ansible-collections / ansible-consul

:satellite: Ansible role for Hashicorp Consul clusters
https://galaxy.ansible.com/ansible-community/consul/
BSD 2-Clause "Simplified" License
457 stars 317 forks source link

dnsmasq regression #469

Open zllovesuki opened 2 years ago

zllovesuki commented 2 years ago

f5425ddff5853566991e3b72f380384ce021bc4e introduces regression with dnsmasq configuration (target hosts are Debian 11):

TASK [consul : Create Dnsmasq configuration] *****************************************************************************************************************************************
changed: [swarm5] => (item={'dest': '/etc/dnsmasq.d/10-consul', 'group': 'root', 'when': 'ansible_os_family|lower != "freebsd"'})
changed: [swarm1] => (item={'dest': '/etc/dnsmasq.d/10-consul', 'group': 'root', 'when': 'ansible_os_family|lower != "freebsd"'})
changed: [swarm0] => (item={'dest': '/etc/dnsmasq.d/10-consul', 'group': 'root', 'when': 'ansible_os_family|lower != "freebsd"'})
changed: [swarm2] => (item={'dest': '/etc/dnsmasq.d/10-consul', 'group': 'root', 'when': 'ansible_os_family|lower != "freebsd"'})
changed: [swarm4] => (item={'dest': '/etc/dnsmasq.d/10-consul', 'group': 'root', 'when': 'ansible_os_family|lower != "freebsd"'})
failed: [swarm5] (item={'dest': '/usr/local/etc/dnsmasq.d/consul.conf', 'group': 'wheel', 'when': 'ansible_os_family|lower == "freebsd"'}) => {"ansible_loop_var": "item", "changed": false, "checksum": "bc7eee12916de28288f07c04d49c6494a6d5e543", "item": {"dest": "/usr/local/etc/dnsmasq.d/consul.conf", "group": "wheel", "when": "ansible_os_family|lower == \"freebsd\""}, "msg": "Destination directory /usr/local/etc/dnsmasq.d does not exist"}
failed: [swarm1] (item={'dest': '/usr/local/etc/dnsmasq.d/consul.conf', 'group': 'wheel', 'when': 'ansible_os_family|lower == "freebsd"'}) => {"ansible_loop_var": "item", "changed": false, "checksum": "bc7eee12916de28288f07c04d49c6494a6d5e543", "item": {"dest": "/usr/local/etc/dnsmasq.d/consul.conf", "group": "wheel", "when": "ansible_os_family|lower == \"freebsd\""}, "msg": "Destination directory /usr/local/etc/dnsmasq.d does not exist"}
failed: [swarm0] (item={'dest': '/usr/local/etc/dnsmasq.d/consul.conf', 'group': 'wheel', 'when': 'ansible_os_family|lower == "freebsd"'}) => {"ansible_loop_var": "item", "changed": false, "checksum": "bc7eee12916de28288f07c04d49c6494a6d5e543", "item": {"dest": "/usr/local/etc/dnsmasq.d/consul.conf", "group": "wheel", "when": "ansible_os_family|lower == \"freebsd\""}, "msg": "Destination directory /usr/local/etc/dnsmasq.d does not exist"}
failed: [swarm2] (item={'dest': '/usr/local/etc/dnsmasq.d/consul.conf', 'group': 'wheel', 'when': 'ansible_os_family|lower == "freebsd"'}) => {"ansible_loop_var": "item", "changed": false, "checksum": "bc7eee12916de28288f07c04d49c6494a6d5e543", "item": {"dest": "/usr/local/etc/dnsmasq.d/consul.conf", "group": "wheel", "when": "ansible_os_family|lower == \"freebsd\""}, "msg": "Destination directory /usr/local/etc/dnsmasq.d does not exist"}
failed: [swarm4] (item={'dest': '/usr/local/etc/dnsmasq.d/consul.conf', 'group': 'wheel', 'when': 'ansible_os_family|lower == "freebsd"'}) => {"ansible_loop_var": "item", "changed": false, "checksum": "bc7eee12916de28288f07c04d49c6494a6d5e543", "item": {"dest": "/usr/local/etc/dnsmasq.d/consul.conf", "group": "wheel", "when": "ansible_os_family|lower == \"freebsd\""}, "msg": "Destination directory /usr/local/etc/dnsmasq.d does not exist"}

