Bug 1967270

Summary: [OSP16.1] lunasa_hsm role fails on use of ansible_fqdn
Product: Red Hat OpenStack Reporter: Dave Wilde <dwilde>
Component: ansible-role-lunasa-hsmAssignee: Dave Wilde <dwilde>
Status: CLOSED ERRATA QA Contact: Jeremy Agee <jagee>
Severity: high Docs Contact:
Priority: high    
Version: 16.1 (Train)CC: jagee, mkopec
Target Milestone: z7Keywords: Triaged, ZStream
Target Release: 16.1 (Train on RHEL 8.2)   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ansible-role-lunasa-hsm-1.0.0-1.20210609143309.1f79d94.el8ost Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: 1967083 Environment:
Last Closed: 2021-12-09 20:19:39 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1967083    
Bug Blocks:    

Description Dave Wilde 2021-06-02 17:58:39 UTC 
+++ This bug was initially created as a clone of Bug #1967083 +++

Clone for 16.1

Description of problem:
TASK [lunasa_hsm : set client facts for fqdn] **********************************
Tuesday 01 June 2021  18:16:12 -0400 (0:00:06.966)       0:19:40.336 ********** 
skipping: [controller-0] => {"changed": false, "skip_reason": "Conditional result was False"}

TASK [lunasa_hsm : set client facts for IP override] ***************************
Tuesday 01 June 2021  18:16:12 -0400 (0:00:00.066)       0:19:40.403 ********** 
fatal: [controller-0]: FAILED! => {"msg": "The task includes an option with an undefined variable. The error was: 'ansible_fqdn' is undefined\n\nThe error appears to be in '/usr/share/ansible/roles/lunasa_hsm/tasks/main.yaml': line 37, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n- name: set client facts for IP override\n  ^ here\n"}

Version-Release number of selected component (if applicable):
[stack@undercloud share]$ rpm -qa ansible-role-lunasa-hsm
ansible-role-lunasa-hsm-1.0.0-1.20210315120131.1f79d94.el8ost.noarch

How reproducible:
This was encountered during an upshift-ansible 16.2 deploy with the following compose RHOS-16.2-RHEL-8-20210525.n.0 [0].  My Barbican parameters are:

[stack@undercloud ~]$ cat barbican-extra-parameters.yaml 
---
parameter_defaults:
  BarbicanPkcs11CryptoMKEKLabel: "dwilde_mkek_0"
  BarbicanPkcs11CryptoHMACLabel: "dwilde_hmac_0"
  BarbicanPkcs11CryptoTokenLabel: "myHAGroup"
  BarbicanPkcs11CryptoLogin: "z6nwEm6zSYFsyQGh"
  BarbicanPkcs11CryptoGlobalDefault: true
  LunasaVars:
    lunasa_client_tarball_name: 610-012382-014_SW_Client_HSM_6.2_RevA.tar.zip
    lunasa_client_tarball_location: http://download-node-02.eng.bos.redhat.com/qa/rhts/lookaside/IdM/rhcs/lunasa_software/610-012382-014_SW_Client_HSM_6.2_RevA.tar.zip
    lunasa_client_installer_path: 610-012382-014_SW_Client_HSM_6.2_RevA/linux/64/install.sh
    lunasa_hsms:
      - hostname: os-luna-hsm-1.perf.lab.eng.rdu2.redhat.com
        admin_password: "ABC123!!!"
        partition: secdfgPartition1
        partition_serial: 545656014
      - hostname: os-luna-hsm-2.perf.lab.eng.rdu2.redhat.com
        admin_password: "ABC123!!!"
        partition: secdfgPartition1
        partition_serial: 572142014
  LunasaClientIPNetwork: hsmnet
  ControllerIPs:
    hsmnet:
      - "10.0.110.168"

Steps to Reproduce:
1. Configure upshift-ansible to deploy a lunasa environment:

