Chicken and Egg problem with rhel_subscribe role? #3277

Closed
tbielawa opened this issue Feb 7, 2017 · 6 comments
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

tbielawa commented Feb 7, 2017

Description

The rhel_subscribe role seems to have a chicken and egg problem. During the openshift_facts part of the run, the role attempts to install the group of packages that include PyYAML and fails.

Version

$ git describe && rpm -q ansible
openshift-ansible-3.5.3-1-75-g1105561
ansible-2.2.1.0-2hax.fc25.noarch

$ rpm -q atomic-openshift-utils openshift-ansible
package atomic-openshift-utils is not installed
package openshift-ansible is not installed

Steps To Reproduce

  1. Create a new RHEL VM, for example in libvirt, do not run subscription-manager
  2. ansible-playbook -v -i ./hosts-local ./playbooks/byo/rhel_subscribe.yml
  3. The run is good up to and including TASK [openshift_facts : set_fact]
  4. Once the run gets to the next step, TASK [openshift_facts : Ensure various deps are installed], it will fail.

Expected Results

  • The system would be registered with subscription manager
  • The appropriate pools would be attached to my machine

Observed Results

The playbook run fails. I can't register my system. I can't install OCP.

Because the system isn't registered yet there are no repos available yet. This means no packages can be installed yet. But openshift_facts is requiring packages:

item=[u'iproute', u'python-dbus', u'python-six', u'PyYAML', u'yum-utils'])

Defined in roles/openshift_facts/vars/main.yml

Files & Logs

The inventory file references RHSUB_USER and RHSUB_PASS environment variables. I can confirm I have those set correctly.

@tbielawa tbielawa added the kind/bug Categorizes issue or PR as related to a bug. label Feb 7, 2017
tbielawa commented Feb 7, 2017

I need this to work for some testing today, so a few more notes on debugging and working around.....

I hacked some stuff up to limit the introduction of openshift_facts in the rhel_subscribe playbook. Here's my diff so far (obviously, just a hacky workaround):

diff --git a/playbooks/byo/rhel_subscribe.yml b/playbooks/byo/rhel_subscribe.yml
index 65c0b1c..daa71a6 100644
--- a/playbooks/byo/rhel_subscribe.yml
+++ b/playbooks/byo/rhel_subscribe.yml
@@ -1,7 +1,33 @@
 ---
-- include: ../common/openshift-cluster/std_include.yml
+- name: Create initial host groups for localhost
+  hosts: localhost
+  connection: local
+  become: no
+  gather_facts: no
   tags:
   - always
+  tasks:
+  - include_vars: openshift-cluster/cluster_hosts.yml
+  - name: Evaluate group l_oo_all_hosts
+    add_host:
+      name: "{{ item }}"
+      groups: l_oo_all_hosts
+    with_items: "{{ g_all_hosts | default([]) }}"
+    changed_when: no
+
+- name: Create initial host groups for all hosts
+  hosts: l_oo_all_hosts
+  gather_facts: no
+  tags:
+  - always
+  tasks:
+  - include_vars: openshift-cluster/cluster_hosts.yml
+  - set_fact:
+      openshift_deployment_type: "{{ deployment_type }}"
+
+# - include: ../common/openshift-cluster/std_include.yml
+#   tags:
+#   - always
 
 - name: Subscribe hosts, update repos and update OS packages
   hosts: l_oo_all_hosts
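
Review bot: In the second added play, `openshift_deployment_type: "{{ deployment_type }}"` has no default or prior check, so a host whose inventory does not define deployment_type fails in this play with an undefined-variable error; add an explicit assertion with a clear message, or a default. The old std_include.yml include is also left behind as three commented-out lines after the new plays; delete them and add a short comment saying why the host-group plays are inlined here.
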
diff --git a/roles/rhel_subscribe/meta/main.yml b/roles/rhel_subscribe/meta/main.yml
index 0bbeadd..46b3b12 100644
--- a/roles/rhel_subscribe/meta/main.yml
+++ b/roles/rhel_subscribe/meta/main.yml
@@ -1,3 +1,3 @@
 ---
 dependencies:
-  - role: openshift_facts
+  # - role: openshift_facts
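
Review bot: With its only entry commented out, `dependencies:` in roles/rhel_subscribe/meta/main.yml is left with no value, which YAML loads as null rather than an empty list. Write `dependencies: []` and remove the commented line, so the file states outright that the role has no dependencies.
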
diff --git a/roles/rhel_subscribe/tasks/main.yml b/roles/rhel_subscribe/tasks/main.yml
index 28c3c70..b84627c 100644
--- a/roles/rhel_subscribe/tasks/main.yml
+++ b/roles/rhel_subscribe/tasks/main.yml
@@ -57,5 +57,4 @@
   when: openshift_pool_id.stdout != ''
 
 - include: enterprise.yml
-  when: deployment_type in [ 'enterprise', 'atomic-enterprise', 'openshift-enterprise' ] and
-        not openshift.common.is_atomic | bool
+  when: deployment_type in [ 'enterprise', 'atomic-enterprise', 'openshift-enterprise' ]
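
Review bot: Dropping `not openshift.common.is_atomic | bool` from the `when:` on `- include: enterprise.yml` removes the openshift_facts reference but also removes the Atomic guard, so enterprise.yml is now included on Atomic hosts for the three listed deployment types. Keep a guard here using an Atomic check that does not depend on openshift_facts, or add a comment explaining why the include is safe on those hosts.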

That's working great. Systems are registered and base packages are installed. It's updating all OS packages now.


However I've noticed a critical problem with the playbook. Usernames and passwords are exposed in the logs. Maybe relevant to your interests @ashcrow

TASK [rhel_subscribe : set_fact] ***********************************************
ok: [n01.example.com] => {
    "ansible_facts": {
        "rhel_subscription_pass": "<PASSWORD>",
        "rhel_subscription_pool": "Employee SKU*",
        "rhel_subscription_server": "",
        "rhel_subscription_user": "<USERNAME>"
    },
    "changed": false
}

See this GIST for more surrounding information

ashcrow commented Feb 7, 2017

Surfing

ashcrow commented Feb 7, 2017

Maybe no_log would work here?

tbielawa commented Feb 7, 2017

diff --git a/roles/rhel_subscribe/tasks/main.yml b/roles/rhel_subscribe/tasks/main.yml
index b84627c..89b614f 100644
--- a/roles/rhel_subscribe/tasks/main.yml
+++ b/roles/rhel_subscribe/tasks/main.yml
@@ -8,6 +8,7 @@
     rhel_subscription_user: "{{ lookup('oo_option', 'rhel_subscription_user') | default(rhsub_user, True) | default(omit, True) }}"
     rhel_subscription_pass: "{{ lookup('oo_option', 'rhel_subscription_pass') | default(rhsub_pass, True) | default(omit, True) }}"
     rhel_subscription_server: "{{ lookup('oo_option', 'rhel_subscription_server') | default(rhsub_server) }}"
+  no_log: True
 
 - fail:
     msg: "This role is only supported for Red Hat hosts"
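
Review bot: The added `no_log: True` hides only this set_fact result; rhel_subscription_user and rhel_subscription_pass are still set as facts, and the tasks that consume them are outside this hunk, so each of those needs the same setting or the credentials can show up in their output instead. The setting also hides rhel_subscription_server, which is not a secret, so a one-line comment above the task saying why its output is suppressed would help whoever debugs this role next.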

tbielawa commented Feb 7, 2017

The 'no_log' param did indeed work

TASK [rhel_subscribe : set_fact] ***********************************************
ok: [m01.example.com] => {"censored": "the output has been hidden due to the fact that 'no_log: true' was specified for this result"}
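
A log check for the exposure discussed in this thread, added here as an example and not part of the issue or of the openshift-ansible code: it parses `ansible-playbook -v` result lines of the shape shown above and reports password-like keys that were printed with a value. The key-name pattern, the function names and the sample credential values are assumptions constructed for illustration.

```python
import json
import re

TASK_RE = re.compile(r"^TASK \[(?P<task>[^\]]+)\]", re.M)
RESULT_RE = re.compile(r"^(?:ok|changed|failed|fatal): \[(?P<host>[^\]]+)\].*?=> (?=\{)", re.M)
# Assumption: key names that should never appear with a value in playbook output.
SECRET_KEY_RE = re.compile(r"pass|secret|token|api_?key", re.I)

def walk(node, path=""):
    """Yield (dotted_path, value) for every scalar in a decoded task result."""
    if isinstance(node, (dict, list)):
        pairs = node.items() if isinstance(node, dict) else enumerate(node)
        for key, value in pairs:
            yield from walk(value, f"{path}.{key}" if path else str(key))
    else:
        yield path, node

def find_exposed_secrets(log_text):
    """Return (task, host, path) for secret-looking keys logged with a non-empty value."""
    decoder = json.JSONDecoder()
    tasks = [(m.start(), m.group("task")) for m in TASK_RE.finditer(log_text)]
    findings = []
    for m in RESULT_RE.finditer(log_text):
        try:
            result, _ = decoder.raw_decode(log_text, m.end())  # result may span lines
        except json.JSONDecodeError:
            continue  # truncated or non-JSON result body
        task = next((name for pos, name in reversed(tasks) if pos < m.start()), "?")
        for path, value in walk(result):
            leaf = path.rsplit(".", 1)[-1]
            if SECRET_KEY_RE.search(leaf) and isinstance(value, str) and value:
                findings.append((task, m.group("host"), path))
    return findings

# Constructed sample in the format shown in this thread; values are made up.
SAMPLE_LOG = """\
TASK [rhel_subscribe : set_fact] ***********************************************
ok: [n01.example.com] => {
    "ansible_facts": {
        "rhel_subscription_pass": "constructed-secret",
        "rhel_subscription_server": "",
        "rhel_subscription_user": "constructed-user"
    },
    "changed": false
}
TASK [rhel_subscribe : set_fact] ***********************************************
ok: [m01.example.com] => {"censored": "the output has been hidden due to the fact that 'no_log: true' was specified for this result"}
"""
print(find_exposed_secrets(SAMPLE_LOG))
```

Run over saved playbook output in CI, a non-empty result marks a task that still needs `no_log`.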

@michaelgugino

This is actually fixed now, woot!
