[ansible-project] ERROR! Decryption failed (no vault secrets were found that could decrypt)

2019-10-18 Thread Nikolay Georgiev


ISSUE TYPE
Bug Report

COMPONENT NAME
ansible-vault

ANSIBLE VERSION
2.8.5

OS / ENVIRONMENT
Centos7 1810

SUMMARY

Hey,
I am experiencing an issue. Can someone assist? (I have seen this here: #31620,
but it's never been resolved. Please do not mark as duplicate or close it.)
Do you know of any workaround? I cannot decrypt/view/edit the vault file.


```
(.venv) [centos@localhost ebrctl]$ ansible-vault edit group_vars/sandbox/vault -vvv

ansible-vault 2.8.5
  config file = /home/centos/git/ebrctl/ansible.cfg
  configured module search path = [u'/home/centos/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /usr/bin/ansible-vault
  python version = 2.7.5 (default, Aug  7 2019, 00:51:29) [GCC 4.8.5 20150623 (Red Hat 4.8.5-39)]
Using /home/centos/git/ebrctl/ansible.cfg as config file
ERROR! Decryption failed (no vault secrets were found that could decrypt) for /home/centos/git/ebrctl/group_vars/sandbox/vault
```
 

(I experience the same issue if I use other, higher or lower,
ansible/python versions. I also tried to add params such as "--ask-vault-pass"
or "--vault-id", but that did not work either.)

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ansible-project+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/93904a18-cbf8-4651-a1be-87e2d9c3df27%40googlegroups.com.


Re: [ansible-project] ansible +docker

2019-10-18 Thread Sunitha Iyer
Sorry Stefan, missed it, oracle linux server 7.6, RHEL7

On Friday, October 18, 2019 at 6:53:03 AM UTC+1, Stefan Hornburg (Racke) 
wrote:
>
> On 10/18/19 12:30 AM, Sunitha Iyer wrote: 
> > Stefan,
> >
> > I will do that. Why can't I find python2.7 under /usr/bin
>
> Hello Sunitha, 
>
> you didn't report the OS distribution and version of the target. This is crucial information.
>
> Regards 
>   Racke 
>
> > 
> > but I could see under /usr/lib.. 
> > 
> > 
> > Here is the error message 
> > 
> > 
> > FAILED ! >= {"changed" ,  false ,msg failed to import docker-py - no module named exceptions , try pip install docker}
> >
> >
> > pull_image.yml
> >
> >
> > - name: pull image
> >   hosts: TestVM
> >   tasks:
> >     - name: build docker image
> >       docker_image:
> >         name: xyz
> >         path: /var/dockertest
> > 
> > 
> > On Thursday, October 17, 2019 at 12:44:29 PM UTC+1, Stefan Hornburg (Racke) wrote:
> >
> > On 10/17/19 11:45 AM, Sunitha Iyer wrote:
> > > Hi Stefan
> > >
> > > I tried installing docker using pip command... pip install docker
> > >
> > > and then when I tried to run the below command it is not recognising the docker that's the issue.
> > >
> > >  ansible-playbook pull_image.yml  -u *** -e 'ansible_python_interpreter=/usr/bin/python'
> >
> > Please share the contents of pull_image.yml, the actual error messages and the OS details of the target.
> > 
> > Regards 
> >   Racke 
> > 
> > > 
> > > 
> > > 
> > >  Using cached https://files.pythonhosted.org/packages/cc/ca/699d4754a932787ef353a157ada74efd1ceb6d1fc0bfb7989ae1e7b33111/docker-4.1.0-py2.py3-none-any.whl
> > > Requirement already satisfied: requests!=2.18.0,>=2.14.2 in /usr/lib/python2.7/site-packages (from docker) (2.22.0)
> > > Requirement already satisfied: websocket-client>=0.32.0 in /usr/lib/python2.7/site-packages (from docker) (0.56.0)
> > > Requirement already satisfied: ipaddress>=1.0.16; python_version < "3.3" in /usr/lib/python2.7/site-packages (from docker) (1.0.22)
> > > Requirement already satisfied: backports.ssl-match-hostname>=3.5; python_version < "3.5" in /usr/lib/python2.7/site-packages (from docker) (3.7.0.1)
> > > Requirement already satisfied: six>=1.4.0 in /usr/lib/python2.7/site-packages (from docker) (1.12.0)
> > > Requirement already satisfied: chardet<3.1.0,>=3.0.2 in /usr/lib/python2.7/site-packages (from requests!=2.18.0,>=2.14.2->docker) (3.0.4)
> > > Requirement already satisfied: idna<2.9,>=2.5 in /usr/lib/python2.7/site-packages (from requests!=2.18.0,>=2.14.2->docker) (2.8)
> > > Requirement already satisfied: urllib3!=1.25.0,!=1.25.1,<1.26,>=1.21.1 in /usr/lib/python2.7/site-packages (from requests!=2.18.0,>=2.14.2->docker) (1.25.6)
> > > Requirement already satisfied: certifi>=2017.4.17 in /usr/lib/python2.7/site-packages (from requests!=2.18.0,>=2.14.2->docker) (2019.9.11)
> > > Installing collected packages: docker
> > > Successfully installed docker-4.1.0
> > > 
> > > 
> > > On Thursday, October 17, 2019 at 5:28:23 AM UTC+1, Stefan Hornburg (Racke) wrote:
> > >
> > > On 10/16/19 8:07 PM, Sunitha Iyer wrote:
> > > > I am trying to run a playbook from host (ansible VM) to pull an image from docker host. I tried pip install docker, still it is not working, can you please help.
> > > >
> > > > failed to import the required python library (docker sdk for python: docker (python >= 2.7) or docker-py (python 2.6)) on host's python /usr/bin/python3. please read module documentation and install in the appropriate location, for example via pip install docker or pip install docker-py (python 2.6). the error was: no module named request.exceptions")
> > >
> > > Try to set the following variable to make sure Ansible uses Python3 on the target host:
> > >
> > > ansible_python_interpreter: /usr/bin/python3
> > > 
> > > Regards 
> > >  Racke 
> > > 
> > > > 

[ansible-project] ERROR! Decryption failed (no vault secrets were found that could decrypt)

2019-10-18 Thread Nikolay Georgiev
Hey,
I am experiencing a bug: I cannot decrypt/edit/view the vault. Has anyone
had it, and how did you resolve it?

Ansible:2.8.5
OS/env : centos 7 1810


```
(.venv) [centos@localhost ebrctl]$ ansible-vault edit group_vars/sandbox/vault  -v
ansible-vault 2.8.5
  config file = /home/centos/git/ebrctl/ansible.cfg
  configured module search path = [u'/home/centos/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /usr/bin/ansible-vault
  python version = 2.7.5 (default, Aug  7 2019, 00:51:29) [GCC 4.8.5 20150623 (Red Hat 4.8.5-39)]
Using /home/centos/git/ebrctl/ansible.cfg as config file
Reading vault password file: /tmp/sb_vault_password
Reading vault password file: /tmp/prod_vault_password
Found a vault_id (default) in the vaulttext
Found a vault_id (default) in the vault text, but we do not have a associated secret (--vault-id)
Trying to use vault secret=(FileVaultSecret(filename='/tmp/sb_vault_password')) id=sandbox to decrypt None
Trying secret FileVaultSecret(filename='/tmp/sb_vault_password') for vault_id=sandbox
Tried to use the vault secret (sandbox) to decrypt (None) but it failed. Error: HMAC verification failed: Signature did not match digest.
Trying to use vault secret=(FileVaultSecret(filename='/tmp/prod_vault_password')) id=production to decrypt None
Trying secret FileVaultSecret(filename='/tmp/prod_vault_password') for vault_id=production
Tried to use the vault secret (production) to decrypt (None) but it failed. Error: HMAC verification failed: Signature did not match digest.
ERROR! Decryption failed (no vault secrets were found that could decrypt) for /home/centos/git/ebrctl/group_vars/sandbox/vault
```
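
Added example, not part of the original post and not Ansible's own code: a stdlib-only check of which candidate password authenticates a vault file, reproducing the HMAC comparison that fails for both secrets in the log above. It relies on the vault 1.1/1.2 AES256 envelope (PBKDF2-HMAC-SHA256 with 10000 iterations, HMAC-SHA256 over the ciphertext); the function names, sample vault and passwords are constructed for illustration.

```python
import binascii
import hashlib
import hmac

HEADER_MAGIC = "$ANSIBLE_VAULT"
KDF_ITERATIONS = 10000                      # used by the AES256 vault cipher
AES_KEY_LEN, HMAC_KEY_LEN, IV_LEN = 32, 32, 16


def derive_hmac_key(password: bytes, salt: bytes) -> bytes:
    """PBKDF2 output is AES key | HMAC key | IV; return the HMAC key slice."""
    material = hashlib.pbkdf2_hmac("sha256", password, salt, KDF_ITERATIONS,
                                   AES_KEY_LEN + HMAC_KEY_LEN + IV_LEN)
    return material[AES_KEY_LEN:AES_KEY_LEN + HMAC_KEY_LEN]


def parse_envelope(text: str):
    """Return (vault_id, salt, stored_mac, ciphertext) from vault file text."""
    lines = text.strip().splitlines() or [""]
    fields = lines[0].strip().split(";")
    if fields[0] != HEADER_MAGIC or len(fields) < 3 or fields[2] != "AES256":
        raise ValueError("not an AES256 Ansible Vault file")
    # A 1.1 header carries no label; Ansible then logs the vault_id as "default".
    vault_id = fields[3] if len(fields) > 3 else "default"
    try:
        inner = binascii.unhexlify("".join(line.strip() for line in lines[1:]))
        salt_hex, mac_hex, ct_hex = inner.split(b"\n", 2)
        return (vault_id, binascii.unhexlify(salt_hex),
                binascii.unhexlify(mac_hex), binascii.unhexlify(ct_hex))
    except ValueError as exc:               # bad hex or missing field
        raise ValueError("corrupt vault body: %s" % exc) from exc


def matching_secret(vault_text: str, secrets: dict):
    """Return the label of the first secret whose HMAC verifies, else None.

    `secrets` maps a vault-id label to password-file contents (bytes).
    The label stored in the header is never consulted: only the password decides.
    """
    _, salt, stored_mac, ciphertext = parse_envelope(vault_text)
    for label, raw in secrets.items():
        # Assumption: surrounding whitespace (a trailing newline) is not part
        # of the password, as when a password file is read.
        key = derive_hmac_key(raw.strip(), salt)
        mac = hmac.new(key, ciphertext, hashlib.sha256).digest()
        if hmac.compare_digest(mac, stored_mac):
            return label
    return None


def build_sample_vault(password: bytes, vault_id=None) -> str:
    """Constructed sample; the 'ciphertext' is placeholder bytes, not AES output."""
    salt = hashlib.sha256(b"constructed-salt").digest()
    ciphertext = b"constructed ciphertext bytes" * 2
    key = derive_hmac_key(password, salt)
    mac_hex = hmac.new(key, ciphertext, hashlib.sha256).hexdigest().encode()
    inner = b"\n".join([binascii.hexlify(salt), mac_hex,
                        binascii.hexlify(ciphertext)])
    body = binascii.hexlify(inner).decode()
    header = HEADER_MAGIC + (";1.2;AES256;" + vault_id if vault_id
                             else ";1.1;AES256")
    wrapped = [body[i:i + 80] for i in range(0, len(body), 80)]
    return "\n".join([header] + wrapped) + "\n"


# Constructed stand-ins for /tmp/sb_vault_password and /tmp/prod_vault_password.
CANDIDATES = {"sandbox": b"sb-pass\n", "production": b"prod-pass\n"}

if __name__ == "__main__":
    # File encrypted with a password that is in neither candidate file:
    # every HMAC check fails, which is the situation in the log above.
    lost = build_sample_vault(b"some-other-password")
    print(parse_envelope(lost)[0], "->", matching_secret(lost, CANDIDATES))
    # File labelled "sandbox" but encrypted with the production password.
    mislabelled = build_sample_vault(b"prod-pass", vault_id="sandbox")
    print(parse_envelope(mislabelled)[0], "->",
          matching_secret(mislabelled, CANDIDATES))
```

A `None` result for every configured password file means the file was encrypted with a password that is not among them; the vault-id label in the header does not change that outcome.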



[ansible-project] Facts overview

2019-10-18 Thread Andre Gronwald
I read somewhere that it is possible to cache facts - is it possible as
well to have those facts in an overview? My focus is on identifying old
software packages. Is that possible?

kind regards,
andre



Re: [ansible-project] Facts overview

2019-10-18 Thread Srinivas Naram
https://docs.ansible.com/ansible/latest/user_guide/playbooks_variables.html#caching-facts


HTH
Srini

On Fri, Oct 18, 2019 at 2:24 PM Andre Gronwald 
wrote:

> I read somewhere that it is possible to cache facts - is it possible as
> well to have those facts in an overview? My focus is on identifying old
> software packages. Is that possible?
>
> kind regards,
> andre
>



[ansible-project] ec2_instance & AMIs that require agreement to terms & conditions?

2019-10-18 Thread Dick Visser
Hi

While trying to spin up a CentOS7 instance using ec2_instance, I get
the following error message (ansible 2.8.5):


fatal: [localhost]: FAILED! => changed=false
  boto3_version: 1.9.228
  botocore_version: 1.12.228
  error:
    code: OptInRequired
    message: In order to use this AWS Marketplace product you need to accept terms and subscribe. To do so please visit https://aws.amazon.com/marketplace/pp?sku=aw0evgkw8e5c1q413zgy5pjce
  invocation:
    module_args:
      availability_zone: null
      aws_access_key: null
      aws_secret_key: null
      cpu_credit_specification: null
      cpu_options: null
      debug_botocore_endpoint_logs: false
      detailed_monitoring: null
      ebs_optimized: null
      ec2_url: null
      filters:
        private-ip-address: 10.1.48.4
        tag:Customer: test
        tag:Name: jumphost1
      image: null
      image_id: ami-04cf43aca3e6f3de3



Any ideas how to accept those terms etc in a programmatic way?


thx

-- 
Dick Visser
Trust & Identity Service Operations Manager
GÉANT



Re: [ansible-project] Ansible Best Practices - Group_Vars Not Being Applied As Expected

2019-10-18 Thread Vladimir Botka
On Thu, 17 Oct 2019 23:35:30 -0700 (PDT)
Jeff Baldwin  wrote:

> *What I Am Seeing:  *
> - The 'jeff5' user (system administrator) and AIXAdmin group are being
> created on the lx00011010d box ONLY (the expectation is that it would be
> created on both)
> - The oracle/DBA users are being created on lx00016141d, which is NOT the
> oracle box (expectation is that these would get created on lx00011010d only)
> [...]
> ### INVENTORY
> # file: *inventory/oracle*
> [oracle]
> lx00011010d
> 
> # file: *inventory/other*
> [other]
> lx00016141d
> [...]
> ### GROUP_VARS
> # file: *group_vars/all.yml*
> users:
>   - username: jeff5
>     name: Jeff - AIX Linux Engineer
>     group: AIXAdmin
>     uid: 318427
> [...]
> 
> file: *group_vars/oracle.yml*
> users:
>   - username: oracle
>     name: Oracle
>     group: dba
>     uid: 202
>   - username: kwhit
>     name: Kathryn - DBA
>     group: dba
>     uid: 225114
> [...]
> ### PLAYBOOKS
> # file: *site.yml*
> - import_playbook: common.yml
> - import_playbook: oracle.yml
> ---
> # file: *common.yml*
> - hosts: all
>   become: yes
>   roles:
>     - ansible-users
> ---
> # file: *oracle.yml*
> - hosts: oracle
>   become: yes
>   roles:
>     - ansible-users

It's not possible to explain the output below and other results you observe
with the input provided. You'll have to minimise the example and make it
verifiable. It's simply out of scope this way.

   PLAY [oracle] 
   *
   TASK [Gathering Facts] 
   *
   ok: [lx00016141d]

Notes
* What does the command line look like?
* Output of "ansible-inventory --list --vars"
* Output of "ansible-config dump"
* Role ansible-users

Cheers,

-vlado



[ansible-project] How does Ansible deliver patches to servers that have no internet connectivity?

2019-10-18 Thread Gary Barber
I help run a large and varied network supporting a number of customers. 
We're looking at Ansible to replace CA's ITCM as our patch management tool.

Since most of our customer estates have no internet access we need to 
replicate our current setup as closely as possible. 

Online Patching Server - downloads patches and sends to offline server
Offline Patching Server - Receives patches from offline server.
Customer patching servers - One server per customer. Receives patches from 
the Offline Server. Installs patches on all customer servers, including 
itself

Can Ansible work as follows.

1. The Online patching server downloads all patches needed for all 
platforms, windows, linux, etc.
2. The downloaded patches are SFTP'd from the Online patching server to the 
Offline patching server. This server has no internet access.
3. The downloaded patches are copied to the Customer patching servers, 
using ITCM's built-in tools. 
4. The Customer patching server installs patches on all customer servers, 
delivering them from its own storage.



Re: [ansible-project] Ansible Best Practices - Group_Vars Not Being Applied As Expected

2019-10-18 Thread Jeff Baldwin


On Friday, October 18, 2019 at 5:58:15 AM UTC-4, Vladimir Botka wrote:
>
> On Thu, 17 Oct 2019 23:35:30 -0700 (PDT) 
> Jeff Baldwin > wrote: 
>
> > *What I Am Seeing:  *
> > - The 'jeff5' user (system administrator) and AIXAdmin group are being
> > created on the lx00011010d box ONLY (the expectation is that it would be
> > created on both)
> > - The oracle/DBA users are being created on lx00016141d, which is NOT the
> > oracle box (expectation is that these would get created on lx00011010d only)
> > [...] 
> > ### INVENTORY 
> > # file: *inventory/oracle* 
> > [oracle] 
> > lx00011010d 
> > 
> > # file: *inventory/other* 
> > [other] 
> > lx00016141d 
> > [...] 
> > ### GROUP_VARS 
> > # file: *group_vars/all.yml* 
> > users:
> >   - username: jeff5
> >     name: Jeff - AIX Linux Engineer
> >     group: AIXAdmin
> >     uid: 318427
> > [...]
> > 
> > file: *group_vars/oracle.yml*
> > users:
> >   - username: oracle
> >     name: Oracle
> >     group: dba
> >     uid: 202
> >   - username: kwhit
> >     name: Kathryn - DBA
> >     group: dba
> >     uid: 225114
> > [...]
> > ### PLAYBOOKS
> > # file: *site.yml*
> > - import_playbook: common.yml
> > - import_playbook: oracle.yml
> > ---
> > # file: *common.yml*
> > - hosts: all
> >   become: yes
> >   roles:
> >     - ansible-users
> > ---
> > # file: *oracle.yml*
> > - hosts: oracle
> >   become: yes
> >   roles:
> >     - ansible-users
>
> It's not possible to explain the output below and other results you 
> observe 
> with the input provided. You'll have to minimise the example and make it 
> verifiable. It's simply out of scope this way. 
>
>PLAY [oracle] 
>* 
>TASK [Gathering Facts] 
>* 
>ok: [lx00016141d] 
>
> Notes 
> * What does the command line look like?
> * Output of "ansible-inventory --list --vars" 
> * Output of "ansible-config dump" 
> * Role ansible-users 
>
> Cheers, 
>
> -vlado 
>

Thank you for your time vlado.   Below is the information you have 
requested:

*Command Line:*
ansible-playbook site.yml -C


*ansible-inventory --list --vars*
*Question:  *Why is group 'AIXAdmin' and user 'jeff5' vars not getting 
applied to both boxes?

[admin@lx00010300p ansible-help]$ ansible-inventory --list --vars
{
    "_meta": {
        "hostvars": {
            "lx00011010d": {
                "groups_to_create": [
                    {
                        "gid": "901",
                        "name": "AIXAdmin",
                        "state": "present"
                    }
                ],
                "users": [
                    {
                        "group": "AIXAdmin",
                        "name": "Jeff - AIX Linux Engineer",
                        "uid": 318427,
                        "username": "jeff5"
                    }
                ]
            },
            "lx00016141d": {
                "file": "group_vars/oracle.yml",
                "groups_to_create": [
                    {
                        "gid": 201,
                        "name": "dba"
                    }
                ],
                "users": [
                    {
                        "group": "dba",
                        "name": "Oracle",
                        "uid": 202,
                        "username": "oracle"
                    },
                    {
                        "group": "dba",
                        "name": "Kathryn - DBA",
                        "uid": 225114,
                        "username": "kwhit"
                    }
                ]
            }
        }
    },
    "all": {
        "children": [
            "oracle",
            "other",
            "ungrouped"
        ]
    },
    "oracle": {
        "hosts": [
            "lx00016141d"
        ]
    },
    "other": {
        "hosts": [
            "lx00011010d"
        ]
    }
}

*Ansible-Users role details:*
There are only two files in this role.  Details below:

*[admin@lx00010300p ansible-users]$ cat defaults/main.yml*
---
# Create a group for every user and make that their primary group
users_create_per_user_group: true
# If we're not creating a per-user group, then this is the group all users
# belong to
users_group: users
# The default shell for a user if none is specified
users_default_shell: /bin/bash
# Create home dirs for new users? Set this to false if you manage home
# directories in some other way.
users_create_homedirs: true

# Lists of users to create and delete
users: []
users_deleted: []

# List of groups to create
# Example:
#   groups_to_create:
#     - name: developers
#       gid: 1
groups_to_create: []

authorized_keys_file: ".ssh/authorized_keys"

*[admin@lx00010300p ansible-users]$ cat tasks/main.yml*
---
- name: Creating groups
  group:
    name: "{{ item.name }}"
    gid: 

[ansible-project] k8s Module: Unable to escape SSL_Cert error calling nodes.

2019-10-18 Thread Boa Ah
Team, My playbook is below and unable to get rid of the cert.
```
  - name: Fetch all deployments
    set_fact:
      deployments: "{{ lookup('k8s', kind='Deployment') }}"
      kubeconfig: $WORKSPACE

  - name: Fetch all Nodes with Module
    k8s:
      service: "{{ lookup('k8s', kind='Node') }}"
      #validate_certs: no
      verify_ssl: no
      kubeconfig: $WORKSPACE
```
any hint?

TASK [3_validations_on_ssh : Fetch all deployments] 

2019-10-18 14:31:42,409 WARNING Retrying (Retry(total=2, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)'),)': /apis/apps/v1/deployments
2019-10-18 14:31:42,430 WARNING Retrying (Retry(total=1, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)'),)': /apis/apps/v1/deployments
2019-10-18 14:31:42,447 WARNING Retrying (Retry(total=0, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)'),)': /apis/apps/v1/deployments
fatal: [target1]: FAILED! => {"msg": "An unhandled exception occurred while running the lookup plugin 'k8s'. Error was a <class 'urllib3.exceptions.MaxRetryError'>, original message: HTTPSConnectionPool(host='maglev-dev0-sjc4.nonprod-nvkong.com', port=443): Max retries exceeded with url: /apis/apps/v1/deployments (Caused by SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)'),))"}



[ansible-project] Precendence: why playbook level variables win over inventory ones?

2019-10-18 Thread Stanislav German-Evtushenko
Documentation (see 4-7, 9, 10 from the list of priorities) says that playbook level 
variables override inventory ones. Can somebody explain why this is the 
case? To me this is counter-intuitive and keeps leading to mistakes.

Intuitive way would be:

1) role defaults (specified within the role itself)
  ⇩
2) infrastructure defaults, e.g. datacenter level (specified in group_vars 
or host_vars on the playbook level)
  ⇩
3) inventory defaults, e.g. availability zone, or a specific project, etc 
(specified in group_vars or host_vars on inventory level)

However the fact is that 2 always overrides 3. How was it supposed to be 
used?



Re: [ansible-project] k8s Module: Unable to escape SSL_Cert error calling nodes.

2019-10-18 Thread Dick Visser
I assume you want to get rid of the cert errors and not of the cert
itself.  According to
https://docs.ansible.com/ansible/latest/plugins/lookup/k8s.html you should
use the ‘validate_certs’ option.


On Fri, 18 Oct 2019 at 23:34, Boa Ah  wrote:

> Team, My playbook is below and unable to get rid of the cert.
> ```
>   - name: Fetch all deployments
>     set_fact:
>       deployments: "{{ lookup('k8s', kind='Deployment') }}"
>       kubeconfig: $WORKSPACE
>
>   - name: Fetch all Nodes with Module
>     k8s:
>       service: "{{ lookup('k8s', kind='Node') }}"
>       #validate_certs: no
>       verify_ssl: no
>       kubeconfig: $WORKSPACE
> ```
> any hint?
>
> TASK [3_validations_on_ssh : Fetch all deployments]
> 
> 2019-10-18 14:31:42,409 WARNING Retrying (Retry(total=2, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)'),)': /apis/apps/v1/deployments
> 2019-10-18 14:31:42,430 WARNING Retrying (Retry(total=1, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)'),)': /apis/apps/v1/deployments
> 2019-10-18 14:31:42,447 WARNING Retrying (Retry(total=0, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)'),)': /apis/apps/v1/deployments
> fatal: [target1]: FAILED! => {"msg": "An unhandled exception occurred while running the lookup plugin 'k8s'. Error was a <class 'urllib3.exceptions.MaxRetryError'>, original message: HTTPSConnectionPool(host='maglev-dev0-sjc4.nonprod-nvkong.com', port=443): Max retries exceeded with url: /apis/apps/v1/deployments (Caused by SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)'),))"}
>
-- 
Sent from a mobile device - please excuse the brevity, spelling and
punctuation.



Re: [ansible-project] Precendence: why playbook level variables win over inventory ones?

2019-10-18 Thread James Cassell
On Fri, Oct 18, 2019, at 11:53 PM, Stanislav German-Evtushenko wrote:
> Documentation (see 4-7, 9, 10 from the list of priorities) says that playbook level 
> variables override inventory ones. Can somebody explain why this is the 
> case? To me this is counter-intuitive and keeps leading to mistakes.
> 
> Intuitive way would be:
> 
> 1) role defaults (specified within the role itself)
>  ⇩
> 2) infrastructure defaults, e.g. datacenter level (specified in 
> group_vars or host_vars on the playbook level)
>  ⇩
> 3) inventory defaults, e.g. availability zone, or a specific project, 
> etc (specified in group_vars or host_vars on inventory level)
> 
> However the fact is that 2 always overrides 3. How was it supposed to be used?
> 

I agree that it's not intuitive... It's also backwards from what I would expect.

You can override the precedence order locally: 
https://docs.ansible.com/ansible/latest/reference_appendices/config.html#variable-precedence

I choose not to do that, and instead forgo separating inventory from playbook 
group_vars.

I, too, would be interested in an explanation of why the order is what it is.  
I've been bitten by it in the past.


V/r,
James Cassell



Re: [ansible-project] Precendence: why playbook level variables win over inventory ones?

2019-10-18 Thread Stanislav German-Evtushenko


>
> I agree that it's not intuitive... It's also backwards from what I would 
> expect. 
>
> You can override the precedence order locally: 
> https://docs.ansible.com/ansible/latest/reference_appendices/config.html#variable-precedence
>  
>
> I choose not to do that, and instead forgo separating inventory from 
> playbook group_vars. 
>
> I, too, would be interested in an explanation of why the order is what it 
> is.  I've been bitten by it in the past. 
>
>  
Ansible is supposed to be simple and overriding precedence would make it 
way more complicated. Changing the default behaviour (with an option for 
backwards compatibility) would make it more logical. Any devs here?
