Ansible playbook not working, web VMs will not install/remove/update

2024-09-05T18:35:29.76+00:00

I am trying to run an Ansible playbook to set up one of my web VMs to remove and/or install certain packages so we can start our week of web applications (cyber blog project). I use Microsoft Azure. SSH and HTTP are allowed.

Below is the playbook:


---
- name: Config Web VM with Docker
  hosts: webservers
  become: true
  tasks:
    - name: Uninstall apache if needed
      ansible.builtin.apt:
        update_cache: yes
        name: apache2
        state: absent

    - name: docker.io
      ansible.builtin.apt:
        update_cache: yes
        name: docker.io
        state: present

    - name: Install pip3
      ansible.builtin.apt:
        force_apt_get: yes
        name: python3-pip
        state: present

    - name: Install Docker python module
      pip:
        name: docker
        state: present
        extra_args: --break-system-packages

    - name: revert requests to 2.31.0 to bypass https://github.com/docker/docker-py/issues/3256
      ansible.builtin.command:
        cmd: pip install --force-reinstall requests==2.31.0

    - name: download and launch a docker web container
      docker_container:
        name: dvwa
        image: cyberxsecurity/dvwa
        state: started
        published_ports: 80:80
        restart_policy: always

    - name: Enable docker service
      systemd:
        name: docker
        enabled: yes

When running this playbook, I get:


root@2b61bbccc5f2:/etc/ansible# ansible-playbook pentest.yml
[WARNING]: ansible.utils.display.initialize_locale has not been called, this may result in incorrectly calculated text
widths that can cause Display to print incorrect line lengths

PLAY [Config Web VM with Docker] ***************************************************************************************

TASK [Gathering Facts] *************************************************************************************************
ok: [10.0.0.5]
ok: [10.0.0.6]

TASK [Uninstall apache if needed] **************************************************************************************
fatal: [10.0.0.6]: FAILED! => {"changed": false, "msg": "Failed to update apt cache: unknown reason"}
fatal: [10.0.0.5]: FAILED! => {"changed": false, "msg": "Failed to update apt cache: unknown reason"}

PLAY RECAP *************************************************************************************************************
10.0.0.5                   : ok=1    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0
10.0.0.6                   : ok=1    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0

The errors:

fatal: [10.0.0.6]: FAILED! => {"changed": false, "msg": "Failed to update apt cache: unknown reason"}
fatal: [10.0.0.5]: FAILED! => {"changed": false, "msg": "Failed to update apt cache: unknown reason"}

Below is a list of the steps I have taken to create my virtual machines:

  1. Create resource group
  2. Create virtual network
  3. Create network security group
  4. Create jumpbox VM
  5. Create and add SSH id_rsa.pub key to jumpbox VM from personal computer
  6. Add inbound rule to allow SSH from personal computer to jumpbox in network security group
  7. Test if SSH works to jumpbox VM from personal computer (it does)
  8. Update the jumpbox VM doing sudo apt-get update (it completes fine)
  9. Install docker.io using sudo apt-get install docker.io
  10. Pull the "cyberxsecurity/ansible" image using sudo docker pull cyberxsecurity/ansible
  11. Run an ansible container using sudo docker run -it cyberxsecurity/ansible /bin/bash
  12. Create and add SSH id_rsa.pub key from within the ansible container
  13. Create web1 VM, and create an availability set
  14. Add SSH id_rsa.pub key to web1 VM from ansible container
  15. Add inbound rule to allow SSH from jumpbox within the virtual network
  16. Test if SSH works to web1 VM (it does)
  17. Repeat and create web2 VM with same SSH id_rsa.pub key and with same availability set
  18. Test if SSH works to web2 VM (it does)
  19. From ansible container, nano ansible.cfg to add remote_user using the admin of azure's username
  20. From ansible container, nano "hosts" to add the web VM(s)' internal IP, as well as add ansible_python_interpreter=/usr/bin/python3
  21. From ansible container, nano "pentest.yml" with custom playbook (it works)
  22. "Checking Facts" works and connects through SSH
  23. Tasks then fail and hang

I tried the playbook without the apache2 task, starting with docker.io - I get this error:


root@2b61bbccc5f2:/etc/ansible# ansible-playbook pentest.yml
[WARNING]: ansible.utils.display.initialize_locale has not been called, this may result in incorrectly calculated text
widths that can cause Display to print incorrect line lengths

PLAY [Config Web VM with Docker] ***************************************************************************************

TASK [Gathering Facts] *************************************************************************************************
ok: [10.0.0.6]
ok: [10.0.0.5]

TASK [docker.io] *******************************************************************************************************
fatal: [10.0.0.6]: FAILED! => {"changed": false, "msg": "Failed to lock apt for exclusive operation: Failed to lock directory /var/lib/apt/lists/: E:Could not get lock /var/lib/apt/lists/lock. It is held by process 2324 (apt-get)"}
fatal: [10.0.0.5]: FAILED! => {"changed": false, "msg": "Failed to lock apt for exclusive operation: Failed to lock directory /var/lib/apt/lists/: E:Could not get lock /var/lib/apt/lists/lock. It is held by process 2659 (apt-get)"}

