ansible-role-zerotier's People

Contributors

andyshinn, barryflanagan, clashthebunny, dsteinkopf, etcet, flantel, g10h4ck, gbraad, m4rcu5nl, papanito, percyjax, quivalen, zhaofengli

ansible-role-zerotier's Issues

Typo in role of example playbook

The role in the playbook is listed as:
role: m4rcu5nl.zerotier
On ansible galaxy the role name is zerotier-one so it worked better with:
role: m4rcu5nl.zerotier-one

How do I use this?

Hi, I'm trying to use this, but I don't know how. Where do I put "m4rcu5nl.zerotier"? I don't see a role named zerotier or a file named zerotier.yml.

Ignoring ZeroTier variables.

This ansible module is ignoring my variables 'zerotier_member_ip_assignments' and 'zerotier_member_description'. They aren't being set in the zerotier web ui. The IP is auto and there is no description.

Am I doing something wrong here? I'm new to ansible, so I probably am :-)

Playbook:

- hosts: pis
  remote_user: pi
  vars:
      zerotier_network_id: ...
  roles:
      - { role: m4rcu5nl.zerotier-one, become: true }

Inventory:

[pis]
raspberry-1 zerotier_member_ip_assignments='["10.144.100.1"]'

[pis:vars]
zerotier_member_description='Rasberry Pi'
user_basedir=/home/pi

Installation fails on an Ubuntu Cosmic system

On a Cosmic Cuttlefish system, the role will fail when trying to install the deb package from ZerotierOne.

The core problem is the "Add ZeroTier APT repository" task which generates the repository string based on the ansible_distribution_release variable. Zerotier does not provide a repository for cosmic. (I'm guessing Zerotier will only provide repos for LTS releases.)

I worked around the issue by adding a new variable - zerotier_apt_repo - which then permits one to override the generated value.

I'd be happy to submit my changes - including doc updates - as a patch or pull request if this solution is acceptable.

Does not seem to allow setting ip - API changed ?!

Hi,

I tried to set up my network with a custom IP and it failed.

I set this var to a host and it did not work.
Commenting that line fixed it, but no IP assignment.

zerotier_member_ip_assignments: '["172.23.0.1"]'

Playbook output

TASK [m4rcu5nl.zerotier-one : Configure members in network] **************************************************************************************************************************************
task path: ansible/roles/m4rcu5nl.zerotier-one/tasks/authorize_node.yml:20
fatal: [daos-v]: FAILED! => {"accept_ranges": "bytes", "access_control_allow_origin": "*", "changed": false, "connection": "close", "content": "{\"type\":\"internal\",\"message\":\"Error updating member: ERROR: invalid input syntax for type inet: \\\"2\\\" (SQLSTATE 22P02)\"}", "content_length": "120", "content_type": "application/json", "date": "Fri, 09 Apr 2021 13:13:18 GMT", "elapsed": 0, "json": {"message": "Error updating member: ERROR: invalid input syntax for type inet: \"2\" (SQLSTATE 22P02)", "type": "internal"}, "msg": "Status code was 500 and not [200]: HTTP Error 500: Internal Server Error", "redirected": false, "status": 500, "strict_transport_security": "max-age=300", "url": "https://my.zerotier.com/api/network/REDACTED/member/REDACTED", "via": "1.1 google, 1.1 varnish", "x_cache": "MISS", "x_cache_hits": "0", "x_frame_options": "SAMEORIGIN", "x_served_by": "cache-hhn4078-HHN", "x_timer": "S1617973998.358212,VS0,VE194"}

Module is not idempotent

Heya!

Not sure this is a bug or a misunderstanding on my part.

The role is not idempotent - the Update ansible_local facts block always reports changed.

Also, if the purpose here is to reload inventory, I think there may be another option using the meta module with the refresh_inventory setting.

Package not installed on Debian Squeeze

Hi,

We're seeing issues where the package doesn't get installed:

       TASK [ansible-role-zerotier : Check if zerotier is already installed] **********
       task path: /tmp/kitchen/roles/ansible-role-zerotier/tasks/install.yml:25
       fatal: [localhost]: FAILED! => {"changed": false, "msg": "No package matching 'zerotier-one' is available"}

It looks as though the when conditional isn't set correctly - the code attempts to install the package before the repo is configured.

Add and authorized doesn't pass in name, and resulting entry results in ACCESS DENIED

This is using Ubuntu 16.04, the role modified to suit. The ansible machine has v2.3.2.0.

Looks like it's not creating a proper record in my.zerotier. The record looks OK, but the name field is blank. And regardless, the client machine is unable to join.

ubuntu@dove1:~$ sudo zerotier-cli info
200 info 8576d20e72 1.2.4 ONLINE
ubuntu@dove1:~$ sudo zerotier-cli listnetworks
200 listnetworks <nwid> <name> <mac> <status> <type> <dev> <ZT assigned ips>
200 listnetworks xxxxxxxxxxxxxxxx  6a:0b:45:ce:90:08 ACCESS_DENIED PRIVATE zt0 -

Running the role with -vvv shows this as the call to Add and Authorize. Note that the name field in the json block is empty, so that looks like a problem with ansible?

ok: [dove1.local] => {
    "access_control_allow_methods": "GET,PUT,POST,DELETE",
    "access_control_allow_origin": "*",
    "cache_control": "no-cache, no-store, must-revalidate, private, no-transform, proxy-revalidate, max-age=0",
    "changed": false,
    "connection": "close",
    "content_length": "836",
    "content_security_policy": "default-src 'self' blob:;style-src 'self' 'unsafe-inline' https://support.zerotier.com ;object-src 'self' blob:;connect-src 'self' https://community.zerotier.com/ https://support.zerotier.com https://api.stripe.com https://checkout.stripe.com https://piwik.zerotier.com;frame-src 'self' https://community.zerotier.com/ https://support.zerotier.com https://js.stripe.com https://api.stripe.com https://checkout.stripe.com;script-src 'self' 'unsafe-inline' 'unsafe-eval' https://support.zerotier.com https://piwik.zerotier.com https://js.stripe.com https://api.stripe.com https://checkout.stripe.com;img-src 'self' https://support.zerotier.com https://piwik.zerotier.com https://api.stripe.com https://js.stripe.com https://q.stripe.com https://checkout.stripe.com https://stripe.com https://www.stripe.com data: blob:;font-src 'self' data:",
    "content_type": "application/json; charset=utf-8",
    "date": "Tue, 29 Aug 2017 17:42:31 GMT",
    "etag": "0509e94589bc62",
    "invocation": {
        "module_args": {
            "attributes": null,
            "backup": null,
            "body": {
                "config": {
                    "authorized": true
                },
                "hidden": false,
                "name": "dove1.local"
            },
            "body_format": "json",
            "content": null,
            "creates": null,
            "delimiter": null,
            "dest": null,
            "directory_mode": null,
            "follow": false,
            "follow_redirects": "safe",
            "force": false,
            "force_basic_auth": false,
            "group": null,
            "headers": {
                "Authorization": "bearer xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
                "Content-Type": "application/json"
            },
            "http_agent": "ansible-httpget",
            "method": "POST",
            "mode": null,
            "owner": null,
            "regexp": null,
            "remote_src": null,
            "removes": null,
            "return_content": false,
            "selevel": null,
            "serole": null,
            "setype": null,
            "seuser": null,
            "src": null,
            "status_code": [
                200
            ],
            "timeout": 30,
            "unsafe_writes": null,
            "url": "https://my.zerotier.com/api/network/xxxxxxxxxxxxxxxx/member/8576d20e72",
            "url_password": null,
            "url_username": null,
            "use_proxy": true,
            "validate_certs": true
        }
    },
    "json": {
        "clientVersion": null,
        "clock": 1504028551677,
        "config": {
            "activeBridge": false,
            "address": "0000000000",
            "authorized": true,
            "capabilities": [],
            "creationTime": 0,
            "id": "0000000000",
            "identity": null,
            "ipAssignments": [],
            "lastAuthorizedCredential": null,
            "lastAuthorizedCredentialType": null,
            "lastAuthorizedTime": 0,
            "lastDeauthorizedTime": 0,
            "noAutoAssignIps": false,
            "nwid": "0000000000000000",
            "objtype": "member",
            "physicalAddr": "",
            "remoteTraceTarget": null,
            "revision": 0,
            "tags": [],
            "vMajor": 0,
            "vMinor": 0,
            "vProto": 0,
            "vRev": 0
        },
        "controllerId": "e5cd7a9e1c",
        "description": "",
        "hidden": false,
        "id": "xxxxxxxxxxxxxxxx-8576d20e72",
        "lastOffline": 0,
        "lastOnline": 0,
        "name": "",
        "networkId": "xxxxxxxxxxxxxxxx",
        "nodeId": "8576d20e72",
        "offlineNotifyDelay": 0,
        "online": false,
        "physicalAddress": null,
        "physicalLocation": null,
        "protocolVersion": 0,
        "supportsRulesEngine": false,
        "type": "Member"
    },
    "msg": "OK (836 bytes)",
    "p3p": "CP=",
    "redirected": false,
    "server": "nginx",
    "status": 200,
    "strict_transport_security": "max-age=63072000; includeSubdomains;",
    "url": "https://my.zerotier.com/api/network/xxxxxxxxxxxxxxxx/member/8576d20e72",
    "x_content_type_options": "nosniff",
    "x_frame_options": "SAMEORIGIN",
    "x_zerotier_central_api_version": "3",
    "x_zerotier_central_version": "1.2.8"
}

I put in a debug: var=apiresult after that to see what comes back from the POST ...

ok: [dove1.local] => {
    "apiresult": {
        "access_control_allow_methods": "GET,PUT,POST,DELETE",
        "access_control_allow_origin": "*",
        "cache_control": "no-cache, no-store, must-revalidate, private, no-transform, proxy-revalidate, max-age=0",
        "changed": false,
        "connection": "close",
        "content_length": "836",
        "content_security_policy": "default-src 'self' blob:;style-src 'self' 'unsafe-inline' https://support.zerotier.com ;object-src 'self' blob:;connect-src 'self' https://community.zerotier.com/ https://support.zerotier.com https://api.stripe.com https://checkout.stripe.com https://piwik.zerotier.com;frame-src 'self' https://community.zerotier.com/ https://support.zerotier.com https://js.stripe.com https://api.stripe.com https://checkout.stripe.com;script-src 'self' 'unsafe-inline' 'unsafe-eval' https://support.zerotier.com https://piwik.zerotier.com https://js.stripe.com https://api.stripe.com https://checkout.stripe.com;img-src 'self' https://support.zerotier.com https://piwik.zerotier.com https://api.stripe.com https://js.stripe.com https://q.stripe.com https://checkout.stripe.com https://stripe.com https://www.stripe.com data: blob:;font-src 'self' data:",
        "content_type": "application/json; charset=utf-8",
        "date": "Tue, 29 Aug 2017 17:42:31 GMT",
        "etag": "0509e94589bc62",
        "json": {
            "clientVersion": null,
            "clock": 1504028551677,
            "config": {
                "activeBridge": false,
                "address": "0000000000",
                "authorized": true,
                "capabilities": [],
                "creationTime": 0,
                "id": "0000000000",
                "identity": null,
                "ipAssignments": [],
                "lastAuthorizedCredential": null,
                "lastAuthorizedCredentialType": null,
                "lastAuthorizedTime": 0,
                "lastDeauthorizedTime": 0,
                "noAutoAssignIps": false,
                "nwid": "0000000000000000",
                "objtype": "member",
                "physicalAddr": "",
                "remoteTraceTarget": null,
                "revision": 0,
                "tags": [],
                "vMajor": 0,
                "vMinor": 0,
                "vProto": 0,
                "vRev": 0
            },
            "controllerId": "e5cd7a9e1c",
            "description": "",
            "hidden": false,
            "id": "xxxxxxxxxxxxxxxx-8576d20e72",
            "lastOffline": 0,
            "lastOnline": 0,
            "name": "",
            "networkId": "xxxxxxxxxxxxxxxx",
            "nodeId": "8576d20e72",
            "offlineNotifyDelay": 0,
            "online": false,
            "physicalAddress": null,
            "physicalLocation": null,
            "protocolVersion": 0,
            "supportsRulesEngine": false,
            "type": "Member"
        },
        "msg": "OK (836 bytes)",
        "p3p": "CP=",
        "redirected": false,
        "server": "nginx",
        "status": 200,
        "strict_transport_security": "max-age=63072000; includeSubdomains;",
        "url": "https://my.zerotier.com/api/network/xxxxxxxxxxxxxxxx/member/8576d20e72",
        "x_content_type_options": "nosniff",
        "x_frame_options": "SAMEORIGIN",
        "x_zerotier_central_api_version": "3",
        "x_zerotier_central_version": "1.2.8"
    }
}

Everything looks fine, except for the name field being empty. That's not a problem. The BIG issue is that the machine can't join the network - gets denied.

ubuntu@dove1:~$ sudo zerotier-cli info
200 info 8576d20e72 1.2.4 ONLINE
ubuntu@dove1:~$ sudo zerotier-cli listnetworks
200 listnetworks <nwid> <name> <mac> <status> <type> <dev> <ZT assigned ips>
200 listnetworks xxxxxxxxxxxxxxxx  6a:0b:45:ce:90:08 ACCESS_DENIED PRIVATE zt0 -

If I stop zerotier, delete the /var/lib/zerotier directory and restart it, then join manually (auth'ing the new machine in the UI on my.zerotier.com ...) then it works fine. So it seems that something about the creation of the new record is bad, and completely blocks that new system from joining the network.

Member name and description not set in ZeroTier

When applying the role to a fresh machine the hostname and description aren't being populated in ZeroTier.

The machine is a VirtualBox VM running Raspbian (2017-06-22-rpd-x86-jessie) which is based on Debian 8.10. I've tested using the current ansible-galaxy version of the role as well as the latest version from master.

I can see that the necessary fields are included correctly in the JSON data being POSTed to the API:

{
  "hidden": false,
  "config": {
    "ipAssignments": [],
    "authorized": true
  },
  "name": "MYTEST",
  "description": "Test member"
}

When I view the member in the ZeroTier web console I can see that it has been automatically authorized and connected to the network as expected, however the name and description are left blank.

I've been able to reproduce the issue by calling the ZeroTier API manually. If I POST a new member to the API before it has ever actually connected to the ZeroTier network, the name and description don't get set. If I send exactly the same request to the API after the machine first appears in the ZeroTier web console then the name and description are populated correctly.

This makes me think it is a timing issue: Ansible is running the task to authorize the new member after telling the machine to join the network but before it has actually managed to do so. For whatever reason ZeroTier doesn't retain the name and description when this happens.

Interestingly, if I repeat the POST a second time the name and description get populated even if the machine hasn't yet connected to the network. I seem to have been able to work around the issue successfully by including the role twice to exploit this behaviour:

roles:
    - { role: m4rcu5nl.zerotier-one, duplicate_run: 1 }
    - { role: m4rcu5nl.zerotier-one, duplicate_run: 2 }

If I'm right this is probably more of a bug in the ZeroTier API than an issue with the Ansible role, but I wanted to raise it here in case there is a better workaround and/or I'm missing something obvious.

Thanks!
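
The issue above reports that repeating the POST makes the name and description stick. As an added example, not the role's own code, one `uri` task can re-send the member update until the API echoes the name back, instead of including the role twice. `zt_api_token`, `zt_node_id` and `zt_member_name` are hypothetical variable names; `no_log` keeps the bearer token out of `-vvv` output.

```yaml
# Added example: not part of ansible-role-zerotier.
# zt_api_token, zt_node_id and zt_member_name are hypothetical variables;
# zerotier_network_id and zerotier_member_description are the names used
# in the issues on this page.
- name: Authorize member and set name/description, retrying until retained
  ansible.builtin.uri:
    url: "https://my.zerotier.com/api/network/{{ zerotier_network_id }}/member/{{ zt_node_id }}"
    method: POST
    headers:
      Authorization: "bearer {{ zt_api_token }}"
    body_format: json
    body:
      name: "{{ zt_member_name }}"
      description: "{{ zerotier_member_description | default('') }}"
      hidden: false
      config:
        authorized: true
    status_code: 200
  register: zt_member
  # Re-send the same request until the response carries the name we sent.
  # The default() guards cover a failed attempt that returned no JSON.
  until: (zt_member.json | default({})).name | default('') == zt_member_name
  retries: 5
  delay: 10
  # Censor the task result so the Authorization header and the full
  # response are not printed in verbose runs or logged.
  no_log: true
```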
