Created attachment 1400817 [details] ansible_run.log Description of problem: Credentials for this role is user with role PowerUserRole. Creating VMs will fail with exception see attached log Version-Release number of selected component (if applicable): oVirt.vm-infra (1.1.2) How reproducible: 100% Steps to Reproduce: 1. Have a user with permission of PowerUserRole 2. Run playbook
As I always request, please have the exception within a comment, so it can be searched later: <localhost.localdomain> (0, '\r\n{"exception": "Traceback (most recent call last):\\n File \\"/tmp/ansible_F65Dzm/ansible_module_ovirt_vms.py\\", line 1833, in main\\n clone_permissions=module.params[\'clone_permissions\'],\\n File \\"/tmp/ansible_F65Dzm/ansible_modlib.zip/ansible/module_utils/ovirt.py\\", line 549, in create\\n if not self.update_check(entity):\\n File \\"/tmp/ansible_F65Dzm/ansible_module_ovirt_vms.py\\", line 1109, in update_check\\n equal(self.param(\'placement_policy\'), str(entity.placement_policy.affinity)) and\\nAttributeError: \'NoneType\' object has no attribute \'affinity\'\\n", "ansible_job_id": "417685344436.19688", "failed": true, "finished": 1, "invocation": {"module_args": {"comment": null, "graphical_console": null, "cpu_pinning": null, "force": false, "cloud_init_nics": [], "placement_policy": null, "boot_menu": null, "xen": null, "usb_support": null, "cluster": null, "fetch_nested": false, "io_threads": null, "timezone": null, "watchdog": null, "instance_type": null, "memory_max": null, "id": null, "cpu_sockets": null, "high_availability": null, "timeout": 180, "storage_domain": null, "domain_mappings": [], "high_availability_priority": null, "nics": [], "custom_properties": null, "disk_format": "cow", "sysprep": null, "cpu_cores": null, "ballooning_enabled": null, "cpu_mode": null, "state": "running", "memory_guaranteed": null, "vmware": null, "template": null, "memory": null, "cd_iso": null, "clone_permissions": false, "kernel_path": null, "initrd_path": null, "lease": null, "rng_device": null, "disks": [], "vnic_profile_mappings": [], "affinity_group_mappings": [], "lun_mappings": [], "clone": false, "kvm": null, "boot_devices": null, "nested_attributes": [], "sso": null, "role_mappings": [], "serial_policy": null, "cpu_threads": null, "quota_id": null, "soundcard_enabled": null, "affinity_label_mappings": [], "delete_protected": null, "wait": true, "use_latest_template_version": null, "stateless": null, "cloud_init_persist": false, "serial_policy_value": null, "name": "pkubica-ansible-engine-421", "type": null, "cloud_init": null, "template_version": null, "poll_interval": 3, "host": null, "operating_system": null, "kernel_params": null, "reassign_bad_macs": null, "smartcard_enabled": null, "description": null, "cluster_mappings": [], "serial_console": null, "allow_partial_import": null, "cpu_shares": null}}, "msg": "\'NoneType\' object has no attribute \'affinity\'"}\r\n', 'Shared connection to localhost.localdomain closed.\r\n') Looking at the exception itself, the issue seems to be with: File \\"/tmp/ansible_F65Dzm/ansible_module_ovirt_vms.py\\", line 1109, in update_check\\n equal(self.param(\'placement_policy\'), str(entity.placement_policy.affinity)) and\\nAttributeError: \'NoneType\' object has no attribute \'affinity\'\\n" Which seems to be: equal(self.param('placement_policy'), str(entity.placement_policy.affinity)) Which doesn't explain why it's only for a power user?
If user is a user role (or if any user is using filter:true) we filter placement policy and hosts information from the API result. That's why it fails on NoneType.
Were we affected by current bug in [1]? Snippet from [2]: 2018-03-08 04:42:53,914-0500 ERROR ansible failed {'status': 'FAILED', 'ansible_type': 'task', 'ansible_task': u'Make the engine aware that the external VM is stopped', 'ansible_result': u'type: <type \'dict\'>\nstr: {\'_ansible_parsed\': True, u\'exception\': u\'Traceback (most recent call last):\\n File "/tmp/ansible_j18cwF/ansible_module_ovirt_vms.py", line 1909, in main\\n clone_permissions=module.params[\\\'clone_permissions\\\'],\\n File "/tmp/ansible_j18cwF/ansible_modlib.zip/ansible/module_utils/ovirt.py", line\nrepr: {\'_ansible_parsed\': True, u\'exception\': u\'Traceback (most recent call last):\\n File "/tmp/ansible_j18cwF/ansible_module_ovirt_vms.py", line 1909, in main\\n clone_permissions=module.params[\\\'clone_permissions\\\'],\\n File "/tmp/ansible_j18cwF/ansible_modlib.zip/ansible/module_utils/ovirt.py", line\ndir: [\'__class__\', \'__cmp__\', \'__contains__\', \'__delattr__\', \'__delitem__\', \'__doc__\', \'__eq__\', \'__format__\', \'__ge__\', \'__getattribute__\', \'__getitem__\', \'__gt__\', \'__hash__\', \'__init__\', \'__iter__\', \'__le__\', \'__len__\', \'__lt__\', \'__ne__\', \'__new__\', \'__reduce__\', \'__reduce_ex__\', \'__repr__\', \'__setattr__\', \'__setitem__\', \'__sizeof__\', \'__str__\', \'__subclasshook__\', \'clear\', \'copy\', \'fromkeys\', \'get\', \'has_key\', \'items\', \'iteritems\', \'iterkeys\', \'itervalues\', \'keys\', \'pop\', \'popitem\', \'setdefault\', \'update\', \'values\', \'viewitems\', \'viewkeys\', \'viewvalues\']\npprint: {\'_ansible_no_log\': False,\n \'_ansible_parsed\': True,\n \'changed\': False,\n u\'exception\': u\'Traceback (most recent call last):\\n File "/tmp/ansible_j18cwF/ansible_module_ovirt_vms.py", line 1909, in main\\n clone_permissions=module.params[\\\'clone_permissions\\\'],\\n File "/tmp/ansible_j18cwF/ansible_\n{\'_ansible_parsed\': True, u\'exception\': u\'Traceback (most recent call last):\\n File "/tmp/ansible_j.__doc__: "dict() -> new empty dictionary\\ndict(mapping) -> new dictionary initialized from a mapping object\'s\\n (key, value) pairs\\ndict(iterable) -> new dictionary initialized as if via:\\n d = {}\\n for k, v in iterable:\\n d[k] = v\\ndict(**kwargs) -> new dictionary initialized with the name=value pairs\\n in the keyword argument list. For example: dict(one=1, two=2)"\n{\'_ansible_parsed\': True, u\'exception\': u\'Traceback (most recent call last):\\n File "/tmp/ansible_j.__hash__: None', 'ansible_host': u'localhost', 'ansible_playbook': u'/usr/share/ovirt-hosted-engine-setup/ansible/create_target_vm.yml'} 2018-03-08 04:42:53,914-0500 DEBUG ansible on_any args <ansible.executor.task_result.TaskResult object at 0x2770ad0> kwargs ignore_errors:True 2018-03-08 04:42:54,017-0500 INFO ansible task start {'status': 'OK', 'ansible_task': u'debug', 'ansible_playbook': u'/usr/share/ovirt-hosted-engine-setup/ansible/create_target_vm.yml', 'ansible_type': 'task'} 2018-03-08 04:42:54,017-0500 DEBUG ansible on_any args TASK: debug kwargs is_conditional:False 2018-03-08 04:42:54,185-0500 INFO ansible ok {'status': 'OK', 'ansible_task': u'', 'ansible_host': u'localhost', 'ansible_playbook': u'/usr/share/ovirt-hosted-engine-setup/ansible/create_target_vm.yml', 'ansible_type': 'task'} 2018-03-08 04:42:54,186-0500 INFO ansible ok result._result type: <type 'dict'> str: {u'vmstop_result': {u'msg': u"'NoneType' object