Develop Reference

How to connect a bridge to a tunnel with netplan?

Well, before I asked this question, I searched a lot and couldn't find a proper answer (or the question was wrongly asked).
I want to connect a bridge to a GRE tunnel on netplan.
I can successfully do the connection, but the routing table doesn't get updated correctly. I am forced to add the route manually for it to work.
So, here's my netplan setup:
network:
version: 2
ethernets:
enp1s0f0:
dhcp4: no
accept-ra: false
addresses:
- 192.168.0.100/24
routes:
- to: default
via: 192.168.0.254
match:
macaddress: d8:5e:d3:43:cd:ae
set-name: enp1s0f0
nameservers:
addresses:
- 1.1.1.1
- 1.0.0.1
- 2606:4700:4700::1111
- 2606:4700:4700::1001
tunnels:
gre1:
mode: gre
remote: 192.168.100.150
local: 192.168.0.100
bridges:
br1:
dhcp4: false
dhcp6: false
optional: true
interfaces: [ gre1 ]
addresses:
- 172.16.20.2/30
routes:
- to: default
via: 172.16.20.1
scope: link
table: 100
routing-policy:
- from: 172.16.20.0/30
table: 100
With the above configuration, the gre1 has a state UNKNOWN and the br1 state is DOWN.
If I try to ping 172.16.20.1 it fails.
But, if I run:
ip route add 172.16.20.0/30 dev gre1
I can ping without any issues.
Anyone has a clue on how to solve this riddle?

Is it possible to write an ansible playbook that can tell me if my ec2 instance has a security group that opens a port?

I would like to write an ansible playbook that will tell me if my ec2 instances have a security group that contains a rule that allows ingress on a specified port. I have seen answers like Test if a server is reachable from host and has port open with Ansible where one would have this in the playbook:
- hosts: target.host
tasks:
- wait_for: host=remote.host port=8080 timeout=1
- debug: msg=ok
But that tells me if something is listening on port 8080 on the remote host. In my circumstance there will be no process listening because the service has not yet been installed.

You could try using the aws ec2 module to get Netword ACLs and apply a filter to get the one's you're after. Using tags could also be an easy method to filter the resources for your playbook. This code is untested, and you'd need to parse the response into your playbook get the information you're after. It's basically a starting point. Check this link for further info.
# Retrieve Port 8080 Network ACLs
- name: Get Port 8080 NACLs
community.aws.ec2_vpc_nacl_info:
region: us-west-2
filters:
'entry.port-range.from': 8080,
'entry.port-range.to': 8080
register: port_8080_nacls

What's the correct way to configure ansible tasks to make helm deployments fault tolerant of internet connection issues?

I'm deploying helm charts using community.kubernetes.helm with ease but I've run into conditions where the connection is refused and it's not clear how best to configure a retries/wait/until. I've run into a case where every now and then, helm can't communicate with the cluster, here's an example (dns/ip faked) showing that the issue is as simple as not being able to connect to the cluster:
fatal: [localhost]: FAILED! => {"changed": false, "command":
"/usr/local/bin/helm --kubeconfig /var/opt/kubeconfig
--namespace=gpu-operator list --output=yaml --filter gpu-operator", "msg": "Failure when executing Helm command. Exited 1.\nstdout:
\nstderr: Error: Kubernetes cluster unreachable: Get
"https://ec2-host/k8s/clusters/c-xrsqn/version?timeout=32s": dial
tcp 192.168.1.1:443: connect: connection refused\n", "stderr": "Error:
Kubernetes cluster unreachable: Get
"https://ec2-host/k8s/clusters/c-xrsqn/version?timeout=32s": dial
tcp 192.168.1.1:443: connect: connection refused\n", "stderr_lines":
["Error: Kubernetes cluster unreachable: Get
"https://ec2-host/k8s/clusters/c-xrsqn/version?timeout=32s": dial
tcp 192.168.1.1:443: connect: connection refused"], "stdout": "",
"stdout_lines": []}
In my experience, I have seen that try/retry will work. I agree that it would be ideal to figure out why I can't connect to the service, but it would be even more ideal to work around this by taking advantage of a catch all "until" block that tries this block until it works or gives up after N tries while taking a break of N seconds.
Here's an example of the ansible block:
- name: deploy Nvidia GPU Operator
block:
- name: deploy gpu operator
community.kubernetes.helm:
name: gpu-operator
chart_ref: "{{ CHARTS_DIR }}/gpu-operator"
create_namespace: yes
release_namespace: gpu-operator
kubeconfig: "{{ STATE_DIR }}/{{ INSTANCE_NAME }}-kubeconfig"
until: ???
retries: 5
delay: 3
when: GPU_NODE is defined
I would really appreciate any suggestions/pointers.

