This repository was archived by the owner on Mar 23, 2019. It is now read-only.
systemd enable tasks fail #865
Closed
Description
ISSUE TYPE
- Bug Report
container.yml
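# ansible-container project definition for a single built service,
# `suricata`, produced by applying the rock-repo and suricata roles on top of
# the rocknsm/base image. Nesting restored: `conductor` and `project_name`
# belong under `settings`, and `from`/`roles` under the `suricata` service.
version: "2"
settings:

  conductor:
    # The Conductor container does the heavy lifting, and provides a portable
    # Python runtime for building your target containers. It should be derived
    # from the same distribution as you're building your target containers with.
    # NOTE(review): `centos:7` is a tag, not a fixed image; the conductor image
    # is a build input too, so track which image it resolves to.
    base: centos:7
    # roles_path:   # Specify a local path containing Ansible roles
    # volumes:      # Provide a list of volumes to mount
    # environment:  # List or mapping of environment variables

  # Set the name of the project. Defaults to basename of the project directory.
  # For built services, concatenated with service name to form the built image name.
  project_name: suricata

  # The deployment_output_path is mounted to the Conductor container, and the
  # `run` and `deployment` commands then write generated Ansible playbooks to it.
  # deployment_output_path: ./ansible-deployment

  # When using the k8s or openshift engines, use the following to authorize with the API.
  # Values set here will be passed to the Ansible modules. Any file paths will be mounted
  # to the conductor container, allowing the `run` command to access the API.
  # k8s_auth:
  #   # path to a K8s config file
  #   config_file:
  #   # name of a context found within the config file
  #   context:
  #   # URL for accessing the K8s API
  #   host:
  #   # An API authentication token
  #   # (keep a real token out of version control; reference it from outside this file)
  #   api_key:
  #   # Path to a ca cert file
  #   ssl_ca_cert:
  #   # Path to a cert file
  #   cert_file:
  #   # Path to a key file
  #   key_file:
  #   # boolean, indicating if SSL certs should be validated
  #   # (leave validation on unless the API endpoint is a throwaway test cluster)
  #   verify_ssl:

  # When using the k8s or openshift engines, use the following to set the namespace.
  # If not set, the project name will be used. For openshift, the namespace maps to a project,
  # and description and display_name are supported.
  # k8s_namespace:
  #   name:
  #   description:
  #   display_name:

services:
  # Add your containers here, specifying the base image you want to build from.
  # To use this example, uncomment it and delete the curly braces after services key.
  # You may need to run `docker pull ubuntu:trusty` for this to work.
  suricata:
    # `latest` is a mutable tag: every build uses whatever image the tag points
    # to at pull time, so two builds of this file can differ.
    # NOTE(review): pin to a specific release tag or an image digest so the
    # base image is a fixed, auditable input.
    from: "rocknsm/base:latest"
    roles:
      - rock-repo
      - suricata

# registries:
#   # Add optional registries used for deployment. For example:
#   google:
#     url: https://gcr.io
#     namespace: my-cool-project-xxxxxx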
OS / ENVIRONMENT
Ansible Container, version 0.9.2
Linux, rocksensor1.lan, 3.10.0-693.11.6.el7.x86_64, #1 SMP Thu Jan 4 01:06:37 UTC 2018, x86_64
2.7.5 (default, Aug 4 2017, 00:39:18)
[GCC 4.8.5 20150623 (Red Hat 4.8.5-16)] /usr/bin/python2
{
"ContainersPaused": 0,
"Labels": [],
"CgroupDriver": "cgroupfs",
"ContainersRunning": 1,
"ContainerdCommit": {
"Expected": "89623f28b87a6004d4b785663257362d1658a729",
"ID": "89623f28b87a6004d4b785663257362d1658a729"
},
"InitBinary": "docker-init",
"NGoroutines": 41,
"Swarm": {
"ControlAvailable": false,
"NodeID": "",
"Error": "",
"RemoteManagers": null,
"LocalNodeState": "inactive",
"NodeAddr": ""
},
"LoggingDriver": "json-file",
"OSType": "linux",
"HttpProxy": "",
"Runtimes": {
"runc": {
"path": "docker-runc"
}
},
"DriverStatus": [
[
"Backing Filesystem",
"xfs"
],
[
"Supports d_type",
"true"
],
[
"Native Overlay Diff",
"true"
]
],
"OperatingSystem": "CentOS Linux 7 (Core)",
"Containers": 2,
"HttpsProxy": "",
"BridgeNfIp6tables": false,
"MemTotal": 16658903040,
"SecurityOptions": [
"name=seccomp,profile=default"
],
"Driver": "overlay2",
"IndexServerAddress": "https://index.docker.io/v1/",
"ClusterStore": "",
"InitCommit": {
"Expected": "949e6fa",
"ID": "949e6fa"
},
"GenericResources": null,
"Isolation": "",
"SystemStatus": null,
"OomKillDisable": true,
"ClusterAdvertise": "",
"SystemTime": "2018-01-28T04:26:38.970232628Z",
"Name": "rocksensor1.lan",
"CPUSet": true,
"RegistryConfig": {
"AllowNondistributableArtifactsCIDRs": [],
"Mirrors": [],
"IndexConfigs": {
"docker.io": {
"Official": true,
"Name": "docker.io",
"Secure": true,
"Mirrors": []
}
},
"AllowNondistributableArtifactsHostnames": [],
"InsecureRegistryCIDRs": [
"127.0.0.0/8"
]
},
"DefaultRuntime": "runc",
"ContainersStopped": 1,
"NCPU": 1,
"NFd": 27,
"Architecture": "x86_64",
"KernelMemory": true,
"CpuCfsQuota": true,
"Debug": false,
"ID": "4TIW:6WHH:TLBN:U7YZ:3SVS:HVWP:TBHE:EKNH:UO6M:4QZR:YQ5K:TXFK",
"IPv4Forwarding": true,
"KernelVersion": "3.10.0-693.11.6.el7.x86_64",
"BridgeNfIptables": false,
"NoProxy": "",
"LiveRestoreEnabled": false,
"ServerVersion": "17.12.0-ce",
"CpuCfsPeriod": true,
"ExperimentalBuild": false,
"MemoryLimit": true,
"SwapLimit": true,
"Plugins": {
"Volume": [
"local"
],
"Network": [
"bridge",
"host",
"macvlan",
"null",
"overlay"
],
"Authorization": null,
"Log": [
"awslogs",
"fluentd",
"gcplogs",
"gelf",
"journald",
"json-file",
"logentries",
"splunk",
"syslog"
]
},
"Images": 18,
"DockerRootDir": "/opt/rocknsm/docker",
"NEventsListener": 0,
"CPUShares": true,
"RuncCommit": {
"Expected": "b2567b37d7b75eb4cf325b77297b140ea686ce8f",
"ID": "b2567b37d7b75eb4cf325b77297b140ea686ce8f"
}
}
{
"KernelVersion": "3.10.0-693.11.6.el7.x86_64",
"Components": [
{
"Version": "17.12.0-ce",
"Name": "Engine",
"Details": {
"KernelVersion": "3.10.0-693.11.6.el7.x86_64",
"Os": "linux",
"BuildTime": "2017-12-27T20:12:46.000000000+00:00",
"ApiVersion": "1.35",
"MinAPIVersion": "1.12",
"GitCommit": "c97c6d6",
"Arch": "amd64",
"Experimental": "false",
"GoVersion": "go1.9.2"
}
}
],
"Arch": "amd64",
"BuildTime": "2017-12-27T20:12:46.000000000+00:00",
"ApiVersion": "1.35",
"Platform": {
"Name": ""
},
"Version": "17.12.0-ce",
"MinAPIVersion": "1.12",
"GitCommit": "c97c6d6",
"Os": "linux",
"GoVersion": "go1.9.2"
}
SUMMARY
Running the systemd module results in an error. This may be helpful:
https://serverfault.com/questions/824975/failed-to-get-d-bus-connection-operation-not-permitted
STEPS TO REPRODUCE
Try to enable a service in the systemd container:
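# Reproduction task from the suricata role: asks Ansible's systemd module to
# enable the suricata unit during the image build.
# The failure output shows the module invoking /usr/bin/systemctl, which then
# reports "Failed to get D-Bus connection: Operation not permitted";
# presumably no systemd instance is running in the build container - confirm.
# NOTE(review): granting the build container extra privileges to make this
# pass would weaken container isolation; prefer a fix that does not need a
# running systemd at build time.
- name: Enable Suricata
  systemd:
    name: suricata
    # canonical boolean; Ansible reads `yes` and `true` the same way
    enabled: true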
EXPECTED RESULTS
I expected the service to be enabled within the container, as if I had run `RUN systemctl enable suricata` in a regular Dockerfile.
ACTUAL RESULTS
TASK [suricata : Enable Suricata] **********************************************
fatal: [suricata]: FAILED! => {"changed": false, "cmd": "/usr/bin/systemctl", "failed": true, "msg": "Failed to get D-Bus connection: Operation not permitted", "rc": 1, "stderr": "Failed to get D-Bus connection: Operation not permitted\n", "stderr_lines": ["Failed to get D-Bus connection: Operation not permitted"], "stdout": "", "stdout_lines": []}
to retry, use: --limit @/tmp/tmpS5Y3mH/playbook.retry
PLAY RECAP *********************************************************************
suricata : ok=24 changed=22 unreachable=0 failed=1
ERROR Error applying role! engine=<container.docker.engine.Engine object at 0x29a85d0> exit_code=2 playbook=[{'hosts': u'suricata', 'roles': ['suricata'], 'vars': {}}]
Traceback (most recent call last):
File "/usr/bin/conductor", line 11, in <module>
load_entry_point('ansible-container', 'console_scripts', 'conductor')()
File "/_ansible/container/__init__.py", line 19, in __wrapped__
return fn(*args, **kwargs)
File "/_ansible/container/cli.py", line 399, in conductor_commandline
**params)
File "/_ansible/container/__init__.py", line 19, in __wrapped__
return fn(*args, **kwargs)
File "/_ansible/container/core.py", line 813, in conductorcmd_build
raise RuntimeError('Build failed.')
RuntimeError: Build failed.
Conductor terminated. Cleaning up. command_rc=1 conductor_id=5e56e9240fb39fbc904f595d02eb8c60ca47184fd9ddd8676dffb07755d3db5e save_container=False
ERROR Conductor exited with status 1