Openshift-ansible: missing OpenSSL python bindings

Created on 28 Jun 2017  ·  17 Comments  ·  Source: openshift/openshift-ansible

Description

Ansible fails with the message missing OpenSSL python bindings (on my master), although I have installed the pyOpenSSL package on my CentOS7 server.

Version
openshift-ansible-3.6.123.1002-1
ansible 2.3.1.0
Steps To Reproduce
  1. inventory:
[OSEv3:children]
masters
nodes

[OSEv3:vars]
ansible_ssh_user=root
deployment_type=origin
openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', 'challenge': 'true', 'kind': 'HTPasswdPasswordIdentityProvider', 'filename': '/etc/origin/master/htpasswd'}]
containerized=true
openshift_release=v1.5.1
openshift_image_tag=v1.5.1
openshift_public_hostname=master.domain.tld
openshift_master_default_subdomain=origin.domain.tld
openshift_hosted_metrics_deploy=true
openshift_disable_check=docker_storage,memory_availability

openshift_master_overwrite_named_certificates=true
openshift_master_named_certificates=[{"certfile": "/etc/letsencrypt/live/master.domain.tld/cert.pem", "keyfile": "/etc/letsencrypt/live/master.domain.tld/privkey.pem", "cafile": "/etc/letsencrypt/live/master.domain.tld/fullchain.pem"}]

[masters]
master.domain.tld openshift_schedulable=true

[nodes]
master.domain.tld openshift_node_labels="{'region': 'infra', 'zone': 'default'}" openshift_schedulable=true
node1.domain.tld openshift_node_labels="{'region': 'primary', 'zone': 'default'}" openshift_schedulable=true

  2. ansible-playbook -i inventory openshift-ansible/playbooks/byo/config.yml
Observed Results
Failure summary:

  1. Host:     master.domain.tld
     Play:     Configure masters
     Task:     openshift_named_certificates : set_fact
     Message:  |missing OpenSSL python bindings

(of course using an actual domain.tld)

All 17 comments

Can you run an experiment for me and try checking for OpenSSL manually? On your ansible control host, master.domain.tld, and node1.domain.tld what happens if you run this command:

$ python -c 'import OpenSSL.crypto'

(No output is expected. Failure will raise an ImportError)

I just checked the code you're running into that is raising these errors, openshift_named_certificates : set_fact, and I think I know what's going on.

openshift_named_certificates : set_fact is in roles/openshift_named_certificates/tasks/main.yml and that set_fact call uses the oo_parse_named_certificates filter. That filter is defined in filter_plugins/oo_filters.py. Inside this file we begin with a simple check

HAS_OPENSSL = False
try:
    import OpenSSL.crypto
    HAS_OPENSSL = True
except ImportError:
    pass

Then later on in the definition of oo_parse_named_certificates:

    if not HAS_OPENSSL:
        raise errors.AnsibleFilterError("|missing OpenSSL python bindings")

So that's how the error you see is being raised. Somewhere you do not have the python OpenSSL library available. While the openshift_health_checker role does some package checking in roles/openshift_health_checker/openshift_checks/package_availability.py, it is not verifying that the pyOpenSSL package is available. This is the package which provides the missing python bindings.


Please run that import test on the noted hosts for me and report back with the results. IIRC, filter plugins run on your control host, so I think all you'll have to do is install pyOpenSSL on that. I could be wrong though, but I'd begin testing there.

@tbielawa Thank you for your detailed answer.
I just ran the import test. There are no errors.
Your explanation makes sense, but then it doesn't make any sense to me why it would tell me it has no python openssl bindings...

I think we should improve the handling in this filter s.t. if we encounter a problem using OpenSSL.crypto we either deal with that (FakeOpenSSLCertificate?) or suggest that users supply a "names" key with openshift_master_named_certificates which would avoid parsing the certificate altogether. Note that the filter doesn't skip parsing when OpenSSL.crypto cannot be imported today, it just fails with zero grace. :angel:
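
A sketch of the behaviour proposed in the comment above, added here as an example and not code from openshift-ansible: the import of OpenSSL.crypto is deferred until an entry actually lacks "names", and the error names the interpreter that is missing the bindings. NamedCertificateError, the importer parameter and the helper names are assumptions made for illustration.

```python
import importlib
import sys


class NamedCertificateError(Exception):
    """Stand-in for errors.AnsibleFilterError so the sketch runs without Ansible."""


def _load_crypto(importer):
    """Import OpenSSL.crypto lazily; on failure, name the interpreter that lacks it."""
    try:
        return importer("OpenSSL.crypto")
    except ImportError as exc:
        raise NamedCertificateError(
            "|missing OpenSSL python bindings for %s (%s); install pyOpenSSL for "
            "that interpreter or add a 'names' key to each named certificate"
            % (sys.executable, exc))


def _names_from_cert(crypto, certfile):
    """Return the subject CN plus DNS subjectAltName entries of a PEM certificate."""
    with open(certfile, "rb") as handle:
        cert = crypto.load_certificate(crypto.FILETYPE_PEM, handle.read())
    names = [cert.get_subject().commonName]
    for idx in range(cert.get_extension_count()):
        ext = cert.get_extension(idx)
        if ext.get_short_name() == b"subjectAltName":
            names += [part.strip()[4:] for part in str(ext).split(",")
                      if part.strip().startswith("DNS:")]
    return names


def parse_named_certificates(certificates, importer=importlib.import_module):
    """Fill in 'names' only where the inventory did not supply them."""
    crypto = None
    parsed = []
    for entry in certificates:
        entry = dict(entry)  # copy, so the caller's inventory data is not mutated
        if not entry.get("names"):
            if crypto is None:  # the bindings are needed only from this point on
                crypto = _load_crypto(importer)
            entry["names"] = _names_from_cert(crypto, entry["certfile"])
        parsed.append(entry)
    return parsed


if __name__ == "__main__":
    # Constructed entry: 'names' is supplied, so no certificate file is opened.
    print(parse_named_certificates([{"certfile": "pki/example.crt", "names": ["os.example.test"]}]))
```

Because the failure message includes `sys.executable`, it also shows which host and Python installation evaluated the filter, which is the question the thread keeps returning to.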

Alright, thank you for your answers. I changed my setup and it is working. I probably caused the problem myself.

Glad you got it working @flyingP0tat0 !

Just dropping by to say I had the same issue when deploying a custom certificate (not when using self signed).

A quick pip install -U pyopenssl on my control node fixed this for me - Thanks!

Is this requirement documented anywhere? Did I just miss it?

The RPM dependencies include pyOpenSSL if you were to install openshift-ansible via RPMs. But we should make sure that we create a role that ensures control host deps are fulfilled.

In our pre-run checks is it possible to add a check in
openshift_health_checker that only runs on the control host? We have
openshift_checks/package_availability.py already which does package
checking. So I guess my idea is really more of 'can we add a python library
health check' to that role (only on the control host)?

I'm running into this issue on macOS 10.13.2 (17C205) with

ansible 2.4.2.0
  config file = /Users/vogl/Development/MDK/openshift-ansible/ansible.cfg
  configured module search path = [u'/Users/vogl/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python2.7/site-packages/ansible
  executable location = /usr/local/bin/ansible
  python version = 2.7.14 (default, Jan 30 2018, 14:34:52) [GCC 4.2.1 Compatible Apple LLVM 9.0.0 (clang-900.0.39.2)]

…on branch release-3.7

pyOpenSSL 0.13.1 comes preinstalled with macOS.

The line in my inventory goes like this:

openshift_master_named_certificates=[{"certfile": "pki/adesso-service.com.crt", "keyfile": "pki/adesso-service.com.key", "cafile": "pki/DigiCertCA.crt", "names": ["os.svc.adesso-service.com", "*.svc.adesso-service.com"]}]

Seeing this also:

[cloud-user@mgtocp1 openshift-ansible]$ cat /etc/redhat-release 
CentOS Linux release 7.4.1708 (Core) 
[cloud-user@mgtocp1 openshift-ansible]$ uname -a
Linux mgtocp1 3.10.0-693.11.6.el7.x86_64 #1 SMP Thu Jan 4 01:06:37 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
[cloud-user@mgtocp1 openshift-ansible]$ ansible --version
ansible 2.4.2.0
  config file = /home/cloud-user/openshift-ansible/ansible.cfg
  configured module search path = [u'/home/cloud-user/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.5 (default, Aug  4 2017, 00:39:18) [GCC 4.8.5 20150623 (Red Hat 4.8.5-16)]
[cloud-user@mgtocp1 openshift-ansible]$ git describe
openshift-ansible-3.9.0-0.53.0-14-ge32f913

OK so this was caused because we ran the ansible scripts from a management server. The assumption here is that you're running ansible from a host in the cluster which is probably not a good thing given that a Bastion host is included in the reference architecture. This assumption also causes api tests to fail. In short the assumption should be that ansible is executed from a host outside of the OCP cluster.

Should be noted that as of at least openshift-ansible 3.10.47 pyopenssl is not installed as a dependency and the in-place upgrade from 3.9 to 3.10.45 will break. pyopenssl should be a dependency for openshift-ansible still.

This regressed in 801779eeb6f6308f81ae7c48409de7686c04a0aa #10733 to reintroduce the dependency

@sdodson still here in 3.11.125-1

UPD 26.11.2019: Still here 3.11.153-2

same error in 3.11 here today

Got the same error today, 3.11

Same error here also, 3.11.
