Ansible 2.0 VMWare modules


Larry Smith
Jan 13, 2016, 12:54:29 PM
to Ansible Project
Just getting started messing with these new 2.0 VMWare modules and seem to be stuck on an SSL error. Anyone know how to get around this? Any info would be much appreciated.

fatal: [localhost -> localhost]: FAILED! => {"apierror": "[Errno 1] _ssl.c:510: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed", "changed": false, "failed": true, "msg": "Unable to connect to vCenter or ESXi API on TCP/443."}


---
- hosts: all
  connection: local
  become: false
  vars:
    - datacenter_name: 'LAB'
    - esxi_user: 'root'
    - esxi_pass: 'vmware'
    - pri_domain_name: 'everythingshouldbevirtual.local'
    - vcenter_host: 'vcsa.{{ pri_domain_name }}'
  tasks:
    - name: create DataCenter
      local_action: >
        vmware_datacenter
        hostname="{{ vcenter_host }}"
        username="{{ esxi_user }}"
        password="{{ esxi_pass }}"
        datacenter_name="{{ datacenter_name }}"
        state=present

Marcus Franke
Jan 14, 2016, 3:35:47 AM
to Ansible Project
Hi,

By default VMware uses a self-signed certificate for the vCenter web interface.

You could replace it with an official one that has a trust anchor your system can verify, or configure your play not to verify the certificate, if that is possible; I have never used that module myself.

Regards,
Marcus



Larry Smith
Jan 15, 2016, 1:09:03 AM
to Ansible Project
Yup. I know about the default self-signed but I would assume that either pyvmomi module and/or the Ansible documentation might explain on how to get around this error. Especially just for testing purposes. Thanks for the reply though.

Brian Coca
Jan 15, 2016, 1:25:42 AM
to Ansible Project
We should add a validate_certs=yes|no option, as we do in other modules.

--
Brian Coca

Larry Smith
Jan 15, 2016, 11:31:38 AM
to Ansible Project
Absolutely that would be the way to do this.

Brian Coca
Jan 15, 2016, 11:35:47 AM
to Ansible Project
vsphere_copy already supports this, though we really should do it in the module_utils shared code.

Kesten Broughton
Jan 15, 2016, 12:30:23 PM
to Ansible Project
vsphere_guest is based on pysphere and the ansible-extra-modules VMware modules are based on psphere (both of which are largely abandoned),
but this PR for pyVmomi, which is supported by VMware, should work.

A thing you could do, but shouldn't do for security reasons, is to note from the error which site-packages directory it is failing in.
Then add the following to the bottom of the sitecustomize.py file therein:

import ssl

try:
    _create_unverified_https_context = ssl._create_unverified_context
except AttributeError:
    # Legacy Python that doesn't verify HTTPS certificates by default
    pass
else:
    # Handle target environment that doesn't support HTTPS verification
    ssl._create_default_https_context = _create_unverified_https_context

cp...@ansible.com
Jan 15, 2016, 6:40:51 PM
to Ansible Project
I am currently testing a PR for module_utils/vmware.py which adds 'validate_certs' as an argument.

jess....@ext.airbnb.com
Jan 22, 2016, 9:23:05 PM
to Ansible Project
I ran into a need for this today.  How goes your testing?  Need any help?

Thanks,

-- Jess

Larry Smith
Jan 25, 2016, 10:29:32 PM
to Ansible Project
Awesome... Looking forward to the outcome... I really do not want to hack any Python modules to make it work, but I understand if that is the only way short-term.

Kesten Broughton
Jan 26, 2016, 3:56:51 PM
to Ansible Project
Looking forward to this patch!

For those testing VMware, I've added a few features to the vmware.py dynamic inventory which the ec2.py inventory comes with but which were sorely missing in vmware.py: instance_filters and --refresh-cache, plus a bug fix that allows cache_dir to be found.

https://github.com/ansible/ansible/pull/14136

If anyone is interested, I also added some hacky tag support by parsing the guest name and searching for specific tags that can be set in vmware.ini.
Then guests with the correct names will be put into Ansible groups that can be mapped to roles in a vmware_hosts file.

I will make a separate PR for this if folks are interested, but it's sort of a hack until vsphere_guest supports tags. Right now it suggests that it has 'notes', but none showed up for me.


    def _get_vm_info(self, vm, prefix='vmware'):
        '''
        Return a flattened dict with info about the given virtual machine.
        '''
        vm_info = {
            'name': vm.name,
        }
        vm_info['class_tag'] = self._parse_name_for_server_class(vm.name)

    def _parse_name_for_server_class(self, guest_name):
        '''
        This is a hack to get around lack of support for tags.

        Embed the tag in the name and parse it to set the server class - worker, master, server
        Then map the simple group to the roles in the vmware_inventory/vmware_hosts file
        @param guest_name: name of vmware guest instance.  Corresponds to guest field in vsphere_guest.
        '''
        # this could probably be read in from vmware.ini file but fine for now
        DEFINED_SERVER_CLASS_TAGS = ['master', 'server', 'worker', 'solutions']

        for class_tag in DEFINED_SERVER_CLASS_TAGS:
            if guest_name.find(class_tag) != -1:
                return class_tag
        return None


at the bottom of
def get_inventory():

                # Group by class_tag
                # vm can only be in one class
                vm_class_tag = vm_info.get('vmware_class_tag', None)
                if vm_class_tag:
                    self._add_child(inv, vm_group, 'class_tag')
                    self._add_child(inv, 'class_tag', vm_class_tag)
                    self._add_host(inv, vm_class_tag, vm.name)

kamil.s...@intel.com
Jan 27, 2016, 3:23:42 PM
to Ansible Project
I've added a skip_ssl argument to module_utils/vmware.py. Perhaps that's not the best implementation...

Jonathan Frappier
Feb 15, 2016, 11:49:18 AM
to Ansible Project
Where do you suggest adding validate_certs=false? It wasn't obvious to me.


kamil.s...@intel.com
Feb 15, 2016, 11:52:55 AM
to Ansible Project
My PR for validate_certs was merged to the master branch (https://github.com/ansible/ansible/pull/14261). I suggest using devel, as it's already reviewed and merged (add validate_certs=false as a param for the module you're using).

jonathan frappier
Feb 15, 2016, 12:09:02 PM
to ansible...@googlegroups.com
Curious if anyone else has had luck with this in devel? I get "unsupported parameter for module: validate_certs"

   - name: Add ESXi host to vCenter
     local_action:
       module: vmware_host
       hostname: "{{ vcenter }}"
       username: admini...@vsphere.local
       password: xxxx
       datacenter_name: "{{ dc }}"
       cluster_name: "{{ cl }}"
       esxi_hostname: "{{ esxi }}"
       esxi_username: xxxx
       esxi_password: xxxx
       state: present
       validate_certs: false

kamil.s...@intel.com
Feb 15, 2016, 12:16:02 PM
to Ansible Project
I've just cloned and installed from devel - works for me.

jonathan frappier
Feb 15, 2016, 12:18:03 PM
to ansible...@googlegroups.com

With VMware_host or another module?

kamil.s...@intel.com
Feb 15, 2016, 12:19:55 PM
to Ansible Project
I've copied the playbook you've pasted, modified credentials and it works.

---
- hosts: localhost
  tasks:
    - name: Add ESXi host to vCenter
      local_action:
        module: vmware_host
        hostname: ip
        username: admini...@vsphere.local
        password: xxxx
        datacenter_name: dc
        cluster_name: mgmt
        esxi_hostname: ip
        esxi_username: xxxx
        esxi_password: xxxx
        state: present
        validate_certs: false


jonathan frappier
Feb 15, 2016, 12:32:05 PM
to ansible...@googlegroups.com

Thanks! Really appreciate it, I'll poke at my local environment more.

jonathan frappier
Feb 18, 2016, 8:56:45 AM
to ansible...@googlegroups.com
So I've tried with two different environments, one with vSphere 6 and one with 5.5, and it doesn't seem to work. It always comes back with [SSL: CERTIFICATE_VERIFY_FAILED] even when it is set to false.

Vinson Xing
Mar 5, 2016, 4:52:46 PM
to Ansible Project
I installed Ansible from the devel branch and I got the same issue even with validate_certs set to false.
My test environment:

Ubuntu: 14.04
Python: 2.7.6
vSphere 5.5

jonathan frappier
Mar 5, 2016, 5:06:17 PM
to ansible...@googlegroups.com

I'll add that I also tried on Ubuntu 15.04 with Python 2.7.10.


Larry Smith
Mar 9, 2016, 10:34:13 AM
to Ansible Project
So it appears this is still an issue? It would be awesome to get this fixed in the GA release so we can proceed with testing out the modules without hacks. Also, not assuming that every environment uses self-signed certs should have been considered initially?

Julian Barnett
Mar 10, 2016, 6:08:51 PM
to Ansible Project
I've been struggling with these SSL CERTIFICATE_VERIFY_FAILED issues also. I can't get validate_certs: false to work; I've even downloaded the unsigned cert, converted it to PEM, added it to /usr/local/etc/openssl/certs and run /usr/local/opt/openssl/bin/c_rehash, to no avail. Something is definitely broken with the validate_certs parameter (at least on my OSX machine running Python 2.7.11 and Ansible 2.0.1.0).

The only way I've found to get this working, which might work for you guys, is to open up the following file:

./ansible/modules/core/cloud/vmware/vsphere_guest.py (or whichever VMware module you're using that connects via SSL).

This file is usually located in your /Library/Python/2.7/site-packages/ folder (OSX)
or 
/usr/lib/python2.7/site-packages/ (redhat/centos)

And ADD the following lines below the initial comments:

import requests, ssl
requests.packages.urllib3.disable_warnings()
try:
    _create_unverified_https_context = ssl._create_unverified_context
except AttributeError:
    pass
else:
    ssl._create_default_https_context = _create_unverified_https_context

Also, make sure you have the requests module installed.

Hope this gets fixed soon, but in the meantime that should work to completely disable SSL verification and make everything super insecure :)

jonathan frappier
Mar 10, 2016, 6:10:59 PM
to ansible...@googlegroups.com

Thanks for the tips, Julian! Hoping to show this off at work without any hacks. I don't want it to come off as glitchy and unsupportable.

kamil.s...@intel.com
Mar 15, 2016, 5:00:44 AM
to Ansible Project
I've tested it with the same configuration and I can confirm it's not working. I'll try to fix it by the end of the week.

kamil.s...@intel.com
Mar 16, 2016, 4:38:35 AM
to Ansible Project
I've created a PR with a small fix (https://github.com/ansible/ansible/pull/14988) that I've tested with Ubuntu 15.10/14.04 and Python 2.7.11. This should resolve the issue with Python > 2.7.9. I'm not sure about older Python, since it shouldn't validate certificates in the first place.

Kamil
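The sitecustomize.py and vsphere_guest.py edits posted earlier in this thread switch off certificate checking for every HTTPS client in the interpreter. An added example (not code from the thread or from Ansible) of what a validate_certs option in module_utils needs to do instead: build one SSLContext per connection, accept a private CA bundle as a trust anchor, and recognise the thread's two error formats so the failure message names the real cause. The pyVmomi import, the `ca_file` parameter and the `sslContext=` keyword of SmartConnect are assumptions about the caller's environment.

```python
import ssl

# Substrings from the two error formats quoted in this thread (the OpenSSL 1.0 text
# and the Python 2.7.9+ "[SSL: CERTIFICATE_VERIFY_FAILED]" form).
CERT_VERIFY_MARKERS = ("CERTIFICATE_VERIFY_FAILED", "certificate verify failed")


def is_cert_verify_failure(error_text):
    """True when a 'cannot connect' error is really a failed certificate check."""
    return any(marker in error_text for marker in CERT_VERIFY_MARKERS)


def build_vcenter_ssl_context(validate_certs=True, ca_file=None):
    """Context to pass as SmartConnect(sslContext=...), scoped to this connection.

    validate_certs=True  -> chain and hostname are checked; ca_file (assumed path to
                            the vCenter CA in PEM form) adds a private trust anchor
                            without editing the OS certificate store.
    validate_certs=False -> no checks, but only for this context, not process-wide.
    A missing ca_file raises rather than silently degrading to no verification.
    """
    if validate_certs:
        return ssl.create_default_context(cafile=ca_file)  # raises if ca_file is absent
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def explain_failure(error_text, validate_certs):
    """Replace the generic 'Unable to connect on TCP/443' with an actionable message."""
    if validate_certs and is_cert_verify_failure(error_text):
        return ("vCenter presented a certificate that is not trusted; install its CA as a "
                "trust anchor (ca_file) or, for a lab only, set validate_certs=false")
    return "Unable to connect to vCenter or ESXi API on TCP/443: " + error_text


def connect_vcenter(host, user, pwd, validate_certs=True, ca_file=None):
    """Connect through pyVmomi (assumed installed; imported lazily) with the context above."""
    from pyVim import connect  # not needed for the offline checks of the helpers
    ctx = build_vcenter_ssl_context(validate_certs, ca_file)
    try:
        return connect.SmartConnect(host=host, user=user, pwd=pwd, sslContext=ctx)
    except Exception as exc:
        raise RuntimeError(explain_failure(str(exc), validate_certs)) from exc
```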

jonathan frappier
Mar 16, 2016, 8:10:02 AM
to ansible...@googlegroups.com

Thanks, look forward to testing. As I sit here now, I also wonder if this is a pyVmomi specific issue...


kamil.s...@intel.com
Mar 16, 2016, 8:49:26 AM
to Ansible Project
I had the same thing on my mind this morning, but I'm not certain if this is a pyvmomi issue.

Kamil

jonathan frappier
Mar 16, 2016, 9:01:49 AM
to ansible...@googlegroups.com
In any case, thank you so much for looking into it. I'll keep an eye on the PR to see when it is merged.

Kamil Szczygieł
Mar 16, 2016, 9:08:52 AM
to Ansible Project
If you'd like to try it out ASAP, my fork is up to date with ansible main devel.

Kamil

Ben Lutgens
Mar 17, 2016, 8:10:17 AM
to Ansible Project
That would be fantastic. I think there's a great deal of people using self-signed certs with vsphere.


Vijay Misra
May 14, 2017, 3:58:32 PM
to Ansible Project
Hi Jonathan,

I was so happy to see this post. I have struggled for almost a day with this but could not resolve it.
Did you have any luck with this issue?

Thanks,
Vijay

Vijay Misra
May 14, 2017, 3:58:38 PM
to Ansible Project
Hi Kamil,

I am facing a similar issue related to the certificate. :( Do you know the solution?

Thanks,
Vijay

jonathan frappier
May 14, 2017, 4:05:41 PM
to ansible...@googlegroups.com
Hi Vijay,

I have a friend who may have a solution, though I have not been able to test it. You can try adding the below into the file /usr/lib/python2.7/site-packages/pyVim/connect.py:

try:
    if sslContext is not None and sslContext.verify_mode == ssl.CERT_NONE:
        sock = requests.get(url, verify=False)
    else:
        sock = requests.get(url, verify=False)
