ansible-collection-hardening
devsec.hardening.mysql_hardening - Operation not supported on ubuntu 22.04
Description
When applying mysql_hardening role on a ubuntu 22.04 host with mariadb 10.6.11 I got
TASK [devsec.hardening.mysql_hardening : Check include-dir directive is present in my.cnf] **********************************************************************************************************************
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: Exception: Error while setting attributes: /etc/mysql/my.cnf.48637.2023-02-06@20:21:25~: Operation not supported
fatal: [ansible2.osuv.de]: FAILED! => {"changed": false, "details": "Error while setting attributes: /etc/mysql/my.cnf.48637.2023-02-06@20:21:25~: Operation not supported\n", "gid": 119, "group": "mysql", "mode": "0640", "msg": "chattr failed", "owner": "root", "path": "/etc/mysql/my.cnf.48637.2023-02-06@20:21:25~", "size": 1126, "state": "file", "uid": 0}
Reproduction steps
- name: apply devsec.hardening.mysql_hardening role
  ansible.builtin.include_role:
    name: devsec.hardening.mysql_hardening
  vars:
    mysql_root_password: "{{ mariadb_root_password }}"
Current Behavior
TASK [devsec.hardening.mysql_hardening : Check include-dir directive is present in my.cnf] **********************************************************************************************************************
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: Exception: Error while setting attributes: /etc/mysql/my.cnf.48637.2023-02-06@20:21:25~: Operation not supported
fatal: [ansible2.osuv.de]: FAILED! => {"changed": false, "details": "Error while setting attributes: /etc/mysql/my.cnf.48637.2023-02-06@20:21:25~: Operation not supported\n", "gid": 119, "group": "mysql", "mode": "0640", "msg": "chattr failed", "owner": "root", "path": "/etc/mysql/my.cnf.48637.2023-02-06@20:21:25~", "size": 1126, "state": "file", "uid": 0}
Expected Behavior
no error
OS / Environment
Ubuntu 22.04
Ansible Version
ansible [core 2.13.5]
config file = None
configured module search path = ['/home/m/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /home/m/.local/lib/python3.10/site-packages/ansible
ansible collection location = /home/m/.ansible/collections:/usr/share/ansible/collections
executable location = /home/m/.local/bin/ansible
python version = 3.10.6 (main, Nov 14 2022, 16:10:14) [GCC 11.3.0]
jinja version = 3.1.2
libyaml = False
Collection Version
devsec.hardening 8.6.0
Additional information
Hi @markuman,
can you please do the following?
ls -lsah /etc/mysql/*
lsattr -R /etc/mysql/*
and put the output here?
I guess it's got something to do with symlinks..
Also do you run the playbook as root?
test playbook on a hetzner vm ubuntu 22.04 as user root
---
- hosts: all
  vars:
    mariadb_root_password: hdawuefshhfhv34
  tasks:
    - name: install mariadb
      ansible.builtin.apt:
        update_cache: true
        state: latest
        name:
          - mariadb-server
          - mariadb-client
          - python3-pymysql
    - name: init root user
      ansible.builtin.command: >
        sudo mysql -uroot -e "
        SET old_passwords=0;
        SET PASSWORD FOR root@localhost = PASSWORD('{{ mariadb_root_password }}');
        FLUSH PRIVILEGES;"
    - name: apply devsec.hardening.mysql_hardening role
      block:
        - name: apply devsec.hardening.mysql_hardening role
          ansible.builtin.include_role:
            name: devsec.hardening.mysql_hardening
          vars:
            mysql_root_password: "{{ mariadb_root_password }}"
After the error
root@ubuntu-2gb-hel1-1:~# ls -lsah /etc/mysql/*
4.0K -rw------- 1 root root 544 Feb 10 13:05 /etc/mysql/debian.cnf
4.0K -rwxr-xr-x 1 root root 1.7K Nov 13 07:48 /etc/mysql/debian-start
4.0K -rw-r----- 1 root mysql 1.1K Nov 13 07:48 /etc/mysql/mariadb.cnf
0 lrwxrwxrwx 1 root root 24 Feb 10 13:05 /etc/mysql/my.cnf -> /etc/alternatives/my.cnf
4.0K -rw-r----- 1 root mysql 1.1K Nov 13 07:48 /etc/mysql/my.cnf.2964.2023-02-10@13:06:51~
4.0K -rw-r--r-- 1 root root 839 Oct 20 2020 /etc/mysql/my.cnf.fallback
/etc/mysql/conf.d:
total 16K
4.0K drwxr-x--- 2 mysql adm 4.0K Feb 10 13:05 .
4.0K drwxr-xr-x 4 root root 4.0K Feb 10 13:06 ..
4.0K -rw-r--r-- 1 root root 8 Oct 20 2020 mysql.cnf
4.0K -rw-r--r-- 1 root root 55 Oct 20 2020 mysqldump.cnf
/etc/mysql/mariadb.conf.d:
total 28K
4.0K drwxr-xr-x 2 root root 4.0K Feb 10 13:05 .
4.0K drwxr-xr-x 4 root root 4.0K Feb 10 13:06 ..
4.0K -rw-r--r-- 1 root root 575 Nov 13 07:48 50-client.cnf
4.0K -rw-r--r-- 1 root root 231 Nov 13 07:48 50-mysql-clients.cnf
4.0K -rw-r--r-- 1 root root 927 Nov 13 07:48 50-mysqld_safe.cnf
4.0K -rw-r--r-- 1 root root 3.5K Nov 13 07:48 50-server.cnf
4.0K -rw-r--r-- 1 root root 570 Nov 13 07:48 60-galera.cnf
root@ubuntu-2gb-hel1-1:~#
root@ubuntu-2gb-hel1-1:~# lsattr -R /etc/mysql/*
--------------e------- /etc/mysql/conf.d/mysql.cnf
--------------e------- /etc/mysql/conf.d/mysqldump.cnf
--------------e------- /etc/mysql/debian.cnf
--------------e------- /etc/mysql/debian-start
--------------e------- /etc/mysql/mariadb.cnf
--------------e------- /etc/mysql/mariadb.conf.d/50-mysqld_safe.cnf
--------------e------- /etc/mysql/mariadb.conf.d/50-server.cnf
--------------e------- /etc/mysql/mariadb.conf.d/50-client.cnf
--------------e------- /etc/mysql/mariadb.conf.d/60-galera.cnf
--------------e------- /etc/mysql/mariadb.conf.d/50-mysql-clients.cnf
lsattr: Operation not supported While reading flags on /etc/mysql/my.cnf
--------------e------- /etc/mysql/my.cnf.2964.2023-02-10@13:06:51~
--------------e------- /etc/mysql/my.cnf.fallback
root@ubuntu-2gb-hel1-1:~#
Thanks, can you do the same on /etc/alternatives/my.cnf, please? Meanwhile I'll get myself a VM to test.
@rndmh3ro I'm getting a similar error on Ubuntu 22.04 with MySQL 8.0.34:
Exception: Error while setting attributes: /etc/mysql/my.cnf.68739.2023-08-22@15:36:39~: Operation not supported
Here's my output from what you requested from the original issue creator:
me@myhost:~$ ls -lsah /etc/mysql/*
4.0K -rw------- 1 root root 317 Aug 22 10:07 /etc/mysql/debian.cnf
4.0K -rwxr-xr-x 1 root root 120 Jul 21 09:03 /etc/mysql/debian-start
0 lrwxrwxrwx 1 root root 24 Aug 22 10:07 /etc/mysql/my.cnf -> /etc/alternatives/my.cnf
4.0K -rw-r--r-- 1 root root 839 Jul 14 2016 /etc/mysql/my.cnf.fallback
4.0K -rw-r--r-- 1 root root 682 Jun 14 15:23 /etc/mysql/mysql.cnf
/etc/mysql/conf.d:
total 16K
4.0K drwxr-xr-x 2 root root 4.0K Aug 22 10:07 .
4.0K drwxr-xr-x 4 root root 4.0K Aug 22 10:07 ..
4.0K -rw-r--r-- 1 root root 8 Jul 14 2016 mysql.cnf
4.0K -rw-r--r-- 1 root root 55 Jul 14 2016 mysqldump.cnf
/etc/mysql/mysql.conf.d:
total 16K
4.0K drwxr-xr-x 2 root root 4.0K Aug 22 10:07 .
4.0K drwxr-xr-x 4 root root 4.0K Aug 22 10:07 ..
4.0K -rw-r--r-- 1 root root 132 Jun 14 15:23 mysql.cnf
4.0K -rw-r--r-- 1 root root 2.2K Jun 14 15:23 mysqld.cnf
me@myhost:~$ lsattr -R /etc/mysql/*
--------------e------- /etc/mysql/conf.d/mysqldump.cnf
--------------e------- /etc/mysql/conf.d/mysql.cnf
lsattr: Permission denied While reading flags on /etc/mysql/debian.cnf
--------------e------- /etc/mysql/debian-start
lsattr: Operation not supported While reading flags on /etc/mysql/my.cnf
--------------e------- /etc/mysql/my.cnf.fallback
--------------e------- /etc/mysql/mysql.cnf
--------------e------- /etc/mysql/mysql.conf.d/mysqld.cnf
--------------e------- /etc/mysql/mysql.conf.d/mysql.cnf
me@myhost:~$ ls -lsah /etc/alternatives/my.cnf
0 lrwxrwxrwx 1 root root 20 Aug 22 10:07 /etc/alternatives/my.cnf -> /etc/mysql/mysql.cnf
me@myhost:~$ lsattr -R /etc/alternatives/my.cnf
lsattr: Operation not supported While reading flags on /etc/alternatives/my.cnf
me@myhost:~$
I'd guess it has something to do with a command trying to use the output of the lsattr command, not expecting the output to be lsattr: Operation not supported. But I'm not at all familiar with what's going on in this role.
The role at this task changes the my.cnf and creates a backup-file, in your case /etc/mysql/my.cnf.68739.2023-08-22@15:36:39~.
This seems to be a known bug in Ansible: https://github.com/ansible/ansible/issues/76727
And a PR: https://github.com/ansible/ansible/pull/78707
If anyone wants to try the PR out and comment on it, maybe it would help in getting it merged.
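
The check requested in this thread (ls and lsattr on /etc/mysql/my.cnf, then on /etc/alternatives/my.cnf) can be done in one pass by walking the symlink chain and reading flags only on the file it ends at. This is an added example, not part of the role or of Ansible; the function names and the temporary directory layout are assumptions made for the illustration.

```shell
#!/bin/sh
# walk_links PATH: print each hop of a symlink chain, "link <path>" for a
# symbolic link and "file <path>" for the path the chain ends at.
# Returns 1 on a dangling link or after 16 hops (loop guard).
walk_links() {
    p=$1
    hops=0
    while [ -L "$p" ]; do
        printf 'link %s\n' "$p"
        hops=$((hops + 1))
        [ "$hops" -le 16 ] || return 1
        t=$(readlink "$p") || return 1
        case $t in
            /*) p=$t ;;                   # absolute target
            *)  p=$(dirname "$p")/$t ;;   # relative to the link's directory
        esac
    done
    [ -e "$p" ] || { printf 'missing %s\n' "$p"; return 1; }
    printf 'file %s\n' "$p"
}

# final_target PATH: only the path at the end of the chain.
final_target() {
    walk_links "$1" | sed -n 's/^file //p'
}

# report_attrs PATH: show the chain, then read flags of the real file only,
# since the thread shows lsattr failing on the symlinks themselves.
report_attrs() {
    walk_links "$1" || return 1
    target=$(final_target "$1")
    if command -v lsattr >/dev/null 2>&1; then
        lsattr "$target" 2>&1 || true   # not every filesystem supports flags
    fi
}

# Constructed sample mirroring the layout in the thread:
#   mysql/my.cnf -> alternatives/my.cnf -> mysql/mysql.cnf
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/mysql" "$d/alternatives"
    : > "$d/mysql/mysql.cnf"
    ln -s "$d/mysql/mysql.cnf" "$d/alternatives/my.cnf"
    ln -s ../alternatives/my.cnf "$d/mysql/my.cnf"
    report_attrs "$d/mysql/my.cnf"
    rm -rf "$d"
}

demo
```

On a real host, `report_attrs /etc/mysql/my.cnf` prints the two link hops seen in the listings above followed by the attribute line of the file they resolve to.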