Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

aixPb: Fixes for Users task in aix playbook #3087

Merged
merged 5 commits into from
Dec 5, 2024

Conversation

Haroon-Khel
Copy link
Contributor

@Haroon-Khel Haroon-Khel commented Jun 2, 2023

  • commit message has one of the standard prefixes
  • faq.md updated if appropriate
  • other documentation is changed or added (if applicable)
  • playbook changes run through VPC or QPC (if you have access)
  • VPC/QPC not applicable for this PR
  • for inventory.yml changes, bastillion/nagios/jenkins updated accordingly

ref #3086

The Set authorized key for jenkins user should not be running on localhost (ie the ansible controller). It should run on the node, hence why it was failing.

TASK [users : Set authorized key for jenkins user] *****************************
fatal: [test-osuosl-aix715-ppc64-1 -> localhost]: FAILED! => {"changed": false, "msg": "Failed to lookup user jenkins: 
\"getpwnam(): name not found: 'jenkins'\""}

I also removed an unnecessary warning which had a condition that did not work anyway

Copy link
Member

@sxa sxa left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why has the warning for jenkins been left in but removed for the zeus user?

@Haroon-Khel
Copy link
Contributor Author

Haroon-Khel commented Jun 2, 2023

Not sure, I'll remove the jenkins one too. The warning messages are unnecessary since to get the warning message to appear, the task must fail, but if the task fails the playbook will stop and not reach the warning message

@sxa sxa requested a review from aixtools June 2, 2023 16:19
@aixtools
Copy link
Contributor

aixtools commented Jun 5, 2023

The reason for the tests, and the warning message, and the reason for the "localhost" was because I have never had the key access that you guys have.

The zeus file is different - probably because "Superuser_Account" was not, or is not Enabled - so I did not catch the differences.

Back to jenkins - and why the warning message is needed: so that someone NOT part of the ojdk/adoptium infrastructure can run these without them bring the system to a halt. I had tested jenkins with a "local" repository.

As such: it appears the the delegate to localhost may be wrong in the 'task' set authorized key.

IMHO: the warnings have a purpose (see above), but it is your call.

I'll rework above into my review.

Copy link
Contributor

@aixtools aixtools left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Warnings are for a reason. The idea here is that not everyone is adoptium - and won't have the access or need to integrate with jenkins.

The three tasks are:
a) check if I have access to key (needs to be done localhost aka ansible master)
b) ensure jenkins authorization is present IF (when:) I have access to the key
c) warn about jenkins (but let playbook proceed) when ther eis no access to the key OR the insertion succeeded.

My preference is to keep the warnings - hence request changes. The goal is that both conditions are tested and if either fails - warn.

The needed change in zeus is to delegate the first task (initial lookup) to localhost.

@Haroon-Khel
Copy link
Contributor Author

My personal preference, for users who do not have access to the keys and other vendor_files, is to skip running those roles entirely, that way we dont end up with half a role being run.

One the reasons I removed the warnings is because their when condition did not work. jenkins_pubkey.skipped for example

fatal: [test-osuosl-aix715-ppc64-1]: FAILED! => {"msg": "The conditional check 'jenkins_pubkey is defined and (jenkins_pubkey.skipped == true or jenkins_pubkey.failed == true)' failed. The error was: error while evaluating conditional (jenkins_pubkey is defined and (jenkins_pubkey.skipped == true or jenkins_pubkey.failed == true)): 'dict object' has no 
attribute 'skipped'\n\nThe error appears to be in 
'/tmp/awx_1319_9_q0jfjc/project/ansible/playbooks/AdoptOpenJDK_AIX_Playbook/roles/users/tasks/jenkins.yml': line 21, 
column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to 
be:\n\n\n- name: Warn about missing authorization for jenkins\n  ^ here\n"}

@aixtools
Copy link
Contributor

aixtools commented Jun 6, 2023 via email

@sxa
Copy link
Member

sxa commented Dec 4, 2024

My personal preference, for users who do not have access to the keys and other vendor_files, is to skip running those roles entirely, that way we dont end up with half a role being run.

I think that's reasonable - typically someone without access to the adoptium secret data would be expected to run with --skip-tags adoptopenjdk (At some point we should probably switch that to adoptium, or update to allow both for now!)

Copy link
Member

@sxa sxa left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since the primary purpose of this is to remove the (incorrect) delegate_to: localhost I'm approving this so it can go in. Anything further from teh reviews can be covered in separate issues/PRs if desired.

Copy link
Contributor

@steelhead31 steelhead31 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good.

@Haroon-Khel Haroon-Khel merged commit 028773c into adoptium:master Dec 5, 2024
7 checks passed
mahdipub pushed a commit to mahdipub/infrastructure that referenced this pull request Dec 5, 2024
* remove localhost delegation from jenkins key task

* fix condition

* remove unnecessary warning

* remove warning message for jenkins key

---------

Co-authored-by: Martijn Verburg <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants