redhatinsights / ansible-collections-insights Goto Github PK
View Code? Open in Web Editor NEWAnsible Collection for Red Hat Insights
License: Apache License 2.0
ansible-collections-insights's People
Contributors
![dependabot[bot] avatar](https://avatars.githubusercontent.com/in/29110?v=4 "dependabot[bot]")
Stargazers
Watchers
Forkers
willtome patchkez gundalow kvegh thedoubl3j a-beck pabelanger apuntamb satish5555555 strider sagarlutade kruai amarmh lucas-benedito bkearney jeffcpullen jangel97 ryandeussing aheverley patilsuraj767 kubealex joysnow metabsd jstavel duckboss csedm sscheibansible-collections-insights's Issues
Hard Coded ansible_host variable in Inventory
The ansible_host variable is hardcoded. This may cause conflict with other inventory sources. If ansible_host from insights should be used, it should be a constructed var as shown below.
plugin: redhatinsights.insights.insights
compose:
ansible_host: <prefix>_ansible_host
Add support for managing data redaction
as part of the management of the client configuration with the insights role. I would to have the ability to manage the different ways to obfuscate the insights data. Specifically:
- manage IP and hostname obfuscation in insights-client.conf
- manage the file-redaction.yaml & file-content-redaction.yaml files
Lack of galaxy.yml in the git repo prevents collection from being installed from git
I understand the desire to automate things like release information, however, using a jinja2 template for your galaxy.yml file and only populating it on release (and only including that released file to Galaxy/Red Hat Automation Hub) breaks the ability to install this collection from the git repository directly.
We have a situation where our hosts running our Ansible playbooks don't have access to Galaxy or the Automation Hub. For the past few years that hasn't been an issue as we mirrored the roles that we wanted locally. Mirroring is done via git. Now with the improved support in ansible-galaxy in 2.10.x we can install collections from git repositories, and so we have begun migrating the roles we have used previously to collections.
I'm happy to submit a PR, but I'm not sure what the preferred solution would be.
Compliance role does not install supported versions of insights-client as per Red Hat requirements
The roles do not install the "correct" version of the scap-security-guide package for a given RHEL release as per the following KB article:
https://access.redhat.com/articles/6644131
The relevant code can be found here.
https://github.com/RedHatInsights/ansible-collections-insights/blob/master/roles/compliance/tasks/install.yml
I have implemented a version of this but it requires manual maintenance of the RHEL release <-> scap-security-guide release.
Open to a discussion/suggestions on what to do as this is quite important for the compliance service to function correctly.
tags are not working as expected
Managing tags doesn't work as expected.
- Simply including the role without specifying any tags, executes a tag removal. which will delete the tags.yaml file from the client. Perhaps this option should be explicit to remove existing tags if no
insights_tagsvariable is specified
# example task
tasks:
- include_role:
name: redhat.insights.insights_client
# output
TASK [redhat.insights.insights_client : Deploy Custom Tags] ****************************************************************************
skipping: [satellite] => {"changed": false, "skip_reason": "Conditional result was False"}
skipping: [tower] => {"changed": false, "skip_reason": "Conditional result was False"}
TASK [redhat.insights.insights_client : Remove Tags] ***********************************************************************************
ok: [satellite] => {"changed": false, "path": "/etc/insights-client/tags.yaml", "state": "absent"}
changed: [tower] => {"changed": true, "path": "/etc/insights-client/tags.yaml", "state": "absent"}- Deleting the tags has no effect in insights, tags are removed from the client but there is no mechanism to remove the tags in insights itself. I believe this is a bug/feature in Insights, this option should be removed from the role until this actually works in insights itself.
ansible-collections-insights/roles/insights_client/tasks/main.yml
Lines 75 to 79 in 1b455fa
Failed (/etc/insights-client/machine-id) is absent, cannot continue
Hello there,
I noticed an issue which is breaking the configuration on our systems.
Apparently the role RedHatInsights.insights-client is failing for my rhel8 host with following message file (/etc/insights-client/machine-id) is absent, cannot continue. The name of the failing task is RedHatInsights.insights-client : Change permissions of machine_id file so that Insights System ID can be read.