has no attribute 'enabled'", u'failed': True, u'exception': u'Traceback (most recent call last):\n File "/tmp/ansible_j18cwF/ansible_module_ovirt_vms.py", line 1909, in main\n clone_permissions=module.params[\'clone_permissions\'],\n File "/tmp/an repr: {u'vmstop_result': {u'msg': u"'NoneType' object has no attribute 'enabled'", u'failed': True, u'exception': u'Traceback (most recent call last):\n File "/tmp/ansible_j18cwF/ansible_module_ovirt_vms.py", line 1909, in main\n clone_permissions=module.params[\'clone_permissions\'],\n File "/tmp/an dir: ['__class__', '__cmp__', '__contains__', '__delattr__', '__delitem__', '__doc__', '__eq__', '__format__', '__ge__', '__getattribute__', '__getitem__', '__gt__', '__hash__', '__init__', '__iter__', '__le__', '__len__', '__lt__', '__ne__', '__new__', '__reduce__', '__reduce_ex__', '__repr__', '__setattr__', '__setitem__', '__sizeof__', '__str__', '__subclasshook__', 'clear', 'copy', 'fromkeys', 'get', 'has_key', 'items', 'iteritems', 'iterkeys', 'itervalues', 'keys', 'pop', 'popitem', 'setdefault', 'update', 'values', 'viewitems', 'viewkeys', 'viewvalues'] pprint: {'_ansible_no_log': False, '_ansible_verbose_always': True, 'changed': False, u'vmstop_result': {'changed': False, u'exception': u'Traceback (most recent call last):\n File "/tmp/ansible_j18cwF/ansible_module_ovirt_vms.py", line 1909, in main\n clone_permissions=module.par {u'vmstop_result': {u'msg': u"'NoneType' object has no attribute 'enabled'", u'failed': True, u'exce.__doc__: "dict() -> new empty dictionary\ndict(mapping) -> new dictionary initialized from a mapping object's\n (key, value) pairs\ndict(iterable) -> new dictionary initialized as if via:\n d = {}\n for k, v in iterable:\n d[k] = v\ndict(**kwargs) -> new dictionary initialized with the name=value pairs\n in the keyword argument list. For example: dict(one=1, two=2)" {u'vmstop_result': {u'msg': u"'NoneType' object has no attribute 'enabled'", u'failed': True, u'exce.__hash__: None [1] http://jenkins.ovirt.org/job/ovirt-system-tests_master_check-patch-el7-x86_64/4295/ [2] http://jenkins.ovirt.org/job/ovirt-system-tests_master_check-patch-el7-x86_64/4295/artifact/exported-artifacts/he-basic-ansible-suite-master__logs/test_logs/he-basic-ansible-suite-master/post-002_bootstrap.py/lago-he-basic-ansible-suite-master-host0/_var_log/ovirt-hosted-engine-setup/ovirt-hosted-engine-setup-ansible-create_target_vm-20180308043614-khjfc4.log
You need to rebase on top of this patch: https://github.com/ansible/ansible/pull/35285 Or wait for Ansible 2.5 where it's fixed.
Updated module included in Ansible 2.5.0
(In reply to Ondra Machacek from comment #4) > You need to rebase on top of this patch: > > https://github.com/ansible/ansible/pull/35285 > > Or wait for Ansible 2.5 where it's fixed. We already have it: see https://github.com/oVirt/ovirt-hosted-engine-setup/blob/master/src/ansible/library/ovirt_vms.py But it still fails on that.
Right, this is different issue. Thanks for reporting it. I've sent PR: https://github.com/ansible/ansible/pull/37249
Is this still targeted 4.2.3 and in status post? All referenced patches are merged unless I missed something
We wait for Ansible 2.5 release so we can bump the requirment, then we can move to modified.
(In reply to Ondra Machacek from comment #9) > We wait for Ansible 2.5 release so we can bump the requirment, then we can > move to modified. Now?