Running:

➜  ansible git:(main) ✗ ansible --version
ansible [core 2.12.2]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/rachel/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3/dist-packages/ansible
  ansible collection location = /home/rachel/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.8.10 (default, Nov 26 2021, 20:14:08) [GCC 9.3.0]
  jinja version = 2.10.1
  libyaml = True
➜  ansible git:(main) ✗ ansible-playbook --version
ansible-playbook [core 2.12.2]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/rachel/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3/dist-packages/ansible
  ansible collection location = /home/rachel/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible-playbook
  python version = 3.8.10 (default, Nov 26 2021, 20:14:08) [GCC 9.3.0]
  jinja version = 2.10.1
  libyaml = True

Vars:

consul_gather_server_facts: true
consul_data_path: /mirage/consul
consul_version: 1.11.4
consul_group_name: all
consul_iface: mirage0
consul_domain: mirage
consul_addresses_http: 0.0.0.0
consul_dnsmasq_enable: true
consul_dnsmasq_listen_addresses:
  - 127.0.0.1
consul_dnsmasq_servers:
  - 1.1.1.1
  - 1.0.0.1
ellie-idb commented 2 years ago

Found three other things wrong with that PR:

https://github.com/ansible-community/ansible-consul/blob/7106794ade97c26abbf9c319820cfcbbed5c9f57/tasks/dnsmasq.yml#L70 link_source should be lnk_source, and this shouldn't be wrapped in quotation marks as ATM it'll always evaluate as true

https://github.com/ansible-community/ansible-consul/blob/7106794ade97c26abbf9c319820cfcbbed5c9f57/tasks/dnsmasq.yml#L68-L70 Missing a check if resolv_dot_conf.stat.islnk is defined in the first place, which will make this fail outright if /etc/resolv.conf doesn't exist

https://github.com/ansible-community/ansible-consul/blob/7106794ade97c26abbf9c319820cfcbbed5c9f57/tasks/dnsmasq.yml#L62-L67 This should really be:

file:
  path: /etc/resolv.conf
  state: absent

as state: link creates or modifies the link, which is not what we want to do


Was this PR tested at all? I feel like these errors shouldn't have gone un-noticed like this.

xeroc commented 2 years ago

+1

robbixc commented 2 years ago

Since the module is removing the symlink between and systemd, shouldn't it also create a new static /etc/resolv.conf file with a nameserver pointing to the dnsmasq listen-address?

NOBLES5E commented 1 year ago

This bugs me

vitabaks commented 1 year ago

ERROR: src file does not exist

TASK [consul : Disable systemd-resolved service] ****************************************************************************************************************************************************************
changed: [172.31.15.62]
changed: [3.223.140.234]
changed: [172.31.5.27]

TASK [consul : Check if resolv.conf is pointing to systemd-resolved] ********************************************************************************************************************************************
ok: [172.31.15.62]
ok: [3.223.140.234]
ok: [172.31.5.27]

