Following the Semantic Versioning of the Ansible content, all the deprecated content will be removed at the next major version (2.0.0).
Ansible Collection for Red Hat Insights
License: Apache License 2.0
Now that Inventory Groups are live the ansible role should allow the user to set the Inventory group.
To be clear the goal is not to use the current --group=GROUP option of insights client which adds a tag but does not add the system to an Inventory Group.
I have got some hosts registered:
[ansible@ansible-h AutomATa]$ ansible rhel_vms -m redhat.insights.insights_register -b -i inventory/dynamic_custom_inventory.sh -a "state=present"
rhel-kvegh-nt29-801.kveghdemo.at | CHANGED => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/libexec/platform-python"
},
"changed": true,
"message": "insights-client has been registered",
"original_message": "Attempting to register insights-client"
}
rhel-kvegh-nt29-711.kveghdemo.at | CHANGED => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": true,
"message": "insights-client has been registered",
"original_message": "Attempting to register insights-client"
}
rhel-kvegh-nt29-741.kveghdemo.at | CHANGED => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": true,
"message": "insights-client has been registered",
"original_message": "Attempting to register insights-client"
}
[ansible@ansible-h AutomATa]$
Now I want to unregister them, but I forgot the --become ... but it still reports back success. If I do this on the command line with insights-client, then it explicitly tells me to run as root; here the module only says "Attempting" and reports SUCCESS back:
[ansible@ansible-h AutomATa]$ ansible rhel_vms -m redhat.insights.insights_register -i inventory/dynamic_custom_inventory.sh -a "state=absent"
rhel-kvegh-nt29-801.kveghdemo.at | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/libexec/platform-python"
},
"changed": false,
"message": "insights-client is already unregistered",
"original_message": "Attempting to unregister insights-client"
}
rhel-kvegh-nt29-711.kveghdemo.at | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"message": "insights-client is already unregistered",
"original_message": "Attempting to unregister insights-client"
}
rhel-kvegh-nt29-741.kveghdemo.at | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"message": "insights-client is already unregistered",
"original_message": "Attempting to unregister insights-client"
}
[ansible@ansible-h AutomATa]$
...with --become it works like a charm of course, reporting back CHANGED:
[ansible@ansible-h AutomATa]$ ansible rhel_vms -m redhat.insights.insights_register -i inventory/dynamic_custom_inventory.sh -a "state=absent" -b
rhel-kvegh-nt29-711.kveghdemo.at | CHANGED => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": true,
"message": "insights-client has been unregistered",
"original_message": "Attempting to unregister insights-client"
}
rhel-kvegh-nt29-741.kveghdemo.at | CHANGED => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": true,
"message": "insights-client has been unregistered",
"original_message": "Attempting to unregister insights-client"
}
rhel-kvegh-nt29-801.kveghdemo.at | CHANGED => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/libexec/platform-python"
},
"changed": true,
"message": "insights-client has been unregistered",
"original_message": "Attempting to unregister insights-client"
}
[ansible@ansible-h AutomATa]$
Summary: without elevated privileges the module insights_register should report back that it cannot unregister the host, shouldn't it?
I understand the desire to automate things like release information, however, using a jinja2 template for your galaxy.yml file and only populating it on release (and only including that released file to Galaxy/Red Hat Automation Hub) breaks the ability to install this collection from the git repository directly.
We have a situation where our hosts running our Ansible playbooks don't have access to Galaxy or the Automation Hub. For the past few years that hasn't been an issue as we mirrored the roles that we wanted locally. Mirroring is done via git. Now with the improved support in ansible-galaxy in 2.10.x we can install collections from git repositories, and so we have begun migrating the roles we have used previously to collections.
I'm happy to submit a PR, but I'm not sure what the preferred solution would be.
# create groups for patching
plugin: redhat.insights.insights
get_patches: yes
groups:
  patching: insights_patching.enabled
  stale: insights_patching.stale
  bug_patch: insights_patching.rhba_count > 0
  security_patch: insights_patching.rhsa_count > 0
  enhancement_patch: insights_patching.rhea_count > 0
It appears that inventory sync with only 'plugin: redhat.insights.insights' works fine.
Error: While performing the sync.
4.963 INFO Updating inventory 9: NewInsightsInventory
5.032 DEBUG Using base command: python /usr/bin/ansible-inventory -i /tmp/bwrap_113_16pp_l24/awx_113_eft4r1s2/project --playbook-dir /tmp/bwrap_113_16pp_l24/awx_113_eft4r1s2/project -vvvvv
5.033 INFO Reading Ansible inventory source: /tmp/bwrap_113_16pp_l24/awx_113_eft4r1s2/project
5.035 INFO Using VIRTUAL_ENV: /var/lib/awx/venv/ansible
5.035 INFO Using PATH: /var/lib/awx/venv/ansible/bin:/var/lib/awx/venv/awx/bin:/var/lib/awx/venv/awx/bin:/var/lib/awx/venv/awx/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
5.035 INFO Using PYTHONPATH: /var/lib/awx/venv/ansible/lib/python3.6/site-packages:
14.577 ERROR ansible-inventory 2.9.18
14.577 ERROR config file = /etc/ansible/ansible.cfg
14.577 ERROR configured module search path = ['/var/lib/awx/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
14.578 ERROR ansible python module location = /usr/lib/python3.6/site-packages/ansible
14.578 ERROR executable location = /usr/bin/ansible-inventory
14.578 ERROR python version = 3.6.8 (default, Dec 5 2019, 15:45:45) [GCC 8.3.1 20191121 (Red Hat 8.3.1-5)]
14.578 ERROR Using /etc/ansible/ansible.cfg as config file
14.578 ERROR setting up inventory plugins
14.578 ERROR host_list declined parsing /tmp/bwrap_113_16pp_l24/awx_113_eft4r1s2/project/collections/requirements.yml as it did not pass its verify_file() method
14.578 ERROR script declined parsing /tmp/bwrap_113_16pp_l24/awx_113_eft4r1s2/project/collections/requirements.yml as it did not pass its verify_file() method
14.578 ERROR [WARNING]: Skipping 'collections' as this is not a valid group definition
14.578 ERROR Parsed /tmp/bwrap_113_16pp_l24/awx_113_eft4r1s2/project/collections/requirements.yml inventory source with yaml plugin
14.579 ERROR setting up inventory plugins
14.579 ERROR host_list declined parsing /tmp/bwrap_113_16pp_l24/awx_113_eft4r1s2/project/insights.yml as it did not pass its verify_file() method
14.579 ERROR script declined parsing /tmp/bwrap_113_16pp_l24/awx_113_eft4r1s2/project/insights.yml as it did not pass its verify_file() method
14.579 ERROR toml declined parsing /tmp/bwrap_113_16pp_l24/awx_113_eft4r1s2/project/insights.yml as it did not pass its verify_file() method
14.579 ERROR [WARNING]: * Failed to parse
14.579 ERROR /tmp/bwrap_113_16pp_l24/awx_113_eft4r1s2/project/insights.yml with auto plugin:
14.579 ERROR No connection adapters were found for '/api/patch/v1/systems?offset=20&limit=20
14.579 ERROR &filter[stale]=eq:True&sort=-last_upload'
14.579 ERROR File "/usr/lib/python3.6/site-packages/ansible/inventory/manager.py", line 280, in parse_source
14.580 ERROR plugin.parse(self._inventory, self._loader, source, cache=cache)
14.580 ERROR File "/usr/lib/python3.6/site-packages/ansible/plugins/inventory/auto.py", line 58, in parse
14.580 ERROR plugin.parse(inventory, loader, path, cache=cache)
14.580 ERROR File "/tmp/bwrap_113_16pp_l24/awx_113_eft4r1s2/requirements_collections/ansible_collections/redhat/insights/plugins/inventory/insights.py", line 218, in parse
14.580 ERROR stale_patches = self.get_patches(stale=True)
14.580 ERROR File "/tmp/bwrap_113_16pp_l24/awx_113_eft4r1s2/requirements_collections/ansible_collections/redhat/insights/plugins/inventory/insights.py", line 110, in get_patches
14.580 ERROR response = self.session.get(url, auth=self.auth, headers=self.headers)
14.580 ERROR File "/var/lib/awx/venv/ansible/lib/python3.6/site-packages/requests/sessions.py", line 546, in get
14.580 ERROR return self.request('GET', url, **kwargs)
14.581 ERROR File "/var/lib/awx/venv/ansible/lib/python3.6/site-packages/requests/sessions.py", line 533, in request
14.581 ERROR resp = self.send(prep, **send_kwargs)
14.581 ERROR File "/var/lib/awx/venv/ansible/lib/python3.6/site-packages/requests/sessions.py", line 640, in send
14.581 ERROR adapter = self.get_adapter(url=request.url)
14.581 ERROR File "/var/lib/awx/venv/ansible/lib/python3.6/site-packages/requests/sessions.py", line 731, in get_adapter
14.581 ERROR raise InvalidSchema("No connection adapters were found for '%s'" % url)
14.581 ERROR [WARNING]: * Failed to parse
14.581 ERROR /tmp/bwrap_113_16pp_l24/awx_113_eft4r1s2/project/insights.yml with yaml plugin:
14.581 ERROR Plugin configuration YAML file, not YAML inventory
14.582 ERROR File "/usr/lib/python3.6/site-packages/ansible/inventory/manager.py", line 280, in parse_source
14.582 ERROR plugin.parse(self._inventory, self._loader, source, cache=cache)
14.582 ERROR File "/usr/lib/python3.6/site-packages/ansible/plugins/inventory/yaml.py", line 112, in parse
14.582 ERROR raise AnsibleParserError('Plugin configuration YAML file, not YAML inventory')
14.605 ERROR [WARNING]: * Failed to parse
14.605 ERROR /tmp/bwrap_113_16pp_l24/awx_113_eft4r1s2/project/insights.yml with ini plugin:
14.605 ERROR Invalid host pattern 'plugin:' supplied, ending in ':' is not allowed, this
14.606 ERROR character is reserved to provide a port.
14.606 ERROR File "/usr/lib/python3.6/site-packages/ansible/inventory/manager.py", line 280, in parse_source
14.606 ERROR plugin.parse(self._inventory, self._loader, source, cache=cache)
14.606 ERROR File "/usr/lib/python3.6/site-packages/ansible/plugins/inventory/ini.py", line 138, in parse
14.607 ERROR raise AnsibleParserError(e)
14.607 ERROR [WARNING]: Unable to parse
14.608 ERROR /tmp/bwrap_113_16pp_l24/awx_113_eft4r1s2/project/insights.yml as an inventory
14.608 ERROR source
14.608 DEBUG Finished loading from source: /tmp/bwrap_113_16pp_l24/awx_113_eft4r1s2/project
14.608 INFO Processing JSON output...
14.608 DEBUG Loaded group: all
14.609 INFO Loaded 0 groups, 0 hosts
14.615 DEBUG Inventory variables unmodified
14.726 INFO Inventory import completed for NewInsightsInv in 9.8s
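The traceback above shows `requests` being handed a relative pagination link (`/api/patch/v1/systems?offset=20...`), which it cannot send. The following is an added example, not the collection's code: it resolves such a link against the first URL and refuses any link that leaves the API origin, since the session attaches credentials to every request. The `links.next` response field, the `fetch` callable and the `console.example.invalid` host are assumptions made for illustration.

```python
from urllib.parse import urljoin, urlsplit


def resolve_next(base_url, next_link):
    """Return an absolute URL for next_link, or None when there is no next page.

    Raises ValueError if the link would send the request (and its
    credentials) to a different scheme or host than base_url.
    """
    if not next_link:
        return None
    base = urlsplit(base_url)
    if base.scheme != "https" or not base.netloc:
        raise ValueError("base URL must be an absolute https URL")
    absolute = urljoin(base_url, next_link)  # handles "/path?query" links
    target = urlsplit(absolute)
    if (target.scheme, target.netloc.lower()) != (base.scheme, base.netloc.lower()):
        raise ValueError("pagination link leaves the API origin: %r" % absolute)
    return absolute


def iter_pages(first_url, fetch, max_pages=1000):
    """Yield each page, following links.next (assumed field name).

    fetch(url) is a hypothetical callable returning the parsed JSON body,
    e.g. a thin wrapper around session.get(url, ...).json().
    """
    url, seen = first_url, set()
    while url:
        if url in seen or len(seen) >= max_pages:
            raise ValueError("pagination loop or page limit reached at %r" % url)
        seen.add(url)
        page = fetch(url)
        yield page
        url = resolve_next(first_url, (page.get("links") or {}).get("next"))


# Constructed sample responses, keyed by the URL that would return them.
FIRST = "https://console.example.invalid/api/patch/v1/systems?limit=20"
SECOND = ("https://console.example.invalid/api/patch/v1/systems"
          "?offset=20&limit=20&filter[stale]=eq:True&sort=-last_upload")
SAMPLE_PAGES = {
    FIRST: {"data": ["host-a"], "links": {
        "next": "/api/patch/v1/systems?offset=20&limit=20"
                "&filter[stale]=eq:True&sort=-last_upload"}},
    SECOND: {"data": ["host-b"], "links": {"next": None}},
}

if __name__ == "__main__":
    for page in iter_pages(FIRST, SAMPLE_PAGES.__getitem__):
        print(page["data"])
```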
Referring to:
ansible-collections-insights/roles/compliance/tasks/run.yml
The role calls insights-client --compliance which will return a non-zero code if the host hasn't been associated with a compliance profile in the console at console.redhat.com. Perhaps the role could fail more gracefully when this takes place so that any playbook calling the role doesn't bomb out when there's no compliance profile associated with the host.
Simple alternative:
- name: run compliance scan
  ignore_errors: yes
  command: insights-client --compliance
Thoughts?
Hello there,
I noticed an issue which is breaking the configuration on our systems.
Apparently the role RedHatInsights.insights-client is failing for my rhel8 host with the following message: file (/etc/insights-client/machine-id) is absent, cannot continue. The name of the failing task is RedHatInsights.insights-client : Change permissions of machine_id file so that Insights System ID can be read.
The fact that machine-id does not exist implies that the host is not registered to Insights, and actually if I run the following command:
[root@tower-isolated1 plays]# insights-client --status
This host is unregistered.
It indeed replies that the system is not registered. And if I check the return code of the command it's 0.
[root@tower-isolated1 plays]# echo $?
0
It looks to me that the task RedHatInsights.insights-client : Register Insights Client is not properly working, since this is what it is returning:
ok: [localhost] => {
"changed": false,
"invocation": {
"module_args": {
"display_name": "",
"force_reregister": false,
"insights_name": "insights-client",
"state": "present"
}
},
"message": "The Insights API has determined that this machine is already registered",
"original_message": "Attempting to register insights-client"
}
My assumption is that this https://github.com/RedHatInsights/ansible-collections-insights/blob/master/plugins/modules/insights_register.py#L131 conditional is missing some logic.
Let me know your thoughts.
Thanks,
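Both registration reports above (unregistering without --become returning SUCCESS, and "already registered" while /etc/insights-client/machine-id is absent) come down to trusting a single signal. The following is an added example, not the module's code: a hypothetical `evaluate` helper that fails when not root and requires the status text and the machine-id file to agree, ignoring the exit code, which the report shows is 0 on an unregistered host. The marker string is taken from the "This host is unregistered." output quoted above; everything else is an assumption.

```python
import os
import subprocess

MACHINE_ID = "/etc/insights-client/machine-id"  # path quoted in the report above
UNREGISTERED_MARKER = "unregistered"            # from "This host is unregistered."


def evaluate(desired, euid, status_stdout, machine_id_exists):
    """Decide what a register/unregister task should report.

    desired is "present" or "absent". Pure function with no host access,
    so the decision table can be unit-tested. Hypothetical helper.
    """
    if desired not in ("present", "absent"):
        raise ValueError("desired must be 'present' or 'absent'")
    if euid != 0:
        # The CLI asks to be run as root; fail loudly instead of
        # reporting "already unregistered" with changed=false.
        return {"failed": True, "needs_change": False,
                "msg": "insights-client requires root; run the task with become"}
    # Two independent signals must agree before the host counts as
    # registered: the status text and the presence of the machine-id file.
    says_registered = UNREGISTERED_MARKER not in status_stdout.lower()
    registered = says_registered and machine_id_exists
    needs_change = (desired == "present") != registered
    return {"failed": False, "needs_change": needs_change,
            "registered": registered, "msg": "state evaluated"}


def probe():
    """Collect the real inputs on a managed host: (status text, file present)."""
    try:
        out = subprocess.run(["insights-client", "--status"],
                             capture_output=True, text=True).stdout
    except FileNotFoundError:
        out = UNREGISTERED_MARKER  # client not installed: treat as unregistered
    return out, os.path.exists(MACHINE_ID)


if __name__ == "__main__":
    text, has_id = probe()
    print(evaluate("present", os.geteuid(), text, has_id))
```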
Hi,
I am trying to get tags information in Insights but it seems get_tags option is not working.
The error I am getting is the following:
[WARNING]: * Failed to parse /Users/jmorenas/Desktop/my_stuff/insights-inventory/insights.yml with insights plugin: ('Connection
aborted.', RemoteDisconnected('Remote end closed connection without response'))
File "/usr/local/lib/python3.9/site-packages/ansible/inventory/manager.py", line 280, in parse_source
plugin.parse(self._inventory, self._loader, source, cache=cache)
File "/Users/jmorenas/Desktop/my_stuff/insights-inventory/inventory_plugins/insights.py", line 253, in parse
system_tags = self.get_tags(systems_by_id.keys())
File "/Users/jmorenas/Desktop/my_stuff/insights-inventory/inventory_plugins/insights.py", line 135, in get_tags
response = self.session.get(url, auth=self.auth, headers=self.headers)
File "/usr/local/lib/python3.9/site-packages/requests/sessions.py", line 555, in get
return self.request('GET', url, **kwargs)
File "/usr/local/lib/python3.9/site-packages/requests/sessions.py", line 542, in request
resp = self.send(prep, **send_kwargs)
File "/usr/local/lib/python3.9/site-packages/requests/sessions.py", line 655, in send
r = adapter.send(request, **kwargs)
File "/usr/local/lib/python3.9/site-packages/requests/adapters.py", line 498, in send
raise ConnectionError(err, request=request)
My environment is the following:
jmorenas-mac:insights-inventory jmorenas$ ansible --version
ansible 2.9.7
config file = /Users/jmorenas/Desktop/my_stuff/insights-inventory/ansible.cfg
configured module search path = ['/Users/jmorenas/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/local/lib/python3.9/site-packages/ansible
executable location = /usr/local/bin/ansible
python version = 3.9.6 (default, Jun 29 2021, 06:20:32) [Clang 12.0.0 (clang-1200.0.32.29)]
Some considerations:
Just wanted to bring this up to you guys, so you can be aware of this issue.
Thanks in advance,
The inventory plugin here cannot be used when installed from https://galaxy.ansible.com/redhatinsights/insights
See discussion in https://github.com/ansible/awx/pull/8650/files#issuecomment-754231268
Since this produces 2 different collections, a replacement in the actual code needs to be made if it is going to function correctly. Or maybe you could hack something new together to import from module utils.
As part of the management of the client configuration with the insights role, I would like to have the ability to manage the different ways to obfuscate the insights data. Specifically:
Currently, the inventory plugin sets the ansible_host variable. There should be some functionality to prevent setting this variable for use cases when another inventory provider is populating that value.
The ansible_host variable is hardcoded. This may cause conflict with other inventory sources. If ansible_host from insights should be used, it should be a constructed var as shown below.
plugin: redhatinsights.insights.insights
compose:
  ansible_host: <prefix>_ansible_host
The roles do not install the "correct" version of the scap-security-guide package for a given RHEL release as per the following KB article:
https://access.redhat.com/articles/6644131
The relevant code can be found here.
https://github.com/RedHatInsights/ansible-collections-insights/blob/master/roles/compliance/tasks/install.yml
I have implemented a version of this but it requires manual maintenance of the RHEL release <-> scap-security-guide release.
Open to a discussion/suggestions on what to do as this is quite important for the compliance service to function correctly.
Managing tags doesn't work as expected.
insights_tags variable is specified
# example task
tasks:
  - include_role:
      name: redhat.insights.insights_client
# output
TASK [redhat.insights.insights_client : Deploy Custom Tags] ****************************************************************************
skipping: [satellite] => {"changed": false, "skip_reason": "Conditional result was False"}
skipping: [tower] => {"changed": false, "skip_reason": "Conditional result was False"}
TASK [redhat.insights.insights_client : Remove Tags] ***********************************************************************************
ok: [satellite] => {"changed": false, "path": "/etc/insights-client/tags.yaml", "state": "absent"}
changed: [tower] => {"changed": true, "path": "/etc/insights-client/tags.yaml", "state": "absent"}
ansible-collections-insights/roles/insights_client/tasks/main.yml
Lines 75 to 79 in 1b455fa
Getting the error message during the Deploy Custom Tags task
TASK [redhatinsights.insights.insights_client : Deploy Custom Tags] ************
...
FAILED! => {"changed": false, "checksum": "eab944004b60615cf2ecf0a03053b45aeec04158", "msg": "Destination /etc/insights-client not writable"}
After debugging it appears the directory exists and is writable by the ansible user assuming become is used.
The issue appears to be that become is not used:
- name: Deploy Custom Tags
  copy:
    dest: /etc/insights-client/tags.yaml
    content: "{{ insights_tags | to_nice_yaml }}"
    mode: og=r
  when: insights_tags is defined
  notify: Run insights-client
In method InventoryModule.parse, lines 233 through 250, a URL is constructed from page numbers and filtering tags. If the underlying collection is large enough the URL gets bigger than 4096 characters and that hits an underlying limit in the backend (cloud.redhat.com) which results in the plugin erroring with the following message:
redhat_insights.yml with
auto plugin: http error (400): <title>Bad Request</title>
Bad Request
Request Line is too large (4098 > 4094)
As documented in Appendix E of the Red Hat Insights documentation:
uses HTTPBasicAuthSSO credential-based authentication (basic authentication) has been deprecated for security reasons. Consider using a more secure authentication method, such as certificate-based authentication.
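For the "Request Line is too large (4098 > 4094)" report above, one client-side mitigation is to split a long ID list into batches whose rendered request line stays under the limit. The following is an added example, not the plugin's code: the path template, the comma-joined ID format and the safety margin are assumptions, and only the 4094 figure comes from the error text.

```python
import uuid

REQUEST_LINE_LIMIT = 4094  # from the error text quoted above


def request_line_len(path_and_query, method="GET"):
    """Length of the HTTP/1.1 request line, without the trailing CRLF."""
    return len("%s %s HTTP/1.1" % (method, path_and_query))


def batch_ids(ids, path_template, limit=REQUEST_LINE_LIMIT, margin=64):
    """Split ids into lists whose request line fits within limit - margin.

    path_template is a hypothetical path with one {ids} placeholder that is
    filled with the comma-joined batch. Order is preserved. Raises
    ValueError if a single id cannot fit on its own.
    """
    budget = limit - margin
    batches, current = [], []
    for item in ids:
        item = str(item)
        if request_line_len(path_template.format(ids=item)) > budget:
            raise ValueError("id %r alone exceeds the request-line budget" % item)
        candidate = current + [item]
        rendered = path_template.format(ids=",".join(candidate))
        if request_line_len(rendered) <= budget:
            current = candidate
        else:
            batches.append(current)  # close the full batch, start a new one
            current = [item]
    if current:
        batches.append(current)
    return batches


def paths_for(ids, path_template, **kwargs):
    """Render one request path per batch."""
    return [path_template.format(ids=",".join(batch))
            for batch in batch_ids(ids, path_template, **kwargs)]


# Constructed sample input: 500 deterministic UUIDs and a made-up endpoint.
SAMPLE_IDS = [str(uuid.UUID(int=i)) for i in range(500)]
SAMPLE_TEMPLATE = "/api/constructed/v1/hosts/{ids}/tags?per_page=50&page=1"

if __name__ == "__main__":
    paths = paths_for(SAMPLE_IDS, SAMPLE_TEMPLATE)
    print(len(paths), "requests, longest request line:",
          max(request_line_len(p) for p in paths))
```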