8

I am trying to create Ansible playbooks to install and configure Kerberos on CentOS 7.

I have a task which yum installs the required RPMs:

    - name: install kerberos
      yum: name={{ item }} state=present
      with_items:
        - krb5-server
        - krb5-libs

And a task to start the service:

    - name: start kerberos service
      service: name=krb5kdc.service state=started enabled=yes

The playbook fails with:

    TASK [kerberos : start the systemd kerberos service]  ********************************
    fatal: [zen_wozniak]: FAILED! => {"changed": false, "msg": "Could not find the requested service krb5kdc.service: host"}

This seems like it should be pretty simple: yum install the RPM and then start the service, but the service unit file can't even be found. What am I doing wrong?

For clarity, I am using Ansible 2.4.2.0 and the centos:7.3.1611 Docker base image.

Edit: The yum install step is working...

    TASK [kerberos : debug] ***********************************************************************************************
    ok: [brave_payne] => {
        "result": {
            "changed": false,
            "failed": false,
            "results": [
                {
                    "arch": "x86_64",
                    "envra": "0:krb5-server-1.15.1-8.el7.x86_64",
                    "epoch": "0",
                    "name": "krb5-server",
                    "release": "8.el7",
                    "repo": "base",
                    "version": "1.15.1",
                    "yumstate": "available"
                },
                {
                    "arch": "x86_64",
                    "envra": "0:krb5-server-1.15.1-8.el7.x86_64",
                    "epoch": "0",
                    "name": "krb5-server",
                    "release": "8.el7",
                    "repo": "installed",
                    "version": "1.15.1",
                    "yumstate": "installed"
                }
            ]
        }
    }

Logging into the failed Ansible container and manually starting looks like this:

    [root@94e29c0e8bdd /]# systemctl status krb5kdc.service
    Failed to get D-Bus connection: Operation not permitted

And yes, the container is running privileged:

    docker inspect --format='{{.HostConfig.Privileged}}' 94e29c0e8bdd
    true

ayyrex
  • This is not an Ansible issue one bit - Ansible is only reporting what you would see otherwise if you did it manually. – man0v Mar 02 '18 at 11:12
  • My bad, I am still a novice with dockerization and Ansible. Part of my confusion is that if I take the same playbook and remove the Kerberos installation, the image it produces is able to run all of these commands in the shell without a problem. Once I made it part of the playbook then I have problems like this. – ayyrex Mar 02 '18 at 19:11

2 Answers

6

UPDATE:

With the Ansible systemd module, you can add: daemon_reload: yes


ORIGINAL ANSWER:

It looks like a random issue. The workaround is to run from the machine:

    systemctl daemon-reload

Or to run it with Ansible:

    ansible <host> --become -m shell -a 'systemctl daemon-reload'

forzagreen
0

I think the root of the problem is that the container is not privileged and therefore can't talk to dbus, which likely means that the systemd status being returned to Ansible contains the text LoadState=not-found in the output of systemctl show krb5kdc.service, which is what causes Ansible to provide the error you got.

Adam Miller
  • Checking the in-progress container, it says it is privileged though. – ayyrex Mar 02 '18 at 19:09
  • Is it "super privileged"[0] and has access to the host's IPC and network namespace? [0] - https://developers.redhat.com/blog/2014/11/06/introducing-a-super-privileged-container-concept/ – Adam Miller Mar 04 '18 at 03:54
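
Added example, not part of any post above: a play that combines the first answer's daemon_reload with the second answer's systemctl show check, so the run reports whether systemd was unreachable (as with the D-Bus error in the question) or the unit file is really missing. The play name, the hosts pattern and the kdc_unit variable are assumptions; krb5kdc.service and krb5-server come from the question.

```yaml
# Added example (not from the original posts). The play name, "hosts: all"
# and the kdc_unit variable are assumptions; the unit name is the question's.
- name: start krb5kdc only when systemd can actually see the unit
  hosts: all
  become: yes
  vars:
    kdc_unit: krb5kdc.service
  tasks:
    # Pick up unit files installed after systemd last scanned its directories.
    # Errors are tolerated here; the next two tasks report them precisely.
    - name: reload systemd unit files
      command: systemctl daemon-reload
      changed_when: false
      failed_when: false

    # "systemctl show" exits 0 and prints LoadState=not-found for an unknown
    # unit, and exits non-zero when it cannot talk to systemd at all.
    - name: ask systemd for the unit's load state
      command: systemctl show {{ kdc_unit }} --property=LoadState
      register: unit_show
      changed_when: false
      failed_when: false

    - name: stop if systemd itself is unreachable
      fail:
        msg: >-
          systemctl could not reach systemd on {{ inventory_hostname }}:
          {{ unit_show.stderr | default('no stderr captured') }}.
          This is an environment problem, not a missing unit file.
      when: unit_show.rc != 0

    - name: stop if the unit file really is missing
      fail:
        msg: "{{ kdc_unit }} has LoadState=not-found; check that krb5-server is installed."
      when: "'LoadState=not-found' in unit_show.stdout"

    - name: start and enable the KDC
      systemd:
        name: "{{ kdc_unit }}"
        state: started
        enabled: yes
        daemon_reload: yes
```

Run against the container from the question, the third task would fail with the captured "Failed to get D-Bus connection" text instead of the misleading "Could not find the requested service" message.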