The fact that machine-id does not exist, implies that the host is not registered to Insights, and actually if I run following command:
[root@tower-isolated1 plays]# insights-client --status
This host is unregistered.
It indeed replies that the system is not registered. And if I check the return code of the command it's 0.
[root@tower-isolated1 plays]# echo $?
0
It looks to me that the task RedHatInsights.insights-client : Register Insights Client is not properly working, since this is what it is returning:
ok: [localhost] => {
"changed": false,
"invocation": {
"module_args": {
"display_name": "",
"force_reregister": false,
"insights_name": "insights-client",
"state": "present"
}
},
"message": "The Insights API has determined that this machine is already registered",
"original_message": "Attempting to register insights-client"
}
My assumption is that this https://github.com/RedHatInsights/ansible-collections-insights/blob/master/plugins/modules/insights_register.py#L131 conditional is missing some logic.
Let me know your thoughts.
Thanks,
Unable to sync patching information for insights inventory
- Inventory sync fails while trying to fetch the pathing info with the below configuration.
# create groups for patching
plugin: redhat.insights.insights
get_patches: yes
groups:
patching: insights_patching.enabled
stale: insights_patching.stale
bug_patch: insights_patching.rhba_count > 0
security_patch: insights_patching.rhsa_count > 0
enhancement_patch: insights_patching.rhea_count > 0
-
It appears that inventory sync with only 'plugin: redhat.insights.insights' working fine.
-
Error: While performing the sync.
4.963 INFO Updating inventory 9: NewInsightsInventory
5.032 DEBUG Using base command: python /usr/bin/ansible-inventory -i /tmp/bwrap_113_16pp_l24/awx_113_eft4r1s2/project --playbook-dir /tmp/bwrap_113_16pp_l24/awx_113_eft4r1s2/project -vvvvv
5.033 INFO Reading Ansible inventory source: /tmp/bwrap_113_16pp_l24/awx_113_eft4r1s2/project
5.035 INFO Using VIRTUAL_ENV: /var/lib/awx/venv/ansible
5.035 INFO Using PATH: /var/lib/awx/venv/ansible/bin:/var/lib/awx/venv/awx/bin:/var/lib/awx/venv/awx/bin:/var/lib/awx/venv/awx/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
5.035 INFO Using PYTHONPATH: /var/lib/awx/venv/ansible/lib/python3.6/site-packages:
14.577 ERROR ansible-inventory 2.9.18
14.577 ERROR config file = /etc/ansible/ansible.cfg
14.577 ERROR configured module search path = ['/var/lib/awx/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
14.578 ERROR ansible python module location = /usr/lib/python3.6/site-packages/ansible
14.578 ERROR executable location = /usr/bin/ansible-inventory
14.578 ERROR python version = 3.6.8 (default, Dec 5 2019, 15:45:45) [GCC 8.3.1 20191121 (Red Hat 8.3.1-5)]
14.578 ERROR Using /etc/ansible/ansible.cfg as config file
14.578 ERROR setting up inventory plugins
14.578 ERROR host_list declined parsing /tmp/bwrap_113_16pp_l24/awx_113_eft4r1s2/project/collections/requirements.yml as it did not pass its verify_file() method
14.578 ERROR script declined parsing /tmp/bwrap_113_16pp_l24/awx_113_eft4r1s2/project/collections/requirements.yml as it did not pass its verify_file() method
14.578 ERROR [WARNING]: Skipping 'collections' as this is not a valid group definition
14.578 ERROR Parsed /tmp/bwrap_113_16pp_l24/awx_113_eft4r1s2/project/collections/requirements.yml inventory source with yaml plugin
14.579 ERROR setting up inventory plugins
14.579 ERROR host_list declined parsing /tmp/bwrap_113_16pp_l24/awx_113_eft4r1s2/project/insights.yml as it did not pass its verify_file() method
14.579 ERROR script declined parsing /tmp/bwrap_113_16pp_l24/awx_113_eft4r1s2/project/insights.yml as it did not pass its verify_file() method
14.579 ERROR toml declined parsing /tmp/bwrap_113_16pp_l24/awx_113_eft4r1s2/project/insights.yml as it did not pass its verify_file() method
14.579 ERROR [WARNING]: * Failed to parse
