ansible-collections / community.general

Ansible Community General Collection
https://galaxy.ansible.com/ui/repo/published/community/general/
GNU General Public License v3.0

lxd_container: add support for remotes with self-signed certificates. #2089

Open cquike opened 3 years ago

cquike commented 3 years ago

Summary

I am trying to create a new container using the lxd_container Ansible module which uses an image stored in an LXC server. The playbook looks like this:

However, I get the following message:

    Get https://my-lxd-image-server.example.com:8443/1.0: x509: certificate signed by unknown authority

This image server is internal to my company and it is not easy to get a non self-signed certificate, so it would be useful if there were a parameter that allows having self-signed certificates.

Issue Type

Feature Idea

Component Name

lxd_container

Additional Information

ansibullbot commented 3 years ago

Files identified in the description:

If these files are inaccurate, please update the component name section of the description or use the !component bot command.

conloos commented 3 years ago

Hi cquike,

I am currently not using any certificates. But I also didn't see anything in the ansible plugin source code that makes a check here. So I assume this is an lxd issue. I'll do a check on the weekend and get in touch.

Frank

felixfontein commented 3 years ago

The lxd module_utils code has its own HTTP handling (instead of using the things provided by Ansible), so adding this is not as simple as for most other modules.

If someone wants to rewrite it to use fetch_url from the "official" url module_utils, a validate_certs option would be easy to add.

conloos commented 3 years ago

Hi Felix,

I will put it in my backlog after finishing the dynamic inventory.

Have a nice weekend

Frank

pandino commented 3 years ago

Hi cquike,

according to the LXD API you should be able to add a PEM certificate in the source dict using the key certificate.

rnalrd commented 2 years ago

> Hi cquike,
>
> according to the LXD API you should be able to add a PEM certificate in the source dict using the key certificate.

Same problem here. I tried this:

    - name: Create container {{ containername }} [=>{{lxc_host}}]
      delegate_to: "{{ lxc_host }}"
      community.general.lxd_container:
        name: "{{ containername }}"
        ephemeral: yes
        profiles: myprofile
        ignore_volatile_options: false
        source:
          type: image
          mode: pull
          server: https://k119h.my.domain.com:8443
          alias: custom_image
          certificate: server.pem

and I'm getting the error below now, instead of "certificate signed by unknown authority":

"msg": "Invalid remote certificate"
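The check below is an added example, not code from this thread or from community.general. Taking pandino's description that the certificate key of the source dict holds a PEM certificate, it tells PEM text apart from other values such as a file name, and returns the SHA-256 fingerprint of the DER bytes so the value can be compared with the fingerprint the LXD server reports. The function names and the sample bytes are constructed for illustration.

```python
import hashlib
import ssl

PEM_HEADER = "-----BEGIN CERTIFICATE-----"

# Constructed sample input: stand-in bytes wrapped as PEM, not a real certificate.
SAMPLE_DER = b"constructed stand-in bytes, not a real certificate"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)


def fingerprint(der):
    """SHA-256 over the DER bytes, as a hex string."""
    return hashlib.sha256(der).hexdigest()


def check_source_certificate(source):
    """Classify the 'certificate' value of an lxd_container 'source' dict.

    Returns (status, detail):
      ("missing", None)     no certificate given
      ("not_pem", value)    value is not PEM text, for example a file name
      ("pem", fingerprint)  PEM text, with the fingerprint of its DER bytes
    """
    value = source.get("certificate")
    if not value:
        return ("missing", None)
    text = value.strip()
    if not text.startswith(PEM_HEADER):
        return ("not_pem", value)
    try:
        der = ssl.PEM_cert_to_DER_cert(text)
    except ValueError:  # missing END line or undecodable base64
        return ("not_pem", value)
    return ("pem", fingerprint(der))


if __name__ == "__main__":
    # Hypothetical task data mirroring the playbook above.
    task_source = {"type": "image", "mode": "pull", "certificate": "server.pem"}
    print(check_source_certificate(task_source))
    print(check_source_certificate({"certificate": SAMPLE_PEM}))
```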

ansibullbot commented 1 year ago

Files identified in the description:

If these files are incorrect, please update the component name section of the description or use the !component bot command.

conloos commented 1 year ago

Hi @pandino, Hi @rnalrd,

I think this error is fixed. Can you please look at #6204? Please pull my tree and test.

Thanks

Frank