How to configure the firewall of an LXC via Ansible module proxmox?

J

jsabater

Member
Oct 25, 2021
130
14
23
49
Palma, Mallorca, Spain
Good day everyone!

I am trying to provision some LXC in my 4-node Proxmox 7.2 cluster via Ansible using the proxmox module. After much struggle I've been able to provision the container but I am stuck at the firewall configuration. Currently I am trying to template a firewall.j2 file into a /etc/pve/firewall/<ctid>.fw file on the host where the LXC resides, but it's giving me this error:

Code: 
The error was: PermissionError: [Errno 1] Operation not permitted: b'/etc/pve/firewall/.ansible_tmprq3twd6j110.fw'
fatal: [nginx2.domain.com -> proxmox2.domain.com(46.4.119.240)]: FAILED! => {"changed": false, "checksum": "0b9846acfc8e004b03866f37d47021c351916bd8", "msg": "Failed to replace file: b'/root/.ansible/t
mp/ansible-tmp-1668374971.1686177-877382-46644331251500/source' to /etc/pve/firewall/110.fw: [Errno 1] Operation not permitted: b'/etc/pve/firewall/.ansible_tmprq3twd6j110.fw'"}

If I go to the WebGUI and enable the firewall through the Firewall: Options: Firewall: Yes menu option, then it allows me to overwrite the file with the desired template:

Code: 
[OPTIONS]

enable: 1

[RULES]

GROUP ansible -i net0 # Allow access from Ansible controller
GROUP ping_public_ip -i net1 # Allow ping from management IP addresses
GROUP webserver -i net1 # Allow HTTP/HTTPS traffic to Nginx

How am I supposed to overcome this situation? I was thinking of maybe calling the API directly via HTTP, or using an ansible.builtin.shell task to run pvesh, just to enable the option, then continue the playbook. For reference, the task doing the job is this one:

YAML: 
- name: builtin | template | deploy firewall configuration
  ansible.builtin.template:
    src: "templates/provision/firewall.j2"
    dest: "/etc/pve/firewall/{{ proxmox_ctid }}.fw"
    owner: root
    group: www-data
    mode: "0640"
  delegate_to: proxmox2.domain.com
 
Last edited:
I am trying to enable de firewall of the container via pvesh and this is the command I am using:

Bash: 
pvesh set /nodes/{node}/lxc/{ctid}/firewall/options --enable '1'

So far it seems to be working fine, although I've realised that it does not check whether it needs to actually enable it or not. Same when adding a secondary network interface which is already there.
 
No, not really. Only thing I could do to improve it was check for the value of the enable property beforehand:

Code: 
# Enable and configure the firewall of a LXC

- name: Check the status of the container firewall
  ansible.builtin.command:
    cmd: "pvesh get /nodes/{{ proxmox_node }}/lxc/{{ proxmox_ctid }}/firewall/options --output-format json"
  register: fw
  delegate_to: "{{ proxmox_node }}.{{ proxmox_dnszone }}"
  tags:
    - firewall

- name: Enable the container firewall
  ansible.builtin.command:
    cmd: "pvesh set /nodes/{{ proxmox_node }}/lxc/{{ proxmox_ctid }}/firewall/options --enable '1'"
  when: (fw.stdout | from_json).enable is not defined
  delegate_to: "{{ proxmox_node }}.{{ proxmox_dnszone }}"
  tags:
    - firewall

- name: Deploy container firewall configuration
  ansible.builtin.template:
    src: "templates/provision/{{ proxmox_fw_tmpl }}.j2"
    dest: "/etc/pve/firewall/{{ proxmox_ctid }}.fw"
    owner: root
    group: www-data
    mode: "0640"
  delegate_to: "{{ proxmox_node }}.{{ proxmox_dnszone }}"
  tags:
    - firewall

I hope it helps. Please let me know if I can be of further assistance.
 
  • Like
Reactions: fitbrian
Hey,

I faced the same issue; Just touching the file prior to making it seems to work.

Code: 
- name: ensure firewall dir exists
  file:
    path: "/etc/pve/firewall"
    owner: root
    group: www-data
    mode: "0640"
    state: directory

- name: Ensure the existence of the firewall configuration file for the CLUSTER
  file:
    path: "/etc/pve/firewall/cluster.fw"
    state: touch
    owner: root
    group: www-data
    mode: '0640'
    modification_time: preserve
    access_time: preserve
    
- name: render and copy firewall cluster
  template:
    src: "files/proxmox/cluster.j2"
    dest: /etc/pve/firewall/cluster.fw
    owner: root
    group: www-data
    mode: '0640'
    force: true
 
svennd said:
Hey,

I faced the same issue; Just touching the file prior to making it seems to work.
Click to expand...

I like this idea as it is quicker (no need to do a remote call to the API). On the other hand, calling the API ensures that, were the guys behind Proxmox change the behaviour in the future (e.g. the method were to perform some other tasks), it would still be valid.

Thanks for the heads-up!
 
You must log in or register to reply here.
Top Bottom