Port forward with Ansible and firewalld - ansible

I am experimenting with Ansible and want to set a port forward rule in firewalld.
I've tried the following:
- name: Port forward for 443
  become: true
  ansible.posix.firewalld:
    port_forward:
      - port: 443
        proto: tcp
        toport: 2443
    state: enabled
This resulted in:
ERROR: Exception caught: queryForwardPort() got an unexpected keyword argument 'to_port'
If I format it as a list it says
Only one port forward supported at a time
and if I format it as a dict I get:
argument port_forward is of type <class 'dict'> and we were unable to convert to list: <class 'dict'> cannot be converted to a list
I'm using a Debian 11 VM with Ansible 2.10.8. I've installed the latest ansible.posix (1.3.0) as the included version was older (1.1.1). I can manually create the rule on the target machine (OEL 8).
This is as far as I got using the documentation.
Any idea how to get this working?
Thank you in advance!

At a short glance there seem to be syntax errors. The first error message says
ERROR: Exception caught: queryForwardPort() got an unexpected keyword argument 'to_port'
to_port, whereas it should be toport according to the linked documentation of the firewalld module. Since you are on the ansible.posix collection v1.3.0 and there is a bug report open (Ansible Collections ansible.posix Issue #247), where downgrading to v1.2.0 fixed the issue, another approach might be, according to Ansible Issue #28349, to use the parameter rich_rule. That would work for v1.1.1 too.
- name: Redirect port 443 to 8443
  firewalld:
    rich_rule: "rule family={{ item }} forward-port port=443 protocol=tcp to-port=8443"
    zone: public
    permanent: true
    immediate: true
    state: enabled
  with_items:
    - ipv4
    - ipv6
To get the older version you could use
ansible-galaxy collection install ansible.posix:1.2.0
The syntax error is in the file ansible.posix/plugins/modules/firewalld.py and seems simple enough that one can fix it locally oneself in the meantime.
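An added example, not part of the question or the answer above: a complete playbook that applies the rich_rule workaround for the asker's 443 -> 2443 case on both address families and then proves the rule is actually active by querying firewalld. `firewall-cmd --query-rich-rule` prints yes/no and exits 0/1, so a missing runtime rule fails the verification task instead of going unnoticed. The host group, zone name and variable names are assumptions; the target is an OEL 8 host running firewalld as in the question.

```yaml
# Added example: firewalld forward-port via rich rules, with a verification step.
# Assumptions: managed hosts are in group "web", zone "public", firewalld is running,
# and the forward target is a port on the same host (no to-addr, so no masquerade).
- name: Redirect 443 to 2443 with firewalld rich rules
  hosts: web
  become: true
  vars:
    fw_zone: public
    fw_port: 443
    fw_toport: 2443
    fw_proto: tcp
    fw_families:
      - ipv4
      - ipv6
  tasks:
    - name: Add forward-port rich rule (runtime and permanent) per address family
      ansible.posix.firewalld:
        zone: "{{ fw_zone }}"
        rich_rule: "rule family={{ item }} forward-port port={{ fw_port }} protocol={{ fw_proto }} to-port={{ fw_toport }}"
        permanent: true
        immediate: true
        state: enabled
      loop: "{{ fw_families }}"

    # --query-rich-rule exits 1 when the rule is absent, which fails this task:
    # the play only passes when the runtime configuration really carries the rule.
    - name: Verify the runtime rule is present in the zone
      ansible.builtin.command:
        argv:
          - firewall-cmd
          - "--zone={{ fw_zone }}"
          - "--query-rich-rule=rule family={{ item }} forward-port port={{ fw_port }} protocol={{ fw_proto }} to-port={{ fw_toport }}"
      loop: "{{ fw_families }}"
      changed_when: false
```

Forwarding to a port on the same host needs nothing else. If the rule is later extended with `to-addr=` to send traffic to another machine, firewalld requires masquerading on the zone (the same module's `masquerade: true`), otherwise the replies from the real server bypass the forwarding host.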

Related

Is it possible to manage a device instead of a connection with Ansible 'nmcli' module?

I have to apply the following configuration on several hosts via Ansible:
nmcli device modify "device_name" ens192 ipv6.method "disabled"
I wanted to use the nmcli module instead of a command as it is cleaner. But from what I found in the documentation and forums, the nmcli module manages only connections.
Apart from retrieving all connections associated with an interface and modifying each one using the Ansible nmcli module, I could not find a way to do it. This solution being, in my opinion, uglier than using the command module, I will stick with command.
Any informed comment or suggestion would be appreciated.
For the sake of precision the current code used to disable ipv6 if networkmanager is used:
- name: get service facts
  service_facts:

- name: Disable ipv6 with network manager
  become: yes
  command: "/bin/nmcli device modify {{ ansible_default_ipv4.interface }} ipv6.method 'disabled'"
  when: ansible_facts.services["NetworkManager.service"] is defined
  changed_when: false
I am not sure if I understand your question fully, since there is no example of what you have tried, no problem description, no description of your system, used versions, configuration or error messages.
Regarding
I wanted to use the nmcli module instead of a command as it is cleaner
and according to the documentation of the module nmcli there is a parameter ifname:
The interface to bind the connection to.
The connection will only be applicable to this interface name.
A special value of '*' can be used for interface-independent connections.
The ifname argument is mandatory for all connection types except bond, team, bridge, vlan and vpn.
This parameter defaults to conn_name when left unset for all connection types except vpn that removes it.
So looking at the CLI output of nmcli device show:
GENERAL.DEVICE: eth0
GENERAL.TYPE: ethernet
GENERAL.HWADDR: AB:CD:EF:01:02:03
GENERAL.MTU: 1500
GENERAL.STATE: 100 (connected)
GENERAL.CONNECTION: eth0
...
and since conn_name obviously points to GENERAL.CONNECTION, wouldn't the parameter ifname (for GENERAL.DEVICE) be the one you are looking for?
The examples also show the usage of ifname together with conn_name.
Furthermore, ipv6.method disabled isn't available in, for example, RHEL 7, but only as of 8.
- name: Make sure IPv6 is disabled
  shell:
    cmd: nmcli conn mod eth0 ipv6.method disabled
  when: ansible_distribution == 'RedHat' and ansible_distribution_major_version == '8'

Can we create a playbook to install a package in our own system?

I'm using Ubuntu Linux
I have created an inventory file and I have put my own system IP address there.
I have written a playbook to install the nginx package.
I'm getting the following error:
msg: Failed to connect to the host via ssh: connect to host myip: Connection refused, unreachable=true
How can I solve this?
You could use the hosts keyword with the value localhost
- name: Install nginx package
  hosts: localhost
  tasks:
    - name: Install nginx package
      apt:
        name: nginx
        state: latest
Putting your host IP directly in your inventory treats your local machine as any other remote target. Although this can work, ansible will use the ssh connection plugin by default to reach your IP. If an ssh server is not installed/configured/running on your host it will fail (as you have experienced), as well as if you did not configure the needed credentials (ssh keys, etc.).
You don't need to (and in most common situations you don't want to) declare localhost in your inventory to use it as it is implicit by default. The implicit localhost uses the local connection plugin which does not need ssh at all and will use the same user to run the tasks as the one running the playbook.
For more information on connection plugins, see the current list
See gary lopez's answer for an example playbook that uses localhost as the target.

Test if a server is reachable from host and has port open with Ansible

I want to test if the host I am provisioning can reach a specific server and connect to a specific TCP port. If it can't the playbook should fail.
How can I do that?
There is the wait_for module for this.
To check that target.host can access remote.host:8080:
- hosts: target.host
  tasks:
    - wait_for: host=remote.host port=8080 timeout=1
    - debug: msg=ok
There are a lot of other examples in the documentation.
Using wait_for is fine; however, it requires that the service is actually running and replies.
If you just want to check whether the port is open in your firewall, you can use curl.
- name: Check if host is reachable
  shell:
    cmd: "/usr/bin/curl --connect-timeout 10 --silent --show-error remote.host:8080"
    warn: no
    executable: /bin/bash
  register: res
  failed_when: res.rc in [28] or res.stderr is search("No route to host")
When the port is open but the service does not run you get curl: (7) Failed connect to 10.192.147.224:27019; Connection refused, which you would consider OK.
A connection blocked by a firewall will return curl: (28) Connection timed out after 10001 milliseconds
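An added example, not part of either answer above, that turns the curl exit-code observations into a verdict the play can act on. Exit code 28 is curl's CURLE_OPERATION_TIMEDOUT (the SYN was silently dropped); 7 is CURLE_COULDNT_CONNECT and covers both "Connection refused" (a TCP RST came back, so the port is open at the firewall but nothing listens) and "No route to host" (a routing problem, or what firewalld's default REJECT with icmp-host-prohibited looks like from the client). Any other exit code means the handshake completed; a non-HTTP listener typically yields 52 or 56, which is still "open". The host names, port and variable names are assumptions.

```yaml
# Added example: classify TCP reachability from the managed host using curl's exit codes.
# Assumptions: curl is installed on the managed host; remote.host:8080 is the target.
- name: Classify reachability of remote.host:8080 from the managed host
  hosts: target.host
  vars:
    probe_host: remote.host
    probe_port: 8080
    probe_timeout: 5
  tasks:
    - name: Probe the port (never fails by itself; the result is judged below)
      ansible.builtin.command:
        argv:
          - curl
          - --connect-timeout
          - "{{ probe_timeout }}"
          - --silent
          - --show-error
          - "{{ probe_host }}:{{ probe_port }}"
      register: probe
      changed_when: false
      failed_when: false
      # delegate_to: localhost   # uncomment to probe from the controller instead

    # rc 28: connect timed out (packets dropped, i.e. filtered).
    # rc 7 + "refused": TCP RST, open at the firewall but no listener.
    # rc 7 otherwise: routing failure or REJECT ("No route to host").
    # anything else: the three-way handshake completed, so the port is open.
    - name: Map curl's exit code to a verdict
      ansible.builtin.set_fact:
        verdict: >-
          {{ 'filtered (connect timed out)' if probe.rc == 28
             else ('open, nothing listening (connection refused)' if probe.rc == 7 and 'refused' in probe.stderr
             else ('unreachable: ' ~ probe.stderr) if probe.rc == 7
             else 'open, a service accepted the connection') }}

    - name: Fail the play unless the port is reachable at the TCP level
      ansible.builtin.assert:
        that:
          - probe.rc != 28
          - probe.rc != 7 or 'refused' in probe.stderr
        fail_msg: "{{ probe_host }}:{{ probe_port }} -> {{ verdict }}"
        success_msg: "{{ probe_host }}:{{ probe_port }} -> {{ verdict }}"
```

The check runs on the managed host, which is what the question asks for (can the host being provisioned reach the server); with `delegate_to: localhost` the same tasks test the path from the controller instead, which is a different answer when the two sit in different network segments.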

Error When Running Released Version of Kibana (ZeroClipboard)

So I'm running Kibana on a server in the cloud and I'm getting the following error:
Error: Uncaught ReferenceError: ZeroClipboard is not defined (http://.../index.js?_b=6004:89886)
at window.onerror (http://.../index.js?_b=6004:45829:24)
I've googled this and I've only found people talking about this issue on pre-release versions of Kibana. I'm running version 4.0.2 and I get the same issue when I run 4.0.1. Anyone see this before?
Here's a public url to my kibana server: http://52.7.27.45:5601/
UPDATE:
kibana.yml
port: 5601
host: "0.0.0.0"
elasticsearch_url: "http://...:9200"
elasticsearch_preserve_host: true
kibana_index: ".kibana"
default_app_id: "discover"
ping_timeout: 300000
request_timeout: 300000
shard_timeout: 0
verify_ssl: true
Update 2:
I just tried running kibana on the same instance as one of my elasticsearch nodes and I didn't get this error. This seems to be related to running kibana on a host that isn't running an elasticsearch node. Seems crazy to me...
I had a similar problem in the past, and I believe the plugins are not being loaded; in kibana.yml you should have the following:
# Plugins that are included in the build, and no longer found in the plugins/ folder
bundled_plugin_ids:
- plugins/dashboard/index
- plugins/discover/index
- plugins/doc/index
- plugins/kibana/index
- plugins/markdown_vis/index
- plugins/metric_vis/index
- plugins/settings/index
- plugins/table_vis/index
- plugins/vis_types/index
- plugins/visualize/index
Related: https://github.com/elastic/kibana/issues/2617

Windows 8.1 + DNSCrypt + Unbound for DNS Cache

I'm following this guide (http://yvoinov.blogspot.it/2014/05/windows-7-unbound-dnscrypt.html) and others but nothing:
I have Windows 8.1 x64, DNSCrypt 1.4.3, Unbound last version downloaded from the site.
I started DNSCrypt on 127.0.0.1:53, changed my DNS setup in network card to 127.0.0.1 and I set this in service.conf of Unbound:
# Unbound configuration file on windows.
# See example.conf for more settings and syntax
server:
  # verbosity level 0-4 of logging
  verbosity: 4
  # if you want to log to a file use
  logfile: "C:\unbound.log"
  prefetch: yes
  prefetch-key: yes
  minimal-responses: yes
  do-ip4: yes
  do-ip6: no
  do-udp: yes
  do-not-query-localhost: no
  local-zone: "example.com" redirect
  local-data: "example.com A 127.0.0.1"

forward-zone:
  name: "."
  forward-addr: 127.0.0.1#53

server:
  auto-trust-anchor-file: "C:\Program Files (x86)\Unbound\root.key"
Where am I wrong?
If I go to example.com the site shows, even though Unbound should redirect it to 127.0.0.1 as I set it.
This means that Unbound is not correctly configured and does not work. Doesn't it?
forward-addr: 127.0.0.1#53 doesn't make sense, since Unbound is probably also listening on port 53.
You need to have dnscrypt-proxy listen to a different port, such as 5353, and forward to that port in Unbound's configuration.
I installed dnscrypt with:
dnscrypt-proxy.exe -R "dnscrypt.eu-nl" -a 127.0.0.2:40 --install
& added at the end of C:\Program Files (x86)\Unbound\service :
##### Settings for dnscrypt #####
forward-zone:
  name: "."
  forward-addr: 127.0.0.2#40
& in the Windows network interface properties set the DNS server to 127.0.0.1 (unbound listens by default on port 53 on 127.0.0.1 and ::1)
Tested in Windows 10.