Bug 1897707

Summary:	Ansible roles cannot be imported when roles_path is defined under /etc/ansible/ansible.cfg
Product:	Red Hat Satellite	Reporter:	Rafael Cavalcanti <rcavalca>
Component:	Ansible	Assignee:	satellite6-bugs <satellite6-bugs>
Status:	ASSIGNED ---	QA Contact:	Satellite QE Team <sat-qe-bz-list>
Severity:	low	Docs Contact:
Priority:	unspecified
Version:	6.10.0	CC:	ahumbe, gardar.arnarsson, hakon.gislason, oezr
Target Milestone:	Unspecified	Keywords:	Reopened, Triaged
Target Release:	Unused
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:		Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2021-06-03 06:52:26 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Rafael Cavalcanti 2020-11-13 20:38:47 UTC

Description of problem:

Ansible roles can not be imported when 'roles_path' is defined in /etc/ansible/ansible.cfg


Version-Release number of selected component (if applicable):
I have tested on 6.7 and 6.8


How reproducible:
100%

Steps to Reproduce:
1. Edit /etc/ansible/ansible.cfg by defining the 'roles_path' variable.
Eg.: roles_path    = /root/git/ansible/roles

2. Try to import ansible roles by going to Satellite webUI -> Configure -> Roles(under Ansible section)
   

Actual results:
we get a message saying "No changes in roles detected on <sat/capsule>"


Expected results:
The Ansible roles should be found under /etc/ansible/roles and listed in the WebUI to be imported.


Additional info:
It seems the /etc/ansible/ansible.cfg takes precedence over /etc/foreman-proxy/ansible.cfg
in '/opt/theforeman/tfm/root/usr/share/gems/gems/smart_proxy_ansible-3.0.1/lib/smart_proxy_ansible/roles_reader.rb'

Comment 1 Ondřej Ezr 2020-12-10 10:54:39 UTC

Created redmine issue https://projects.theforeman.org/issues/31489 from this bug

Comment 2 Yifat Makias 2021-06-03 06:52:26 UTC

This bug is resolved and therefor closing.

Comment 3 Danny Synk 2021-08-19 15:44:39 UTC

Failed QA on Satellite 6.10, snap 14.

Steps to Test:
1. Set the roles_path in /etc/ansible/ansible.cfg:

# grep roles_path /etc/ansible/ansible.cfg 
roles_path = /root/ansible/roles

2. In the Satellite webUI, navigate to Configure > Roles. 

3. Click the "Import from satellite.example.com" button and observe the number of roles available for import.

4. Unset the roles_path in /etc/ansible/ansible.cfg:

# sed -i 's/roles_path/# roles_path/g' /etc/ansible/ansible.cfg

5. In the Satellite webUI, navigate to Configure > Roles. 

6. Click the "Import from satellite.example.com" button and observe the number of roles available for import.

Expected Results:
The same number of roles are available for import regardless of whether the roles_path is set in /etc/ansible/ansible.cfg.

Actual Results:
With the roles_path set, 11 roles are available for import on an otherwise freshly-installed Satellite 6.10. Without the roles_path set, 14 roles are available for import. The difference is the three roles installed by default in /usr/share/ansible/roles. These are roles are available for import when the roles_path is not defined in /etc/ansible/ansible.cfg, but they are not available for import when the roles_path is defined in /etc/ansible/ansible.cfg.

Additional Notes:
It's unclear to me whether, after setting the roles_path in /etc/ansible/ansible.cfg and installing or creating roles in the roles_path directory, those roles should be available for import into Satellite. However, I found this not to be the case. For example:

~~~
# grep roles_path /etc/ansible/ansible.cfg
roles_path = /root/ansible/roles

# ansible-galaxy install redhatinsights.insights-client
- downloading role 'insights-client', owned by redhatinsights
- downloading role from https://github.com/RedHatInsights/insights-client-role/archive/v1.7.2.tar.gz
- extracting redhatinsights.insights-client to /root/ansible/roles/redhatinsights.insights-client
- redhatinsights.insights-client (v1.7.2) was installed successfully
~~~

The role was installed to the roles_path directory as expected, but it was not subsequently available for import into Satellite.

Comment 4 Ondřej Pražák 2021-09-10 07:18:41 UTC

The current behavior for roles import is as follows:

* capsule reads content of /etc/ansible/ansible.cfg
* if no 'roles_path' entry in config is found, it uses default paths /etc/ansible/roles:/usr/share/ansible/roles
* if 'roles_path' entry is found, capsule imports from paths specified

Roles import is restricted by permissions/SELinux context, so having 'roles_path = /root/git/ansible/roles' is expected not to import any roles as capsule process is not allowed to access /root

It is possible to import roles from a custom folder with correct permissions:

* mkdir -p /tmp/ansible/roles
* chown -R foreman-proxy:foreman-proxy /tmp/ansible
* add 'roles_path = /tmp/ansible/roles' to /etc/ansible/ansible.cfg
* ansible-galaxy install -p /tmp/ansible/roles some.role
* import

However when a role from a custom location is assigned to a host and 'play ansible roles' action triggered, then job execution is complaining about the role not being found. That is caused by job execution using /usr/share/foreman-proxy/.ansible.cfg with its own roles_path. This behavior has been present for a long time and we would like to change it in the future, but it will not be for 6.10.

Comment 6 Dominik Matoulek 2021-10-08 09:07:40 UTC

*** Bug 1825268 has been marked as a duplicate of this bug. ***

Comment 8 Bryan Kearney 2021-11-16 12:03:21 UTC

Upstream bug assigned to dmatoule