Fixes commit a28eb94, which broke validate_certs = False for python <… #34887
Can you explain in more detail how this is failing? We shouldn't be doing specific version checks like this, as vendors are known to backport changes like this into older versions. Instead we should rely on functionality tests. |
The ssl module doesn't have _create_unverified_context in python < 2.7.9, causing the error below.

```
<localhost> ESTABLISH LOCAL CONNECTION FOR USER: root
<localhost> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /tmp/ansible-tmp-1516036846.26-125420619837893 `" && echo ansible-tmp-1516036846.26-125420619837893="` echo /tmp/ansible-tmp-1516036846.26-125420619837893 `" ) && sleep 0'
<localhost> PUT /tmp/tmpZGfkK5 TO /tmp/ansible-tmp-1516036846.26-125420619837893/vsphere_guest.py
<localhost> EXEC /bin/sh -c 'chmod u+x /tmp/ansible-tmp-1516036846.26-125420619837893/ /tmp/ansible-tmp-1516036846.26-125420619837893/vsphere_guest.py && sleep 0'
<redacted>
The full traceback is:
Traceback (most recent call last):
  File "/tmp/ansible_Dw4Ecm/ansible_module_vsphere_guest.py", line 1933, in <module>
    main()
  File "/tmp/ansible_Dw4Ecm/ansible_module_vsphere_guest.py", line 1802, in main
    ssl._create_default_https_context = ssl._create_unverified_context
AttributeError: 'module' object has no attribute '_create_unverified_context'
fatal: [10.12.32.116 -> localhost]: FAILED! => {
    "attempts": 1,
    "changed": false,
    "module_stderr": "Traceback (most recent call last):\n File \"/tmp/ansible_Dw4Ecm/ansible_module_vsphere_guest.py\", line 1933, in <module>\n main()\n File \"/tmp/ansible_Dw4Ecm/ansible_module_vsphere_guest.py\", line 1802, in main\n ssl._create_default_https_context = ssl._create_unverified_context\nAttributeError: 'module' object has no attribute '_create_unverified_context'\n",
    "module_stdout": "",
    "msg": "MODULE FAILURE",
    "rc": 0
}
```

```yaml
- name: Create the VM
  vsphere_guest:
    vcenter_hostname: "{{ vcenter_hostname }}"
    username: "{{ username }}"
    password: "{{ password }}"
    validate_certs: False
    cluster: "{{ cluster }}"
    guest: "{{ guest }}"
    state: present
    vm_hardware:
      memory_mb: "{{ memory_gb|int * 1024 }}"
      num_cpus: "{{ num_cpus|int }}"
      osid: "{{ osid }}"
      scsi: "{{ scsi }}"
      vm_cdrom:
        type: "client"
    vm_disk: "{{ disks }}"
    vm_nic: "{{ nics }}"
    esxi:
      datacenter: "{{ datacenter }}"
      hostname: "{{ hostname }}"
```
|
I believe we need to expand our logic at
If As you can see in that logic, we are also checking for functionality, and not just doing a version comparison. I don't think we should silently ignore a value that is passed in by the user. |
The test
|
I'm not sure I completely follow what you're saying. Are you thinking something like this instead or am I misunderstanding?

```python
if validate_certs and not hasattr(ssl, 'SSLContext') and not vcenter_hostname.startswith('http://'):
    module.fail_json(msg='pysphere does not support verifying certificates with python < 2.7.9. Either update python or set '
                         'validate_certs=False on the task')
if not validate_certs and hasattr(ssl, 'SSLContext'):
    ssl._create_default_https_context = ssl._create_unverified_context
```
|
That is partially correct. We should check for functionality, not for a specific version. However, I was saying, that if a user explicitly tries to influence the results of certification verification, either with a @Akasurde will need to review. |
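The feature-test approach discussed above, as an added example that is not code from this PR or from Ansible: it probes for `_create_unverified_context` itself, so an `ssl` module that has `SSLContext` but lacks that helper does not hit the `AttributeError`. The function names and the three stand-in `ssl` objects are hypothetical and constructed for illustration.

```python
import ssl
import types


def plan_tls_handling(validate_certs, vcenter_hostname, ssl_module=ssl):
    """Pick an action by probing for the attributes that will actually be used."""
    if validate_certs:
        # Same condition as the check quoted in the thread.
        if hasattr(ssl_module, 'SSLContext') or vcenter_hostname.startswith('http://'):
            return 'default'
        return 'fail'
    # Probe the exact attribute we are about to read, not a neighbouring one.
    if hasattr(ssl_module, '_create_unverified_context'):
        return 'patch_unverified'
    # Hook absent: stock interpreters without it predate PEP 476, so HTTPS
    # clients there do not verify certificates by default.
    return 'noop_legacy'


def apply_tls_handling(validate_certs, vcenter_hostname, ssl_module=ssl):
    action = plan_tls_handling(validate_certs, vcenter_hostname, ssl_module)
    if action == 'fail':
        raise RuntimeError('certificate verification requested but unsupported here')
    if action == 'patch_unverified':
        # Process-wide: every HTTPS client created afterwards in this
        # interpreter skips verification, not only the vCenter connection.
        ssl_module._create_default_https_context = ssl_module._create_unverified_context
    return action


# Constructed stand-ins for the ssl module (assumptions for illustration).
LEGACY_SSL = types.SimpleNamespace()                    # neither attribute
PARTIAL_SSL = types.SimpleNamespace(SSLContext=object)  # SSLContext only
MODERN_SSL = types.SimpleNamespace(
    SSLContext=object,
    _create_unverified_context=lambda: 'unverified-context',
    _create_default_https_context=lambda: 'verified-context',
)

if __name__ == '__main__':
    for name, mod in [('legacy', LEGACY_SSL), ('partial', PARTIAL_SSL), ('modern', MODERN_SSL)]:
        print(name, plan_tls_handling(False, '10.10.10.10', mod))
```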
Cool. I've updated my commit to reflect what we've discussed for the time being. |
@MikeKlebolt Are you still working on this? Also, could you please add In one of the IRC meetings of VMware SIG, we decided to merge all vsphere_guest PRs based on Let me know if you need any other information. |
@Akasurde, I have recently switched to the vmware_guest module after finding out that this module was being deprecated. Anyways, here is the vvvv output for you.

```
TASK [Preparation : Create the VM] ****************************************************************************************************
task path: /etc/ansible/roles/Preparation/tasks/prepareVM.yml:187
Using module file /data01/ansible/lib/ansible/modules/cloud/vmware/vsphere_guest.py
<localhost> ESTABLISH LOCAL CONNECTION FOR USER: root
<localhost> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /tmp/ansible-local-13403ONMcxi/ansible-tmp-1519051847.41-243491483079223 `" && echo ansible-tmp-1519051847.41-243491483079223="` echo /tmp/ansible-local-13403ONMcxi/ansible-tmp-1519051847.41-243491483079223 `" ) && sleep 0'
<localhost> PUT /tmp/ansible-local-13403ONMcxi/tmpYxxoxa TO /tmp/ansible-local-13403ONMcxi/ansible-tmp-1519051847.41-243491483079223/vsphere_guest.py
<localhost> EXEC /bin/sh -c 'chmod u+x /tmp/ansible-local-13403ONMcxi/ansible-tmp-1519051847.41-243491483079223/ /tmp/ansible-local-13403ONMcxi/ansible-tmp-1519051847.41-243491483079223/vsphere_guest.py && sleep 0'
<localhost> EXEC /bin/sh -c '/usr/bin/python /tmp/ansible-local-13403ONMcxi/ansible-tmp-1519051847.41-243491483079223/vsphere_guest.py && sleep 0'
The full traceback is:
Traceback (most recent call last):
  File "/tmp/ansible_2lDCBn/ansible_module_vsphere_guest.py", line 1933, in <module>
    main()
  File "/tmp/ansible_2lDCBn/ansible_module_vsphere_guest.py", line 1802, in main
    ssl._create_default_https_context = ssl._create_unverified_context
AttributeError: 'module' object has no attribute '_create_unverified_context'
fatal: [10.12.32.120 -> localhost]: FAILED! => {
    "changed": false,
    "failed": true,
    "module_stderr": "Traceback (most recent call last):\n File \"/tmp/ansible_2lDCBn/ansible_module_vsphere_guest.py\", line 1933, in <module>\n main()\n File \"/tmp/ansible_2lDCBn/ansible_module_vsphere_guest.py\", line 1802, in main\n ssl._create_default_https_context = ssl._create_unverified_context\nAttributeError: 'module' object has no attribute '_create_unverified_context'\n",
    "module_stdout": "",
    "msg": "MODULE FAILURE",
    "rc": 1
}
```
|
@MikeKlebolt Thanks for output. Sorry for not being specific about logs. I meant about success output of |
My mistake...here you go.

```
Using module file /data01/ansible/lib/ansible/modules/cloud/vmware/_vsphere_guest.py
<localhost> ESTABLISH LOCAL CONNECTION FOR USER: root
<localhost> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /tmp/ansible-tmp-1519056036.42-15896784017891 `" && echo ansible-tmp-1519056036.42-15896784017891="` echo /tmp/ansible-tmp-1519056036.42-15896784017891 `" ) && sleep 0'
<localhost> PUT /tmp/ansible-local-16062MJVCiN/tmpBv0bjh TO /tmp/ansible-tmp-1519056036.42-15896784017891/_vsphere_guest.py
<localhost> EXEC /bin/sh -c 'chmod u+x /tmp/ansible-tmp-1519056036.42-15896784017891/ /tmp/ansible-tmp-1519056036.42-15896784017891/_vsphere_guest.py && sleep 0'
<localhost> EXEC /bin/sh -c '/usr/bin/python /tmp/ansible-tmp-1519056036.42-15896784017891/_vsphere_guest.py && sleep 0'
<localhost> EXEC /bin/sh -c 'rm -f -r /tmp/ansible-tmp-1519056036.42-15896784017891/ > /dev/null 2>&1 && sleep 0'
[DEPRECATION WARNING]: The 'vsphere_guest' module has been deprecated. Use 'vmware_guest' instead.. This feature will be removed in version 2.9. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
ok: [10.12.32.120 -> localhost] => {
    "changed": false,
    "failed": false,
    "invocation": {
        "module_args": {
            "cluster": "clustername",
            "esxi": {
                "datacenter": "datacenter",
                "hostname": "hostname"
            },
            "force": false,
            "from_template": null,
            "guest": "guestname",
            "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "power_on_after_clone": true,
            "resource_pool": null,
            "snapshot_to_clone": null,
            "state": "present",
            "template_src": null,
            "username": "user@domain.com",
            "validate_certs": false,
            "vcenter_hostname": "10.10.10.10",
            "vm_disk": {
                "disk1": {
                    "datastore": "local-datastore",
                    "size_gb": 20,
                    "type": "thin"
                }
            },
            "vm_hardware": {
                "memory_mb": "1024",
                "num_cpus": "1",
                "osid": "rhel6_64Guest",
                "scsi": "paravirtual",
                "vm_cdrom": {
                    "type": "client"
                }
            },
            "vm_hw_version": null,
            "vm_nic": {
                "nic1": {
                    "network": "jumpkick",
                    "network_type": "standard",
                    "type": "vmxnet3"
                }
            },
            "vmware_guest_facts": null
        }
    }
}
}
```
|
@MikeKlebolt Thanks for output. One more thing - rebase this branch and we will merge it. |
@MikeKlebolt This PR contains |
Fixing this now. |
1689010 to e9b54f0
Hi @Akasurde, is this still making it in to 2.5? |
rebuild_merge |
@MikeKlebolt I will backport this to 2.5 |
… 2.7.9 (ansible#34887) (cherry picked from commit ce416f2)
@MikeKlebolt Backport PR #37018 |
SUMMARY
Fixes commit a28eb94, which broke validate_certs = False for python < 2.7.9
ISSUE TYPE
COMPONENT NAME
vsphere_guest
ANSIBLE VERSION
ADDITIONAL INFORMATION
If the vsphere_guest module is used with validate_certs = False and your python version is < 2.7.9, the following line is evaluated in the module, which results in the module failing.
diff