Open kwikmr2 opened 1 month ago
You need to install the cryptography dependency for the Python where the module is executed. If you execute the module on a target node, you have to make sure it's also installed there. Ansible, AWX, the collection, requirements.txt, ... won't do that automatically for you.
I just noticed in the debug output that Python2.7 is being used: "04> (0, b'PLATFORM\nLinux\nFOUND\n/usr/libexec/platform-python\n/usr/bin/python2.7\n/usr/bin/python\n/usr/bin/python\nENDFOUND\n', b'')"
How is this possible when the EE is CentOS Stream 9 with Python3.9 installed? The whole purpose of the EE is to execute within that environment.
If you ask Ansible to run the task on a remote target, then it won't be run inside the EE, but on the remote target.
If you want to run the module in the EE, you have to use hosts: localhost or delegate_to: localhost.
I made the adjustments and now it fails because the path to the certificate is not on the localhost (the EE)... this seems to be a paradox.
---
- name: Get information on generated certificate
  community.crypto.x509_certificate_info:
    path: /data/path/test-ca.crt
  register: result
  delegate_to: localhost
Error:
The full traceback is:
File "/tmp/ansible_community.crypto.x509_certificate_info_payload_lcdbcu61/ansible_community.crypto.x509_certificate_info_payload.zip/ansible_collections/community/crypto/plugins/modules/x509_certificate_info.py", line 444, in main
fatal: [labymrepo01 -> localhost]: FAILED! => {
    "changed": false,
    "invocation": {
        "module_args": {
            "content": null,
            "name_encoding": "ignore",
            "path": "/data/path/test-ca.crt",
            "select_crypto_backend": "auto",
            "valid_at": null
        }
    },
    "msg": "Error while reading certificate file from disk: [Errno 2] No such file or directory: '/data/path/test-ca.crt'"
}
Well, if you want to operate on files on the remote, you either first have to fetch them to the controller, or you have to run the module on the target - but then you have to make sure that the module's requirements are available.
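The "fetch them to the controller" option from the comment above, as an added example that is not part of the original thread or the collection's own documentation: the certificate is read from the target with ansible.builtin.slurp and parsed inside the EE through the module's content option. It assumes a play targeting `hosts: all`; the certificate path is the one from the thread.

```yaml
---
# Added example: inspect a certificate stored on the remote target while the
# cryptography-dependent module runs inside the EE (controller side).
- name: Inspect a remote certificate from the execution environment
  hosts: all            # assumption: adjust to your inventory group
  gather_facts: false
  vars:
    cert_path: /data/path/test-ca.crt   # path from the thread; exists only on the target
  tasks:
    - name: Read the certificate on the target (no extra Python libraries needed there)
      ansible.builtin.slurp:
        src: "{{ cert_path }}"
      register: cert_file

    - name: Parse the certificate inside the EE, where cryptography is installed
      community.crypto.x509_certificate_info:
        # slurp returns the file base64-encoded; the module expects PEM text
        content: "{{ cert_file.content | b64decode }}"
      delegate_to: localhost
      register: result

    - name: Fail when the certificate has already expired
      ansible.builtin.assert:
        that:
          - not result.expired
        fail_msg: "{{ cert_path }} on {{ inventory_hostname }} expired at {{ result.not_after }}"

    - name: Show subject and expiry per host
      ansible.builtin.debug:
        msg: "{{ result.subject }} valid until {{ result.not_after }}"
```

A certificate is public data, so carrying it in a registered variable is fine; if the same pattern is used for private key material, set no_log: true on both tasks.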
Okay, then assuming it is not feasible to install the cryptography python module on every single remote host in the inventory AND using delegate_to: localhost breaks since the certificate to be inspected is not on the EE... that would make this in a way only usable with CLI Ansible and not AWX/Tower.
I don't see what the difference between CLI Ansible and AWX/Tower is. In both cases, installing on the controller is easier than installing on all remotes, and you can determine yourself whether to run on the controller or on the targets.
SUMMARY
Built AWX EE from https://github.com/Frewx/awx-ee-builder.git. Defined "quay.io/ansible/awx-ee:latest" in execution-environment.yml for base_image. Included "cryptography" in requirements.txt. Included "community.general" (latest) and "community.crypto" (latest) in requirements.yml.
When executing a simple task via AWX, the following error occurs: "Cannot detect any of the required Python libraries cryptography (>= 1.6)"
ISSUE TYPE
COMPONENT NAME
community.crypto.x509_certificate_info
ANSIBLE VERSION
COLLECTION VERSION
CONFIGURATION
OS / ENVIRONMENT
quay.io/ansible/awx-ee:latest based on CentOS Stream release 9
STEPS TO REPRODUCE
Deploy EE based on the settings posted above. Set up EE in AWX (24.3.1) and execute a simple playbook against the target host.
EXPECTED RESULTS
That the information about a certificate would be returned.
ACTUAL RESULTS