Can't run bootstrap_ansible with encrypted user_secrets.yml (prompting for password)

Bug #1729525 reported by Christian Sarrasin
Affects:     OpenStack-Ansible
Status:      Expired
Importance:  Undecided
Assigned to: Unassigned
Milestone:

Bug Description

bootstrap_ansible eventually calls openstack-ansible, which collects the 'user_*' files from /etc/openstack_deploy; however, there's no way to pass '--ask-vault-pass' to that wrapped execution.

Here's the tail-end of bootstrap-ansible's run:

+ pushd tests
/home/osa/openstack-ansible/tests /home/osa/openstack-ansible
+ ansible-playbook get-ansible-role-requirements.yml -i /home/osa/openstack-ansible/tests/test-inventory.ini -e role_file=/home/osa/openstack-ansible/ansible-role-requirements.yml
Variable files: "-e @/etc/openstack_deploy/user_secrets.yml -e @/etc/openstack_deploy/user_variables.yml "
ERROR! Decryption failed on /etc/openstack_deploy/user_secrets.yml
++ exit_fail 284 0

Two things come to mind:
1. Perhaps bootstrap_ansible shouldn't actually need to access (i.e. decrypt) user_secrets.yml; I suppose the less access to these secrets the better. The same might also apply to specific playbooks such as setup_hosts.yml.
2. (A contradiction of #1): perhaps the easiest way around this would be for the generated wrapper /usr/local/bin/openstack-ansible to optionally include '--ask-vault-pass' (so the vault's password is always prompted when we're just about to access user_secrets.yml anyway).

What do people think?
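As an added illustration of the two options above (example code, not the openstack-ansible project's own wrapper), a POSIX shell sketch that builds the wrapper's "-e @file" list, recognises Ansible Vault-encrypted user_* files by their `$ANSIBLE_VAULT;` header, and either appends `--ask-vault-pass` once when such a file is included or leaves encrypted files out entirely when the run does not need secrets. The NO_SECRETS variable, the helper names and the constructed sample files are assumptions.

```shell
#!/bin/sh
# Added example, not the OSA project's wrapper: decide how to treat vault-encrypted
# user_*.yml files instead of blindly passing them as extra vars.
set -eu

# Returns 0 if the file begins with the Ansible Vault header ($ANSIBLE_VAULT;1.x;...).
is_vaulted() {
    [ -f "$1" ] && head -c 15 "$1" | grep -q '^\$ANSIBLE_VAULT;'
}

# Prints the extra-vars argument list for every user_*.yml in a deploy directory.
# NO_SECRETS=1 (assumed knob): encrypted files are skipped, so no vault password is
# ever requested and secrets are never decrypted for a run that does not need them.
# Otherwise --ask-vault-pass is appended once if any encrypted file is included.
build_var_args() {
    deploy_dir=$1
    need_pass=0
    args=""
    for f in "$deploy_dir"/user_*.yml; do
        [ -e "$f" ] || continue
        if is_vaulted "$f"; then
            if [ "${NO_SECRETS:-0}" = "1" ]; then
                continue
            fi
            need_pass=1
        fi
        args="$args -e @$f"
    done
    if [ "$need_pass" = "1" ]; then
        args="$args --ask-vault-pass"
    fi
    printf '%s\n' "${args# }"
}

# Constructed sample deploy directory: one plain file and one vault-encrypted file.
# The body after the header is a placeholder, not a real vault payload.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'debug: false\n' > "$d/user_variables.yml"
    printf '$ANSIBLE_VAULT;1.1;AES256\n3030303030\n' > "$d/user_secrets.yml"
    printf '%s\n' "$d"
}
```

Running `build_var_args /etc/openstack_deploy` in the wrapper would reproduce the "Variable files:" line from the trace above with `--ask-vault-pass` added only when an encrypted file is actually part of the set.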

Revision history for this message
Jean-Philippe Evrard (jean-philippe-evrard) wrote :

openstack-ansible <playbook> --ask-vault-pass works for me, could you detail what's wrong?

Changed in openstack-ansible:
status: New → Incomplete
status: Incomplete → Invalid
Revision history for this message
Christian Sarrasin (sxc731) wrote :

As mentioned above, both in the headline and the description of the bug, the issue is with bootstrap-ansible rather than openstack-ansible.

Once you have an encrypted user_secrets.yml, it's no longer possible to run it without altering the script.

Changed in openstack-ansible:
status: Invalid → New
Revision history for this message
Jean-Philippe Evrard (jean-philippe-evrard) wrote :

Hello,

The bootstrap ansible script is just a shell script that installs the openstack-ansible wrapper and fetches the role (using ansible without using the wrapper, or at least shouldn't use any extra variables).

Which branch + version are you using? That could help us know where the issue is.

Revision history for this message
Christian Sarrasin (sxc731) wrote :

Hello Jean-Philippe,

The issue was experienced on the Pike branch. I *think* it occurred when I upgraded from 16.0.1 to 16.0.2. Likely this won't be an issue the very first time you install OSA. It manifests itself once you have encrypted your user_secrets.yml and you try to re-run bootstrap-ansible in order to update the role dependencies.

Revision history for this message
Jean-Philippe Evrard (jean-philippe-evrard) wrote :

I think this was fixed in a later version, where we use the full path to ansible-playbook. Could you check again with the latest tag?

Revision history for this message
Jean-Philippe Evrard (jean-philippe-evrard) wrote :

Hello Christian,

Could you double check if that hasn't been fixed?

Thank you in advance!

Changed in openstack-ansible:
status: New → Incomplete
Revision history for this message
Christian Sarrasin (sxc731) wrote :

Hello Jean-Philippe,

I concur that commit a27be7f should take care of this issue as it replaces the problematic `ansible-playbook` invocation which appears in the above stack trace. Alas, we don't have the capacity to re-test this issue right now, so may I suggest we either leave it open until we do, or else it can be closed and I'll reopen it should the issue reoccur.

Many thanks!
Christian

Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for openstack-ansible because there has been no activity for 60 days.]

Changed in openstack-ansible:
status: Incomplete → Expired