14.579 ERROR /tmp/bwrap_113_16pp_l24/awx_113_eft4r1s2/project/insights.yml with auto plugin:
14.579 ERROR No connection adapters were found for '/api/patch/v1/systems?offset=20&limit=20
14.579 ERROR &filter[stale]=eq:True&sort=-last_upload'
14.579 ERROR File "/usr/lib/python3.6/site-packages/ansible/inventory/manager.py", line 280, in parse_source
14.580 ERROR plugin.parse(self._inventory, self._loader, source, cache=cache)
14.580 ERROR File "/usr/lib/python3.6/site-packages/ansible/plugins/inventory/auto.py", line 58, in parse
14.580 ERROR plugin.parse(inventory, loader, path, cache=cache)
14.580 ERROR File "/tmp/bwrap_113_16pp_l24/awx_113_eft4r1s2/requirements_collections/ansible_collections/redhat/insights/plugins/inventory/insights.py", line 218, in parse
14.580 ERROR stale_patches = self.get_patches(stale=True)
14.580 ERROR File "/tmp/bwrap_113_16pp_l24/awx_113_eft4r1s2/requirements_collections/ansible_collections/redhat/insights/plugins/inventory/insights.py", line 110, in get_patches
14.580 ERROR response = self.session.get(url, auth=self.auth, headers=self.headers)
14.580 ERROR File "/var/lib/awx/venv/ansible/lib/python3.6/site-packages/requests/sessions.py", line 546, in get
14.580 ERROR return self.request('GET', url, **kwargs)
14.581 ERROR File "/var/lib/awx/venv/ansible/lib/python3.6/site-packages/requests/sessions.py", line 533, in request
14.581 ERROR resp = self.send(prep, **send_kwargs)
14.581 ERROR File "/var/lib/awx/venv/ansible/lib/python3.6/site-packages/requests/sessions.py", line 640, in send
14.581 ERROR adapter = self.get_adapter(url=request.url)
14.581 ERROR File "/var/lib/awx/venv/ansible/lib/python3.6/site-packages/requests/sessions.py", line 731, in get_adapter
14.581 ERROR raise InvalidSchema("No connection adapters were found for '%s'" % url)
14.581 ERROR [WARNING]: * Failed to parse
14.581 ERROR /tmp/bwrap_113_16pp_l24/awx_113_eft4r1s2/project/insights.yml with yaml plugin:
14.581 ERROR Plugin configuration YAML file, not YAML inventory
14.582 ERROR File "/usr/lib/python3.6/site-packages/ansible/inventory/manager.py", line 280, in parse_source
14.582 ERROR plugin.parse(self._inventory, self._loader, source, cache=cache)
14.582 ERROR File "/usr/lib/python3.6/site-packages/ansible/plugins/inventory/yaml.py", line 112, in parse
14.582 ERROR raise AnsibleParserError('Plugin configuration YAML file, not YAML inventory')
14.605 ERROR [WARNING]: * Failed to parse
14.605 ERROR /tmp/bwrap_113_16pp_l24/awx_113_eft4r1s2/project/insights.yml with ini plugin:
14.605 ERROR Invalid host pattern 'plugin:' supplied, ending in ':' is not allowed, this
14.606 ERROR character is reserved to provide a port.
14.606 ERROR File "/usr/lib/python3.6/site-packages/ansible/inventory/manager.py", line 280, in parse_source
14.606 ERROR plugin.parse(self._inventory, self._loader, source, cache=cache)
14.606 ERROR File "/usr/lib/python3.6/site-packages/ansible/plugins/inventory/ini.py", line 138, in parse
14.607 ERROR raise AnsibleParserError(e)
14.607 ERROR [WARNING]: Unable to parse
14.608 ERROR /tmp/bwrap_113_16pp_l24/awx_113_eft4r1s2/project/insights.yml as an inventory
14.608 ERROR source
14.608 DEBUG Finished loading from source: /tmp/bwrap_113_16pp_l24/awx_113_eft4r1s2/project
14.608 INFO Processing JSON output...
14.608 DEBUG Loaded group: all
14.609 INFO Loaded 0 groups, 0 hosts
14.615 DEBUG Inventory variables unmodified
14.726 INFO Inventory import completed for NewInsightsInv in 9.8s
Compliance role fails if host isn't associated with a compliance profile
Referring to:
ansible-collections-insights/roles/compliance/tasks/run.yml
The role calls insights-client --compliance which will return a non-zero code if the host hasn't been associated with a compliance profile in the console at console.redhat.com. Perhaps the role could fail more gracefully when this takes place so that any playbook calling the role doesn't bomb out when there's no compliance profile associated with the host.
