Issue running theforeman.foreman_scap_client on RHEL 8

Issue when we start the theforeman.foreman_scap_client Ansible Role on a new RHEL 8. This role run without issue on our RHEL 7 servers.
TASK [theforeman.foreman_scap_client : Set facts for rh certs] *****************

    fatal: [XXXXXXXX]: FAILED! => 
      msg: |-
        the field 'args' has an invalid value ({u'rh_consumer_private_key_path': u"{{ (rh_certs.stdout | from_json).get('rh_consumer_private_key_path')  }}", u'rh_consumer_cert_path': u"{{ (rh_certs.stdout | from_json).get('rh_consumer_cert_path') }}", u'rh_ca_cert_path': u"{{ (rh_certs.stdout | from_json).get('rh_ca_cert_path') }}"}), and could not be converted to an dict.The error was: No JSON object could be decoded
        The error appears to be in '/usr/share/ansible/roles/theforeman.foreman_scap_client/tasks/main.yml': line 25, column 3, but may
        be elsewhere in the file depending on the exact syntax problem.

        The offending line appears to be:
        - name: 'Set facts for rh certs'
          ^ here

Expected outcome:

Foreman and Proxy versions:

Foreman and Proxy plugin versions:

Distribution and version:

Other relevant data:
After some troubleshooting regarding this role, I saw a another error and perhaps they’ve connected. When I run this script foreman_scap_client_facts.rb the following error appears (see below):

            # ./foreman_scap_client_facts.rb
            Fatal Python error: Py_Initialize: Unable to get the locale encoding
            Traceback (most recent call last):
              File "/usr/lib64/python3.6/encodings/", line 33, in <module>
              File "<frozen importlib._bootstrap>", line 971, in _find_and_load
              File "<frozen importlib._bootstrap>", line 955, in _find_and_load_unlocked
              File "<frozen importlib._bootstrap>", line 665, in _load_unlocked
              File "<frozen importlib._bootstrap_external>", line 674, in exec_module
              File "<frozen importlib._bootstrap_external>", line 780, in get_code
              File "<frozen importlib._bootstrap_external>", line 832, in get_data
            PermissionError: [Errno 1] Operation not permitted: '/usr/lib64/python3.6/encodings/'{}

Why is a Puppet error in a Ruby script? As someone an Idea what is the problem?

Best regards, H

Hi, thank you for reporting this. Does ‘subscription-manager config’ give you any errors?

No, this command run without errors on client.

The errors are indeed connected. Because foreman_scap_client_facts script crashes, it makes the whole role fail. I just set up a clean RHEL8, but unfortunately I was not able to reproduce. The role executed as expected and there were no failures when running the script manually either:

I was counting on subscription-manager to be responsible, because it is the only place I can think of that could cause the python errors in the facts script.

The last error line suggests there is something wrong with file permissions, I looked at the encodings/ on my client: -rw-r–r--. 1 root root

The facts script is < 30 lines long, so it might not be too difficult to pinpoint the exact line that is causing the failure.

Thanks for your reply and your support.
You’re right, after checking this ruby script in details, I’ve found that the issue is produce from the line where subscription-manager is calling. It is strange because this command running well on this client.
I start it with root, so normally the ruby script gets root rights too and the right paths? right? Should I look in this direction? With which version of python is it compatible? 2 or 3 or both?

# python2 --version
Python 2.7.16
# python3 --version
Python 3.6.8

It does not seem like a python version problem when subscription-manager directly on the client. There should be no change in user or permissions when the script runs subscription-manager, but it looks like a problem with permissions to me.

We found finally the problem.
You’re right because the issue was a permission’s problem.
The fapolicyd’s service is running to enforce the security -> ruby was block -> theforeman.foreman_scap_client failed to started the ruby script foreman_scap_client_facts.rb
Now, we’ve whitelisted the ruby into fapolicyd.rules and the foreman script is running again.

Out for curiosity: why this script was wrote in ruby and not in python? :wink:

I am glad you managed to figure it out.

We have essentially the same script in puppet-foreman_scap_client, so I just modified it rather than creating a python version from scratch.