ansible-collections / azure

Development area for Azure Collections
https://galaxy.ansible.com/azure/azcollection
GNU General Public License v3.0

Download Blobs using Ansible module storageblob required internet connection although access via private network is available #1103

Open barcastel opened 1 year ago

barcastel commented 1 year ago
SUMMARY

My Ansible target instances are on Azure, with no internet access. I want to download/upload files to my Azure Blob Storage Account via Azure's backbone network using my instances' virtual network. I did everything that is needed to make sure the instances have a connection to Blob via the backbone network (I believe) [service endpoints, blob firewall rules, network security rules etc.]. Running `nslookup my-storage-account.blob.core.windows.net` returns my storage account's IP, so connection is verified.

Using the Ansible Blob module azure_rm_storageblob, I'm getting a timeout; only when I'm allowing my target instance public internet access (using a Public IP or NAT GW) does the task execute successfully.

ISSUE TYPE
COMPONENT NAME

azure_rm_storageblob

ANSIBLE VERSION
ansible [core 2.13.7]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/user/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/user/.local/lib/python3.8/site-packages/ansible
  ansible collection location = /home/user/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/user/.local/bin/ansible
  python version = 3.8.12 (default, Dec 25 2022, 16:13:03) [GCC 4.8.5 20150623 (Red Hat 4.8.5-44)]
  jinja version = 3.1.2
  libyaml = True
COLLECTION VERSION
Collection         Version
------------------ -------
azure.azcollection 1.14.0
CONFIGURATION
DEFAULT_FORKS(/etc/ansible/ansible.cfg) = 25
DEFAULT_GATHERING(/etc/ansible/ansible.cfg) = explicit
DEFAULT_HOST_LIST(/etc/ansible/ansible.cfg) = ['/home/user/platform/ansible/inventory']
DEFAULT_PRIVATE_KEY_FILE(/etc/ansible/ansible.cfg) = /home/user/.ssh/id_user
DEFAULT_REMOTE_USER(/etc/ansible/ansible.cfg) = user
DEFAULT_STRATEGY(/etc/ansible/ansible.cfg) = free
HOST_KEY_CHECKING(/etc/ansible/ansible.cfg) = False
INTERPRETER_PYTHON(/etc/ansible/ansible.cfg) = /usr/bin/python3
OS / ENVIRONMENT
Azure Instance - CentOS Linux release 7.9.2009 (Core)
STEPS TO REPRODUCE
  1. Create Azure CentOS 7 Instance
  2. Allow Service endpoint to Microsoft.Storage on the subnet
  3. Allow Outbound traffic between VirtualNetwork Service Tag to Storage Service Tag.
    - name: Pull files from Blob
      azure.azcollection.azure_rm_storageblob:
        client_id: "{{ azure_client }}"
        secret: "{{ azure_secret }}"
        subscription_id: "{{ azure_subscription }}"
        tenant: "{{ azure_tenant }}"
        resource_group: "{{ azure_resource_group }}"
        storage_account_name: "{{ azure_storage_account }}"
        container: "{{ azure_container_name }}"
        blob: "{{ blob_path }}"
        dest: "{{ blob_dest }}"
      when: cloud == "Azure"
      timeout: 30
EXPECTED RESULTS

Blob files located on my target hosts in desired location.

ACTUAL RESULTS

Playbook hangs until timeout is reached. If timeout is not set it hangs "forever".

fatal: [TARGET_NODE]: FAILED! => {"changed": false, "msg": "The azure.azcollection.azure_rm_storageblob action failed to execute in the expected time frame (30) and was terminated"}
Fred-sun commented 1 year ago

@barcastel Ansible works based on OpenSSH. Generally, it needs to be connected to the public IP address. As for you saying that it can be connected through private network, it needs to be explored whether it can work. Thanks!

barcastel commented 1 year ago

@Fred-sun That's true that Ansible is based on OpenSSH, but OpenSSH doesn't require public access, it just requires access, no matter whether it's via a private internal network or the public internet. (My Ansible controller and target hosts are connected via internal network only and I'm able to run playbooks).

My issue is with the azure_rm_storageblob module specifically: although I'm able to access my Blob account with wget or nslookup via Azure's private virtual network only, the task (download/upload file from/to Blob) hangs until the timeout is reached. Only when the Ansible targets are connected to the internet (Public IP, NAT GW, etc.) does the task manage to finish successfully.

eranborovik commented 1 year ago

+1 I'm having the same issue when trying to access Blobs from Ansible target which is not configured with Public IP.

Fred-sun commented 1 year ago

@barcastel @eranborovik I see, I will recheck it! Thank you very much!

barcastel commented 1 year ago

Hi @Fred-sun , any insights ? Thank you.

Fred-sun commented 1 year ago

@eranborovik I don't have a clear explanation for this, I will discuss it with other developers, thank you!

barcastel commented 1 year ago

@Fred-sun follow-up so it won't fall through the cracks. Any idea? ETA for diagnostic/solution? Please keep me up-to-date. Thank you.

barcastel commented 1 year ago

@Fred-sun it's been almost 2 months, any updates?

paultaiton commented 11 months ago

I believe this is related to my #1222 , but from the opposite perspective of only wanting data plane access to be required for ops that don't happen on the azure management plane.
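A way to triage the hang described in the report, following paultaiton's point that the module needs the management plane and not only the blob data plane: the probe below checks each plane on TCP 443 with a short timeout so the unreachable one shows up instead of the task stalling. This is an added example, not code from the issue or from azure.azcollection; the storage account name is a placeholder and the connector is injectable so the logic can be exercised without network access.

```python
"""Connectivity triage for azure_rm_storageblob hangs (added example).

The module authenticates against Azure AD and reads the storage account
keys through Azure Resource Manager before it touches the blob endpoint,
so a VM that can only reach *.blob.core.windows.net over a service
endpoint blocks on the first two calls. Probe each plane separately.
"""
import socket
from typing import Callable, Dict

STORAGE_ACCOUNT = "mystorageaccount"  # placeholder, replace with your own

# Which plane each FQDN belongs to; the module needs all three.
ENDPOINTS: Dict[str, str] = {
    "login.microsoftonline.com": "identity (Azure AD token)",
    "management.azure.com": "management (ARM: list storage keys)",
    f"{STORAGE_ACCOUNT}.blob.core.windows.net": "data (Blob service)",
}

Connector = Callable[[str, int, float], bool]


def tcp_connect(host: str, port: int, timeout: float) -> bool:
    """Return True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # covers DNS failure, connection refused and timeout
        return False


def probe(endpoints: Dict[str, str], connect: Connector = tcp_connect,
          timeout: float = 3.0) -> Dict[str, bool]:
    """Probe every endpoint on 443 and return host -> reachable."""
    return {host: connect(host, 443, timeout) for host in endpoints}


def diagnose(results: Dict[str, bool], endpoints: Dict[str, str]) -> str:
    """Name the planes that are unreachable; 'ok' when all three answer."""
    missing = [endpoints[h] for h, ok in results.items() if not ok]
    if not missing:
        return "ok"
    return "unreachable: " + "; ".join(missing)


if __name__ == "__main__":
    res = probe(ENDPOINTS)
    for host, ok in res.items():
        print(f"{'OK  ' if ok else 'FAIL'} {host:45} {ENDPOINTS[host]}")
    print(diagnose(res, ENDPOINTS))
```

Run it on the target VM; a result of "unreachable: identity ...; management ..." with the blob host reachable matches the symptom in this issue (service endpoint works, module still times out).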