Simple alternative:
- name: run compliance scan
ignore_errors: yes
command: insights-client --compliance
Thoughts?
[RFE] Add option or value to skip setting ansible_host varaible
Currently, the inventory plugin sets the ansible_host variable. There should be some functionality to prevent setting this variable for use cases when another inventory provider is populating that value.
Inventory plugin does not work as redhatinsights.insights.insights collection
The inventory plugin here cannot be used when installed from https://galaxy.ansible.com/redhatinsights/insights
See discussion in https://github.com/ansible/awx/pull/8650/files#issuecomment-754231268
Since this produces 2 different collections, a replacement in the actual code needs to be made if it is going to function correctly. Or maybe you could hack something new together to import from module utils.
Feature request: assign host to Inventory group
Now that Inventory Groups are live the ansible role should allow the user to set the Inventory group.
To be clear the goal is not to use the current --group=GROUP option of insights client which adds a tag but does not add the system to an Inventory Group.
insights_register state: absent doesn't explicitly request elevated privileges
I have got some hosts registered:
[ansible@ansible-h AutomATa]$ ansible rhel_vms -m redhat.insights.insights_register -b -i inventory/dynamic_custom_inventory.sh -a "state=present"
rhel-kvegh-nt29-801.kveghdemo.at | CHANGED => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/libexec/platform-python"
},
"changed": true,
"message": "insights-client has been registered",
"original_message": "Attempting to register insights-client"
}
rhel-kvegh-nt29-711.kveghdemo.at | CHANGED => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": true,
"message": "insights-client has been registered",
"original_message": "Attempting to register insights-client"
}
rhel-kvegh-nt29-741.kveghdemo.at | CHANGED => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": true,
"message": "insights-client has been registered",
"original_message": "Attempting to register insights-client"
}
[ansible@ansible-h AutomATa]$
Now I want to unregister them, but I forgot the --become ... but it still reports back success. If I do this on the commandline with insights-client, then it explizitly tells me to run as root, here the module only says "Attempting" and reports SUCCESS back:
[ansible@ansible-h AutomATa]$ ansible rhel_vms -m redhat.insights.insights_register -i inventory/dynamic_custom_inventory.sh -a "state=absent"
rhel-kvegh-nt29-801.kveghdemo.at | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/libexec/platform-python"
},
"changed": false,
"message": "insights-client is already unregistered",
"original_message": "Attempting to unregister insights-client"
}
rhel-kvegh-nt29-711.kveghdemo.at | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"message": "insights-client is already unregistered",
"original_message": "Attempting to unregister insights-client"
}
rhel-kvegh-nt29-741.kveghdemo.at | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"message": "insights-client is already unregistered",
"original_message": "Attempting to unregister insights-client"
}
[ansible@ansible-h AutomATa]$
...with --become it works like a charm of course, reporting back CHANGED:
[ansible@ansible-h AutomATa]$ ansible rhel_vms -m redhat.insights.insights_register -i inventory/dynamic_custom_inventory.sh -a "state=absent" -b
rhel-kvegh-nt29-711.kveghdemo.at | CHANGED => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": true,
"message": "insights-client has been unregistered",
"original_message": "Attempting to unregister insights-client"
}
rhel-kvegh-nt29-741.kveghdemo.at | CHANGED => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": true,
"message": "insights-client has been unregistered",
"original_message": "Attempting to unregister insights-client"
}
rhel-kvegh-nt29-801.kveghdemo.at | CHANGED => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/libexec/platform-python"
},
"changed": true,
"message": "insights-client has been unregistered",
"original_message": "Attempting to unregister insights-client"
}
[ansible@ansible-h AutomATa]$
Summary: without elevated privileges the module insights_register should report back that it cannot unregister the host, shouldn't it?
