m4rcu5nl / ansible-role-zerotier

Ansible role to install Zerotier-One and join a Zerotier network
GNU General Public License v3.0

Add and authorized doesn't pass in name, and resulting entry results in ACCESS DENIED #4

Closed Halfwalker closed 7 years ago

Halfwalker commented 7 years ago

This is using Ubuntu 16.04, the role modified to suit. The ansible machine has v2.3.2.0.

Looks like it's not creating a proper record in my.zerotier. The record looks OK, but the name field is blank. And regardless, the client machine is unable to join.

ubuntu@dove1:~$ sudo zerotier-cli info
200 info 8576d20e72 1.2.4 ONLINE
ubuntu@dove1:~$ sudo zerotier-cli listnetworks
200 listnetworks <nwid> <name> <mac> <status> <type> <dev> <ZT assigned ips>
200 listnetworks xxxxxxxxxxxxxxxx  6a:0b:45:ce:90:08 ACCESS_DENIED PRIVATE zt0 -

Running the role with -vvv shows this as the call to Add and Authorize. Note that the name field in the JSON block is empty, so that looks like a problem with Ansible?

ok: [dove1.local] => {
    "access_control_allow_methods": "GET,PUT,POST,DELETE",
    "access_control_allow_origin": "*",
    "cache_control": "no-cache, no-store, must-revalidate, private, no-transform, proxy-revalidate, max-age=0",
    "changed": false,
    "connection": "close",
    "content_length": "836",
    "content_security_policy": "default-src 'self' blob:;style-src 'self' 'unsafe-inline' https://support.zerotier.com ;object-src 'self' blob:;connect-src 'self' https://community.zerotier.com/ https://support.zerotier.com https://api.stripe.com https://checkout.stripe.com https://piwik.zerotier.com;frame-src 'self' https://community.zerotier.com/ https://support.zerotier.com https://js.stripe.com https://api.stripe.com https://checkout.stripe.com;script-src 'self' 'unsafe-inline' 'unsafe-eval' https://support.zerotier.com https://piwik.zerotier.com https://js.stripe.com https://api.stripe.com https://checkout.stripe.com;img-src 'self' https://support.zerotier.com https://piwik.zerotier.com https://api.stripe.com https://js.stripe.com https://q.stripe.com https://checkout.stripe.com https://stripe.com https://www.stripe.com data: blob:;font-src 'self' data:",
    "content_type": "application/json; charset=utf-8",
    "date": "Tue, 29 Aug 2017 17:42:31 GMT",
    "etag": "0509e94589bc62",
    "invocation": {
        "module_args": {
            "attributes": null,
            "backup": null,
            "body": {
                "config": {
                    "authorized": true
                },
                "hidden": false,
                "name": "dove1.local"
            },
            "body_format": "json",
            "content": null,
            "creates": null,
            "delimiter": null,
            "dest": null,
            "directory_mode": null,
            "follow": false,
            "follow_redirects": "safe",
            "force": false,
            "force_basic_auth": false,
            "group": null,
            "headers": {
                "Authorization": "bearer xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
                "Content-Type": "application/json"
            },
            "http_agent": "ansible-httpget",
            "method": "POST",
            "mode": null,
            "owner": null,
            "regexp": null,
            "remote_src": null,
            "removes": null,
            "return_content": false,
            "selevel": null,
            "serole": null,
            "setype": null,
            "seuser": null,
            "src": null,
            "status_code": [
                200
            ],
            "timeout": 30,
            "unsafe_writes": null,
            "url": "https://my.zerotier.com/api/network/xxxxxxxxxxxxxxxx/member/8576d20e72",
            "url_password": null,
            "url_username": null,
            "use_proxy": true,
            "validate_certs": true
        }
    },
    "json": {
        "clientVersion": null,
        "clock": 1504028551677,
        "config": {
            "activeBridge": false,
            "address": "0000000000",
            "authorized": true,
            "capabilities": [],
            "creationTime": 0,
            "id": "0000000000",
            "identity": null,
            "ipAssignments": [],
            "lastAuthorizedCredential": null,
            "lastAuthorizedCredentialType": null,
            "lastAuthorizedTime": 0,
            "lastDeauthorizedTime": 0,
            "noAutoAssignIps": false,
            "nwid": "0000000000000000",
            "objtype": "member",
            "physicalAddr": "",
            "remoteTraceTarget": null,
            "revision": 0,
            "tags": [],
            "vMajor": 0,
            "vMinor": 0,
            "vProto": 0,
            "vRev": 0
        },
        "controllerId": "e5cd7a9e1c",
        "description": "",
        "hidden": false,
        "id": "xxxxxxxxxxxxxxxx-8576d20e72",
        "lastOffline": 0,
        "lastOnline": 0,
        "name": "",
        "networkId": "xxxxxxxxxxxxxxxx",
        "nodeId": "8576d20e72",
        "offlineNotifyDelay": 0,
        "online": false,
        "physicalAddress": null,
        "physicalLocation": null,
        "protocolVersion": 0,
        "supportsRulesEngine": false,
        "type": "Member"
    },
    "msg": "OK (836 bytes)",
    "p3p": "CP=",
    "redirected": false,
    "server": "nginx",
    "status": 200,
    "strict_transport_security": "max-age=63072000; includeSubdomains;",
    "url": "https://my.zerotier.com/api/network/xxxxxxxxxxxxxxxx/member/8576d20e72",
    "x_content_type_options": "nosniff",
    "x_frame_options": "SAMEORIGIN",
    "x_zerotier_central_api_version": "3",
    "x_zerotier_central_version": "1.2.8"
}

I put in a debug: var=apiresult after that to see what comes back from the POST ...

ok: [dove1.local] => {
    "apiresult": {
        "access_control_allow_methods": "GET,PUT,POST,DELETE",
        "access_control_allow_origin": "*",
        "cache_control": "no-cache, no-store, must-revalidate, private, no-transform, proxy-revalidate, max-age=0",
        "changed": false,
        "connection": "close",
        "content_length": "836",
        "content_security_policy": "default-src 'self' blob:;style-src 'self' 'unsafe-inline' https://support.zerotier.com ;object-src 'self' blob:;connect-src 'self' https://community.zerotier.com/ https://support.zerotier.com https://api.stripe.com https://checkout.stripe.com https://piwik.zerotier.com;frame-src 'self' https://community.zerotier.com/ https://support.zerotier.com https://js.stripe.com https://api.stripe.com https://checkout.stripe.com;script-src 'self' 'unsafe-inline' 'unsafe-eval' https://support.zerotier.com https://piwik.zerotier.com https://js.stripe.com https://api.stripe.com https://checkout.stripe.com;img-src 'self' https://support.zerotier.com https://piwik.zerotier.com https://api.stripe.com https://js.stripe.com https://q.stripe.com https://checkout.stripe.com https://stripe.com https://www.stripe.com data: blob:;font-src 'self' data:",
        "content_type": "application/json; charset=utf-8",
        "date": "Tue, 29 Aug 2017 17:42:31 GMT",
        "etag": "0509e94589bc62",
        "json": {
            "clientVersion": null,
            "clock": 1504028551677,
            "config": {
                "activeBridge": false,
                "address": "0000000000",
                "authorized": true,
                "capabilities": [],
                "creationTime": 0,
                "id": "0000000000",
                "identity": null,
                "ipAssignments": [],
                "lastAuthorizedCredential": null,
                "lastAuthorizedCredentialType": null,
                "lastAuthorizedTime": 0,
                "lastDeauthorizedTime": 0,
                "noAutoAssignIps": false,
                "nwid": "0000000000000000",
                "objtype": "member",
                "physicalAddr": "",
                "remoteTraceTarget": null,
                "revision": 0,
                "tags": [],
                "vMajor": 0,
                "vMinor": 0,
                "vProto": 0,
                "vRev": 0
            },
            "controllerId": "e5cd7a9e1c",
            "description": "",
            "hidden": false,
            "id": "xxxxxxxxxxxxxxxx-8576d20e72",
            "lastOffline": 0,
            "lastOnline": 0,
            "name": "",
            "networkId": "xxxxxxxxxxxxxxxx",
            "nodeId": "8576d20e72",
            "offlineNotifyDelay": 0,
            "online": false,
            "physicalAddress": null,
            "physicalLocation": null,
            "protocolVersion": 0,
            "supportsRulesEngine": false,
            "type": "Member"
        },
        "msg": "OK (836 bytes)",
        "p3p": "CP=",
        "redirected": false,
        "server": "nginx",
        "status": 200,
        "strict_transport_security": "max-age=63072000; includeSubdomains;",
        "url": "https://my.zerotier.com/api/network/xxxxxxxxxxxxxxxx/member/8576d20e72",
        "x_content_type_options": "nosniff",
        "x_frame_options": "SAMEORIGIN",
        "x_zerotier_central_api_version": "3",
        "x_zerotier_central_version": "1.2.8"
    }
}

Everything looks fine, except for the name field being empty. That's not a problem. The BIG issue is that the machine can't join the network - gets denied.

ubuntu@dove1:~$ sudo zerotier-cli info
200 info 8576d20e72 1.2.4 ONLINE
ubuntu@dove1:~$ sudo zerotier-cli listnetworks
200 listnetworks <nwid> <name> <mac> <status> <type> <dev> <ZT assigned ips>
200 listnetworks xxxxxxxxxxxxxxxx  6a:0b:45:ce:90:08 ACCESS_DENIED PRIVATE zt0 -

If I stop zerotier, delete the /var/lib/zerotier directory and restart it, then join manually (auth'ing the new machine in the UI on my.zerotier.com) ... then it works fine. So it seems that something about the creation of the new record is bad, and completely blocks that new system from joining the network.

Halfwalker commented 7 years ago

SIGH. Not an issue. I typoed the iptables line for port 9993 ... So it's all good.
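The thread above shows two things worth checking in a play rather than trusting by eye: the Central API answers HTTP 200 to the "Add and Authorize" POST even when the record it echoes back is essentially empty (name "", id "0000000000"), and a node can be fully authorized on my.zerotier.com yet still sit at ACCESS_DENIED because the host firewall drops ZeroTier's peer traffic on UDP 9993. The following task list is an added example, not code from m4rcu5nl/ansible-role-zerotier; it assumes the variables `zerotier_network_id`, `zerotier_api_token` and `zerotier_member_name` are defined, that `zerotier-cli` is installed on the target, and that the API call is made from the controller so the token never lands on the managed host. Module names are the short forms so the tasks also work on older Ansible versions such as the 2.3.x used in the report.

```yaml
# Added example (not the role's own tasks). Assumed variables:
#   zerotier_network_id   - 16-hex-digit network id
#   zerotier_api_token    - ZeroTier Central API token (keep it in a vault)
#   zerotier_member_name  - name to record for this host on Central
- name: Read this node's ZeroTier address
  command: zerotier-cli -j info
  register: zt_info
  changed_when: false
  become: true

- name: Allow ZeroTier peer traffic (UDP 9993) through the host firewall
  iptables:
    chain: INPUT
    protocol: udp
    destination_port: "9993"
    jump: ACCEPT
    comment: zerotier-one
  become: true

- name: Add and authorize the member on ZeroTier Central
  uri:
    url: "https://my.zerotier.com/api/network/{{ zerotier_network_id }}/member/{{ (zt_info.stdout | from_json).address }}"
    method: POST
    headers:
      Authorization: "bearer {{ zerotier_api_token }}"
      Content-Type: application/json
    body:
      name: "{{ zerotier_member_name }}"
      hidden: false
      config:
        authorized: true
    body_format: json
    status_code: 200
  delegate_to: localhost
  no_log: true   # the bearer token would otherwise appear verbatim in -vvv output

- name: Re-read the member record instead of trusting the POST echo
  uri:
    url: "https://my.zerotier.com/api/network/{{ zerotier_network_id }}/member/{{ (zt_info.stdout | from_json).address }}"
    method: GET
    headers:
      Authorization: "bearer {{ zerotier_api_token }}"
    return_content: true
  register: zt_member
  delegate_to: localhost
  no_log: true

- name: Fail early if Central did not store what we sent
  assert:
    that:
      - zt_member.json.config.authorized | bool
      - zt_member.json.name == zerotier_member_name
    fail_msg: "Central returned 200 but the member record does not match the request"

- name: Wait until the node itself reports OK for the network
  command: zerotier-cli -j listnetworks
  register: zt_networks
  changed_when: false
  become: true
  retries: 12
  delay: 5
  until: >-
    (zt_networks.stdout | from_json)
    | selectattr('nwid', 'equalto', zerotier_network_id)
    | map(attribute='status') | first | default('') == 'OK'
```

The last task is the one that would have caught the problem in this report: with authorization confirmed on the Central side, a status that stays at ACCESS_DENIED for a minute points at the path between node and controller (here the UDP 9993 rule), not at the member record. `no_log: true` on the API tasks is the counterpart of the manual redaction the reporter had to do on the `Authorization` header in the -vvv dump.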