ansible-fail2ban
Error on Debian on first check_mode run
Hello,
This role fails on Debian when playing the following tasks in check_mode on a fresh server:
```yaml
- name: get fail2ban version
  ansible.builtin.command: >
    fail2ban-server -V
  changed_when: false
  check_mode: false
  register: _fail2ban_version_raw
  tags:
    - configuration
    - fail2ban
    - fail2ban-install
```
fails with:
```
fatal: [xxx]: FAILED! => {"changed": false, "cmd": "fail2ban-server -V", "msg": "[Errno 2] No such file or directory: b'fail2ban-server'", "rc": 2, "stderr": "", "stderr_lines": [], "stdout": "", "stdout_lines": []}
```
and:
```yaml
- name: update configuration file - /etc/fail2ban/jail.local
  ansible.builtin.template:
    src: etc/fail2ban/jail.local.j2
    dest: /etc/fail2ban/jail.local
    owner: root
    group: root
    mode: 0644
  notify: restart fail2ban
  tags:
    - configuration
    - fail2ban
    - fail2ban-configuration
    - fail2ban-configuration-update
```
fails with:
```
fatal: [xxx]: FAILED! => {"changed": false, "msg": "AnsibleFilterError: Input version value cannot be empty"}
```
and:
```yaml
- name: start and enable service
  ansible.builtin.service:
    name: fail2ban
    state: "{{ service_default_state | default('started') }}"
    enabled: "{{ service_default_enabled | default(true) | bool }}"
  tags:
    - configuration
    - fail2ban
    - fail2ban-start-enable-service
```
fails with:
```
fatal: [xxx]: FAILED! => {"changed": false, "msg": "Could not find the requested service fail2ban: host"}
```
because fail2ban is not installed and therefore the version cannot be parsed.
I suggest adding the following line to these tasks to ignore check_mode errors:
```yaml
- name: get fail2ban version
  ansible.builtin.command: >
    fail2ban-server -V
  changed_when: false
  check_mode: false
  register: _fail2ban_version_raw
  tags:
    - configuration
    - fail2ban
    - fail2ban-install
  ignore_errors: "{{ ansible_check_mode }}" # fixes error

- name: update configuration file - /etc/fail2ban/jail.local
  ansible.builtin.template:
    src: etc/fail2ban/jail.local.j2
    dest: /etc/fail2ban/jail.local
    owner: root
    group: root
    mode: 0644
  notify: restart fail2ban
  tags:
    - configuration
    - fail2ban
    - fail2ban-configuration
    - fail2ban-configuration-update
  ignore_errors: "{{ ansible_check_mode and fail2ban_version == '' }}" # fixes error

- name: start and enable service
  ansible.builtin.service:
    name: fail2ban
    state: "{{ service_default_state | default('started') }}"
    enabled: "{{ service_default_enabled | default(true) | bool }}"
  tags:
    - configuration
    - fail2ban
    - fail2ban-start-enable-service
  ignore_errors: "{{ ansible_check_mode and fail2ban_version == '' }}" # fixes error
```
I also had to ignore errors in the handler, for the same reasons.
FYI, I edited my post to fix a syntax error in the ignore_errors condition.
FYI, I updated my message again. Now it works :sweat: