luks_device fails idempotent state: opened if container already exists on Arch Linux

[gdrosos]

SUMMARY

The luks_device module fails to perform an idempotent state: opened operation when the LUKS container is already open. Instead of returning ok with "changed": false, it raises an error:

Error while opening LUKS container on /dev/loopX: Device luks-... already exists.

This only occurs on Arch Linux. Other distributions (e.g. Debian, Rocky, Fedora, Ubuntu, RHEL, Alpine) return the expected ok status. The module should detect that the container is already mapped and skip the open operation to preserve idempotency.

ISSUE TYPE

• Bug Report

COMPONENT NAME

luks_device

ANSIBLE VERSION

ansible [core 2.18.3]
  config file = None
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /venv3.12/lib/python3.12/site-packages/ansible
  ansible collection location = /root/.ansible/collections:/usr/share/ansible/collections
  executable location = /venv3.12/bin/ansible
  python version = 3.12.3 (main, Feb  4 2025, 14:48:35) [GCC 13.3.0] (/venv3.12/bin/python)
  jinja version = 3.1.6
  libyaml = True

COLLECTION VERSION

devel

OS / ENVIRONMENT

This issue occurs on Arch Linux and was reprduced using its official docker image

STEPS TO REPRODUCE

On Arch Linux, run the integration tests of luks_device

ansible-test integration luks_device -vvv   --allow-destructive --requirements --allow-root --continue-on-error `

in order to run this task:

community.crypto/tests/integration/targets/luks_device/tasks/tests/create-destroy.yml

Lines 66 to 71 in a5a4e02

	- name: Open (idempotent)
	luks_device:
	device: "{{ cryptfile_device }}"
	state: opened
	keyfile: "{{ remote_tmp_dir }}/keyfile1"
	become: true

EXPECTED RESULTS

We would expect the aforementioned task to succeed and report a ok status. This occurs as expected on Rocky, Fedora, RHEL, Alpine, Debian and Ubuntu

TASK [luks_device : Open (idempotent)] *****************************************
ok: [testhost]

ACTUAL RESULTS

TASK [luks_device : Open (idempotent)] *****************************************
task path: /root/.ansible/collections/ansible_collections/community/crypto/tests/output/.tmp/integration/luks_device-ir1kz7vl-ÅÑŚÌβŁÈ/tests/integration/targets/luks_device/tasks/tests/create-destroy.yml:66
Using module file /root/.ansible/collections/ansible_collections/community/crypto/plugins/modules/luks_device.py
Pipelining is enabled.
<172.18.0.2> ESTABLISH SSH CONNECTION FOR USER: root
<172.18.0.2> SSH: EXEC ssh -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o Port=22 -o 'IdentityFile="/root/.ansible/test/id_rsa"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="root"' -o ConnectTimeout=10 -o 'ControlPath="/root/.ansible/cp/5b80634bb5"' 172.18.0.2 '/bin/sh -c '"'"'/opt/python3.12/bin/python3.12 && sleep 0'"'"''
<172.18.0.2> (1, b'\n{"failed": true, "msg": "luks_device error: Error while opening LUKS container on /dev/loop1: Device luks-eb13ab91-6e59-41b7-bd0c-94a8b5fd0fc5 already exists.\\n", "exception": "  File \\"/tmp/ansible_luks_device_payload_1a8j3wjd/ansible_luks_device_payload.zip/ansible_collections/community/crypto/plugins/modules/luks_device.py\\", line 1106, in run_module\\n  File \\"/tmp/ansible_luks_device_payload_1a8j3wjd/ansible_luks_device_payload.zip/ansible_collections/community/crypto/plugins/modules/luks_device.py\\", line 664, in run_luks_open\\n", "invocation": {"module_args": {"device": "/dev/loop1", "state": "opened", "keyfile": "/root/tmp/ansible.kanc972_.test/keyfile1", "passphrase_encoding": "text", "force_remove_last_key": false, "perf_same_cpu_crypt": false, "perf_submit_from_crypt_cpus": false, "perf_no_read_workqueue": false, "perf_no_write_workqueue": false, "persistent": false, "allow_discards": false, "name": null, "new_keyfile": null, "remove_keyfile": null, "passphrase": null, "new_passphrase": null, "remove_passphrase": null, "keyslot": null, "new_keyslot": null, "remove_keyslot": null, "keysize": null, "label": null, "uuid": null, "type": null, "cipher": null, "hash": null, "pbkdf": null, "sector_size": null}}, "warnings": ["Module did not set no_log for passphrase_encoding"]}\n', b"OpenSSH_9.6p1 Ubuntu-3ubuntu13.9, OpenSSL 3.0.13 30 Jan 2024\r\ndebug1: Reading configuration data /etc/ssh/ssh_config\r\ndebug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files\r\ndebug1: /etc/ssh/ssh_config line 21: Applying options for *\r\ndebug2: resolve_canonicalize: hostname 172.18.0.2 is address\r\ndebug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/root/.ssh/known_hosts'\r\ndebug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/root/.ssh/known_hosts2'\r\ndebug1: auto-mux: Trying existing master at '/root/.ansible/cp/5b80634bb5'\r\ndebug2: fd 3 setting O_NONBLOCK\r\ndebug2: mux_client_hello_exchange: master version 4\r\ndebug3: mux_client_forwards: request forwardings: 0 local, 0 remote\r\ndebug3: mux_client_request_session: entering\r\ndebug3: mux_client_request_alive: entering\r\ndebug3: mux_client_request_alive: done pid = 106\r\ndebug3: mux_client_request_session: session request sent\r\ndebug1: mux_client_request_session: master session id: 2\r\ndebug3: mux_client_read_packet_timeout: read header failed: Broken pipe\r\ndebug2: Received exit status from master 1\r\n")
<172.18.0.2> Failed to connect to the host via ssh: OpenSSH_9.6p1 Ubuntu-3ubuntu13.9, OpenSSL 3.0.13 30 Jan 2024
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug2: resolve_canonicalize: hostname 172.18.0.2 is address
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/root/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/root/.ssh/known_hosts2'
debug1: auto-mux: Trying existing master at '/root/.ansible/cp/5b80634bb5'
debug2: fd 3 setting O_NONBLOCK
debug2: mux_client_hello_exchange: master version 4
debug3: mux_client_forwards: request forwardings: 0 local, 0 remote
debug3: mux_client_request_session: entering
debug3: mux_client_request_alive: entering
debug3: mux_client_request_alive: done pid = 106
debug3: mux_client_request_session: session request sent
debug1: mux_client_request_session: master session id: 2
debug3: mux_client_read_packet_timeout: read header failed: Broken pipe
debug2: Received exit status from master 1
The full traceback is:
  File "/tmp/ansible_luks_device_payload_1a8j3wjd/ansible_luks_device_payload.zip/ansible_collections/community/crypto/plugins/modules/luks_device.py", line 1106, in run_module
  File "/tmp/ansible_luks_device_payload_1a8j3wjd/ansible_luks_device_payload.zip/ansible_collections/community/crypto/plugins/modules/luks_device.py", line 664, in run_luks_open
fatal: [testhost]: FAILED! => {
    "changed": false,
    "invocation": {
        "module_args": {
            "allow_discards": false,
            "cipher": null,
            "device": "/dev/loop1",
            "force_remove_last_key": false,
            "hash": null,
            "keyfile": "/root/tmp/ansible.kanc972_.test/keyfile1",
            "keysize": null,
            "keyslot": null,
            "label": null,
            "name": null,
            "new_keyfile": null,
            "new_keyslot": null,
            "new_passphrase": null,
            "passphrase": null,
            "passphrase_encoding": "text",
            "pbkdf": null,
            "perf_no_read_workqueue": false,
            "perf_no_write_workqueue": false,
            "perf_same_cpu_crypt": false,
            "perf_submit_from_crypt_cpus": false,
            "persistent": false,
            "remove_keyfile": null,
            "remove_keyslot": null,
            "remove_passphrase": null,
            "sector_size": null,
            "state": "opened",
            "type": null,
            "uuid": null
        }
    },
    "msg": "luks_device error: Error while opening LUKS container on /dev/loop1: Device luks-eb13ab91-6e59-41b7-bd0c-94a8b5fd0fc5 already exists.\n"
}

[felixfontein]

How did you run this in a Docker container? The reason why the luks_device tests aren't running in containers in CI is that loopback device creation does not work there.

[gdrosos]

I run the luks_device integration test using:

• an Ubuntu-based container as the control node (Ansible runner),
• an Arch Linux-based container as the target (managed node), accessible via SSH.
  My test runner connects to the Arch container over SSH using :

ansible-test integration luks_device \
  --target ssh root@<arch-container-ip>:<port-num> \
  --allow-destructive --requirements --allow-root --continue-on-error

This only fails on Arch Linux; other OSes (Fedora, RHEL, Ubuntu, Debian, Rocky, Alpine etc.) work fine.

