Ansible callback plugin issue

I installed Foreman 1.16.1 and am trying to get the Ansible callback plugin to work correctly, but with no success.

OS: Centos7
FOREMAN: 1.16.1

cat /etc/environment

bin_ansible_callbacks = True
callback_whitelist = foreman

Note: the Ansible roles run correctly, but there is no callback to Foreman.
Foreman console:

ok: [raid-host.local]
 [WARNING]: Failure using method (v2_runner_on_ok) in callback plugin
(<ansible.plugins.callback.foreman.CallbackModule object at 0x1f72250>): Could
not find the TLS key file, invalid path: /etc/foreman/client_key.pem
The certs are most likely wrong. I didn’t get the environment variables running. Therefore I have done:

wget -O /usr/lib/python2.7/site-packages/ansible/plugins/callback/

Use this configuration in ansible.cfg then:

verify_certs = True # this is a boolean
ssl_key = /etc/foreman/client_key.pem
ssl_cert = /etc/foreman/client_cert.pem

Additionally, do:
# Change access rights
chmod 444 /etc/foreman/client_key.pem

# Create the local ansible directory and change its ownership:
mkdir /usr/share/foreman-proxy/.ansible
chown -R foreman-proxy:foreman-proxy /usr/share/foreman-proxy/.ansible

For the record, we have made some changes in the latest version:

  • Storing /etc/foreman-proxy/ansible.cfg leaving a symlink in /usr/share/foreman-proxy/.ansible.cfg
  • Storing /var/lib/foreman-proxy/ansible leaving a symlink in /usr/share/foreman-proxy/.ansible

The installer and the packages (in nightly) already do this.

We’re updating docs in if you have suggestions :smile:

If you’re using Foreman with Katello you need to use the correct locations. You can find them in /etc/foreman-proxy/settings.yml: use foreman_ssl_* if they’re set; otherwise ssl_* should work.

On a multi user system this is a bad idea. It means any user can read the private key and that might have a lot of permissions.

Now I’m facing a new issue:
HTTPSConnectionPool(host='vagrant-foreman.local', port=443): Max retries exceeded with url: /api/v2/hosts/facts (Caused by SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)'),))

Now my setup looks like this:
cat /etc/ansible.cfg

verify_certs = True
ssl_key = "/etc/puppetlabs/puppet/ssl/private_keys/vagrant-foreman.local.pem"
ssl_cert = "/etc/puppetlabs/puppet/ssl/certs/vagrant-foreman.local.pem"
url = "https://vagrant-foreman.local"
# some basic default values...

bin_ansible_callbacks = True
callback_whitelist = foreman

I changed "verify_certs" to False.
Thanks again

Now I’m trying version 1.7.1.
I get this error:
RuntimeError: Could not use any proxy. Consider configuring remote_execution_global_proxy, remote_execution_fallback_proxy or remote_execution_no_proxy in settings

I think you should include a ssl_ca in your [callback_foreman], which should provide some additional security.

My suspicion about foreman_ansible + /etc/environment not working is that the daemon doesn’t load the file. IMHO we should set it in the plugin (and read it from the foreman-proxy config so it just works). I’ll see about coming up with a PR.

/usr/share/foreman-proxy/.ansible.cfg <- this didn’t work for me in the ansible version which is available in foreman 1.16.1

I know that

isn’t very nice, but it was necessary to use the ansible plugin. Do you have another / better solution?

Sadly I don’t. Within the context of foreman_ansible it’s fine and we can use the foreman credentials. Nightly does introduce personal access tokens and I think we should investigate those so individual users can still run ansible and send reports back. They should be easy to revoke and live in ~/.ansible.cfg (or similar).

Correction: reading the source you can set ssl_verify = /path/to/ca.pem if you use a cert that’s not in the system bundle.

My intention is to make it work out of the box when using the installer. I’m going to test if it works.

It turns out the callback is broken in Ansible 2.5 (including in RHEL/CentOS/Fedora). does fix it, but that hasn’t shipped yet.

There are also other issues, like handling of 0 / 1 ints for verify_certs is broken. Note that the default is 1. I’ve updated to include a fix.

The PR has now been updated and I’ve verified it works when the reporting callback is patched locally.

I tried the nightly version, it’s much better.
Question: is there a way to pass Ansible “tags” to a job template?
I use the job templates as playbooks:

- hosts: all
  gather_facts: true
  roles:
    - { role: elasticsearch, tags: elasticsearch }

I want to call the “elasticsearch” tag
or a “tag” inside the role.
Thanks again

isn’t very nice, but it was necessary to use the ansible plugin. Do you have another / better solution?

Possibly using set_facl to set more granular permissions.
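Two practical points run through this thread: how the [callback_foreman] values (url, ssl_key, ssl_cert, and verify_certs or ssl_verify, whether a boolean, a 0/1 integer, or a CA bundle path) should be interpreted, and why a chmod 444 on the client key is a bad idea on a multi-user host. The following preflight script is an added example written for this page, not the Foreman callback plugin’s own code: the preflight()/check_private_key()/resolve_verify() helpers, the accepted true/false spellings and the constructed sample config are assumptions, not the plugin’s actual option handling. It maps the verify setting to the three forms the requests library accepts (True, False, or a CA path), fails closed on anything it does not recognise, and refuses a private key readable by group or others.

```python
"""Preflight check for a [callback_foreman] section in ansible.cfg (added example)."""
import configparser
import os
import stat
import tempfile

# Constructed sample config, modelled on the snippets in the thread.
SAMPLE_CFG = """
[callback_foreman]
url = "https://vagrant-foreman.local"
ssl_key = {key}
ssl_cert = {cert}
verify_certs = 1 # integer form, which the thread says the plugin mishandled
"""

# Assumed spellings; the thread shows both True/False and 1/0.
TRUE_VALUES = {"1", "true", "yes", "on"}
FALSE_VALUES = {"0", "false", "no", "off"}


def resolve_verify(value):
    """Map the verify setting to what requests' `verify=` expects.

    true-ish -> True (system CA bundle), false-ish -> False, an existing file
    -> that CA bundle path. Anything else raises instead of silently turning
    verification off. Quotes are stripped because the thread shows both
    quoted and unquoted values.
    """
    v = value.strip().strip('"').strip("'")
    low = v.lower()
    if low in TRUE_VALUES:
        return True
    if low in FALSE_VALUES:
        return False
    if os.path.isfile(v):
        return v
    raise ValueError("unrecognised verify setting: %r" % value)


def check_private_key(path):
    """Return a list of problems with the private key file (empty if fine)."""
    if not os.path.isfile(path):
        return ["TLS key file not found: %s" % path]
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IWGRP | stat.S_IROTH | stat.S_IWOTH):
        return ["key %s is readable by group/others (mode %o); "
                "use an ACL or a dedicated group instead of chmod 444"
                % (path, mode)]
    return []


def preflight(cfg_text):
    """Parse the section and return (settings dict, list of problems)."""
    # inline_comment_prefixes handles 'verify_certs = True # comment' lines.
    parser = configparser.ConfigParser(inline_comment_prefixes=("#",))
    parser.read_string(cfg_text)
    sec = parser["callback_foreman"]
    problems = []
    settings = {"url": sec.get("url", "").strip().strip('"')}
    # Accept either spelling used in the thread; default to verifying.
    raw_verify = sec.get("ssl_verify", sec.get("verify_certs", "1"))
    try:
        settings["verify"] = resolve_verify(raw_verify)
    except ValueError as exc:
        settings["verify"] = True  # fail closed
        problems.append(str(exc))
    if settings["verify"] is False:
        problems.append("certificate verification is disabled")
    for opt in ("ssl_key", "ssl_cert"):
        settings[opt] = sec.get(opt, "").strip().strip('"')
        if not os.path.isfile(settings[opt]):
            problems.append("%s does not exist: %s" % (opt, settings[opt]))
    if os.path.isfile(settings["ssl_key"]):
        problems += check_private_key(settings["ssl_key"])
    return settings, problems


def demo():
    """Run the check against a constructed key with the thread's chmod 444, then with 400."""
    tmp = tempfile.mkdtemp()
    key = os.path.join(tmp, "client_key.pem")
    cert = os.path.join(tmp, "client_cert.pem")
    for p in (key, cert):
        with open(p, "w") as fh:
            fh.write("constructed placeholder, not a real PEM\n")
    os.chmod(key, 0o444)   # the chmod from the thread
    os.chmod(cert, 0o644)
    settings, problems = preflight(SAMPLE_CFG.format(key=key, cert=cert))
    os.chmod(key, 0o400)   # owner-only; a setfacl entry for foreman-proxy would sit on top
    _, fixed = preflight(SAMPLE_CFG.format(key=key, cert=cert))
    return settings, problems, fixed


if __name__ == "__main__":
    s, before, after = demo()
    print(s)
    for p in before:
        print("before:", p)
    print("after chmod 400:", after)
```

Run it as a script to see the world-readable key flagged and then pass once the mode is tightened; point preflight() at the real ansible.cfg text to audit a proxy host before enabling the callback.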