anthcourtney / ansible-role-cis-amazon-linux

Ansible role to apply CIS Amazon Linux Benchmark v2.0.0
MIT License

unix socket connection error #55

Open ghost opened 5 years ago

ghost commented 5 years ago

Hello, general question. We are having issues when one of our tools is trying to connect to the socket /var/run/docker.sock when we have applied the playbook. Not 100% sure why it's not working right. It can be cURLed fine. The file has very liberal access, so it's not that. The issue only happens after the role has been applied.

Any idea what part of the role could have this impact?



```
2019-03-20 09:46:13,480 +0000 [MTP-ResponseMessages-2] WARN  com.sumologic.scala.collector.blade.docker.DockerDelegate - Failed rebuilding client
2019-03-20 09:46:13,481 +0000 [MTP-ResponseMessages-2] ERROR com.sumologic.scala.collector.blade.LocalBladeManager - Error while configuring blade: com.sumologic.scala.collector.blade.docker.DockerLogBlade@7e3eb61
javax.ws.rs.ProcessingException: Could not initialize class org.newsclub.net.unix.NativeUnixSocket
        at org.glassfish.jersey.client.ClientRuntime.invoke(ClientRuntime.java:261)
        at org.glassfish.jersey.client.JerseyInvocation$1.call(JerseyInvocation.java:684)
```

chandanchowdhury commented 5 years ago

I can't find any reference to /var/run other than 4.1.8 and 4.1.9 (used for login auditing), so a file-system permission issue is very unlikely, unless something else overrode the permission, and as the network access is via a socket file, I'm not sure if firewall rules can cause it.

I would suggest first applying the roles one section at a time to pinpoint the section and then narrowing down from there.

chandanchowdhury commented 5 years ago

Hi @steven-cuthill-otm, could you please try running the playbook excluding 3.4.2 and let us know what you find?

ghost commented 5 years ago

Sure, will give that a try tomorrow and report back.

Steve


ghost commented 5 years ago

Hi @chandanchowdhury, yup, so we already had this excluded. Here is the list we already set.

```
vars:
  cis_level_1_exclusions:
```