devsec.hardening.mysql_hardening - Operation not supported on ubuntu 22.04 #633

Open
markuman opened this issue Feb 6, 2023 · 5 comments
markuman commented Feb 6, 2023

Description

When applying the mysql_hardening role on an Ubuntu 22.04 host with MariaDB 10.6.11, I got:

TASK [devsec.hardening.mysql_hardening : Check include-dir directive is present in my.cnf] **********************************************************************************************************************
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: Exception: Error while setting attributes: /etc/mysql/my.cnf.48637.2023-02-06@20:21:25~: Operation not supported
fatal: [ansible2.osuv.de]: FAILED! => {"changed": false, "details": "Error while setting attributes: /etc/mysql/my.cnf.48637.2023-02-06@20:21:25~: Operation not supported\n", "gid": 119, "group": "mysql", "mode": "0640", "msg": "chattr failed", "owner": "root", "path": "/etc/mysql/my.cnf.48637.2023-02-06@20:21:25~", "size": 1126, "state": "file", "uid": 0}

Reproduction steps

- name: apply devsec.hardening.mysql_hardening role
  ansible.builtin.include_role:
    name: devsec.hardening.mysql_hardening
  vars:
    mysql_root_password: "{{ mariadb_root_password }}"

Current Behavior

TASK [devsec.hardening.mysql_hardening : Check include-dir directive is present in my.cnf] **********************************************************************************************************************
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: Exception: Error while setting attributes: /etc/mysql/my.cnf.48637.2023-02-06@20:21:25~: Operation not supported
fatal: [ansible2.osuv.de]: FAILED! => {"changed": false, "details": "Error while setting attributes: /etc/mysql/my.cnf.48637.2023-02-06@20:21:25~: Operation not supported\n", "gid": 119, "group": "mysql", "mode": "0640", "msg": "chattr failed", "owner": "root", "path": "/etc/mysql/my.cnf.48637.2023-02-06@20:21:25~", "size": 1126, "state": "file", "uid": 0}

Expected Behavior

no error

OS / Environment

Ubuntu 22.04

Ansible Version

ansible [core 2.13.5]
  config file = None
  configured module search path = ['/home/m/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/m/.local/lib/python3.10/site-packages/ansible
  ansible collection location = /home/m/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/m/.local/bin/ansible
  python version = 3.10.6 (main, Nov 14 2022, 16:10:14) [GCC 11.3.0]
  jinja version = 3.1.2
  libyaml = False

Collection Version

devsec.hardening               8.6.0

Additional information

@markuman markuman added the bug label Feb 6, 2023
@rndmh3ro
Member

Hi @markuman,

can you please do the following?

ls -lsah /etc/mysql/*
lsattr -R /etc/mysql/*

and put the output here?

I guess it's got something to do with symlinks..

Also do you run the playbook as root?

@markuman
Author

Test playbook on a Hetzner VM (Ubuntu 22.04) as user root:

---
- hosts: all
  vars:
    mariadb_root_password: hdawuefshhfhv34
  
  tasks:
    - name: install mariadb
      ansible.builtin.apt:
        update_cache: true
        state: latest
        name:
          - mariadb-server
          - mariadb-client
          - python3-pymysql

    - name: init root user
      ansible.builtin.command: >
        sudo mysql -uroot -e "
        SET old_passwords=0;
        SET PASSWORD FOR root@localhost = PASSWORD('{{ mariadb_root_password }}');
        FLUSH PRIVILEGES;"

    - name: apply devsec.hardening.mysql_hardening role
      block:
        - name: apply devsec.hardening.mysql_hardening role
          ansible.builtin.include_role:
            name: devsec.hardening.mysql_hardening
          vars:
            mysql_root_password: "{{ mariadb_root_password }}"

After the error

root@ubuntu-2gb-hel1-1:~# ls -lsah /etc/mysql/*
4.0K -rw------- 1 root  root   544 Feb 10 13:05 /etc/mysql/debian.cnf
4.0K -rwxr-xr-x 1 root  root  1.7K Nov 13 07:48 /etc/mysql/debian-start
4.0K -rw-r----- 1 root  mysql 1.1K Nov 13 07:48 /etc/mysql/mariadb.cnf
   0 lrwxrwxrwx 1 root  root    24 Feb 10 13:05 /etc/mysql/my.cnf -> /etc/alternatives/my.cnf
4.0K -rw-r----- 1 root  mysql 1.1K Nov 13 07:48 /etc/mysql/my.cnf.2964.2023-02-10@13:06:51~
4.0K -rw-r--r-- 1 root  root   839 Oct 20  2020 /etc/mysql/my.cnf.fallback

/etc/mysql/conf.d:
total 16K
4.0K drwxr-x--- 2 mysql adm  4.0K Feb 10 13:05 .
4.0K drwxr-xr-x 4 root  root 4.0K Feb 10 13:06 ..
4.0K -rw-r--r-- 1 root  root    8 Oct 20  2020 mysql.cnf
4.0K -rw-r--r-- 1 root  root   55 Oct 20  2020 mysqldump.cnf

/etc/mysql/mariadb.conf.d:
total 28K
4.0K drwxr-xr-x 2 root root 4.0K Feb 10 13:05 .
4.0K drwxr-xr-x 4 root root 4.0K Feb 10 13:06 ..
4.0K -rw-r--r-- 1 root root  575 Nov 13 07:48 50-client.cnf
4.0K -rw-r--r-- 1 root root  231 Nov 13 07:48 50-mysql-clients.cnf
4.0K -rw-r--r-- 1 root root  927 Nov 13 07:48 50-mysqld_safe.cnf
4.0K -rw-r--r-- 1 root root 3.5K Nov 13 07:48 50-server.cnf
4.0K -rw-r--r-- 1 root root  570 Nov 13 07:48 60-galera.cnf
root@ubuntu-2gb-hel1-1:~# 
root@ubuntu-2gb-hel1-1:~# lsattr -R /etc/mysql/*
--------------e------- /etc/mysql/conf.d/mysql.cnf
--------------e------- /etc/mysql/conf.d/mysqldump.cnf
--------------e------- /etc/mysql/debian.cnf
--------------e------- /etc/mysql/debian-start
--------------e------- /etc/mysql/mariadb.cnf
--------------e------- /etc/mysql/mariadb.conf.d/50-mysqld_safe.cnf
--------------e------- /etc/mysql/mariadb.conf.d/50-server.cnf
--------------e------- /etc/mysql/mariadb.conf.d/50-client.cnf
--------------e------- /etc/mysql/mariadb.conf.d/60-galera.cnf
--------------e------- /etc/mysql/mariadb.conf.d/50-mysql-clients.cnf
lsattr: Operation not supported While reading flags on /etc/mysql/my.cnf
--------------e------- /etc/mysql/my.cnf.2964.2023-02-10@13:06:51~
--------------e------- /etc/mysql/my.cnf.fallback
root@ubuntu-2gb-hel1-1:~# 

@rndmh3ro
Member

Thanks, can you do the same on /etc/alternatives/my.cnf, please? Meanwhile I'll get myself a VM to test.

@jerryorr

@rndmh3ro I'm getting a similar error on Ubuntu 22.04 with MySQL 8.0.34:

Exception: Error while setting attributes: /etc/mysql/my.cnf.68739.2023-08-22@15:36:39~: Operation not supported

Here's my output from what you requested from the original issue creator:

me@myhost:~$ ls -lsah /etc/mysql/*
4.0K -rw------- 1 root root  317 Aug 22 10:07 /etc/mysql/debian.cnf
4.0K -rwxr-xr-x 1 root root  120 Jul 21 09:03 /etc/mysql/debian-start
   0 lrwxrwxrwx 1 root root   24 Aug 22 10:07 /etc/mysql/my.cnf -> /etc/alternatives/my.cnf
4.0K -rw-r--r-- 1 root root  839 Jul 14  2016 /etc/mysql/my.cnf.fallback
4.0K -rw-r--r-- 1 root root  682 Jun 14 15:23 /etc/mysql/mysql.cnf

/etc/mysql/conf.d:
total 16K
4.0K drwxr-xr-x 2 root root 4.0K Aug 22 10:07 .
4.0K drwxr-xr-x 4 root root 4.0K Aug 22 10:07 ..
4.0K -rw-r--r-- 1 root root    8 Jul 14  2016 mysql.cnf
4.0K -rw-r--r-- 1 root root   55 Jul 14  2016 mysqldump.cnf

/etc/mysql/mysql.conf.d:
total 16K
4.0K drwxr-xr-x 2 root root 4.0K Aug 22 10:07 .
4.0K drwxr-xr-x 4 root root 4.0K Aug 22 10:07 ..
4.0K -rw-r--r-- 1 root root  132 Jun 14 15:23 mysql.cnf
4.0K -rw-r--r-- 1 root root 2.2K Jun 14 15:23 mysqld.cnf
me@myhost:~$ lsattr -R /etc/mysql/*
--------------e------- /etc/mysql/conf.d/mysqldump.cnf
--------------e------- /etc/mysql/conf.d/mysql.cnf
lsattr: Permission denied While reading flags on /etc/mysql/debian.cnf
--------------e------- /etc/mysql/debian-start
lsattr: Operation not supported While reading flags on /etc/mysql/my.cnf
--------------e------- /etc/mysql/my.cnf.fallback
--------------e------- /etc/mysql/mysql.cnf
--------------e------- /etc/mysql/mysql.conf.d/mysqld.cnf
--------------e------- /etc/mysql/mysql.conf.d/mysql.cnf
me@myhost:~$ ls -lsah /etc/alternatives/my.cnf
0 lrwxrwxrwx 1 root root 20 Aug 22 10:07 /etc/alternatives/my.cnf -> /etc/mysql/mysql.cnf
me@myhost:~$ lsattr -R /etc/alternatives/my.cnf
lsattr: Operation not supported While reading flags on /etc/alternatives/my.cnf
me@myhost:~$ 

I'd guess it has something to do with a command trying to use the output of the lsattr command, not expecting the output to be lsattr: Operation not supported. But I'm not at all familiar with what's going on in this role.

@rndmh3ro
Member

rndmh3ro commented Aug 24, 2023

The role at this task changes the my.cnf and creates a backup file, in your case /etc/mysql/my.cnf.68739.2023-08-22@15:36:39~.

This seems to be a known bug in Ansible: ansible/ansible#76727

And a PR: ansible/ansible#78707

If anyone wants to try the PR out and comment on it, maybe it would help in getting it merged.
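
Added example, not part of the thread and not code from the devsec.hardening collection or Ansible: a shell helper that automates the diagnostic requested above by following a symlink chain such as /etc/mysql/my.cnf -> /etc/alternatives/my.cnf -> /etc/mysql/mysql.cnf hop by hop and running lsattr only on the final regular file. The function names follow_chain and report are hypothetical.

```shell
#!/bin/sh
# Added example: walk a symlink chain and show where attribute flags can be read.
# In the thread, lsattr answers "Operation not supported" for every symlink hop.

# follow_chain PATH: print one line per hop as "<kind> <path>",
# where kind is symlink, file, missing or loop.
follow_chain() {
    path=$1
    hops=0
    while [ -L "$path" ]; do
        echo "symlink $path"
        target=$(readlink "$path")
        case $target in
            /*) path=$target ;;                     # absolute link target
            *)  path=$(dirname "$path")/$target ;;  # relative to the link's directory
        esac
        hops=$((hops + 1))
        if [ "$hops" -gt 40 ]; then                 # guard against symlink loops
            echo "loop $path"
            return 1
        fi
    done
    if [ -e "$path" ]; then
        echo "file $path"
    else
        echo "missing $path"
        return 1
    fi
}

# report PATH: list the hops, then run lsattr on the resolved file only.
report() {
    follow_chain "$1" | while read -r kind hop; do
        case $kind in
            file) lsattr -d "$hop" 2>&1 || true ;;
            *)    echo "$kind: $hop" ;;
        esac
    done
}

# Run against a path given on the command line, e.g. /etc/mysql/my.cnf.
if [ "$#" -gt 0 ]; then
    report "$1"
fi
```

Run it as root so that files such as /etc/mysql/debian.cnf do not produce "Permission denied" instead of flags.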
