ansible-lockdown / RHEL9-CIS

Ansible role for Red Hat 9 CIS Baseline
https://ansible-lockdown.readthedocs.io
MIT License

Implementation using Red Hat Satellite will never work - AAP may need to use a legacy execution environment. #158

Closed sickbock closed 1 month ago

sickbock commented 9 months ago

Describe the Issue The Red Hat Satellite uses different packages on RHEL 8 than normal RHEL. Current release 6.14 uses Ansible Core 2.15, which uses Python 3.11, which is incompatible with the package python3-jmespath from the Red Hat repository. The latter is used by community.general.json_query, which in turn is used by json_query in this role.

Expected Behavior The playbook run will finish completely without any errors.

Actual Behavior The playbook run will fail at the first task using json_query and give the error message: "You need to install "jmespath" prior to running json_query filter"

Control(s) Affected At least all controls using json_query - 6.1.10, 6.1.11, 6.1.13 and 6.1.14

Environment (please complete the following information):

Additional Notes See upstream documentation on Satellite and Ansible.

A default RHEL 9.3 installation with Ansible Core 2.14, Python 3.9 and python3-jmespath will work with a local playbook run, for now. You may need to install an EPEL package or use pip when using a different Python release than 3.9 (both are not recommended on the Satellite with locked repositories). Otherwise you'll have to disable all controls using json_query.

Possibly, for the same reason, you may need to use a legacy Ansible 2.9 execution environment when using AAP/AWX to implement this role (not tested).

Similar issues may exist for the other pip packages.

Possible Solution A private bug has been closed (won't fix). Red Hat recommends to *"rewrite the code in question so that it does not have to use json_query"*. *"In almost every case, the code using json_query can be rewritten to use a combination of the basic Jinja built-in filters and built-in Ansible filters (excluding json_query and ipaddr of course)."*
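As an added illustration of the rewrite Red Hat describes (this is not code from the RHEL9-CIS role or from the reporter), the play below shows a typical `json_query` filter next to an equivalent built using only Jinja and Ansible built-ins (`selectattr`, `rejectattr`, `map`, `list`). The built-in form needs nothing beyond ansible-core, so it runs on a Satellite or AAP execution environment that cannot provide python3-jmespath. The `sample_files` list and its field names are constructed data shaped like the output of `ansible.builtin.find`; the control logic is illustrative and not a specific CIS control.

```yaml
---
# Added example: replacing community.general.json_query with built-in filters.
# sample_files is constructed inline so the play runs offline on localhost.
- name: Replace json_query with Jinja/Ansible built-in filters
  hosts: localhost
  gather_facts: false
  vars:
    sample_files:
      - { path: /tmp/a.txt,     mode: '0777', uid: 0 }
      - { path: /var/tmp/b.sh,  mode: '0755', uid: 0 }
      - { path: /home/x/c.log,  mode: '0666', uid: 1001 }
  tasks:
    # Original style (requires python3-jmespath on the controller / EE):
    #   ww_paths: "{{ sample_files
    #                 | community.general.json_query(\"[?mode=='0777' || mode=='0666'].path\") }}"
    - name: World-writable paths using only built-in filters (no jmespath)
      ansible.builtin.set_fact:
        ww_paths: >-
          {{ sample_files
             | selectattr('mode', 'in', ['0777', '0666'])
             | map(attribute='path')
             | list }}

    # Original style:
    #   not_root: "{{ sample_files | community.general.json_query('[?uid!=`0`].path') }}"
    - name: Paths not owned by root using only built-in filters
      ansible.builtin.set_fact:
        not_root: >-
          {{ sample_files
             | rejectattr('uid', 'equalto', 0)
             | map(attribute='path')
             | list }}

    - name: Show the filtered results
      ansible.builtin.debug:
        msg:
          - "world-writable: {{ ww_paths }}"
          - "not root-owned: {{ not_root }}"
```

Run it with `ansible-playbook example.yml` (assumed filename); because every filter used is part of Jinja2 or ansible-core, the play does not load community.general and does not trigger the "You need to install jmespath" error. Note that `selectattr`/`rejectattr` compare typed values, so match the type the producing module returns (the `find` module reports `mode` as a string and `uid` as an integer).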

uk-bolly commented 8 months ago

hi @sickbock

Thank you for taking the time to raise this issue. We will be looking at this. We have seen this with other clients and they have built their own EE with all the required modules etc. to make sure this works, giving them a little more control over what is in the EE. We have noted that this is causing some issues so we will be looking at replacing this.

Many thanks

uk-bolly

uk-bolly commented 3 months ago

hi @sickbock

Apologies for the delay, client and subscriber requirements I'm afraid take priority. You should find that jmespath is no longer a dependency for this role. I am currently in the process of removing it for all roles.

many thanks

uk-bolly

uk-bolly commented 1 month ago

hi @sickbock

Apologies for the time this has taken; you should find that the dependency on jmespath has now been removed from almost all of our repositories. This has been released to the main branch: https://github.com/ansible-lockdown/RHEL9-CIS/releases/tag/1.3.2

I will close this issue, please reopen if you are still experiencing issues.

many thanks

uk-bolly