Ansible - Debian Based Gotchas - Part-1

4 minute read

As I am currently running through some Docker setups between Debian Jessie and Ubuntu Trusty using Ansible I ran into a few gotchas. Now I would have assumed that everything SHOULD be identical but not so much. With this being said, I figured I would begin to start putting some context around some gotchas that I run into from time to time. And hopefully this will help out others as well.

Docker

When using the following task which is part of this Ansible role for Docker. ansible-docker

---
- name: debian | updating apt-cache
  apt:
    update_cache: yes
    cache_valid_time: 86400
  become: true

- name: debian | installing pre-reqs
  apt:
    name: "{{ item }}"
    state: present
  become: true
  with_items:
    - 'apt-transport-https'
    - 'ca-certificates'
    - 'software-properties-common'

# We are removing the old Docker info
- name: debian | Removing Legacy Docker apt-key
  apt_key:
    keyserver: "hkp://p80.pool.sks-keyservers.net:80"
    id: "58118E89F3A912897C070ADBF76221572C52609D"
    state: "absent"
  become: true

# We are removing the old Docker info
- name: debian | Removing Legacy Docker Repo
  apt_repository:
    repo: "deb https://apt.dockerproject.org/repo {{ ansible_distribution | lower }}-{{ ansible_distribution_release }} main"
    state: "absent"
  become: true

- name: debian | adding docker apt-key
  apt_key:
    url: "{{ docker_ubuntu_repo_info['url'] }}"
    id: "{{ docker_ubuntu_repo_info['id'] }}"
    state: "present"
  become: true

- name: debian | adding docker repo
  apt_repository:
    repo: "{{ docker_ubuntu_repo_info['repo'] }}"
    state: present
  become: true

# We remove docker-engine as this is old package to install. The new package is
# docker-ce
- name: debian | uninstalling old docker package (if exists)
  apt:
    name: "{{ item }}"
    state: "absent"
    purge: yes
  become: true
  with_items:
    - 'docker-engine'
    - 'lxc-docker'

- name: debian | installing docker pre-reqs
  apt:
    name: "linux-image-extra-{{ ansible_kernel }}"
    state: present
  become: true
  when: >
        ansible_distribution == "Ubuntu" and
        (ansible_distribution_version >= '14.04')

- name: debian | installing docker
  apt:
    name: "docker-ce={{ docker_version_debian }}"
    state: "present"
  become: true

- name: debian | setting grub memory limit (if set)
  lineinfile:
    dest: /etc/default/grub
    regexp: "^GRUB_CMDLINE_LINUX_DEFAULT"
    line: 'GRUB_CMDLINE_LINUX_DEFAULT="cgroup_enable=memory swapaccount=1"'
  register: grub_updated
  become: true
  when: >
        docker_set_grub_memory_limit is defined and
        docker_set_grub_memory_limit

- name: debian | updating grub (if updated)
  command: update-grub
  become: true
  when: grub_updated['changed']

- name: debian | installing additonal packages
  apt:
    name: "{{ item }}"
    state: "present"
  become: true
  with_items:
    - bridge-utils

First thing I found was that for some reason when installing python-pip using APT it caused issues with Debian Jessie. It would throw and error when executing PIP commands. This does not happen on Ubuntu Trusty. So to get around this I had to add the following bit of logic to the Ansible task(s). Notice the when: ansible_distribution == "". We use this Ansible fact that is gathered to determine if we are running Debian or Ubuntu, do not confuse this with ansible_os_family == "Debian" as both Debian and Ubuntu will report this.

Ubuntu:

when: ansible_distribution == "Ubuntu"

Debian:

when: ansible_distribution == "Debian"

Below is the code that is part of the task mentioned above.

- name: uninstall python-pip (If installed) - Debian
  apt:
    name: python-pip
    state: absent
  when: ansible_distribution == "Debian"

- name: debian | installing python packages
  apt:
    name: "{{ item }}"
    state: present
  with_items:
    - python-pip
  when: ansible_distribution == "Ubuntu"

- name: debian | installing python packages
  easy_install:
    name: "{{ item }}"
#    state: present
  with_items:
    - pip
  when: ansible_distribution == "Debian"

Now we could change both to use easy_install: as our module to use from an Ansible perspective but…

Another little cool fact that can be used when adding the Docker APT repositories for Debian and Ubuntu is to use the following Ansible facts gathered:

ansible_distribution
ansible_distribution_release

And we can use these as the following defined var in: (adding | lower will ensure that the ansible_distribution will be ubuntu/debian instead of Ubuntu/Debian so that it does not cause issues with adding the APT repositories)

defaults/main.yml

docker_ubuntu_repo_info:  #defines docker ubuntu repo info for installing from
  - id: 58118E89F3A912897C070ADBF76221572C52609D
    keyserver: hkp://p80.pool.sks-keyservers.net:80
    repo: "deb https://apt.dockerproject.org/repo {{ ansible_distribution | lower }}-{{ ansible_distribution_release }} main"

tasks/debian.yml

- name: debian | adding docker repo
  apt_repository:
    repo: "{{ item.repo }}"
    state: present
  with_items: docker_ubuntu_repo_info

Using these variables will yield the following based on OS.

Ubuntu:

{{ ansible_distribution }} will be Ubuntu
{{ ansible_distribution_release }} will be trusty

Debian:

{{ ansible_distribution }} will be Debian
{{ ansible_distribution_release }} will be jessie

UFW

When I began to configure the UFW (Uncomplicated Firewall) for some firewall rules to be used with Docker I ran into an issue on Debian Jessie stating that an invalid syntax error occurred when defining the routed default policy. Again, this works just fine on Ubuntu but not so much on Debian Jessie. After attempting a few different approaches to using the ufw Ansible module I finally pulled up the man page on UFW for Debian Jessie and Ubuntu. Well there is the issue right there. For some reason on Debian Jessie the UFW settings do not allow defining the default routed policy whereas on Ubuntu it does. Go figure. ansible-ufw

So how do we get around this one? It ended up being fairly simple but then again…Why do I need to do this?

Below is the bit of code that allows us to get around this (for now). Again we will use the ansible_distribution fact to determine if we are running Ubuntu or Debian when our policy direction is set to routed.\ defaults/main.yml

ufw_policies:  #defines default policy for incoming, outgoing and routed (forwarded) traffic...allow, deny or reject
  - direction: incoming
    policy: deny
  - direction: outgoing
    policy: allow
  - direction: routed
    policy: deny

tasks/configure_firewall.yml

- name: configure_firewall | setting default UFW policies (incoming, outgoing)
  ufw:
    direction: "{{ item.direction }}"
    policy: "{{ item.policy }}"
  with_items: ufw_policies
  when: item.direction != "routed"

- name: configure_firewall | setting default UFW policies (routed)
  ufw:
    direction: "{{ item.direction }}"
    policy: "{{ item.policy }}"
  with_items: ufw_policies
  when: item.direction == "routed" and ansible_distribution != "Debian"

And that is all for now. I will be returning to this post and updating from time to time as I find additional gotchas.

Enjoy!

Leave a Comment