certificate migration shows password problem on "Delete temporary .pem files"

Bug #2047652 reported by Marcelo de Castro Loebens
This bug affects 1 person
Affects: StarlingX
Status: Fix Released
Importance: Low
Assigned to: Marcelo de Castro Loebens
Milestone: (none listed)

Bug Description

Brief Description
-----------------
Certificate migration Ansible playbook shows a password problem on "Delete temporary .pem files".
But the certificates migrated successfully, meaning it does not seem to block functionality.

Severity
--------
Minor

Steps to Reproduce
------------------
In DC
- Create migration-inventory.yaml
- Execute: ansible-playbook /usr/share/ansible/stx-ansible/playbooks/migrate_platform_certificates_to_certmanager.yml -i migration-inventory.yaml --extra-vars "target_list=all_online_subclouds mode=update ignore_alarms=yes" --ask-vault-pass

Expected Behavior
------------------
No error.

Actual Behavior
----------------
ansible shows password problem on "Delete temporary .pem files"

Reproducibility
---------------
100%

System Configuration
--------------------
DC + SX sc.

Branch/Pull Time/Commit
-----------------------
master.

Last Pass
---------
NA.

Timestamp/Logs
--------------
...
TASK [common/install-trusted-ca : Register if a new certificate was installed] **************************************************************************
Wednesday 08 November 2023 07:30:11 +0000 (0:00:13.435) 0:03:20.690 ****
ok: [localhost]

TASK [common/install-trusted-ca : Delete temporary .pem files] ******************************************************************************************
Wednesday 08 November 2023 07:30:11 +0000 (0:00:00.019) 0:03:20.710 ****
failed: [localhost] (item=/tmp/ca_pd4zopkf.pem) => changed=false
  ansible_loop_var: file_item
  file_item: /tmp/ca_pd4zopkf.pem
  module_stderr: |-
    sudo: a password is required
  module_stdout: ''
  msg: |-
    MODULE FAILURE
    See stdout/stderr for the exact error
  rc: 1
failed: [localhost] (item=/tmp/root_98ucx2e2.pem) => changed=false
  ansible_loop_var: file_item
  file_item: /tmp/root_98ucx2e2.pem
  module_stderr: |-
    sudo: a password is required
  module_stdout: ''
  msg: |-
    MODULE FAILURE
    See stdout/stderr for the exact error
  rc: 1

PLAY RECAP **********************************************************************************************************************************************
localhost : ok=13 changed=9 unreachable=0 failed=1 skipped=8 rescued=0 ignored=0
subcloud3 : ok=58 changed=49 unreachable=0 failed=0 skipped=40 rescued=0 ignored=0
subcloud4 : ok=58 changed=49 unreachable=0 failed=0 skipped=40 rescued=0 ignored=0
subcloud5 : ok=58 changed=49 unreachable=0 failed=0 skipped=40 rescued=0 ignored=0

Test Activity
-------------
Dev test.

Workaround
----------
Pass 'localhost' in 'target_list' parameter.

Changed in starlingx:
assignee: nobody → Marcelo de Castro Loebens (mdecastr)
status: New → In Progress
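
An added example, not part of the original report or of the StarlingX playbooks: a small parser that scans Ansible output like the log above for results that failed with "sudo: a password is required" and lists the loop items of the failed cleanup task. The sample text is constructed from the log in this report; the function names, and the assumption that a failed delete leaves the file in /tmp, belong to this example.

```python
import re

# Constructed sample, trimmed from the log quoted in this report.
SAMPLE = """\
TASK [common/install-trusted-ca : Register if a new certificate was installed] ***
ok: [localhost]

TASK [common/install-trusted-ca : Delete temporary .pem files] ***
failed: [localhost] (item=/tmp/ca_pd4zopkf.pem) => changed=false
  file_item: /tmp/ca_pd4zopkf.pem
  module_stderr: |-
    sudo: a password is required
  rc: 1
failed: [localhost] (item=/tmp/root_98ucx2e2.pem) => changed=false
  file_item: /tmp/root_98ucx2e2.pem
  module_stderr: |-
    sudo: a password is required
  rc: 1
"""

TASK_RE = re.compile(r"^TASK \[(?P<name>.+?)\] \*+")
FAILED_RE = re.compile(r"^failed: \[(?P<host>[^\]]+)\](?: \(item=(?P<item>.*?)\))? =>")
SUDO_MARKER = "sudo: a password is required"

def find_escalation_failures(output):
    """Return one dict per failed result whose details show sudo asking for a password."""
    findings, task, current = [], None, None
    for line in output.splitlines():
        m = TASK_RE.match(line)
        if m:
            task, current = m.group("name"), None
            continue
        m = FAILED_RE.match(line)
        if m:
            current = {"task": task, "host": m.group("host"), "item": m.group("item")}
            continue
        if not line.startswith(" "):
            current = None  # an unindented line ends the detail block of the last result
        elif current and SUDO_MARKER in line:
            findings.append(current)
            current = None  # report each failed result once
    return findings

def leftover_files(findings, cleanup_task="Delete temporary .pem files"):
    """Loop items of the failed cleanup task; assumed still on disk (hypothetical helper)."""
    return sorted(f["item"] for f in findings
                  if (f["task"] or "").endswith(cleanup_task) and f["item"])

if __name__ == "__main__":
    print(leftover_files(find_escalation_failures(SAMPLE)))
```
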
OpenStack Infra (hudson-openstack) wrote : Fix merged to ansible-playbooks (master)

Reviewed: https://review.opendev.org/c/starlingx/ansible-playbooks/+/900424
Committed: https://opendev.org/starlingx/ansible-playbooks/commit/9b1197cc4cef9dcc85dd7eda639ad4d7a5da0479
Submitter: "Zuul (22348)"
Branch: master

commit 9b1197cc4cef9dcc85dd7eda639ad4d7a5da0479
Author: Marcelo Loebens <email address hidden>
Date: Wed Nov 8 11:13:10 2023 -0400

    Fix privilege issue in platform certificates update

    When 'localhost' isn't included in the target_list parameter of
    update_platform_certificates.yml playbook, there is an error at the
    end of the execution caused by 'localhost' not being able to escalate
    to handle the files used to install the CA certificates as trusted.

    This commit includes code to acquire the required variables for
    privilege escalation for 'localhost'.

    Test Plan:
    PASS: In DC w/ SX sc, executed update_platform_certificates.yml
          passing 'target_list=all_online_subclouds'.

    PASS: In DC w/ SX sc, executed update_platform_certificates.yml
          passing 'target_list=localhost,all_online_subclouds'.

    Closes-bug: 2047652

    Change-Id: I9cc64a0e2e5c5573ac34cb8e2488bb0b688475d9
    Signed-off-by: Marcelo Loebens <email address hidden>

Changed in starlingx:
status: In Progress → Fix Released
Ghada Khalil (gkhalil)
Changed in starlingx:
importance: Undecided → Low
tags: added: stx.9.0 stx.security