ansible.posix
Authorization issue with ansible.posix.firewalld during module initialization
SUMMARY
ansible.posix.firewalld errors out with org.fedoraproject.slip.dbus.service.PolKit.NotAuthorizedException, even with --become.
ISSUE TYPE
- Bug Report
COMPONENT NAME
ansible.posix.firewalld
ANSIBLE VERSION
ansible 2.9.27
config file = /work/mwilck/nvme-poc/nvmet-server/ansible.cfg
configured module search path = ['/home/mwilck/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python3.6/site-packages/ansible
executable location = /usr/bin/ansible
python version = 3.6.15 (default, Sep 23 2021, 15:41:43) [GCC]
COLLECTION VERSION
ansible-galaxy collection list is unsupported on this platform
cat ~/.ansible/collections/ansible_collections/ansible/posix/MANIFEST.json
{
    "collection_info": {
        "namespace": "ansible",
        "name": "posix",
        "version": "1.5.1",
        "authors": [
            "Ansible (github.com/ansible)"
        ],
        ...
CONFIGURATION
DEFAULT_HOST_LIST(/work/mwilck/nvme-poc/nvmet-server/ansible.cfg) = ['/work/mwilck/nvme-poc/nvmet-server/.vagrant/provisioners/ansible/inventory']
DEFAULT_TIMEOUT(/work/mwilck/nvme-poc/nvmet-server/ansible.cfg) = 10
OS / ENVIRONMENT
Host OS: SUSE Linux Enterprise Server 15 SP4. Target OS: openSUSE Leap 15.4
STEPS TO REPRODUCE
ansible -b -m ansible.posix.firewalld -a 'zone=internal service=https state=enabled' all
EXPECTED RESULTS
I expect the command to succeed. The command above does indeed succeed if I use ansible.builtin.firewalld instead of ansible.posix.firewalld (the builtin module still exists in ansible 2.9.27):
ansible -b -m ansible.builtin.firewalld -a 'zone=internal service=https state=enabled' all
vagrant-nvmet | CHANGED => {
    "changed": true,
    "msg": "Non-permanent operation, Changed service https to enabled"
}
ansible.builtin.firewalld fails without --become (not surprisingly), also with org.fedoraproject.slip.dbus.service.PolKit.NotAuthorizedException.
Running an equivalent command works, too:
ansible -b -m command -a 'firewall-cmd --zone=internal --add-service=https' all
ACTUAL RESULTS
$ ansible -b -m ansible.posix.firewalld -a 'zone=internal service=https state=enabled' all
ERROR:dbus.proxies:Introspect error on :1.4328:/org/fedoraproject/FirewallD1: dbus.exceptions.DBusException: org.fedoraproject.slip.dbus.service.PolKit.NotAuthorizedException.org.fedoraproject.FirewallD1.info:
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: dbus.exceptions.DBusException: org.fedoraproject.slip.dbus.service.PolKit.NotAuthorizedException.org.fedoraproject.FirewallD1.info:
vagrant-nvmet | FAILED! => {
    "msg": "Unexpected failure during module execution.",
    "stdout": ""
}
If I run the command verbosely (`-vvv`), I see:
<192.168.121.83> ESTABLISH SSH CONNECTION FOR USER: vagrant
<192.168.121.83> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o Port=22 -o 'IdentityFile="/work/mwilck/nvme-poc/nvmet-server/.vagrant/machines/vagrant-nvmet/libvirt/private_key"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="vagrant"' -o ConnectTimeout=10 -o ControlPath=/home/mwilck/.ansible/cp/6f7724bcde 192.168.121.83 '/bin/sh -c '"'"'echo ~vagrant && sleep 0'"'"''
<192.168.121.83> (0, b'/home/vagrant\n', b'')
<192.168.121.83> ESTABLISH SSH CONNECTION FOR USER: vagrant
<192.168.121.83> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o Port=22 -o 'IdentityFile="/work/mwilck/nvme-poc/nvmet-server/.vagrant/machines/vagrant-nvmet/libvirt/private_key"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="vagrant"' -o ConnectTimeout=10 -o ControlPath=/home/mwilck/.ansible/cp/6f7724bcde 192.168.121.83 '/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo /home/vagrant/.ansible/tmp `"&& mkdir "` echo /home/vagrant/.ansible/tmp/ansible-tmp-1676482025.4024374-17052-327545317198 `" && echo ansible-tmp-1676482025.4024374-17052-327545317198="` echo /home/vagrant/.ansible/tmp/ansible-tmp-1676482025.4024374-17052-327545317198 `" ) && sleep 0'"'"''
<192.168.121.83> (0, b'ansible-tmp-1676482025.4024374-17052-327545317198=/home/vagrant/.ansible/tmp/ansible-tmp-1676482025.4024374-17052-327545317198\n', b'')
ERROR:dbus.proxies:Introspect error on :1.4328:/org/fedoraproject/FirewallD1: dbus.exceptions.DBusException: org.fedoraproject.slip.dbus.service.PolKit.NotAuthorizedException.org.fedoraproject.FirewallD1.info:
<192.168.121.83> ESTABLISH SSH CONNECTION FOR USER: vagrant
<192.168.121.83> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o Port=22 -o 'IdentityFile="/work/mwilck/nvme-poc/nvmet-server/.vagrant/machines/vagrant-nvmet/libvirt/private_key"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="vagrant"' -o ConnectTimeout=10 -o ControlPath=/home/mwilck/.ansible/cp/6f7724bcde 192.168.121.83 '/bin/sh -c '"'"'rm -f -r /home/vagrant/.ansible/tmp/ansible-tmp-1676482025.4024374-17052-327545317198/ > /dev/null 2>&1 && sleep 0'"'"''
<192.168.121.83> (0, b'', b'')
The full traceback is:
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/ansible/executor/task_executor.py", line 147, in run
    res = self._execute()
  File "/usr/lib/python3.6/site-packages/ansible/executor/task_executor.py", line 665, in _execute
    result = self._handler.run(task_vars=variables)
  File "/usr/lib/python3.6/site-packages/ansible/plugins/action/normal.py", line 47, in run
    result = merge_hash(result, self._execute_module(task_vars=task_vars, wrap_async=wrap_async))
  File "/usr/lib/python3.6/site-packages/ansible/plugins/action/__init__.py", line 825, in _execute_module
    (module_style, shebang, module_data, module_path) = self._configure_module(module_name=module_name, module_args=module_args, task_vars=task_vars)
  File "/usr/lib/python3.6/site-packages/ansible/plugins/action/__init__.py", line 211, in _configure_module
    **become_kwargs)
  File "/usr/lib/python3.6/site-packages/ansible/executor/module_common.py", line 1283, in modify_module
    environment=environment)
  File "/usr/lib/python3.6/site-packages/ansible/executor/module_common.py", line 1120, in _find_module_utils
    py_module_cache, zf)
  File "/usr/lib/python3.6/site-packages/ansible/executor/module_common.py", line 751, in recursive_finder
    [os.path.join(*py_module_name[:-idx])])
  File "/usr/lib/python3.6/site-packages/ansible/executor/module_common.py", line 671, in __init__
    self.get_source()
  File "/usr/lib/python3.6/site-packages/ansible/executor/module_common.py", line 686, in get_source
    pkg = import_module(self._package_name)
  File "/usr/lib64/python3.6/importlib/__init__.py", line 126, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 994, in _gcd_import
  File "<frozen importlib._bootstrap>", line 971, in _find_and_load
  File "<frozen importlib._bootstrap>", line 955, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 656, in _load_unlocked
  File "<frozen importlib._bootstrap>", line 626, in _load_backward_compatible
  File "/usr/lib/python3.6/site-packages/ansible/utils/collection_loader.py", line 107, in load_module
    mod = self._find_module(fullname, None, load=True)[1]
  File "/usr/lib/python3.6/site-packages/ansible/utils/collection_loader.py", line 247, in _find_module
    exec(code_object, newmod.__dict__)
  File "/home/mwilck/.ansible/collections/ansible_collections/ansible/posix/plugins/module_utils/firewalld.py", line 28, in <module>
    fw.getDefaultZone()
  File "<decorator-gen-899>", line 2, in getDefaultZone
  File "/usr/lib/python3.6/site-packages/slip/dbus/polkit.py", line 121, in _enable_proxy
    return func(*p, **k)
  File "<decorator-gen-898>", line 2, in getDefaultZone
  File "/usr/lib/python3.6/site-packages/firewall/client.py", line 53, in handle_exceptions
    return func(*args, **kwargs)
  File "/usr/lib/python3.6/site-packages/firewall/client.py", line 3562, in getDefaultZone
    return dbus_to_python(self.fw.getDefaultZone())
  File "/usr/lib/python3.6/site-packages/dbus/proxies.py", line 72, in __call__
    return self._proxy_method(*args, **keywords)
  File "/usr/lib/python3.6/site-packages/slip/dbus/proxies.py", line 51, in __call__
    return dbus.proxies._ProxyMethod.__call__(self, *args, **kwargs)
  File "/usr/lib/python3.6/site-packages/dbus/proxies.py", line 147, in __call__
    **keywords)
  File "/usr/lib/python3.6/site-packages/dbus/connection.py", line 653, in call_blocking
    message, timeout)
dbus.exceptions.DBusException: org.fedoraproject.slip.dbus.service.PolKit.NotAuthorizedException.org.fedoraproject.FirewallD1.info:
vagrant-nvmet | FAILED! => {
    "msg": "Unexpected failure during module execution.",
    "stdout": ""
}
Doing the same with ansible.builtin.firewalld:
<192.168.121.83> ESTABLISH SSH CONNECTION FOR USER: vagrant
<192.168.121.83> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o Port=22 -o 'IdentityFile="/work/mwilck/nvme-poc/nvmet-server/.vagrant/machines/vagrant-nvmet/libvirt/private_key"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="vagrant"' -o ConnectTimeout=10 -o ControlPath=/home/mwilck/.ansible/cp/6f7724bcde 192.168.121.83 '/bin/sh -c '"'"'echo ~vagrant && sleep 0'"'"''
<192.168.121.83> (0, b'/home/vagrant\n', b'')
<192.168.121.83> ESTABLISH SSH CONNECTION FOR USER: vagrant
<192.168.121.83> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o Port=22 -o 'IdentityFile="/work/mwilck/nvme-poc/nvmet-server/.vagrant/machines/vagrant-nvmet/libvirt/private_key"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="vagrant"' -o ConnectTimeout=10 -o ControlPath=/home/mwilck/.ansible/cp/6f7724bcde 192.168.121.83 '/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo /home/vagrant/.ansible/tmp `"&& mkdir "` echo /home/vagrant/.ansible/tmp/ansible-tmp-1676482660.633314-17483-49686414882584 `" && echo ansible-tmp-1676482660.633314-17483-49686414882584="` echo /home/vagrant/.ansible/tmp/ansible-tmp-1676482660.633314-17483-49686414882584 `" ) && sleep 0'"'"''
<192.168.121.83> (0, b'ansible-tmp-1676482660.633314-17483-49686414882584=/home/vagrant/.ansible/tmp/ansible-tmp-1676482660.633314-17483-49686414882584\n', b'')
Using module file /usr/lib/python3.6/site-packages/ansible/modules/system/firewalld.py
<192.168.121.83> PUT /home/mwilck/.ansible/tmp/ansible-local-17478dnwc9hwm/tmp6232ko31 TO /home/vagrant/.ansible/tmp/ansible-tmp-1676482660.633314-17483-49686414882584/AnsiballZ_firewalld.py
It never gets this far in the error case.
The problem seems to be that the module runs
try:
    fw = FirewallClient()
    fw.getDefaultZone()
early during initialization, and the fw.getDefaultZone() command runs into this error. But ansible.builtin.firewalld has the same initialization code yet does not fail.
For now, I work around the issue by replacing my references to ansible.posix.firewalld with simply firewalld.
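As an added example (not code from ansible.posix or from the reporter), this is the pattern that avoids a D-Bus probe at import time: the firewalld client is created on first use, and a polkit denial is turned into an explicit error that names the host and user the call actually ran as, rather than an "Unexpected failure during module execution". `FakeFirewallClient` and the `DBusException` class below are constructed stand-ins for `firewall.client.FirewallClient` and `dbus.exceptions.DBusException` (whose real `get_dbus_name()` method they mirror) so the example runs without firewalld.

```python
import os
import socket

# D-Bus error name firewalld's slip.dbus layer raises when polkit denies the caller
# (prefix of the name quoted in the report).
POLKIT_DENIED = "org.fedoraproject.slip.dbus.service.PolKit.NotAuthorizedException"


class DBusException(Exception):
    """Constructed stand-in for dbus.exceptions.DBusException."""

    def __init__(self, name, message=""):
        super().__init__(message)
        self._dbus_error_name = name

    def get_dbus_name(self):
        return self._dbus_error_name


class FakeFirewallClient:
    """Constructed stand-in for firewall.client.FirewallClient; `authorized` mimics polkit."""

    def __init__(self, authorized):
        self._authorized = authorized

    def getDefaultZone(self):
        if not self._authorized:
            raise DBusException(POLKIT_DENIED + ".org.fedoraproject.FirewallD1.info")
        return "public"


class LazyFirewall:
    """Defers the D-Bus connection from import/construction time to first use."""

    def __init__(self, client_factory):
        self._factory = client_factory  # e.g. FirewallClient; nothing is called yet
        self._client = None

    def client(self):
        if self._client is None:
            self._client = self._factory()
        return self._client

    def default_zone(self):
        try:
            return self.client().getDefaultZone()
        except DBusException as exc:
            if exc.get_dbus_name().startswith(POLKIT_DENIED):
                who = os.environ.get("USER", "uid %d" % os.getuid())
                raise PermissionError("firewalld refused the D-Bus call via polkit; "
                                      "it ran on %s as %s" % (socket.gethostname(), who)) from exc
            raise


def probe_default_zone(fw):
    """Returns (zone, None) on success or (None, message) when polkit denies the call."""
    try:
        return fw.default_zone(), None
    except PermissionError as exc:
        return None, str(exc)
```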