使用 pyopenssl 自訂 EE 映像時出現 AWX 錯誤 X509

tag-icon tag-icon ansible python openssl ansible-tower
使用 pyopenssl 自訂 EE 映像時出現 AWX 錯誤 X509

我目前正在設定一個託管在 K8s 叢集上的 AWX 平台,以獲得適合多用戶目的的 UI + 功能。

情境 :
我創建了一個推送到AWX 使用的Nexus 儲存庫上的EE 映像,以便擁有Ansible 專案所需的所有ansible Galaxy 集合(nutanix.ncp、community.hashi_vault、community.windows 和ansible.windows)+ pip 模組(ansible -pylibssh) 、hvac、paramiko、pexpect、pykerberos、pywinrm、密碼學、pyopenssl)。

EE 鏡像創建和推/拉都可以。如果需要,我可以分享requirements.yml和requirements.txt檔案。

這是可供參考的execution-environment.yml:

---
version: 1

build_arg_defaults:
  EE_BASE_IMAGE: 'quay.io/ansible/awx-ee:latest'

dependencies:
  galaxy: requirements.yml
  python: requirements.txt

additional_build_steps:
  prepend: |
    RUN python3 -m pip install --upgrade pip
    RUN pip3 install --upgrade pip setuptools
    RUN whoami
    RUN cat /etc/os-release

  append:
  - RUN ls -la /etc

然後,當我使用此 EE 映像在 AWX 上設定專案時,它會因 X509_V_FLAG_CB_ISSUER_CHECK 錯誤而失敗:

