Why does sysctl show "failed to access a file" when using Ansible - ansible

I have hit this a few times and never figured it out; it resolved itself.
Running the playbook below gives an error, but it does make the change requested.
If I run the same play again it does show the message, but that is because it is not updating the sysctl.
---
- hosts: "{{ target }}"
  gather_facts: yes
  become: yes
  become_user: root
  tasks:
    - name: add a vm.overcommit_memory setting at the end of the sysctl.conf
      sysctl: name=vm.overcommit_memory value=0 state=present reload=yes
The error is:
fatal: [testbox.local]: FAILED! => {"changed": false, "msg": "Failed to reload sysctl: net.ipv4.tcp_syncookies = 1\nnet.ipv4.tcp_synack_retries = 2\nnet.ipv4.conf.all.accept_redirects = 0\nnet.ipv4.conf.default.accept_redirects = 0\nnet.ipv6.conf.all.accept_ra = 0\nnet.ipv6.conf.default.accept_ra = 0\nnet.ipv4.icmp_ignore_bogus_error_responses = 1\nnet.ipv6.conf.all.disable_ipv6 = 1\nnet.ipv6.conf.default.disable_ipv6 = 1\nkernel.randomize_va_space = 0\nvm.swappiness = 5\nvm.overcommit_memory = 0\nkernel.shmmni = 15872\nkernel.shmmax = 67546587136\nkernel.shmall = 32981732\nkernel.sem = 250 256000 32 15872\nkernel.msgmni = 64417\nkernel.msgmax = 65536\nkernel.msgmnb = 65536\nsysctl: setting key \"kernel.msgmni\": Invalid argument\nsysctl: cannot stat /proc/sys/randomize_va_space: No such file or directory\nsysctl: cannot stat /proc/sys/“vm/overcommit_memory”: No such file or directory\n"}

There is likely a problem with /etc/sysctl.conf prior to the change applied by the play. If you look at the error message there is a typo in kernel.msgmni (which should really be kernel.msgmin) and also double quotes around the path to vm.overcommit_memory. From that I suspect there are bad lines in the file from previous attempts. Try to comment these out, or try again with the vanilla file obtained from your distribution.
On reload, good lines are still applied by sysctl; but there are some wrong lines in the file which sysctl fails to apply and reports, and that is also why it exits with a non-zero exit code, which makes the play fail.

According to the error message
No such file or directory\nsysctl: cannot stat /proc/sys/“vm/overcommit_memory”: No such file or directory\n"
it seems you are running into a barely documented issue. The file path isn't constructed correctly. For possible reasons you may have a look at @blami's answer, since there is also a correct entry in the message with vm.overcommit_memory = 0.
Furthermore, you may need to use the YAML notation like
- name: Add a 'vm.overcommit_memory' setting at the end of the 'sysctl.conf'
  sysctl:
    name: vm.overcommit_memory
    value: 0
    state: present
    reload: yes
which is also used in linux-system-roles/kernel_settings for vm. settings.
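Both answers point at the same root cause: lines already in /etc/sysctl.conf (typographic quotes around a key, a key the kernel does not recognise) make `sysctl -p` exit non-zero, and the module's `reload: yes` turns that exit code into a failed task even though the new line was written. The playbook below is an added example, not code from the question or from either answer. It surfaces such lines before the module touches the file, applies the setting in YAML form, and then reads the live value back from the kernel so a setting that silently did not take is caught. It assumes the `target` inventory variable and the /etc/sysctl.conf path from the question, procps `sysctl` on the target, and a UTF-8 locale for the grep.

```yaml
---
# Added example, not code from the question or from either answer.
# Assumptions: the target inventory variable and /etc/sysctl.conf path are
# the ones in the question; procps `sysctl` is installed on the target;
# the target runs with a UTF-8 locale so grep can match the curly quotes.
- hosts: "{{ target }}"
  gather_facts: yes
  become: yes
  tasks:
    # The quotes seen in the question's error (/proc/sys/“vm/overcommit_memory”)
    # are typographic, not ASCII; sysctl treats them as part of the key name.
    - name: Refuse to continue if sysctl.conf contains typographic quotes
      command: grep -n '[“”‘’]' /etc/sysctl.conf
      register: sysctl_quotes
      changed_when: false
      failed_when: sysctl_quotes.rc == 0   # grep exits 0 only when it finds a match

    # `sysctl -p` is what `reload: yes` runs; running it first makes any line
    # the kernel rejects fail here, before the file is changed.
    - name: Load the existing sysctl.conf once so a rejected line shows up now
      command: sysctl -p /etc/sysctl.conf
      register: sysctl_preflight
      changed_when: false

    - name: Add vm.overcommit_memory to sysctl.conf and reload
      sysctl:
        name: vm.overcommit_memory
        value: '0'
        state: present
        reload: yes

    # A clean reload only proves the file parsed; read the value back from
    # the running kernel so the play fails if the setting did not take.
    - name: Read the running value
      command: sysctl -n vm.overcommit_memory
      register: overcommit_live
      changed_when: false

    - name: Assert the kernel reports the requested value
      assert:
        that:
          - (overcommit_live.stdout | trim) == '0'
        fail_msg: "vm.overcommit_memory is {{ overcommit_live.stdout | trim }}, expected 0"
```

Note that `sysctl -p` is not a dry run: it applies every setting already in the file, exactly as the module's reload does. That is why the pre-flight task is placed before the change, so a failure there points at a pre-existing bad line rather than at the line the play just added. The read-back task matters most for hardening values: a file that `sysctl -p` rejects part-way through leaves every later key unapplied.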

Related

Ansible expect when command asks twice the same question

I'm trying to automate VirtualGL configuration using the command vglserver_config. This script uses this menu:
1) Configure server for use with VirtualGL (GLX + EGL back ends)
2) Unconfigure server for use with VirtualGL (GLX + EGL back ends)
3) Configure server for use with VirtualGL (EGL back end only)
4) Unconfigure server for use with VirtualGL (EGL back end only)
X) Exit
Choose:
I need to feed two different answers to the "Choose:" question:
'1' first time, to configure VirtualGL, followed by actual responses of configuration script (see below)
'x' when exiting the command
Here's the task I've come to:
- name: configure VirtualGL (vglserver_config)
  ansible.builtin.expect:
    command: "{{ vglserver_config_cmd }}"
    responses:
      (.*)Choose:(.*): 1
      (.*)Continue?(.*): y
      (.*)Restrict 3D X server access to vglusers group (recommended)?(.*): y
      (.*)Restrict framebuffer device access to vglusers group (recommended)?(.*): y
      (.*)Disable XTEST extension (recommended)?(.*): y
      (.*)Choose:(.*): x
This does not work: as the entry (.*)Choose:(.*): is duplicated (Ansible complains about that), the command is answered 'X' by the expect module, and thus nothing happens.
I tried an alternative code:
- name: configure VirtualGL (vglserver_config)
  ansible.builtin.expect:
    command: "{{ vglserver_config_cmd }}"
    responses:
      Question:
        - 1
        - y
        - y
        - y
        - y
        - x
But this syntax is incorrect. Ansible throws an error.
How can I solve this issue?
Thx!
Jose
PS. Edited the 2nd code example to reflect the exact one I also tested (same error raised by Ansible).
Ok...
Why would I want to use the expect module for a command that has unattended-mode parameters...
I'm so dumb.
I've changed the "expect" task to a "command" with proper parameters.
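The asker's final fix, passing the command's own unattended-mode parameters, is the better route whenever one exists. For a command that truly has no such mode, the question as originally asked does have an answer in the module itself: the value under `responses` may be a list, and successive matches of the same pattern consume successive list items, so both "Choose:" prompts are covered by one key. The task below is an added example, not the asker's task. It assumes `vglserver_config_cmd` is defined elsewhere, as in the question, and that the prompt texts are exactly those shown in the menu above; the keys are regular expressions, which is why the literal `?` and `(` in the prompts are escaped.

```yaml
# Added example, not the asker's task. Assumes vglserver_config_cmd is
# defined elsewhere and that the prompts match the menu in the question.
- name: configure VirtualGL (vglserver_config) through its interactive menu
  ansible.builtin.expect:
    command: "{{ vglserver_config_cmd }}"
    responses:
      # One key, two answers: the first "Choose:" match gets '1', the second 'x'.
      'Choose:':
        - '1'      # configure server (GLX + EGL back ends)
        - 'x'      # exit the menu after configuration
      # Keys are regexes, so '?' and '(' from the real prompts are escaped.
      'Continue\?': 'y'
      'Restrict 3D X server access to vglusers group \(recommended\)\?': 'y'
      'Restrict framebuffer device access to vglusers group \(recommended\)\?': 'y'
      'Disable XTEST extension \(recommended\)\?': 'y'
    # Fail instead of hanging if the script asks something not listed above.
    timeout: 60
```

The asker's second attempt failed for a different reason than the first: the key `Question:` never matches any prompt, so the list form was right but the pattern was not. Keep `timeout` short for this kind of task; an unlisted prompt otherwise blocks the play until the module's default timeout expires.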

How to check a log for a string and verify app status?

I am a newbie to Ansible and I want to verify if an application (non-service) is running and, if not, start it. So basically look for the output "splunkd is running".
Output of the 'status' command is:
splunkd is running (PID: 15111).
splunk helpers are running (PIDs: 15214 15420 15431 15500).
I also want to check said app's log file for the string "does not exists!" and, if it exists, restart the app (until that string no longer exists in the log; the log currently does rotate upon restart). The servers in question only exist in Production and I don't feel too comfortable executing code there for the 1st time. Below is what I have so far; I feel like the 1st block and 3rd block need editing. Thanks for any assistance and feedback!
- name: Splunk status
  command: sudo /splunk/bin/splunk status
  changed_when: false
- name: Read log
  shell: cat /splunk/log/splunkd.log
  register: splunk_log
- name: Restart if "does not exists!", exists
  command: sudo /splunk/bin/splunk restart
  until: splunk_log.stdout.find('does not exists!') == 0
  #when: splunk_log.stdout.find('does not exists!') != -1
  debug: msg="does not exists! exists, restarting"
  retries: 5
  delay: 60
I don't understand the first task, but I think you're trying to do something like this example of changed_when. Also, for task three, follow this when statement.
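The answer points at `changed_when` and `when`; the tasks below are an added example (not the asker's tasks or the answerer's code) that put those together with `until` so the three steps in the question run without the mixed `command`/`debug` task, which Ansible rejects because a task may carry only one module. The example assumes the paths from the question and that the splunk binary needs root, so it uses `become` instead of a literal `sudo` inside the command string (a `sudo` in the string bypasses Ansible's privilege handling and can prompt for a password the task cannot answer).

```yaml
# Added example, not the asker's tasks or the answerer's code.
# Assumptions: the paths from the question; the splunk binary needs root,
# so the tasks use become rather than a literal sudo in the command string.
- name: Splunk status
  command: /splunk/bin/splunk status
  register: splunk_status
  changed_when: false
  failed_when: false     # a stopped splunkd exits non-zero; handled by the next task
  become: yes

- name: Start Splunk when the status output does not say splunkd is running
  command: /splunk/bin/splunk start
  when: "'splunkd is running' not in splunk_status.stdout"
  become: yes

- name: Look for the error string in the log
  command: grep -c 'does not exists!' /splunk/log/splunkd.log
  register: splunk_log_hits
  changed_when: false
  # grep exits 0 when found, 1 when not found; anything else (e.g. missing file) is an error
  failed_when: splunk_log_hits.rc not in [0, 1]
  become: yes

# Restart, give splunkd time to write, then succeed only if the (rotated)
# log no longer contains the string. A non-zero exit makes `until` re-run
# the whole block after `delay` seconds, up to `retries` times.
- name: Restart Splunk until the error string is gone from the log
  shell: |
    /splunk/bin/splunk restart
    sleep 30
    ! grep -q 'does not exists!' /splunk/log/splunkd.log
  args:
    executable: /bin/bash
  register: splunk_restart
  until: splunk_restart.rc == 0
  retries: 5
  delay: 60
  when: splunk_log_hits.rc == 0
  become: yes
```

Because the question says the log rotates on restart, the final grep inspects the fresh file, which is what "restart until the string no longer exists" needs. For a first run on production, `ansible-playbook --check` is of limited help here (command and shell tasks are skipped in check mode), so run it first with `--limit` on a single host.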

ansible:Failed to connect to the host via ssh: Warning: Permanently added '10.90.0.2' (ECDSA) to the list of known hosts.\r\nPermission denied

I want to use the key to log in to some host, but an error happened.
My files are these below:
[jenkins@ci-jenkins-slave-dev test]$ ls
ansible.cfg hosts test.yml
my hosts file:
[jenkins@ci-jenkins-slave-dev test]$ cat hosts
[controller]
10.90.0.2 ssh_key_pass=passw0rd ansible_ssh_user=root
my playbook:
[jenkins@ci-jenkins-slave-dev test]$ cat test.yml
---
- name: test
  hosts: controller
  tasks:
    - name: add key
      authorized_key:
        user: root
        key: "{{ lookup('file', '~/.ssh/id_rsa.pub') }}"
when I run the playbook:
[jenkins@ci-jenkins-slave-dev test]$ ansible-playbook test.yml
PLAY [test] ******************************************************************************************************************************************************************************************************************************************************************
TASK [add key] ***************************************************************************************************************************************************************************************************************************************************************
fatal: [10.90.0.2]: UNREACHABLE! => {"changed": false, "msg": "Failed to connect to the host via ssh: Warning: Permanently added '10.90.0.2' (ECDSA) to the list of known hosts.\r\nPermission denied (publickey,password).\r\n", "unreachable": true}
to retry, use: --limit @/home/jenkins/ansible-test/test/test.retry
PLAY RECAP *******************************************************************************************************************************************************************************************************************************************************************
10.90.0.2 : ok=0 changed=0 unreachable=1 failed=0
I can use "ssh root@10.90.0.2" and input "passw0rd" to log in, but Ansible can't. I want to know what's wrong?
my ansible.cfg:
[jenkins@ci-jenkins-slave-dev test]$ cat ansible.cfg
# config file for ansible -- http://ansible.com/
# ==============================================
# nearly all parameters can be overridden in ansible-playbook
# or with command line flags. ansible will read ANSIBLE_CONFIG,
# ansible.cfg in the current working directory, .ansible.cfg in
# the home directory or /etc/ansible/ansible.cfg, whichever it
# finds first
[defaults]
# some basic default values...
hostfile = ./hosts
library = /usr/share/ansible
remote_tmp = $HOME/.ansible/tmp
pattern = *
forks = 5
poll_interval = 15
sudo_user = root
#ask_sudo_pass = True
#ask_pass = True
transport = smart
remote_port = 22
module_lang = C
# plays will gather facts by default, which contain information about
# the remote system.
#
# smart - gather by default, but don't regather if already gathered
# implicit - gather by default, turn off with gather_facts: False
# explicit - do not gather by default, must say gather_facts: True
gathering = explicit
# additional paths to search for roles in, colon separated
#roles_path = /etc/ansible/roles
# uncomment this to disable SSH key host checking
host_key_checking = False
# change this for alternative sudo implementations
sudo_exe = sudo
# what flags to pass to sudo
#sudo_flags = -H
# SSH timeout
timeout = 10
# default user to use for playbooks if user is not specified
# (/usr/bin/ansible will use current user as default)
remote_user = root
# logging is off by default unless this path is defined
# if so defined, consider logrotate
#log_path = /var/log/ansible.log
# default module name for /usr/bin/ansible
#module_name = command
# use this shell for commands executed under sudo
# you may need to change this to bin/bash in rare instances
# if sudo is constrained
#executable = /bin/sh
# if inventory variables overlap, does the higher precedence one win
# or are hash values merged together? The default is 'replace' but
# this can also be set to 'merge'.
#hash_behaviour = replace
# list any Jinja2 extensions to enable here:
#jinja2_extensions = jinja2.ext.do,jinja2.ext.i18n
# if set, always use this private key file for authentication, same as
# if passing --private-key to ansible or ansible-playbook
private_key_file = ~/.ssh/id_rsa
# format of string {{ ansible_managed }} available within Jinja2
# templates indicates to users editing templates files will be replaced.
# replacing {file}, {host} and {uid} and strftime codes with proper values.
ansible_managed = Ansible managed: {file} modified on %Y-%m-%d %H:%M:%S by {uid} on {host}
# by default, ansible-playbook will display "Skipping [host]" if it determines a task
# should not be run on a host. Set this to "False" if you don't want to see these "Skipping"
# messages. NOTE: the task header will still be shown regardless of whether or not the
# task is skipped.
#display_skipped_hosts = True
# by default (as of 1.3), Ansible will raise errors when attempting to dereference
# Jinja2 variables that are not set in templates or action lines. Uncomment this line
# to revert the behavior to pre-1.3.
#error_on_undefined_vars = False
# by default (as of 1.6), Ansible may display warnings based on the configuration of the
# system running ansible itself. This may include warnings about 3rd party packages or
# other conditions that should be resolved if possible.
# to disable these warnings, set the following value to False:
#system_warnings = True
# by default (as of 1.4), Ansible may display deprecation warnings for language
# features that should no longer be used and will be removed in future versions.
# to disable these warnings, set the following value to False:
#deprecation_warnings = True
# set plugin path directories here, separate with colons
action_plugins = /usr/share/ansible_plugins/action_plugins
callback_plugins = /usr/share/ansible_plugins/callback_plugins
connection_plugins = /usr/share/ansible_plugins/connection_plugins
lookup_plugins = /usr/share/ansible_plugins/lookup_plugins
vars_plugins = /usr/share/ansible_plugins/vars_plugins
filter_plugins = /usr/share/ansible_plugins/filter_plugins
# don't like cows? that's unfortunate.
# set to 1 if you don't want cowsay support or export ANSIBLE_NOCOWS=1
#nocows = 1
# don't like colors either?
# set to 1 if you don't want colors, or export ANSIBLE_NOCOLOR=1
#nocolor = 1
# the CA certificate path used for validating SSL certs. This path
# should exist on the controlling node, not the target nodes
# common locations:
# RHEL/CentOS: /etc/pki/tls/certs/ca-bundle.crt
# Fedora : /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
# Ubuntu : /usr/share/ca-certificates/cacert.org/cacert.org.crt
#ca_file_path =
# the http user-agent string to use when fetching urls. Some web server
# operators block the default urllib user agent as it is frequently used
# by malicious attacks/scripts, so we set it to something unique to
# avoid issues.
#http_user_agent = ansible-agent
[paramiko_connection]
# uncomment this line to cause the paramiko connection plugin to not record new host
# keys encountered. Increases performance on new host additions. Setting works independently of the
# host key checking setting above.
record_host_keys=False
# by default, Ansible requests a pseudo-terminal for commands executed under sudo. Uncomment this
# line to disable this behaviour.
#pty=False
[ssh_connection]
# ssh arguments to use
# Leaving off ControlPersist will result in poor performance, so use
# paramiko on older platforms rather than removing it
ssh_args = -o ControlMaster=auto -o ControlPersist=60s -o UserKnownHostsFile=/dev/null
# The path to use for the ControlPath sockets. This defaults to
# "%(directory)s/ansible-ssh-%%h-%%p-%%r", however on some systems with
# very long hostnames or very long path names (caused by long user names or
# deeply nested home directories) this can exceed the character limit on
# file socket names (108 characters for most platforms). In that case, you
# may wish to shorten the string below.
#
# Example:
# control_path = %(directory)s/%%h-%%r
#control_path = %(directory)s/ansible-ssh-%%h-%%p-%%r
# Enabling pipelining reduces the number of SSH operations required to
# execute a module on the remote server. This can result in a significant
# performance improvement when enabled, however when using "sudo:" you must
# first disable 'requiretty' in /etc/sudoers
#
# By default, this option is disabled to preserve compatibility with
# sudoers configurations that have requiretty (the default on many distros).
#
#pipelining = False
# if True, make ansible use scp if the connection type is ssh
# (default is sftp)
#scp_if_ssh = True
[accelerate]
accelerate_port = 5099
accelerate_timeout = 30
accelerate_connect_timeout = 5.0
# The daemon timeout is measured in minutes. This time is measured
# from the last activity to the accelerate daemon.
accelerate_daemon_timeout = 30
# If set to yes, accelerate_multi_key will allow multiple
# private keys to be uploaded to it, though each user must
# have access to the system via SSH to add a new key. The default
# is "no".
#accelerate_multi_key = yes
If you need any additional information, please let me know and I will add it.
I also faced the same problem. I missed a step.
ssh-copy-id localhost
Then you can successfully run,
ansible-playbook -i hosts simple-docker-project.yml --check
The variable for the password is ansible_ssh_pass, but you use ssh_key_pass.
Try with this inventory:
[controller]
10.90.0.2 ansible_ssh_pass=passw0rd ansible_ssh_user=root
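The variable-name fix above is all the error needs, but two things in the posted setup deserve a second look before it is copied further: the root password sits in clear text in the inventory, and the posted ansible.cfg combines `host_key_checking = False` with `-o UserKnownHostsFile=/dev/null`, so ssh accepts whatever host key 10.90.0.2 presents (the "Permanently added ... (ECDSA)" warning in the error output is that acceptance happening). The playbook below is an added example, not the asker's test.yml or either answer. It installs the control node's public key with the password prompted rather than stored, and pins the target's host key first. It assumes the host key was obtained out of band (the machine's console, or ssh-keyscan over a path you trust) and pasted into `controller_host_key`; the value shown is a placeholder, and the file names are the ones from the question.

```yaml
---
# Added example, not the asker's test.yml or either answer.
# Assumed: the target's host key was obtained out of band and pasted into
# controller_host_key (the value below is a placeholder); inventory file
# "hosts" lists 10.90.0.2 in [controller] with ansible_user=root and no
# password. Run once with the password prompted (needs sshpass locally):
#   ansible-playbook -i hosts bootstrap.yml --ask-pass
- name: bootstrap key-based root access to the controller
  hosts: controller
  gather_facts: no
  vars:
    controller_host_key: "10.90.0.2 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA...placeholder"
  tasks:
    # Runs on the control node before any connection to 10.90.0.2 is opened,
    # so the first ssh already has a key to verify against.
    - name: pin the controller's host key on the control node
      ansible.builtin.known_hosts:
        name: 10.90.0.2
        key: "{{ controller_host_key }}"
        state: present
      delegate_to: localhost
      run_once: true
      become: no

    # Password auth (from --ask-pass) is used for this one task; after it,
    # every later play can use the key and the password can be retired.
    - name: install the control node's public key for root
      ansible.builtin.authorized_key:
        user: root
        key: "{{ lookup('file', '~/.ssh/id_rsa.pub') }}"
        state: present
```

With the host key pinned, leave `host_key_checking` at its default and drop `UserKnownHostsFile=/dev/null` from `ssh_args`; a changed key on 10.90.0.2 then fails the connection instead of being silently re-learned. If the password must live in a file, put it in a vars file encrypted with ansible-vault rather than in the plain inventory.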

How to remove a string in limits.conf with ansible pam_limits module?

I'm configuring /etc/security/limits.conf with Ansible's new module pam_limits.
What I've succeeded at:
Setting values for a specific domain and type in the default limits.conf (a new string is appended to the end of the file).
Changing values (the string gets rewritten).
The problem is when I want to completely remove the setting, e.g. I don't want to save core dumps anymore. How should I use pam_limits to remove the string completely?
I've managed to develop the following workaround, but I don't consider it good. It doesn't remove the string but rather sets the limit to 0, which may not be the same.
roles/myrole/tasks/main.yaml
...
- name: enable core dumps for myservice
pam_limits: domain='*' limit_type='-' limit_item=core value="{{ 'unlimited' if myrole_save_core_dumps else 0 }}"
...
group_vars/myhosts.yaml:
myrole_save_core_dumps: true
myservice.yaml
- hosts: myhosts
  become: yes
  roles:
    - myrole
I believe this would be a feature which is currently not implemented. But there is a feature request on GitHub for this feature.
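Until pam_limits grows a removal state, the line can be deleted with lineinfile, matched on the same three columns (domain, type, item) that pam_limits uses to identify an entry. The tasks below are an added example, not from the question or the answer; they assume the variable name and file paths from the question. Removing the line restores whatever default applies on the host, which is the behaviour the asker wanted and which `value: 0` does not give.

```yaml
# Added example, not from the question or the answer. Assumes the
# myrole_save_core_dumps variable and the paths from the question.
- name: enable core dumps for myservice
  pam_limits:
    domain: '*'
    limit_type: '-'
    limit_item: core
    value: unlimited
  when: myrole_save_core_dumps

# limits.conf columns are whitespace separated: <domain> <type> <item> <value>.
# The regex anchors on the first three so only this entry is removed, and
# state=absent deletes every line that matches.
- name: remove the core-dump limit line entirely when dumps are not wanted
  lineinfile:
    path: /etc/security/limits.conf
    regexp: '^\*\s+-\s+core\s'
    state: absent
  when: not myrole_save_core_dumps
```

If the entry was written into a file under /etc/security/limits.d/ instead of limits.conf, point `path` at that file; lineinfile does not search directories.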

Proper syntax of write_files directive in cloud config?

I'm trying to get a cloud config script working properly with my DigitalOcean droplet, but I'm testing on local lxc containers in the interim.
One consistent problem I have is that I can never get the write_files directive working properly for more than one file. It seems to behave in weird ways that I cannot understand.
For example, this configuration is incorrect, and only outputs a single file (.tarsnaprc) in /tmp:
#cloud-config
users:
  - name: julian
    shell: /bin/bash
    ssh_authorized_keys:
      - ssh-rsa myrsakeygoeshere julian@hostname
write_files:
  - path: /tmp/.tarsnaprc
    permissions: "0644"
    content: |
      cachedir /home/julian/tarsnap-cache
      keyfile /home/julian/tarsnap.key
      nodump
      print-stats
      checkpoint-bytes 1G
    owner: julian:julian
  - path: /tmp/lxc
    content: |
      lxc.id_map = u 0 100000 65536
      lxc.id_map = g 0 100000 65536
      lxc.network.type = veth
      lxc.network.link = lxcbr0
    permissions: "0644"
However, if I swap the two items in the write_files array, it magically works and creates both files, .tarsnaprc and lxc. What am I doing wrong? Do I have a syntax error?
It may be too late, as it was posted 1 year ago. The problem is setting the owner in /tmp/.tarsnaprc, as the user does not exist when the file is created.
Check cloud-init: What is the execution order of cloud-config directives? answer that clearly explains the order of cloud-config directives.
Do not write files under /tmp during boot because of a race with systemd-tmpfiles-clean that can cause temp files to get cleaned during the early boot process. Use /run/somedir instead to avoid race LP:1707222.
ref: https://cloudinit.readthedocs.io/en/latest/topics/modules.html#write-files
Came here because of using Canonical's multipass. Nowadays the answers of @rvelaz and @Christian still hint in the right direction. The corrected example would look like this:
#cloud-config
users:
  - name: julian
    shell: /bin/bash
    ssh_authorized_keys:
      - ssh-rsa myrsakeygoeshere julian@hostname
write_files:
  # not writing to /tmp
  - path: /data/.tarsnaprc
    permissions: "0644"
    content: |
      cachedir /home/julian/tarsnap-cache
      keyfile /home/julian/tarsnap.key
      nodump
      print-stats
      checkpoint-bytes 1G
    # at execution time, this owner does not yet exist (see runcmd)
    # owner: julian:julian
  - path: /data/lxc
    content: |
      lxc.id_map = u 0 100000 65536
      lxc.id_map = g 0 100000 65536
      lxc.network.type = veth
      lxc.network.link = lxcbr0
    permissions: "0644"
runcmd:
  - "chown julian:julian /data/lxc /data/.tarsnaprc"
