First deploy tests fail - due to private-IP/NAT-problem?

Hi,

I’m doing my first deploy tests with a test project, and it looks like Ansible fails with ferm for me.

Here’s my log/output:

TASK: [ferm | ensure iptables rules are enabled] ****************************** 
failed: [212.47.250.123] => {"changed": false, "cmd": ["ferm", "--slow", "/etc/ferm/ferm.conf"], "delta": "0:00:00.330372", "end": "2015-09-18 14:01:44.816909", "rc": 1, "start": "2015-09-18 14:01:44.486537", "warnings": []}
stderr: iptables: No chain/target/match by that name.

Firewall rules rolled back.

NOTIFIED: [fail2ban | restart fail2ban] *************************************** 
changed: [212.47.250.123]

NOTIFIED: [ferm | restart ferm] *********************************************** 
failed: [212.47.250.123] => {"failed": true}
msg: iptables: No chain/target/match by that name.

Firewall rules rolled back.


PLAY RECAP ******************************************************************** 
           to retry, use: --limit @/Users/helmi/server.retry

212.47.250.123             : ok=24   changed=15   unreachable=0    failed=2   

Don’t worry about the IP address being public - this is just a test machine that I will delete afterwards.

Could there be a problem with the fact that this server’s network interface only has a private IP instead of the public IP? I guess the provider does NAT to map the public IP to the private one; the interface itself only has a private one:

# ifconfig -a

eth0      Link encap:Ethernet  HWaddr 00:07:cb:03:2a:69  
          inet addr:10.1.16.97  Bcast:10.1.17.255  Mask:255.255.254.0
          inet6 addr: fe80::207:cbff:fe03:2a69/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2631956 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2059778 errors:0 dropped:7 overruns:0 carrier:0
          collisions:0 txqueuelen:532 
          RX bytes:381706753 (381.7 MB)  TX bytes:3104558709 (3.1 GB)
          Interrupt:8 

The playbook stops at this point, so I can’t continue testing. Is there anything I can reconfigure for such a case?

Thanks
Frank

Haven’t ever seen or come across that error, but the easy solution for the time being is just to skip ferm by setting ferm_enabled: false.

You could further debug by looking at the generated /etc/ferm/ferm.conf and the files in /etc/ferm/conf.d to see what’s going on. You could then try commenting things out until you got it working to actually narrow down the problem.

By default we only apply a few basic ferm rules: https://github.com/roots/trellis/blob/7f78498a099784816d7ee25987a57f6791c71bd9/group_vars/all/security.yml#L1-L8

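To turn the "look at the generated config and narrow it down" advice into a repeatable check, here is an added shell example. It is not code from this thread and not part of Trellis. It assumes (unverified on your host) that `ferm --noexec --lines /etc/ferm/ferm.conf` prints the rules ferm would install as plain `iptables ...` command lines without applying them, and that `/proc/net/ip_tables_matches` and `/proc/net/ip_tables_targets` list the match and target extensions the running kernel has registered. The function names and the rule set in the usage comment are hypothetical and constructed for illustration. The check reports which `-m` match or `-j` target in which rule is unknown to the kernel, which is exactly what "iptables: No chain/target/match by that name" complains about.

```shell
#!/bin/sh
# Added example (not from the thread, not Trellis code).
# Cross-check the iptables rules ferm generates against the match/target
# extensions the kernel actually has loaded.
#
# Assumed usage on the affected server:
#   ferm --noexec --lines /etc/ferm/ferm.conf \
#     | check_ferm_rules /proc/net/ip_tables_matches /proc/net/ip_tables_targets
#
# Exit status 1 and one line per missing extension, e.g.
#   missing match 'conntrack' (try: modprobe xt_conntrack) in: iptables -A INPUT -m conntrack ...

# name_listed NAME FILE: succeed if NAME appears as a whole line in FILE
name_listed() {
  grep -qxF -- "$1" "$2"
}

# module_hint NAME: kernel module that usually provides match/target NAME
# (the xt_<name> convention; tcp and udp matches live in xt_tcpudp,
#  the icmp match is built into ip_tables itself)
module_hint() {
  case "$1" in
    tcp|udp) echo "xt_tcpudp" ;;
    icmp)    echo "ip_tables (icmp match is built in)" ;;
    *)       echo "xt_$1" ;;
  esac
}

# check_ferm_rules MATCHES_FILE TARGETS_FILE
# Reads "iptables ..." command lines on stdin (constructed or from ferm --lines).
# Prints one line per match/target the kernel does not list and returns 1 if
# anything is missing, 0 otherwise. Nothing is executed against the firewall.
check_ferm_rules() {
  matches=$1
  targets=$2
  chains="INPUT OUTPUT FORWARD PREROUTING POSTROUTING"   # built-in chains
  builtin_targets="ACCEPT DROP RETURN"                    # core verdicts, never listed in the proc file
  missing=0
  while IFS= read -r line; do
    case "$line" in '') continue ;; esac
    # word-split the rule into its arguments (globbing disabled while doing so)
    set -f
    # shellcheck disable=SC2086
    set -- $line
    set +f
    case "$1" in iptables|ip6tables) shift ;; esac
    while [ $# -gt 0 ]; do
      case "$1" in
        -N)  # user-defined chain created by this rule; later -j to it is fine
             chains="$chains $2"; shift ;;
        -m)  name_listed "$2" "$matches" \
               || { echo "missing match '$2' (try: modprobe $(module_hint "$2")) in: $line"; missing=1; }
             shift ;;
        -p)  # -p tcp/udp/icmp implicitly loads a match of the same name
             case "$2" in
               tcp|udp|icmp)
                 name_listed "$2" "$matches" \
                   || { echo "missing match '$2' (try: modprobe $(module_hint "$2")) in: $line"; missing=1; } ;;
             esac
             shift ;;
        -j)  case " $builtin_targets $chains " in
               *" $2 "*) ;;   # built-in verdict or a chain declared with -N
               *) name_listed "$2" "$targets" \
                    || { echo "missing target '$2' (try: modprobe $(module_hint "$2")) in: $line"; missing=1; } ;;
             esac
             shift ;;
      esac
      shift
    done
  done
  return $missing
}
```

If the check names a match or target, try `modprobe` on the suggested module by hand. On a minimal or vendor ARM kernel that `modprobe` typically fails because the module was never built, in which case the rule has to be dropped from ferm.conf (or ferm disabled with `ferm_enabled: false`, as suggested above) rather than fixed on the Ansible side. Note the check only compares names: a match that is present but lacks a specific option on an old kernel still has to be found by commenting rules out.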

I should also point out there’s a ton of results on Google for exactly this error. You can probably assume it’s not directly a problem with Trellis/Ansible but with ferm and your networking setup (not saying you caused it though :smile:)


Thanks, @swalkinshaw. Probably it was a bit too optimistic to try it on an ARM-based Ubuntu :smile:

Even when disabling ferm, this led to several other problems. I switched to DigitalOcean for a bit more ease :wink:

And I’ve come way further, but I’m stuck a bit. I enabled HHVM, which made Ansible not skip the php5-fpm installation, which I think should be right, but then in the deploy process it seems to want to restart php5-fpm, which I don’t understand.

TASK: [deploy | Run post_finalize_commands] *********************************** 
changed: [1.2.3.4] => (item=if wp core is-installed; then wp eval 'wp_clean_themes_cache(); switch_theme(get_stylesheet());'; fi)
failed: [1.2.3.4] => (item=sudo service php5-fpm reload) => {"changed": true, "cmd": "sudo service php5-fpm reload", "delta": "0:00:00.037030", "end": "2015-09-18 16:48:38.742472", "item": "sudo service php5-fpm reload", "rc": 1, "start": "2015-09-18 16:48:38.705442", "warnings": []}
stderr: php5-fpm: unrecognized service

Or am I probably just understanding things wrong?

That’s a known bug: https://github.com/roots/trellis/issues/188.

We’re actively working on HHVM fixes here: https://github.com/roots/trellis/pull/343

In the meantime I wouldn’t use it. Please start a new thread if you have further separate issues. We don’t like these threads continuing on with multiple different subjects.


Won’t happen again. Sorry.

If you want, just split it out and link it - looks like my karma isn’t good enough yet to do so myself.