#298 docstranslation: fix key reading for secrets injection
Merged 3 years ago by kevin. Opened 3 years ago by darknao.
fedora-infra/ darknao/ansible master  into  master

@@ -27,11 +27,15 @@ 

      openssh_keypair:

        path: "/etc/openshift_apps/{{ app }}/id_rsa_docs_trans"

        mode: 0600

-       regenerate: never

        type: rsa

        size: 4096

      register: r_ssh_key

  

+   - name: Retrieve ssh priv key

+     slurp:

+       path: r_ssh_key.filename

+     register: r_docs_priv_key

+ 

    - name: Define imagestream

      include_role:

        name: openshift/imagestream
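Review bot: `path: r_ssh_key.filename` in the new slurp task is a literal string, not a variable reference, so slurp will look for a file literally named `r_ssh_key.filename` on the remote host and fail; it should read `path: "{{ r_ssh_key.filename }}"`. Since this task registers a private key in `r_docs_priv_key`, it (and the task that later consumes that variable) should also carry `no_log: true`, otherwise the key material is printed in `-vvv` output and callback logs.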

@@ -7,7 +7,7 @@ 

      app: docstranslation

  stringData:

    id_rsa_docs_trans: |-

-     {{ lookup('file', '/etc/openshift_apps/{{ app }}/id_rsa_docs_trans') }}

+     {{ r_docs_priv_key.content | b64decode | indent(4) }}

    config: |-

        Host pagure.io

          User git
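Review bot: `| indent(4)` only indents the second and following lines of the decoded key (Jinja2's indent filter leaves the first line alone by default), so the template line that holds the expression must itself be indented by exactly four spaces: a YAML `|-` block scalar takes its indentation from its first line, and if the continuation lines are indented less the scalar ends early and the Secret manifest fails to parse. If the leading whitespace of the `{{ r_docs_priv_key.content | ... }}` line is not four spaces, either adjust it or pass the matching width to `indent`.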

The regenerate option comes with ansible 2.10, so dropping that for now.
And I missed the fact that all resources are not on batcave, so lookup can't help here.

Sorry for the mess.

rebased onto c366454


Pull-Request has been merged by kevin


And... another one. ;)

TASK [Generate ssh keypair, if none exist] *************************************************************************
Thursday 29 October 2020  16:40:10 +0000 (0:00:00.033)       0:00:11.972 ****** 
Thursday 29 October 2020  16:40:10 +0000 (0:00:00.033)       0:00:11.972 ****** 
fatal: [os-master01.stg.iad2.fedoraproject.org]: FAILED! => {"changed": false, "msg": "'bool' object has no attribute '__getitem__'"}

-_-
This task wasn't completed successfully yesterday already?

I've no idea what's going on here.
Can you send me a more verbose output (-vvv)?

This looks like an ansible bug. ;(

The full traceback is:
WARNING: The below traceback may *not* be related to the actual failure.
  File "/tmp/ansible_openssh_keypair_payload_OmHAAt/ansible_openssh_keypair_payload.zip/ansible/modules/crypto/openssh_keypair.py", line 393, in main
  File "/tmp/ansible_openssh_keypair_payload_OmHAAt/ansible_openssh_keypair_payload.zip/ansible/modules/crypto/openssh_keypair.py", line 205, in generate
  File "/tmp/ansible_openssh_keypair_payload_OmHAAt/ansible_openssh_keypair_payload.zip/ansible/modules/crypto/openssh_keypair.py", line 308, in isPublicKeyValid
  File "/tmp/ansible_openssh_keypair_payload_OmHAAt/ansible_openssh_keypair_payload.zip/ansible/modules/crypto/openssh_keypair.py", line 292, in _pubkey_valid
os-master01.stg.iad2.fedoraproject.org | FAILED! => {
    "changed": false,       
    "invocation": {        
        "module_args": {  
            "attributes": null,
            "backup": null,
            "comment": null,                                                                                       
            "content": null,
            "delimiter": null, 
            "directory_mode": null,
            "follow": false,
            "force": false,
            "group": null, 
            "mode": null,
            "owner": null,
            "path": "/etc/openshift_apps/docstranslation/id_rsa_docs_trans",                                       
            "regexp": null,
            "remote_src": null,  
            "selevel": null,
            "serole": null,
            "setype": null,                              
            "seuser": null,
            "size": 4096,                                                                                           
            "src": null,                                                                                           
            "state": "present",
            "type": "rsa",              
            "unsafe_writes": null                                                                                  
        }                                                                                                          
    },                              
    "msg": "'bool' object has no attribute '__getitem__'"                                                          
}

Possibly due to python3 on the control host and python2 on the target. ;(

Unless we can easily see it we might have to work around it...

Not sure, but the "mode" is null here, when it should be 0600 (or 384).
Maybe something went wrong here and the bitmask has been set incorrectly; we may need to specify "600" as a string instead.
Also, can you give me the output of ls -lZ /etc/openshift_apps/docstranslation/id_rsa_docs_trans*?
This feels like some sort of permission issue, but I can't see why, unless the bitmask was indeed set incorrectly.
The line that seems to fail in the module is this one (I think):

pubkey = module.run_command([module.get_bin_path('ssh-keygen', True), '-yf', self.path])

I would say that either the privkey (self.path here) can't be read or the ssh-keygen command returns something unexpected.

We can also try to remove the old keypair to regen a new one as a last resort...

I've tried to reproduce the issue using the same version combo of ansible/python on control & target, but no dice :(

Ok, actually, I've just reproduced the issue.
If the key was created with "mode: 600" the bitmask got messed up and I get the very same error message.
So, yeah, I'm pretty sure this is what's happening here. Not sure why though, since the mode in the playbook is correct...

The mode was unset there because I just ran it directly with ansible -m openssh_keypair... sorry for any confusion that caused.

It fails mostly the same way with the playbook:

The full traceback is:
WARNING: The below traceback may *not* be related to the actual failure.
  File "/tmp/ansible_openssh_keypair_payload_Jcja3F/ansible_openssh_keypair_payload.zip/ansible/modules/crypto/openssh_keypair.py", line 393, in main
  File "/tmp/ansible_openssh_keypair_payload_Jcja3F/ansible_openssh_keypair_payload.zip/ansible/modules/crypto/openssh_keypair.py", line 205, in generate
  File "/tmp/ansible_openssh_keypair_payload_Jcja3F/ansible_openssh_keypair_payload.zip/ansible/modules/crypto/openssh_keypair.py", line 308, in isPublicKeyValid
  File "/tmp/ansible_openssh_keypair_payload_Jcja3F/ansible_openssh_keypair_payload.zip/ansible/modules/crypto/openssh_keypair.py", line 292, in _pubkey_valid
fatal: [os-master01.stg.iad2.fedoraproject.org]: FAILED! => {                                                      
    "changed": false,                                                                                              
    "invocation": {                                                                                                
        "module_args": {                                                                                           
            "attributes": null,                                                                                    
            "backup": null,                                                                                        
            "comment": null,                                                                                       
            "content": null,                                                                                       
            "delimiter": null,                                                                                     
            "directory_mode": null,                                                                                
            "follow": false,                                                                                       
            "force": false,                                                                                        
            "group": null,                                                                                         
            "mode": 384,                                                                                           
            "owner": null,                                                                                         
            "path": "/etc/openshift_apps/docstranslation/id_rsa_docs_trans",                                       
            "regexp": null,                                                                                        
            "remote_src": null,                                                                                    
            "selevel": null,                                                                                       
            "serole": null,
            "setype": null,
            "seuser": null,
            "size": 4096,
            "src": null,
            "state": "present",
            "type": "rsa",
            "unsafe_writes": null
        }
    },
    "msg": "'bool' object has no attribute '__getitem__'"
}

So yeah... mode 384?

That's 0600 in decimal, it's all right. Can be 0600, 384 or "600".
If you set it to 600, since the module takes the decimal form, that gives you 1130 in octal, which ends up with something like ---x-wx--T.
What are the current keypair rights on disk?

  File: ‘/etc/openshift_apps/docstranslation/id_rsa_docs_trans’
  Size: 3243            Blocks: 8          IO Block: 4096   regular file
Device: fd00h/64768d    Inode: 100689598   Links: 1
Access: (0750/-rwxr-x---)  Uid: (    0/    root)   Gid: (    0/    root)
Context: unconfined_u:object_r:etc_t:s0
Access: 2020-10-29 16:40:10.853155289 +0000
Modify: 2020-10-28 23:55:22.825504146 +0000
Change: 2020-10-29 16:39:59.947116009 +0000
 Birth: -
  File: ‘/etc/openshift_apps/docstranslation/id_rsa_docs_trans.pub’
  Size: 726             Blocks: 8          IO Block: 4096   regular file
Device: fd00h/64768d    Inode: 100699163   Links: 1
Access: (0750/-rwxr-x---)  Uid: (    0/    root)   Gid: (    0/    root)
Context: unconfined_u:object_r:etc_t:s0
Access: 2020-10-29 16:40:10.854155293 +0000
Modify: 2020-10-28 23:55:22.825504146 +0000
Change: 2020-10-29 16:39:59.948116012 +0000
 Birth: -

Ok, that's it.
750 is not right. First, it's not 600 like it's supposed to be, but it's also too open for openssh use.
ssh-keygen -yf /etc/openshift_apps/docstranslation/id_rsa_docs_trans should throw a big warning instead of printing the pubkey, and that's why the module crashes.
Since the module sets the bitmask after reading/generating the key, we have no choice but to correct the rights ourselves.
Try to set the privkey to 600, and we should be fine.

I'm not sure why we end up with this bitmask in the first place.
We may want to delete the keypair, and run the playbook to see if it's happening again.
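As an added example (not code from this pull request, Ansible or OpenSSH) covering the 600-vs-0600 discussion and the 750 finding above: `yaml_scalar` is a hypothetical minimal stand-in for YAML 1.1 scalar parsing, `parse_mode` reproduces Ansible's int-versus-octal-string rule for `mode:` from memory, and `acceptable_for_ssh_private_key` applies OpenSSH's group/other permission rule.

```python
import stat

# Added example, not code from this pull request or from Ansible/OpenSSH:
# how a `mode:` value travels from YAML through the module, and whether
# the resulting bits are acceptable for an OpenSSH private key.

def yaml_scalar(text):
    """Hypothetical minimal stand-in for YAML 1.1 (PyYAML) scalar parsing:
    a leading 0 makes a bare number octal, quotes keep it a string."""
    if len(text) >= 2 and text[0] == text[-1] == '"':
        return text[1:-1]
    if len(text) > 1 and text[0] == "0":
        return int(text, 8)
    return int(text)

def parse_mode(value):
    """Assumed (from memory) Ansible rule: an int is used as-is, a string
    is read as octal. So YAML 0600 -> 384 -> 0o600, YAML 600 -> 600 ->
    0o1130, YAML "600" -> "600" -> 0o600."""
    if isinstance(value, int):
        return value
    return int(value, 8)

def ls_style(mode):
    """Render the permission bits the way `ls -l`/`stat` show a regular file."""
    return stat.filemode(stat.S_IFREG | (mode & 0o7777))

def acceptable_for_ssh_private_key(mode):
    """OpenSSH refuses a private key readable or writable by group/others;
    `ssh-keygen -yf` then prints a warning instead of the public key."""
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0

def explain(yaml_text):
    """Trace one playbook `mode:` value end to end."""
    mode = parse_mode(yaml_scalar(yaml_text))
    return {"mode": mode, "octal": format(mode, "o"),
            "ls": ls_style(mode), "ssh_ok": acceptable_for_ssh_private_key(mode)}

if __name__ == "__main__":
    for text in ("0600", "600", '"600"'):
        print(f"mode: {text:<6} -> {explain(text)}")
    # The key found on disk in this thread was 0750: wrong for the module's
    # intent and too open for OpenSSH, which is why the task crashes.
    print("on-disk 0750 ->", ls_style(0o750), acceptable_for_ssh_private_key(0o750))
```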