Ansible request for CentOS6 adoptopenjdk_install role #1877
Comments
Replicated problem on local CentOS6 VM. Looking at doing as the Issue suggests, and updating Python to 2.7.9, however, we'll still have to ensure the GH check and the VPC machine has Python 2.7.9 |
Hmm, installing |
Oh - my mistake - the error message is talking about the CentOS6 Python install, I think. |
I've made a Python 2.7.9 install role, which can be seen at https://github.com/Willsparker/openjdk-infrastructure/tree/1877 . Currently testing with |
https://ci.adoptopenjdk.net/job/VagrantPlaybookCheck/1005/ |
Okay, yep, scrap the Python 2.7.9 idea. I'll put the yaml here, just in case we ever want to come back to it:
Onwards |
Okay, I tried installing the 4 pip modules that the error message suggests, and while installing
And much the same error message installing
|
You're trying things with ancient versions of pip. |
Yeah ... it may be worth bringing up the conversation of running our playbooks on Python 3. |
On a fresh Vagrant VM:
🤦 |
I'm just testing to see if |
It isn't - the API server redirects to github. I would possibly be ok with ignoring the cert if either we verified a checksum on the download, although that would need to be updated on each release and the role is currently generic across all versions and platforms so that's non-trivial |
Yeah, as you say, it's non trivial - I'd prefer to work on finding the fix over finding the optimal workaround :-) I may go back to building Python 2.7.9 as part of the playbook and dealing with the problems from that. |
Okay, so the issue I'm having when using Python 3.6.10 on a CentOS6 VM is as follows:
Note for future me: You can force the ansible_python_interpreter by using Apparently this is a known issue of the |
From what I can see, CentOS6's Yum is dependent on Python2.6, and so we can't just globally set the |
If the problem is only the missing Let's Encrypt root certificate, you should be able to put those somewhere in /etc, invoke some tool, and CentOS should re-generate the trust stores for all tools (see https://manuals.gfi.com/en/kerio/connect/content/server-configuration/ssl-certificates/adding-trusted-root-certificates-to-the-server-1605.html). That's the short-term solution. The long-term solution is to do what Oracle does: Install a CentOS 6 sysroot onto a CentOS 7 system. |
Ah okay... I googled a bit, and found that the SSL Cert can be found with |
You want ISRG Root X1, and ISRG Root X2 from https://letsencrypt.org/certificates/. |
Do you know how I can retrieve them from the command line? The command I put above doesn't output anything about ISRG, and I can't find anything online about how to retrieve it |
First, check with To get the certificates:
After importing the certificates into the OS, check again with [A client program has to bring the root certificates itself, otherwise the whole chain of trust wouldn't work. The client program trusts those certificates and by trusting those, it trusts every certificate signed with one of those root certificates. If the root certificates were supplied by the server or if you had none, it would be like connecting to a server with a self-signed certificate because there's no pre-established trust. That's why |
Ah okay. I retrieved them and added them to the system as per https://manuals.gfi.com/en/kerio/connect/content/server-configuration/ssl-certificates/adding-trusted-root-certificates-to-the-server-1605.html , however the |
Can you paste the curl output here and run |
and
Doesn't look like get_default_verify_paths exists. I can't even check the |
|
Redone:
|
Upon further investigation with @aahlenst, we've ascertained that this probably can't be done properly. Python 2.6 doesn't support SNI, which is the issue when connecting with So, we have a few options, none of them great:
regarding option 2: Can the API provide a checksum of the archive that's being requested? If so, it could be assigned to a variable easily enough |
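Added example, not part of the original thread or the project's playbooks: the checksum idea raised in the comments above, written as Ansible tasks that pin a SHA-256 digest wherever certificate validation is switched off. `jdk_archive_url`, `jdk_archive_sha256` and the destination path are hypothetical names; the digest has to be obtained per release over a connection that does validate certificates.

```yaml
# Added example, not taken from the adoptopenjdk_install role.
# jdk_archive_url and jdk_archive_sha256 are hypothetical variables; the
# digest is supplied per release from a source retrieved over a validated
# connection (for example on the control node), never from the target host.
- name: Download JDK archive on CentOS 6 with a pinned SHA-256
  get_url:
    url: "{{ jdk_archive_url }}"
    dest: /tmp/jdk.tar.gz
    # get_url hashes the downloaded file and fails the task on a mismatch.
    # Pass a literal digest: a checksum URL fetched by this same host would
    # travel over the same unvalidated connection and prove nothing.
    checksum: "sha256:{{ jdk_archive_sha256 }}"
    validate_certs: no
    mode: "0644"
  when:
    - ansible_distribution == "CentOS"
    - ansible_distribution_major_version == "6"

# Every other platform keeps certificate validation on; the checksum is
# still checked, so the pin is exercised on all hosts and not only on the
# outlier.
- name: Download JDK archive elsewhere with normal validation
  get_url:
    url: "{{ jdk_archive_url }}"
    dest: /tmp/jdk.tar.gz
    checksum: "sha256:{{ jdk_archive_sha256 }}"
    validate_certs: yes
    mode: "0644"
  when: not (ansible_distribution == "CentOS" and ansible_distribution_major_version == "6")
```

With validation off, the pinned digest is the only integrity control left, so a task that runs without `jdk_archive_sha256` defined should be treated as a failure rather than given a default.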
Is it not possible to put Python2.7 in a different location on the machine and only use that with ansible? i.e. don't make it the default on the machine, therefore yum should be unaffected?
Does that work and validate the certificate (Seems unlikely if |
I've just built my own Python27 and pointed ansible at it after setting tarball is at https://ci.adoptopenjdk.net/userContent/usrlocalPython27.tar.xz if we can make use of it (Nothing special done to make it, just created from this source, then |
With that, did you run the whole playbook or just the adoptopenjdk_install role? If it's just the adoptopenjdk-install role, try running the Common role (or anything that uses Ansible's yum module). From my brief googling, |
The Common role can't easily be tested because it hits a
|
I think the latter, personally - seems cleaner and it's more obvious that it's done that way because CentOS6 is the outlier |
I have a branch doing that at https://github.com/Willsparker/openjdk-infrastructure/tree/centos6_Python and testing on VPC at https://ci.adoptopenjdk.net/job/VagrantPlaybookCheck/1062/ :-) |
Affecting both VPC and the CentOS6 GitHub Check:
https://ci.adoptopenjdk.net/job/VagrantPlaybookCheck/997/OS=CentOS6,label=vagrant/console
https://github.com/AdoptOpenJDK/openjdk-infrastructure/pull/1875/checks?check_run_id=1804893220
Missing install
Bug in ansible playbook
Request for new playbook addition
Details:
The issue is with adoptopenjdk_install: Apparently it's failing to validate the SSL Certificate for github-releases.githubusercontent.com. If all else fails, we can use validate_certs=False, but this is a last resort.