Error de AWX X509 al usar una imagen EE personalizada con pyopenssl

tag-icon tag-icon ansible python openssl ansible-tower
Error de AWX X509 al usar una imagen EE personalizada con pyopenssl

Actualmente estoy configurando una plataforma AWX alojada en el clúster K8 para obtener una interfaz de usuario + funciones adecuadas para fines multiusuario.

Contexto :
Creé una imagen EE insertada en un repositorio Nexus que usa AWX para tener todas las colecciones de galaxias ansibles que necesitan los proyectos Ansible (nutanix.ncp, community.hashi_vault, community.windows y ansible.windows) + módulos pip (ansible-pylibssh , hvac, paramiko, pexpect, pykerberos, pywinrm, criptografía, pyopenssl).

La creación de imágenes EE y empujar/tirar está bien. Si es necesario, puedo compartir los archivos requisitos.yml y requisitos.txt.

Aquí está elexecution-environment.yml como referencia:

---
version: 1

build_arg_defaults:
  EE_BASE_IMAGE: 'quay.io/ansible/awx-ee:latest'

dependencies:
  galaxy: requirements.yml
  python: requirements.txt

additional_build_steps:
  prepend: |
    RUN python3 -m pip install --upgrade pip
    RUN pip3 install --upgrade pip setuptools
    RUN whoami
    RUN cat /etc/os-release

  append:
  - RUN ls -la /etc

Luego, cuando configuro un proyecto en AWX usando esta imagen EE, falla en el error X509_V_FLAG_CB_ISSUER_CHECK:

