debops / ansible-ferm

Manage iptables firewall using ferm
GNU General Public License v3.0

'ferm' alternatively enabled/disabled when role included multiple times #95

Closed antoineco closed 8 years ago

antoineco commented 8 years ago

Description

When I execute a playbook which calls the debops.ferm multiple times, ferm gets alternatively enabled and disabled during the play.

ferm__enabled is left to its default value, and the cap12s fact looks as follows when I execute the setup module with become = True:

            "cap12s": {
                "enabled": "true", 
                "list": [
                    "cap_chown", 
                    "cap_dac_override", 
                    "cap_dac_read_search", 
                    "cap_fowner", 
                    "cap_fsetid", 
                    "cap_kill", 
                    "cap_setgid", 
                    "cap_setuid", 
                    "cap_setpcap", 
                    "cap_linux_immutable", 
                    "cap_net_bind_service", 
                    "cap_net_broadcast", 
                    "cap_net_admin", 
                    "cap_net_raw", 
                    "cap_ipc_lock", 
                    "cap_ipc_owner", 
                    "cap_sys_module", 
                    "cap_sys_rawio", 
                    "cap_sys_chroot", 
                    "cap_sys_ptrace", 
                    "cap_sys_pacct", 
                    "cap_sys_admin", 
                    "cap_sys_boot", 
                    "cap_sys_nice", 
                    "cap_sys_resource", 
                    "cap_sys_time", 
                    "cap_sys_tty_config", 
                    "cap_mknod", 
                    "cap_lease", 
                    "cap_audit_write", 
                    "cap_audit_control", 
                    "cap_setfcap", 
                    "cap_mac_override", 
                    "cap_mac_admin", 
                    "cap_syslog", 
                    "cap_wake_alarm", 
                    "cap_block_suspend", 
                    "37+ep"
                ]
            }

My assumption is that the value of cap12s gets overwritten somewhere.

Playbook

lab.yml


---

  # Manage Consul agents
- include: consul.yml

  # Manage Nomad agents
- include: nomad.yml

  # Add extra firewall rules
- name: Ferm rules
  hosts: all 
  become: True

  roles:

    - role: debops.ferm
      tags: [ 'role::ferm' ]
      ferm__dependent_rules:
        - '{{ other_ferm_dependent_rules }}'

consul.yml


---

- name: Consul
  hosts: [ 'service_consul' ]
  become: True

  pre_tasks:

      # used when the '--limit' flag does not include all members of 'consul_servers_group'
    - name: Gather facts from Consul servers
      setup:
      delegate_facts: True
      delegate_to: '{{ item }}'
      with_items: "{{ groups[consul_servers_group] }}"
      become: False
      tags: [ 'consul:pre' ]

  roles:

    - role: debops.ferm
      tags: [ 'role::ferm' ]
      ferm__dependent_rules:
        - '{{ consul_ferm_dependent_rules }}'

    - role: consul
      tags: [ 'role::consul' ]

nomad.yml


---

- name: Nomad
  hosts: [ 'service_nomad' ]
  become: True

  pre_tasks:

      # used when the '--limit' flag does not include all members of 'consul_servers_group'
    - name: Gather facts from Consul servers
      setup:
      delegate_facts: True
      delegate_to: '{{ item }}'
      with_items: "{{ groups[consul_servers_group] }}"
      become: False
      tags: [ 'consul:pre' ]

  roles:

    - role: debops.ferm
      tags: [ 'role::ferm' ]
      ferm__dependent_rules:
        - '{{ nomad_ferm_dependent_rules }}'

    - role: nomad
      tags: [ 'role::nomad' ]

Log samples

PLAY [Consul] ******************************************************************

[...]

TASK [debops.ferm : Configure ferm status in debconf] **************************
changed: [noah]

TASK [debops.ferm : Configure sysctl] ******************************************
changed: [noah]
--- before: /etc/sysctl.d/30-ferm.conf
+++ after: dynamically generated
@@ -1,8 +1,3 @@
 # This file is managed remotely, all changes will be lost

-# Enable reverse path filtering
-net.ipv4.conf.default.rp_filter = 1
-net.ipv4.conf.all.rp_filter = 1
-
-# Forwarding in ip(6)tables is not enabled
-
+# ferm support is disabled

TASK [debops.ferm : Reload sysctl configuration if changed] ********************
changed: [noah]

TASK [debops.ferm : Configure forwarding in ifupdown if enabled] ***************
changed: [noah]
--- before: /etc/network/if-pre-up.d/ferm-forward
+++ after: dynamically generated
@@ -2,5 +2,5 @@

 # This file is managed remotely, all changes will be lost

-# Network forwarding in ip(6)tables is not enabled
+# ferm support is disabled

TASK [debops.ferm : Disable ferm after changes when requested] *****************
changed: [noah]
--- before: /etc/default/ferm (content)
+++ after: /etc/default/ferm (content)
@@ -12,5 +12,5 @@
 OPTIONS=

 # Enable the ferm init script? (i.e. run on bootup)
-ENABLED="yes"
+ENABLED="no"

TASK [debops.ferm : Save ferm local facts] *************************************
changed: [noah]
--- before: /etc/ansible/facts.d/ferm.fact
+++ after: dynamically generated
@@ -1,5 +1,5 @@
 {
-"enabled": "true",
+"enabled": "false",
 "forward": "false",
 "ansible_controllers": [
     "10.0.0.223"

[...]

PLAY [Nomad] *******************************************************************

[... nothing changed here ...]

PLAY [Ferm rules] **************************************************************

[...]

TASK [debops.ferm : Configure ferm status in debconf] **************************
changed: [noah]

TASK [debops.ferm : Configure ferm default variables] **************************
changed: [noah]
--- before: /etc/default/ferm
+++ after: dynamically generated
@@ -12,5 +12,5 @@
 OPTIONS=

 # Enable the ferm init script? (i.e. run on bootup)
-ENABLED="no"
+ENABLED="yes"

TASK [debops.ferm : Configure sysctl] ******************************************
changed: [noah]
--- before: /etc/sysctl.d/30-ferm.conf
+++ after: dynamically generated
@@ -1,3 +1,8 @@
 # This file is managed remotely, all changes will be lost

-# ferm support is disabled
+# Enable reverse path filtering
+net.ipv4.conf.default.rp_filter = 1
+net.ipv4.conf.all.rp_filter = 1
+
+# Forwarding in ip(6)tables is not enabled
+

TASK [debops.ferm : Reload sysctl configuration if changed] ********************
changed: [noah]

TASK [debops.ferm : Configure forwarding in ifupdown if enabled] ***************
changed: [noah]
--- before: /etc/network/if-pre-up.d/ferm-forward
+++ after: dynamically generated
@@ -2,5 +2,5 @@

 # This file is managed remotely, all changes will be lost

-# ferm support is disabled
+# Network forwarding in ip(6)tables is not enabled

TASK [debops.ferm : Save ferm local facts] *************************************
changed: [noah]
--- before: /etc/ansible/facts.d/ferm.fact
+++ after: dynamically generated
@@ -1,5 +1,5 @@
 {
-"enabled": "false",
+"enabled": "true",
 "forward": "false",
 "ansible_controllers": [
     "10.0.0.223"
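An added example, not part of the issue thread or of the debops.ferm role: the delegated fact-gathering play from the report, with the weak setting kept as a comment beside a corrected form that keeps privilege escalation, plus an assert that refuses to run the ferm role when the cap12s fact looks like it was gathered without privileges. It assumes that 'consul_servers_group' names the inventory group to gather from and that the role derives its default for 'ferm__enabled' from the 'cap12s' local fact, as the report implies.

```yaml
---
# Added example, not part of the issue thread or the debops.ferm role.
# Assumptions: 'consul_servers_group' is the inventory group to gather from
# and the role derives its default for 'ferm__enabled' from the 'cap12s'
# local fact, as the report implies.

- name: Consul
  hosts: [ 'service_consul' ]
  become: True

  pre_tasks:

    # Weak form (as in the report): 'become: False' makes the setup module
    # store the unprivileged user's capabilities ("=") as ansible_local.cap12s.
    #- name: Gather facts from Consul servers
    #  setup:
    #  delegate_facts: True
    #  delegate_to: '{{ item }}'
    #  with_items: '{{ groups[consul_servers_group] }}'
    #  become: False

    # Corrected form: gather with the same privilege level the play runs with,
    # so cap12s reflects root's capabilities on every delegated host.
    - name: Gather facts from Consul servers
      setup:
      delegate_facts: True
      delegate_to: '{{ item }}'
      with_items: '{{ groups[consul_servers_group] }}'
      become: True
      tags: [ 'consul:pre' ]

    # Guard: stop before the ferm role if the capability fact lacks
    # cap_net_admin, which managing iptables requires.
    - name: Verify cap12s was gathered with sufficient privileges
      assert:
        that:
          - ansible_local.cap12s is defined
          - "'cap_net_admin' in ansible_local.cap12s.list"
        msg: >-
          ansible_local.cap12s lacks cap_net_admin; a setup run without
          privilege escalation has probably overwritten it, and debops.ferm
          would disable the firewall as a result.
      tags: [ 'consul:pre' ]

  roles:
    - role: debops.ferm
      tags: [ 'role::ferm' ]
      ferm__dependent_rules:
        - '{{ consul_ferm_dependent_rules }}'
```

The same guard can be placed in the Nomad play and in the final "Ferm rules" play, since any of them may run debops.ferm after a host's cap12s fact has been overwritten.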

antoineco commented 8 years ago

My assumption was right. I printed the value of cap12s in a debug task, and the result is:

TASK [Print cap12s] ***************************************************************
ok: [noah] => {
    "ansible_local.cap12s": {
        "enabled": "true", 
        "list": [
            "="
        ]
    }
}

The problem is that the "Gather facts from Consul servers" pre_task is executed with become = False, which overwrites the value of the cap12s fact.

Workarounds: