log_martians = 1\nsysctl: setting key \"kernel.sysrq\": Read-only file system\nsysctl: setting key \"kernel.core_uses_pid\": Read-only file system\nsysctl: cannot stat /proc/sys/net/ipv4/tcp_syncookies: No such file or directory\nsysctl: setting key \"kernel.msgmnb\": Read-only file system\nsysctl: setting key \"kernel.msgmax\": Read-only file system\nsysctl: setting key \"kernel.shmmax\": Read-only file system\nsysctl: setting key \"kernel.shmall\": Read-only file system\n"}
failed: [xxx.xxx.xxx.xxx] => (item={u'key': u'net.ipv4.conf.default.log_martians', u'value': 1}) => {"failed": true, "item": {"key": "net.ipv4.conf.default.log_martians", "value": 1}, "msg": "Failed to reload sysctl: net.ipv4.ip_forward = 1\nnet.ipv4.conf.all.accept_source_route = 0\nnet.ipv4.conf.default.accept_source_route = 0\nnet.ipv4.conf.all.log_martians = 1\nnet.ipv4.conf.default.log_martians = 1\nsysctl: setting key \"kernel.sysrq\": Read-only file system\nsysctl: setting key \"kernel.core_uses_pid\": Read-only file system\nsysctl: cannot stat /proc/sys/net/ipv4/tcp_syncookies: No such file or directory\nsysctl: setting key \"kernel.msgmnb\": Read-only file system\nsysctl: setting key \"kernel.msgmax\": Read-only file system\nsysctl: setting key \"kernel.shmmax\": Read-only file system\nsysctl: setting key \"kernel.shmall\": Read-only file system\n"}
failed: [xxx.xxx.xxx.xxx] => (item={u'key': u'net.ipv4.conf.all.accept_redirects', u'value': 0}) => {"failed": true, "item": {"key": "net.ipv4.conf.all.accept_redirects", "value": 0}, "msg": "Failed to reload sysctl: net.ipv4.ip_forward = 1\nnet.ipv4.conf.all.accept_source_route = 0\nnet.ipv4.conf.default.accept_source_route = 0\nnet.ipv4.conf.all.log_martians = 1\nnet.ipv4.conf.default.log_martians = 1\nnet.ipv4.conf.all.accept_redirects = 0\nsysctl: setting key \"kernel.sysrq\": Read-only file system\nsysctl: setting key \"kernel.core_uses_pid\": Read-only file system\nsysctl: cannot stat /proc/sys/net/ipv4/tcp_syncookies: No such file or directory\nsysctl: setting key \"kernel.msgmnb\": Read-only file system\nsysctl: setting key \"kernel.msgmax\": Read-only file system\nsysctl: setting key \"kernel.shmmax\": Read-only file system\nsysctl: setting key \"kernel.shmall\": Read-only file system\n"}
failed: [xxx.xxx.xxx.xxx] => (item={u'key': u'net.ipv4.conf.default.accept_redirects', u'value': 0}) => {"failed": true, "item": {"key": "net.ipv4.conf.default.accept_redirects", "value": 0}, "msg": "Failed to reload sysctl: net.ipv4.ip_forward = 1\nnet.ipv4.conf.all.accept_source_route = 0\nnet.ipv4.conf.default.accept_source_route = 0\nnet.ipv4.conf.all.log_martians = 1\nnet.ipv4.conf.default.log_martians = 1\nnet.ipv4.conf.all.accept_redirects = 0\nnet.ipv4.conf.default.accept_redirects = 0\nsysctl: setting key \"kernel.sysrq\": Read-only file system\nsysctl: setting key \"kernel.core_uses_pid\": Read-only file system\nsysctl: cannot stat /proc/sys/net/ipv4/tcp_syncookies: No such file or directory\nsysctl: setting key \"kernel.msgmnb\": Read-only file system\nsysctl: setting key \"kernel.msgmax\": Read-only file system\nsysctl: setting key \"kernel.shmmax\": Read-only file system\nsysctl: setting key \"kernel.shmall\": Read-only file system\n"}
failed: [xxx.xxx.xxx.xxx] => (item={u'key': u'net.ipv4.conf.all.send_redirects', u'value': 0}) => {"failed": true, "item": {"key": "net.ipv4.conf.all.send_redirects", "value": 0}, "msg": "Failed to reload sysctl: net.ipv4.ip_forward = 1\nnet.ipv4.conf.all.accept_source_route = 0\nnet.ipv4.conf.default.accept_source_route = 0\nnet.ipv4.conf.all.log_martians = 1\nnet.ipv4.conf.default.log_martians = 1\nnet.ipv4.conf.all.accept_redirects = 0\nnet.ipv4.conf.default.accept_redirects = 0\nnet.ipv4.conf.all.send_redirects = 0\nsysctl: setting key \"kernel.sysrq\": Read-only file system\nsysctl: setting key \"kernel.core_uses_pid\": Read-only file system\nsysctl: cannot stat /proc/sys/net/ipv4/tcp_syncookies: No such file or directory\nsysctl: setting key \"kernel.msgmnb\": Read-only file system\nsysctl: setting key \"kernel.msgmax\": Read-only file system\nsysctl: setting key \"kernel.shmmax\": Read-only file system\nsysctl: setting key \"kernel.shmall\": Read-only file system\n"}
failed: [xxx.xxx.xxx.xxx] => (item={u'key': u'net.ipv4.conf.default.send_redirects', u'value': 0}) => {"failed": true, "item": {"key": "net.ipv4.conf.default.send_redirects", "value": 0}, "msg": "Failed to reload sysctl: net.ipv4.ip_forward = 1\nnet.ipv4.conf.all.accept_source_route = 0\nnet.ipv4.conf.default.accept_source_route = 0\nnet.ipv4.conf.all.log_martians = 1\nnet.ipv4.conf.default.log_martians = 1\nnet.ipv4.conf.all.accept_redirects = 0\nnet.ipv4.conf.default.accept_redirects = 0\nnet.ipv4.conf.all.send_redirects = 0\nnet.ipv4.conf.default.send_redirects = 0\nsysctl: setting key \"kernel.sysrq\": Read-only file system\nsysctl: setting key \"kernel.core_uses_pid\": Read-only file system\nsysctl: cannot stat /proc/sys/net/ipv4/tcp_syncookies: No such file or directory\nsysctl: setting key \"kernel.msgmnb\": Read-only file system\nsysctl: setting key \"kernel.msgmax\": Read-only file system\nsysctl: setting key \"kernel.shmmax\": Read-only file system\nsysctl: setting key \"kernel.shmall\": Read-only file system\n"}
failed: [xxx.xxx.xxx.xxx] => (item={u'key': u'net.ipv4.conf.all.rp_filter', u'value': 0}) => {"failed": true, "item": {"key": "net.ipv4.conf.all.rp_filter", "value": 0}, "msg": "Failed to reload sysctl: net.ipv4.ip_forward = 1\nnet.ipv4.conf.all.accept_source_route = 0\nnet.ipv4.conf.default.accept_source_route = 0\nnet.ipv4.conf.all.log_martians = 1\nnet.ipv4.conf.default.log_martians = 1\nnet.ipv4.conf.all.accept_redirects = 0\nnet.ipv4.conf.default.accept_redirects = 0\nnet.ipv4.conf.all.send_redirects = 0\nnet.ipv4.conf.default.send_redirects = 0\nnet.ipv4.conf.all.rp_filter = 0\nsysctl: setting key \"kernel.sysrq\": Read-only file system\nsysctl: setting key \"kernel.core_uses_pid\": Read-only file system\nsysctl: cannot stat /proc/sys/net/ipv4/tcp_syncookies: No such file or directory\nsysctl: setting key \"kernel.msgmnb\": Read-only file system\nsysctl: setting key \"kernel.msgmax\": Read-only file system\nsysctl: setting key \"kernel.shmmax\": Read-only file system\nsysctl: setting key \"kernel.shmall\": Read-only file system\n"}
failed: [xxx.xxx.xxx.xxx] => (item={u'key': u'net.ipv4.conf.default.rp_filter', u'value': 0}) => {"failed": true, "item": {"key": "net.ipv4.conf.default.rp_filter", "value": 0}, "msg": "Failed to reload sysctl: net.ipv4.ip_forward = 1\nnet.ipv4.conf.all.accept_source_route = 0\nnet.ipv4.conf.default.accept_source_route = 0\nnet.ipv4.conf.all.log_martians = 1\nnet.ipv4.conf.default.log_martians = 1\nnet.ipv4.conf.all.accept_redirects = 0\nnet.ipv4.conf.default.accept_redirects = 0\nnet.ipv4.conf.all.send_redirects = 0\nnet.ipv4.conf.default.send_redirects = 0\nnet.ipv4.conf.all.rp_filter = 0\nnet.ipv4.conf.default.rp_filter = 0\nsysctl: setting key \"kernel.sysrq\": Read-only file system\nsysctl: setting key \"kernel.core_uses_pid\": Read-only file system\nsysctl: cannot stat /proc/sys/net/ipv4/tcp_syncookies: No such file or directory\nsysctl: setting key \"kernel.msgmnb\": Read-only file system\nsysctl: setting key \"kernel.msgmax\": Read-only file system\nsysctl: setting key \"kernel.shmmax\": Read-only file system\nsysctl: setting key \"kernel.shmall\": Read-only file system\n"}
failed: [xxx.xxx.xxx.xxx] => (item={u'key': u'net.ipv4.icmp_echo_ignore_broadcasts', u'value': 1}) => {"failed": true, "item": {"key": "net.ipv4.icmp_echo_ignore_broadcasts", "value": 1}, "msg": "Failed to reload sysctl: net.ipv4.ip_forward = 1\nnet.ipv4.conf.all.accept_source_route = 0\nnet.ipv4.conf.default.accept_source_route = 0\nnet.ipv4.conf.all.log_martians = 1\nnet.ipv4.conf.default.log_martians = 1\nnet.ipv4.conf.all.accept_redirects = 0\nnet.ipv4.conf.default.accept_redirects = 0\nnet.ipv4.conf.all.send_redirects = 0\nnet.ipv4.conf.default.send_redirects = 0\nnet.ipv4.conf.all.rp_filter = 0\nnet.ipv4.conf.default.rp_filter = 0\nnet.ipv4.icmp_echo_ignore_broadcasts = 1\nsysctl: setting key \"kernel.sysrq\": Read-only file system\nsysctl: setting key \"kernel.core_uses_pid\": Read-only file system\nsysctl: cannot stat /proc/sys/net/ipv4/tcp_syncookies: No such file or directory\nsysctl: setting key \"kernel.msgmnb\": Read-only file system\nsysctl: setting key \"kernel.msgmax\": Read-only file system\nsysctl: setting key \"kernel.shmmax\": Read-only file system\nsysctl: setting key \"kernel.shmall\": Read-only file system\n"}
failed: [xxx.xxx.xxx.xxx] => (item={u'key': u'net.ipv4.icmp_ignore_bogus_error_responses', u'value': 1}) => {"failed": true, "item": {"key": "net.ipv4.icmp_ignore_bogus_error_responses", "value": 1}, "msg": "Failed to reload sysctl: net.ipv4.ip_forward = 1\nnet.ipv4.conf.all.accept_source_route = 0\nnet.ipv4.conf.default.accept_source_route = 0\nnet.ipv4.conf.all.log_martians = 1\nnet.ipv4.conf.default.log_martians = 1\nnet.ipv4.conf.all.accept_redirects = 0\nnet.ipv4.conf.default.accept_redirects = 0\nnet.ipv4.conf.all.send_redirects = 0\nnet.ipv4.conf.default.send_redirects = 0\nnet.ipv4.conf.all.rp_filter = 0\nnet.ipv4.conf.default.rp_filter = 0\nnet.ipv4.icmp_echo_ignore_broadcasts = 1\nnet.ipv4.icmp_ignore_bogus_error_responses = 1\nsysctl: setting key \"kernel.sysrq\": Read-only file system\nsysctl: setting key \"kernel.core_uses_pid\": Read-only file system\nsysctl: cannot stat /proc/sys/net/ipv4/tcp_syncookies: No such file or directory\nsysctl: setting key \"kernel.msgmnb\": Read-only file system\nsysctl: setting key \"kernel.msgmax\": Read-only file system\nsysctl: setting key \"kernel.shmmax\": Read-only file system\nsysctl: setting key \"kernel.shmall\": Read-only file system\n"}
failed: [xxx.xxx.xxx.xxx] => (item={u'key': u'net.ipv4.conf.all.secure_redirects', u'value': 0}) => {"failed": true, "item": {"key": "net.ipv4.conf.all.secure_redirects", "value": 0}, "msg": "Failed to reload sysctl: net.ipv4.ip_forward = 1\nnet.ipv4.conf.all.accept_source_route = 0\nnet.ipv4.conf.default.accept_source_route = 0\nnet.ipv4.conf.all.log_martians = 1\nnet.ipv4.conf.default.log_martians = 1\nnet.ipv4.conf.all.accept_redirects = 0\nnet.ipv4.conf.default.accept_redirects = 0\nnet.ipv4.conf.all.send_redirects = 0\nnet.ipv4.conf.default.send_redirects = 0\nnet.ipv4.conf.all.rp_filter = 0\nnet.ipv4.conf.default.rp_filter = 0\nnet.ipv4.icmp_echo_ignore_broadcasts = 1\nnet.ipv4.icmp_ignore_bogus_error_responses = 1\nnet.ipv4.conf.all.secure_redirects = 0\nsysctl: setting key \"kernel.sysrq\": Read-only file system\nsysctl: setting key \"kernel.core_uses_pid\": Read-only file system\nsysctl: cannot stat /proc/sys/net/ipv4/tcp_syncookies: No such file or directory\nsysctl: setting key \"kernel.msgmnb\": Read-only file system\nsysctl: setting key \"kernel.msgmax\": Read-only file system\nsysctl: setting key \"kernel.shmmax\": Read-only file system\nsysctl: setting key \"kernel.shmall\": Read-only file system\n"}
failed: [xxx.xxx.xxx.xxx] => (item={u'key': u'net.ipv4.conf.default.secure_redirects', u'value': 0}) => {"failed": true, "item": {"key": "net.ipv4.conf.default.secure_redirects", "value": 0}, "msg": "Failed to reload sysctl: net.ipv4.ip_forward = 1\nnet.ipv4.conf.all.accept_source_route = 0\nnet.ipv4.conf.default.accept_source_route = 0\nnet.ipv4.conf.all.log_martians = 1\nnet.ipv4.conf.default.log_martians = 1\nnet.ipv4.conf.all.accept_redirects = 0\nnet.ipv4.conf.default.accept_redirects = 0\nnet.ipv4.conf.all.send_redirects = 0\nnet.ipv4.conf.default.send_redirects = 0\nnet.ipv4.conf.all.rp_filter = 0\nnet.ipv4.conf.default.rp_filter = 0\nnet.ipv4.icmp_echo_ignore_broadcasts = 1\nnet.ipv4.icmp_ignore_bogus_error_responses = 1\nnet.ipv4.conf.all.secure_redirects = 0\nnet.ipv4.conf.default.secure_redirects = 0\nsysctl: setting key \"kernel.sysrq\": Read-only file system\nsysctl: setting key \"kernel.core_uses_pid\": Read-only file system\nsysctl: cannot stat /proc/sys/net/ipv4/tcp_syncookies: No such file or directory\nsysctl: setting key \"kernel.msgmnb\": Read-only file system\nsysctl: setting key \"kernel.msgmax\": Read-only file system\nsysctl: setting key \"kernel.shmmax\": Read-only file system\nsysctl: setting key \"kernel.shmall\": Read-only file system\n"}
failed: [xxx.xxx.xxx.xxx] => (item={u'key': u'kernel.randomize_va_space', u'value': 1}) => {"failed": true, "item": {"key": "kernel.randomize_va_space", "value": 1}, "msg": "Failed to reload sysctl: net.ipv4.ip_forward = 1\nnet.ipv4.conf.all.accept_source_route = 0\nnet.ipv4.conf.default.accept_source_route = 0\nnet.ipv4.conf.all.log_martians = 1\nnet.ipv4.conf.default.log_martians = 1\nnet.ipv4.conf.all.accept_redirects = 0\nnet.ipv4.conf.default.accept_redirects = 0\nnet.ipv4.conf.all.send_redirects = 0\nnet.ipv4.conf.default.send_redirects = 0\nnet.ipv4.conf.all.rp_filter = 0\nnet.ipv4.conf.default.rp_filter = 0\nnet.ipv4.icmp_echo_ignore_broadcasts = 1\nnet.ipv4.icmp_ignore_bogus_error_responses = 1\nnet.ipv4.conf.all.secure_redirects = 0\nnet.ipv4.conf.default.secure_redirects = 0\nsysctl: setting key \"kernel.sysrq\": Read-only file system\nsysctl: setting key \"kernel.core_uses_pid\": Read-only file system\nsysctl: cannot stat /proc/sys/net/ipv4/tcp_syncookies: No such file or directory\nsysctl: setting key \"kernel.msgmnb\": Read-only file system\nsysctl: setting key \"kernel.msgmax\": Read-only file system\nsysctl: setting key \"kernel.shmmax\": Read-only file system\nsysctl: setting key \"kernel.shmall\": Read-only file system\nsysctl: setting key \"kernel.randomize_va_space\": Read-only file system\n"}
failed: [xxx.xxx.xxx.xxx] => (item={u'key': u'net.core.wmem_max', u'value': 12582912}) => {"failed": true, "item": {"key": "net.core.wmem_max", "value": 12582912}, "msg": "Failed to reload sysctl: net.ipv4.ip_forward = 1\nnet.ipv4.conf.all.accept_source_route = 0\nnet.ipv4.conf.default.accept_source_route = 0\nnet.ipv4.conf.all.log_martians = 1\nnet.ipv4.conf.default.log_martians = 1\nnet.ipv4.conf.all.accept_redirects = 0\nnet.ipv4.conf.default.accept_redirects = 0\nnet.ipv4.conf.all.send_redirects = 0\nnet.ipv4.conf.default.send_redirects = 0\nnet.ipv4.conf.all.rp_filter = 0\nnet.ipv4.conf.default.rp_filter = 0\nnet.ipv4.icmp_echo_ignore_broadcasts = 1\nnet.ipv4.icmp_ignore_bogus_error_responses = 1\nnet.ipv4.conf.all.secure_redirects = 0\nnet.ipv4.conf.default.secure_redirects = 0\nsysctl: setting key \"kernel.sysrq\": Read-only file system\nsysctl: setting key \"kernel.core_uses_pid\": Read-only file system\nsysctl: cannot stat /proc/sys/net/ipv4/tcp_syncookies: No such file or directory\nsysctl: setting key \"kernel.msgmnb\": Read-only file system\nsysctl: setting key \"kernel.msgmax\": Read-only file system\nsysctl: setting key \"kernel.shmmax\": Read-only file system\nsysctl: setting key \"kernel.shmall\": Read-only file system\nsysctl: setting key \"kernel.randomize_va_space\": Read-only file system\nsysctl: cannot stat /proc/sys/net/core/wmem_max: No such file or directory\n"}
failed: [xxx.xxx.xxx.xxx] => (item={u'key': u'net.core.rmem_max', u'value': 12582912}) => {"failed": true, "item": {"key": "net.core.rmem_max", "value": 12582912}, "msg": "Failed to reload sysctl: net.ipv4.ip_forward = 1\nnet.ipv4.conf.all.accept_source_route = 0\nnet.ipv4.conf.default.accept_source_route = 0\nnet.ipv4.conf.all.log_martians = 1\nnet.ipv4.conf.default.log_martians = 1\nnet.ipv4.conf.all.accept_redirects = 0\nnet.ipv4.conf.default.accept_redirects = 0\nnet.ipv4.conf.all.send_redirects = 0\nnet.ipv4.conf.default.send_redirects = 0\nnet.ipv4.conf.all.rp_filter = 0\nnet.ipv4.conf.default.rp_filter = 0\nnet.ipv4.icmp_echo_ignore_broadcasts = 1\nnet.ipv4.icmp_ignore_bogus_error_responses = 1\nnet.ipv4.conf.all.secure_redirects = 0\nnet.ipv4.conf.default.secure_redirects = 0\nsysctl: setting key \"kernel.sysrq\": Read-only file system\nsysctl: setting key \"kernel.core_uses_pid\": Read-only file system\nsysctl: cannot stat /proc/sys/net/ipv4/tcp_syncookies: No such file or directory\nsysctl: setting key \"kernel.msgmnb\": Read-only file system\nsysctl: setting key \"kernel.msgmax\": Read-only file system\nsysctl: setting key \"kernel.shmmax\": Read-only file system\nsysctl: setting key \"kernel.shmall\": Read-only file system\nsysctl: setting key \"kernel.randomize_va_space\": Read-only file system\nsysctl: cannot stat /proc/sys/net/core/wmem_max: No such file or directory\nsysctl: cannot stat /proc/sys/net/core/rmem_max: No such file or directory\n"}

ovizii commented 8 years ago

Next run, 1 fail again:

TASK [openvpn : Restart OpenVPN so the 10.8.0.0 interface is available to dnsmasq] ***
fatal: [xxx.xxx.xxx.xxx]: FAILED! => {"changed": false, "failed": true, "msg": "Stopping virtual private network daemon:.\nStarting virtual private network daemon: server failed!\n"}

NO MORE HOSTS LEFT *************************************************************
    to retry, use: --limit @playbooks/streisand.retry

PLAY RECAP *********************************************************************
xxx.xxx.xxx.xxx              : ok=93   changed=40   unreachable=0    failed=1

ovizii commented 8 years ago

Last try, about to give up:

TASK [openvpn : Restart OpenVPN so the 10.8.0.0 interface is available to dnsmasq] ***
fatal: [xxx.xxx.xxx.xxx]: FAILED! => {"changed": false, "failed": true, "msg": "Stopping virtual private network daemon:.\nStarting virtual private network daemon: server failed!\n"}

NO MORE HOSTS LEFT *************************************************************
    to retry, use: --limit @playbooks/streisand.retry

PLAY RECAP *********************************************************************
xxx.xxx.xxx.xxx              : ok=92   changed=21   unreachable=0    failed=1

ovizii commented 8 years ago

I would appreciate some help; every time I run this I get a different error:

TASK [openvpn : Create the client configuration profiles that will be used when connecting via stunnel] ***
fatal: [xxx.xxx.xxx.xxx]: FAILED! => {"failed": true, "msg": "failed to resolve remote temporary directory from ansible-tmp-1457344102.85-62527186595959: `mkdir -p \"` echo $HOME/.ansible/tmp/ansible-tmp-1457344102.85-62527186595959 `\" && echo \"` echo $HOME/.ansible/tmp/ansible-tmp-1457344102.85-62527186595959 `\"` returned empty string"}

NO MORE HOSTS LEFT *************************************************************
    to retry, use: --limit @playbooks/streisand.retry

PLAY RECAP *********************************************************************
xxx.xxx.xxx.xxx              : ok=87   changed=18   unreachable=0    failed=1

jlund commented 8 years ago

You are running the playbook on Debian 8, which is an unsupported distribution with many known issues that are seriously problematic--particularly with the OpenVPN daemon and systemd. I also ran into that same error when I explored using Debian 8 as the base foundation to replace Debian 7. You are then further increasing the difficulty by adding local virtualization and LXC into the mix.

I think it's cool to try new stuff, and these types of experiments will prove helpful when I reevaluate whether Debian 8 or Ubuntu 16.04 will become the new foundation, but you need to be using Ubuntu 14.04 right now if you want everything to work out of the box. That's why I added the "probably going to fail" warning to the playbook that gets displayed and pauses execution every single time the playbook is run on an unsupported distribution. Even on Ubuntu 14.04, things might not work well inside an LXC container. I have never tried that before.

I appreciate the feedback. I'm really sorry if this has been frustrating, but you're doing several unconventional things :)

jlund commented 8 years ago

Looking again, the sysctl failures are almost certainly due to processes inside of the LXC container being restricted from modifying those values for security purposes. The same thing happens inside a Docker container unless the container is started with a special flag that essentially removes almost all process isolation. Maybe the same thing is possible with LXC?

Here's the simplest path forward:

ovizii commented 8 years ago

Hey, thanks for the feedback and yes, I was well aware of your warning. I was just looking for confirmation that I wasn't doing anything wrong besides not using the suggested OS :-)

I'll give it another try on an Ubuntu 14.04 LXC container (as in running it on my MacBook installing on an LXC container)

Yes, there is a way to make a container unconstrained with the following option: lxc.aa_profile: unconfined. But I'll try without that flag first and report back.
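The following is an added example, written by the editor of this page and not code from the Streisand project or from anyone in this thread. It takes jlund's explanation of the sysctl failures (the container is not allowed to write those kernel keys) and the two distinct error texts visible in the log above, "Read-only file system" and "No such file or directory", and turns them into something a practitioner can act on: a parser that sorts the sysctl module's `msg` dump into applied, read-only and missing keys, and a pre-flight probe that checks which keys under `/proc/sys` the container can actually set, so the playbook can skip the rest instead of dropping the container's confinement (the `lxc.aa_profile: unconfined` route ovizii mentions) to force them through. The sample message, the regular expressions, and the helper names (`classify_sysctl_output`, `preflight`, `split_for_playbook`, `make_fake_proc_sys`) are all this example's own; the `os.access(..., os.W_OK)` probe is a heuristic that relies on the kernel returning EROFS for read-only mounts.

```python
# Added example (not Streisand project code): classify the sysctl failures
# reported by the Ansible sysctl module and pre-flight a key list before
# trying to apply it inside a container.
import os
import re
import tempfile

# Constructed sample: a shortened copy of the "msg" text the sysctl module
# reported in this issue (the real messages repeat the same lines per item).
SAMPLE_MSG = (
    "Failed to reload sysctl: net.ipv4.ip_forward = 1\n"
    "net.ipv4.conf.all.accept_source_route = 0\n"
    'sysctl: setting key "kernel.sysrq": Read-only file system\n'
    'sysctl: setting key "kernel.core_uses_pid": Read-only file system\n'
    "sysctl: cannot stat /proc/sys/net/ipv4/tcp_syncookies: No such file or directory\n"
    "sysctl: cannot stat /proc/sys/net/core/wmem_max: No such file or directory\n"
)

# Patterns for the three kinds of line sysctl(8) prints (this example's own).
READ_ONLY_RE = re.compile(r'sysctl: setting key "([^"]+)": Read-only file system')
MISSING_RE = re.compile(r"sysctl: cannot stat /proc/sys/(\S+): No such file or directory")
APPLIED_RE = re.compile(r"^([a-z0-9_.]+) = (\S+)$", re.MULTILINE)


def classify_sysctl_output(msg):
    """Split a sysctl error dump into applied, read-only and missing keys.

    "Read-only file system" means the key exists but the container's view of
    /proc/sys is mounted read-only; "No such file or directory" means the
    kernel does not expose that key in the container's namespace at all.
    """
    body = msg.replace("Failed to reload sysctl: ", "", 1)
    return {
        "applied": dict(APPLIED_RE.findall(body)),
        "read_only": sorted(set(READ_ONLY_RE.findall(body))),
        "missing": sorted({p.replace("/", ".") for p in MISSING_RE.findall(body)}),
    }


def preflight(keys, proc_sys="/proc/sys"):
    """Probe each key under proc_sys before trying to set it.

    Returns {key: "ok" | "missing" | "read-only"}. os.access(W_OK) fails with
    EROFS for files on a read-only mount, which is how container runtimes
    commonly restrict /proc/sys for the processes inside them (heuristic).
    """
    status = {}
    for key in keys:
        path = os.path.join(proc_sys, *key.split("."))
        if not os.path.exists(path):
            status[key] = "missing"
        elif not os.access(path, os.W_OK):
            status[key] = "read-only"
        else:
            status[key] = "ok"
    return status


def split_for_playbook(keys, proc_sys="/proc/sys"):
    """Return (apply, skip): keys the task can set, and keys to leave alone
    with their reason, rather than loosening the container's confinement."""
    status = preflight(keys, proc_sys)
    apply = [k for k in keys if status[k] == "ok"]
    skip = {k: status[k] for k in keys if status[k] != "ok"}
    return apply, skip


def make_fake_proc_sys(values):
    """Build a throwaway /proc/sys look-alike for offline testing (constructed)."""
    root = tempfile.mkdtemp(prefix="fake-proc-sys-")
    for key, value in values.items():
        path = os.path.join(root, *key.split("."))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("%s\n" % value)
    return root


if __name__ == "__main__":
    summary = classify_sysctl_output(SAMPLE_MSG)
    print("applied  :", summary["applied"])
    print("read-only:", summary["read_only"])
    print("missing  :", summary["missing"])
    # Offline demo against a fake tree; on a real host pass nothing and the
    # probe looks at the live /proc/sys of the container it runs in.
    root = make_fake_proc_sys({"net.ipv4.ip_forward": 1})
    print(split_for_playbook(["net.ipv4.ip_forward", "kernel.sysrq"], root))
```

Run `preflight` on the target (for example through an Ansible `script` task) and feed the `apply` list to the sysctl task; the keys that come back `read-only` or `missing` are the ones the container runtime is deliberately withholding, and a playbook that skips them keeps the isolation the runtime provides instead of trading it away for a few hardening knobs the host already controls.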