I got locked out by this role #64

Open
muelli opened this issue Oct 29, 2015 · 6 comments

Comments


muelli commented Oct 29, 2015

I don't think it should ever happen, but I was locked out of my system when using this role.

I'm basically trying to

```yaml
- include: ~/.local/share/debops/debops-playbooks/playbooks/common.yml
  roles:
    - role: debops.sshd
```

but that leaves me unconnectable.

```text
TASK: [debops.ferm | Allow SSH access from Ansible Controller] ****************
ok: [foo.local] => {"changed": false, "gid": 4, "group": "adm", "mode": "0644", "owner": "root", "path": "/etc/ferm/filter-input.d/10_ansible_controller.conf", "size": 236, "state": "file", "uid": 0}

TASK: [debops.ferm | Configure forwarding in ip(6)tables if enabled] **********
ok: [foo.local] => {"changed": false, "gid": 4, "group": "adm", "mode": "0644", "owner": "root", "path": "/etc/ferm/ferm.d/10_forward.conf", "size": 112, "state": "file", "uid": 0}

TASK: [debops.ferm | Remove ip(6)tables rules if requested] *******************
skipping: [foo.local] => (item={'category': 'filter', 'table': 'filter/input', 'type': 'conntrack', 'weight': '20'})
skipping: [foo.local] => (item={'category': 'filter', 'table': 'filter/forward', 'type': 'conntrack', 'weight': '20'})
skipping: [foo.local] => (item={'category': 'filter', 'table': 'filter/output', 'type': 'conntrack', 'weight': '20'})

TASK: [debops.ferm | Configure ip(6)tables rules] *****************************
ok: [foo.local] => (item={'category': 'filter', 'table': 'filter/input', 'type': 'conntrack', 'weight': '20'}) => {"changed": false, "gid": 4, "group": "adm", "item": {"category": "filter", "table": "filter/input", "type": "conntrack", "weight": "20"}, "mode": "0644", "owner": "root", "path": "/etc/ferm/filter/input/20_conntrack_rules.conf", "size": 190, "state": "file", "uid": 0}
ok: [foo.local] => (item={'category': 'filter', 'table': 'filter/forward', 'type': 'conntrack', 'weight': '20'}) => {"changed": false, "gid": 4, "group": "adm", "item": {"category": "filter", "table": "filter/forward", "type": "conntrack", "weight": "20"}, "mode": "0644", "owner": "root", "path": "/etc/ferm/filter/forward/20_conntrack_rules.conf", "size": 190, "state": "file", "uid": 0}
fatal: [foo.local] => ssh connection closed waiting for a privilege escalation password prompt

FATAL: all hosts have already failed -- aborting
```

I was lucky enough to be able to have physical access so I flushed iptables and stopped ferm. Then things worked again.

drybjed (Member) commented Oct 29, 2015

First of all, the use of include on the playbook level with roles: key doesn't make any sense. You are just including the whole playbook, not a specific role.

DebOps at the start of the run gets the IP address from which you are connecting, it's then used by debops.ferm to allow connections from that IP address. I'm not sure at what time you got blocked, but if it really happened in the middle of ferm rule generation, debops.ferm shouldn't be the reason - at this time iptables rules aren't even reloaded.

But I assume that it was at some later time, when debops.ferm was called by another role via a dependency. In that case the Ansible Controller whitelist should have been already enabled and not block your IP address. You can check in ferm local facts if your IP address is present.

ValentinFunk commented Apr 13, 2017

Just got locked out as well, is there a way to disable SSH blocking completely? Or whitelist all hosts? @drybjed

drybjed (Member) commented Apr 13, 2017

The issue is not that the debops.ferm blocks SSH, but it does not unblock it. The role has some basic support to allow access from the Ansible Controller to SSH service, but relies on other DebOps roles to configure this more specifically.

There are a few ways to deal with this.

Add the debops.core role to your playbook (explanation of how it should be used). This role gathers the IP address of the Ansible Controller and passes it to debops.ferm using Ansible local facts, that way debops.ferm knows which IP addresses are allowed to connect to SSH service.

Alternatively, in the inventory, specify a list of Ansible Controller IP addresses or subnets using the ferm__ansible_controllers variable. For example:

```yaml
ferm__ansible_controllers: [ '192.0.2.0/24' ]
```

The role will use that variable to configure firewall rules that allow these hosts access to the SSH service.

You can also start using the debops.sshd role, which uses debops.ferm and debops.tcpwrappers roles. It has a set of variables to specify what hosts can access the service, you most likely want to use the sshd__whitelist variable which similarly holds IP addresses or subnets.

Or, you can create firewall rules for SSH manually:

```yaml
ferm__rules:
  - name: 'accept-ssh'
    type: 'accept'
    weight: '00'
    saddr: [ '192.0.2.0/24' ]
```
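
Whichever of the options above is used, the practical question before the ruleset is reloaded is whether the address the target actually sees the Ansible Controller connecting from falls inside the whitelist. The script below is an added pre-flight check written for this thread; it is not part of debops.ferm or any DebOps role. It takes the whitelist as plain lists of CIDR strings (the values one would put in `ferm__ansible_controllers` or in the `saddr` of a manual accept rule; reading them from the inventory is left out to avoid a YAML dependency), reads the client address from `SSH_CONNECTION` as sshd exports it on the target, and refuses when no entry covers it. The sample `SSH_CONNECTION` value and subnets are constructed. It also shows the IPv4/IPv6 edge of the "whitelist everything" approach: `0.0.0.0/0` admits no IPv6 client.

```python
#!/usr/bin/env python3
"""Pre-flight check for firewall whitelists (added example, not DebOps code).

Confirm that the address the Ansible Controller is seen from on the target
is covered by the allowed subnets before a ruleset reload can cut the SSH
session. The whitelist is passed in as lists of CIDR strings; no inventory
parsing is done here.
"""
import ipaddress
import os
from typing import Iterable, Tuple


def controller_address(ssh_connection: str):
    """Return the client address from an SSH_CONNECTION value.

    sshd exports SSH_CONNECTION as 'client_ip client_port server_ip server_port'.
    The client address here is the one the target's firewall filters on, which
    is what matters when the controller sits behind NAT: a subnet read from
    the controller's own interfaces may not be what the target sees.
    """
    fields = ssh_connection.split()
    if len(fields) != 4:
        raise ValueError("SSH_CONNECTION should have four fields, got %r" % ssh_connection)
    return ipaddress.ip_address(fields[0])


def parse_networks(entries: Iterable[str]):
    """Parse CIDR strings; a bare address becomes a /32 or /128."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_whitelisted(addr, entries: Iterable[str]) -> bool:
    """True if addr falls inside any entry of the same IP version.

    '0.0.0.0/0' admits every IPv4 client but no IPv6 one, and '::/0' the
    reverse, so 'allow everything' needs both if the controller may connect
    over either address family.
    """
    return any(addr.version == net.version and addr in net
               for net in parse_networks(entries))


def check(ssh_connection: str,
          ansible_controllers: Iterable[str] = (),
          manual_rule_sources: Iterable[str] = ()) -> Tuple[bool, str]:
    """Combine both whitelist sources and report which one (if any) matched."""
    addr = controller_address(ssh_connection)
    if is_whitelisted(addr, ansible_controllers):
        return True, "%s is covered by ferm__ansible_controllers" % addr
    if is_whitelisted(addr, manual_rule_sources):
        return True, "%s is covered by a manual accept rule" % addr
    return False, ("%s is in neither whitelist; reloading the ruleset "
                   "would drop this SSH session" % addr)


if __name__ == "__main__":
    # Constructed fallback value; on a real host SSH_CONNECTION comes from sshd.
    conn = os.environ.get("SSH_CONNECTION", "192.0.2.10 51234 198.51.100.5 22")
    ok, reason = check(conn, ansible_controllers=["192.0.2.0/24"])
    print(("OK: " if ok else "REFUSE: ") + reason)
    raise SystemExit(0 if ok else 1)
```

Run it over SSH on the target before the role reloads the firewall; a non-zero exit means the subnet in the inventory does not match the address the target sees and the run should stop there rather than in the middle of a rule reload.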

ValentinFunk commented

Thanks a lot for the speedy and very detailed answer! 👍 😄
As i'm using this with docker i'll try going with

```yaml
- role: "debops.ferm"
  vars:
    ferm__ansible_controllers: ['0.0.0.0/0'] # Disable ferm ssh access filter
  tags: [ 'role::ferm' ]
  ferm__dependent_rules:
    - '{{ docker__ferm__dependent_rules }}'
```

drybjed (Member) commented Apr 13, 2017

@kamshak Very well. However, be aware that if you use the ferm__ansible_controllers variable as a role dependent variable, and then use the debops.ferm role without it somewhere else, the role will not see this value anymore and firewall rules for Ansible Controllers will change. To avoid that, put the ferm__ansible_controllers variable in the Ansible inventory; this way the value will always be present no matter what role you use.

ValentinFunk commented

I see, thanks :)
