Awx: Adding venv_vars.yaml makes container fail to start

Created on 24 Jan 2020 · 8 Comments · Source: ansible/awx

ISSUE TYPE
  • Bug Report
SUMMARY

Use of virtual envs for k8s/openshift, as described on https://github.com/ansible/awx/blob/devel/docs/custom_virtualenvs.md, isn't working.

ENVIRONMENT
  • AWX version: 9.1.1
  • AWX install method: openshift
  • Ansible version: Same as what ships with AWX 9.1.1
  • Operating System: Centos
  • Web Browser: Firefox
STEPS TO REPRODUCE
  1. Ansible AWX is already installed on Openshift 3.11
  2. Create a file called venv_vars.yaml and copy the example yaml from https://github.com/ansible/awx/blob/devel/docs/custom_virtualenvs.md
  3. Attempt to modify installed AWX to have some venvs. Run ansible-playbook -i inventory install.yml -e openshift_password=username -e openshift_token=$(oc whoami -t) --extra-vars "@venv_vars.yaml"
EXPECTED RESULTS

Expect to have virtual environments created.

ACTUAL RESULTS

The awx-0 container fails to start and gets stuck in Init Crash Loop Back-off.

ADDITIONAL INFORMATION

I'm running in a corp environment, and am using a proxy. The below looks like the container isn't using the proxy settings that are added to the inventory.

The init-custom-venvs has the following command:

sh -c yum install -y ansible curl python-setuptools epel-release \ openssl openssl-devel gcc python-devel && yum install -y python-virtualenv python36 python36-devel && mkdir -p /opt/custom-venvs && virtualenv -p python3 \ /opt/custom-venvs/dns_team && source /opt/custom-venvs/dns_team/bin/activate && /opt/custom-venvs/dns_team/bin/pip install -U psutil \ "ansible==2.8.1" && /opt/custom-venvs/dns_team/bin/pip install -U \ dnspython infoblox-client && deactivate && virtualenv -p python2 \ /opt/custom-venvs/windows_team && source /opt/custom-venvs/windows_team/bin/activate && /opt/custom-venvs/windows_team/bin/pip install -U psutil \ "ansible==2.8.0" && /opt/custom-venvs/windows_team/bin/pip install -U \ winrm && deactivate && virtualenv -p python2 \ /opt/custom-venvs/vmware_team && source /opt/custom-venvs/vmware_team/bin/activate && /opt/custom-venvs/vmware_team/bin/pip install -U psutil \ "ansible==2.7.10" && /opt/custom-venvs/vmware_team/bin/pip install -U \ pyvmomi && deactivate && :

Logs

oc logs awx-0 -c init-custom-venvs shows:

Loaded plugins: fastestmirror, ovl
Determining fastest mirrors


 One of the configured repositories failed (Unknown),
 and yum doesn't have enough cached data to continue. At this point the only
 safe thing yum can do is fail. There are a few ways to work "fix" this:

     1. Contact the upstream for the repository and get them to fix the problem.

     2. Reconfigure the baseurl/etc. for the repository, to point to a working
        upstream. This is most often useful if you are using a newer
        distribution release than is supported by the repository (and the
        packages for the previous distribution release still work).

     3. Run the command with the repository temporarily disabled
            yum --disablerepo=<repoid> ...

     4. Disable the repository permanently, so yum won't use it by default. Yum
        will then just ignore the repository until you permanently enable it
        again or use --enablerepo for temporary usage:

            yum-config-manager --disable <repoid>
        or
            subscription-manager repos --disable=<repoid>

     5. Configure the failing repository to be skipped, if it is unavailable.
        Note that yum will try to contact the repo. when it runs most commands,
        so will have to try and fail each time (and thus. yum will be be much
        slower). If it is a very temporary problem though, this is often a nice
        compromise:

            yum-config-manager --save --setopt=<repoid>.skip_if_unavailable=true

Cannot find a valid baseurl for repo: base/7/x86_64
Could not retrieve mirrorlist http://mirrorlist.centos.org/?release=7&arch=x86_64&repo=os&infra=container error was
14: curl#7 - "Failed to connect to 2604:1580:fe02:2::10: Network is unreachable"

@fantashley

installer needs_info bug

All 8 comments

It looks like your container can't reach the internet at large (at least over the IPv6 address you got back from the mirror list)

Can you test against this branch https://github.com/fantashley/awx/tree/support-proxy-venv and tell me if that fixes your issue?

It will set the environment variables http_proxy and https_proxy if they are defined as ansible variables, and yum should pick that up in CentOS 7.

Hi @fantashley - thanks, yes this helped.

I also had to add the following in order to get it to work correctly - in particular, note the --trusted-host for the pip installs:

      initContainers:
        - image: 'centos:7'
          name: init-custom-venvs
          command:
            - sh
            - '-c'
            - >-
              echo "proxy="{{ http_proxy }} >> /etc/yum.conf && yum install -y ansible curl python-setuptools epel-release \
                openssl openssl-devel gcc python-devel &&
              yum install -y python-virtualenv python36 python36-devel &&
              mkdir -p {{ custom_venvs_path }} &&
{% for custom_venv in custom_venvs %}
              virtualenv -p {{ custom_venv.python | default(custom_venvs_python) }} \
                {{ custom_venvs_path }}/{{ custom_venv.name }} &&
              source {{ custom_venvs_path }}/{{ custom_venv.name }}/bin/activate &&
              {{ custom_venvs_path }}/{{ custom_venv.name }}/bin/pip install --trusted-host pypi.org --trusted-host files.pythonhosted.org --trusted-host pypi.python.org --proxy http://proxy.wallets:8080 -U psutil \
                "ansible=={{ custom_venv.python_ansible_version }}" &&
{% if custom_venv.python_modules is defined %}
              {{ custom_venvs_path }}/{{ custom_venv.name }}/bin/pip install --trusted-host pypi.org --trusted-host files.pythonhosted.org --trusted-host pypi.python.org --proxy http://proxy.wallets:8080 -U \
                {% for module in custom_venv.python_modules %}{{ module }} {% endfor %} &&
{% endif %}
              deactivate &&
{% endfor %}
              :
          env:
            - name: HTTP_PROXY
              value: {{ http_proxy }}
            - name: HTTPS_PROXY
              value: {{ https_proxy }}

@fantashley I ran into this issue as well. Are you planning to make a PR for this?

@evertmulder yep, I will be able to make a PR by the end of this week. It would be great if you could both test the changes for me since I don't have a similar environment setup. I'll let you know once I've created it!

@magick93 sounds good, I will add in the --trusted-host parameters you provided. Thanks!

I updated my branch https://github.com/fantashley/awx/tree/support-proxy-venv with the trusted host arguments if someone wants to give it a try!

Hi @fantashley. I just tested the proxy support and it works great. The proxy settings are added to the init container and the trusted-host settings are also added to the pip install. The thing missing is the no_proxy setting.

Tested on OKD 3.11

The final statefulset includes the following init-container:

      initContainers:
        - command:
            - sh
            - '-c'
            - >-
              yum install -y ansible curl python-setuptools epel-release \
                openssl openssl-devel gcc python-devel &&
              yum install -y python-virtualenv python36 python36-devel && mkdir
              -p /opt/custom-venvs && virtualenv -p python3 \
                /opt/custom-venvs/team_a &&
              source /opt/custom-venvs/team_a/bin/activate &&
              /opt/custom-venvs/team_a/bin/pip install --trusted-host pypi.org
              --trusted-host files.pythonhosted.org --trusted-host
              pypi.python.org -U psutil \
                "ansible==2.8.4" &&
              /opt/custom-venvs/team_a/bin/pip install --trusted-host pypi.org
              --trusted-host files.pythonhosted.org --trusted-host
              pypi.python.org -U \
                dnspython infoblox-client jmespath  &&
              deactivate && virtualenv -p python2 \
                /opt/custom-venvs/team_b &&
              source /opt/custom-venvs/team_b/bin/activate &&
              /opt/custom-venvs/team_b/bin/pip install --trusted-host
              pypi.org --trusted-host files.pythonhosted.org --trusted-host
              pypi.python.org -U psutil \
                "ansible==2.8.6" &&
              /opt/custom-venvs/team_b/bin/pip install --trusted-host
              pypi.org --trusted-host files.pythonhosted.org --trusted-host
              pypi.python.org -U \
                manageiq_client PyVmomi  &&
              deactivate && :
          env:
            - name: http_proxy
              value: 'http://proxy.company.local:8080'
            - name: https_proxy
              value: 'http://proxy.company.local:8080'
          image: 'centos:7'
          imagePullPolicy: IfNotPresent
          name: init-custom-venvs
          resources: {}
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          volumeMounts:
            - mountPath: /opt/custom-venvs
              name: custom-venvs

The only thing missing is the no_proxy setting. If this setting could also be included this would be great.

Sounds like this can be closed once https://github.com/ansible/awx/pull/5805 merges - thanks @fantashley!
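The rendered init container in the thread still lacks `no_proxy`, and its `--trusted-host` flags make pip skip HTTPS certificate validation for the PyPI hosts. An added example (not code from the AWX installer or the linked branch) of the same container with `no_proxy` set and pip pointed at a CA bundle instead, assuming the certificate errors come from a TLS-inspecting proxy whose CA can be mounted; the ConfigMap name, mount path, CA file name and `no_proxy` value are hypothetical.

```yaml
# Added example; fragment of spec.template.spec in the StatefulSet.
# Hypothetical names: ConfigMap "corp-ca-bundle", mount path /etc/corp-ca,
# file ca-bundle.crt, and the no_proxy value. Adjust to the cluster.
initContainers:
  - name: init-custom-venvs
    image: 'centos:7'
    env:
      # Lower-case names, as in the rendered StatefulSet in the thread.
      - name: http_proxy
        value: 'http://proxy.company.local:8080'
      - name: https_proxy
        value: 'http://proxy.company.local:8080'
      # Keep in-cluster traffic off the proxy (value is an assumption).
      - name: no_proxy
        value: 'localhost,127.0.0.1,.svc,.cluster.local'
      # pip reads PIP_CERT as its --cert option: PyPI is verified against
      # this bundle instead of being exempted with --trusted-host.
      - name: PIP_CERT
        value: /etc/corp-ca/ca-bundle.crt
    command:
      - sh
      - '-c'
      # Abbreviated to one venv; no --trusted-host and no --proxy flags,
      # pip takes the proxy from the environment variables above.
      - >-
        yum install -y ansible curl python-setuptools epel-release
        openssl openssl-devel gcc python-devel &&
        yum install -y python-virtualenv python36 python36-devel &&
        mkdir -p /opt/custom-venvs &&
        virtualenv -p python3 /opt/custom-venvs/team_a &&
        /opt/custom-venvs/team_a/bin/pip install -U psutil
        "ansible==2.8.4" &&
        :
    volumeMounts:
      - mountPath: /opt/custom-venvs
        name: custom-venvs
      - mountPath: /etc/corp-ca
        name: corp-ca
        readOnly: true
volumes:
  # Existing custom-venvs volume omitted; only the added CA volume is shown.
  - name: corp-ca
    configMap:
      name: corp-ca-bundle
```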
