Develop Reference

Ansible - Run playbooks using systemd (.service files)

I would like to start an ansible playbook through a service.
Problem is that there is an exception occurring if i try to start a specific playbook with the help of a .service file.
Normal execution via the command line doesn't throw any exceptions.
The exact error is as follows:
ESTABLISH LOCAL CONNECTION FOR USER: build
EXEC /bin/sh -c '( umask 77 && mkdir -p "echo /tmp"&& mkdir "echo /tmp/ansible-tmp-1628159196.970389-90181-42979741793270" && echo ansible-tmp-1628159196.970389-90181-42979741793270="echo /tmp/ansible-tmp-1628159196.970389-90181-42979741793270" ) && sleep 0'
fatal: [Ares]: UNREACHABLE! => changed=false
msg: 'Failed to create temporary directory.In some cases, you may have been able to authenticate and did not have permissions on the target directory. Consider changing the remote tmp path in ansible.cfg to a path rooted in "/tmp", for more error information use -vvv. Failed command was: ( umask 77 && mkdir -p "echo /tmp"&& mkdir "echo /tmp/ansible-tmp-1628159196.970389-90181-42979741793270" && echo ansible-tmp-1628159196.970389-90181-42979741793270="echo /tmp/ansible-tmp-1628159196.970389-90181-42979741793270" ), exited with result 127'
unreachable: true'
I've tried the following:
Authentication or permission failure, did not have permissions on the remote directory
https://github.com/ansible/ansible/issues/43830
Generally searching for an answer, but all i could find is to change remote_config to /tmp
Changing the permissions to 777 for the /tmp folder
Changing the user for the service to both build and root
Changing the group for the service to both build and root
Current configuration:
The remote_tmp is set to /tmp
The rights for /tmp are: drwxrwxrwt. 38 root root
This is the service i am starting:
[Unit]
Description=Running vmware in a service
After=network.target
[Service]
User=build
Group=build
WorkingDirectory=/home/build/dev/sol_project_overview/ansible-interface
Environment="PATH=/home/build/dev/sol_project_overview/ansible-interface/venv/bin"
ExecStart=/home/build/dev/sol_project_overview/ansible-interface/venv/bin/ansible-playbook ./playbooks/get_vm_data_playbook.yml --vault-password-file password.txt -vvv
[Install]
WantedBy=multi-user.target
The exact ansible task that throws this exception:
- name: Write Disks Data to file
template:
src: template.j2
dest: /home/build/dev/sol_project_overview/tmp/vm_data
delegate_to: localhost
run_once: yes
Also normally I would run a python script via this service file, that would call ansible when special conditions are met. But the same error occurs with a python script started by the service.
All of this lets me think that the problem is with the .service file... i just don't know what.
Any help is appreciated.
EDIT: SELinux is disabled

So i found the problem:
When debugging with -vvvv => 4 * verbose you get an even more precise error message:
"msg": "Failed to create temporary directory.In some cases, you may have been able to authenticate and did not have permissions on the target directory. Consider changing the remote tmp path in ansible.cfg to a path rooted in "/tmp", for more error information use -vvv. Failed command was: ( umask 77 && mkdir -p "echo /tmp/.ansible/tmp"&& mkdir "echo /tmp/.ansible/tmp/ansible-tmp-1629205650.8804808-397364-56399467035196" && echo ansible-tmp-1629205650.8804808-397364-56399467035196="echo /tmp/.ansible/tmp/ansible-tmp-1629205650.8804808-397364-56399467035196" ), exited with result 127**, stderr output: /bin/sh: mkdir: command not found\n",**
and in the last part there is this information:, stderr output: /bin/sh: mkdir: command not found\n",
So after googling i realized the problem was with that "PATH" variable I am setting in my .service file.
This was the problem:
Environment="PATH=/home/build/dev/sol_project_overview/ansible-interface/venv/bin"
it couldn't find mkdir because the "bin" folder, where "mkdir" is located at, wasn't specified in the "PATH" variable
What was left to do is to change the PATH variable of the service correctly. In order to do so I took the the PATH variable from the corresponding virtual environment when it was active.
Lesson: If you are working with virtual environments and want to use services using their environments, then change the PATH variable to that of the virtual machine.

how to call the sudo command in linux using Puppet

Using the below script to call sudo command in redhat linux with the puppet version 3.7.
Exec {
cwd => "/home/dev02",
command => "sudo -su dev01",
path => "/usr/bin/",
logoutput => "on_failure",
}
I am not getting any errors, but after executing this script,
when i checked to see my user with "whoami", still am seeing as dev02
instead of dev01.
Can someone help me on this.?
Thanks in advance.

This command will not do what you expect because all exec resource commands are executed in a spawned process. If you want to execute a command as another user, then the exec resource has a user parameter.
For example:
exec { 'Touch some file':
cwd => '/home/dev02',
command => 'touch some_file',
path => '/usr/bin/',
logoutput => 'on_failure',
user => 'dev01'
}

Cacti extend snmp by a custom script

I have created a graph on Cacti about time to access to a specific page on our infrastructure with cacti and net-snmp.
I have extended the capability with adding two new lines in file /etc/snmp/snmpd.conf :
extend stat_page1 /usr/local/bin/cacti/access_page.sh context1
extend stat_page2 /usr/local/bin/cacti/access_page.sh context2
I have restarted the daemon snmpd to load this configuration.
The script called is describe below, with other value, because for some reason, i can show this.
#!/bin/bash
domain="mydomain"
cookie_name="myCookie"
token="myToken"
if [ $# -eq 1 ]
then
if [ "$1" = "context1" ]
then
target_url="https://${domain}/${1}/page1.html"
TIME=$(curl -s -w "%{time_total}" -o /dev/null --cookie \"${cookie_name}=${token}\" ${target_url})
echo "$TIME"
elif [ "$1" = "context2" ]
then
target_url="https://${domain}/${1}/page2.html"
TIME=$(curl -s -w "%{time_total}" -o /dev/null --cookie \"${cookie_name}=${token}\" ${target_url})
echo "$TIME"
fi
If I launch the script manually i have this
$ /usr/local/bin/cacti/access_page.sh context2
0.061
$ /usr/local/bin/cacti/access_page.sh context1
0.041
When I launch the script with snmpget, I have this result:
snmpwalk -v2c -c myCommunity localhost NET-SNMP-EXTEND-MIB::nsExtendOutput2Table
NET-SNMP-EXTEND-MIB::nsExtendOutLine."stat_page1".1 = STRING: 0.000
NET-SNMP-EXTEND-MIB::nsExtendOutLine."stat_page2".1 = STRING: 0.000
All time, I get 0.000 value by snmp command and manually a real value.
Could you help me about it?, please

Recently i had an issue with snmp and the execution script that call the curl command.
This post was the closest of the problem when i searched some solutions.
I found a solution without disabling SELinux.
I am a newbie in SELinux but i solved this issue with some SELinux configuration, that could interest someone in the future.
Context :
Centos 7
Content of the configuration file for SNMP /etc/snmp/snmpd.conf :
# sec.name source community
com2sec myuser default public
# groupName securityModel securityName
group mygroup v2c pad
# name incl/excl subtree mask(optional)
view systemview included .1.3.6.1.4
view systemview included .1.3.6.1.4.1
view systemview included .1.3.6.1.4.1.1234
view systemview included .1.3.6.1.4.1.1234.1
# group context sec.model sec.level prefix read write notif
access mygroup "" any noauth exact systemview none none
perl do "/appli/snmp_scripts/agent.pl"
SNMAP agent agent.pl :
#!/usr/bin/perl
use NetSNMP::agent (':all');
use NetSNMP::ASN qw(ASN_OCTET_STR ASN_INTEGER);
sub handler {
my ($handler, $registration_info, $request_info, $requests) = #_;
my $request;
for($request = $requests; $request; $request = $request->next()) {
my $oid = $request->getOID();
if ($request_info->getMode() == MODE_GET) {
if ($oid == new NetSNMP::OID(".1.3.6.1.4.1.1581.1.6.2.1.5")) {
$request->setValue(ASN_OCTET_STR,`/path/to/myscript`);
}
}
}
}
my $AGENT_OID = ".1.3.6.1.4.1.1234";
$agent->register("MYAGENT", ".1.3.6.1.4.1.1234",
\&handler);
Solution:
When i looked for trace of the execution, with sudo systemctl status snmpd, some trace of curl were display :
snmpd: curl: (7) Failed to connect to 127.0.0.1:8081 Permission denied
However, the server was running well at this port and the script executed outside SNMP worked well.
SELinux errors have been generated in audit logs :
$> sudo grep snmp /var/log/audit/audit.log | audit2allow -w -a
type=AVC msg=audit(1528188940.802:2025): avc: denied { name_connect } for pid=26809 comm="curl" dest=8081 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:transproxy_port_t:s0 tclass=tcp_socket
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
$> sudo grep snmp /var/log/audit/audit.log | audit2allow -M mysnmpmodule
******************** IMPORTANT ***********************
To make this policy package active, execute:
semodule -i snmpdcanopensocket.pp
Follow the step told by audit2allow comm apply to SELinux the new created module for snmp_t. The audit2allow -M command generated two files snmpdcanopensocket.pp snmpdcanopensocket.te in your current directory.
SELinux needs the .pp file to remap it's security rules.
$> semodule -i snmpdcanopensocket.pp
Restart the SNMP service with sudo systemctl restart snmp
Now the curl in the script executed by SNMP behaves well and does not quit with a (7) error code.

I have done this test and when i call the script i have permission denied when I do this : line 34: /tmp/echo-curl: Permission denied, and I have done a script with just id to be sure that is launched with privilege user.
I have find the source of the problem, which is probably due to enforcing of SELinux – user3249935

Vagrant Puppet using wget to fetch and extract .zip file

Hi I am creating a Vagrant setup and I am needing to fetch a .zip file which will be put in /vagrant/www directory.
They way I am trying to do this is:
exec { 'setup octobercms':
command => "/bin/sh -c 'wget -P /vagrant/www https://github.com/octobercms/install/archive/master.zip'",
timeout => 900,
logoutput => true
}
When vagrant up has been triggered I can see that the file is downloading but it is not appearing in the /vagrant/www directory. The file is not really anything to do with vagrant but will be used to install October CMS.
When using puppet what would be the best way to fetch a zipped file and extract its contents into a directory and remove the zipped archive?
Any help would be much appreciated.

The exec command is run in a generic construct of the shell, and doesn't obey the constraints of the user account evoking it. Try:
exec { 'setup octobercms':
command => "cd /vagrant/www/; /bin/sh -c 'wget https://github.com/octobercms/install/archive/master.zip'",
timeout => 900,
logoutput => true
}

Puppet - How to chage umask setting for the previlage user

for changing the umask setting , i had created the puppet script which insert the line "umask 0027" in the file "/etc/profile" , but it doesn't show the umask value as 0027, when we echo the umask. but when we relogin then it show the value 0027. so it take effect only after relogin.
but we want the immediate effect of the change without relogin , so we added one more line to my puppet script as "source /etc/profile" but it doesnot work and gave the error as below
'source /etc/profile' is not qualified and no path was specified. Please qualify the command or specify a path.
Could somebody help me on this issue ?
my puppet file looks like below
exec {"modify-umask-entry":
command => "sed -i 's/umask [0-9]\{3,\}/umask 027/g' /etc/profile",
path => "/bin:/usr/bin/",
}
exec { "/bin/echo 'umask 027' >> '/etc/profile'":
unless => "/bin/grep -Fx 'umask[\t][0-9]{3}' '/etc/profile'",
# onlyif => "/bin/grep -i 'umask[ \t][0-9]{3}' /etc/profile | wc -w",
}
exec {"seeting_new_umask":
command => "source /etc/profile",
}