Ubuntu1804-CIS : sysctl flush ipv6 route table fails when playbook invoked twice in a row (reboot of the target box between the two) on a fresh 18.04.4 distro
#77
I followed the documentation, used all default settings, and used the master branch at commit 918ee30. I ran the full playbook using ansible-playbook site.yml on a freshly installed Ubuntu 18.04.4 distro on one system (called n0002)...
The problem is that running the playbook once works but not twice:
To Reproduce
Steps to reproduce the behavior:
1. Install Ubuntu 18.04.4 on a new server
2. Run ansible-playbook site.yml => success, i.e. with default settings the full playbook passes
3. Reboot the server
4. Run ansible-playbook site.yml again => the run fails:
RUNNING HANDLER [Ubuntu1804-CIS : sysctl flush ipv6 route table] ***************************************************************
fatal: [n0002]: FAILED! => {"changed": false, "msg": "Failed to reload sysctl: kernel.randomize_va_space = 2\nfs.suid_dumpable = 0\nnet.ipv4.conf.all.send_redirects = 0\nnet.ipv4.conf.default.send_redirects = 0\nnet.ipv4.ip_forward = 0\nnet.ipv4.conf.all.accept_source_route = 0\nnet.ipv4.conf.default.accept_source_route = 0\nnet.ipv4.conf.all.accept_redirects = 0\nnet.ipv4.conf.default.accept_redirects = 0\nnet.ipv4.conf.all.secure_redirects = 0\nnet.ipv4.conf.default.secure_redirects = 0\nnet.ipv4.conf.all.log_martians = 1\nnet.ipv4.conf.default.log_martians = 1\nnet.ipv4.icmp_echo_ignore_broadcasts = 1\nnet.ipv4.icmp_ignore_bogus_error_responses = 1\nnet.ipv4.conf.all.rp_filter = 1\nnet.ipv4.conf.default.rp_filter = 1\nnet.ipv4.tcp_syncookies = 1\nnet.ipv4.route.flush = 1\nsysctl: cannot stat /proc/sys/net/ipv6/conf/all/forwarding: No such file or directory\nsysctl: cannot stat /proc/sys/net/ipv6/conf/all/accept_source_route: No such file or directory\nsysctl: cannot stat /proc/sys/net/ipv6/conf/default/accept_source_route: No such file or directory\nsysctl: cannot stat /proc/sys/net/ipv6/conf/all/accept_redirects: No such file or directory\nsysctl: cannot stat /proc/sys/net/ipv6/conf/default/accept_redirects: No such file or directory\nsysctl: cannot stat /proc/sys/net/ipv6/conf/all/accept_ra: No such file or directory\nsysctl: cannot stat /proc/sys/net/ipv6/conf/default/accept_ra: No such file or directory\nsysctl: cannot stat /proc/sys/net/ipv6/route/flush: No such file or directory\n"}
Expected behavior
I was thinking the playbook should be able to always apply even after a reboot and/or could be regularly reused against the server to check for compliance
I logged on to the server just after and confirmed that sysctl -p no longer works due to IPv6 "problems":
root@n0002:~# sysctl -p
kernel.randomize_va_space = 2
fs.suid_dumpable = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.ip_forward = 0
sysctl: cannot stat /proc/sys/net/ipv6/conf/all/forwarding: No such file or directory
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
sysctl: cannot stat /proc/sys/net/ipv6/conf/all/accept_source_route: No such file or directory
sysctl: cannot stat /proc/sys/net/ipv6/conf/default/accept_source_route: No such file or directory
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
sysctl: cannot stat /proc/sys/net/ipv6/conf/all/accept_redirects: No such file or directory
sysctl: cannot stat /proc/sys/net/ipv6/conf/default/accept_redirects: No such file or directory
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_syncookies = 1
sysctl: cannot stat /proc/sys/net/ipv6/conf/all/accept_ra: No such file or directory
sysctl: cannot stat /proc/sys/net/ipv6/conf/default/accept_ra: No such file or directory
sysctl: cannot stat /proc/sys/net/ipv6/route/flush: No such file or directory
net.ipv4.route.flush = 1
SSSSeb changed the title from "Ubuntu1804-CIS : sysctl flush ipv6 route table fails when playbook invoked twice on a fresh 18.04.4 distro" to "Ubuntu1804-CIS : sysctl flush ipv6 route table fails when playbook invoked twice in a row (reboot of the target box between the two) on a fresh 18.04.4 distro" on Jul 9, 2020.
This happens due to 3.7, which disables IPv6. This removes the directory /proc/sys/net/ipv6, causing sysctl to be unable to set the parameters. My suggestion would be to skip 3.7 for now.
@florianutz I'm not sure what the best solution would be in this case. Add a variable in defaults/main.yml which sets IPv6 disabled, and based on that we can either completely disable IPv6 OR set the sysctl parameters?
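A pre-flight check for the failure mode discussed above, added here as an example (it is not part of the issue or of the Ubuntu1804-CIS role): it lists every key in a sysctl configuration file that has no backing entry under /proc/sys, which is exactly what makes sysctl -p abort once 3.7 has removed /proc/sys/net/ipv6. The /proc/sys root is a parameter so the check can be exercised against a constructed tree; the sample sysctl.conf and tree in demo() are constructed for illustration.

```shell
#!/bin/sh
# Usage: missing_sysctl_keys CONF [PROC_SYS_ROOT]
# Print each key from CONF whose /proc/sys path does not exist. Keys use the
# dotted form (net.ipv6.route.flush), which maps to PROC_SYS_ROOT/net/ipv6/route/flush.
missing_sysctl_keys() {
    conf="$1"
    root="${2:-/proc/sys}"
    # Drop comments and blank lines, then take the part before '='.
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$conf" |
    while IFS='=' read -r key _; do
        key=$(printf '%s' "$key" | tr -d '[:space:]')
        [ -n "$key" ] || continue
        path="$root/$(printf '%s' "$key" | tr . /)"
        [ -e "$path" ] || printf '%s\n' "$key"
    done
}

# demo: constructed sysctl.conf plus a fake /proc/sys tree in which the IPv6
# subtree is absent, mimicking a host where IPv6 has been disabled (CIS 3.7).
# Only the IPv6 keys should be reported as missing.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/sys/net/ipv4/conf/all" "$tmp/sys/kernel"
    : > "$tmp/sys/kernel/randomize_va_space"
    : > "$tmp/sys/net/ipv4/ip_forward"
    : > "$tmp/sys/net/ipv4/conf/all/send_redirects"
    cat > "$tmp/sysctl.conf" <<'EOF'
# constructed sample, not a real host's file
kernel.randomize_va_space = 2
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv6.conf.all.forwarding = 0
net.ipv6.route.flush = 1
EOF
    missing_sysctl_keys "$tmp/sysctl.conf" "$tmp/sys"
    rm -rf "$tmp"
}
```

Run missing_sysctl_keys /etc/sysctl.conf on a real host before invoking sysctl -p; a non-empty result means the handler will fail, and the listed keys are the ones a role needs to gate on whether IPv6 is still present.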