vmware_guest: error when creating vm with enabled virtualization based security #351

Closed
DevFinGitGovSecChatOps opened this issue Aug 18, 2020 · 10 comments
Assignees
Labels
affects_2.10 bug This issue/PR relates to a bug cloud has_pr module module plugins plugin (any type) python3 traceback

Comments

@DevFinGitGovSecChatOps

DevFinGitGovSecChatOps commented Aug 18, 2020

SUMMARY

When trying to create a new VM with virt_based_security: true, the task will fail.
Removing the virt_based_security option successfully creates a VM, without virtualization based security though.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

vmware_guest

ANSIBLE VERSION
ansible 2.10.0
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/user/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/user/git/windows-template-creation/venv-beta/lib64/python3.6/site-packages/ansible
  executable location = /home/user/git/windows-template-creation/venv-beta/bin/ansible
  python version = 3.6.8 (default, Sep 26 2019, 11:57:09) [GCC 4.8.5 20150623 (Red Hat 4.8.5-39)]

vmware collection version: 1.1.0
Also tested with ansible 2.9.12

OS / ENVIRONMENT

os: rhel 7.8
vSphere: 6.7.0.44000

STEPS TO REPRODUCE

---
- name: create vm template
  hosts: ws
  connection: local
  gather_facts: false

  tasks:
    - name: create vm
      vmware_guest:
        hostname: "{{ vcenter_hostname }}"
        username: "{{ vcenter_username }}"
        password: "{{ vcenter_password }}"
        validate_certs: "{{ vcenter_validate_certs }}"
        datacenter: "{{ vcenter_datacenter }}"
        cluster: "{{ vcenter_cluster }}"
        resource_pool: "{{ vcenter_resource_pool }}"
        folder: "{{ vcenter_folder }}"
        name: "{{ inventory_hostname }}"
        guest_id: windows9Server64Guest
        hardware:
          boot_firmware: "efi"
          hotadd_cpu: true
          hotadd_memory: true
          num_cpus: 2
          memory_mb: 4096
          memory_reservation_lock: true
          nested_virt: true
          scsi: paravirtual
          virt_based_security: true
        cdrom:
          type: none
        disk:
          - size_gb: 50
            datastore: "{{ vcenter_datastore }}"
        networks:
          - name: "{{ vm_network }}"
            device_type: vmxnet3
            start_connected: true
        state: poweredoff

EXPECTED RESULTS

VM should be created with enabled virtualization based security

ACTUAL RESULTS

ansible-playbook 2.10.0
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/user/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/user/git/windows-template-creation/venv-beta/lib64/python3.6/site-packages/ansible
  executable location = /home/user/git/windows-template-creation/venv-beta/bin/ansible-playbook
  python version = 3.6.8 (default, Sep 26 2019, 11:57:09) [GCC 4.8.5 20150623 (Red Hat 4.8.5-39)]
Using /etc/ansible/ansible.cfg as config file
host_list declined parsing /home/user/git/windows-template-creation/test-inventory as it did not pass its verify_file() method
script declined parsing /home/user/git/windows-template-creation/test-inventory as it did not pass its verify_file() method
auto declined parsing /home/user/git/windows-template-creation/test-inventory as it did not pass its verify_file() method
Parsed /home/user/git/windows-template-creation/test-inventory inventory source with ini plugin
redirecting (type: modules) ansible.builtin.vmware_guest to community.vmware.vmware_guest

PLAYBOOK: test-virt_based_sec.yml **********************************************
1 plays in test-virt_based_sec.yml

PLAY [create vm template] ******************************************************
META: ran handlers

TASK [create vm] ***************************************************************
task path: /home/user/git/windows-template-creation/test-virt_based_sec.yml:8
<test-vbs> ESTABLISH LOCAL CONNECTION FOR USER: user
<test-vbs> EXEC /bin/sh -c 'echo ~user && sleep 0'
<test-vbs> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /home/user/.ansible/tmp `"&& mkdir "` echo /home/user/.ansible/tmp/ansible-tmp-1597764030.5870066-108225-277272799383828 `" && echo ansible-tmp-1597764030.5870066-108225-277272799383828="` echo /home/user/.ansible/tmp/ansible-tmp-1597764030.5870066-108225-277272799383828 `" ) && sleep 0'
redirecting (type: modules) ansible.builtin.vmware_guest to community.vmware.vmware_guest
<test-vbs> Attempting python interpreter discovery
<test-vbs> EXEC /bin/sh -c 'echo PLATFORM; uname; echo FOUND; command -v '"'"'/usr/bin/python'"'"'; command -v '"'"'python3.7'"'"'; command -v '"'"'python3.6'"'"'; command -v '"'"'python3.5'"'"'; command -v '"'"'python2.7'"'"'; command -v '"'"'python2.6'"'"'; command -v '"'"'/usr/libexec/platform-python'"'"'; command -v '"'"'/usr/bin/python3'"'"'; command -v '"'"'python'"'"'; echo ENDFOUND && sleep 0'
<test-vbs> EXEC /bin/sh -c '/usr/bin/python && sleep 0'
Using module file /home/user/git/windows-template-creation/collections/ansible_collections/community/vmware/plugins/modules/vmware_guest.py
<test-vbs> PUT /home/user/.ansible/tmp/ansible-local-108217z6fqd9c3/tmpf50qtwkb TO /home/user/.ansible/tmp/ansible-tmp-1597764030.5870066-108225-277272799383828/AnsiballZ_vmware_guest.py
<test-vbs> EXEC /bin/sh -c 'chmod u+x /home/user/.ansible/tmp/ansible-tmp-1597764030.5870066-108225-277272799383828/ /home/user/.ansible/tmp/ansible-tmp-1597764030.5870066-108225-277272799383828/AnsiballZ_vmware_guest.py && sleep 0'
<test-vbs> EXEC /bin/sh -c '/usr/bin/python /home/user/.ansible/tmp/ansible-tmp-1597764030.5870066-108225-277272799383828/AnsiballZ_vmware_guest.py && sleep 0'
<test-vbs> EXEC /bin/sh -c 'rm -f -r /home/user/.ansible/tmp/ansible-tmp-1597764030.5870066-108225-277272799383828/ > /dev/null 2>&1 && sleep 0'
The full traceback is:
Traceback (most recent call last):
  File "/home/user/.ansible/tmp/ansible-tmp-1597764030.5870066-108225-277272799383828/AnsiballZ_vmware_guest.py", line 102, in <module>
    _ansiballz_main()
  File "/home/user/.ansible/tmp/ansible-tmp-1597764030.5870066-108225-277272799383828/AnsiballZ_vmware_guest.py", line 94, in _ansiballz_main
    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
  File "/home/user/.ansible/tmp/ansible-tmp-1597764030.5870066-108225-277272799383828/AnsiballZ_vmware_guest.py", line 40, in invoke_module
    runpy.run_module(mod_name='ansible_collections.community.vmware.plugins.modules.vmware_guest', init_globals=None, run_name='__main__', alter_sys=True)
  File "/usr/lib64/python2.7/runpy.py", line 176, in run_module
    fname, loader, pkg_name)
  File "/usr/lib64/python2.7/runpy.py", line 82, in _run_module_code
    mod_name, mod_fname, mod_loader, pkg_name)
  File "/usr/lib64/python2.7/runpy.py", line 72, in _run_code
    exec code in run_globals
  File "/tmp/ansible_vmware_guest_payload_ZjSqWb/ansible_vmware_guest_payload.zip/ansible_collections/community/vmware/plugins/modules/vmware_guest.py", line 3570, in <module>
  File "/tmp/ansible_vmware_guest_payload_ZjSqWb/ansible_vmware_guest_payload.zip/ansible_collections/community/vmware/plugins/modules/vmware_guest.py", line 3559, in main
  File "/tmp/ansible_vmware_guest_payload_ZjSqWb/ansible_vmware_guest_payload.zip/ansible_collections/community/vmware/plugins/modules/vmware_guest.py", line 3069, in deploy_vm
  File "/tmp/ansible_vmware_guest_payload_ZjSqWb/ansible_vmware_guest_payload.zip/ansible_collections/community/vmware/plugins/modules/vmware_guest.py", line 1828, in configure_hardware_params
AttributeError: 'NoneType' object has no attribute 'split'
fatal: [test-vbs]: FAILED! => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": false,
    "module_stderr": "Traceback (most recent call last):\n  File \"/home/user/.ansible/tmp/ansible-tmp-1597764030.5870066-108225-277272799383828/AnsiballZ_vmware_guest.py\", line 102, in <module>\n    _ansiballz_main()\n  File \"/home/user/.ansible/tmp/ansible-tmp-1597764030.5870066-108225-277272799383828/AnsiballZ_vmware_guest.py\", line 94, in _ansiballz_main\n    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n  File \"/home/user/.ansible/tmp/ansible-tmp-1597764030.5870066-108225-277272799383828/AnsiballZ_vmware_guest.py\", line 40, in invoke_module\n    runpy.run_module(mod_name='ansible_collections.community.vmware.plugins.modules.vmware_guest', init_globals=None, run_name='__main__', alter_sys=True)\n  File \"/usr/lib64/python2.7/runpy.py\", line 176, in run_module\n    fname, loader, pkg_name)\n  File \"/usr/lib64/python2.7/runpy.py\", line 82, in _run_module_code\n    mod_name, mod_fname, mod_loader, pkg_name)\n  File \"/usr/lib64/python2.7/runpy.py\", line 72, in _run_code\n    exec code in run_globals\n  File \"/tmp/ansible_vmware_guest_payload_ZjSqWb/ansible_vmware_guest_payload.zip/ansible_collections/community/vmware/plugins/modules/vmware_guest.py\", line 3570, in <module>\n  File \"/tmp/ansible_vmware_guest_payload_ZjSqWb/ansible_vmware_guest_payload.zip/ansible_collections/community/vmware/plugins/modules/vmware_guest.py\", line 3559, in main\n  File \"/tmp/ansible_vmware_guest_payload_ZjSqWb/ansible_vmware_guest_payload.zip/ansible_collections/community/vmware/plugins/modules/vmware_guest.py\", line 3069, in deploy_vm\n  File \"/tmp/ansible_vmware_guest_payload_ZjSqWb/ansible_vmware_guest_payload.zip/ansible_collections/community/vmware/plugins/modules/vmware_guest.py\", line 1828, in configure_hardware_params\nAttributeError: 'NoneType' object has no attribute 'split'\n",
    "module_stdout": "",
    "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
    "rc": 1
}

PLAY RECAP *********************************************************************
test-vbs                   : ok=0    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0   


@DevFinGitGovSecChatOps
Author

Maybe relevant: #89

@ansibullbot

@ansibullbot ansibullbot added affects_2.10 bug This issue/PR relates to a bug module module needs_triage Needs a first human triage before being processed. python3 traceback labels Aug 19, 2020
@ansibullbot ansibullbot added cloud plugins plugin (any type) labels Aug 28, 2020
@DevFinGitGovSecChatOps
Author

Just adding a second task with virt_based_security: true seems to work!
It doesn't solve the issue though, since a person reading the official doc would expect it to work in one task (as I did).

---
- name: create vm template
  hosts: ws
  connection: local
  gather_facts: false

  tasks:
    - name: create vm
      vmware_guest:
        hostname: "{{ vcenter_hostname }}"
        username: "{{ vcenter_username }}"
        password: "{{ vcenter_password }}"
        validate_certs: "{{ vcenter_validate_certs }}"
        datacenter: "{{ vcenter_datacenter }}"
        cluster: "{{ vcenter_cluster }}"
        resource_pool: "{{ vcenter_resource_pool }}"
        folder: "{{ vcenter_folder }}"
        name: "{{ inventory_hostname }}"
        guest_id: windows9Server64Guest
        hardware:
          boot_firmware: "efi"
          hotadd_cpu: true
          hotadd_memory: true
          num_cpus: 2
          memory_mb: 4096
          memory_reservation_lock: true
          nested_virt: true
          scsi: paravirtual
          virt_based_security: true
        cdrom:
          type: none
        disk:
          - size_gb: 50
            datastore: "{{ vcenter_datastore }}"
        networks:
          - name: "{{ vm_network }}"
            device_type: vmxnet3
            start_connected: true
        state: poweredoff

    - name: enable virt_based_security
      vmware_guest:
        hostname: "{{ vcenter_hostname }}"
        username: "{{ vcenter_username }}"
        password: "{{ vcenter_password }}"
        validate_certs: "{{ vcenter_validate_certs }}"
        datacenter: "{{ vcenter_datacenter }}"
        cluster: "{{ vcenter_cluster }}"
        resource_pool: "{{ vcenter_resource_pool }}"
        folder: "{{ vcenter_folder }}"
        name: "{{ inventory_hostname }}"
        guest_id: windows9Server64Guest
        hardware:
          virt_based_security: true

@mariolenz
Collaborator

I think the module crashes here:

https://github.com/ansible-collections/vmware/blob/aee551dc1d1f8a57f58f2da47bef7678b2461973/plugins/modules/vmware_guest.py#L1828-L1829

The module tries to make sure that the chosen hardware version supports virtualization based security, but self.configspec.version seems to be None when creating a new VM without explicitly setting the version. I'll have to have a closer look into this. According to the documentation, the default hardware version is 10. This means the module should fail (version 10 doesn't support virtualization based security), but it shouldn't crash.

As a quick'n'dirty workaround, you can explicitly set the hardware version to 14, 15 or 17 ("latest" doesn't work, either, I've tested this).

@DevFinGitGovSecChatOps
Author

DevFinGitGovSecChatOps commented Sep 2, 2020

I can confirm it! The following playbook is working as intended.

- name: create vm template
  hosts: ws
  connection: local
  gather_facts: false

  tasks:
    - name: create vm
      vmware_guest:
        hostname: "{{ vcenter_hostname }}"
        username: "{{ vcenter_username }}"
        password: "{{ vcenter_password }}"
        validate_certs: "{{ vcenter_validate_certs }}"
        datacenter: "{{ vcenter_datacenter }}"
        cluster: "{{ vcenter_cluster }}"
        resource_pool: "{{ vcenter_resource_pool }}"
        folder: "{{ vcenter_folder }}"
        name: "{{ inventory_hostname }}"
        guest_id: windows9Server64Guest
        hardware:
          boot_firmware: "efi"
          hotadd_cpu: true
          hotadd_memory: true
          num_cpus: 2
          memory_mb: 4096
          memory_reservation_lock: true
          nested_virt: true
          scsi: paravirtual
          version: 14 # added
          virt_based_security: true
        cdrom:
          type: none
        disk:
          - size_gb: 50
            datastore: "{{ vcenter_datastore }}"
        networks:
          - name: "{{ vm_network }}"
            device_type: vmxnet3
            start_connected: true
        state: poweredoff

@Tomorrow9
Collaborator

I'll take a look at this issue, thanks for reporting and debugging.

@mariolenz
Collaborator

@Tomorrow9 shared some interesting information on this in PR #384:

There are 3 restrictions on enabling VBS:

1. vSphere 6.7 or later, and >= hardware version 14.
2. Windows 10, Windows Server 2016/2019, or later.
3. EFI firmware

If "virt_based_security" is set to True, then there are 3 variables to be set:

1. self.configspec.bootOptions.efiSecureBootEnabled
2. self.configspec.flags.vbsEnabled
3. self.configspec.flags.vvtdEnabled
4. self.configspec.nestedHVEnabled

Only the first one will return an error if the VM firmware is not EFI. The other 3 configs will not fail if the above 1. and 2. restrictions are not met. So if a user sets this parameter "virt_based_security" on a Linux VM with EFI firmware, there is no error returned. My concern is that these similar situations with a not-failed result may cause user confusion, or maybe I'm thinking too much and users know about this and act according to the doc.
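The two points made in this thread, the crash on a None hardware version noted by mariolenz and the VBS restrictions quoted from PR #384, as an added example that is not code from the community.vmware module: a version parser that passes None through instead of calling .split() on it, and an explicit requirement check that returns readable problems rather than silently configuring VBS. The guest-ID allow-list and the function names are assumptions made for the example.

```python
# Added example, not code from the community.vmware module. It models the two
# points raised in this thread: a hardware version of None must not be
# .split() (the crash), and unmet VBS requirements must fail explicitly.
VBS_MIN_HW_VERSION = 14  # vSphere 6.7+ / hardware version 14, per the thread
# Constructed allow-list of guest IDs assumed to meet the Windows 10 /
# Server 2016/2019 requirement; extend it for other guest IDs you validate.
VBS_WINDOWS_GUEST_IDS = {"windows9_64Guest", "windows9Server64Guest"}


def parse_hw_version(version):
    """Return an int from 14, "14" or "vmx-14"; None (version not set) stays None.

    Passing None through instead of calling .split() on it avoids the AttributeError.
    """
    if version is None:
        return None
    text = str(version).strip().lower()
    if text == "latest":
        raise ValueError("resolve 'latest' to a numeric hardware version first")
    if text.startswith("vmx-"):
        text = text[4:]
    if not text.isdigit():
        raise ValueError("unsupported hardware version %r" % (version,))
    return int(text)


def check_vbs_requirements(hardware, guest_id):
    """Return a list of problems; an empty list means VBS may be enabled."""
    if not hardware.get("virt_based_security"):
        return []  # nothing requested, nothing to validate
    try:
        hw_version = parse_hw_version(hardware.get("version"))
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if hw_version is None:
        problems.append("virt_based_security needs an explicit hardware.version "
                        ">= %d; none was given" % VBS_MIN_HW_VERSION)
    elif hw_version < VBS_MIN_HW_VERSION:
        problems.append("hardware version %d does not support virt_based_security "
                        "(need >= %d)" % (hw_version, VBS_MIN_HW_VERSION))
    if str(hardware.get("boot_firmware", "bios")).lower() != "efi":
        problems.append("virt_based_security requires boot_firmware: efi")
    if guest_id not in VBS_WINDOWS_GUEST_IDS:
        problems.append("guest_id %r is not a Windows 10 / Server 2016+ guest" % guest_id)
    return problems


def vbs_configspec_flags(hardware, guest_id):
    """The four ConfigSpec settings listed in the thread, or None if VBS is refused."""
    if check_vbs_requirements(hardware, guest_id):
        return None
    return {"bootOptions.efiSecureBootEnabled": True, "flags.vbsEnabled": True,
            "flags.vvtdEnabled": True, "nestedHVEnabled": True}
```

With the reporter's original hardware dict (no version) the check returns one problem naming the missing version instead of a traceback; with version: 14 added, as in the confirmed workaround, it returns no problems.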

@Akasurde
Member

@mariolenz What is the action item here?

@mariolenz
Collaborator

mariolenz commented Nov 27, 2020

@Akasurde

What is the action item here?

Sorry, I didn't have another look at this issue since @Tomorrow9 wanted to. I'll assign it to myself and try to find a solution.

edit:
Note to myself: vbsEnabled in vim.vm.VirtualMachineFlagInfo, part of vim.vm.ConfigSpec

@mariolenz mariolenz assigned mariolenz and unassigned Tomorrow9 Nov 27, 2020
@ansibullbot ansibullbot added has_pr and removed needs_triage Needs a first human triage before being processed. labels Jan 15, 2021
@mariolenz
Collaborator

@Akasurde

@mariolenz What is the action item here?

Actually, I'm quite sure this has been fixed with PR #384. So I'll close this issue for now.

However, I think there are some problems when it comes to virtualization based security. I've opened PR #816 for this, but it's still work in progress at the moment.

ansible-zuul bot pushed a commit that referenced this issue Dec 27, 2021
vmware_guest: Make VBS requirements explicit

SUMMARY
#351 made me think about how we handle virtualization based security and I don't like it. I really don't think it's a good idea if modules silently configure something, I think it should always be explicit.
ISSUE TYPE

Bugfix Pull Request

COMPONENT NAME
vmware_guest
ADDITIONAL INFORMATION
#816
