ansible-network-interfaces's People

Contributors

arbmind, benner, cfarquhar, jangrewe, kormat, linuxsimba, marcinjanowski, nebirhos, oneswig, starkers

ansible-network-interfaces's Issues

network namespaces support

It would be nice to have network namespaces support (ip netns). Instead of making "single stack" complex network setups, network namespaces are independent of each other. "Multihoming" setups for example can be made much simpler. Or to create an "out of band" management network (mgmt) separated from "production" traffic, i.e.:

# add a namespace named "mgmt"
/sbin/ip netns add mgmt
# put physical interface "eno1" in mgmt namespace
/sbin/ip link set eno1 netns mgmt
# (optionally) apply sysctl config within mgmt namespace
/sbin/ip netns exec mgmt /sbin/sysctl -p /etc/sysctl.d/sysctl_disable_ra.conf
# bring up lo interface
/sbin/ip netns exec mgmt /sbin/ip link set lo up
# bring up eno1
/sbin/ip netns exec mgmt /sbin/ip link set eno1 up
# Add IPv6 management address
/sbin/ip netns exec mgmt /sbin/ip -6 addr add 2001:dead::beef/64 dev eno1
# Delete IPv6 management default route
/sbin/ip netns exec mgmt /sbin/ip -6 route del default
# Add IPv6 management default route
/sbin/ip netns exec mgmt /sbin/ip -6 route add default via 2001:dead::1

Add option to restrict permissions on configurations

It is possible for an interface configuration file to include sensitive information, such as passwords (e.g. wpa-psk).

By default, the configurations in interfaces.d are 0644 (readable by all).

It would be good to be able to restrict the permissions of these files to 0600.
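
An audit for the exposure this issue describes, as an added example that is not part of the issue or of the role's code: it lists files in a directory such as interfaces.d that contain a `wpa-psk` line and are accessible to group or other, and can tighten them to 0600. The function names and `SECRET_RE` are assumptions made for illustration, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example (not the role's code). SECRET_RE is an assumption: it only
# covers the wpa-psk option named in the issue; extend it for other
# secret-bearing options used on your hosts.
SECRET_RE='^[[:space:]]*wpa-psk[[:space:]]'

# Print "<octal mode> <path>" for each regular file in $1 that contains a
# secret-bearing option and has any group/other permission bit set.
audit_iface_perms() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        grep -Eq "$SECRET_RE" "$f" || continue
        mode=$(stat -c '%a' "$f")   # GNU stat: octal mode, e.g. 644
        case $mode in
            0|*00) ;;               # no group/other bits: nothing to report
            *) printf '%s %s\n' "$mode" "$f" ;;
        esac
    done
}

# Restrict every flagged file to owner read/write only (0600).
harden_iface_perms() {
    audit_iface_perms "$1" | while read -r _mode path; do
        chmod 0600 "$path"
    done
}

# Stand-alone use: pass the directory to audit as the first argument.
if [ "$#" -gt 0 ]; then
    audit_iface_perms "$1"
fi
```

Files without a secret-bearing option are left at their existing mode, so only the configurations that need protecting change.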

Documentation improvements

Great role, but I have some questions on the readme.

  1. What does network do? It's not a keyword in /etc/network/interfaces
  2. subnets confused me until I read through the template. The readme should explain a bit on its use
  3. No mention of CIDR support. Reading, and testing, the template code I realize I didn't have to use netmask but was instead able to use CIDR notation in address to specify both. This was also further confused with what purpose subnets fulfill.

the field 'args' has an invalid value

This yml throws an error and I can't really figure out why

- hosts: server
  remote_user: root
  roles:
    - role: dresden-weekly.network-interfaces
      network_interfaces:
      - device: eth0
        description: private interface
        auto: true
        family: inet
        method: static
        address: 10.0.0.2
        netmask: 255.255.255.192
        allow:
        - hotplug
        post-up:
        - route add -net 10.0.0.0 netmask 255.0.0.0 gw 10.0.0.1
        - route add -net 161.26.0.0 netmask 255.255.0.0 gw 10.0.0.1
fatal: [...]: FAILED! => {"failed": true, "msg": "the field 'args' has an invalid value, which appears to include a variable that is undefined. The error was: 'dict object' has no attribute 'path'\n\nThe error appears to have been in '/private/etc/ansible/roles/dresden-weekly.network-interfaces/tasks/manage_devices.yml': line 8, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n# depending on change the result stores dest or path\n- name: configured files\n  ^ here\n"}

Any ideas? Best, Dominik

Add automated testing

It seems quite a lot of users use this role now.

We should make sure we do not accidentally break the experience, with automated testing.

Unfortunately it's quite hard to test network configurations, as most headless servers need a working network. I do not know of a serial connection enabled CI server.

Any suggestions are welcome!

please make networking restart optional

hello, thanks for your module
I can tell it works fine on debian jessie 👍
please make optional the network service restart as it cut all my other interfaces even when network_manage_devices: no is configured

Error with Ansible 2.0

This configuration is working on 1.9.4 but fails on 2.0.0

roles:
  - role: network-interfaces
    network_manage_devices: yes
    network_interfaces:
    - device: eth0
      desciption: eth0
      auto: true
      family: inet
      method: static
      address: 192.168.1.10
      netmask: 255.255.255.0
      gateway: 192.168.1.1
      nameservers:
      - 192.168.1.1

with the following message:

ERROR! The conditional check '(0 != item.1 | selectattr('changed') | list | length) and ((0 != item.1 | selectattr('item.auto', 'undefined') | list | length)
  or (true in item.1 | selectattr('item.auto') | list))' failed.

The error was: ERROR! error while evaluating conditional ((0 != item.1 | selectattr('changed') | list | length) and ((0 != item.1 | selectattr('item.auto', 'undefined') | list | length)
  or (true in item.1 | selectattr('item.auto') | list))): ERROR! 'unicode object' has no attribute 'changed'

The error appears to have been in 'network-interfaces/tasks/main.yml': line 50, column 3, but may be elsewhere in the file depending on the exact syntax problem.

Does anyone have a fix for this?

Can not add virtual interfaces

I tried to add a virtual interface to eth1:

- device: eth1:0
  description: eth1:0 - mydomain.com
  auto: true
  family: inet
  method: static
  address: 1.2.3.4
  netmask: 255.255.255.248
  gateway: 1.2.3.1
  allow:
    - hotplug

which resulted in this error:

dresden-weekly.ansible-network-interfaces : network restart interface command
...
"stderr": "ifdown: interface eth1:0 not configured\nRTNETLINK answers: File exists", 
"stdout": "Failed to bring up eth1:0.",
...

The interface file is written but the restart fails.
And yes the interface is already there and up. But should this not work anyway? (It does for eth0/eth1)

Support setting of arbitrary iface options

The current implementation only supports a limited number of iface options: https://github.com/dresden-weekly/ansible-network-interfaces/blob/develop/templates/device.j2#L13.

The interfaces documentation states that, in addition to the standard options available for each family and method, options can be made available by other Debian packages. This potentially allows any key to be a valid option name.

My particular interest is in setting wpa_* options.

Jinja2 2.9.x broken

Looks like Jinja 2.9.x introduced some issue with the groupby filter used in the configurations task:

TASK [network-interfaces : configurations] *************************************
 [WARNING]: Exception in safe_eval() on expr: [_GroupTuple(grouper=u'eth0', ..., "msg": "AnsibleUndefinedVariable: 'unicode object' has no attribute 'device'"}

Tested with Ansible 2.2.0.0 and Jinja2 2.9.3.

is it possible not to try to restart interfaces after configuration?

I see there's a variable network_allow_service_restart, but this only seems to cover part of restarting things after interfaces are configured.

Is it (or could it be) possible to also have a way to not to try and restart the interfaces after their configuration is put in place?

The task i'm thinking of specifically is 'network restart interface command'. I want to not run this task at all and then simply reboot the machine afterwards.

Examples for bridges

Hi there,

Some examples/documentation for bridges would be appreciated.

Also, do your roles remove/replace the original eg. eth0 entries in /etc/network/interfaces when you define an eth0 using this role?

Ability to exclude/ignore device from manage_devices

The manage_devices is useful to delete extra interfaces that are not wanted.
However, there are some devices (e.g. lxc-net-bridge.cfg) that I don't want to configure using this module and I also don't want it to delete. There is currently no way to achieve that without turning off manage_devices.

Package netbase required on Debian docker image

When configuring a docker Debian image the following error occurs:

RUNNING HANDLER [dresden-weekly.network-interfaces : network all interfaces changed] ***
fatal: [localhost]: FAILED! => {"changed": false, "failed": true, "msg": "Could not find the requested service networking: host"}

Installing the ifupdown package seems to fix the issue.

Respect iproute2 method for multiple IPs

According to the Network Configuration for Debian documentation, you can have multiple IPs assigned to the same interface name without using virtual or aliased interface names. The file name for devices is as follows device-{{ item.device }}-{{ item.family | default('inet') }}, which is not unique if you use this method of multiple IPs.

For example:

auto eth0
allow-hotplug eth0
iface eth0 inet static
    address 192.168.1.42
    netmask 255.255.255.0
    gateway 192.168.1.1

iface eth0 inet static
    address 192.168.1.43
    netmask 255.255.255.0

iface eth0 inet static
    address 192.168.1.44
    netmask 255.255.255.0

You could have an optional unique identifier to append to the config filenames.
i.e.

network_interfaces:
- id: '42'
  device: eth0
  auto: true
  family: inet
  method: static
  address: 192.168.1.42
  ...
- id: '43'
  device: eth0
  auto: true
  family: inet
  method: static
  address: 192.168.1.43
  ...

then
device-{{ item.device }}-{{ item.family | default('inet') }}{{ '-' + item.id if item.id | default('') else '' }} for the file name.

MTU not being set

I have been having this issue that the mtu does not get set in my network definitions during my ansible build.

In my playbook the necessary lines are here:

    - role: dresden-weekly.network-interfaces
      network_manage_devices: yes
      when: result.stdout == "2"  ## see pre_tasks

      network_interfaces:
      - device: eth1
        description: Device Listener  
        auto: true
        allow: 
          - hotplug
        family: inet
        method: static
        address: 169.254.2.2
        network: 169.254.0.0
        netmask: 255.255.0.0
        mtu: 9000

However what appears in /etc/network/interfaces.d/device-eth1 is

# Ansible managed

auto eth1
allow-hotplug

iface eth1 inet static
  description Device Listener
  address 169.254.2.2
  netmask 255.255.0.0
  network 169.254.0.0

Nothing else affects that network interface in my build.

Any ideas on why the mtu is not getting set? I have been forced to add it manually on each device which is very annoying so I hope someone has a fix for this.

removal of old configs

Just a suggestion on how to manage interfaces/variables

Currently this role doesn't have a (great) manner to remove the configs.

My suggestion is that for management it could be quite easy like this..

Let's pretend my existing vars are like this:

network_interfaces:

- device: eth0
  description: just a description for humans to understand
  auto: true
  family: inet
  method: static
  address: 192.168.1.11
  netmask: 193.168.1.255
  gateway: 192.168.1.1

- device: eth0:1
  description: aliased NIC
  auto: true
  family: inet
  method: static
  address: 192.168.2.11
  netmask: 193.168.2.255

now.. let's say I want to de-configure eth0:1

What I suggest is:

  • rename the variable from network_interfaces to network_interfaces_enabled
  • create a task that removes the .cfg files under network_interfaces_disabled

Why

Simply.. as an admin.. to unconfigure.. you simply yank/cut the eth0:1 stuff under the _enabled array put it under the _disabled array.

I'm honestly not sure if this is the best way so I thought I would open the dialog before showing the crap I hacked up to do this lol 😄

Also.. I'm in a pub and waiting to watch South Africa play Argentina (rugby) right now so take it all with a pinch of salt.

Side Note

  • I did see the network_existing_files stuff and realised it conflicts with the PR (.cfg) I just submitted.
  • I'm actually thinking bruteforce "purging" like that may be more elegant for people like me who like things "stateful".. so maybe we should make that only erase .cfg files so we keep backups?

Just throwing ideas out there lol...

Regards -david

bridge-utils is not installed, created bridges fail to come up

This br0 interface was created by ansible-network-interfaces but fails to come up:

root@raspberrypi:/home/pi# ifup br0
Internet Systems Consortium DHCP Client 4.3.1
Copyright 2004-2014 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/

Cannot find device "br0"
Bind socket to interface: No such device

If you think you have received this message due to a bug rather
than a configuration issue please read the section on submitting
bugs on either our web page at www.isc.org or in the README file
before submitting a bug.  These pages explain the proper
process and the information we find helpful for debugging..

exiting.
Failed to bring up br0.

If I install bridge-utils manually the same command then succeeds:

root@raspberrypi:/home/pi# apt-get install bridge-utils
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  bridge-utils
0 upgraded, 1 newly installed, 0 to remove and 33 not upgraded.
Need to get 32.1 kB of archives.
After this operation, 60.4 kB of additional disk space will be used.
Get:1 http://mirrordirector.raspbian.org/raspbian/ jessie/main bridge-utils armhf 1.5-9 [32.1 kB]
Fetched 32.1 kB in 0s (36.4 kB/s)
Selecting previously unselected package bridge-utils.
(Reading database ... 118140 files and directories currently installed.)
Preparing to unpack .../bridge-utils_1.5-9_armhf.deb ...
Unpacking bridge-utils (1.5-9) ...
Processing triggers for man-db (2.7.0.2-5) ...
Setting up bridge-utils (1.5-9) ...
root@raspberrypi:/home/pi# ifup br0

Waiting for br0 to get ready (MAXWAIT is 32 seconds).
Internet Systems Consortium DHCP Client 4.3.1
Copyright 2004-2014 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/

Listening on LPF/br0/00:19:86:81:33:e7
Sending on   LPF/br0/00:19:86:81:33:e7
Sending on   Socket/fallback
DHCPDISCOVER on br0 to 255.255.255.255 port 67 interval 4
DHCPREQUEST on br0 to 255.255.255.255 port 67
DHCPOFFER from 17.67.247.1
DHCPACK from 17.67.247.1
Restarting ntp (via systemctl): ntp.service.
bound to 17.67.247.102 -- renewal in 32588 seconds.

It looks as though the ensure basic networking tools are installed needs updating.
