anx's questions

A problem I keep running into in ansible is where one deployment step should run when any of a number of preparation step is changed, but the changed status is lost due to fatal errors.

When after one successfull preparation step, ansible cannot continue, I still want the machine to eventually reach the state the playbook was meant to achieve. But ansible forgets, e.g.:

- name: "(a) some task is changed"
  git:
    update: yes
    ...
  notify:
   # (b) ansible knows about having to call handler later!
   - apply

- name: "(c) connection lost here"
  command: ...
  notify:
   - apply

- name: apply
  # (d) handler never runs: on the next invocation git-fetch is a no-op
  command: /bin/never

Since the preparation step (a) is now a no-op, running again does not recover this information. For some tasks, just running ALL handlers is good enough. For others one can rewrite the handlers into tasks that know when: to run. But some tasks & checks are expensive and/or unreliable, so this is not always good enough.

Partial solutions:

1. Write out a file and check for its existence later instead of relying on the ansible handler. This feels like an antipattern. After all, ansible knows whats left to do - I just do not know how to get it to remember it across multiple attempts.
2. Stay in a loop until it works or manual fix is applied, however long that may be: This seems like a bad trade, because now I might not be able to use ansible against the same group of targets .. or I have to safeguard against undesirable side-effects of multiple concurrent runs
3. Just require a higher reliability of targets so its rare enough to justify always manually resolving these situations, using --start-at-task= and checking which handlers are still needed: Experience says, things do occasionally break, and right now I am adding more things that can.

Is there a pattern, feature or trick to properly handle such errors?

• Ansible Tips and Tricks: Dealing with Unreliable Connections and Services
• Ansible Docs: Error handling in playbooks
• Ansible issues #9323: Do not lose handler notifications on failure

I need to override the ExecStart Parameter of a systemd template. I have confirmed that the unit file exists & passes validation. Adding a [email protected]/override.conf file works well on some machines:

user@prod-west-1604$ systemctl --version | head -1
systemd 229
user@prod-west-1604$ file -b /etc/systemd/system/[email protected]
symbolic link to /lib/systemd/system/nginx.service

user@prod-west-1604$ sudo systemctl edit [email protected]
# (opens editor as expected)

However, on machines running newer systemd versions, the operation fails:

user@prod-east-1810$ systemctl --version | head -1
systemd 239
user@prod-east-1810$ file -b /etc/systemd/system/[email protected]
symbolic link to /lib/systemd/system/nginx.service

user@prod-east-1810$ sudo systemctl edit [email protected]
Failed to get the load state of [email protected]: Unit name [email protected] is neither a valid invocation ID nor unit name.

Why?

Company policy requires some ssh keys to be stored securely, e.g. on dedicated USB device. Using keys not stored on the host machine works flawlessly using gnupg with enable-ssh-support, even when multiple keys are used:

Host example.com
    HostName ssh.example.com
    IdentityFile ~/.ssh/smartcard.pub
Host example.net
    HostName git.example.net
    IdentityFile ~/.ssh/another-smartcard.pub
Host example.org
    HostName sftp.example.org
    IdentityFile ~/.ssh/id_rsa.pub

IdentitiesOnly yes
PasswordAuthentication no
PubkeyAuthentication yes

However, when the hardware is unplugged, gpg removes the key from the agent and subsequent ssh calls result in:

Enter passphrase for key '/home/user/.ssh/smartcard.pub':

This seems odd, as both ssh and ssh-agent should be well aware that that file contains a public key only. Is there a good way of making ssh fail verbosely if it has no way of accessing the specified key, instead of asking for a (pointless) passphrase?

Incomplete solutions:

1. remove IdentitiesOnly - ssh will then try all usable keys as expected - but leads to trouble with servers limiting authentication attempts per session
2. wrap ssh in some way alias ssh='grep ^4096 <(ssh-add -l)' && ssh' - works, but will cause headache in case someone ever wants to find out why his ssh setup is broken

My (linux) server has some fairly simple iptables rules.

iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -m tcp -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -m tcp -p tcp --dport https -j ACCEPT
iptables -A INPUT -j LOG
iptables -A INPUT -j NFLOG
iptables -A INPUT -j DROP

ICMP goes unfiltered, but no other uncessessary connections allowed. The NFLOG rule just stores packets into a packet capture fule (pcap). Because syslog got quite spammy, i looked into the details of the packets.

tshark -V -a filesize:1 -r /scooby/doo.pcap (IPs & Ports [replaced])

Frame 1: 52 bytes on wire (416 bits), 52 bytes captured (416 bits)
    Encapsulation type: Raw IP (7)
    [Protocols in frame: raw:ip:gre:ip:udp:data]
Internet Protocol Version 4, Src: [incoming IP] ([incoming IP]), Dst: [my server IP] ([my server IP])
    Version: 4
    Header length: 20 bytes
    Total Length: 52
    Identification: 0x0000 (0)
    Flags: 0x02 (Don't Fragment)
    Time to live: 52
    Protocol: GRE (47)
Generic Routing Encapsulation (IP)
    Flags and Version: 0x0000
    Protocol Type: IP (0x0800)
Internet Protocol Version 4, Src: [not my IP1] ([not my IP1]), Dst: [not my IP2] ([not my IP2])
    Version: 4
    Header length: 20 bytes
    Total Length: 28
    Time to live: 64
    Protocol: UDP (17)
User Datagram Protocol, Src Port: [random port1] ([random port1]), Dst Port: [random port2] ([random port2])
    Length: 8

The unsolicited packets are mostly ip:gre:ip:udp packets. The volume of GRE packets - usually multiple per minute - greatly outweights other unsolicited packets (vulnerability scanners / spammers / port scanners). None of the IPs inside the GRE encapsulation have any special meaning to me, just various regular IPs belonging to (exclusively) US-based companies (so, not entirely random addresses).

Why would someone send those GRE packets?

Are there known DoS vulnerabilities related to GRE packets? Is this an attemt to fool misonfigured routers/servers into forwarding the encapsulated packets to their apparent destination? Does the sender try to gather information about the nature of potential GRE tunnels i may have setup?

Bonus: Is the most reasonable reaction really "-j DROP"-ing them?

One website I maintain is composed of multiple local applications, all proxied by the same nginx instance. Each application is running under its own user and exposing a unix socket writable by the web server group www-data.

All application users are part of the www-data group, so they can chown their sockets. How can i improve my setup, so that a vulnerability in one application can no longer be used to attempt further privilege escalation through direct connections to the other sockets?

My previous solution: Create a new group for every user and add the web server to all those. This solution is less preferable, as it complicates adding/removing applications & requires a hard restart of the web server to update groups.

One postfix instance at sub.example.com is pushing mail to example.com via LAN, which is both a mail server and a router:

Internet
|
|
203.0.113.1 
<example.com> (127.0.1.1 in /etc/hosts)
192.168.1.1
|
|
192.168.1.99
<sub.example.com>

Every time a LAN mail is received, a warning message is logged:

postfix/smtpd[1337]: warning: hostname example.com does not resolve to address 203.0.113.1

However, the domain does resolve to the address, with only one A record (but no rdns):

# dig example.com
example.com.          3600   IN   A    203.0.113.1
# dig -x 203.0.113.1
..                       1   IN   PTR  new-customer.isp.example

While reverse DNS is NOT correct, that is not what the warning says, nor does it explain why it is only triggered by LAN mail. As confirmed via tcpdump, the LAN mail server EHLOs with sub.example.com - which is known to the postfix server as 192.168.1.99.

What is triggering the warning?