{
  "module_stdout": "",
  "module_stderr": "Traceback (most recent call last):\n  File \"/root/.ansible/tmp/ansible-tmp-1694504214.889407-61-240849331705059/AnsiballZ_ntnx_subnets_info.py\", line 107, in <module>\n    _ansiballz_main()\n  File \"/root/.ansible/tmp/ansible-tmp-1694504214.889407-61-240849331705059/AnsiballZ_ntnx_subnets_info.py\", line 99, in _ansiballz_main\n    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n  File \"/root/.ansible/tmp/ansible-tmp-1694504214.889407-61-240849331705059/AnsiballZ_ntnx_subnets_info.py\", line 47, in invoke_module\n    runpy.run_module(mod_name='ansible_collections.nutanix.ncp.plugins.modules.ntnx_subnets_info', init_globals=dict(_module_fqn='ansible_collections.nutanix.ncp.plugins.modules.ntnx_subnets_info', _modlib_path=modlib_path),\n  File \"/usr/lib64/python3.8/runpy.py\", line 207, in run_module\n    return _run_module_code(code, init_globals, run_name, mod_spec)\n  File \"/usr/lib64/python3.8/runpy.py\", line 97, in _run_module_code\n    _run_code(code, mod_globals, init_globals,\n  File \"/usr/lib64/python3.8/runpy.py\", line 87, in _run_code\n    exec(code, run_globals)\n  File \"/tmp/ansible_ntnx_subnets_info_payload_mpaf5bgi/ansible_ntnx_subnets_info_payload.zip/ansible_collections/nutanix/ncp/plugins/modules/ntnx_subnets_info.py\", line 188, in <module>\n  File \"<frozen importlib._bootstrap>\", line 991, in _find_and_load\n  File \"<frozen importlib._bootstrap>\", line 975, in _find_and_load_unlocked\n  File \"<frozen importlib._bootstrap>\", line 655, in _load_unlocked\n  File \"<frozen importlib._bootstrap>\", line 618, in _load_backward_compatible\n  File \"<frozen zipimport>\", line 259, in load_module\n  File \"/tmp/ansible_ntnx_subnets_info_payload_mpaf5bgi/ansible_ntnx_subnets_info_payload.zip/ansible_collections/nutanix/ncp/plugins/module_utils/prism/subnets.py\", line 9, in <module>\n  File \"<frozen importlib._bootstrap>\", line 991, in _find_and_load\n  File \"<frozen importlib._bootstrap>\", line 975, in _find_and_load_unlocked\n  File \"<frozen importlib._bootstrap>\", line 655, in _load_unlocked\n  File \"<frozen importlib._bootstrap>\", line 618, in _load_backward_compatible\n  File \"<frozen zipimport>\", line 259, in load_module\n  File \"/tmp/ansible_ntnx_subnets_info_payload_mpaf5bgi/ansible_ntnx_subnets_info_payload.zip/ansible_collections/nutanix/ncp/plugins/module_utils/prism/clusters.py\", line 7, in <module>\n  File \"<frozen importlib._bootstrap>\", line 991, in _find_and_load\n  File \"<frozen importlib._bootstrap>\", line 975, in _find_and_load_unlocked\n  File \"<frozen importlib._bootstrap>\", line 655, in _load_unlocked\n  File \"<frozen importlib._bootstrap>\", line 618, in _load_backward_compatible\n  File \"<frozen zipimport>\", line 259, in load_module\n  File \"/tmp/ansible_ntnx_subnets_info_payload_mpaf5bgi/ansible_ntnx_subnets_info_payload.zip/ansible_collections/nutanix/ncp/plugins/module_utils/prism/prism.py\", line 5, in <module>\n  File \"<frozen importlib._bootstrap>\", line 991, in _find_and_load\n  File \"<frozen importlib._bootstrap>\", line 975, in _find_and_load_unlocked\n  File \"<frozen importlib._bootstrap>\", line 655, in _load_unlocked\n  File \"<frozen importlib._bootstrap>\", line 618, in _load_backward_compatible\n  File \"<frozen zipimport>\", line 259, in load_module\n  File \"/tmp/ansible_ntnx_subnets_info_payload_mpaf5bgi/ansible_ntnx_subnets_info_payload.zip/ansible_collections/nutanix/ncp/plugins/module_utils/entity.py\", line 13, in <module>\n  File \"<frozen importlib._bootstrap>\", line 991, in _find_and_load\n  File \"<frozen importlib._bootstrap>\", line 975, in _find_and_load_unlocked\n  File \"<frozen importlib._bootstrap>\", line 655, in _load_unlocked\n  File \"<frozen importlib._bootstrap>\", line 618, in _load_backward_compatible\n  File \"<frozen zipimport>\", line 259, in load_module\n  File \"/tmp/ansible_ntnx_subnets_info_payload_mpaf5bgi/ansible_ntnx_subnets_info_payload.zip/ansible/module_utils/urls.py\", line 115, in <module>\n  File \"/usr/lib/python3.8/site-packages/urllib3/contrib/pyopenssl.py\", line 46, in <module>\n    import OpenSSL.SSL\n  File \"/usr/local/lib/python3.8/site-packages/OpenSSL/__init__.py\", line 8, in <module>\n    from OpenSSL import crypto, SSL\n  File \"/usr/local/lib/python3.8/site-packages/OpenSSL/crypto.py\", line 1517, in <module>\n    class X509StoreFlags(object):\n  File \"/usr/local/lib/python3.8/site-packages/OpenSSL/crypto.py\", line 1537, in X509StoreFlags\n    CB_ISSUER_CHECK = _lib.X509_V_FLAG_CB_ISSUER_CHECK\nAttributeError: module 'lib' has no attribute 'X509_V_FLAG_CB_ISSUER_CHECK'\n",
  "exception": "Traceback (most recent call last):\n  File \"/root/.ansible/tmp/ansible-tmp-1694504214.889407-61-240849331705059/AnsiballZ_ntnx_subnets_info.py\", line 107, in <module>\n    _ansiballz_main()\n  File \"/root/.ansible/tmp/ansible-tmp-1694504214.889407-61-240849331705059/AnsiballZ_ntnx_subnets_info.py\", line 99, in _ansiballz_main\n    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n  File \"/root/.ansible/tmp/ansible-tmp-1694504214.889407-61-240849331705059/AnsiballZ_ntnx_subnets_info.py\", line 47, in invoke_module\n    runpy.run_module(mod_name='ansible_collections.nutanix.ncp.plugins.modules.ntnx_subnets_info', init_globals=dict(_module_fqn='ansible_collections.nutanix.ncp.plugins.modules.ntnx_subnets_info', _modlib_path=modlib_path),\n  File \"/usr/lib64/python3.8/runpy.py\", line 207, in run_module\n    return _run_module_code(code, init_globals, run_name, mod_spec)\n  File \"/usr/lib64/python3.8/runpy.py\", line 97, in _run_module_code\n    _run_code(code, mod_globals, init_globals,\n  File \"/usr/lib64/python3.8/runpy.py\", line 87, in _run_code\n    exec(code, run_globals)\n  File \"/tmp/ansible_ntnx_subnets_info_payload_mpaf5bgi/ansible_ntnx_subnets_info_payload.zip/ansible_collections/nutanix/ncp/plugins/modules/ntnx_subnets_info.py\", line 188, in <module>\n  File \"<frozen importlib._bootstrap>\", line 991, in _find_and_load\n  File \"<frozen importlib._bootstrap>\", line 975, in _find_and_load_unlocked\n  File \"<frozen importlib._bootstrap>\", line 655, in _load_unlocked\n  File \"<frozen importlib._bootstrap>\", line 618, in _load_backward_compatible\n  File \"<frozen zipimport>\", line 259, in load_module\n  File \"/tmp/ansible_ntnx_subnets_info_payload_mpaf5bgi/ansible_ntnx_subnets_info_payload.zip/ansible_collections/nutanix/ncp/plugins/module_utils/prism/subnets.py\", line 9, in <module>\n  File \"<frozen importlib._bootstrap>\", line 991, in _find_and_load\n  File \"<frozen importlib._bootstrap>\", line 975, in _find_and_load_unlocked\n  File \"<frozen importlib._bootstrap>\", line 655, in _load_unlocked\n  File \"<frozen importlib._bootstrap>\", line 618, in _load_backward_compatible\n  File \"<frozen zipimport>\", line 259, in load_module\n  File \"/tmp/ansible_ntnx_subnets_info_payload_mpaf5bgi/ansible_ntnx_subnets_info_payload.zip/ansible_collections/nutanix/ncp/plugins/module_utils/prism/clusters.py\", line 7, in <module>\n  File \"<frozen importlib._bootstrap>\", line 991, in _find_and_load\n  File \"<frozen importlib._bootstrap>\", line 975, in _find_and_load_unlocked\n  File \"<frozen importlib._bootstrap>\", line 655, in _load_unlocked\n  File \"<frozen importlib._bootstrap>\", line 618, in _load_backward_compatible\n  File \"<frozen zipimport>\", line 259, in load_module\n  File \"/tmp/ansible_ntnx_subnets_info_payload_mpaf5bgi/ansible_ntnx_subnets_info_payload.zip/ansible_collections/nutanix/ncp/plugins/module_utils/prism/prism.py\", line 5, in <module>\n  File \"<frozen importlib._bootstrap>\", line 991, in _find_and_load\n  File \"<frozen importlib._bootstrap>\", line 975, in _find_and_load_unlocked\n  File \"<frozen importlib._bootstrap>\", line 655, in _load_unlocked\n  File \"<frozen importlib._bootstrap>\", line 618, in _load_backward_compatible\n  File \"<frozen zipimport>\", line 259, in load_module\n  File \"/tmp/ansible_ntnx_subnets_info_payload_mpaf5bgi/ansible_ntnx_subnets_info_payload.zip/ansible_collections/nutanix/ncp/plugins/module_utils/entity.py\", line 13, in <module>\n  File \"<frozen importlib._bootstrap>\", line 991, in _find_and_load\n  File \"<frozen importlib._bootstrap>\", line 975, in _find_and_load_unlocked\n  File \"<frozen importlib._bootstrap>\", line 655, in _load_unlocked\n  File \"<frozen importlib._bootstrap>\", line 618, in _load_backward_compatible\n  File \"<frozen zipimport>\", line 259, in load_module\n  File \"/tmp/ansible_ntnx_subnets_info_payload_mpaf5bgi/ansible_ntnx_subnets_info_payload.zip/ansible/module_utils/urls.py\", line 115, in <module>\n  File \"/usr/lib/python3.8/site-packages/urllib3/contrib/pyopenssl.py\", line 46, in <module>\n    import OpenSSL.SSL\n  File \"/usr/local/lib/python3.8/site-packages/OpenSSL/__init__.py\", line 8, in <module>\n    from OpenSSL import crypto, SSL\n  File \"/usr/local/lib/python3.8/site-packages/OpenSSL/crypto.py\", line 1517, in <module>\n    class X509StoreFlags(object):\n  File \"/usr/local/lib/python3.8/site-packages/OpenSSL/crypto.py\", line 1537, in X509StoreFlags\n    CB_ISSUER_CHECK = _lib.X509_V_FLAG_CB_ISSUER_CHECK\nAttributeError: module 'lib' has no attribute 'X509_V_FLAG_CB_ISSUER_CHECK'\n",
  "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
  "rc": 1,
  "_ansible_no_log": false,
  "changed": false
}

