encfs creation failed or partially failed (jessie branch) [coded - more testing required]

[jmcgnh]

TASK: [common | If /encrypted is empty, create the encfs there] *** failed: [jessie] => {"changed": true, "cmd": "printf \"p\ntestPassword\" | encfs /encrypted /decrypted --public --stdinpass && touch /decrypted/test", "delta": "0:00:04.123265", "end": "2015-12-21 06:46:05.672522", "rc": 1, "start": "2015-12-21 06:46:01.549257", "warnings": []} stderr: fuse: device not found, try 'modprobe fuse' first fuse failed. Common problems:

• fuse kernel module not installed (modprobe fuse)
• invalid options -- see usage message stdout: Creating new encrypted volume. Please choose from one of the following options: enter "x" for expert configuration mode, enter "p" for pre-configured paranoia mode, anything else, or an empty line will select standard mode. ?> Paranoia configuration selected.

Configuration finished. The filesystem to be created has the following properties: Filesystem cipher: "ssl/aes", version 3:0:2 Filename encoding: "nameio/block", version 3:0:1 Key Size: 256 bits Block Size: 1024 bytes, including 8 byte MAC header Each file contains 8 byte header with unique IV data. Filenames encoded using IV chaining mode. File data IV is chained to filename IV. File holes passed through to ciphertext.

-------------------------- WARNING -------------------------- The external initialization-vector chaining option has been enabled. This option disables the use of hard links on the filesystem. Without hard links, some programs may not work. The programs 'mutt' and 'procmail' are known to fail. For more information, please see the encfs mailing list. If you would like to choose another configuration setting, please press CTRL-C now to abort and start over.

Now you will need to enter a password for your filesystem. You will need to remember this password, as there is absolutely no recovery mechanism. However, the password can be changed later using encfsctl.

FATAL: all hosts have already failed -- aborting

Then, on retrying, get:

TASK: [common | Create encrypted directory] *** ok: [jessie]

TASK: [common | Check if the /encrypted directory is empty] *** failed: [jessie] => {"changed": false, "cmd": "ls /encrypted/_", "delta": "0:00:00.006089", "end": "2015-12-21 07:02:37.148157", "rc": 2, "start": "2015-12-21 07:02:37.142068", "stdoutlines": [], "warnings": []} stderr: ls: cannot access /encrypted/: No such file or directory ...ignoring

TASK: [common | If /encrypted is empty, create the encfs there] *** failed: [jessie] => {"changed": true, "cmd": "printf \"p\ntestPassword\" | encfs /encrypted /decrypted --public --stdinpass && touch /decrypted/test", "delta": "0:00:03.191178", "end": "2015-12-21 07:02:40.534868", "rc": 1, "start": "2015-12-21 07:02:37.343690", "warnings": []} stdout: Error decoding volume key, password incorrect

[jmcgnh]

This is happening persistently. Perhaps something changed in the packages?

[jmcgnh]

Additional clues from the mailserver1 branch?

TASK: [common | Install encfs & fuse] ***** failed: [10.200.200.77] => (item=encfs,fuse,libfuse-dev) => {"failed": true, "item": "encfs,fuse,libfuse-dev"} stderr: E: Unable to correct problems, you have held broken packages.

stdout: Reading package lists... Building dependency tree... Reading state information... Some packages could not be installed. This may mean that you have requested an impossible situation or if you are using the unstable distribution that some required packages have not yet been created or been moved out of Incoming. The following information may help to resolve the situation:

The following packages have unmet dependencies: libfuse-dev : Depends: libfuse2 (= 2.9.0-2+deb7u2) but 2.9.3-15+deb8u1 is to be installed Depends: libselinux-dev

msg: '/usr/bin/apt-get -y -o "Dpkg::Options::=--force-confdef" -o "Dpkg::Options::=--force-confold" install 'encfs' 'libfuse-dev'' failed: E: Unable to correct problems, you have held broken packages.

FATAL: all hosts have already failed -- aborting

[jmcgnh]

There's some indication that this message can occur when a kernel update has occurred but not yet rebooted.

https://lists.debian.org/debian-user/2014/05/msg00354.html

Indeed, rebooting does alter the message.

[jmcgnh]

Next failure says encfs can't successfully decode volume key. Removing both /encrypted and /decrypted then allows the provisioning to continue.

[jmcgnh]

I found the Dupuy command in this blogpost to be suitable.

https://coderwall.com/p/0nckqg/ansible-reboot-ubuntu-if-needed

I added lines to roles/common/tasks/main.yml

diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 4fbb1be..3da3e96 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -41,6 +41,10 @@ tags:

• dependencies

+- name: Reboot system if required

• command: shutdown -r now 'Rebooting to complete system upgrade'
• removes=/var/run/reboot-required +
  • name: timezone - configure /etc/timezone copy: content: "{{ common_timezone | regex_replace('$', '\n') }}"

and also added to to roles/common/tasks/encfs.yml after the fuse package is updated.

[jmcgnh]

This is the code that finally worked:

git diff roles/common/tasks/encfs.yml diff --git a/roles/common/tasks/encfs.yml b/roles/common/tasks/encfs.yml index e7c33de..c91b5c6 100644 --- a/roles/common/tasks/encfs.yml +++ b/roles/common/tasks/encfs.yml @@ -7,6 +7,28 @@ tags:

• dependencies

+- name: check status of fuse

• shell: modprobe fuse
• ignore_errors: True
• changed_when: False # never report as "changed"
• register: fuse_check + +- name: fuse status check
• debug: var=fuse_check
• when: fuse_check.stderr.find('ERROR') != -1 + +- name: Reboot system if required
• command: /sbin/shutdown -r now "Reboot triggered by Ansible"
• async: 1
• poll: 0
• ignore_errors: true
• when: fuse_check.stderr.find('ERROR') != -1 + +- name: Wait for reboot
• local_action: wait_for host={{ inventory_hostname }} timeout={{ 5 * 60 }} delay=90 state=started
• sudo: false
• when: fuse_check.stderr.find('ERROR') != -1 +
  • name: Create encrypted directory file: state=directory path=/encrypted