{
  "module_stdout": "",
  "module_stderr": "Traceback (most recent call last):\n  File \"/root/.ansible/tmp/ansible-tmp-1694504214.889407-61-240849331705059/AnsiballZ_ntnx_subnets_info.py\", line 107, in <module>\n    _ansiballz_main()\n  File \"/root/.ansible/tmp/ansible-tmp-1694504214.889407-61-240849331705059/AnsiballZ_ntnx_subnets_info.py\", line 99, in _ansiballz_main\n    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n  File \"/root/.ansible/tmp/ansible-tmp-1694504214.889407-61-240849331705059/AnsiballZ_ntnx_subnets_info.py\", line 47, in invoke_module\n    runpy.run_module(mod_name='ansible_collections.nutanix.ncp.plugins.modules.ntnx_subnets_info', init_globals=dict(_module_fqn='ansible_collections.nutanix.ncp.plugins.modules.ntnx_subnets_info', _modlib_path=modlib_path),\n  File \"/usr/lib64/python3.8/runpy.py\", line 207, in run_module\n    return _run_module_code(code, init_globals, run_name, mod_spec)\n  File \"/usr/lib64/python3.8/runpy.py\", line 97, in _run_module_code\n    _run_code(code, mod_globals, init_globals,\n  File \"/usr/lib64/python3.8/runpy.py\", line 87, in _run_code\n    exec(code, run_globals)\n  File \"/tmp/ansible_ntnx_subnets_info_payload_mpaf5bgi/ansible_ntnx_subnets_info_payload.zip/ansible_collections/nutanix/ncp/plugins/modules/ntnx_subnets_info.py\", line 188, in <module>\n  File \"<frozen importlib._bootstrap>\", line 991, in _find_and_load\n  File \"<frozen importlib._bootstrap>\", line 975, in _find_and_load_unlocked\n  File \"<frozen importlib._bootstrap>\", line 655, in _load_unlocked\n  File \"<frozen importlib._bootstrap>\", line 618, in _load_backward_compatible\n  File \"<frozen zipimport>\", line 259, in load_module\n  File \"/tmp/ansible_ntnx_subnets_info_payload_mpaf5bgi/ansible_ntnx_subnets_info_payload.zip/ansible_collections/nutanix/ncp/plugins/module_utils/prism/subnets.py\", line 9, in <module>\n  File \"<frozen importlib._bootstrap>\", line 991, in _find_and_load\n  File \"<frozen importlib._bootstrap>\", line 975, in _find_and_load_unlocked\n  File \"<frozen importlib._bootstrap>\", line 655, in _load_unlocked\n  File \"<frozen importlib._bootstrap>\", line 618, in _load_backward_compatible\n  File \"<frozen zipimport>\", line 259, in load_module\n  File \"/tmp/ansible_ntnx_subnets_info_payload_mpaf5bgi/ansible_ntnx_subnets_info_payload.zip/ansible_collections/nutanix/ncp/plugins/module_utils/prism/clusters.py\", line 7, in <module>\n  File \"<frozen importlib._bootstrap>\", line 991, in _find_and_load\n  File \"<frozen importlib._bootstrap>\", line 975, in _find_and_load_unlocked\n  File \"<frozen importlib._bootstrap>\", line 655, in _load_unlocked\n  File \"<frozen importlib._bootstrap>\", line 618, in _load_backward_compatible\n  File \"<frozen zipimport>\", line 259, in load_module\n  File \"/tmp/ansible_ntnx_subnets_info_payload_mpaf5bgi/ansible_ntnx_subnets_info_payload.zip/ansible_collections/nutanix/ncp/plugins/module_utils/prism/prism.py\", line 5, in <module>\n  File \"<frozen importlib._bootstrap>\", line 991, in _find_and_load\n  File \"<frozen importlib._bootstrap>\", line 975, in _find_and_load_unlocked\n  File \"<frozen importlib._bootstrap>\", line 655, in _load_unlocked\n  File \"<frozen importlib._bootstrap>\", line 618, in _load_backward_compatible\n  File \"<frozen zipimport>\", line 259, in load_module\n  File \"/tmp/ansible_ntnx_subnets_info_payload_mpaf5bgi/ansible_ntnx_subnets_info_payload.zip/ansible_collections/nutanix/ncp/plugins/module_utils/entity.py\", line 13, in <module>\n  File \"<frozen importlib._bootstrap>\", line 991, in _find_and_load\n  File \"<frozen importlib._bootstrap>\", line 975, in _find_and_load_unlocked\n  File \"<frozen importlib._bootstrap>\", line 655, in _load_unlocked\n  File \"<frozen importlib._bootstrap>\", line 618, in _load_backward_compatible\n  File \"<frozen zipimport>\", line 259, in load_module\n  File \"/tmp/ansible_ntnx_subnets_info_payload_mpaf5bgi/ansible_ntnx_subnets_info_payload.zip/ansible/module_utils/urls.py\", line 115, in <module>\n  File \"/usr/lib/python3.8/site-packages/urllib3/contrib/pyopenssl.py\", line 46, in <module>\n    import OpenSSL.SSL\n  File \"/usr/local/lib/python3.8/site-packages/OpenSSL/__init__.py\", line 8, in <module>\n    from OpenSSL import crypto, SSL\n  File \"/usr/local/lib/python3.8/site-packages/OpenSSL/crypto.py\", line 1517, in <module>\n    class X509StoreFlags(object):\n  File \"/usr/local/lib/python3.8/site-packages/OpenSSL/crypto.py\", line 1537, in X509StoreFlags\n    CB_ISSUER_CHECK = _lib.X509_V_FLAG_CB_ISSUER_CHECK\nAttributeError: module 'lib' has no attribute 'X509_V_FLAG_CB_ISSUER_CHECK'\n",
  "exception": "Traceback (most recent call last):\n  File \"/root/.ansible/tmp/ansible-tmp-1694504214.889407-61-240849331705059/AnsiballZ_ntnx_subnets_info.py\", line 107, in <module>\n    _ansiballz_main()\n  File \"/root/.ansible/tmp/ansible-tmp-1694504214.889407-61-240849331705059/AnsiballZ_ntnx_subnets_info.py\", line 99, in _ansiballz_main\n    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n  File \"/root/.ansible/tmp/ansible-tmp-1694504214.889407-61-240849331705059/AnsiballZ_ntnx_subnets_info.py\", line 47, in invoke_module\n    runpy.run_module(mod_name='ansible_collections.nutanix.ncp.plugins.modules.ntnx_subnets_info', init_globals=dict(_module_fqn='ansible_collections.nutanix.ncp.plugins.modules.ntnx_subnets_info', _modlib_path=modlib_path),\n  File \"/usr/lib64/python3.8/runpy.py\", line 207, in run_module\n    return _run_module_code(code, init_globals, run_name, mod_spec)\n  File \"/usr/lib64/python3.8/runpy.py\", line 97, in _run_module_code\n    _run_code(code, mod_globals, init_globals,\n  File \"/usr/lib64/python3.8/runpy.py\", line 87, in _run_code\n    exec(code, run_globals)\n  File \"/tmp/ansible_ntnx_subnets_info_payload_mpaf5bgi/ansible_ntnx_subnets_info_payload.zip/ansible_collections/nutanix/ncp/plugins/modules/ntnx_subnets_info.py\", line 188, in <module>\n  File \"<frozen importlib._bootstrap>\", line 991, in _find_and_load\n  File \"<frozen importlib._bootstrap>\", line 975, in _find_and_load_unlocked\n  File \"<frozen importlib._bootstrap>\", line 655, in _load_unlocked\n  File \"<frozen importlib._bootstrap>\", line 618, in _load_backward_compatible\n  File \"<frozen zipimport>\", line 259, in load_module\n  File \"/tmp/ansible_ntnx_subnets_info_payload_mpaf5bgi/ansible_ntnx_subnets_info_payload.zip/ansible_collections/nutanix/ncp/plugins/module_utils/prism/subnets.py\", line 9, in <module>\n  File \"<frozen importlib._bootstrap>\", line 991, in _find_and_load\n  File \"<frozen importlib._bootstrap>\", line 975, in _find_and_load_unlocked\n  File \"<frozen importlib._bootstrap>\", line 655, in _load_unlocked\n  File \"<frozen importlib._bootstrap>\", line 618, in _load_backward_compatible\n  File \"<frozen zipimport>\", line 259, in load_module\n  File \"/tmp/ansible_ntnx_subnets_info_payload_mpaf5bgi/ansible_ntnx_subnets_info_payload.zip/ansible_collections/nutanix/ncp/plugins/module_utils/prism/clusters.py\", line 7, in <module>\n  File \"<frozen importlib._bootstrap>\", line 991, in _find_and_load\n  File \"<frozen importlib._bootstrap>\", line 975, in _find_and_load_unlocked\n  File \"<frozen importlib._bootstrap>\", line 655, in _load_unlocked\n  File \"<frozen importlib._bootstrap>\", line 618, in _load_backward_compatible\n  File \"<frozen zipimport>\", line 259, in load_module\n  File \"/tmp/ansible_ntnx_subnets_info_payload_mpaf5bgi/ansible_ntnx_subnets_info_payload.zip/ansible_collections/nutanix/ncp/plugins/module_utils/prism/prism.py\", line 5, in <module>\n  File \"<frozen importlib._bootstrap>\", line 991, in _find_and_load\n  File \"<frozen importlib._bootstrap>\", line 975, in _find_and_load_unlocked\n  File \"<frozen importlib._bootstrap>\", line 655, in _load_unlocked\n  File \"<frozen importlib._bootstrap>\", line 618, in _load_backward_compatible\n  File \"<frozen zipimport>\", line 259, in load_module\n  File \"/tmp/ansible_ntnx_subnets_info_payload_mpaf5bgi/ansible_ntnx_subnets_info_payload.zip/ansible_collections/nutanix/ncp/plugins/module_utils/entity.py\", line 13, in <module>\n  File \"<frozen importlib._bootstrap>\", line 991, in _find_and_load\n  File \"<frozen importlib._bootstrap>\", line 975, in _find_and_load_unlocked\n  File \"<frozen importlib._bootstrap>\", line 655, in _load_unlocked\n  File \"<frozen importlib._bootstrap>\", line 618, in _load_backward_compatible\n  File \"<frozen zipimport>\", line 259, in load_module\n  File \"/tmp/ansible_ntnx_subnets_info_payload_mpaf5bgi/ansible_ntnx_subnets_info_payload.zip/ansible/module_utils/urls.py\", line 115, in <module>\n  File \"/usr/lib/python3.8/site-packages/urllib3/contrib/pyopenssl.py\", line 46, in <module>\n    import OpenSSL.SSL\n  File \"/usr/local/lib/python3.8/site-packages/OpenSSL/__init__.py\", line 8, in <module>\n    from OpenSSL import crypto, SSL\n  File \"/usr/local/lib/python3.8/site-packages/OpenSSL/crypto.py\", line 1517, in <module>\n    class X509StoreFlags(object):\n  File \"/usr/local/lib/python3.8/site-packages/OpenSSL/crypto.py\", line 1537, in X509StoreFlags\n    CB_ISSUER_CHECK = _lib.X509_V_FLAG_CB_ISSUER_CHECK\nAttributeError: module 'lib' has no attribute 'X509_V_FLAG_CB_ISSUER_CHECK'\n",
  "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
  "rc": 1,
  "_ansible_no_log": false,
  "changed": false
}

測試: 我已嘗試以下測試來嘗試解決它:

  • 取得最新版本的密碼學和 pyopenssl
  • 將加密技術降級至 36.0.2/37.0.0,將 pyopenssl 版本降級至 22.0.0,如某些 stackoverflow 帖子中所示
  • 在鏡像建立中的additional_build_steps > prepend區塊上執行pip3升級

另外,還有一點不太明白:
我看到錯誤日誌提到了該檔案\"/usr/lib/python3.8/site-packages/urllib3/contrib/pyopenssl.py 但是當我運行 shell docker 映像時沒有 /usr/lib/python3.8 但有 python3.9 資料夾。

問題: 當我登入 AWX pod 時,我發現只有 awx-operator-controller-manager pod 獲得了該路徑 python3.8 路徑。那麼,在嘗試執行專案時,AWX pods/EE 映像之間的關係是什麼?

關於 pyopenssl,我還可以測試哪些其他測試/解決方案?

謝謝 !

答案1

最後這是我的錯誤...重新建立 EE 映像後,清理我的儲存庫並再次推送它,它可以工作(每個要求都是最新的)

我想我在測試時推/拉了錯誤的圖像..無論如何,一切都很好!

相關內容