Pruebas : He probado las siguientes pruebas para intentar resolverlo:

  • obtenga la última versión de criptografía y pyopenssl
  • rebajar la criptografía a 36.0.2/37.0.0 y la versión de pyopenssl a 22.0.0 como se ve en algunas publicaciones de stackoverflow
  • EJECUTE la actualización de pip3 en advanced_build_steps > anteponer el bloque en la creación de imágenes

Además hay algo que no entiendo:
Vi que el registro de errores menciona el archivo, \"/usr/lib/python3.8/site-packages/urllib3/contrib/pyopenssl.py pero cuando ejecuto un shell, la imagen de la ventana acoplable no es /usr/lib/python3.8 sino la carpeta python3.9.

Preguntas: Cuando inicio sesión en los pods AWX, descubrí que solo el pod awx-operator-controller-manager obtuvo esa ruta python3.8. Entonces, ¿cuál es la relación entre los pods AWX y la imagen EE cuando se intenta ejecutar un proyecto?

Acerca de pyopenssl, ¿qué otras pruebas/soluciones puedo probar?

Gracias !

Respuesta1

Finalmente fue mi error... Después de volver a crear la imagen EE, limpie mi repositorio y vuelva a enviarlo, funciona (todos los requisitos están actualizados)

Creo que presioné/tire de la imagen incorrecta mientras pruebo... de todos modos, ¡todo está bien!

información relacionada