[ansible-project] ERROR: Failed to connect to the host via ssh: OpenSSH_7.4p1, OpenSSL 1.0.2k-fips

2020-04-28 Thread Parasuram A Havoji
Hello, 

I am seeing the below error while running playbook, I ran playbook with 
debug enabled and with increased verbose level but not sure of the root 
cause of failure. Can someone please help me find the issue; thank you

Below is my configuration;

Ansible Master node;

# ansible --version
ansible 2.9.2
  config file = /root/galorndon-infra/playbooks/ansible.cfg
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /py36env/lib64/python3.6/site-packages/ansible
  executable location = /py36env/bin/ansible
  python version = 3.6.8 (default, Aug  7 2019, 08:02:28) [GCC 4.8.5 20150623 (Red Hat 4.8.5-39.0.1)]
#
# rpm -qa |grep openssh
openssh-7.4p1-21.el7.x86_64
openssh-clients-7.4p1-21.el7.x86_64
#




Managed node;
=
[root@vault1 ~]# python --version
Python 2.7.5
[root@vault1 ~]#
[root@vault1 ~]#
[root@vault1 ~]# rpm -qa |grep openssh
openssh-7.4p1-21.el7.x86_64
openssh-clients-7.4p1-21.el7.x86_64
openssh-server-7.4p1-21.el7.x86_64
[root@vault1 ~]#
[root@vault1 ~]#


Playbook error ;


TASK [vault : Configure Kubernetes Auth for ControlPlane] *
task path: /root/galorndon-infra/playbooks/roles/vault/tasks/vault-setup-backend-controlplane.yml:35
  5303 1588066633.38971: sending task start callback
  5303 1588066633.38999: entering _queue_task() for 10.2.4.50/hashivault_write
  5303 1588066633.39466: worker is 1 (out of 1 available)
  5303 1588066633.39610: exiting _queue_task() for 10.2.4.50/hashivault_write
  5303 1588066633.39665: done queuing things up, now waiting for results queue to drain
  5303 1588066633.39697: waiting for pending results...
  6022 1588066633.39909: running TaskExecutor() for 10.2.4.50/TASK: vault : Configure Kubernetes Auth for ControlPlane
  6022 1588066633.40131: in run() - task 0242ac11-0002-dd43-f45e-0146
  6022 1588066633.40297: calling self._execute()
  6022 1588066633.41278: Loading FilterModule 'core' from /py36env/lib64/python3.6/site-packages/ansible/plugins/filter/core.py (found_in_cache=True, class_only=False)
  6022 1588066633.41436: Loading FilterModule 'gcp_kms_filters' from /py36env/lib64/python3.6/site-packages/ansible/plugins/filter/gcp_kms_filters.py (found_in_cache=True, class_only=False)
  6022 1588066633.41590: Loading FilterModule 'ipaddr' from /py36env/lib64/python3.6/site-packages/ansible/plugins/filter/ipaddr.py (found_in_cache=True, class_only=False)
  6022 1588066633.41684: Loading FilterModule 'json_query' from /py36env/lib64/python3.6/site-packages/ansible/plugins/filter/json_query.py (found_in_cache=True, class_only=False)
  6022 1588066633.41832: Loading FilterModule 'k8s' from /py36env/lib64/python3.6/site-packages/ansible/plugins/filter/k8s.py (found_in_cache=True, class_only=False)
  6022 1588066633.41894: Loading FilterModule 'mathstuff' from /py36env/lib64/python3.6/site-packages/ansible/plugins/filter/mathstuff.py (found_in_cache=True, class_only=False)
  6022 1588066633.41941: Loading FilterModule 'network' from /py36env/lib64/python3.6/site-packages/ansible/plugins/filter/network.py (found_in_cache=True, class_only=False)
  6022 1588066633.41993: Loading FilterModule 'urls' from /py36env/lib64/python3.6/site-packages/ansible/plugins/filter/urls.py (found_in_cache=True, class_only=False)
  6022 1588066633.42030: Loading FilterModule 'urlsplit' from /py36env/lib64/python3.6/site-packages/ansible/plugins/filter/urlsplit.py (found_in_cache=True, class_only=False)
  6022 1588066633.42201: Loading TestModule 'core' from /py36env/lib64/python3.6/site-packages/ansible/plugins/test/core.py (found_in_cache=True, class_only=False)
  6022 1588066633.42234: Loading TestModule 'files' from /py36env/lib64/python3.6/site-packages/ansible/plugins/test/files.py (found_in_cache=True, class_only=False)
  6022 1588066633.42271: Loading TestModule 'mathstuff' from /py36env/lib64/python3.6/site-packages/ansible/plugins/test/mathstuff.py (found_in_cache=True, class_only=False)
  6022 1588066633.45403: trying /py36env/lib64/python3.6/site-packages/ansible/plugins/connection
  6022 1588066633.45567: Loading Connection 'ssh' from /py36env/lib64/python3.6/site-packages/ansible/plugins/connection/ssh.py (found_in_cache=True, class_only=False)
  6022 1588066633.45622: trying /py36env/lib64/python3.6/site-packages/ansible/plugins/shell
  6022 1588066633.45690: Loading ShellModule 'sh' from /py36env/lib64/python3.6/site-packages/ansible/plugins/shell/sh.py (found_in_cache=True, class_only=False)
  6022 1588066633.45727: Loading ShellModule 'sh' from /py36env/lib64/python3.6/site-packages/ansible/plugins/shell/sh.py (found_in_cache=True, class_only=False)
  6022 1588066633.45775: trying /py36env/lib64/python3.6/site-packages/ansible/plugins/become
  6022 1588066633.45860: Loading BecomeModule 'sudo' from /py36env

Re: [ansible-project] ERROR: Failed to connect to the host via ssh: OpenSSH_7.4p1, OpenSSL 1.0.2k-fips

2020-04-29 Thread Parasuram A Havoji
Hi, 

We have not enabled FIPS. 

A little more background: we have a Vault cluster of 3 VMs. I have reimaged 
one of the VMs with the latest OL7u7 image and then ran the playbook which 
installs and configures Vault on this newly reimaged VM. 

The playbook runs many tasks successfully and always fails when it comes to 
the task creating PKI roles. Here is the task content - 


- name: "Create PKI Roles"
  hashivault_write:
    url: "{{ vault_config_url }}"
    ca_path: "{{ vault_tls_ca_file }}"
    token: "{{ vault_config_token }}"
    secret: "/infra_pki/roles/{{ item.name }}"
    data:
      allowed_domains: "{{ item.allowed_domains }}"
      allow_subdomains: "{{ item.allow_subdomains }}"
      max_ttl: "{{ item.max_ttl }}"
      allow_any_name: "{{ item.allow_any_name }}"
      enforce_hostnames: "{{ item.enforce_hostnames }}"
  with_items: "{{ intermediate_ca_pki_roles }}"



Let me know if you need more information.. 



On Tuesday, April 28, 2020 at 3:54:18 PM UTC+5:30, Jorge Rúa wrote:
>
> Haven't looked too much into it, but are you aware of limitations of 
> running in a FIPS enabled mode?
>
> Can you provide us with a sample playbook (please remove access tokens, 
> credentials, private keys, passwords, etc)
>
> Thanks
>
> On Tue, 28 Apr 2020 at 11:14, Parasuram A Havoji wrote:
>
>> Hello, 
>>
>> I am seeing the below error while running playbook, I ran playbook with 
>> debug enabled and with increased verbose level but not sure of the root 
>> cause of failure. Can someone please help me find the issue; thank you
>>
>> Below is my configuration;
>>
>> Ansible Master node;
>> 
>> # ansible --version
>> ansible 2.9.2
>>   config file = /root/galorndon-infra/playbooks/ansible.cfg
>>   configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
>>   ansible python module location = /py36env/lib64/python3.6/site-packages/ansible
>>   executable location = /py36env/bin/ansible
>>   python version = 3.6.8 (default, Aug  7 2019, 08:02:28) [GCC 4.8.5 20150623 (Red Hat 4.8.5-39.0.1)]
>> #
>> # rpm -qa |grep openssh
>> openssh-7.4p1-21.el7.x86_64
>> openssh-clients-7.4p1-21.el7.x86_64
>> #
>>
>>
>>
>>
>> Managed node;
>> =
>> [root@vault1 ~]# python --version
>> Python 2.7.5
>> [root@vault1 ~]#
>> [root@vault1 ~]#
>> [root@vault1 ~]# rpm -qa |grep openssh
>> openssh-7.4p1-21.el7.x86_64
>> openssh-clients-7.4p1-21.el7.x86_64
>> openssh-server-7.4p1-21.el7.x86_64
>> [root@vault1 ~]#
>> [root@vault1 ~]#
>>
>>
>> Playbook error ;
>> 
>>
>> TASK [vault : Configure Kubernetes Auth for ControlPlane] *
>> task path: /root/galorndon-infra/playbooks/roles/vault/tasks/vault-setup-backend-controlplane.yml:35
>>   5303 1588066633.38971: sending task start callback
>>   5303 1588066633.38999: entering _queue_task() for 10.2.4.50/hashivault_write
>>   5303 1588066633.39466: worker is 1 (out of 1 available)
>>   5303 1588066633.39610: exiting _queue_task() for 10.2.4.50/hashivault_write
>>   5303 1588066633.39665: done queuing things up, now waiting for results queue to drain
>>   5303 1588066633.39697: waiting for pending results...
>>   6022 1588066633.39909: running TaskExecutor() for 10.2.4.50/TASK: vault : Configure Kubernetes Auth for ControlPlane
>>   6022 1588066633.40131: in run() - task 0242ac11-0002-dd43-f45e-0146
>>   6022 1588066633.40297: calling self._execute()
>>   6022 1588066633.41278: Loading FilterModule 'core' from /py36env/lib64/python3.6/site-packages/ansible/plugins/filter/core.py (found_in_cache=True, class_only=False)
>>   6022 1588066633.41436: Loading FilterModule 'gcp_kms_filters' from /py36env/lib64/python3.6/site-packages/ansible/plugins/filter/gcp_kms_filters.py (found_in_cache=True, class_only=False)
>>   6022 1588066633.41590: Loading FilterModule 'ipaddr' from /py36env/lib64/python3.6/site-packages/ansible/plugins/filter/ipaddr.py (found_in_cache=True, class_only=False)
>>   6022 1588066633.41684: Loading FilterModule 'json_query' from /py36env/lib64/python3.6/site-packages/ansible/plugins/filter/json_query.py (found_in_cache=True, class_only=False)
>>   6022 158806

[ansible-project] MODULE FAILURE - TypeError: Value of unknown type: ,

2020-04-30 Thread Parasuram A Havoji


Hello,


I am seeing module failure while using hashivault_write module.


Ansible - Python - OpenSSH version on Ansible Node ;

root@35f3dfdc476f:playbooks # ansible --version
ansible 2.9.2
  config file = /root/galorndon-infra/playbooks/ansible.cfg
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /py36env/lib64/python3.6/site-packages/ansible
  executable location = /py36env/bin/ansible
  python version = 3.6.8 (default, Aug  7 2019, 08:02:28) [GCC 4.8.5 20150623 (Red Hat 4.8.5-39.0.1)]
root@35f3dfdc476f:playbooks #
root@35f3dfdc476f:playbooks #
root@35f3dfdc476f:playbooks #
root@6193af66d482:playbooks # rpm -qa  |grep -i openssh
openssh-7.4p1-21.el7.x86_64
openssh-clients-7.4p1-21.el7.x86_64
root@6193af66d482:playbooks #


Ansible - Python - OpenSSH version on Vault3 VM ;

[root@vault3 ~]# ansible --version
ansible 2.8.4
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /bin/ansible
  python version = 2.7.5 (default, Nov 27 2019, 09:57:45) [GCC 4.8.5 20150623 (Red Hat 4.8.5-39.0.1)]
[root@vault3 ~]#
[root@vault3 ~]#
[root@vault3 ~]# rpm -qa  |grep -i openssh
openssh-7.4p1-21.el7.x86_64
openssh-clients-7.4p1-21.el7.x86_64
openssh-server-7.4p1-21.el7.x86_64
[root@vault3 ~]#


Playbook ;


[osvcstage:cpetestphx:security_services]root@6193af66d482:playbooks # cat hashivault_write.yml
---
- hosts: "{{ target_group }}{{ (':&' + availability_domain ) if availability_domain is defined else '' }}"
  serial: 1
  max_fail_percentage: 30
  become: yes
  vars_files:
    - "vars/defaults.yml"
    - "vars/envs/{{ env }}.yml"
    - "vars/regions/{{ region }}.yml"

  tasks:
    - name: "Write Secrets at path /secret/cpe-test"
      hashivault_write:
        url: 'https://127.0.0.1:8200'
        ca_path: '/etc/pki/ca-trust/source/anchors/cpetestphx_ca.crt'
        token: '7h4AHyZnXINsBAQ4MqYiNzau'
        secret: 'secret/cpe-test'
        data:
          foo: 'password-foo'

    - name: "Return all secrets from a path /secret/cpe-test"
      debug:
        msg: "{{ lookup('hashi_vault', 'secret=/secret/cpe-test token=7h4AHyZnXINsBAQ4MqYiNzau url=https://127.0.0.1:8200')}}"

[osvcstage:cpetestphx:security_services]root@6193af66d482:playbooks #



Module error when the above playbook is run ;


root@6193af66d482:playbooks # ansible-playbook  -u opc -i 
inventories/$ENVIRONMENT.$REGION/oci_inventory.py -e 
target_group=tag_componentType=vault_server -e target_group=10.5.4.58 -e 
proxy_is_required=false hashivault_write.yml
[DEPRECATION WARNING]: The TRANSFORM_INVALID_GROUP_CHARS settings is set to 
allow bad characters in group names by default, this will change, but still 
be user configurable on deprecation. This feature will
be removed in version 2.10. Deprecation warnings can be disabled by setting 
deprecation_warnings=False in ansible.cfg.
[WARNING]: Invalid characters were found in group names but not replaced, 
use - to see details


PLAY [10.5.4.58] 


TASK [Gathering Facts] 
**
ok: [10.5.4.58]
---

TASK [Write Secrets at path /secret/cpe-test] 
***
An exception occurred during task execution. To see the full traceback, use 
-vvv. The error was: TypeError: Value of unknown type: , 
fatal: [10.5.4.58]: FAILED! => {"changed": false, "module_stderr": "Traceback 
(most recent call last):\n  File \"\", line 102, in \n  File 
\"\", line 94, in _ansiballz_main\n  File \"\", line 40, in 
invoke_module\n  File \"/usr/lib64/python2.7/runpy.py\", line 176, in 
run_module\nfname, loader, pkg_name)\n  File 
\"/usr/lib64/python2.7/runpy.py\", line 82, in _run_module_code\n   
 mod_name, mod_fname, mod_loader, pkg_name)\n  File 
\"/usr/lib64/python2.7/runpy.py\", line 72, in _run_code\nexec code in 
run_globals\n  File 
\"/tmp/ansible_hashivault_write_payload_A5NErK/ansible_hashivault_write_payload.zip/ansible/modules/hashivault/hashivault_write.py\",
 
line 229, in \n  File 
\"/tmp/ansible_hashivault_write_payload_A5NErK/ansible_hashivault_write_payload.zip/ansible/modules/hashivault/hashivault_write.py\",
 
line 109, in main\n  File 
\"/tmp/ansible_hashivault_write_payload_A5NErK/ansible_hashivault_write_payload.zip/ansible/module_utils/basic.py\",
 
line 2072, in exit_json\n  File 
\"/tmp/ansibl

[ansible-project] Re: MODULE FAILURE - TypeError: Value of unknown type: ,

2020-05-04 Thread Parasuram A Havoji
I upgraded ansible-modules-hashivault to 4.4.7 and it worked.

Reference - https://github.com/TerryHowe/ansible-modules-hashivault/issues/238



On Thursday, April 30, 2020 at 3:33:34 PM UTC+5:30, Parasuram A Havoji 
wrote:
>
> Hello,
>
>
> I am seeing module failure while using hashivault_write module.
>
>
> Ansible - Python - OpenSSH version on Ansible Node ;
>
> root@35f3dfdc476f:playbooks # ansible --version
> ansible 2.9.2
>   config file = /root/galorndon-infra/playbooks/ansible.cfg
>   configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
>   ansible python module location = /py36env/lib64/python3.6/site-packages/ansible
>   executable location = /py36env/bin/ansible
>   python version = 3.6.8 (default, Aug  7 2019, 08:02:28) [GCC 4.8.5 20150623 (Red Hat 4.8.5-39.0.1)]
> root@35f3dfdc476f:playbooks #
> root@35f3dfdc476f:playbooks #
> root@35f3dfdc476f:playbooks #
> root@6193af66d482:playbooks # rpm -qa  |grep -i openssh
> openssh-7.4p1-21.el7.x86_64
> openssh-clients-7.4p1-21.el7.x86_64
> root@6193af66d482:playbooks #
>
>
> Ansible - Python - OpenSSH version on Vault3 VM ;
>
> [root@vault3 ~]# ansible --version
> ansible 2.8.4
>   config file = /etc/ansible/ansible.cfg
>   configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
>   ansible python module location = /usr/lib/python2.7/site-packages/ansible
>   executable location = /bin/ansible
>   python version = 2.7.5 (default, Nov 27 2019, 09:57:45) [GCC 4.8.5 20150623 (Red Hat 4.8.5-39.0.1)]
> [root@vault3 ~]#
> [root@vault3 ~]#
> [root@vault3 ~]# rpm -qa  |grep -i openssh
> openssh-7.4p1-21.el7.x86_64
> openssh-clients-7.4p1-21.el7.x86_64
> openssh-server-7.4p1-21.el7.x86_64
> [root@vault3 ~]#
>
>
> Playbook ;
>
>
> [osvcstage:cpetestphx:security_services]root@6193af66d482:playbooks # cat hashivault_write.yml
> ---
> - hosts: "{{ target_group }}{{ (':&' + availability_domain ) if availability_domain is defined else '' }}"
>   serial: 1
>   max_fail_percentage: 30
>   become: yes
>   vars_files:
>     - "vars/defaults.yml"
>     - "vars/envs/{{ env }}.yml"
>     - "vars/regions/{{ region }}.yml"
>
>   tasks:
>     - name: "Write Secrets at path /secret/cpe-test"
>       hashivault_write:
>         url: 'https://127.0.0.1:8200'
>         ca_path: '/etc/pki/ca-trust/source/anchors/cpetestphx_ca.crt'
>         token: '7h4AHyZnXINsBAQ4MqYiNzau'
>         secret: 'secret/cpe-test'
>         data:
>           foo: 'password-foo'
>
>     - name: "Return all secrets from a path /secret/cpe-test"
>       debug:
>         msg: "{{ lookup('hashi_vault', 'secret=/secret/cpe-test token=7h4AHyZnXINsBAQ4MqYiNzau url=https://127.0.0.1:8200')}}"
>
> [osvcstage:cpetestphx:security_services]root@6193af66d482:playbooks #
>
>
>
> Module error when the above playbook is run ;
>
>
> root@6193af66d482:playbooks # ansible-playbook  -u opc -i 
> inventories/$ENVIRONMENT.$REGION/oci_inventory.py -e 
> target_group=tag_componentType=vault_server -e target_group=10.5.4.58 -e 
> proxy_is_required=false hashivault_write.yml
> [DEPRECATION WARNING]: The TRANSFORM_INVALID_GROUP_CHARS settings is set 
> to allow bad characters in group names by default, this will change, but 
> still be user configurable on deprecation. This feature will
> be removed in version 2.10. Deprecation warnings can be disabled by 
> setting deprecation_warnings=False in ansible.cfg.
> [WARNING]: Invalid characters were found in group names but not replaced, 
> use - to see details
>
>
> PLAY [10.5.4.58] 
> 
>
> TASK [Gathering Facts] 
> **
> ok: [10.5.4.58]
> ---
>
> TASK [Write Secrets at path /secret/cpe-test] 
> ***
> An exception occurred during task execution. To see the full traceback, 
> use -vvv. The error was: TypeError: Value of unknown type:  'requests.models.Response'>, 
> fatal: [10.5.4.58]: FAILED! => {"changed&
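
The failure reported in this thread, as an added sketch that is not code from Ansible, the hashivault module or any poster: the traceback ends in exit_json, which walks the module's return values to mask no_log parameters and raises this TypeError for any value whose type it cannot inspect, here a requests.models.Response. The names FakeResponse, scrub, to_plain and exit_result are hypothetical, the token and result are constructed, and reducing the response to primitives is an assumed remedy pattern, not a description of what release 4.4.7 changed.

```python
# Simplified stand-in for the result scrubbing done before a module returns.
# Not Ansible's implementation; all names and sample values are constructed.

class FakeResponse:
    """Constructed stand-in for requests.models.Response (assumption)."""
    def __init__(self, status_code, text=""):
        self.status_code = status_code
        self.text = text

def scrub(value, secrets):
    """Mask every secret in a result tree; refuse types it cannot inspect."""
    if value is None or isinstance(value, (bool, int, float)):
        return value
    if isinstance(value, str):
        for s in secrets:
            value = value.replace(s, "********")
        return value
    if isinstance(value, (list, tuple)):
        return [scrub(v, secrets) for v in value]
    if isinstance(value, dict):
        return {k: scrub(v, secrets) for k, v in value.items()}
    # An opaque object could carry the token in any attribute, so fail closed.
    raise TypeError("Value of unknown type: %s, %s" % (type(value), value))

def to_plain(value):
    """Reduce a response-like object to primitives before it enters the result."""
    if isinstance(value, FakeResponse):
        return {"status_code": value.status_code, "text": value.text}
    return value

def exit_result(result, secrets, normalize=False):
    """Hypothetical helper: optionally normalize, then scrub the whole result."""
    if normalize:
        result = {k: to_plain(v) for k, v in result.items()}
    return scrub(result, secrets)

TOKEN = "s.CONSTRUCTED-TOKEN"  # constructed placeholder, not a real token
RESULT = {  # constructed module result holding a raw response object
    "changed": True,
    "msg": "wrote secret/cpe-test with token " + TOKEN,
    "data": FakeResponse(204, "echo " + TOKEN),
}

if __name__ == "__main__":
    try:
        exit_result(RESULT, [TOKEN])  # raw object reaches the scrubber
    except TypeError as exc:
        print("failed:", exc)
    print(exit_result(RESULT, [TOKEN], normalize=True))  # token masked everywhere
```

Failing closed on an unknown type is what keeps a token embedded in an opaque object out of the task output and logs.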