
Ubuntu1804-CIS : sysctl flush ipv6 route table fails when playbook invoked twice in a row (reboot of the target box between the two) on a fresh 18.04.4 distro #77

Open
SSSSeb opened this issue Jul 9, 2020 · 2 comments

Comments


SSSSeb commented Jul 9, 2020

Describe the bug

I followed the documentation and used all default settings and used the master branch at commit 918ee30. I ran the full playbook using ansible-playbook site.yml on a freshly installed 18.04.4 ubuntu distro on one system (called n0002)...

The problem is that running the playbook once works but not twice:

To Reproduce
Steps to reproduce the behavior:

  1. Install ubuntu18.04.4 on a new server
  2. Run ansible-playbook site.yml => success... i.e. with default settings the full playbook pass:
     n0002                      : ok=278  changed=131  unreachable=0    failed=0    skipped=110  rescued=0    ignored=0
  3. reboot the box (because 131 changes were done, so to be sure...)
  4. try again to apply the playbook using ansible-playbook site.yml again
  5. playbook goes smoothly until reaching step " sysctl flush ipv6 route table "
     RUNNING HANDLER [Ubuntu1804-CIS : sysctl flush ipv6 route table] ***************************************************************
     fatal: [n0002]: FAILED! => {"changed": false, "msg": "Failed to reload sysctl: kernel.randomize_va_space = 2\nfs.suid_dumpable = 0\nnet.ipv4.conf.all.send_redirects = 0\nnet.ipv4.conf.default.send_redirects = 0\nnet.ipv4.ip_forward = 0\nnet.ipv4.conf.all.accept_source_route = 0\nnet.ipv4.conf.default.accept_source_route = 0\nnet.ipv4.conf.all.accept_redirects = 0\nnet.ipv4.conf.default.accept_redirects = 0\nnet.ipv4.conf.all.secure_redirects = 0\nnet.ipv4.conf.default.secure_redirects = 0\nnet.ipv4.conf.all.log_martians = 1\nnet.ipv4.conf.default.log_martians = 1\nnet.ipv4.icmp_echo_ignore_broadcasts = 1\nnet.ipv4.icmp_ignore_bogus_error_responses = 1\nnet.ipv4.conf.all.rp_filter = 1\nnet.ipv4.conf.default.rp_filter = 1\nnet.ipv4.tcp_syncookies = 1\nnet.ipv4.route.flush = 1\nsysctl: cannot stat /proc/sys/net/ipv6/conf/all/forwarding: No such file or directory\nsysctl: cannot stat /proc/sys/net/ipv6/conf/all/accept_source_route: No such file or directory\nsysctl: cannot stat /proc/sys/net/ipv6/conf/default/accept_source_route: No such file or directory\nsysctl: cannot stat /proc/sys/net/ipv6/conf/all/accept_redirects: No such file or directory\nsysctl: cannot stat /proc/sys/net/ipv6/conf/default/accept_redirects: No such file or directory\nsysctl: cannot stat /proc/sys/net/ipv6/conf/all/accept_ra: No such file or directory\nsysctl: cannot stat /proc/sys/net/ipv6/conf/default/accept_ra: No such file or directory\nsysctl: cannot stat /proc/sys/net/ipv6/route/flush: No such file or directory\n"}

Expected behavior

I was thinking the playbook should be able to always apply, even after a reboot, and/or could be regularly reused against the server to check for compliance.

Software:

  • Ansible Version: 2.9.10
  • Role/Repo Version: master @ 918ee30

Additional context

I logged on to the server just afterwards and confirmed that sysctl -p no longer works due to ipv6 "problems":

root@n0002:~# sysctl -p
kernel.randomize_va_space = 2
fs.suid_dumpable = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.ip_forward = 0
sysctl: cannot stat /proc/sys/net/ipv6/conf/all/forwarding: No such file or directory
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
sysctl: cannot stat /proc/sys/net/ipv6/conf/all/accept_source_route: No such file or directory
sysctl: cannot stat /proc/sys/net/ipv6/conf/default/accept_source_route: No such file or directory
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
sysctl: cannot stat /proc/sys/net/ipv6/conf/all/accept_redirects: No such file or directory
sysctl: cannot stat /proc/sys/net/ipv6/conf/default/accept_redirects: No such file or directory
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_syncookies = 1
sysctl: cannot stat /proc/sys/net/ipv6/conf/all/accept_ra: No such file or directory
sysctl: cannot stat /proc/sys/net/ipv6/conf/default/accept_ra: No such file or directory
sysctl: cannot stat /proc/sys/net/ipv6/route/flush: No such file or directory
net.ipv4.route.flush = 1

@SSSSeb SSSSeb changed the title Ubuntu1804-CIS : sysctl flush ipv6 route table fails when playbook invoked twice on a fresh 18.04.4 distro Ubuntu1804-CIS : sysctl flush ipv6 route table fails when playbook invoked twice in a row (reboot of the target box between the two) on a fresh 18.04.4 distro Jul 9, 2020
@JimKlapwijk (Contributor)

This happens due to 3.7, which disables IPv6. This removes the directory /proc/sys/net/ipv6, causing sysctl to be unable to set the parameters. My suggestion would be to skip 3.7 for now.

@florianutz I'm not sure what the best solution would be in this case. Add a variable in defaults/main.yml which sets IPv6 disabled, and based on that we can either completely disable IPv6 OR set the sysctl parameters?
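Added example, not code from the Ubuntu1804-CIS role or from either commenter: a POSIX shell helper that reproduces the state described above against a constructed stand-in for /proc/sys (the whole net/ipv6 tree gone after IPv6 is disabled) and applies a sysctl.conf-style file while reporting and skipping keys that no longer exist, so a re-run fails per key instead of aborting on the first one the way sysctl -p does. The optional ROOT argument and the fake-root builder are assumptions made for offline testing.

```shell
#!/bin/sh
# Added example (not the role's code). Works against ROOT instead of the live
# /proc/sys so the IPv6-disabled state can be reproduced in a temp directory.

# ipv6_available [ROOT]: true when the kernel still exposes the IPv6 sysctl tree.
# Once IPv6 is disabled this directory disappears and every net.ipv6.* key fails.
ipv6_available() {
    [ -d "${1:-/proc/sys}/net/ipv6" ]
}

# apply_sysctl_file FILE [ROOT]: apply "key = value" lines from FILE under ROOT
# (default /proc/sys). Missing keys are reported and skipped rather than aborting
# the whole file. Returns 0 if everything applied, 1 if any key was skipped.
apply_sysctl_file() {
    conf="$1"; root="${2:-/proc/sys}"; skipped=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*|';'*) continue ;; esac   # comments / blanks
        key=$(printf '%s' "$line" | sed 's/[[:space:]]*=.*$//')
        value=$(printf '%s' "$line" | sed 's/^[^=]*=[[:space:]]*//')
        path="$root/$(printf '%s' "$key" | tr '.' '/')"  # net.ipv4.x -> net/ipv4/x
        if [ -f "$path" ]; then
            printf '%s\n' "$value" > "$path"
            echo "applied $key = $value"
        else
            echo "skipped $key: cannot stat $path"
            skipped=1
        fi
    done < "$conf"
    return "$skipped"
}

# make_fake_root DIR: constructed stand-in for /proc/sys after IPv6 was disabled:
# ipv4 and kernel keys exist, the net/ipv6 tree does not.
make_fake_root() {
    mkdir -p "$1/net/ipv4/conf/all" "$1/kernel"
    echo 1 > "$1/net/ipv4/ip_forward"
    echo 1 > "$1/net/ipv4/conf/all/send_redirects"
    echo 0 > "$1/kernel/randomize_va_space"
}

# Demo against a constructed root; touches nothing under the real /proc.
demo_root=$(mktemp -d)
make_fake_root "$demo_root"
printf '%s\n' 'net.ipv4.ip_forward = 0' 'net.ipv6.conf.all.forwarding = 0' \
    > "$demo_root/sysctl.conf"
ipv6_available "$demo_root" || echo "IPv6 sysctl tree absent: net.ipv6.* keys will be skipped"
apply_sysctl_file "$demo_root/sysctl.conf" "$demo_root" || echo "some keys skipped (exit $?)"
rm -rf "$demo_root"
```

A role could gate its net.ipv6.* sysctl tasks on the same directory check (or on the IPv6-disable variable proposed above) so that the handler is not asked to set keys the kernel no longer exposes.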

SSSSeb (Author) commented Jul 23, 2020

Thanks a lot for your comment, this is what I did already. I can help with fixing it if the plan is clear/understood.
