
Error on applying the sysctl vars on Debian Jessy #230

Closed
hanckmann opened this issue Sep 27, 2019 · 3 comments

Comments

@hanckmann

Describe the bug
After executing the role, a permission error appears (see below).

Expected behavior
I would like to be able to disable certain parts of the role.

Actual behavior

failed: [xxxx] (item={'key': 'net.ipv4.tcp_timestamps', 'value': 1}) => {"ansible_loop_var": "item", "changed": false, "item": {"key": "net.ipv4.tcp_timestamps", "value": 1}, "msg": "Failed to reload sysctl: net.ipv4.ip_forward = 0\nnet.ipv6.conf.all.forwarding = 0\nnet.ipv6.conf.all.accept_ra = 0\nnet.ipv6.conf.default.accept_ra = 0\nnet.ipv4.conf.all.rp_filter = 1\nnet.ipv4.conf.default.rp_filter = 1\nnet.ipv4.icmp_echo_ignore_broadcasts = 1\nnet.ipv4.icmp_ignore_bogus_error_responses = 1\nnet.ipv4.icmp_ratelimit = 100\nnet.ipv4.icmp_ratemask = 88089\nnet.ipv6.conf.all.disable_ipv6 = 1\nnet.ipv4.conf.all.arp_ignore = 1\nnet.ipv4.conf.all.arp_announce = 2\nnet.ipv4.conf.all.shared_media = 1\nnet.ipv4.conf.default.shared_media = 1\nnet.ipv4.conf.all.accept_source_route = 0\nnet.ipv4.conf.default.accept_source_route = 0\nnet.ipv4.conf.default.accept_redirects = 0\nnet.ipv4.conf.all.accept_redirects = 0\nnet.ipv4.conf.all.secure_redirects = 0\nnet.ipv4.conf.default.secure_redirects = 0\nnet.ipv6.conf.default.accept_redirects = 0\nnet.ipv6.conf.all.accept_redirects = 0\nnet.ipv4.conf.all.send_redirects = 0\nnet.ipv4.conf.default.send_redirects = 0\nnet.ipv4.conf.all.log_martians = 1\nnet.ipv4.conf.default.log_martians = 1\nnet.ipv6.conf.default.router_solicitations = 0\nnet.ipv6.conf.default.accept_ra_rtr_pref = 0\nnet.ipv6.conf.default.accept_ra_pinfo = 0\nnet.ipv6.conf.default.accept_ra_defrtr = 0\nnet.ipv6.conf.default.autoconf = 0\nnet.ipv6.conf.default.dad_transmits = 0\nnet.ipv6.conf.default.max_addresses = 1\nkernel.randomize_va_space = 2\nvm.mmap_min_addr = 65536\nsysctl: permission denied on key 'net.ipv4.tcp_timestamps'\nsysctl: permission denied on key 'net.ipv4.tcp_rfc1337'\nsysctl: permission denied on key 'kernel.sysrq'\nsysctl: permission denied on key 'fs.suid_dumpable'\nsysctl: permission denied on key 'kernel.core_uses_pid'\nsysctl: permission denied on key 'kernel.kptr_restrict'\n"}


failed: [xxxx] (item={'key': 'net.ipv4.tcp_rfc1337', 'value': 0}) => {"ansible_loop_var": "item", "changed": false, "item": {"key": "net.ipv4.tcp_rfc1337", "value": 0}, "msg": "Failed to reload sysctl: net.ipv4.ip_forward = 0\nnet.ipv6.conf.all.forwarding = 0\nnet.ipv6.conf.all.accept_ra = 0\nnet.ipv6.conf.default.accept_ra = 0\nnet.ipv4.conf.all.rp_filter = 1\nnet.ipv4.conf.default.rp_filter = 1\nnet.ipv4.icmp_echo_ignore_broadcasts = 1\nnet.ipv4.icmp_ignore_bogus_error_responses = 1\nnet.ipv4.icmp_ratelimit = 100\nnet.ipv4.icmp_ratemask = 88089\nnet.ipv6.conf.all.disable_ipv6 = 1\nnet.ipv4.conf.all.arp_ignore = 1\nnet.ipv4.conf.all.arp_announce = 2\nnet.ipv4.conf.all.shared_media = 1\nnet.ipv4.conf.default.shared_media = 1\nnet.ipv4.conf.all.accept_source_route = 0\nnet.ipv4.conf.default.accept_source_route = 0\nnet.ipv4.conf.default.accept_redirects = 0\nnet.ipv4.conf.all.accept_redirects = 0\nnet.ipv4.conf.all.secure_redirects = 0\nnet.ipv4.conf.default.secure_redirects = 0\nnet.ipv6.conf.default.accept_redirects = 0\nnet.ipv6.conf.all.accept_redirects = 0\nnet.ipv4.conf.all.send_redirects = 0\nnet.ipv4.conf.default.send_redirects = 0\nnet.ipv4.conf.all.log_martians = 1\nnet.ipv4.conf.default.log_martians = 1\nnet.ipv6.conf.default.router_solicitations = 0\nnet.ipv6.conf.default.accept_ra_rtr_pref = 0\nnet.ipv6.conf.default.accept_ra_pinfo = 0\nnet.ipv6.conf.default.accept_ra_defrtr = 0\nnet.ipv6.conf.default.autoconf = 0\nnet.ipv6.conf.default.dad_transmits = 0\nnet.ipv6.conf.default.max_addresses = 1\nkernel.randomize_va_space = 2\nvm.mmap_min_addr = 65536\nsysctl: permission denied on key 'net.ipv4.tcp_timestamps'\nsysctl: permission denied on key 'net.ipv4.tcp_rfc1337'\nsysctl: permission denied on key 'kernel.sysrq'\nsysctl: permission denied on key 'fs.suid_dumpable'\nsysctl: permission denied on key 'kernel.core_uses_pid'\nsysctl: permission denied on key 'kernel.kptr_restrict'\n"}

OS / Environment
Debian Jessie, amd64, running on OpenVZ.
I actually think that OpenVZ is my real issue here. Maybe it is possible to detect that and ignore some of the parts when running on top of OpenVZ.

Ansible Version

ansible 2.8.5
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/xxxx/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.7/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 3.7.4 (default, Jul 16 2019, 07:12:58) [GCC 9.1.0

I am running on Arch Linux with the latest updates applied.

@rndmh3ro
Member

rndmh3ro commented Oct 2, 2019

Hey @hanckmann,

this problem also exists when running against Docker containers. There we skip all the sysctl tasks with --skip-tags "sysctl".

However, Ansible has the fact ansible_virtualization_type (https://github.com/ansible/ansible/blob/3b42b1796c8e282d3159f04812f2666c1fc0ad2d/lib/ansible/module_utils/facts/virtual/linux.py).
This fact shows whether the machine is a Docker container, an OpenVZ machine, LXC, and so on.

We could probably use this variable and only apply sysctl changes on certain systems. However, I'm not sure which systems these are, so I'm happy to accept a PR here.
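One way to gate the sysctl tasks on that fact, as an added example (not the role's own code and not the fix in #240). It assumes the ansible.posix collection is installed and a dict variable `sysctl_config` holding the key/value pairs; the list of container types is the one named in the comment above (docker, openvz, lxc).

```yaml
# Added example, not the project's own code.
# In OpenVZ, Docker and LXC guests the kernel belongs to the host and most
# keys under /proc/sys are read-only, which is what produces
# "sysctl: permission denied on key ..." in the report above.
- name: Gather only virtualization facts (cheap, no full fact run needed)
  ansible.builtin.setup:
    gather_subset:
      - '!all'
      - '!min'
      - virtual

- name: Apply kernel hardening sysctls (skipped inside shared-kernel containers)
  ansible.posix.sysctl:
    name: "{{ item.key }}"
    value: "{{ item.value }}"
    sysctl_set: true
    state: present
    reload: true
  # `sysctl_config` is an assumed variable: {"net.ipv4.tcp_timestamps": 1, ...}
  loop: "{{ sysctl_config | dict2items }}"
  # Only skip when we are the guest; a container *host* still owns its kernel.
  when: >-
    not (ansible_virtualization_role == 'guest'
         and ansible_virtualization_type in ['docker', 'openvz', 'lxc'])
  tags: sysctl
```

The tag keeps the existing `--skip-tags "sysctl"` escape hatch working for any virtualization type the condition does not cover.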

@ghost

ghost commented Oct 28, 2019

Hello! Let's discuss my PR
#240

rndmh3ro pushed a commit that referenced this issue Jul 24, 2020
Signed-off-by: Matthias Lohr <mail@mlohr.com>
rndmh3ro added a commit that referenced this issue Jul 24, 2020
added support for `ssh_server_match_address` (#230)
@rndmh3ro
Member

Should be fixed via #240

Hacktoberfest 2019 automation moved this from Up for grabs to Done Dec 12, 2020
divialth pushed a commit to divialth/ansible-collection-hardening that referenced this issue Aug 3, 2022
Signed-off-by: Matthias Lohr <mail@mlohr.com>
divialth pushed a commit to divialth/ansible-collection-hardening that referenced this issue Aug 3, 2022