I discovered that registering the output and then testing until it's defined get's ansible to rerun. The key is learning what is going to be a successful output. For helm, it says it will define a status when it works correctly. So, this is what you need to add
register: _gpu_result
until: _gpu_result.status is defined
ignore_errors: true
retries: 5
delay: 3
retries/delay is up to you

Cannot connect to WindowsServer from Centos7 due to ProxyError

I am trying to connect to Windows Server 2012 from my ansible server (Centos7).
Let's assume its host is x and port is y
I managed to connect to other linux based servers but I cannot connect to the windows one.
I followed the tutorial here and after all setups and configurations I get the following error:
root#localhost: ansible# ansible windows -i hosts -m win_ping --ask-vault-pass
Vault password:
WindowsServer | UNREACHABLE! => {
"changed": false,
"msg": "ssl: HTTPSConnectionPool(host='x', port=y): Max retries exceeded with url: /wsman (Caused by ProxyError('Cannot connect to proxy.', error('Tunnel connection failed: 403 Forbidden',)))",
This is my group_vars/windows.yml file:
# it is suggested that these be encrypted with ansible-vault:
# ansible-vault edit group_vars/windows.yml
ansible_user: Administrator
ansible_password: password
ansible_port: y
ansible_connection: winrm
This is my hosts file snippet:
[windows]
WindowsServer ansible_host=x
I did configure windows server with this file.
Please help, I have no idea what to do to make the connection work.

As J and Mike from ansible google group suggested:
The reason of the error were environment variables HTTP_PROXY and HTTPS_PROXY that ansible used from the system.
To let ansible know that you are using proxy you have to:
1. Locate transport.py that comes with pywinrm
2. modify the following line session.trust_env to make it false.
125 # configure proxies from HTTP/HTTPS_PROXY envvars
126 # session.trust_env = True
127 session.trust_env = False
3. pywinrm will no longer check your local env for a proxy.
After that I also neeeded to add one more variable to group_vars/windows.yml file:
ansible_winrm_server_cert_validation: ignore

Test if a server is reachable from host and has port open with Ansible

I want to test if the host I am provisioning can reach a specific server and connect to a specific TCP port. If it can't the playbook should fail.
How can I do that?

There is wait_for module for this.
To check that target.host can access remote.host:8080:
- hosts: target.host
tasks:
- wait_for: host=remote.host port=8080 timeout=1
- debug: msg=ok
There are a lot of other examples in the documentation.

Using wait_for is fine, however it requires the service is actually running and gives a reply.
If you just like to check whether the port is open in your firewall, you can use curl.
- name: Check if host is reachable
shell:
cmd: "/usr/bin/curl --connect-timeout 10 --silent --show-error remote.host:8080"
warn: no
executable: /bin/bash
register: res
failed_when: res.rc in [28] or res.stderr is search("No route to host")
When the port is open but service does not run you get an curl: (7) Failed connect to 10.192.147.224:27019; Connection refused" which you would consider as OK.
A connection blocked by firewall will return curl: (28) Connection timed out after 10001 milliseconds