Below is the Dockerfile I use to build the managed Arch Linux container:

ARG VERSION=latest
FROM archlinux:${VERSION}

# Keyring and system update
RUN pacman-key --init && \
    pacman -Sy --noconfirm archlinux-keyring && \
    pacman -Syu --noconfirm

# Install required build dependencies
RUN pacman -S --noconfirm --needed \
    gcc make wget openssh \
    zlib bzip2 xz openssl libffi readline sqlite tk gdbm \
    expat ncurses

    RUN pacman -S --noconfirm --needed \
    sudo \
    git \
    unzip \
    zip \
    rsync \
    curl \
    file \
    tar \
    gnupg \
    diffutils \
    iproute2 \
    systemd \
    dbus \
    which \
    shadow \
    acl \
    gettext \
    ca-certificates

# Build and install Python 3.12.2
WORKDIR /tmp
RUN wget https://www.python.org/ftp/python/3.12.2/Python-3.12.2.tgz && \
    tar -xzf Python-3.12.2.tgz && \
    cd Python-3.12.2 && \
    ./configure --prefix=/opt/python3.12 --enable-optimizations && \
    make -j$(nproc) && \
    make install && \
    cd / && rm -rf /tmp/*


RUN /opt/python3.12/bin/python3.12 -m ensurepip && \
    /opt/python3.12/bin/python3.12 -m pip install --upgrade pip
RUN /opt/python3.12/bin/pip3 install --no-cache-dir --ignore-installed \
    jinja2 \
    cryptography \
    lxml \
    mock \
    packaging \
    resolvelib \
    setuptools \
    virtualenv \
    wheel \
    pyyaml \
    passlib \
    coverage==7.6.1


# SSH setup
RUN mkdir -p /root/.ssh && chmod 700 /root/.ssh
ADD id_rsa.pub /root/.ssh/authorized_keys
RUN chmod 600 /root/.ssh/authorized_keys
RUN ssh-keygen -A

RUN pacman -Syu --noconfirm docker net-tools
RUN systemctl enable docker.service
RUN ln -s /opt/python3.12/bin/python3.12 /usr/bin/python
RUN sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config && \
    sed -i 's/#PasswordAuthentication yes/PasswordAuthentication yes/' /etc/ssh/sshd_config && \
    sed -i 's/#PubkeyAuthentication yes/PubkeyAuthentication yes/' /etc/ssh/sshd_config

RUN systemctl enable sshd

ENV container=docker
EXPOSE 22
CMD ["/sbin/init"]

[felixfontein]

The container exists immediately (exit code 255). I used docker run --detach --name arch archtest (the image is named archtest.)

I did run the tests locally by placing the following playbook into tests/integration/targets/luks_device/ and running it there:

---
# Copyright (c) Ansible Project
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
#
# Run with:
# ansible-playbook -b -K run-tests-locally.yml
- hosts: localhost
  tasks:
    - set_fact:
        remote_tmp_dir: "{{ 'output-%0x' % ((2**32) | random) }}"
        role_path: "."
    - block:
        - name: Create output directory
          file:
            path: "{{ remote_tmp_dir }}"
            state: directory

        - name: Determine cryptsetup version
          command: cryptsetup --version
          register: cryptsetup_version

        - name: Extract cryptsetup version
          set_fact:
            cryptsetup_version: >-
              {{ cryptsetup_version.stdout_lines[0] | regex_search('cryptsetup ([0-9]+\.[0-9]+\.[0-9]+)') | split | last }}

        - name: Create cryptfile
          command: dd if=/dev/zero of={{ remote_tmp_dir.replace('~', ansible_env.HOME) }}/cryptfile bs=1M count=32

        - name: Create lookback device
          command: losetup -f {{ remote_tmp_dir.replace('~', ansible_env.HOME) }}/cryptfile
          become: true

        - name: Determine loop device name
          command: losetup -j {{ remote_tmp_dir.replace('~', ansible_env.HOME) }}/cryptfile --output name
          become: true
          register: cryptfile_device_output

        - set_fact:
            cryptfile_device: "{{ cryptfile_device_output.stdout_lines[1] }}"
            cryptfile_passphrase1: "uNiJ9vKG2mUOEWDiQVuBHJlfMHE"
            cryptfile_passphrase2: "HW4Ak2HtE2vvne0qjJMPTtmbV4M"
            cryptfile_passphrase3: "qQJqsjabO9pItV792k90VvX84MM"
        - include_vars: ../setup_openssl/vars/main.yml
        - include_vars: vars/main.yml

        - name: Copy keyfiles
          copy:
            src: '{{ item }}'
            dest: '{{ remote_tmp_dir }}/{{ item }}'
          loop:
            - keyfile1
            - keyfile2

        - block:
            - include_tasks: tasks/run-test.yml
              with_fileglob:
                - "tasks/tests/*.yml"
          always:
            - name: Make sure LUKS device is gone
              luks_device:
                device: "{{ cryptfile_device }}"
                state: absent
              become: true
              ignore_errors: true
            - command: losetup -d "{{ cryptfile_device }}"
              become: true
            - file:
                dest: "{{ remote_tmp_dir }}/cryptfile"
                state: absent

      always:
        - name: Remove output directory
          file:
            path: "{{ remote_tmp_dir }}"
            state: absent

It did pass without errors. (I'm running Arch Linux.)