ansibleguy / collection_opnsense

Ansible Collection to manage OPNSense firewalls using their API
https://opnsense.ansibleguy.net
GNU General Public License v3.0

Problem: Unable to see Key file when using via docker #66

Open Renderer6060 opened 7 months ago

Renderer6060 commented 7 months ago

Modules

NA

Version

stable

Ansible Version

stable

OPNSense Version

latest

OPNSense-Plugin Version

NA

Issue

Been plugging away at this for days and am just hitting a wall. I have a docker semaphore install. The requirements and such are all working fine, it just can't see the API key file.

For the purposes of testing this - the key file is in the same repo as the playbook

I have tried api_credential_file: '{{ playbook_dir }}/testkey.key' and api_credential_file: './testkey.key'.

All I want to do is get it to restart unbound and a few other services, but I'm having a right nightmare.

Config Ansible

- name: Restart Unbound on OpnSense Hosts
  hosts: "{{ hosts | default('all') }}"
  gather_facts: no
  module_defaults:
    group/ansibleguy.opnsense.all:
      firewall: "{{ ansible_host }}"
      api_credential_file: '{{ playbook_dir }}/testkey.key'

  tasks:
    - name: Restarting Unbound DNS service
      ansibleguy.opnsense.service:
        name: 'unbound'
        action: 'restart'

Config OPNSense

NA

Debug Output

FAILED! => {"changed": false, "msg": "Provided 'api_credential_file' at path '/tmp/semaphore/repository_1_29/playbooks/testing/testkey.key' does not exist!"}

Profiling Output

No response

superstes commented 7 months ago

Could you please show the file permissions on the key file? ls -l {{ playbook_dir }}/testkey.key

Is semaphore run as the root user?

The file-check is pretty straightforward: https://github.com/ansibleguy/collection_opnsense/blob/latest/plugins%2Fmodule_utils%2Fhelper%2Fapi.py#L17

As an alternative you could provide the API key/secret like this: https://opnsense.ansibleguy.net/en/latest/usage/2_basic.html#vault

Renderer6060 commented 7 months ago

What permissions are needed? I'll make sure it's set as such in the repo. I haven't specified a user for semaphore to run as in the compose file, so I presume it's root, yes.

ansibleguy commented 7 months ago

The executing user needs to be able to read the file. Nothing more. I'm not sure what the context inside the semaphore container is. But we simply:

I too am using these modules from a dockerized application, and it works for me.

Renderer6060 commented 7 months ago

Does the file have to exist on the server OS or can it be referenced to a file in the git repo?

Renderer6060 commented 7 months ago

> Could you please show the file permissions on the key file? ls -l {{ playbook_dir }}/testkey.key
>
> Is semaphore run as the root user?
>
> The file-check is pretty straightforward: https://github.com/ansibleguy/collection_opnsense/blob/latest/plugins%2Fmodule_utils%2Fhelper%2Fapi.py#L17
>
> As an alternative you could provide the API key/secret like this: https://opnsense.ansibleguy.net/en/latest/usage/2_basic.html#vault

Output of ls -al in the tmp dir within the docker container:

/tmp/semaphore/repository_1_29/playbooks/testing $ ls -al
total 20
drwxr-xr-x    3 semaphor root          4096 Mar 26 21:35 .
drwxr-xr-x   10 semaphor root          4096 Mar 26 21:18 ..
drwxr-xr-x    2 semaphor root          4096 Mar 26 21:18 collections
-rw-r--r--    1 semaphor root           391 Mar 26 21:35 restart-unbound.yaml
-rw-r--r--    1 semaphor root           173 Mar 26 21:35 test.key

So it can see the key, but the ansible logs show this when running:

fatal: [my.opnsense.host]: FAILED! => {"changed": false, "msg": "Provided 'api_credential_file' at path '/tmp/semaphore/repository_1_29/playbooks/testing/test.key' does not exist!"}

API key file content:

key=STRING
secret=STRING

This is now irrelevant; I have tried both and neither works.

Noob question about the keyfile: I created an API key in OPNsense, but it exports a .txt file, not a .key file. I just changed the file type to .key; is this correct? I couldn't find anything in the docs on how or where OPNsense generates a key file.

UPDATE: I have now tested .key and .txt file extensions; both have the same result. I have also tested having the .key/.txt file within the docker container as opposed to the repo, mounting it with 777 semaphore:root ownership (as is every working file and folder that my playbooks currently use), and the issue persists.

The API_KEY and API_SECRET work fine if passed as arguments in the playbook.

The same playbook when running a debug file check on a different file in the same repo (not using the opnsense collection) can see and parse the file correctly without issue.

I have tried variations of the below as the key path. Using the playbook git repo as the host of the file:

api_credential_file: './test.txt'
api_credential_file: '{{ playbook_dir }}/test.txt'
api_credential_file: '{{ pwd }}/test.txt'
api_credential_file: '/tmp/semaphore/repository_1_29/playbooks/testing/test.txt'

Using a file located directly in the container via a bind mount:

api_credential_file: '~/test.txt'
api_credential_file: '/home/semaphore/test.txt'

All yield variations of the same error:

fatal: [my.opnsense.host]: FAILED! => {"changed": false, "msg": "Provided 'api_credential_file' at path '/tmp/semaphore/repository_1_29/playbooks/testing/test.key' does not exist!"}

Semaphore doesn't use vaults in the same way ansible does natively, so that's not a viable option for a workaround, sadly. Besides, I like to have a file so I can rotate the keys every so often.

Aside from manually specifying api_secret and api_key, so far I have been unable to get this working at all, so any help is greatly appreciated. Happy to provide any further logs or debugging.
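Two questions run through the thread: how the module's process resolves the `api_credential_file` path (relative paths, `~`, the working directory inside the container) and whether the executing user can actually read it, plus what the `key=`/`secret=` file looks like. The script below is an added diagnostic, not code from the collection or from anyone in this issue; it reproduces that kind of pre-flight check from inside the same container and user the playbook runs as. How the collection's own parser treats the file is an assumption here, based only on the two-line format shown above.

```python
"""Pre-flight check for an OPNsense API credential file (added diagnostic,
not the ansibleguy.opnsense collection's own code)."""
import os
import pwd
from pathlib import Path


def resolve_path(raw, cwd=None):
    """Expand '~' and anchor relative paths at cwd (default: the process cwd),
    mirroring what a module would see when given './test.key' or '~/test.key'."""
    p = Path(os.path.expanduser(raw))
    if not p.is_absolute():
        p = Path(cwd or os.getcwd()) / p
    return Path(os.path.normpath(p))


def parse_credentials(text):
    """Parse 'key=VALUE' / 'secret=VALUE' lines (format assumed from the thread);
    blank lines and '#' comments are ignored, both fields are required."""
    creds = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        if '=' not in line:
            raise ValueError(f"line {lineno}: expected name=value")
        name, _, value = line.partition('=')
        creds[name.strip().lower()] = value.strip()
    missing = {'key', 'secret'} - creds.keys()
    if missing:
        raise ValueError(f"missing field(s): {', '.join(sorted(missing))}")
    return creds


def _user_name(uid):
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:  # uid without a passwd entry, common in containers
        return str(uid)


def check_credential_file(raw, cwd=None):
    """Report resolved path, existence, mode, owner and whether the *current*
    (effective) user can read it; field names are listed, values never printed."""
    path = resolve_path(raw, cwd)
    report = {'path': str(path), 'exists': path.exists(), 'readable': False,
              'user': _user_name(os.geteuid())}
    if report['exists']:
        st = path.stat()
        report['mode'] = oct(st.st_mode & 0o777)
        report['owner'] = _user_name(st.st_uid)
        report['readable'] = os.access(path, os.R_OK)
        if report['readable']:
            report['fields'] = sorted(parse_credentials(path.read_text()))
    return report
```

Run it inside the semaphore container with the same relative path the playbook uses, e.g. `python3 -c 'import diag; print(diag.check_credential_file("./test.key"))'` from the playbook directory; a `readable: False` with a differing `owner` and `user` points at permissions, while an unexpected `path` points at the working directory.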