/etc/insights-client is not writabe
Getting the error message during the Deploy Custom Tags task
TASK [redhatinsights.insights.insights_client : Deploy Custom Tags] ************
...
FAILED! => {"changed": false, "checksum": "eab944004b60615cf2ecf0a03053b45aeec04158", "msg": "Destination /etc/insights-client not writable"}
After debugging it appears the directory exists and is writable by the ansible user assuming become is used.
The issue appears to be that become is not used:
- name: Deploy Custom Tags
copy:
dest: /etc/insights-client/tags.yaml
content: "{{ insights_tags | to_nice_yaml }}"
mode: og=r
when: insights_tags is defined
notify: Run insights-clientSSO credential-based authentication (basic authentication) has been deprecated for security reasons.
As documented in Appendix E of the Red Hat Insights documentation:
uses HTTPBasicAuthSSO credential-based authentication (basic authentication) has been deprecated for security reasons. Consider using a more secure authentication method, such as certificate-based authentication.
Insights ansible inventory plugin (insights.py) fails to retrieve large inventory
In method InventoryModule.parse, lines 233 through 250, a URL is constructed from page numbers and filtering tags. If the underlying collection is large enough the URL gets bigger that 4096 characters and that hits an underlying limit in the backend (cloud.redhat.com) which results in the plugin erroring with the following message:
redhat_insights.yml with
auto plugin: http error (400): <title>Bad Request</title>
Bad Request
Request Line is too large (4098 > 4094)Unable to get system tags using get_tags
Hi,
I am trying to get tags information in Insights but it seems get_tags option is not working.
The error I am getting is the following:
[WARNING]: * Failed to parse /Users/jmorenas/Desktop/my_stuff/insights-inventory/insights.yml with insights plugin: ('Connection
aborted.', RemoteDisconnected('Remote end closed connection without response'))
File "/usr/local/lib/python3.9/site-packages/ansible/inventory/manager.py", line 280, in parse_source
plugin.parse(self._inventory, self._loader, source, cache=cache)
File "/Users/jmorenas/Desktop/my_stuff/insights-inventory/inventory_plugins/insights.py", line 253, in parse
system_tags = self.get_tags(systems_by_id.keys())
File "/Users/jmorenas/Desktop/my_stuff/insights-inventory/inventory_plugins/insights.py", line 135, in get_tags
response = self.session.get(url, auth=self.auth, headers=self.headers)
File "/usr/local/lib/python3.9/site-packages/requests/sessions.py", line 555, in get
return self.request('GET', url, **kwargs)
File "/usr/local/lib/python3.9/site-packages/requests/sessions.py", line 542, in request
resp = self.send(prep, **send_kwargs)
File "/usr/local/lib/python3.9/site-packages/requests/sessions.py", line 655, in send
r = adapter.send(request, **kwargs)
File "/usr/local/lib/python3.9/site-packages/requests/adapters.py", line 498, in send
raise ConnectionError(err, request=request)
My environment is the following:
jmorenas-mac:insights-inventory jmorenas$ ansible --version
ansible 2.9.7
config file = /Users/jmorenas/Desktop/my_stuff/insights-inventory/ansible.cfg
configured module search path = ['/Users/jmorenas/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/local/lib/python3.9/site-packages/ansible
executable location = /usr/local/bin/ansible
python version = 3.9.6 (default, Jun 29 2021, 06:20:32) [Clang 12.0.0 (clang-1200.0.32.29)]
Some considerations:
- I suspect the issue is going on when attempting connection here: https://github.com/RedHatInsights/ansible-collections-insights/blob/master/plugins/inventory/insights.py#L135
- This issue only happens when there is a large number of ansible managed hosts (in my case approximately 1700). When running code with fewer hosts it will work. This makes me think that tuning API on server side could help.
- Adding high timeout to connection in source code does not help either.
Jus wanted to bring this up to you guys, so you can be aware of this issue.
Thanks in advance,
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google โค๏ธ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.