PLAY RECAP *************************************************************************************************************
10.0.0.5                   : ok=1    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0
10.0.0.6                   : ok=1    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0

The errors:

fatal: [10.0.0.6]: FAILED! => {"changed": false, "msg": "Failed to lock apt for exclusive operation: Failed to lock directory /var/lib/apt/lists/: E:Could not get lock /var/lib/apt/lists/lock. It is held by process 2324 (apt-get)"}
fatal: [10.0.0.5]: FAILED! => {"changed": false, "msg": "Failed to lock apt for exclusive operation: Failed to lock directory /var/lib/apt/lists/: E:Could not get lock /var/lib/apt/lists/lock. It is held by process 2659 (apt-get)"}

I then SSH into a web VM to do these manually; this is what I get when removing apache2 using sudo apt-get remove apache2:


Reading package lists... Done
Building dependency tree
Reading state information... Done
Package 'apache2' is not installed, so not removed
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

That is okay (or is it?)

I then try to install docker.io, using sudo apt-get install docker.io:


Reading package lists... Done
Building dependency tree
Reading state information... Done
Package docker.io is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source

E: Package 'docker.io' has no installation candidate

This doesn't make any sense because on the jumpbox machine, it installs perfectly normally. Everything on the jumpbox machine works fine.

So, I try a suggested command when Googling and it is to use sudo apt-get update from the target VM itself. This is what I get:

  • First, it will hang on this for some time:

0% [Connecting to azure.archive.ubuntu.com (20.53.66.23)]

  • Second, it will spit out these errors:

myadmin@myweb1:~$ sudo apt-get update
Err:1 http://azure.archive.ubuntu.com/ubuntu focal InRelease
  Could not connect to azure.archive.ubuntu.com:80 (20.53.66.23), connection timed out
Err:2 http://azure.archive.ubuntu.com/ubuntu focal-updates InRelease
  Unable to connect to azure.archive.ubuntu.com:http:
Err:3 http://azure.archive.ubuntu.com/ubuntu focal-backports InRelease
  Unable to connect to azure.archive.ubuntu.com:http:
Err:4 http://azure.archive.ubuntu.com/ubuntu focal-security InRelease
  Unable to connect to azure.archive.ubuntu.com:http:
Reading package lists... Done
W: Failed to fetch http://azure.archive.ubuntu.com/ubuntu/dists/focal/InRelease  Could not connect to azure.archive.ubuntu.com:80 (20.53.66.23), connection timed out
W: Failed to fetch http://azure.archive.ubuntu.com/ubuntu/dists/focal-updates/InRelease  Unable to connect to azure.archive.ubuntu.com:http:
W: Failed to fetch http://azure.archive.ubuntu.com/ubuntu/dists/focal-backports/InRelease  Unable to connect to azure.archive.ubuntu.com:http:
W: Failed to fetch http://azure.archive.ubuntu.com/ubuntu/dists/focal-security/InRelease  Unable to connect to azure.archive.ubuntu.com:http:
W: Some index files failed to download. They have been ignored, or old ones used instead.

What in the heck do I do?

EDIT: Extra info

When running the playbook to install pip3:

root@2b61bbccc5f2:/etc/ansible# ansible-playbook pentest.yml
[WARNING]: ansible.utils.display.initialize_locale has not been called, this may result in incorrectly calculated text
widths that can cause Display to print incorrect line lengths

PLAY [Config Web VM with Docker] ***************************************************************************************

TASK [Gathering Facts] *************************************************************************************************
ok: [10.0.0.5]
ok: [10.0.0.6]

TASK [Install pip3] ****************************************************************************************************
fatal: [10.0.0.5]: FAILED! => {"changed": false, "msg": "No package matching 'python3-pip' is available"}
fatal: [10.0.0.6]: FAILED! => {"changed": false, "msg": "No package matching 'python3-pip' is available"}

PLAY RECAP *************************************************************************************************************
10.0.0.5                   : ok=1    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0
10.0.0.6                   : ok=1    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0

The errors:

fatal: [10.0.0.5]: FAILED! => {"changed": false, "msg": "No package matching 'python3-pip' is available"}
fatal: [10.0.0.6]: FAILED! => {"changed": false, "msg": "No package matching 'python3-pip' is available"}

Steps done to troubleshoot:

  • Manually ran tasks (commands)
  • Restarted all resources on Azure to start fresh
  • Changed regions on Azure to try and see if connection was an issue
  • Tried different Ubuntu LTS versions (24 will not work with ansible for me/ needs to be 20.04 or less)
  • Tried updating VMs manually (jumpbox works fine)