c366454
@@ -27,11 +27,15 @@
openssh_keypair:
path: "/etc/openshift_apps/{{ app }}/id_rsa_docs_trans"
mode: 0600
- regenerate: never
type: rsa
size: 4096
register: r_ssh_key
+ - name: Retrieve ssh priv key
+ slurp:
+ path: r_ssh_key.filename
+ register: r_docs_priv_key
+
- name: Define imagestream
include_role:
name: openshift/imagestream
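Review bot: `path: r_ssh_key.filename` in the new slurp task is a literal string, not a Jinja expression, so slurp will try to read a file literally named `r_ssh_key.filename` relative to the remote working directory instead of the key the previous task registered; it should be `path: "{{ r_ssh_key.filename }}"`. Since the registered result of slurp carries the base64-encoded private key, adding `no_log: true` to that task keeps the key out of verbose (`-vvv`) output and the run log.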
@@ -7,7 +7,7 @@
app: docstranslation
stringData:
id_rsa_docs_trans: |-
- {{ lookup('file', '/etc/openshift_apps/{{ app }}/id_rsa_docs_trans') }}
+ {{ r_docs_priv_key.content | b64decode | indent(4) }}
config: |-
Host pagure.io
User git
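Review bot: the `| indent(4)` width has to match the indentation of the `id_rsa_docs_trans: |-` block scalar it feeds, otherwise every key line after the first lands at the wrong depth and the Secret manifest fails to parse; the diff as shown here has lost its leading whitespace, so please confirm the width against the template file. The private key now flows from the target host through a registered variable into the rendered manifest rather than being read from the control host, which is the right fix for resources that are not on batcave, but for the same reason the rendered template should not be echoed in debug output.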
The regenerate option comes with Ansible 2.10, so dropping that for now. And I missed the fact that all resources are not on batcave, so lookup can't help here.
Sorry for the mess.
rebased onto c366454
No problem...
Pull-Request has been merged by kevin
And... another one. ;)
TASK [Generate ssh keypair, if none exist] *************************************************************************
Thursday 29 October 2020 16:40:10 +0000 (0:00:00.033) 0:00:11.972 ******
fatal: [os-master01.stg.iad2.fedoraproject.org]: FAILED! => {"changed": false, "msg": "'bool' object has no attribute '__getitem__'"}
-_- This task wasn't completed successfully yesterday already?
I've no idea what's going on here. Can you send me a more verbose output (-vvv)?
This looks like an ansible bug. ;(
The full traceback is:
WARNING: The below traceback may *not* be related to the actual failure.
  File "/tmp/ansible_openssh_keypair_payload_OmHAAt/ansible_openssh_keypair_payload.zip/ansible/modules/crypto/openssh_keypair.py", line 393, in main
  File "/tmp/ansible_openssh_keypair_payload_OmHAAt/ansible_openssh_keypair_payload.zip/ansible/modules/crypto/openssh_keypair.py", line 205, in generate
  File "/tmp/ansible_openssh_keypair_payload_OmHAAt/ansible_openssh_keypair_payload.zip/ansible/modules/crypto/openssh_keypair.py", line 308, in isPublicKeyValid
  File "/tmp/ansible_openssh_keypair_payload_OmHAAt/ansible_openssh_keypair_payload.zip/ansible/modules/crypto/openssh_keypair.py", line 292, in _pubkey_valid
os-master01.stg.iad2.fedoraproject.org | FAILED! => { "changed": false, "invocation": { "module_args": { "attributes": null, "backup": null, "comment": null, "content": null, "delimiter": null, "directory_mode": null, "follow": false, "force": false, "group": null, "mode": null, "owner": null, "path": "/etc/openshift_apps/docstranslation/id_rsa_docs_trans", "regexp": null, "remote_src": null, "selevel": null, "serole": null, "setype": null, "seuser": null, "size": 4096, "src": null, "state": "present", "type": "rsa", "unsafe_writes": null } }, "msg": "'bool' object has no attribute '__getitem__'" }
Possibly due to python3 on the control host and python2 on the target. ;(
Unless we can easily see it we might have to work around it...
Not sure, but the "mode" is null here, when it should be 0600 (or 384). Maybe something went wrong here and the bitmask has been set incorrectly; we may need to specify "600" as a string instead. Also, can you give me the output of ls -lZ /etc/openshift_apps/docstranslation/id_rsa_docs_trans* ? This feels like some sort of permission issue, but I can't see why, unless the bitmask was indeed set incorrectly. The line that seems to fail in the module is this one (I think):
pubkey = module.run_command([module.get_bin_path('ssh-keygen', True), '-yf', self.path])
I would say that either the privkey (self.path here) can't be read or the ssh-keygen command returns something unexpected.
We can also try to remove the old keypair to regen a new one as a last resort...
I've tried to reproduce the issue using the same version combo of ansible/python on control & target, but no dice :(
Ok, actually, I've just reproduced the issue. If the key was created with "mode: 600" the bitmask got messed up and I get the very same error message. So, yeah, I'm pretty sure this is what's happening here. Not sure why though, since the mode in the playbook is correct...
The mode was unset there because I just ran it directly with ansible -m openssh_keypair... sorry for any confusion that caused.
It fails mostly the same way with the playbook:
The full traceback is:
WARNING: The below traceback may *not* be related to the actual failure.
  File "/tmp/ansible_openssh_keypair_payload_Jcja3F/ansible_openssh_keypair_payload.zip/ansible/modules/crypto/openssh_keypair.py", line 393, in main
  File "/tmp/ansible_openssh_keypair_payload_Jcja3F/ansible_openssh_keypair_payload.zip/ansible/modules/crypto/openssh_keypair.py", line 205, in generate
  File "/tmp/ansible_openssh_keypair_payload_Jcja3F/ansible_openssh_keypair_payload.zip/ansible/modules/crypto/openssh_keypair.py", line 308, in isPublicKeyValid
  File "/tmp/ansible_openssh_keypair_payload_Jcja3F/ansible_openssh_keypair_payload.zip/ansible/modules/crypto/openssh_keypair.py", line 292, in _pubkey_valid
fatal: [os-master01.stg.iad2.fedoraproject.org]: FAILED! => { "changed": false, "invocation": { "module_args": { "attributes": null, "backup": null, "comment": null, "content": null, "delimiter": null, "directory_mode": null, "follow": false, "force": false, "group": null, "mode": 384, "owner": null, "path": "/etc/openshift_apps/docstranslation/id_rsa_docs_trans", "regexp": null, "remote_src": null, "selevel": null, "serole": null, "setype": null, "seuser": null, "size": 4096, "src": null, "state": "present", "type": "rsa", "unsafe_writes": null } }, "msg": "'bool' object has no attribute '__getitem__'" }
so yeah... mode 384?
That's 0600 in decimal, it's all right. It can be 0600, 384 or "600". If you set it to 600, since the module takes the decimal form, that gives you 1130 in octal, which ends up with something like ---x-wx--T. What are the current keypair rights on disk?
  File: ‘/etc/openshift_apps/docstranslation/id_rsa_docs_trans’
  Size: 3243      	Blocks: 8          IO Block: 4096   regular file
Device: fd00h/64768d	Inode: 100689598   Links: 1
Access: (0750/-rwxr-x---)  Uid: (    0/    root)   Gid: (    0/    root)
Context: unconfined_u:object_r:etc_t:s0
Access: 2020-10-29 16:40:10.853155289 +0000
Modify: 2020-10-28 23:55:22.825504146 +0000
Change: 2020-10-29 16:39:59.947116009 +0000
 Birth: -
  File: ‘/etc/openshift_apps/docstranslation/id_rsa_docs_trans.pub’
  Size: 726       	Blocks: 8          IO Block: 4096   regular file
Device: fd00h/64768d	Inode: 100699163   Links: 1
Access: (0750/-rwxr-x---)  Uid: (    0/    root)   Gid: (    0/    root)
Context: unconfined_u:object_r:etc_t:s0
Access: 2020-10-29 16:40:10.854155293 +0000
Modify: 2020-10-28 23:55:22.825504146 +0000
Change: 2020-10-29 16:39:59.948116012 +0000
 Birth: -
Ok, that's it. 750 is not right. First, it's not 600 like it's supposed to be, but it's also too open for OpenSSH use. ssh-keygen -yf /etc/openshift_apps/docstranslation/id_rsa_docs_trans should throw a big warning instead of printing the pubkey, and that's why the module crashes. Since the module sets the bitmask after reading/generating the key, we have no choice but to correct the rights ourselves. Try to set the privkey to 600, and we should be fine.
I'm not sure why we end up with this bitmask in the first place. We may want to delete the keypair, and run the playbook to see if it's happening again.
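As an added example (not code from this repo or from anyone in the thread) that carries the mode arithmetic of the two comments above through in Python: it resolves a mode the way the thread says Ansible treats 0600, 384, "600" and a bare 600, renders the resulting bits the way ls does, and applies the group/other check that makes ssh-keygen -yf refuse a 0750 private key. The helper names are mine, and the file it stats is a constructed temp file, not the real key.

```python
import os
import stat
import tempfile


def ansible_mode(value):
    """Resolve a `mode:` argument as the thread describes Ansible doing it
    (an assumption based on the discussion, not Ansible's own code): an int is
    used as-is (YAML already turned a bare 0600 into octal 384, but a bare 600
    stays decimal 600), while a quoted string such as "600" is parsed as octal."""
    if isinstance(value, bool):
        raise TypeError("mode must be an int or an octal string")
    if isinstance(value, int):
        return value
    return int(str(value), 8)


def mode_string(mode):
    """Render the permission bits as `ls -l` would, e.g. 384 -> '-rw-------'."""
    return stat.filemode(stat.S_IFREG | (mode & 0o7777))


def private_key_mode_ok(mode):
    """OpenSSH refuses a private key that is group- or world-accessible, so
    ssh-keygen -yf prints a permissions warning instead of the public key.
    Returns True only when no group/other bits are set."""
    return (mode & 0o077) == 0


def check_key_file(path):
    """Stat a key file and report (octal mode, ls-style string, acceptable?)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return (oct(mode), mode_string(mode), private_key_mode_ok(mode))


def check_constructed_file(mode):
    """Write a constructed placeholder key file with the given mode, check it
    the way check_key_file would check the real key, and clean up."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"-----BEGIN OPENSSH PRIVATE KEY-----\nplaceholder\n")
    try:
        os.chmod(f.name, mode)
        return check_key_file(f.name)
    finally:
        os.unlink(f.name)


if __name__ == "__main__":
    for given in (0o600, 384, "600", 600):
        m = ansible_mode(given)
        print(f"mode {given!r:>6} -> {oct(m)} {mode_string(m)} ok={private_key_mode_ok(m)}")
    print(check_constructed_file(0o750))  # mirrors the 0750 seen in the stat output
    print(check_constructed_file(0o600))
```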