Ansible callback plugin issue

All
I installed Foreman 1.16.1 and am trying to get the Ansible callback plugin to work correctly, but with no success.

ENV:
OS: Centos7
FOREMAN: 1.16.1
ANSIBLE: 2.4.3.0

cat /etc/environment
FORMAN_URL=https://vagrant-foreman.local
FOREMAN_SSL_CERT=/etc/puppetlabs/puppet/ssl/certs/vagrant-foreman.local.pem
FOREMAN_SSL_KEY=/etc/puppetlabs/puppet/ssl/private_keys/vagrant-foreman.local.pem
FOREMAN_SSL_VERIFY=/etc/puppetlabs/puppet/ssl/certs/ca.pem

ansible.cfg:

[defaults]
bin_ansible_callbacks = True
callback_whitelist = foreman

Note: the Ansible roles run correctly, but there is no callback to Foreman.
foreman console:

ok: [raid-host.local]
 [WARNING]: Failure using method (v2_runner_on_ok) in callback plugin
(<ansible.plugins.callback.foreman.CallbackModule object at 0x1f72250>): Could
not find the TLS key file, invalid path: /etc/foreman/client_key.pem

thanks

Hi,

The certs are most likely wrong. I didn’t get the environment variables running. Therefore I have done:

wget https://raw.githubusercontent.com/ansible/ansible/7c998027c0f0a8bce9c13bf3af644cad1167aa37/lib/ansible/plugins/callback/foreman.py -O /usr/lib/python2.7/site-packages/ansible/plugins/callback/foreman.py

Use this configuration in ansible.cfg then:

[callback_foreman]
# this is a boolean
verify_certs = True
ssl_key = /etc/foreman/client_key.pem
ssl_cert = /etc/foreman/client_cert.pem

Additionally, do:
#Change access right
chmod 444 /etc/foreman/client_key.pem

#Create and change the ownership of the local ansible directory:
mkdir /usr/share/foreman-proxy/.ansible
chown -R foreman-proxy:foreman-proxy /usr/share/foreman-proxy/.ansible

Best regards,
Bernhard


ATIX - The Linux & Open Source Company

For the record, we have made some changes in the latest version:

  • Storing /etc/foreman-proxy/ansible.cfg leaving a symlink in /usr/share/foreman-proxy/.ansible.cfg
  • Storing /var/lib/foreman-proxy/ansible leaving a symlink in /usr/share/foreman-proxy/.ansible

The installer and the packages (in nightly) already do it https://github.com/theforeman/foreman-packaging/blob/rpm/develop/packages/plugins/rubygem-foreman_ansible/rubygem-foreman_ansible.spec

We’re updating docs in https://github.com/theforeman/theforeman.org/pull/1033/files if you have suggestions :smile:

If you’re using Foreman with Katello you need to use the correct locations. You can find them in /etc/foreman-proxy/settings.yml. foreman_ssl_* if they’re set, otherwise ssl_* should work.

On a multi user system this is a bad idea. It means any user can read the private key and that might have a lot of permissions.

Thanks
Now I'm facing a new issue:
HTTPSConnectionPool(host='vagrant-foreman.local', port=443): Max retries exceeded with url: /api/v2/hosts/facts (Caused by SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)'),))

Now my setup looks like this:
cat /etc/ansible.cfg

[callback_foreman]
verify_certs = True
ssl_key = "/etc/puppetlabs/puppet/ssl/private_keys/vagrant-foreman.local.pem"
ssl_cert = "/etc/puppetlabs/puppet/ssl/certs/vagrant-foreman.local.pem"
url = "https://vagrant-foreman.local"
# some basic default values...

[defaults]
bin_ansible_callbacks = True
callback_whitelist = foreman

Ignore my reply
I changed “verify_certs” = False
Thanks again

All
Now I'm trying version 1.7.1
I get this error:
RuntimeError: Could not use any proxy. Consider configuring remote_execution_global_proxy, remote_execution_fallback_proxy or remote_execution_no_proxy in settings

ignore again. Sorry for that

I think you should include a ssl_ca in your [callback_foreman], which should provide some additional security.

My suspicion about foreman_ansible + /etc/environment not working is that the daemon doesn’t load the file. IMHO we should set it in the plugin (and read it from the foreman-proxy config) so it just works. I’ll see about coming up with a PR.

/usr/share/foreman-proxy/.ansible.cfg <- this didn’t work for me in the ansible version which is available in foreman 1.16.1

I know that

#Change access right
chmod 444 /etc/foreman/client_key.pem

isn’t very nice, but it was necessary to use the ansible plugin. Do you have another / better solution?

Sadly I don’t. Within the context of foreman_ansible it’s fine and we can use the foreman credentials. Nightly does introduce personal access tokens and I think we should investigate those so individual users can still run ansible and send reports back. They should be easy to revoke and live in ~/.ansible.cfg (or similar).

Correction: reading the source you can set ssl_verify = /path/to/ca.pem if you use a cert that’s not in the system bundle.

My intention is to make it work out of the box when using the installer. I’m going to test if works.

https://github.com/theforeman/puppet-foreman_proxy/pull/424

It turns out the callback is broken in Ansible 2.5 (including in RHEL/CentOS/Fedora). https://github.com/ansible/ansible/commit/082b03c829fe568e179c7917fd72274ad1db7980 does fix it, but that hasn’t shipped yet.

There are also other issues, like handling of 0 / 1 ints for verify_certs is broken. Note that the default is 1. I’ve updated https://github.com/ansible/ansible/pull/36527 to include a fix.

The PR has now been updated and I’ve verified it works when the reporting callback is patched locally.

All
I tried the nightly version, it’s much better.
Question: is there a way to pass Ansible “tags” to a job template?
I use the job templates as playbooks.
Example:
- hosts: all
  gather_facts: true
  roles:
    - { role: elasticsearch, tags: elasticsearch }
I want to call the “elasticsearch” tag
or a “tag” inside the role
Thanks again

isn’t very nice, but it was necessary to use the ansible plugin. Do you have another / better solution?

Possibly using setfacl to set more granular permissions.
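The thread ends up with three separate lessons about the [callback_foreman] section: the ssl_key/ssl_cert paths have to point at files the caller can read, the chmod 444 workaround makes the client key readable by every local user, and CERTIFICATE_VERIFY_FAILED should be answered with a CA bundle path for verification rather than verify_certs = False. The following validator is an added example that is not part of this thread, Foreman, or Ansible; it pulls those checks together so they can be run against an ansible.cfg before a play. It assumes plain Python configparser semantics (how Ansible's own loader handles surrounding quotes and inline comments is not shown on this page, so the validator strips quotes and flags inline comments itself), accepts both the verify_certs name used in the posted configs and the ssl_verify name mentioned later, and the demo writes placeholder key/cert files into a temp directory rather than real PEM material.

```python
"""Validate the [callback_foreman] section of an ansible.cfg before running
a play with the foreman callback enabled.

Added example, not code from the Foreman or Ansible projects.  It encodes the
checks raised in the thread: the TLS files named in the config must exist,
the client key should not be readable by every local user (the chmod 444
workaround), and a CERTIFICATE_VERIFY_FAILED error is fixed by pointing
verification at the CA bundle, not by setting verify_certs = False.
Parsing uses Python's configparser; how Ansible's own loader treats quotes and
inline comments is an assumption here, so the validator normalises both itself.
"""
import configparser
import os
import stat
import tempfile

SECTION = "callback_foreman"
TRUE_WORDS = ("true", "yes", "on", "1")
FALSE_WORDS = ("false", "no", "off", "0")


def _unquote(value):
    """Strip one pair of matching surrounding quotes, e.g. ssl_key = "/x.pem"."""
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        return value[1:-1]
    return value


def resolve_verify(raw):
    """Map verify_certs onto the requests-style 'verify' argument.

    True   -> verify against the system CA bundle
    False  -> verification disabled (insecure; the server is never checked)
    <path> -> verify against that CA file (the fix for a private CA)
    The 0/1 spellings are accepted because the thread notes the default is 1.
    """
    value = _unquote(raw)
    if value.lower() in TRUE_WORDS:
        return True
    if value.lower() in FALSE_WORDS:
        return False
    return value


def check_key_mode(path):
    """Report who besides the owner can read or write the private key."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & stat.S_IROTH:
        findings.append("ssl_key is world-readable (mode %o); any local user can read it" % mode)
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("ssl_key is writable by group or others (mode %o)" % mode)
    return findings


def validate(cfg_text):
    """Parse cfg_text; return (resolved settings, list of findings)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(cfg_text)
    if not parser.has_section(SECTION):
        return {}, ["no [%s] section" % SECTION]

    findings = []
    resolved = {}
    for key, value in parser.items(SECTION):
        # configparser keeps "True # comment" as the whole value, so an inline
        # comment silently turns a boolean into a nonsense CA path.
        if "#" in value or ";" in value:
            findings.append("%s: inline comment is part of the value %r; move it to its own line" % (key, value))
        resolved[key] = _unquote(value)

    verify = resolve_verify(resolved.get("verify_certs", resolved.get("ssl_verify", "1")))
    resolved["verify"] = verify
    if verify is False:
        findings.append("verify_certs is off: the server certificate for %s is never checked" % resolved.get("url", "<url>"))
    elif verify is not True and not os.path.isfile(verify):
        findings.append("CA bundle %r does not exist" % verify)

    for key in ("ssl_cert", "ssl_key"):
        path = resolved.get(key, "")
        if not path:
            findings.append("%s is not set" % key)
        elif not os.path.isfile(path):
            findings.append("%s: %s does not exist" % (key, path))
        elif key == "ssl_key":
            findings.extend(check_key_mode(path))

    if not resolved.get("url", "").startswith("https://"):
        findings.append("url should start with https://, got %r" % resolved.get("url", ""))
    return resolved, findings


def demo():
    """Run the validator over a constructed config that repeats the thread's two
    shortcuts: verify_certs = False and a client key left at mode 444.
    The key/cert files are placeholders created in a temp dir, not real PEMs."""
    tmp = tempfile.mkdtemp()
    key = os.path.join(tmp, "client_key.pem")
    cert = os.path.join(tmp, "client_cert.pem")
    for path in (key, cert):
        with open(path, "w") as fh:
            fh.write("placeholder, not a real PEM\n")
    os.chmod(key, 0o444)
    os.chmod(cert, 0o444)
    cfg = '[callback_foreman]\nurl = https://vagrant-foreman.local\nverify_certs = False\nssl_key = "%s"\nssl_cert = "%s"\n' % (key, cert)
    return validate(cfg)


if __name__ == "__main__":
    settings, problems = demo()
    print("resolved:", settings)
    for problem in problems:
        print("FINDING:", problem)
```

Running the demo reports both the disabled verification and the world-readable key; the intended end state is verify_certs pointing at the CA file (for the Puppet-issued certs in this thread that is the ca.pem under /etc/puppetlabs/puppet/ssl/certs) and a key that is group-readable by the account running ansible, for example via an ACL, rather than mode 444.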