How to configure the firewall of an LXC via Ansible module proxmox?

jsabater

Oct 25, 2021
Good day everyone!

I am trying to provision some LXC in my 4-node Proxmox 7.2 cluster via Ansible using the proxmox module. After much struggle I've been able to provision the container but I am stuck at the firewall configuration. Currently I am trying to template a firewall.j2 file into a /etc/pve/firewall/<ctid>.fw file on the host where the LXC resides, but it's giving me this error:

Code:
The error was: PermissionError: [Errno 1] Operation not permitted: b'/etc/pve/firewall/.ansible_tmprq3twd6j110.fw'
fatal: [nginx2.domain.com -> proxmox2.domain.com(46.4.119.240)]: FAILED! => {"changed": false, "checksum": "0b9846acfc8e004b03866f37d47021c351916bd8", "msg": "Failed to replace file: b'/root/.ansible/tmp/ansible-tmp-1668374971.1686177-877382-46644331251500/source' to /etc/pve/firewall/110.fw: [Errno 1] Operation not permitted: b'/etc/pve/firewall/.ansible_tmprq3twd6j110.fw'"}

If I go to the WebGUI and enable the firewall through the Firewall: Options: Firewall: Yes menu option, then it allows me to overwrite the file with the desired template:

Code:
[OPTIONS]

enable: 1

[RULES]

GROUP ansible -i net0 # Allow access from Ansible controller
GROUP ping_public_ip -i net1 # Allow ping from management IP addresses
GROUP webserver -i net1 # Allow HTTP/HTTPS traffic to Nginx

How am I supposed to overcome this situation? I was thinking of maybe calling the API directly via HTTP, or using an ansible.builtin.shell task to run pvesh, just to enable the option, then continue the playbook. For reference, the task doing the job is this one:

YAML:
- name: builtin | template | deploy firewall configuration
  ansible.builtin.template:
    src: "templates/provision/firewall.j2"
    dest: "/etc/pve/firewall/{{ proxmox_ctid }}.fw"
    owner: root
    group: www-data
    mode: "0640"
  delegate_to: proxmox2.domain.com
 
I am trying to enable the firewall of the container via pvesh, and this is the command I am using:

Bash:
pvesh set /nodes/{node}/lxc/{ctid}/firewall/options --enable '1'

So far it seems to be working fine, although I've realised that it does not check whether it needs to actually enable it or not. Same when adding a secondary network interface which is already there.
 
No, not really. Only thing I could do to improve it was check for the value of the enable property beforehand:

Code:
# Enable and configure the firewall of a LXC

- name: Check the status of the container firewall
  ansible.builtin.command:
    cmd: "pvesh get /nodes/{{ proxmox_node }}/lxc/{{ proxmox_ctid }}/firewall/options --output-format json"
  register: fw
  changed_when: false  # read-only query, never report it as a change
  delegate_to: "{{ proxmox_node }}.{{ proxmox_dnszone }}"
  tags:
    - firewall

- name: Enable the container firewall
  ansible.builtin.command:
    cmd: "pvesh set /nodes/{{ proxmox_node }}/lxc/{{ proxmox_ctid }}/firewall/options --enable '1'"
  # "enable" is absent when it was never set, but it can also be present as 0
  when: ((fw.stdout | from_json).enable | default(0) | int) != 1
  delegate_to: "{{ proxmox_node }}.{{ proxmox_dnszone }}"
  tags:
    - firewall

- name: Deploy container firewall configuration
  ansible.builtin.template:
    src: "templates/provision/{{ proxmox_fw_tmpl }}.j2"
    dest: "/etc/pve/firewall/{{ proxmox_ctid }}.fw"
    owner: root
    group: www-data
    mode: "0640"
  delegate_to: "{{ proxmox_node }}.{{ proxmox_dnszone }}"
  tags:
    - firewall

I hope it helps. Please let me know if I can be of further assistance.
 
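As an added example (not code from the thread), a small Python check for the two pieces discussed above: it parses the .fw format from the first post and applies the `enable` test to the JSON that `pvesh get .../firewall/options --output-format json` returns, treating an explicit `enable: 0` as still needing `--enable 1`. The sample config and JSON strings are constructed, and `container_ifaces` is an assumed parameter naming the net devices attached to the container.

```python
import json
# Constructed sample: the rendered firewall.j2 from the first post.
SAMPLE_FW = """[OPTIONS]
enable: 1

[RULES]
GROUP ansible -i net0 # Allow access from Ansible controller
GROUP ping_public_ip -i net1 # Allow ping from management IP addresses
GROUP webserver -i net1 # Allow HTTP/HTTPS traffic to Nginx
"""


def parse_fw(text):
    """Parse a <ctid>.fw file into its [OPTIONS] map and [RULES] list."""
    options, rules, section = {}, [], None
    for raw in text.splitlines():
        line, _, comment = raw.partition("#")  # keep the trailing comment
        line, comment = line.strip(), comment.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].upper()
        elif section == "OPTIONS":
            key, _, value = line.partition(":")
            options[key.strip()] = value.strip()
        elif section == "RULES":
            parts = line.split()
            rule = {"kind": parts[0], "args": parts[1:], "comment": comment}
            if "-i" in parts[:-1]:  # '-i <iface>' binds the rule to one net device
                rule["iface"] = parts[parts.index("-i") + 1]
            rules.append(rule)
    return {"OPTIONS": options, "RULES": rules}


def needs_enable(options_json):
    """From the pvesh options JSON, say whether `--enable 1` is still needed;
    an explicit 0 counts, unlike an `enable is not defined` test."""
    return int(json.loads(options_json).get("enable", 0)) != 1


def check_config(text, container_ifaces):
    """List problems: firewall not enabled, or a rule bound to an unknown netN."""
    cfg = parse_fw(text)
    problems = []
    if cfg["OPTIONS"].get("enable") != "1":
        problems.append("enable is not 1 in [OPTIONS]")
    for rule in cfg["RULES"]:
        iface = rule.get("iface")
        if iface and iface not in container_ifaces:
            problems.append(f"{rule['kind']} {rule['args'][0]} bound to unknown interface {iface}")
    return problems
```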
Hey,

I faced the same issue; Just touching the file prior to making it seems to work.

Code:
- name: ensure firewall dir exists
  file:
    path: "/etc/pve/firewall"
    owner: root
    group: www-data
    mode: "0750"  # a directory needs the execute bit to be traversable
    state: directory

- name: Ensure the existence of the firewall configuration file for the CLUSTER
  file:
    path: "/etc/pve/firewall/cluster.fw"
    state: touch
    owner: root
    group: www-data
    mode: '0640'
    modification_time: preserve
    access_time: preserve
    
- name: render and copy firewall cluster
  template:
    src: "files/proxmox/cluster.j2"
    dest: /etc/pve/firewall/cluster.fw
    owner: root
    group: www-data
    mode: '0640'
    force: true
 
Hey,

I faced the same issue; Just touching the file prior to making it seems to work.

I like this idea as it is quicker (no need to do a remote call to the API). On the other hand, calling the API ensures that, were the guys behind Proxmox to change the behaviour in the future (e.g. if the method were to perform some other tasks), it would still be valid.

Thanks for the heads-up!
 