It still isn't possible to create VM within permissions of user. Role want to assign tag to VM but user doesn't have permission for that. It is not possible to not enter the tag due to bug #1570153 The full traceback is: Traceback (most recent call last): File "/tmp/ansible_zpmx6H/ansible_module_ovirt_tags.py", line 232, in main ret = tags_module.create() File "/tmp/ansible_zpmx6H/ansible_modlib.zip/ansible/module_utils/ovirt.py", line 542, in create entity = self.search_entity(search_params) File "/tmp/ansible_zpmx6H/ansible_modlib.zip/ansible/module_utils/ovirt.py", line 778, in search_entity entity = search_by_attributes(self._service, list_params=list_params, name=self._module.params['name']) File "/tmp/ansible_zpmx6H/ansible_modlib.zip/ansible/module_utils/ovirt.py", line 236, in search_by_attributes e for e in service.list(**list_params) if len([ File "/usr/lib64/python2.7/site-packages/ovirtsdk4/services.py", line 26415, in list return self._internal_get(headers, query, wait) File "/usr/lib64/python2.7/site-packages/ovirtsdk4/service.py", line 211, in _internal_get return future.wait() if wait else future File "/usr/lib64/python2.7/site-packages/ovirtsdk4/service.py", line 55, in wait return self._code(response) File "/usr/lib64/python2.7/site-packages/ovirtsdk4/service.py", line 208, in callback self._check_fault(response) File "/usr/lib64/python2.7/site-packages/ovirtsdk4/service.py", line 132, in _check_fault self._raise_error(response, body) File "/usr/lib64/python2.7/site-packages/ovirtsdk4/service.py", line 118, in _raise_error raise error Error: Fault reason is "Operation Failed". Fault detail is "query execution failed due to insufficient permissions.". HTTP response code is 400. failed: [localhost] (item=vm) => { "changed": false, "invocation": { "module_args": { "description": null, "fetch_nested": false, "hosts": null, "name": "vm", "nested_attributes": [], "parent": null, "poll_interval": 3, "state": "present", "timeout": 180, "vms": [ "vm-01", "vm-02" ], "wait": true } }, "item": "vm", "msg": "Fault reason is \"Operation Failed\". Fault detail is \"query execution failed due to insufficient permissions.\". HTTP response code is 400." }
Target release should be placed once a package build is known to fix a issue. Since this bug is not modified, the target version has been reset. Please use target milestone to plan a fix for a oVirt release.
Can you please provide exact reproduction steps, mainly what exact permissions user have, what version of the RHV and what's the value of ENGINE_API_FILTER_BY_DEFAULT config value?
This is not a blocker nor an exception, yet it is targeted for 4.2.3?
I forgot mention the tested version: ansible-2.5.0-1.el7ae.noarch ovirt-ansible-vm-infra-1.1.6-1.el7ev.noarch ENGINE_API_FILTER_BY_DEFAULT="true" Steps: 1. I installed clean environment (with also installed hosts and storage domains with role oVirt.infra) 2. I manually create user: 3. $ ovirt-aaa-jdbc-tool user add ansible 4. $ ovirt-aaa-jdbc-tool user password-reset ansible --password=pass:123456 --password-valid-to="2020-09-20 20:20:40Z" 5. In webadmin: Administration -> Configure -> System Permissions -> Add search for user and add him with permission: "PowerUserRole" 6. Run the playbook: - hosts: localhost gather_facts: false remote_user: root # credentials variables are missing vars: wait_for_ip: false debug_vm_create: true vm01: cluster: Default template: Blank vms: - name: vm-01 tag: vm profile: "{{vm01}}" - name: vm-02 tag: vm profile: "{{vm01}}" roles: - ovirt-vm-infra
The issue is that user can't access /api/tags/ endpoint.
Users are not supposed to use tags, only admins can do that. As no user-like client ever supported tags and there are no plans to introduce tag support for users, we have made a doc change that tags are supported only for admins and uploaded new version of the role
Verified ovirt-ansible-vm-infra-1.1.7-1.el7ev.noarch ansible-2.5.2-1.el7ae.noarch
This bugzilla is included in oVirt 4.2.3 release, published on May 4th 2018. Since the problem described in this bug report should be resolved in oVirt 4.2.3 release, it has been closed with a resolution of CURRENT RELEASE. If the solution does not work for you, please open a new bug report.