Bug 1511658 - Need additional python packages to be installed on our appliances to support manageiq ansible modules [NEEDINFO]
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: Build
Version: 5.9.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: GA
Target Release: cfme-future
Assignee: Satoe Imaishi
QA Contact: Dave Johnson
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-11-09 19:49 UTC by mkanoor
Modified: 2017-12-05 15:45 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-11-13 19:37:10 UTC
Category: ---
Cloudforms Team: ---
mkanoor: needinfo? (jhardy)



Description mkanoor 2017-11-09 19:49:43 UTC
Description of problem:
We have manageiq ansible modules that allow an Ansible Playbook to interact with our VMDB Objects and automate workspace. These modules have dependencies on the python packages dpath, requests and manageiq-api-client-python. When a user targets a playbook to run on the same appliance as the embedded ansible appliance, Ansible locks the virtualenv and prevents installation of any new python package dependencies for security reasons, and the job execution fails. The Ansible team recommends that the additional packages be installed as part of our build/install process.

Version-Release number of selected component (if applicable):


How reproducible:
100%

Steps to Reproduce:
1. Add an Ansible Git Repository in CFME pointing to https://github.com/syncrou/playbooks
2. Run playbook https://github.com/syncrou/playbooks/blob/master/manageiq/siphon_method_parameters.yml
3. This can be run as an Automate Method

Actual results:
failed: [localhost] (item=dpath) => {"changed": false, "cmd": "/var/lib/awx/venv/ansible/bin/pip install dpath"
error: could not create '/var/lib/awx/venv/ansible/lib/python2.7/site-packages/dpath': Permission denied\n


Expected results:
When running any provisioning using an Ansible playbook, a user would specify the target as localhost (the Ansible Appliance).
The Ansible Playbook using the Ansible module should run without any errors.

Additional info:
Post installation, we need to install the following 3 packages on the Embedded Ansible appliance:
/var/lib/awx/venv/ansible/bin/pip install dpath
/var/lib/awx/venv/ansible/bin/pip install requests
/var/lib/awx/venv/ansible/bin/pip install git+https://github.com/syncrou/manageiq-api-client-python.git#egg=manageiq_client

Comment 2 Dave Johnson 2017-11-09 20:03:00 UTC
Please assess the impact of this issue and update the severity accordingly.  Please refer to https://bugzilla.redhat.com/page.cgi?id=fields.html#bug_severity for a reminder on each severity's definition.

If it's something like a tracker bug where it doesn't matter, please set the severity to Low.

Comment 3 mkanoor 2017-11-09 22:47:49 UTC
John,
If we have to support our ansible modules for 4.6/5.9, we would need additional packages installed. Since it's our own modules, it makes sense to add it to our installer.

If we don't do this, then the customer would have to log in to the embedded ansible appliance and manually install these 3 packages.

/var/lib/awx/venv/ansible/bin/pip install dpath
/var/lib/awx/venv/ansible/bin/pip install requests
/var/lib/awx/venv/ansible/bin/pip install git+https://github.com/syncrou/manageiq-api-client-python.git#egg=manageiq_client

Based on these can you decide on the severity of this ticket?

Comment 4 Dave Johnson 2017-11-09 23:03:00 UTC
Please assess the impact of this issue and update the severity accordingly.  Please refer to https://bugzilla.redhat.com/page.cgi?id=fields.html#bug_severity for a reminder on each severity's definition.

If it's something like a tracker bug where it doesn't matter, please set the severity to Low.

Comment 5 mkanoor 2017-11-13 19:37:10 UTC
We spoke to the Ansible team and they mentioned that they recommend not installing any packages on localhost (the appliance that is running the Ansible tower/embedded ansible) since it can pose a security risk. It's OK to install extra dependent packages on VM instances that the tower would be targeting, but not on localhost.

They also recommended using native ansible python code to handle HTTP GET/POST instead of using the python requests package.

The dpath requirement can be easily added to our Ansible module. The requests can be swapped out with the Ansible utility modules.

fetch_url: https://github.com/ansible/ansible/blob/devel/lib/ansible/module_utils/urls.py#L929

open_url: https://github.com/ansible/ansible/blob/devel/lib/ansible/modules/net_tools/basics/get_url.py#L309

So we would be planning on changing our module to use the Ansible utility packages instead of creating our own.

So closing for now.
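
A sketch of the approach Comment 5 describes, added here as an example and not taken from the bug report or the ManageIQ modules: an Ansible module that fetches JSON with Ansible's bundled `fetch_url` and reads a nested value with a small inlined lookup, so nothing has to be pip-installed into the control node's virtualenv. The helper names `path_get` and `api_get` and the `path` parameter are hypothetical.

```python
import json


def path_get(doc, path, sep="/"):
    """Inlined stand-in for a dpath-style lookup on exact (glob-free) paths."""
    node = doc
    for key in path.strip(sep).split(sep):
        if isinstance(node, list):
            node = node[int(key)]   # list segments are integer indexes
        else:
            node = node[key]        # raises KeyError on a missing key
    return node


def api_get(module, url, fetch):
    """GET a JSON document through a fetch_url-compatible callable."""
    resp, info = fetch(module, url, method="GET",
                       headers={"Accept": "application/json"})
    if resp is None or info.get("status") != 200:
        raise RuntimeError("GET %s failed: %s %s"
                           % (url, info.get("status"), info.get("msg")))
    return json.loads(resp.read())


def main():
    # Imported here so the helpers above can be exercised without Ansible.
    from ansible.module_utils.basic import AnsibleModule
    from ansible.module_utils.urls import fetch_url, url_argument_spec

    # url_argument_spec() supplies url_username, url_password, validate_certs...
    spec = url_argument_spec()
    spec.update(url=dict(type="str", required=True),
                path=dict(type="str", required=True))
    module = AnsibleModule(argument_spec=spec, supports_check_mode=True)
    try:
        doc = api_get(module, module.params["url"], fetch_url)
        value = path_get(doc, module.params["path"])
    except (RuntimeError, KeyError, IndexError, ValueError) as exc:
        module.fail_json(msg=str(exc))
    module.exit_json(changed=False, value=value)


if __name__ == "__main__":
    main()
```

Because `fetch_url` takes its credentials and certificate-validation settings from the module's own parameters, the playbook needs no `pip` task against localhost.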

