Open kwikmr2 opened 5 months ago
You need to install the cryptography dependency for the Python where the module is executed. If you execute the module on a target node, you have to make sure it's also installed there. Ansible, AWX, the collection, requirements.txt, ... won't do that automatically for you.
I just noticed in the debug output that Python2.7 is being used: "04> (0, b'PLATFORM\nLinux\nFOUND\n/usr/libexec/platform-python\n/usr/bin/python2.7\n/usr/bin/python\n/usr/bin/python\nENDFOUND\n', b'')"
How is this possible when the EE is CentOS Stream 9 with Python3.9 installed? The whole purpose of the EE is to execute within that environment.
If you ask Ansible to run the task on a remote target, then it won't be run inside the EE, but on the remote target.
If you want to run the module in the EE, you have to use hosts: localhost or delegate_to: localhost.
I made the adjustments and now it fails because the path to the certificate is not on the localhost (the EE)... this seems to be a paradox.
---
- name: Get information on generated certificate
  community.crypto.x509_certificate_info:
    path: /data/path/test-ca.crt
  register: result
  delegate_to: localhost
Error:
The full traceback is:
File "/tmp/ansible_community.crypto.x509_certificate_info_payload_lcdbcu61/ansible_community.crypto.x509_certificate_info_payload.zip/ansible_collections/community/crypto/plugins/modules/x509_certificate_info.py", line 444, in main
fatal: [labymrepo01 -> localhost]: FAILED! => {
"changed": false,
"invocation": {
"module_args": {
"content": null,
"name_encoding": "ignore",
"path": "/data/path/test-ca.crt",
"select_crypto_backend": "auto",
"valid_at": null
}
},
"msg": "Error while reading certificate file from disk: [Errno 2] No such file or directory: '/data/path/test-ca.crt'"
}
Well, if you want to operate on files on the remote, you either first have to fetch them to the controller, or you have to run the module on the target - but then you have to make sure that the module's requirements are available.
Okay, then assuming it is not feasible to install the cryptography python module on every single remote host in the inventory AND using delegate_to: localhost breaks since the certificate to be inspected is not on the EE...that would make this in a way only usable with CLI Ansible and not AWX/Tower.
I don't see what the difference between CLI Ansible and AWX/Tower is. In both cases, installing on the controller is easier than installing on all remotes, and you can determine yourself whether to run on the controller or on the targets.
I'm encountering an issue similar to this on Rocky Linux 9 (works fine on Ubuntu 22.04 and Debian 12) where cryptography is not discovered when Ansible is run in a Python venv. ansible --version reports the correct Python interpreter path.
# ansible --version
ansible [core 2.15.12]
config file = None
configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /root/.local/venv/lib64/python3.9/site-packages/ansible
ansible collection location = /root/.ansible/collections:/usr/share/ansible/collections
executable location = /root/.local/venv/bin/ansible
python version = 3.9.18 (main, Jul 3 2024, 00:00:00) [GCC 11.4.1 20231218 (Red Hat 11.4.1-3)] (/root/.local/venv/bin/python3)
jinja version = 3.1.4
libyaml = True
Debug output from:
community.general.python_requirements_info:
  dependencies: cryptography
"changed": false,
"invocation": {
"module_args": {
"dependencies": [
"cryptography"
]
}
},
"mismatched": {},
"not_found": [
"cryptography"
],
"python": "/usr/bin/python3",
"python_system_path": [
"/tmp/ansible_community.general.python_requirements_info_payload_wo1d5_v7/ansible_community.general.python_requirements_info_payload.zip",
"/usr/lib64/python39.zip",
"/usr/lib64/python3.9",
"/usr/lib64/python3.9/lib-dynload",
"/root/.local/lib/python3.9/site-packages",
"/usr/lib64/python3.9/site-packages",
"/usr/lib/python3.9/site-packages"
],
"python_version": "3.9.18 (main, Jul 3 2024, 00:00:00) \n[GCC 11.4.1 20231218 (Red Hat 11.4.1-3)]",
"python_version_info": {
"major": 3,
"micro": 18,
"minor": 9,
"releaselevel": "final",
"serial": 0
},
"valid": {}
}
...indicates cryptography cannot be found, and the python interpreter uses the system python binary, and python_system_path shows the venv nowhere to be found. Yes, the venv has been activated prior to invoking Ansible.
(venv) # pip3 list | grep cryptography
cryptography 43.0.0
Overriding ansible_python_interpreter to use the Python binary from the venv resolves the issue, so it's possible this is an "Ansible on CentOS (and friends)" issue, rather than a community.crypto issue. I don't have a great solution for this, but I'm putting this out into the world in case someone else finds their way down this sad path.
Overriding ansible_python_interpreter to use the Python binary from the venv resolves the issue, so it's possible this is an "Ansible on CentOS (and friends)" issue
Yes, that's exactly it. You need to point ansible_python_interpreter to the venv, otherwise Ansible won't use it to run modules when using connection: local.
I don't encounter this additional configuration requirement with Ubuntu or Debian, but I'll have to double check to verify. If that output is interesting, I can post it here.
You probably already have cryptography installed on system level on Debian and Ubuntu, and thus don't notice that it does not use the cryptography you explicitly installed but the system one.
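The two workarounds discussed in the comments above (reading the file from the target and parsing it on the controller, and pointing the delegated task at the interpreter that actually has cryptography), combined in one playbook. This is an added example, not code posted by anyone in the thread; the `all` host pattern and the variable names `cert_file` and `result` are assumptions, and the certificate path is the one from the report.

```yaml
---
# Added example (not from the thread). Host pattern and register names are assumptions.
- name: Inspect a certificate stored on the target without cryptography on the target
  hosts: all
  gather_facts: false
  tasks:
    # slurp runs on the target and needs only its stock Python (no cryptography).
    # It returns the file base64-encoded in the "content" key.
    - name: Read the certificate from the target
      ansible.builtin.slurp:
        src: /data/path/test-ca.crt
      register: cert_file

    # The module runs on the controller (inside the EE under AWX) and receives the
    # PEM text through "content" instead of "path", so no file is needed on localhost.
    - name: Parse the certificate on the controller
      community.crypto.x509_certificate_info:
        content: "{{ cert_file.content | b64decode }}"
      delegate_to: localhost
      vars:
        # Run the module with the same Python that runs ansible-playbook
        # (the venv or EE interpreter where cryptography is installed),
        # not the interpreter discovered on localhost.
        ansible_python_interpreter: "{{ ansible_playbook_python }}"
      register: result

    - name: Show selected certificate fields
      ansible.builtin.debug:
        msg:
          subject: "{{ result.subject }}"
          not_after: "{{ result.not_after }}"
          expired: "{{ result.expired }}"
```

A certificate is public data, so passing it through a registered variable is harmless; if the same pattern is used for private key material, set `no_log: true` on both tasks.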
SUMMARY
Built AWX EE from https://github.com/Frewx/awx-ee-builder.git. Defined "quay.io/ansible/awx-ee:latest" in execution-environment.yml for base_image. Included "cryptography" in requirements.txt. Included "community.general" (latest) and "community.crypto" (latest) in requirements.yml.
When executing a simple task via AWX, the following error occurs: "Cannot detect any of the required Python libraries cryptography (>= 1.6)"
ISSUE TYPE
COMPONENT NAME
community.crypto.x509_certificate_info
ANSIBLE VERSION
COLLECTION VERSION
CONFIGURATION
OS / ENVIRONMENT
quay.io/ansible/awx-ee:latest based on CentOS Stream release 9
STEPS TO REPRODUCE
Deploy EE based on the settings posted above. Set up EE in AWX (24.3.1) and execute simple playbook against target host.
EXPECTED RESULTS
That the information about a certificate would return
ACTUAL RESULTS