1. Ansible Vault
1.1. Newer pycrypto required
Error Message/s:
- “ERROR: ansible-vault requires a newer version of pycrypto than the one installed on your platform”
- “ERROR! Vault password script path/to/script returned non-zero (1): None”
Reproduced on: CentOS 6
Software versions affected: ansible >= 2.4
How to reproduce? Download Ansible's RPM from the official website and install it. Then try using ansible-vault to encrypt something and the error message will appear.
Solution: Install EPEL's ansible package. It is patched to support previous versions of python-crypto (see [Kura14]).
    # Install epel repository
    yum install epel-release
    # Install pycrypto 2.6
    yum install python-crypto2.6
    # Install ansible from the EPEL repository
    yum install --enablerepo=epel ansible
2. Playbooks
2.1. Invalid user password
Error Message/s: None. The actual problem comes from a common misunderstanding of Ansible’s user module.
Reproduced on: CentOS 6
Software versions affected: any ansible version
How to reproduce? Create a playbook in which you use Ansible’s user module to assign a password to any user (or just create one) and pass the password to the module’s password argument. For example:
    ---
    - hosts: all
      tasks:
        - name:
          user:
            name: root
            password: 1234
Solution: Use the password's crypted value that would normally be placed inside /etc/shadow. For example:
    # Creating an MD5 hash using openssl
    openssl passwd -1
    Password: 1234
    Verifying - Password:
    $1$PmZtHS1g$yjx.gQWWFduYPzN/j1jdY

    # Creating a SHA-512 hash (the $6$ prefix) using python 2
    python -c "import random,string,crypt
    randomsalt = ''.join(random.sample(string.ascii_letters,8))
    print crypt.crypt('1234', '\$6\$%s\$' % randomsalt)"
    $6$DivYqPSU$zWxSRQhe4ImWhKRFDAIu/PPG4Fp0LC3Cbv3n.wDHMaDsjF4ZSvjOt98j5/qB7ONE3trcxtGeGgZqkYIKTKKJl/
If your playbook is under version control, consider using Ansible Vault to encrypt the hash, either as a string or by placing it inside a file and subsequently encrypting the file. If using the former, DO NOT press the return key after writing the hash; press [Ctrl] + [d] twice instead, so that no trailing newline becomes part of the encrypted value.
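A pre-commit style check for the mistake described in 2.1, as an added example that is not part of the original page: it flags user-module password values that are not crypt(3) hashes of the kind stored in /etc/shadow. The task data is constructed (a placeholder digest stands in for a real one), and the variable name root_password_hash is hypothetical.

```python
import re

# crypt(3) scheme id -> (name, expected digest length in characters)
SCHEMES = {"1": ("md5-crypt", 22), "5": ("sha256-crypt", 43), "6": ("sha512-crypt", 86)}
CRYPT_RE = re.compile(
    r"^\$(?P<id>[156])\$(?:rounds=\d+\$)?"
    r"(?P<salt>[./0-9A-Za-z]{1,16})\$(?P<digest>[./0-9A-Za-z]*)$"
)


def classify_password(value):
    """Classify a user-module password: ok, weak-hash, malformed, templated or plaintext."""
    text = str(value)  # YAML loads an unquoted 1234 as an integer
    if "{{" in text:
        return "templated"  # resolved at run time, e.g. from a vaulted variable
    match = CRYPT_RE.match(text)
    if match is None:
        return "plaintext"
    name, digest_len = SCHEMES[match.group("id")]
    if len(match.group("digest")) != digest_len:
        return "malformed"  # right prefix, but truncated or padded digest
    # md5-crypt is accepted in /etc/shadow but is no longer considered adequate
    return "weak-hash" if name == "md5-crypt" else "ok"


def audit_tasks(tasks):
    """Return (task index, user name, verdict) for every password that needs attention."""
    findings = []
    for index, task in enumerate(tasks):
        for module in ("user", "ansible.builtin.user"):
            args = task.get(module)
            if isinstance(args, dict) and "password" in args:
                verdict = classify_password(args["password"])
                if verdict not in ("ok", "templated"):
                    findings.append((index, args.get("name"), verdict))
    return findings


# Constructed sample: the task list a YAML loader would return for the playbook
# above, plus two corrected variants (placeholder digest, hypothetical variable).
SAMPLE_TASKS = [
    {"name": None, "user": {"name": "root", "password": 1234}},
    {"name": "hashed", "user": {"name": "root", "password": "$6$DivYqPSU$" + "A" * 86}},
    {"name": "vaulted", "user": {"name": "root", "password": "{{ root_password_hash }}"}},
]

if __name__ == "__main__":
    for finding in audit_tasks(SAMPLE_TASKS):
        print(finding)
```

Only the first sample task is reported; the hashed and templated variants pass.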
References
[Kura14] Kuratomi, Toshio: [ansible/el6] Fix ansible-vault for newer python-crypto dependency. fedoraproject.org, March 14 2014. Retrieved September 13, 2018 from https://lists.fedoraproject.org/pipermail/scm-commits/Week-of-Mon-20140310/1207203.html