Bug 1655183 - Certificate expiry checks fail when `openshift_is_atomic` is undefined
Summary: Certificate expiry checks fail when `openshift_is_atomic` is undefined
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 3.11.0
Hardware: Unspecified
OS: Linux
high
high
Target Milestone: ---
: 3.11.z
Assignee: Scott Dodson
QA Contact: Gaoyun Pei
URL:
Whiteboard:
: 1662992 (view as bug list)
Depends On:
Blocks: 1662730
TreeView+ depends on / blocked
 
Reported: 2018-11-30 21:37 UTC by Pavel Anni
Modified: 2024-03-25 15:10 UTC (History)
19 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Certain certificate expiry check playbooks did not call properly initialization functions resulting in an error. Those playbooks have been updated to avoid this problem.
Clone Of:
Environment:
Last Closed: 2019-02-20 14:11:02 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)
openshift-ansible log (7.32 KB, text/plain)
2018-11-30 21:37 UTC, Pavel Anni 		no flags Details
View All


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:0326 0 None None None 2019-02-20 14:11:09 UTC

Internal Links: 1667618

Description Pavel Anni 2018-11-30 21:37:06 UTC 
Created attachment 1510275 [details]
openshift-ansible log

Description of problem:

`openshift-checks/certificate_expiry/easy-mode.yaml` playbook and others from `certificate_expiry` fail when `openshift_is_atomic` is undefined. The error message is:
fatal: [master1.c49d.internal]: FAILED! => {"msg": "The conditional check 'not openshift_is_atomic | bool' failed. The error was: error while evaluating conditional (not openshift_is_atomic | bool): 'openshift_is_atomic' is undefined\n\nThe error appears to have been in '/usr/share/ansible/openshift-ansible/roles/openshift_certificate_expiry/tasks/main.yml': line 2, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n---\n- name: Ensure python dateutil library is present\n  ^ here\n"}

for all cluster nodes. The error disappears when I set openshift_is_atomic=true in the inventory file.

Version-Release number of the following components:
rpm -q openshift-ansible
openshift-ansible-3.11.43-1.git.0.fa69a02.el7.noarch
rpm -q ansible
ansible-2.6.7-1.el7ae.noarch
ansible --version
ansible 2.6.7
  config file = /usr/share/ansible/openshift-ansible/ansible.cfg
  configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /bin/ansible
  python version = 2.7.5 (default, Sep 12 2018, 05:31:16) [GCC 4.8.5 20150623 (Red Hat 4.8.5-36)]

How reproducible:

Steps to Reproduce:
1. On the Ansible host (bastion in my case): 
cd /usr/share/ansible/openshift-ansible
2. ansible-playbook playbooks/openshift-checks/certificate_expiry/easy-mode.yaml


Actual results:
Please include the entire output from the last TASK line through the end of output if an error is generated

Error messages (repeated for the number of cluster nodes):
fatal: [master1.c49d.internal]: FAILED! => {"msg": "The conditional check 'not openshift_is_atomic | bool' failed. The error was: error while evaluating conditional (not openshift_is_atomic | bool): 'openshift_is_atomic' is undefined\n\nThe error appears to have been in '/usr/share/ansible/openshift-ansible/roles/openshift_certificate_expiry/tasks/main.yml': line 2, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n---\n- name: Ensure python dateutil library is present\n  ^ here\n"}

The report is not generated.

Expected results:

Certificate expiry report is generated.

Additional info:
Please attach logs from ansible-playbook with the -vvv flag
Comment 4 Scott Dodson 2019-01-03 14:42:55 UTC 
*** Bug 1662730 has been marked as a duplicate of this bug. ***
Comment 5 Scott Dodson 2019-01-03 14:43:55 UTC 
*** Bug 1662992 has been marked as a duplicate of this bug. ***
Comment 6 Greg Rodriguez II 2019-01-07 18:35:19 UTC 
Customer in 3.11 hitting same issue.  They have the following update indicating workaround:

~~~

I should also mention that when I define 'openshift_is_atomic' (set to false) to my (dynamic) ansible inventory I am able to execute the playbook successfully, so for the meantime I have a feasible workaround.

~~~
Comment 7 Daein Park 2019-01-21 02:34:27 UTC 
Hi, I've opened the PR which related with this BZ here: https://github.com/openshift/openshift-ansible/pull/11033
Comment 9 Gene Siepka 2019-01-22 15:18:23 UTC 
Seeing the same in 3.10. Able to bypass by setting adding "-e openshift_is_atomic=true" on the cmdline of the playbook run.


# rpm -q openshift-ansible
openshift-ansible-3.10.83-1.git.0.12699eb.el7.noarch

# rpm -q ansible
ansible-2.4.6.0-1.el7ae.noarch
Comment 10 Scott Dodson 2019-01-22 15:55:47 UTC 
PR Merged, thanks.
Comment 12 Gaoyun Pei 2019-02-11 06:40:26 UTC 
Could reproduce this bug with openshift-ansible-3.11.59-1.git.0.ba8e948.el7.noarch.rpm


Fixed in openshift-ansible-3.11.82-1.git.0.f29227a.el7.noarch.rpm

playbooks/openshift-checks/certificate_expiry/easy-mode.yaml could run successfully.
Comment 17 errata-xmlrpc 2019-02-20 14:11:02 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0326
Comment 18 Sascha Tanke 2020-02-13 07:06:28 UTC 
Issue seems to appear again at least with openshift-ansible-3.11.157-1.git.0.10b76ed.
Note You need to log in before you can comment on or make changes to this bug.