TASK [consul : Remove resolv.conf association with systemd-resolved] ********************************************************************************************************************************************
fatal: [3.223.140.234]: FAILED! => {"changed": false, "gid": 0, "group": "root", "mode": "0777", "msg": "src file does not exist, use \"force=yes\" if you really want to create the link: /run/resolvconf/resolv.conf", "owner": "root", "path": "/etc/resolv.conf", "size": 39, "src": "/run/resolvconf/resolv.conf", "state": "link", "uid": 0}
fatal: [172.31.15.62]: FAILED! => {"changed": false, "gid": 0, "group": "root", "mode": "0777", "msg": "src file does not exist, use \"force=yes\" if you really want to create the link: /run/resolvconf/resolv.conf", "owner": "root", "path": "/etc/resolv.conf", "size": 39, "src": "/run/resolvconf/resolv.conf", "state": "link", "uid": 0}
fatal: [172.31.5.27]: FAILED! => {"changed": false, "gid": 0, "group": "root", "mode": "0777", "msg": "src file does not exist, use \"force=yes\" if you really want to create the link: /run/resolvconf/resolv.conf", "owner": "root", "path": "/etc/resolv.conf", "size": 39, "src": "/run/resolvconf/resolv.conf", "state": "link", "uid": 0}

NO MORE HOSTS LEFT **********************************************************************************************************************************************************************************************

PLAY RECAP ******************************************************************************************************************************************************************************************************
172.31.15.62               : ok=48   changed=19   unreachable=0    failed=1    skipped=68   rescued=0    ignored=0   
172.31.5.27                : ok=54   changed=21   unreachable=0    failed=1    skipped=69   rescued=0    ignored=1   
3.223.140.234              : ok=48   changed=19   unreachable=0    failed=1    skipped=68   rescued=0    ignored=0   
localhost                  : ok=1    changed=0    unreachable=0    failed=0    skipped=2    rescued=0    ignored=0   

ubuntu@ip-172-31-5-27:~/postgresql_cluster$ ls -la /etc/resolv.conf
lrwxrwxrwx 1 root root 39 Dec  1 11:06 /etc/resolv.conf -> ../run/systemd/resolve/stub-resolv.conf
ubuntu@ip-172-31-5-27:~/postgresql_cluster$ ls -la /run/resolvconf/resolv.conf
ls: cannot access '/run/resolvconf/resolv.conf': No such file or directory
vitabaks commented 1 year ago

I rewrote the block to this form:

- name: Disable systemd-resolved
  when: ansible_service_mgr == "systemd"
  block:

    - name: Disable systemd-resolved service
      service:
        name: systemd-resolved
        enabled: false
        state: stopped
      become: true

    - name: Check if resolv.conf is pointing to systemd-resolved
      stat:
        path: /etc/resolv.conf
      register: resolv_dot_conf

    - block:
        - name: Remove resolv.conf association with systemd-resolved
          file:
            path: /etc/resolv.conf
            state: absent

        - name: Create /etc/resolv.conf
          file:
            path: /etc/resolv.conf
            state: touch
            owner: root
            group: root
            mode: u=rw,g=r,o=r

        - name: Add a nameserver entry poining to localhost for dnsmasq
          lineinfile:
            path: /etc/resolv.conf
            regexp: "^nameserver 127.0.0.1"
            line: "nameserver 127.0.0.1"
            unsafe_writes: true  # to prevent failures in CI
      become: true
      when:
        - resolv_dot_conf.stat.islnk is defined
        - resolv_dot_conf.stat.islnk
        - resolv_dot_conf.stat.lnk_source == "/run/systemd/resolve/stub-resolv.conf"

result:

ubuntu@source-pgnode02:~$ cat /etc/dnsmasq.d/10-consul
server=/consul/127.0.0.1#8600
server=8.8.8.8
server=8.8.4.4
ubuntu@source-pgnode02:~$ ls -la /etc/resolv.conf 
-rw-r--r-- 1 root root 21 Jan  4 19:22 /etc/resolv.conf
ubuntu@source-pgnode02:~$ 
ubuntu@source-pgnode02:~$ cat /etc/resolv.conf 
nameserver 127.0.0.1
ubuntu@source-pgnode02:~$ 
ubuntu@source-pgnode02:~$ dig +short master.patroni.service.consul SRV
1 1 6432 source-pgnode01.node.us-east-1d.consul.
vitabaks commented 1 year ago

PR https://github.com/ansible-community/ansible-consul/pull/519