trailofbits / algo

Set up a personal VPN in the cloud
https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-that-works/
GNU Affero General Public License v3.0

Unable to enforce dnscrypt-proxy AppArmor policy #14165

Open Pezmc opened 3 years ago

Pezmc commented 3 years ago

Describe the bug

Brand new unmodified Ubuntu 20.04 version:

lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 20.04 LTS
Release:    20.04
Codename:   focal

Running the install script on macOS 11.2.1.

Installation falls over at:

TASK [dns : Ubuntu | Enforce the dnscrypt-proxy AppArmor policy] **********************************************************************************************************
fatal: [51.178.105.168]: FAILED! => {"changed": false, "cmd": ["aa-enforce", "usr.bin.dnscrypt-proxy"], "delta": "0:00:00.412418", "end": "2021-03-09 08:38:27.805235", "msg": "non-zero return code", "rc": 1, "start": "2021-03-09 08:38:27.392817", "stderr": "\nERROR: /sbin/apparmor_parser: Unable to replace \"/usr/{s,}bin/dnscrypt-proxy\".  Permission denied; attempted to load a profile while confined?", "stderr_lines": ["", "ERROR: /sbin/apparmor_parser: Unable to replace \"/usr/{s,}bin/dnscrypt-proxy\".  Permission denied; attempted to load a profile while confined?"], "stdout": "Setting /etc/apparmor.d/usr.bin.dnscrypt-proxy to enforce mode.", "stdout_lines": ["Setting /etc/apparmor.d/usr.bin.dnscrypt-proxy to enforce mode."]}

To Reproduce

Steps to reproduce the behavior:

  1. git clone https://github.com/trailofbits/algo.git
  2. Install dependencies locally as per docs
    python3 -m virtualenv --python="$(command -v python3)" .env &&
    source .env/bin/activate &&
    python3 -m pip install -U pip virtualenv &&
    python3 -m pip install -r requirements.txt
  3. ./algo with no to all options, use remote IP, passwordless login as root

Expected behavior

Algo installs and doesn't throw AppArmor error.

Additional context

Server is a VPS from https://face-h.eu/

Full log

./algo
[WARNING]: Could not match supplied host pattern, ignoring: vpn-host

PLAY [localhost] **********************************************************************************************************************************************************

TASK [Gathering Facts] ****************************************************************************************************************************************************
ok: [localhost]

TASK [Playbook dir stat] **************************************************************************************************************************************************
ok: [localhost]

TASK [Ensure Ansible is not being run in a world writable directory] ******************************************************************************************************
ok: [localhost] => {
    "changed": false,
    "msg": "All assertions passed"
}

TASK [Ensure the requirements installed] **********************************************************************************************************************************
ok: [localhost]

TASK [Set required ansible version as a fact] *****************************************************************************************************************************
ok: [localhost] => (item=ansible==2.9.7)

TASK [Verify Python meets Algo VPN requirements] **************************************************************************************************************************
ok: [localhost] => {
    "changed": false,
    "msg": "All assertions passed"
}

TASK [Verify Ansible meets Algo VPN requirements] *************************************************************************************************************************
ok: [localhost] => {
    "changed": false,
    "msg": "All assertions passed"
}
[WARNING]: Found variable using reserved name: no_log

PLAY [Ask user for the input] *********************************************************************************************************************************************

TASK [Gathering Facts] ****************************************************************************************************************************************************
ok: [localhost]
[Cloud prompt]
What provider would you like to use?
    1. DigitalOcean
    2. Amazon Lightsail
    3. Amazon EC2
    4. Microsoft Azure
    5. Google Compute Engine
    6. Hetzner Cloud
    7. Vultr
    8. Scaleway
    9. OpenStack (DreamCompute optimised)
    10. CloudStack (Exoscale optimised)
    11. Linode
    12. Install to existing Ubuntu 18.04 or 20.04 server (for more advanced users)

Enter the number of your desired provider
:

TASK [Cloud prompt] *******************************************************************************************************************************************************
ok: [localhost]

TASK [Set facts based on the input] ***************************************************************************************************************************************
ok: [localhost]
[Cellular On Demand prompt]
Do you want macOS/iOS clients to enable "Connect On Demand" when connected to cellular networks?
[y/N]
:

TASK [Cellular On Demand prompt] ******************************************************************************************************************************************
ok: [localhost]
[Wi-Fi On Demand prompt]
Do you want macOS/iOS clients to enable "Connect On Demand" when connected to Wi-Fi?
[y/N]
:

TASK [Wi-Fi On Demand prompt] *********************************************************************************************************************************************
ok: [localhost]
[Retain the PKI prompt]
Do you want to retain the keys (PKI)? (required to add users in the future, but less secure)
[y/N]
:

TASK [Retain the PKI prompt] **********************************************************************************************************************************************
ok: [localhost]
[DNS adblocking prompt]
Do you want to enable DNS ad blocking on this VPN server?
[y/N]
:

TASK [DNS adblocking prompt] **********************************************************************************************************************************************
ok: [localhost]
[SSH tunneling prompt]
Do you want each user to have their own account for SSH tunneling?
[y/N]
:

TASK [SSH tunneling prompt] ***********************************************************************************************************************************************
ok: [localhost]

TASK [Set facts based on the input] ***************************************************************************************************************************************
ok: [localhost]

PLAY [Provision the server] ***********************************************************************************************************************************************

TASK [Gathering Facts] ****************************************************************************************************************************************************
ok: [localhost]

--> Please include the following block of text when reporting issues:

Algo running on: macOS 11.2.1
Created from git clone. Last commit: 70f9f91 Fix typo (#14145)
Python 3.9.1
Runtime variables:
    algo_provider "local"
    algo_ondemand_cellular "False"
    algo_ondemand_wifi "False"
    algo_ondemand_wifi_exclude "X251bGw="
    algo_dns_adblocking "False"
    algo_ssh_tunneling "False"
    wireguard_enabled "True"
    dns_encryption "True"

TASK [Display the invocation environment] *********************************************************************************************************************************
changed: [localhost -> localhost]

TASK [Install the requirements] *******************************************************************************************************************************************
ok: [localhost -> localhost]
[local : pause]
Enter the IP address of your server: (or use localhost for local installation):
[localhost]
:

TASK [local : pause] ******************************************************************************************************************************************************
ok: [localhost]

TASK [local : Set the facts] **********************************************************************************************************************************************
ok: [localhost]
[local : pause]
What user should we use to login on the server? (note: passwordless login required, or ignore if you're deploying to localhost)
[root]
:

TASK [local : pause] ******************************************************************************************************************************************************
ok: [localhost]

TASK [local : Set the facts] **********************************************************************************************************************************************
ok: [localhost]
[local : pause]
Enter the public IP address or domain name of your server: (IMPORTANT! This is used to verify the certificate)
[51.178.105.168]
:

TASK [local : pause] ******************************************************************************************************************************************************
ok: [localhost]

TASK [local : Set the facts] **********************************************************************************************************************************************
ok: [localhost]

TASK [Set subjectAltName as a fact] ***************************************************************************************************************************************
ok: [localhost]

TASK [Add the server to an inventory group] *******************************************************************************************************************************
changed: [localhost]

TASK [Wait until SSH becomes ready...] ************************************************************************************************************************************
ok: [localhost]

TASK [MacOS | set OS specific facts] **************************************************************************************************************************************
ok: [localhost]

TASK [MacOS | mount a ram disk] *******************************************************************************************************************************************
ok: [localhost]

TASK [Set config paths as facts] ******************************************************************************************************************************************
ok: [localhost]

TASK [Update config paths] ************************************************************************************************************************************************
changed: [localhost]

TASK [debug] **************************************************************************************************************************************************************
ok: [localhost] => {
    "IP_subject_alt_name": "51.178.105.168"
}

TASK [Wait 600 seconds for target connection to become reachable/usable] **************************************************************************************************
ok: [localhost -> 51.178.105.168] => (item=51.178.105.168)

PLAY [Configure the server and install required software] *****************************************************************************************************************

TASK [Ensure the config directory exists] *********************************************************************************************************************************
ok: [51.178.105.168 -> localhost]

TASK [Dump the ssh config] ************************************************************************************************************************************************
ok: [51.178.105.168 -> localhost]

TASK [common : Check the system] ******************************************************************************************************************************************
ok: [51.178.105.168]
included: /Users/pezcuckow/Git/algo/roles/common/tasks/ubuntu.yml for 51.178.105.168

TASK [common : Gather facts] **********************************************************************************************************************************************
ok: [51.178.105.168]

TASK [common : Install unattended-upgrades] *******************************************************************************************************************************
ok: [51.178.105.168]

TASK [common : Configure unattended-upgrades] *****************************************************************************************************************************
ok: [51.178.105.168]

TASK [common : Periodic upgrades configured] ******************************************************************************************************************************
ok: [51.178.105.168]

TASK [common : Disable MOTD on login and SSHD] ****************************************************************************************************************************
ok: [51.178.105.168] => (item={'regexp': '^session.*optional.*pam_motd.so.*', 'line': '# MOTD DISABLED', 'file': '/etc/pam.d/login'})
ok: [51.178.105.168] => (item={'regexp': '^session.*optional.*pam_motd.so.*', 'line': '# MOTD DISABLED', 'file': '/etc/pam.d/sshd'})

TASK [common : Ensure fallback resolvers are set] *************************************************************************************************************************
ok: [51.178.105.168]

TASK [common : Loopback for services configured] **************************************************************************************************************************
ok: [51.178.105.168]

TASK [common : systemd services enabled and started] **********************************************************************************************************************
ok: [51.178.105.168] => (item=systemd-networkd)
ok: [51.178.105.168] => (item=systemd-resolved)

TASK [common : Check apparmor support] ************************************************************************************************************************************
fatal: [51.178.105.168]: FAILED! => {"changed": false, "cmd": ["apparmor_status"], "delta": "0:00:00.079836", "end": "2021-03-09 08:38:11.045172", "msg": "non-zero return code", "rc": 2, "start": "2021-03-09 08:38:10.965336", "stderr": "", "stderr_lines": [], "stdout": "apparmor module is loaded.\n0 profiles are loaded.\n0 profiles are in enforce mode.\n0 profiles are in complain mode.\n0 processes have profiles defined.\n0 processes are in enforce mode.\n0 processes are in complain mode.\n0 processes are unconfined but have a profile defined.", "stdout_lines": ["apparmor module is loaded.", "0 profiles are loaded.", "0 profiles are in enforce mode.", "0 profiles are in complain mode.", "0 processes have profiles defined.", "0 processes are in enforce mode.", "0 processes are in complain mode.", "0 processes are unconfined but have a profile defined."]}
...ignoring

TASK [common : Set fact if apparmor enabled] ******************************************************************************************************************************
ok: [51.178.105.168]

TASK [common : Define facts] **********************************************************************************************************************************************
ok: [51.178.105.168]

TASK [common : Set facts] *************************************************************************************************************************************************
ok: [51.178.105.168]

TASK [common : Set IPv6 support as a fact] ********************************************************************************************************************************
ok: [51.178.105.168]

TASK [common : Check size of MTU] *****************************************************************************************************************************************
ok: [51.178.105.168]

TASK [common : Set OS specific facts] *************************************************************************************************************************************
ok: [51.178.105.168]

TASK [common : Install tools] *********************************************************************************************************************************************
ok: [51.178.105.168]
included: /Users/pezcuckow/Git/algo/roles/common/tasks/iptables.yml for 51.178.105.168

TASK [common : Iptables configured] ***************************************************************************************************************************************
ok: [51.178.105.168] => (item={'src': 'rules.v4.j2', 'dest': '/etc/iptables/rules.v4'})

TASK [common : Sysctl tuning] *********************************************************************************************************************************************
ok: [51.178.105.168] => (item={'item': 'net.ipv4.ip_forward', 'value': 1})
ok: [51.178.105.168] => (item={'item': 'net.ipv4.conf.all.forwarding', 'value': 1})
included: /Users/pezcuckow/Git/algo/roles/dns/tasks/ubuntu.yml for 51.178.105.168

TASK [dns : Install dnscrypt-proxy] ***************************************************************************************************************************************
ok: [51.178.105.168]

TASK [dns : Ubuntu | Configure AppArmor policy for dnscrypt-proxy] ********************************************************************************************************
ok: [51.178.105.168]

TASK [dns : Ubuntu | Enforce the dnscrypt-proxy AppArmor policy] **********************************************************************************************************
fatal: [51.178.105.168]: FAILED! => {"changed": false, "cmd": ["aa-enforce", "usr.bin.dnscrypt-proxy"], "delta": "0:00:00.412418", "end": "2021-03-09 08:38:27.805235", "msg": "non-zero return code", "rc": 1, "start": "2021-03-09 08:38:27.392817", "stderr": "\nERROR: /sbin/apparmor_parser: Unable to replace \"/usr/{s,}bin/dnscrypt-proxy\".  Permission denied; attempted to load a profile while confined?", "stderr_lines": ["", "ERROR: /sbin/apparmor_parser: Unable to replace \"/usr/{s,}bin/dnscrypt-proxy\".  Permission denied; attempted to load a profile while confined?"], "stdout": "Setting /etc/apparmor.d/usr.bin.dnscrypt-proxy to enforce mode.", "stdout_lines": ["Setting /etc/apparmor.d/usr.bin.dnscrypt-proxy to enforce mode."]}
included: /Users/pezcuckow/Git/algo/playbooks/rescue.yml for 51.178.105.168

TASK [debug] **************************************************************************************************************************************************************
ok: [51.178.105.168] => {
    "fail_hint": [
        "Sorry, but something went wrong!",
        "Please check the troubleshooting guide.",
        "https://trailofbits.github.io/algo/troubleshooting.html"
    ]
}

TASK [Fail the installation] **********************************************************************************************************************************************
fatal: [51.178.105.168]: FAILED! => {"changed": false, "msg": "Failed as requested from task"}

PLAY RECAP ****************************************************************************************************************************************************************
51.178.105.168             : ok=28   changed=0    unreachable=0    failed=1    skipped=11   rescued=1    ignored=1
localhost                  : ok=34   changed=3    unreachable=0    failed=0    skipped=7    rescued=0    ignored=0

davidemyers commented 3 years ago

There's something non-standard about this Ubuntu instance. In TASK [common : Check apparmor support] part of the output is 0 profiles are loaded, which doesn't seem right. For example, on DigitalOcean you would see 28 profiles are loaded when running apparmor_status on a newly created instance.

I'm not sure what's wrong or how to fix it.

zerkeizi commented 3 years ago

I'm running into the same problem; my log is a bit different, though.

[WARNING]: Could not match supplied host pattern, ignoring: vpn-host

PLAY [localhost] ****************************************************************************************************************

TASK [Gathering Facts] **********************************************************************************************************
ok: [localhost]

TASK [Playbook dir stat] ********************************************************************************************************
ok: [localhost]

TASK [Ensure Ansible is not being run in a world writable directory] ************************************************************
ok: [localhost] => {
    "changed": false,
    "msg": "All assertions passed"
}

TASK [Ensure the requirements installed] ****************************************************************************************
ok: [localhost]

TASK [Set required ansible version as a fact] ***********************************************************************************
ok: [localhost] => (item=ansible==2.9.20)

TASK [Verify Python meets Algo VPN requirements] ********************************************************************************
ok: [localhost] => {
    "changed": false,
    "msg": "All assertions passed"
}

TASK [Verify Ansible meets Algo VPN requirements] *******************************************************************************
ok: [localhost] => {
    "changed": false,
    "msg": "All assertions passed"
}
[WARNING]: Found variable using reserved name: no_log

PLAY [Ask user for the input] ***************************************************************************************************

TASK [Gathering Facts] **********************************************************************************************************
ok: [localhost]
[Cloud prompt]
What provider would you like to use?
    1. DigitalOcean
    2. Amazon Lightsail
    3. Amazon EC2
    4. Microsoft Azure
    5. Google Compute Engine
    6. Hetzner Cloud
    7. Vultr
    8. Scaleway
    9. OpenStack (DreamCompute optimised)
    10. CloudStack (Exoscale optimised)
    11. Linode
    12. Install to existing Ubuntu 18.04 or 20.04 server (for more advanced users)

Enter the number of your desired provider
:
12^M
TASK [Cloud prompt] *************************************************************************************************************
ok: [localhost]

TASK [Set facts based on the input] *********************************************************************************************
ok: [localhost]
[Cellular On Demand prompt]
Do you want macOS/iOS clients to enable "Connect On Demand" when connected to cellular networks?
[y/N]
:

TASK [Cellular On Demand prompt] ************************************************************************************************
ok: [localhost]
[Wi-Fi On Demand prompt]
Do you want macOS/iOS clients to enable "Connect On Demand" when connected to Wi-Fi?
[y/N]
:

TASK [Wi-Fi On Demand prompt] ***************************************************************************************************
ok: [localhost]
[Trusted Wi-Fi networks prompt]
List the names of any trusted Wi-Fi networks where macOS/iOS clients should not use "Connect On Demand"
(e.g., your home network. Comma-separated value, e.g., HomeNet,OfficeWifi,AlgoWiFi)
:
^M
TASK [Trusted Wi-Fi networks prompt] ********************************************************************************************
ok: [localhost]
[Retain the PKI prompt]
Do you want to retain the keys (PKI)? (required to add users in the future, but less secure)
[y/N]
:
n^M
TASK [Retain the PKI prompt] ****************************************************************************************************
ok: [localhost]
[DNS adblocking prompt]
Do you want to enable DNS ad blocking on this VPN server?
[y/N]
:

TASK [DNS adblocking prompt] ****************************************************************************************************
ok: [localhost]
[SSH tunneling prompt]
Do you want each user to have their own account for SSH tunneling?
[y/N]
:
y^M
TASK [SSH tunneling prompt] *****************************************************************************************************
ok: [localhost]

TASK [Set facts based on the input] *********************************************************************************************
ok: [localhost]

PLAY [Provision the server] *****************************************************************************************************

TASK [Gathering Facts] **********************************************************************************************************
ok: [localhost]

--> Please include the following block of text when reporting issues:

Algo running on: Ubuntu 20.04.2 LTS (Virtualized: openvz)
Created from git clone. Last commit: 96988f1 Bump actions/setup-python from 1 to 2.2.2 (#14254)
Python 3.8.5
Runtime variables:
    algo_provider "local"
    algo_ondemand_cellular "True"
    algo_ondemand_wifi "True"
    algo_ondemand_wifi_exclude "X251bGw="
    algo_dns_adblocking "False"
    algo_ssh_tunneling "True"
    wireguard_enabled "True"
    dns_encryption "True"

TASK [Display the invocation environment] ***************************************************************************************
changed: [localhost]

TASK [Install the requirements] *************************************************************************************************
changed: [localhost]
[local : pause]
Enter the IP address of your server: (or use localhost for local installation):
[localhost]
:

TASK [local : pause] ************************************************************************************************************
ok: [localhost]

TASK [local : Set the facts] ****************************************************************************************************
ok: [localhost]
[local : pause]
Enter the public IP address or domain name of your server: (IMPORTANT! This is used to verify the certificate)
[localhost]
:

TASK [local : pause] ************************************************************************************************************
ok: [localhost]

TASK [local : Set the facts] ****************************************************************************************************
ok: [localhost]

TASK [Set subjectAltName as a fact] *********************************************************************************************
ok: [localhost]

TASK [Add the server to an inventory group] *************************************************************************************
changed: [localhost]

TASK [Linux | set OS specific facts] ********************************************************************************************
ok: [localhost]

TASK [Set config paths as facts] ************************************************************************************************
ok: [localhost]

TASK [Update config paths] ******************************************************************************************************
changed: [localhost]

TASK [debug] ********************************************************************************************************************
ok: [localhost] => {
    "IP_subject_alt_name": "151.106.109.39"
}
[WARNING]: Reset is not implemented for this connection

TASK [Wait 600 seconds for target connection to become reachable/usable] ********************************************************
ok: [localhost] => (item=localhost)

PLAY [Configure the server and install required software] ***********************************************************************

TASK [common : Check the system] ************************************************************************************************
ok: [localhost]
included: /home/meeg/vpn/algo/roles/common/tasks/ubuntu.yml for localhost

TASK [common : Gather facts] ****************************************************************************************************
ok: [localhost]

TASK [common : Install unattended-upgrades] *************************************************************************************
ok: [localhost]

TASK [common : Configure unattended-upgrades] ***********************************************************************************
changed: [localhost]

TASK [common : Periodic upgrades configured] ************************************************************************************
ok: [localhost]

TASK [common : Disable MOTD on login and SSHD] **********************************************************************************
ok: [localhost] => (item={'regexp': '^session.*optional.*pam_motd.so.*', 'line': '# MOTD DISABLED', 'file': '/etc/pam.d/login'})
ok: [localhost] => (item={'regexp': '^session.*optional.*pam_motd.so.*', 'line': '# MOTD DISABLED', 'file': '/etc/pam.d/sshd'})

TASK [common : Ensure fallback resolvers are set] *******************************************************************************
ok: [localhost]

TASK [common : Loopback for services configured] ********************************************************************************
ok: [localhost]

TASK [common : systemd services enabled and started] ****************************************************************************
ok: [localhost] => (item=systemd-networkd)
ok: [localhost] => (item=systemd-resolved)

TASK [common : Check apparmor support] ******************************************************************************************
fatal: [localhost]: FAILED! => {"changed": false, "cmd": ["apparmor_status"], "delta": "0:00:00.140170", "end": "2021-07-26 21:52:51.850919", "msg": "non-zero return code", "rc": 1, "start": "2021-07-26 21:52:51.710749", "stderr": "apparmor module is not loaded.", "stderr_lines": ["apparmor module is not loaded."], "stdout": "", "stdout_lines": []}
...ignoring

TASK [common : Define facts] ****************************************************************************************************
ok: [localhost]

TASK [common : Set facts] *******************************************************************************************************
ok: [localhost]

TASK [common : Set IPv6 support as a fact] **************************************************************************************
ok: [localhost]

TASK [common : Check size of MTU] ***********************************************************************************************
ok: [localhost]

TASK [common : Set OS specific facts] *******************************************************************************************
ok: [localhost]

TASK [common : Install tools] ***************************************************************************************************
ok: [localhost]
included: /home/meeg/vpn/algo/roles/common/tasks/iptables.yml for localhost

TASK [common : Iptables configured] *********************************************************************************************
ok: [localhost] => (item={'src': 'rules.v4.j2', 'dest': '/etc/iptables/rules.v4'})

TASK [common : Sysctl tuning] ***************************************************************************************************
ok: [localhost] => (item={'item': 'net.ipv4.ip_forward', 'value': 1})
ok: [localhost] => (item={'item': 'net.ipv4.conf.all.forwarding', 'value': 1})
included: /home/meeg/vpn/algo/roles/dns/tasks/ubuntu.yml for localhost

TASK [Install dnscrypt-proxy] ***************************************************************************************************
ok: [localhost]

TASK [Ubuntu | Configure AppArmor policy for dnscrypt-proxy] ********************************************************************
ok: [localhost]

TASK [Ubuntu | Enforce the dnscrypt-proxy AppArmor policy] **********************************************************************
fatal: [localhost]: FAILED! => {"changed": false, "cmd": ["aa-enforce", "usr.bin.dnscrypt-proxy"], "delta": "0:00:00.341897", "end": "2021-07-26 21:53:07.839755", "msg": "non-zero return code", "rc": 1, "start": "2021-07-26 21:53:07.497858", "stderr": "\nERROR: Cache read/write disabled: interface file missing. (Kernel needs AppArmor 2.4 compatibility patch.)\nWarning: unable to find a suitable fs in /proc/mounts, is it mounted?\nUse --subdomainfs to override.", "stderr_lines": ["", "ERROR: Cache read/write disabled: interface file missing. (Kernel needs AppArmor 2.4 compatibility patch.)", "Warning: unable to find a suitable fs in /proc/mounts, is it mounted?", "Use --subdomainfs to override."], "stdout": "Setting /etc/apparmor.d/usr.bin.dnscrypt-proxy to enforce mode.", "stdout_lines": ["Setting /etc/apparmor.d/usr.bin.dnscrypt-proxy to enforce mode."]}
included: /home/meeg/vpn/algo/playbooks/rescue.yml for localhost

TASK [debug] ********************************************************************************************************************
ok: [localhost] => {
    "fail_hint": [
        "Sorry, but something went wrong!",
        "Please check the troubleshooting guide.",
        "https://trailofbits.github.io/algo/troubleshooting.html"
    ]
}

TASK [Fail the installation] ****************************************************************************************************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "Failed as requested from task"}

PLAY RECAP **********************************************************************************************************************
localhost                  : ok=56   changed=5    unreachable=0    failed=1    skipped=24   rescued=1    ignored=1

davidemyers commented 3 years ago

@zerkeizi I don't know why your instance of Ubuntu doesn't have AppArmor enabled, but Algo should still work.

Try this: edit the file roles/dns/defaults/main.yml and delete the line apparmor_enabled: true.

zerkeizi commented 3 years ago

@davidemyers Thank you, it solved this particular problem. Though I'm facing another one now, should I create a new issue on its respective subject?

davidemyers commented 3 years ago

Open an issue if you think it's not related to using OpenVZ. This page says:

Hosting providers that rely on OpenVZ or Docker cannot be used by Algo since they cannot load the required kernel modules or access the required network interfaces.

zerkeizi commented 3 years ago

Thank you for the heads up. I talked to the support team of the VPS hosting provider and they confirmed they rely on OpenVZ.
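
The conditions that come up in this thread (an OpenVZ guest, a kernel without the AppArmor interface, a caller that is itself confined) can be checked on the target host before running the installer. The shell function below is an added example, not part of the original thread or of Algo; the function name, the verdict strings and the `ROOT` prefix argument (used so the check can be pointed at a constructed directory tree) are assumptions made for illustration.

```shell
#!/bin/sh
# Pre-flight check: can this host load and enforce an AppArmor profile?
# Usage on a live system:  apparmor_preflight      (ROOT empty = real /proc and /sys)
# ROOT is a hypothetical filesystem prefix added so the check can be tested offline.
apparmor_preflight() {
    root="${1:-}"
    enabled="$root/sys/module/apparmor/parameters/enabled"
    iface="$root/sys/kernel/security/apparmor"
    label="$root/proc/self/attr/current"

    # OpenVZ guests expose /proc/vz but not /proc/bc (present only on the hardware node).
    if [ -d "$root/proc/vz" ] && [ ! -d "$root/proc/bc" ]; then
        echo "openvz-guest"; return 1
    fi
    # AppArmor not built into the kernel, or disabled at boot.
    if [ ! -r "$enabled" ] || [ "$(cat "$enabled" 2>/dev/null)" != "Y" ]; then
        echo "apparmor-disabled"; return 1
    fi
    # securityfs interface missing: apparmor_parser reports "interface file missing".
    if [ ! -d "$iface" ]; then
        echo "no-securityfs-interface"; return 1
    fi
    # A caller that is itself confined (for example by a container's profile)
    # is refused when it tries to replace a profile.
    if [ -r "$label" ]; then
        cur="$(cat "$label" 2>/dev/null)"
        case "$cur" in
            unconfined|"") ;;
            *) echo "caller-confined"; return 1 ;;
        esac
    fi
    echo "ok"; return 0
}
```

Any verdict other than `ok` means the "Enforce the dnscrypt-proxy AppArmor policy" task cannot succeed on that host as it stands.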

xanna6 commented 8 months ago

I have an error related to imports:

TASK [dns : Install dnscrypt-proxy] **********************************************************************************************************
ok: [localhost]

TASK [dns : Ubuntu | Configure AppArmor policy for dnscrypt-proxy] ***************************************************************************
ok: [localhost]

TASK [dns : Ubuntu | Enforce the dnscrypt-proxy AppArmor policy] *****************************************************************************
fatal: [localhost]: FAILED! => {"changed": false, "cmd": ["aa-enforce", "usr.bin.dnscrypt-proxy"], "delta": "0:00:00.064262", "end": "2024-01-17 22:13:19.006356", "msg": "non-zero return code", "rc": 1, "start": "2024-01-17 22:13:18.942094", "stderr": "Traceback (most recent call last):\n  File \"/usr/sbin/aa-enforce\", line 17, in <module>\n    import apparmor.tools\n  File \"/usr/lib/python3/dist-packages/apparmor/tools.py\", line 18, in <module>\n    import apparmor.aa as apparmor\n  File \"/usr/lib/python3/dist-packages/apparmor/aa.py\", line 28, in <module>\n    import apparmor.logparser\n  File \"/usr/lib/python3/dist-packages/apparmor/logparser.py\", line 19, in <module>\n    import LibAppArmor\n  File \"/usr/lib/python3/dist-packages/LibAppArmor/__init__.py\", line 4, in <module>\n    from LibAppArmor.LibAppArmor import *\n  File \"/usr/lib/python3/dist-packages/LibAppArmor/LibAppArmor.py\", line 13, in <module>\n    from . import _LibAppArmor\nImportError: cannot import name '_LibAppArmor' from partially initialized module 'LibAppArmor' (most likely due to a circular import) (/usr/lib/python3/dist-packages/LibAppArmor/__init__.py)", "stderr_lines": ["Traceback (most recent call last):", "  File \"/usr/sbin/aa-enforce\", line 17, in <module>", "    import apparmor.tools", "  File \"/usr/lib/python3/dist-packages/apparmor/tools.py\", line 18, in <module>", "    import apparmor.aa as apparmor", "  File \"/usr/lib/python3/dist-packages/apparmor/aa.py\", line 28, in <module>", "    import apparmor.logparser", "  File \"/usr/lib/python3/dist-packages/apparmor/logparser.py\", line 19, in <module>", "    import LibAppArmor", "  File \"/usr/lib/python3/dist-packages/LibAppArmor/__init__.py\", line 4, in <module>", "    from LibAppArmor.LibAppArmor import *", "  File \"/usr/lib/python3/dist-packages/LibAppArmor/LibAppArmor.py\", line 13, in <module>", "    from . import _LibAppArmor", "ImportError: cannot import name '_LibAppArmor' from partially initialized module 'LibAppArmor' (most likely due to a circular import) (/usr/lib/python3/dist-packages/LibAppArmor/__init__.py)"], "stdout": "", "stdout_lines": []}

TASK [include_tasks] *************************************************************************************************************************
included: /home/rafal/algo/playbooks/rescue.yml for localhost

TASK [debug] *********************************************************************************************************************************
ok: [localhost] => {
    "fail_hint": [
        "Sorry, but something went wrong!",
        "Please check the troubleshooting guide.",
        "https://trailofbits.github.io/algo/troubleshooting.html"
    ]
}

TASK [Fail the installation] *****************************************************************************************************************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "Failed as requested from task"}

PLAY RECAP ***********************************************************************************************************************************
localhost                  : ok=55   changed=2    unreachable=0    failed=1    skipped=28   rescued=1    ignored=0