Blocking YouTube videos with iptables - youtube

I'm trying to find a way to block YouTube video playback on my kid's Ubuntu computer. I created a shell script to get YouTube IPs and add them to iptables so that incoming packets are dropped. To do so, I grab the IPs with whois -h whois.radb.net -- '-i origin AS15169'
The problem is that I not only get YouTube IPs, but all Google IPs. Thus, blocking them also blocks access to other Google services, among them Google Search, Google Drive, Google Mail, etc.
I added a few exceptions too, with a domain whitelist, but this is still not enough.
Here is the shell script:
#!/bin/bash
IPTABLES=/sbin/iptables
IP6TABLES=/sbin/ip6tables

function block_ips() {
  for THIS_IP in $1; do
    # IPv4 range
    if [[ $THIS_IP =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$ ]]; then
      echo "Blocking $THIS_IP"
      $IPTABLES -A funban -s $THIS_IP -j fundrop
    fi
    # IPv4
    if [[ $THIS_IP =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
      echo "Blocking $THIS_IP"
      $IPTABLES -A funban -s $THIS_IP -j fundrop
    fi
    # IPv6 range
    if [[ $THIS_IP =~ ^([0-9A-Fa-f]{0,4}:){0,7}[0-9A-Fa-f]{0,4}\/[0-9]{1,3}$ ]]; then
      echo "Blocking $THIS_IP"
      $IP6TABLES -A funban -s $THIS_IP -j fundrop
    fi
    # IPv6
    if [[ $THIS_IP =~ ^([0-9A-Fa-f]{0,4}:){0,7}[0-9A-Fa-f]{0,4}$ ]]; then
      echo "Blocking $THIS_IP"
      $IP6TABLES -A funban -s $THIS_IP -j fundrop
    fi
  done
}

function accept_ips() {
  for THIS_IP in $1; do
    # IPv4 range
    if [[ $THIS_IP =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$ ]]; then
      echo "Allowing $THIS_IP"
      errormessage=$(${IPTABLES} -C funban -s $THIS_IP -j ACCEPT 2>&1)
      if [[ $errormessage =~ 'Bad rule' ]]; then
        echo " Added $THIS_IP"
        $IPTABLES -I funban -s $THIS_IP -j ACCEPT
      fi
    fi
    # IPv4
    if [[ $THIS_IP =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
      errormessage=$(${IPTABLES} -C funban -s $THIS_IP -j ACCEPT 2>&1)
      if [[ $errormessage =~ 'Bad rule' ]]; then
        echo " Added $THIS_IP"
        $IPTABLES -I funban -s $THIS_IP -j ACCEPT
      fi
    fi
    # IPv6 range
    if [[ $THIS_IP =~ ^([0-9A-Fa-f]{0,4}:){0,7}[0-9A-Fa-f]{0,4}\/[0-9]{1,3}$ ]]; then
      errormessage=$(${IP6TABLES} -C funban -s $THIS_IP -j ACCEPT 2>&1)
      if [[ $errormessage =~ 'Bad rule' ]]; then
        echo " Added $THIS_IP"
        $IP6TABLES -I funban -s $THIS_IP -j ACCEPT
      fi
    fi
    # IPv6
    if [[ $THIS_IP =~ ^[0-9A-Fa-f]{0,4}:([0-9A-Fa-f]{0,4}:){0,6}[0-9A-Fa-f]{0,4}$ ]]; then
      errormessage=$(${IP6TABLES} -C funban -s $THIS_IP -j ACCEPT 2>&1)
      if [[ $errormessage =~ 'Bad rule' ]]; then
        echo " Added $THIS_IP"
        $IP6TABLES -I funban -s $THIS_IP -j ACCEPT
      fi
    fi
  done
}

function get_ip4() {
  echo "$(dig ${1} A | grep -E '^[^;]' | grep -o -E '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+')"
}

function get_ip6() {
  echo "$(dig ${1} AAAA | grep -E '^[^;]' | grep -o -E '[0-9A-Fa-f]{0,4}:([0-9A-Fa-f]{0,4}:){0,6}[0-9A-Fa-f]{0,4}')"
}

errormessage=$(${IPTABLES} -n -L funban 2>&1)
if [[ $errormessage =~ 'No chain/target/match by that name' ]]; then
  echo "Create funban (IPv4)"
  $IPTABLES -N funban
fi
errormessage=$(${IP6TABLES} -n -L funban 2>&1)
if [[ $errormessage =~ 'No chain/target/match by that name' ]]; then
  echo "Create funban (IPv6)"
  $IP6TABLES -N funban
fi
errormessage=$(${IPTABLES} -L fundrop 2>&1)
if [[ $errormessage =~ 'No chain/target/match by that name' ]]; then
  echo "Create fundrop (IPv4)"
  $IPTABLES -N fundrop
  $IPTABLES -A fundrop -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
  $IPTABLES -A fundrop -j DROP
fi
errormessage=$(${IP6TABLES} -L fundrop 2>&1)
if [[ $errormessage =~ 'No chain/target/match by that name' ]]; then
  echo "Create fundrop (IPv6)"
  $IP6TABLES -N fundrop
  $IP6TABLES -A fundrop -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
  $IP6TABLES -A fundrop -j DROP
fi
errormessage=$(${IPTABLES} -C INPUT -j funban 2>&1)
if [[ $errormessage =~ 'No chain/target/match by that name' ]]; then
  echo "Filter IPv4"
  $IPTABLES -A INPUT -j funban
fi
errormessage=$(${IP6TABLES} -C INPUT -j funban 2>&1)
if [[ $errormessage =~ 'No chain/target/match by that name' ]]; then
  echo "Filter IPv6"
  $IP6TABLES -A INPUT -j funban
fi

# Flush funban chain
$IPTABLES -F funban
$IP6TABLES -F funban

# Block all Google-related IPs. The "AS15169" is taken from
# http://networktools.nl/asinfo/google.com
# Add these IPs to make google search to work (NOTE: This is not sufficient and blocks Google searches)
block_ips "$(whois -h whois.radb.net -- '-i origin AS15169' | grep -E '^route6?\:')"

while read domain; do
  echo "Whitelisting $domain"
  accept_ips $(get_ip4 $domain)
  accept_ips $(get_ip6 $domain)
done <whitelist.txt
I am trying to find another robust solution, based on iptables (my kid is clever enough to circumvent hosts blocking, for example).
I thought about nDPI netfilter, but it seems it's no longer available as an iptables module in Ubuntu 20.04.
$ iptables -mndpi --help
iptables v1.8.4 (legacy): Couldn't load match `ndip':No such file or directory
Any idea?

Related

how to differentiate two tls/ssl certification keys to keep the good one in deployment pipeline

I have a deployment pipeline using this great tutorial: https://pentacent.medium.com/nginx-and-lets-encrypt-with-docker-in-less-than-5-minutes-b4b8a60d3a71
I'm using this shell script to first generate a dummy key to run nginx and then replace it with the good key at the same path. I would like to be able to tell the good key from the dummy key, so that I can keep the good key in the following deployment pipeline runs and avoid recreating new dummy keys, deleting them and replacing them with new keys.
The dummy key is issued to "localhost", but I don't see anything in the privkey.pem or fullchain.pem that I can use to differentiate it from the good key.
How could I do that?
Here is the shell script:
#!/bin/bash

if ! [ -x "$(command -v docker-compose)" ]; then
  echo 'Error: docker-compose is not installed.' >&2
  exit 1
fi

domains=(domaine www.domaine)
rsa_key_size=4096
data_path="./data/certbot"
email="aurel.pere#gmail.com" # Adding a valid address is strongly recommended
staging=0 # Set to 1 if you're testing your setup to avoid hitting request limits

#if [ -d "$data_path" ]; then
#  read -p "Existing data found for $domains. Continue and replace existing certificate? (y/N) " decision
#  if [ "$decision" != "Y" ] && [ "$decision" != "y" ]; then
#    exit
#  fi
#fi

if [ ! -e "$data_path/conf/options-ssl-nginx.conf" ] || [ ! -e "$data_path/conf/ssl-dhparams.pem" ]; then
  echo "### Downloading recommended TLS parameters ..."
  sudo mkdir -p "$data_path/conf"
  sudo curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf > "$data_path/conf/options-ssl-nginx.conf"
  sudo curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem > "$data_path/conf/ssl-dhparams.pem"
  echo
fi

if [ ! -e "$data_path/conf/live/domaine/fullchain.pem" ]; then
  echo "### Creating dummy certificate for $domains ..."
  path="/etc/letsencrypt/live/$domains"
  mkdir -p "$data_path/conf/live/$domains"
  docker-compose run --rm --entrypoint "\
    openssl req -x509 -nodes -newkey rsa:$rsa_key_size -days 1\
      -keyout '$path/privkey.pem' \
      -out '$path/fullchain.pem' \
      -subj '/CN=localhost'" certbot
  echo
fi

echo "### Starting nginx ..."
docker-compose up --force-recreate -d nginx
echo

#if [ ! -e "$data_path/conf/live/domaine/fullchain.pem" ]; then
echo "### Deleting dummy certificate for $domains ..."
docker-compose run --rm --entrypoint "\
  rm -Rf /etc/letsencrypt/live/$domains && \
  rm -Rf /etc/letsencrypt/archive/$domains && \
  rm -Rf /etc/letsencrypt/renewal/$domains.conf" certbot
echo
#fi

echo "### Requesting Let's Encrypt certificate for $domains ..."
# Join $domains to -d args
domain_args=""
for domain in "${domains[@]}"; do
  domain_args="$domain_args -d $domain"
done

# Select appropriate email arg
case "$email" in
  "") email_arg="--register-unsafely-without-email" ;;
  *) email_arg="--email $email" ;;
esac

# Enable staging mode if needed
if [ $staging != "0" ]; then staging_arg="--staging"; fi

#if [ ! -e "$data_path/conf/live/domaine/fullchain.pem" ]; then
docker-compose run --rm --entrypoint "\
  certbot certonly --non-interactive --webroot -w /var/www/certbot \
    $staging_arg \
    $email_arg \
    $domain_args \
    --rsa-key-size $rsa_key_size \
    --agree-tos \
    --force-renewal" certbot
echo
#fi

echo "### Reloading nginx ..."
docker-compose exec -T nginx nginx -s reload
echo "nginx reloaded"
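
One way to tell the two certificates apart, as an added example that is not part of the original post: the dummy created by `openssl req -x509 ... -subj '/CN=localhost'` is self-signed, so its subject and issuer are identical, while a CA-issued leaf in fullchain.pem has a different issuer. The function names, the file names and the constructed test certificates below are assumptions of this example.

```shell
#!/bin/sh
# Added example; function and file names are hypothetical.

# classify_cert FILE
# Prints one of: missing | unreadable | dummy | issued
# "dummy" means the first certificate in FILE is self-signed
# (subject == issuer), which is what the bootstrap step produces.
classify_cert() {
    cert=$1
    [ -s "$cert" ] || { echo missing; return 0; }
    # openssl x509 parses only the first PEM block, i.e. the leaf
    # certificate when FILE is a fullchain.pem.
    subject=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 2>/dev/null) \
        || { echo unreadable; return 0; }
    issuer=$(openssl x509 -in "$cert" -noout -issuer -nameopt RFC2253 2>/dev/null) \
        || { echo unreadable; return 0; }
    if [ "${subject#subject=}" = "${issuer#issuer=}" ]; then
        echo dummy
    else
        echo issued
    fi
}

# needs_bootstrap FILE
# Exit status 0 when the pipeline still has to create or replace the
# certificate, 1 when a CA-issued certificate is already in place.
needs_bootstrap() {
    [ "$(classify_cert "$1")" != issued ]
}

# make_constructed_samples DIR
# Builds constructed test input offline: DIR/dummy.pem (self-signed,
# CN=localhost) and DIR/fullchain.pem (leaf signed by a throwaway CA,
# followed by that CA), mirroring the layout of a real fullchain.pem.
make_constructed_samples() {
    d=$1
    openssl req -x509 -nodes -newkey rsa:2048 -days 1 \
        -keyout "$d/dummy.key" -out "$d/dummy.pem" \
        -subj '/CN=localhost' 2>/dev/null
    openssl req -x509 -nodes -newkey rsa:2048 -days 1 \
        -keyout "$d/ca.key" -out "$d/ca.pem" \
        -subj '/CN=Constructed Test CA' 2>/dev/null
    openssl req -new -nodes -newkey rsa:2048 \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" \
        -subj '/CN=example.test' 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
    cat "$d/leaf.pem" "$d/ca.pem" > "$d/fullchain.pem"
}

# Usage in the pipeline (path taken from the script above):
#   if needs_bootstrap "$data_path/conf/live/domaine/fullchain.pem"; then
#       ... create dummy, start nginx, request the real certificate ...
#   fi
```

A certificate obtained with `staging=1` is also CA-issued and is reported as `issued`; compare the issuer string as well if staging certificates must be treated as replaceable.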

Iptables block access docker container from host

I have iptables rules that are blocking access to a Docker container from the host (access from the outside network is working fine). Most of these rules were written by my ex-coworker, so basically I have no experience writing iptables rules.
Could someone help me with some advice on which lines of the rules I should edit/remove/add so I can simply curl my Docker container from the host?
Here are my iptables rules:
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-N cphulk
-N dynamic
-N loc-fw
-N loc_frwd
-N logdrop
-N logflags
-N logreject
-N net-fw
-N net-loc
-N net_frwd
-N reject
-N sha-lh-f039fe5b47b48a558b61
-N sha-rh-5f1a9db64e7d114e7d5b
-N shorewall
-N smurflog
-N smurfs
-N tcpflags
-A INPUT -j cphulk
-A INPUT -i eth0 -j net-fw
-A INPUT -i eth1 -j loc-fw
-A INPUT -i lo -j ACCEPT
-A INPUT -m addrtype --dst-type BROADCAST -j DROP
-A INPUT -m addrtype --dst-type ANYCAST -j DROP
-A INPUT -m addrtype --dst-type MULTICAST -j DROP
-A INPUT -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name lograte -j LOG --log-prefix "INPUT REJECT " --log-level 6
-A INPUT -g reject
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-d7d9cacee34d -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-d7d9cacee34d -j DOCKER
-A FORWARD -i br-d7d9cacee34d ! -o br-d7d9cacee34d -j ACCEPT
-A FORWARD -i br-d7d9cacee34d -o br-d7d9cacee34d -j ACCEPT
-A FORWARD -o br-72d36b8824e3 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-72d36b8824e3 -j DOCKER
-A FORWARD -i br-72d36b8824e3 ! -o br-72d36b8824e3 -j ACCEPT
-A FORWARD -i br-72d36b8824e3 -o br-72d36b8824e3 -j ACCEPT
-A FORWARD -i eth0 -j net_frwd
-A FORWARD -i eth1 -j loc_frwd
-A FORWARD -m addrtype --dst-type BROADCAST -j DROP
-A FORWARD -m addrtype --dst-type ANYCAST -j DROP
-A FORWARD -m addrtype --dst-type MULTICAST -j DROP
-A FORWARD -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name lograte -j LOG --log-prefix "FORWARD REJECT " --log-level 6
-A FORWARD -g reject
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 1337 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-d7d9cacee34d ! -o br-d7d9cacee34d -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-72d36b8824e3 ! -o br-72d36b8824e3 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-d7d9cacee34d -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-72d36b8824e3 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
-A cphulk -s xxxxxxx/32 -m state --state NEW -m time --datestop 2021-03-30T21:20:09 -j DROP
-A cphulk -s xxxxxxx/32 -m state --state NEW -m time --datestop 2021-03-30T21:39:50 -j DROP
-A cphulk -s xxxxxxx/32 -m state --state NEW -m time --datestop 2021-03-30T22:04:17 -j DROP
-A cphulk -s xxxxxxx/32 -m state --state NEW -m time --datestop 2021-03-30T22:04:18 -j DROP
-A cphulk -s xxxxxxx/32 -m state --state NEW -m time --datestop 2021-03-30T22:13:35 -j DROP
-A cphulk -s xxxxxxx/32 -m state --state NEW -m time --datestop 2021-03-30T23:25:36 -j DROP
-A cphulk -s xxxxxxx/32 -m state --state NEW -m time --datestop 2021-03-31T02:26:53 -j DROP
-A cphulk -s xxxxxxx/32 -m state --state NEW -m time --datestop 2021-03-31T02:26:54 -j DROP
-A cphulk -s xxxxxxx/32 -m state --state NEW -m time --datestop 2021-03-31T03:21:43 -j DROP
-A cphulk -s xxxxxxx/32 -m state --state NEW -m time --datestop 2021-03-31T07:59:55 -j DROP
-A cphulk -s xxxxxxx/32 -m state --state NEW -m time --datestop 2021-03-31T15:33:49 -j DROP
-A cphulk -s xxxxxxx/32 -m state --state NEW -m time --datestop 2021-03-31T16:09:47 -j DROP
-A loc-fw -j dynamic
-A loc-fw -m conntrack --ctstate INVALID,NEW,UNTRACKED -j smurfs
-A loc-fw -p tcp -j tcpflags
-A loc-fw -j ACCEPT
-A loc_frwd -j dynamic
-A loc_frwd -m conntrack --ctstate INVALID,NEW,UNTRACKED -j smurfs
-A loc_frwd -p tcp -j tcpflags
-A loc_frwd -o eth0 -j ACCEPT
-A logdrop -j DROP
-A logflags -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name lograte -j LOG --log-prefix "logflags DROP " --log-level 6 --log-ip-options
-A logflags -j DROP
-A logreject -j reject
-A net-fw -j dynamic
-A net-fw -m conntrack --ctstate INVALID,NEW,UNTRACKED -j smurfs
-A net-fw -p udp -m udp --dport 67:68 -j ACCEPT
-A net-fw -p tcp -j tcpflags
-A net-fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A net-fw -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A net-fw -p tcp -m multiport --dports 22,53,80,443,10000,3306,5500,2087,2083,21,110,995,993,25,465 -j ACCEPT
-A net-fw -p tcp -m multiport --dports 587,2096,5432,8080 -j ACCEPT
-A net-fw -p tcp -m multiport --dports 8181 -j ACCEPT
-A net-fw -p udp -m udp --dport 53 -j ACCEPT
-A net-fw -m addrtype --dst-type BROADCAST -j DROP
-A net-fw -m addrtype --dst-type ANYCAST -j DROP
-A net-fw -m addrtype --dst-type MULTICAST -j DROP
-A net-fw -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name lograte -j LOG --log-prefix "net-fw DROP " --log-level 6
-A net-fw -j DROP
-A net-loc -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A net-loc -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A net-loc -m addrtype --dst-type BROADCAST -j DROP
-A net-loc -m addrtype --dst-type ANYCAST -j DROP
-A net-loc -m addrtype --dst-type MULTICAST -j DROP
-A net-loc -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name lograte -j LOG --log-prefix "net-loc DROP " --log-level 6
-A net-loc -j DROP
-A reject -m addrtype --src-type BROADCAST -j DROP
-A reject -s 224.0.0.0/4 -j DROP
-A reject -p igmp -j DROP
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A reject -j REJECT --reject-with icmp-host-prohibited
-A shorewall -m recent --set --name %CURRENTTIME --mask 255.255.255.255 --rsource
-A smurflog -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name lograte -j LOG --log-prefix "smurfs DROP " --log-level 6
-A smurflog -j DROP
-A smurfs -s 0.0.0.0/32 -j RETURN
-A smurfs -m addrtype --src-type BROADCAST -g smurflog
-A smurfs -s 224.0.0.0/4 -g smurflog
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g logflags
-A tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -g logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,PSH,ACK FIN,PSH -g logflags
-A tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g logflags
Thank you
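
A check over a rule listing like the one above, as an added example that is not part of the original post: replies from a container to a connection the host opened arrive in the INPUT chain on the Docker bridge interface, so the function lists bridge interfaces that FORWARD handles but that no INPUT rule matches with `-i`. The function names are hypothetical, the sample is a constructed excerpt of the listing, and the check assumes, as in that listing, that unmatched INPUT traffic ends in a drop or reject.

```shell
#!/bin/sh
# Added example; function names are hypothetical.

# Constructed excerpt of the `iptables -S` listing in the post.
constructed_sample_rules() {
    cat <<'EOF'
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -j cphulk
-A INPUT -i eth0 -j net-fw
-A INPUT -i eth1 -j loc-fw
-A INPUT -i lo -j ACCEPT
-A INPUT -g reject
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -o br-d7d9cacee34d -j DOCKER
-A FORWARD -i br-72d36b8824e3 ! -o br-72d36b8824e3 -j ACCEPT
-A FORWARD -i eth0 -j net_frwd
EOF
}

# uncovered_input_ifaces
# Reads `iptables -S` output on stdin and prints, one per line, every
# docker0 / br-* interface referenced in FORWARD that has no
# "-A INPUT -i <iface>" rule. Prints nothing when an interface-agnostic
# INPUT rule already accepts ESTABLISHED traffic.
uncovered_input_ifaces() {
    awk '
        $1 == "-A" && $2 == "INPUT" {
            has_iface = 0
            for (i = 3; i < NF; i++) {
                if ($i == "-i") { covered[$(i + 1)] = 1; has_iface = 1 }
            }
            # A rule without -i that accepts established flows covers
            # reply packets on every interface.
            if (!has_iface && index($0, "ESTABLISHED") && index($0, "-j ACCEPT")) {
                global_accept = 1
            }
        }
        $1 == "-A" && $2 == "FORWARD" {
            for (i = 3; i < NF; i++) {
                if (($i == "-i" || $i == "-o") && $(i + 1) ~ /^(docker0$|br-)/) {
                    bridges[$(i + 1)] = 1
                }
            }
        }
        END {
            if (global_accept) exit
            for (b in bridges) if (!(b in covered)) print b
        }
    ' | LC_ALL=C sort
}

# Usage on a live host:  iptables -S | uncovered_input_ifaces
```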

same playbook between jenkins and ansible server doesn't work

I'm trying to manage my Ansible server with a Jenkins job, and I observe two different results for two similar actions.
This is my playbook:
- hosts: lpdepmld2
  gather_facts: no
  tasks:
    - shell: whoami; hostname; pwd
      register: test
    - debug:
        msg: "{{ test.stdout_lines }}"
Locally on the Ansible server, I execute:
cd /etc/ansible
whoami; hostname; pwd
ansible-playbook /etc/ansible/playbooks/test.yml --private-key /home/ansible/.ssh/id_rsa -u ansible -vvv
And it works as expected. Result:
root
lpansmld1
/etc/ansible
ansible-playbook 2.8.4
config file = /etc/ansible/ansible.cfg
configured module search path = [u'/etc/ansible/library']
ansible python module location = /usr/lib/python2.7/site-packages/ansible
executable location = /bin/ansible-playbook
python version = 2.7.5 (default, Jun 11 2019, 14:33:56) [GCC 4.8.5 20150623 (Red Hat 4.8.5-39)]
Using /etc/ansible/ansible.cfg as config file
host_list declined parsing /etc/ansible/hosts as it did not pass it's verify_file() method
auto declined parsing /etc/ansible/hosts as it did not pass it's verify_file() method
[WARNING]: Invalid characters were found in group names but not replaced, use -vvvv to see details
Parsed /etc/ansible/hosts inventory source with ini plugin
PLAYBOOK: test.yml **********************************************************************************************************************************************************************************************************************
1 plays in /etc/ansible/playbooks/test.yml
PLAY [lpdepmld2] ************************************************************************************************************************************************************************************************************************
META: ran handlers
TASK [shell] ****************************************************************************************************************************************************************************************************************************
task path: /etc/ansible/playbooks/test.yml:6
Tuesday 29 December 2020 16:35:05 +0100 (0:00:00.111) 0:00:00.112 ******
<lpdepmld2.uem.lan> ESTABLISH SSH CONNECTION FOR USER: ansible
<lpdepmld2.uem.lan> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o 'IdentityFile="/home/ansible/.ssh/id_rsa"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="ansible"' -o ConnectTimeout=60 -o ControlPath=/root/.ansible/cp/a35139d2ee lpdepmld2.uem.lan '/bin/sh -c '"'"'echo ~ansible && sleep 0'"'"''
<lpdepmld2.uem.lan> (0, '/home/ansible\n', '')
<lpdepmld2.uem.lan> ESTABLISH SSH CONNECTION FOR USER: ansible
<lpdepmld2.uem.lan> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o 'IdentityFile="/home/ansible/.ssh/id_rsa"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="ansible"' -o ConnectTimeout=60 -o ControlPath=/root/.ansible/cp/a35139d2ee lpdepmld2.uem.lan '/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo /home/ansible/.ansible/tmp/ansible-tmp-1609256105.11-16196748238057 `" && echo ansible-tmp-1609256105.11-16196748238057="` echo /home/ansible/.ansible/tmp/ansible-tmp-1609256105.11-16196748238057 `" ) && sleep 0'"'"''
<lpdepmld2.uem.lan> (0, 'ansible-tmp-1609256105.11-16196748238057=/home/ansible/.ansible/tmp/ansible-tmp-1609256105.11-16196748238057\n', '')
<lpdepmld2> Attempting python interpreter discovery
<lpdepmld2.uem.lan> ESTABLISH SSH CONNECTION FOR USER: ansible
<lpdepmld2.uem.lan> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o 'IdentityFile="/home/ansible/.ssh/id_rsa"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="ansible"' -o ConnectTimeout=60 -o ControlPath=/root/.ansible/cp/a35139d2ee lpdepmld2.uem.lan '/bin/sh -c '"'"'echo PLATFORM; uname; echo FOUND; command -v '"'"'"'"'"'"'"'"'/usr/bin/python'"'"'"'"'"'"'"'"'; command -v '"'"'"'"'"'"'"'"'python3.7'"'"'"'"'"'"'"'"'; command -v '"'"'"'"'"'"'"'"'python3.6'"'"'"'"'"'"'"'"'; command -v '"'"'"'"'"'"'"'"'python3.5'"'"'"'"'"'"'"'"'; command -v '"'"'"'"'"'"'"'"'python2.7'"'"'"'"'"'"'"'"'; command -v '"'"'"'"'"'"'"'"'python2.6'"'"'"'"'"'"'"'"'; command -v '"'"'"'"'"'"'"'"'/usr/libexec/platform-python'"'"'"'"'"'"'"'"'; command -v '"'"'"'"'"'"'"'"'/usr/bin/python3'"'"'"'"'"'"'"'"'; command -v '"'"'"'"'"'"'"'"'python'"'"'"'"'"'"'"'"'; echo ENDFOUND && sleep 0'"'"''
<lpdepmld2.uem.lan> (0, 'PLATFORM\nLinux\nFOUND\n/usr/bin/python\n/usr/bin/python2.7\n/usr/bin/python\nENDFOUND\n', '')
<lpdepmld2.uem.lan> ESTABLISH SSH CONNECTION FOR USER: ansible
<lpdepmld2.uem.lan> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o 'IdentityFile="/home/ansible/.ssh/id_rsa"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="ansible"' -o ConnectTimeout=60 -o ControlPath=/root/.ansible/cp/a35139d2ee lpdepmld2.uem.lan '/bin/sh -c '"'"'/usr/bin/python && sleep 0'"'"''
<lpdepmld2.uem.lan> (0, '{"osrelease_content": "NAME=\\"Red Hat Enterprise Linux Server\\"\\nVERSION=\\"7.5 (Maipo)\\"\\nID=\\"rhel\\"\\nID_LIKE=\\"fedora\\"\\nVARIANT=\\"Server\\"\\nVARIANT_ID=\\"server\\"\\nVERSION_ID=\\"7.5\\"\\nPRETTY_NAME=\\"Red Hat Enterprise Linux Server 7.5 (Maipo)\\"\\nANSI_COLOR=\\"0;31\\"\\nCPE_NAME=\\"cpe:/o:redhat:enterprise_linux:7.5:GA:server\\"\\nHOME_URL=\\"https://www.redhat.com/\\"\\nBUG_REPORT_URL=\\"https://bugzilla.redhat.com/\\"\\n\\nREDHAT_BUGZILLA_PRODUCT=\\"Red Hat Enterprise Linux 7\\"\\nREDHAT_BUGZILLA_PRODUCT_VERSION=7.5\\nREDHAT_SUPPORT_PRODUCT=\\"Red Hat Enterprise Linux\\"\\nREDHAT_SUPPORT_PRODUCT_VERSION=\\"7.5\\"\\n", "platform_dist_result": ["redhat", "7.5", "Maipo"]}\n', '')
Using module file /usr/lib/python2.7/site-packages/ansible/modules/commands/command.py
<lpdepmld2.uem.lan> PUT /root/.ansible/tmp/ansible-local-102513iMMnYg/tmpzX9hsf TO /home/ansible/.ansible/tmp/ansible-tmp-1609256105.11-16196748238057/AnsiballZ_command.py
<lpdepmld2.uem.lan> SSH: EXEC sftp -b - -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o 'IdentityFile="/home/ansible/.ssh/id_rsa"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="ansible"' -o ConnectTimeout=60 -o ControlPath=/root/.ansible/cp/a35139d2ee '[lpdepmld2.uem.lan]'
<lpdepmld2.uem.lan> (0, 'sftp> put /root/.ansible/tmp/ansible-local-102513iMMnYg/tmpzX9hsf /home/ansible/.ansible/tmp/ansible-tmp-1609256105.11-16196748238057/AnsiballZ_command.py\n', '')
<lpdepmld2.uem.lan> ESTABLISH SSH CONNECTION FOR USER: ansible
<lpdepmld2.uem.lan> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o 'IdentityFile="/home/ansible/.ssh/id_rsa"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="ansible"' -o ConnectTimeout=60 -o ControlPath=/root/.ansible/cp/a35139d2ee lpdepmld2.uem.lan '/bin/sh -c '"'"'chmod u+x /home/ansible/.ansible/tmp/ansible-tmp-1609256105.11-16196748238057/ /home/ansible/.ansible/tmp/ansible-tmp-1609256105.11-16196748238057/AnsiballZ_command.py && sleep 0'"'"''
<lpdepmld2.uem.lan> (0, '', '')
<lpdepmld2.uem.lan> ESTABLISH SSH CONNECTION FOR USER: ansible
<lpdepmld2.uem.lan> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o 'IdentityFile="/home/ansible/.ssh/id_rsa"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="ansible"' -o ConnectTimeout=60 -o ControlPath=/root/.ansible/cp/a35139d2ee -tt lpdepmld2.uem.lan '/bin/sh -c '"'"'/usr/bin/python /home/ansible/.ansible/tmp/ansible-tmp-1609256105.11-16196748238057/AnsiballZ_command.py && sleep 0'"'"''
<lpdepmld2.uem.lan> (0, '\r\n{"changed": true, "end": "2020-12-29 16:35:06.054473", "stdout": "ansible\\nlpdepmld2\\n/home/ansible", "cmd": "whoami; hostname; pwd", "rc": 0, "start": "2020-12-29 16:35:06.047227", "stderr": "", "delta": "0:00:00.007246", "invocation": {"module_args": {"creates": null, "executable": null, "_uses_shell": true, "strip_empty_ends": true, "_raw_params": "whoami; hostname; pwd", "removes": null, "argv": null, "warn": true, "chdir": null, "stdin_add_newline": true, "stdin": null}}}\r\n', 'Shared connection to lpdepmld2.uem.lan closed.\r\n')
<lpdepmld2.uem.lan> ESTABLISH SSH CONNECTION FOR USER: ansible
<lpdepmld2.uem.lan> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o 'IdentityFile="/home/ansible/.ssh/id_rsa"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="ansible"' -o ConnectTimeout=60 -o ControlPath=/root/.ansible/cp/a35139d2ee lpdepmld2.uem.lan '/bin/sh -c '"'"'rm -f -r /home/ansible/.ansible/tmp/ansible-tmp-1609256105.11-16196748238057/ > /dev/null 2>&1 && sleep 0'"'"''
<lpdepmld2.uem.lan> (0, '', '')
changed: [lpdepmld2] => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": true,
"cmd": "whoami; hostname; pwd",
"delta": "0:00:00.007246",
"end": "2020-12-29 16:35:06.054473",
"invocation": {
"module_args": {
"_raw_params": "whoami; hostname; pwd",
"_uses_shell": true,
"argv": null,
"chdir": null,
"creates": null,
"executable": null,
"removes": null,
"stdin": null,
"stdin_add_newline": true,
"strip_empty_ends": true,
"warn": true
}
},
"rc": 0,
"start": "2020-12-29 16:35:06.047227",
"stderr": "",
"stderr_lines": [],
"stdout": "ansible\nlpdepmld2\n/home/ansible",
"stdout_lines": [
"ansible",
"lpdepmld2",
"/home/ansible"
]
}
TASK [debug] ****************************************************************************************************************************************************************************************************************************
task path: /etc/ansible/playbooks/test.yml:9
Tuesday 29 December 2020 16:35:06 +0100 (0:00:01.067) 0:00:01.179 ******
ok: [lpdepmld2] => {
"msg": [
"ansible",
"lpdepmld2",
"/home/ansible"
]
}
META: ran handlers
META: ran handlers
PLAY RECAP ******************************************************************************************************************************************************************************************************************************
lpdepmld2 : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
Tuesday 29 December 2020 16:35:06 +0100 (0:00:00.034) 0:00:01.214 ******
===============================================================================
shell ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 1.07s
/etc/ansible/playbooks/test.yml:6 ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
debug ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 0.04s
/etc/ansible/playbooks/test.yml:9 ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Playbook run took 0 days, 0 hours, 0 minutes, 1 seconds
And the /var/log/secure log on the remote server at this moment:
Dec 29 16:35:05 lpdepmld2 sshd[61126]: Accepted publickey for ansible from 192.168.210.101 port 55946 ssh2: RSA SHA256:iZKO/9tfS6am2YAk8JRKDalRRwDNDubC5FAm+UUA9qw
Dec 29 16:35:05 lpdepmld2 sshd[61126]: pam_unix(sshd:session): session opened for user ansible by (uid=0)
So now, I'm doing the same thing with Jenkins, through this job:
#!/bin/bash
cd /etc/ansible
whoami; hostname; pwd
ansible-playbook /etc/ansible/playbooks/test.yml --private-key /home/ansible/.ssh/id_rsa -u ansible -vvv
The Jenkins result:
Started by user adminlocal
Running as SYSTEM
Building remotely on lpansmld1 in workspace /data/jenkins_agent/workspace/test/test
[test] $ /bin/bash /tmp/jenkins1557636937643197894.sh
root
lpansmld1
/etc/ansible
ansible-playbook 2.8.4
config file = /etc/ansible/ansible.cfg
configured module search path = [u'/etc/ansible/library']
ansible python module location = /usr/lib/python2.7/site-packages/ansible
executable location = /usr/bin/ansible-playbook
python version = 2.7.5 (default, Jun 11 2019, 14:33:56) [GCC 4.8.5 20150623 (Red Hat 4.8.5-39)]
Using /etc/ansible/ansible.cfg as config file
host_list declined parsing /etc/ansible/hosts as it did not pass it's verify_file() method
auto declined parsing /etc/ansible/hosts as it did not pass it's verify_file() method
[WARNING]: Invalid characters were found in group names but not replaced, use
-vvvv to see details
Parsed /etc/ansible/hosts inventory source with ini plugin
PLAYBOOK: test.yml *************************************************************
1 plays in /etc/ansible/playbooks/test.yml
PLAY [lpdepmld2] ***************************************************************
META: ran handlers
TASK [shell] *******************************************************************
task path: /etc/ansible/playbooks/test.yml:6
Tuesday 29 December 2020 16:38:53 +0100 (0:00:00.106) 0:00:00.106 ******
<lpdepmld2.uem.lan> ESTABLISH SSH CONNECTION FOR USER: ansible
<lpdepmld2.uem.lan> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o 'IdentityFile="/home/ansible/.ssh/id_rsa"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="ansible"' -o ConnectTimeout=60 -o ControlPath=/root/.ansible/cp/a35139d2ee lpdepmld2.uem.lan '/bin/sh -c '"'"'echo ~ansible && sleep 0'"'"''
<lpdepmld2.uem.lan> (0, '/home/ansible\n', '')
<lpdepmld2.uem.lan> ESTABLISH SSH CONNECTION FOR USER: ansible
<lpdepmld2.uem.lan> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o 'IdentityFile="/home/ansible/.ssh/id_rsa"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="ansible"' -o ConnectTimeout=60 -o ControlPath=/root/.ansible/cp/a35139d2ee lpdepmld2.uem.lan '/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo /home/ansible/.ansible/tmp/ansible-tmp-1609256333.17-248021594072394 `" && echo ansible-tmp-1609256333.17-248021594072394="` echo /home/ansible/.ansible/tmp/ansible-tmp-1609256333.17-248021594072394 `" ) && sleep 0'"'"''
<lpdepmld2.uem.lan> (0, 'ansible-tmp-1609256333.17-248021594072394=/home/ansible/.ansible/tmp/ansible-tmp-1609256333.17-248021594072394\n', '')
<lpdepmld2> Attempting python interpreter discovery
<lpdepmld2.uem.lan> ESTABLISH SSH CONNECTION FOR USER: ansible
<lpdepmld2.uem.lan> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o 'IdentityFile="/home/ansible/.ssh/id_rsa"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="ansible"' -o ConnectTimeout=60 -o ControlPath=/root/.ansible/cp/a35139d2ee lpdepmld2.uem.lan '/bin/sh -c '"'"'echo PLATFORM; uname; echo FOUND; command -v '"'"'"'"'"'"'"'"'/usr/bin/python'"'"'"'"'"'"'"'"'; command -v '"'"'"'"'"'"'"'"'python3.7'"'"'"'"'"'"'"'"'; command -v '"'"'"'"'"'"'"'"'python3.6'"'"'"'"'"'"'"'"'; command -v '"'"'"'"'"'"'"'"'python3.5'"'"'"'"'"'"'"'"'; command -v '"'"'"'"'"'"'"'"'python2.7'"'"'"'"'"'"'"'"'; command -v '"'"'"'"'"'"'"'"'python2.6'"'"'"'"'"'"'"'"'; command -v '"'"'"'"'"'"'"'"'/usr/libexec/platform-python'"'"'"'"'"'"'"'"'; command -v '"'"'"'"'"'"'"'"'/usr/bin/python3'"'"'"'"'"'"'"'"'; command -v '"'"'"'"'"'"'"'"'python'"'"'"'"'"'"'"'"'; echo ENDFOUND && sleep 0'"'"''
<lpdepmld2.uem.lan> (0, 'PLATFORM\nLinux\nFOUND\n/usr/bin/python\n/usr/bin/python2.7\n/usr/bin/python\nENDFOUND\n', '')
<lpdepmld2.uem.lan> ESTABLISH SSH CONNECTION FOR USER: ansible
<lpdepmld2.uem.lan> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o 'IdentityFile="/home/ansible/.ssh/id_rsa"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="ansible"' -o ConnectTimeout=60 -o ControlPath=/root/.ansible/cp/a35139d2ee lpdepmld2.uem.lan '/bin/sh -c '"'"'/usr/bin/python && sleep 0'"'"''
<lpdepmld2.uem.lan> (0, '{"osrelease_content": "NAME=\\"Red Hat Enterprise Linux Server\\"\\nVERSION=\\"7.5 (Maipo)\\"\\nID=\\"rhel\\"\\nID_LIKE=\\"fedora\\"\\nVARIANT=\\"Server\\"\\nVARIANT_ID=\\"server\\"\\nVERSION_ID=\\"7.5\\"\\nPRETTY_NAME=\\"Red Hat Enterprise Linux Server 7.5 (Maipo)\\"\\nANSI_COLOR=\\"0;31\\"\\nCPE_NAME=\\"cpe:/o:redhat:enterprise_linux:7.5:GA:server\\"\\nHOME_URL=\\"https://www.redhat.com/\\"\\nBUG_REPORT_URL=\\"https://bugzilla.redhat.com/\\"\\n\\nREDHAT_BUGZILLA_PRODUCT=\\"Red Hat Enterprise Linux 7\\"\\nREDHAT_BUGZILLA_PRODUCT_VERSION=7.5\\nREDHAT_SUPPORT_PRODUCT=\\"Red Hat Enterprise Linux\\"\\nREDHAT_SUPPORT_PRODUCT_VERSION=\\"7.5\\"\\n", "platform_dist_result": ["redhat", "7.5", "Maipo"]}\n', '')
Using module file /usr/lib/python2.7/site-packages/ansible/modules/commands/command.py
<lpdepmld2.uem.lan> PUT /root/.ansible/tmp/ansible-local-105179U75Grh/tmp7Lwygf TO /home/ansible/.ansible/tmp/ansible-tmp-1609256333.17-248021594072394/AnsiballZ_command.py
<lpdepmld2.uem.lan> SSH: EXEC sftp -b - -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o 'IdentityFile="/home/ansible/.ssh/id_rsa"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="ansible"' -o ConnectTimeout=60 -o ControlPath=/root/.ansible/cp/a35139d2ee '[lpdepmld2.uem.lan]'
<lpdepmld2.uem.lan> (0, 'sftp> put /root/.ansible/tmp/ansible-local-105179U75Grh/tmp7Lwygf /home/ansible/.ansible/tmp/ansible-tmp-1609256333.17-248021594072394/AnsiballZ_command.py\n', '')
<lpdepmld2.uem.lan> ESTABLISH SSH CONNECTION FOR USER: ansible
<lpdepmld2.uem.lan> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o 'IdentityFile="/home/ansible/.ssh/id_rsa"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="ansible"' -o ConnectTimeout=60 -o ControlPath=/root/.ansible/cp/a35139d2ee lpdepmld2.uem.lan '/bin/sh -c '"'"'chmod u+x /home/ansible/.ansible/tmp/ansible-tmp-1609256333.17-248021594072394/ /home/ansible/.ansible/tmp/ansible-tmp-1609256333.17-248021594072394/AnsiballZ_command.py && sleep 0'"'"''
<lpdepmld2.uem.lan> (0, '', '')
<lpdepmld2.uem.lan> ESTABLISH SSH CONNECTION FOR USER: ansible
<lpdepmld2.uem.lan> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o 'IdentityFile="/home/ansible/.ssh/id_rsa"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="ansible"' -o ConnectTimeout=60 -o ControlPath=/root/.ansible/cp/a35139d2ee -tt lpdepmld2.uem.lan '/bin/sh -c '"'"'/usr/bin/python /home/ansible/.ansible/tmp/ansible-tmp-1609256333.17-248021594072394/AnsiballZ_command.py && sleep 0'"'"''
<lpdepmld2.uem.lan> (2, "/usr/bin/python: can't open file '/home/ansible/.ansible/tmp/ansible-tmp-1609256333.17-248021594072394/AnsiballZ_command.py': [Errno 13] Permission denied\r\n", 'Shared connection to lpdepmld2.uem.lan closed.\r\n')
<lpdepmld2.uem.lan> Failed to connect to the host via ssh: Shared connection to lpdepmld2.uem.lan closed.
<lpdepmld2.uem.lan> ESTABLISH SSH CONNECTION FOR USER: ansible
<lpdepmld2.uem.lan> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o 'IdentityFile="/home/ansible/.ssh/id_rsa"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="ansible"' -o ConnectTimeout=60 -o ControlPath=/root/.ansible/cp/a35139d2ee lpdepmld2.uem.lan '/bin/sh -c '"'"'rm -f -r /home/ansible/.ansible/tmp/ansible-tmp-1609256333.17-248021594072394/ > /dev/null 2>&1 && sleep 0'"'"''
<lpdepmld2.uem.lan> (0, '', '')
fatal: [lpdepmld2]: FAILED! => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"module_stderr": "Shared connection to lpdepmld2.uem.lan closed.\r\n",
"module_stdout": "/usr/bin/python: can't open file '/home/ansible/.ansible/tmp/ansible-tmp-1609256333.17-248021594072394/AnsiballZ_command.py': [Errno 13] Permission denied\r\n",
"msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
"rc": 2
}
PLAY RECAP *********************************************************************
lpdepmld2 : ok=0 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
Tuesday 29 December 2020 16:38:54 +0100 (0:00:00.956) 0:00:01.063 ******
===============================================================================
shell ------------------------------------------------------------------- 0.96s
/etc/ansible/playbooks/test.yml:6 ---------------------------------------------
Playbook run took 0 days, 0 hours, 0 minutes, 1 seconds
Build step 'Execute shell' marked build as failure
Finished: FAILURE
And the /var/log/secure log on the remote server at this moment:
Dec 29 16:38:53 lpdepmld2 sshd[64613]: Accepted publickey for ansible from 192.168.210.101 port 56150 ssh2: RSA SHA256:iZKO/9tfS6am2YAk8JRKDalRRwDNDubC5FAm+UUA9qw
Dec 29 16:38:53 lpdepmld2 sshd[64613]: pam_unix(sshd:session): session opened for user ansible by (uid=0)
In both cases, I can see on the remote side that I'm correctly connected with the private key and with the "Ansible" user. So that's why I don't understand the Jenkins error result.
I already tried to set something like this in ansible.cfg:
remote_tmp = /tmp/.ansible-${USER}/tmp
But it doesn't work either.
Does somebody know what the problem is?
Thanks.

How to use cron inside a Docker container

I tried to add a crontab inside the Docker image "jenkinsci/blueocean", but after that Jenkins does not start. Where could the problem be?
Many thanks in advance for any help.
<Dockerfile>
FROM jenkinsci/blueocean:1.17.0
USER root
ENV SUPERCRONIC_URL=https://github.com/aptible/supercronic/releases/download/v0.1.9/supercronic-linux-amd64 \
SUPERCRONIC=supercronic-linux-amd64 \
SUPERCRONIC_SHA1SUM=5ddf8ea26b56d4a7ff6faecdd8966610d5cb9d85
RUN curl -fsSLO "$SUPERCRONIC_URL" \
&& echo "${SUPERCRONIC_SHA1SUM} ${SUPERCRONIC}" | sha1sum -c - \
&& chmod +x "$SUPERCRONIC" \
&& mv "$SUPERCRONIC" "/usr/local/bin/${SUPERCRONIC}" \
&& ln -s "/usr/local/bin/${SUPERCRONIC}" /usr/local/bin/supercronic
ADD crontab /etc/crontab
CMD ["supercronic", "/etc/crontab"]
<crontab>
# Run every minute
*/1 * * * * echo "hello world"
commands:
$ docker build -t jenkins_test .
$ docker run -it -p 8080:8080 --name=container_jenkins jenkins_test
If you use docker inspect jenkinsci/blueocean:1.17.0, you will see its entrypoint is:
"Entrypoint": [
"/sbin/tini",
"--",
"/usr/local/bin/jenkins.sh"
],
So, when the container starts, it will first execute the following script.
/usr/local/bin/jenkins.sh:
#! /bin/bash -e
: "${JENKINS_WAR:="/usr/share/jenkins/jenkins.war"}"
: "${JENKINS_HOME:="/var/jenkins_home"}"
touch "${COPY_REFERENCE_FILE_LOG}" || { echo "Can not write to ${COPY_REFERENCE_FILE_LOG}. Wrong volume permissions?"; exit 1; }
echo "--- Copying files at $(date)" >> "$COPY_REFERENCE_FILE_LOG"
find /usr/share/jenkins/ref/ \( -type f -o -type l \) -exec bash -c '. /usr/local/bin/jenkins-support; for arg; do copy_reference_file "$arg"; done' _ {} +
# if `docker run` first argument start with `--` the user is passing jenkins launcher arguments
if [[ $# -lt 1 ]] || [[ "$1" == "--"* ]]; then
# read JAVA_OPTS and JENKINS_OPTS into arrays to avoid need for eval (and associated vulnerabilities)
java_opts_array=()
while IFS= read -r -d '' item; do
java_opts_array+=( "$item" )
done < <([[ $JAVA_OPTS ]] && xargs printf '%s\0' <<<"$JAVA_OPTS")
readonly agent_port_property='jenkins.model.Jenkins.slaveAgentPort'
if [ -n "${JENKINS_SLAVE_AGENT_PORT:-}" ] && [[ "${JAVA_OPTS:-}" != *"${agent_port_property}"* ]]; then
java_opts_array+=( "-D${agent_port_property}=${JENKINS_SLAVE_AGENT_PORT}" )
fi
if [[ "$DEBUG" ]] ; then
java_opts_array+=( \
'-Xdebug' \
'-Xrunjdwp:server=y,transport=dt_socket,address=5005,suspend=y' \
)
fi
jenkins_opts_array=( )
while IFS= read -r -d '' item; do
jenkins_opts_array+=( "$item" )
done < <([[ $JENKINS_OPTS ]] && xargs printf '%s\0' <<<"$JENKINS_OPTS")
exec java -Duser.home="$JENKINS_HOME" "${java_opts_array[@]}" -jar ${JENKINS_WAR} "${jenkins_opts_array[@]}" "$@"
fi
# As argument is not jenkins, assume user want to run his own process, for example a `bash` shell to explore this image
exec "$@"
From the above script you can see that if you add CMD ["supercronic", "/etc/crontab"] to your own Dockerfile, then when your container starts, it is equivalent to executing the following:
/usr/local/bin/jenkins.sh "supercronic" "/etc/crontab"
Since the condition if [[ $# -lt 1 ]] || [[ "$1" == "--"* ]]; then does not match, it directly executes the exec "$@" on the last line, so the Jenkins start code is never executed.
To fix it, you have to use your own docker-entrypoint.sh to override its default entrypoint:
docker-entrypoint.sh:
#!/bin/bash
supercronic /etc/crontab &
/usr/local/bin/jenkins.sh
Dockerfile:
FROM jenkinsci/blueocean:1.17.0
USER root
ENV SUPERCRONIC_URL=https://github.com/aptible/supercronic/releases/download/v0.1.9/supercronic-linux-amd64 \
SUPERCRONIC=supercronic-linux-amd64 \
SUPERCRONIC_SHA1SUM=5ddf8ea26b56d4a7ff6faecdd8966610d5cb9d85
RUN curl -fsSLO "$SUPERCRONIC_URL" \
&& echo "${SUPERCRONIC_SHA1SUM} ${SUPERCRONIC}" | sha1sum -c - \
&& chmod +x "$SUPERCRONIC" \
&& mv "$SUPERCRONIC" "/usr/local/bin/${SUPERCRONIC}" \
&& ln -s "/usr/local/bin/${SUPERCRONIC}" /usr/local/bin/supercronic
ADD crontab /etc/crontab
COPY docker-entrypoint.sh /
RUN chmod +x /docker-entrypoint.sh
ENTRYPOINT ["/sbin/tini", "--", "/docker-entrypoint.sh"]
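The entrypoint above starts supercronic in the background and then runs jenkins.sh without arguments. As an added example (not part of the original answer), here is a variant that passes arguments through to jenkins.sh and stops the container as soon as either process exits, so a dead cron runner does not go unnoticed. The names run_with_sidecar and SIDECAR_BIN are hypothetical and exist only in this sketch.

```shell
#!/bin/sh
# Added example: hypothetical replacement for docker-entrypoint.sh.
# SIDECAR_BIN and run_with_sidecar are names invented for this sketch.
SIDECAR_BIN="${SIDECAR_BIN:-supercronic}"

# run_with_sidecar CRONTAB MAIN [ARGS...]
# Starts "$SIDECAR_BIN CRONTAB" and MAIN side by side, stops both as soon as
# either one exits, and returns MAIN's exit status.
run_with_sidecar() {
  if [ "$#" -lt 2 ]; then
    echo "usage: run_with_sidecar CRONTAB MAIN [ARGS...]" >&2
    return 64
  fi
  crontab_file=$1
  shift

  "$SIDECAR_BIN" "$crontab_file" &
  sidecar_pid=$!
  "$@" &
  main_pid=$!

  # tini forwards SIGTERM/SIGINT to this script; relay them to both children.
  trap 'kill -TERM "$sidecar_pid" "$main_pid" 2>/dev/null' TERM INT

  # Poll until one of the two processes is gone.
  while kill -0 "$sidecar_pid" 2>/dev/null && kill -0 "$main_pid" 2>/dev/null; do
    sleep 1
  done
  trap - TERM INT

  # Take the survivor down too, so the container stops instead of running
  # with only half of its workload.
  kill -TERM "$sidecar_pid" "$main_pid" 2>/dev/null || true
  main_status=0
  wait "$main_pid" 2>/dev/null || main_status=$?
  wait "$sidecar_pid" 2>/dev/null || true
  return "$main_status"
}

# As the last line of the entrypoint script:
#   run_with_sidecar /etc/crontab /usr/local/bin/jenkins.sh "$@"
```

With this as the entrypoint, arguments beginning with `--` given to docker run still reach the Jenkins launcher branch of jenkins.sh, and a non-zero exit lets a Docker restart policy react.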

Running a script for wget some resources when openwrt start

#!/bin/sh /etc/rc.common
START=95
STOP=10
start(){
while true
do
exist=$(ping -c 2 www.baidu.com |wc -l)
if [ $exist -ne 0 ];then
break
fi
done
wget -O /zhuye.html http://www.baidu.com
}
When OpenWrt restarts, I want the system to run the script, but wget doesn't work. Why?
I solved it: I just changed "wget -O /zhuye.html http://www.baidu.com" to "wget -O /zhuye.html http://www.baidu.com >/dev/null 2>&1".

Resources