Problems restarting auditd on Centos7 - "Unable to restart service auditd: Failed to restart auditd.service: Operation refused"

Hi All,

I’m currently trying to build a role to maintain auditd across our machines. We’ve got a couple of different flavours of Linux, as well as versions thereof, running in our environment, so I’m trying to get it to work across all of them.

This is mainly working well, unless I count CentOS 7.

When the config and/or rules files have been updated I’m calling a handler named ‘reload_auditd’ which looks as follows:

  - name: reload_auditd
    service:
      name: auditd
      state: restarted

This works fine on CentOS 6 and Ubuntu, but CentOS 7 fires the following error message:

← Cut →
fatal: [nsm-rh-silk]: FAILED! => {"changed": false, "failed": true, "msg": "Unable to restart service auditd: Failed to restart auditd.service: Operation refused, unit auditd.service may be requested by dependency only.\nSee system logs and 'systemctl status auditd.service' for details.\n"}
← Cut →

I had a look in the archive of this mailing list and could find one previous question where the only reply ended with: “in short, use the service command.” Since I am using the service command, I’m a little bit stuck here. Does anyone have any further info/help to provide?

Thanks in advance, Mike

Just some further info.

I updated to Ansible 2.3.0 but the problem still persists.

Just to test things, I wrote a bit of a ‘dirty’ handler like this:

← Cut →

  - name: reload_auditd_C7
    command: service "{{ audit_service }}" restart

← Cut →

This works, although it throws a warning: “[WARNING]: Consider using service module rather than running service”

To me it starts to feel like there might be some kind of bug when it comes to this?

Cheers, Mike

a)
Which Ansible version is in use? Same behavior with 2.2.2 or 2.3.0?
b)
Can you successfully run the following on the command line (CentOS 7)?
  systemctl status auditd.service
  systemctl restart auditd.service

Does the Ansible user have the rights to restart auditd.service?

c)
Ugly hack as a last resort: use the Ansible module command instead of
the Ansible module service, for CentOS 7 only.

Hi there,

a) I have the same behavior on both versions.

b) The status command works, the restart command doesn’t. If I run ‘service auditd restart’ it works as expected.

c) I did another ugly hack that works, for now. I got a handler that looks like this. It fires a warning that I should use the ‘service’ command instead though. :wink:

← Cut →

  - name: reload_auditd_C7
    command: service auditd restart

← Cut →

It almost looks like using the ‘service’ command in Ansible against CentOS 7 actually calls the ‘systemctl’ functionality at the other end?

Cheers, Mike
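
An added example, not part of the original posts: one way to keep a single `notify: reload_auditd` in the role while routing CentOS 7 to the `service auditd restart` command that the thread reports working. The file path, the handler names and the use of `listen` (available from Ansible 2.2) are assumptions.

```yaml
# handlers/main.yml (hypothetical path inside the auditd role)
#
# Both handlers subscribe to the topic "reload_auditd", so every task
# that changes auditd.conf or the rules files keeps the same line:
#   notify: reload_auditd
# Exactly one of the two handlers runs on any given host.

# CentOS 6, Ubuntu and everything else: the service module works as-is.
- name: restart auditd with the service module
  service:
    name: auditd
    state: restarted
  listen: reload_auditd
  when: not (ansible_distribution == 'CentOS' and
             ansible_distribution_major_version == '7')

# CentOS 7: the service module's restart is refused ("Operation refused,
# unit auditd.service may be requested by dependency only"), while the
# service command succeeds, so call the command directly.
# Ansible prints "[WARNING]: Consider using service module ..." here;
# that warning is expected for this handler.
- name: restart auditd with the service command (CentOS 7 only)
  command: service auditd restart
  listen: reload_auditd
  when:
    - ansible_distribution == 'CentOS'
    - ansible_distribution_major_version == '7'
```

Both conditions rely on gathered facts, so the play must not set `gather_facts: no`.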