Foreman Inventory Plugin fails

martin_angermeier · January 11, 2019, 8:58am

Problem:
Host parameters are not recognized by ansible and therefore defaults are set.

Expected outcome:
Host parameters define ansible variables.

Foreman and Proxy versions:
Both 1.19.1

Ansible version:
2.7.5

Other relevant data:
Since Ansible 2.6 there is a foreman inventory plugin which replaces the formerly used ansible inventory plugin from foreman.

github.com

ansible/ansible/blob/v2.7.5/lib/ansible/plugins/inventory/foreman.py

# -*- coding: utf-8 -*-
# Copyright (C) 2016 Guido Günther <agx@sigxcpu.org>, Daniel Lobato Garcia <dlobatog@redhat.com>
# Copyright (c) 2018 Ansible Project
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
from __future__ import (absolute_import, division, print_function)
__metaclass__ = type

DOCUMENTATION = '''
    name: foreman
    plugin_type: inventory
    short_description: foreman inventory source
    version_added: "2.6"
    requirements:
        - requests >= 1.1
    description:
        - Get inventory hosts from the foreman service.
        - "Uses a configuration file as an inventory source, it must end in ``.foreman.yml`` or ``.foreman.yaml`` and has a ``plugin: foreman`` entry."
    extends_documentation_fragment:
        - inventory_cache
    options:

This file has been truncated. show original

It seems that the issue seems lines 222 - 227 and / or 165 - 170. The ‘set_variables’ function gets somehow wrong datatypes it seems. So the keys are corrupted and not recognized by ansible.
In Python the results from __get_json look like this:

[{u'comment': u'', u'subscription_global_status': 0, u'environment_id': None, u'managed': False, u'content_facet_attributes': {u'content_view_id': 22,....

So basically it’s a Python list containing json elements. My idea was that Python’s unicode format could be the problem here.

Mfg Martin

ekohl · January 11, 2019, 10:46am

It looks like unicode shouldn’t matter:

$ python2
>>> {'comment': True, u'comment': False}
{'comment': False}
$ python3
>>> {'comment': True, u'comment': False}
{'comment': False}

What I do find odd is this part:

github.com

ansible/ansible/blob/a771ed93ab09691e53184c809d88a0f1073ef82d/lib/ansible/plugins/inventory/foreman.py#L170


    return self._cache[self.cache_key][url]


def _get_hosts(self):
    return self._get_json("%s/api/v2/hosts" % self.foreman_url)


def _get_all_params_by_id(self, hid):
    url = "%s/api/v2/hosts/%s" % (self.foreman_url, hid)
    ret = self._get_json(url, [404])
    if not ret or not isinstance(ret, MutableMapping) or not ret.get('all_parameters', False):
        ret = {'all_parameters': [{}]}
    return ret.get('all_parameters')[0]


def _get_facts_by_id(self, hid):
    url = "%s/api/v2/hosts/%s/facts" % (self.foreman_url, hid)
    return self._get_json(url)


def _get_facts(self, host):
    """Fetch all host facts of the host"""


    ret = self._get_facts_by_id(host['id'])
    if len(ret.values()) == 0:

It returns element 0 but according to API documentation the structure is:

{
  "all_parameters": [
    {
      "priority": null,
      "created_at": "2018-11-15 19:01:27 UTC",
      "updated_at": "2018-11-15 19:01:27 UTC",
      "id": 513706444,
      "name": "loc_param",
      "value": "abc"
    },
    {
      "priority": null,
      "created_at": "2018-11-15 19:01:27 UTC",
      "updated_at": "2018-11-15 19:01:27 UTC",
      "id": 32400255,
      "name": "org_param",
      "value": "xyz"
    },
    {
      "priority": null,
      "created_at": "2018-11-15 19:01:27 UTC",
      "updated_at": "2018-11-15 19:01:27 UTC",
      "id": 636252244,
      "name": "test",
      "value": "myvalue"
    }
  ]
}

To me that suggests that it’s getting the very first parameter and iterating over the properties of that parameter. Looks like something like this is needed:

def _get_all_params_by_id(self, hid):
    url = "%s/api/v2/hosts/%s" % (self.foreman_url, hid)
    ret = self._get_json(url, [404])
    if not ret or not isinstance(ret, MutableMapping) or not ret.get('all_parameters', []):
        ret = {'all_parameters': []} 
    return {parameter['name']: parameter['value'] for parameter in ret['all_parameters']}

Disclaimer: I only read documentation and source code. None of this has been tested.