❯ cat vars.yaml
---

# Dave is the one who setup the gitlab runner, which requires an application
# credential from keystone to get tokens and interact with Upshift. This
# requires Dave's user in upshift to be used for deployments and because
# upshift-ansible needs a key to inject into instances. Since keypairs in nova
# are user-specific, and application credentials in keystone are user-specific,
# both need to be setup by the same user. For example, this would break if one
# person created the keypair and the other created the application credential
# because the application credential wouldn't be able to list keypairs in nova
# since they belong to different users.
#
# This is something we need to be aware of if we need to rotate out this user, key,
# or application credential.
username: dwilde
keypair_name: dwilde

additional_keys: 
  - 'https://github.com/vakwetu.keys'
  - 'https://github.com/HarryRybacki.keys'
  - 'https://github.com/lbragstad.keys'
  - 'https://github.com/d34dh0r53.keys'
  - 'https://github.com/xek.keys'
  - 'https://github.com/dmend.keys'
  - 'https://github.com/jagee.keys'
  - 'https://github.com/moisesguimaraes.keys'
  - >
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8zXFd+1fWundCc8sr6uVJv8DAGtWVkzfG6MiM6RKRR/hWIVWhPdlW0VQc7VtbfCnaD91iPtb6ag3+FnnDmDlgCPFN0QXGjNtalJ9Dy/1pZ6VY7K3eDENls+cQH4+fG9Yte5tOgTqRVVQrwQjJ7yE7DIez6BNCbTZdsTT42Xan11QbOhWIzE0vT0xZM77knuSy4gEDH/es3I2888yBYwXCpEmhY/2Qb+8GxtTpdoB0v/HTco8e7ENiiwWlEO5S7BoemDlWye3DX/H2MJlybBx8qXBk2Kh13cT9V8N6/fLQFRK47u/hL8N9QCsqzh9KhzZstilwx4Gc/yex0hzahMep rheslop.local

openstack_platform: osp
osp_version: '16.1'
osp_puddle: 'passed_phase2'
deployment_name: dwilde-16-2-luna
barbican_simple_crypto: False
barbican_luna: True
hsm_network_name: provider_net_shared_3
compute_count: 1
controller_count: 1
enable_novajoin: False
enable_ovb: False
enable_tls: True
os_cloud_config: upshift-dwilde
private_network_name: dwilde-private-2
external_network: provider_net_shared_3
server_create_timeout: 600
#distro_packages:
#  - redhat-lsb-core
#  - iptables-services

2. Deploy environment

Actual results:
Failure seen above:

TASK [lunasa_hsm : set client facts for IP override] ***************************
Tuesday 01 June 2021  18:16:12 -0400 (0:00:00.066)       0:19:40.403 ********** 
fatal: [controller-0]: FAILED! => {"msg": "The task includes an option with an undefined variable. The error was: 'ansible_fqdn' is undefined\n\nThe error appears to be in '/usr/share/ansible/roles/lunasa_hsm/tasks/main.yaml': line 37, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n- name: set client facts for IP override\n  ^ here\n"}

Expected results:
Successful Deployment

Additional info:
We were able to fix this in other places by setting the ansible_fqdn fact in the calling playbook, but the better fix is to stop using ansible_fqdn in the role itself, ansible_facts['fqdn'] is a good alternative.

[0]: http://download.eng.brq.redhat.com/rcm-guest/puddles/OpenStack/16.2-RHEL-8/RHOS-16.2-RHEL-8-20210525.n.0/
Comment 11 Martin Kopec 2021-08-16 09:12:25 UTC 
ansible_fqdn has been removed from the ansible-role-lunasa-hsm role and has been replace by a correct alternative - ansible_facts['fqdn'] .. the role don't fail on the mentioned error anymore.

ansible-role-lunasa-hsm-1.0.0-1.20210609143309.1f79d94.el8ost build (Fixed in version) contains the fix. The build is part of RHOS-16.1-RHEL-8-20210722.n.3 puddle plus the puddles after that (most latest one is RHOS-16.1-RHEL-8-20210804.n.0).

VERIFIED
Comment 21 errata-xmlrpc 2021-12-09 20:19:39 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Red Hat OpenStack Platform 16.1.7 (Train) bug fix and enhancement advisory), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:3762