What did you do?
I created an ansible task that depended on the ssh-keygen command to be run on the operator image.
What did you expect to see?
I wanted to see a key generated that I could then use to build a secret for git repo interactions.
What did you see instead? Under which circumstances?
The key failed to be created. I then tried from the ansible container terminal and received this error.
sh-4.2$ ssh-keygen
No user exists for uid 1000110000
Environment
operator-sdk version: v0.8.2, commit: 28bd2b0d4fd25aa68e15d928ae09d3c18c3b51da
go version:
go version go1.10.4 linux/amd64
Kubernetes version information:
oc v3.11.0+0cbc58b
kubernetes v1.11.0+d4cacc0
features: Basic-Auth GSSAPI Kerberos SPNEGO
Server https://ose.my.com:8443
openshift v3.11.135
kubernetes v1.11.0+d4cacc0
Kubernetes cluster kind:
OpenShift 3.11.135
Are you writing your operator in ansible, helm, or go?
Ansible
Possible Solution
The entrypoint.sh command in the image appears to have code that would accomplish creating the user so that commands like ssh-keygen depending on that would not error out. It appears to not be running for some reason.
Additional context
sh-4.2$ ansible-runner --version
1.2.0
sh-4.2$ ansible --version
ansible 2.7.10
config file = /etc/ansible/ansible.cfg
configured module search path = [u'/usr/share/ansible/openshift']
ansible python module location = /usr/lib/python2.7/site-packages/ansible
executable location = /usr/bin/ansible
python version = 2.7.5 (default, Oct 30 2018, 23:45:53) [GCC 4.8.5 20150623 (Red Hat 4.8.5-36)]
sh-4.2$ pwd
/
sh-4.2$ cat entrypoint.sh
#!/usr/bin/env bash
# In OpenShift, containers are run as a random high number uid
# that doesn't exist in /etc/passwd, but Ansible module utils
# require a named user. So if we're in OpenShift, we need to make
# one before Ansible runs.
if [ `id -u` -ge 500 ]; then
    echo "runner:x:`id -u`:`id -g`:,,,:/runner:/bin/bash" > /tmp/passwd
    cat /tmp/passwd >> /etc/passwd
    rm /tmp/passwd
fi
ansible-runner run /runner
sh-4.2$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
sh-4.2$ ssh-keygen -t rsa -f /tmp/ssh_host_rsa_key
No user exists for uid 1000110000
sh-4.2$ ssh-keygen
No user exists for uid 1000110000
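As an added illustration (not code from this issue or from operator-sdk), here is a variant of the passwd step in the entrypoint.sh shown above that is idempotent, validates its inputs and reports when the passwd file cannot be written instead of failing silently. The function names, return codes and the passwd-file argument are assumptions of this sketch.

```shell
#!/bin/sh
# Added example; names and return codes are choices made for this sketch.

# uid_in_passwd UID FILE: succeed if field 3 of any line equals UID.
uid_in_passwd() {
    awk -F: -v uid="$1" '$3 == uid { found = 1 } END { exit !found }' "$2" 2>/dev/null
}

# ensure_passwd_entry FILE UID GID [NAME] [HOME]
# Returns 0 if UID resolves afterwards, 2 if FILE cannot be written,
# 3 if an argument could inject extra fields or lines into FILE.
ensure_passwd_entry() {
    file="$1"; uid="$2"; gid="$3"; name="${4:-runner}"; home="${5:-/runner}"
    case "$uid" in ''|*[!0-9]*) return 3 ;; esac
    case "$gid" in ''|*[!0-9]*) return 3 ;; esac
    case "$name" in ''|*[!a-z0-9_-]*) return 3 ;; esac
    case "$home" in /*) ;; *) return 3 ;; esac
    case "$home" in *[!A-Za-z0-9/_.-]*) return 3 ;; esac

    # Already resolvable: nothing to do, so repeated runs add no duplicates.
    uid_in_passwd "$uid" "$file" && return 0

    # If the file is not writable by the container's uid/gid the append is
    # refused; surface that here rather than at the first ssh-keygen call.
    [ -w "$file" ] || return 2

    printf '%s:x:%s:%s:,,,:%s:/bin/bash\n' "$name" "$uid" "$gid" "$home" >> "$file"
}

# Demo on a constructed passwd file, never the real /etc/passwd.
demo() {
    f=$(mktemp)
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$f"
    ensure_passwd_entry "$f" 1000110000 0
    ensure_passwd_entry "$f" 1000110000 0   # second call adds nothing
    grep -c ':1000110000:' "$f"             # number of entries for the uid
    rm -f "$f"
}
demo
```

In an entrypoint the call would be `ensure_passwd_entry /etc/passwd "$(id -u)" "$(id -g)"`, with a return code of 2 logged before the main process starts.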
I found that the ansible-operator image has a new version (0.10.0). After updating build/Dockerfile to quay.io/operator-framework/ansible-operator:v0.10.0 and installing openssh so it has ssh-keygen, this still occurs. I did notice that the entrypoint.sh script is no longer present.
The entrypoint for the ansible-operator is /usr/local/bin/entrypoint (/entrypoint.sh is from the ansible-runner image, which we are no longer based on), and it should be setting up your /etc/passwd so that the user set by openshift has a name. I'm not sure why that seems to not be the case here. Would you mind pasting your build/Dockerfile, and the contents of /usr/local/bin/entrypoint and /etc/passwd in the container that's failing?
When I upgraded to 0.10.0, I found that /etc/passwd was indeed getting set. At some point I realized my assumption that ansible was running in the ansible container in the pod was flawed. I've been meaning to try setting the env on the proper container, but have forgotten so far. I'll make an effort this afternoon.
Thanks!
Oh, sorry. I was thinking on the wrong issue. This issue manifested itself differently when upgrading to 0.10.0. I issued the following in my build/Dockerfile to deal with the missing ssh-keygen that the module required. It seems odd to install all of the openssh client for ssh-keygen, but I think that's just how the packages work. If there is a better way, I'm open to it.
FROM quay.io/operator-framework/ansible-operator:v0.10.0
USER 0
RUN yum -y install openssh \
    && yum clean all
RUN pip install kubernetes-validate
USER 1001
COPY watches.yaml ${HOME}/watches.yaml
COPY playbook.yml ${HOME}/playbook.yml
COPY roles/ ${HOME}/roles/
Hi @flickerfly,
It looks like it is working as it should for you in version 0.10. Am I right?
Also, see that we upgraded the versions for the image which was released in 0.11.0 as the ENTRYPOINT. So, could you please let us know if there is anything else that should be done here or if we can close this one?
Thank you very much for your collaboration.
Yeah, I think we're good. 0.10.0 didn't come with ssh-keygen installed because it doesn't have openssh installed anymore, but that's probably fine if not supporting the modules that come out of the box needing that is expected. Only action might be to document how to install dependencies for modules not supported out of the box.
I'll be testing 0.11.0 with the operator I'm building this week.
Thank you very much, and please feel free to raise any new issues that you might need, as well as to collaborate by making PRs to the docs, etc. It would be very nice and great to have if you think that something could be improved.