Another note: I don’t understand why this script isn’t getting /hosts lists with include=all_parameters and avoid n API calls where n is the number of hosts. Probably a massive performance boost. Looks like this parameter was added in Foreman 1.14.

martin_angermeier · January 11, 2019, 11:10am

The mentioned part was looking odd to me as well, it simply doesn’t make sense. The function _get_json is building a whole list with multiple API calls which results in a large structure and with our full setup in a running time about 3min.

My first approach was to return the whole structure which broke the items() Iteration in line 223. I tried this construct next:

for param in self._get_all_params_by_id(host['id']):
                    try:
                        self.inventory.set_variable(host['name'], param['name'], { param['value'] })

At first it seemed to work but not all Parameters fit into a dict here. Without coding it from scratch it would be the easiest theoretical way to fetch the whole host list and working with the Python script rather to make so many calls. So I agree with you on this point as well.

I’m not getting the final hint what data structure self.inventory.set_variable is expecting. It looks to me that the first parameter host[‘name’] identifies the sub-structure for the specific host in the inventory object and then simple key -> value parsing is done.

martin_angermeier · January 11, 2019, 11:24am

Update: The changes I’ve made and your idea are matching. I was stuck on the next issue, that the script produces the following.

Target: “AllowUsers user1 user 2”
Acutal State: “AllowUsers u s e r 1 u s e r 2”

ekohl · January 11, 2019, 11:27am

That typically happens when you use ' '.join('user1 user2') instead of ' '.join(['user1', 'user2']). Both are iterables and it’s very easy run into this with Ansible is my experience because it’s not very strict with data types.

martin_angermeier · January 11, 2019, 11:34am

That was my assumption too. This join is done in the Jinja templates as far as I know.
It was just weird that it worked before.

ekohl · January 11, 2019, 11:43am

It could be that before it was just empty and not executed at all or provided as a list via another way. The Jinja template filter join(string) is essentially string.join so it’s also very easy to trigger there.

martin_angermeier · January 16, 2019, 1:43pm

Thank you for your support, it gave me a bunch of ideas to solve this problem.

Basically I dropped the whole Inventory Script and wrote it from scratch using “all_parameters” and some value-parsing-magic to achieve the best results.

At the moment I’m polishing my code and extend it to work with Redis caching and fact caching. After that it would make sense to establish an direct contact to the Ansible team to get it asap into upstream.

ekohl · January 16, 2019, 1:49pm

I did try to make some changes, but they’re still untested:

github.com

ekohl/ansible/blob/foreman-all-parameters-inventory/contrib/inventory/foreman.py

#!/usr/bin/env python
# vim: set fileencoding=utf-8 :
#
# Copyright (C) 2016 Guido Günther <agx@sigxcpu.org>,
#                    Daniel Lobato Garcia <dlobatog@redhat.com>
#
# This script is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with it.  If not, see <http://www.gnu.org/licenses/>.
#
# This is somewhat based on cobbler inventory

This file has been truncated. show original

martin_angermeier · January 18, 2019, 8:29am

Thank you for your suggestions, I used some ideas in my script. It is working now in our environment but cache is not implemented yet.

One question…the _meta object sppeds up the inventory because Ansible does not call every single host the documentation says. But I didn’t find any further information why and how it works.

ekohl · January 21, 2019, 2:00pm

Sadly that’s out of my Ansible knowledge.