Your playbook says that the environment should contain an HTTPS_PROXY variable.
That is used by your get_url task.
One explanation is that your proxy does Man in the Middle (or SSLBump
in squid terms).
The error below is pretty clear about how to solve that.


Dick

On 9 November 2017 at 11:56, ManiGandan T <[email protected]> wrote:
> My main.yml is executing a task called dumb-init and we are getting "msg":
> "Failed to validate the SSL certificate for github.com:443. Make sure your
> managed systems have a valid CA certificate installed " error
>
> STEPS TO REPRODUCE
>
> Command used : sudo ansible-container --debug build
>
> Main.yml
>
> - name: Install dumb init
>   get_url:
>     url: https://github.com/Yelp/dumb-init/releases/download/v1.2.0/dumb-init_1.2.0_amd64
>     dest: /usr/bin/dumb-init
>     owner: root
>     group: root
>     mode: 0775
>   environment:
>     http_proxy: "http://xxx-proxy-out.xxx.com:8080"
>     https_proxy: "http://xxx-proxy-out.xxxx.com:8080"
>     HTTP_PROXY: "http://xxx-proxy-out.xxxx.com:8080"
>     HTTPS_PROXY: "http://xx-proxy-out.xxx.com:8080"
>
> Command used: sudo ansible-container --debug build
>
> Log:
> META: ran handlers
> TASK [node_container : Install dumb init]
> **************************************
> task path: /src/roles/node_container/tasks/main.yml:2
> Using module file
> /usr/lib/python2.7/site-packages/ansible/modules/net_tools/basics/get_url.py
> <6e2a9499e5b3dc4c4748b72955de0d3784a01489b93b3f0c03851fd697a54c98> ESTABLISH
> DOCKER CONNECTION FOR USER: root
> <6e2a9499e5b3dc4c4748b72955de0d3784a01489b93b3f0c03851fd697a54c98> EXEC
> ['/usr/local/bin/docker', 'exec', '-i',
> u'6e2a9499e5b3dc4c4748b72955de0d3784a01489b93b3f0c03851fd697a54c98',
> u'/bin/sh', '-c', u"/bin/sh -c 'echo ~ && sleep 0'"]
> <6e2a9499e5b3dc4c4748b72955de0d3784a01489b93b3f0c03851fd697a54c98> EXEC
> ['/usr/local/bin/docker', 'exec', '-i',
> u'6e2a9499e5b3dc4c4748b72955de0d3784a01489b93b3f0c03851fd697a54c98',
> u'/bin/sh', '-c', u'/bin/sh -c '( umask 77 && mkdir -p "echo
> /root/.ansible/tmp/ansible-tmp-1510211281.96-149794489024135" && echo
> ansible-tmp-1510211281.96-149794489024135="echo
> /root/.ansible/tmp/ansible-tmp-1510211281.96-149794489024135" ) && sleep
> 0'']
> <6e2a9499e5b3dc4c4748b72955de0d3784a01489b93b3f0c03851fd697a54c98> PUT
> /tmp/tmpUO7dPT TO
> /root/.ansible/tmp/ansible-tmp-1510211281.96-149794489024135/get_url.py
> <6e2a9499e5b3dc4c4748b72955de0d3784a01489b93b3f0c03851fd697a54c98> EXEC
> ['/usr/local/bin/docker', 'exec', '-i',
> u'6e2a9499e5b3dc4c4748b72955de0d3784a01489b93b3f0c03851fd697a54c98',
> u'/bin/sh', '-c', u"/bin/sh -c 'chmod u+x
> /root/.ansible/tmp/ansible-tmp-1510211281.96-149794489024135/
> /root/.ansible/tmp/ansible-tmp-1510211281.96-149794489024135/get_url.py &&
> sleep 0'"]
> <6e2a9499e5b3dc4c4748b72955de0d3784a01489b93b3f0c03851fd697a54c98> EXEC
> ['/usr/local/bin/docker', 'exec', '-i',
> u'6e2a9499e5b3dc4c4748b72955de0d3784a01489b93b3f0c03851fd697a54c98',
> u'/bin/sh', '-c', u'/bin/sh -c
> 'https_proxy=http://prod-proxy-out.xxx.com:8080
> http_proxy=http://prod-proxy-out.xxx.com:8080
> HTTPS_PROXY=http://prod-proxy-out.xxxx.com:8080
> HTTP_PROXY=http://prod-proxy-out.xxx.com:8080 /_usr/bin/python
> /root/.ansible/tmp/ansible-tmp-1510211281.96-149794489024135/get_url.py; rm
> -rf "/root/.ansible/tmp/ansible-tmp-1510211281.96-149794489024135/" >
> /dev/null 2>&1 && sleep 0'']
> The full traceback is:
> File "/tmp/ansible_eDZL6J/ansible_modlib.zip/ansible/module_utils/urls.py",
> line 1046, in fetch_url
> client_key=client_key, cookies=cookies)
> File "/tmp/ansible_eDZL6J/ansible_modlib.zip/ansible/module_utils/urls.py",
> line 953, in open_url
> r = urllib_request.urlopen(*urlopen_args)
> File "/_usr/lib/python2.7/urllib2.py", line 154, in urlopen
> return opener.open(url, data, timeout)
> File "/_usr/lib/python2.7/urllib2.py", line 427, in open
> req = meth(req)
> File "/tmp/ansible_eDZL6J/ansible_modlib.zip/ansible/module_utils/urls.py",
> line 765, in http_request
> build_ssl_validation_error(self.hostname, self.port, paths_checked, e)
> File "/tmp/ansible_eDZL6J/ansible_modlib.zip/ansible/module_utils/urls.py",
> line 591, in build_ssl_validation_error
> raise SSLValidationError(' '.join(msg) % (hostname, port, ", ".join(paths)))
> fatal: [ansible.node-container]: FAILED! => {
> "changed": false,
> "failed": true,
> "invocation": {
> "module_args": {
> "attributes": null,
> "backup": null,
> "checksum": "",
> "client_cert": null,
> "client_key": null,
> "content": null,
> "delimiter": null,
> "dest": "/usr/bin/dumb-init",
> "directory_mode": null,
> "follow": false,
> "force": false,
> "force_basic_auth": false,
> "group": "root",
> "headers": null,
> "http_agent": "ansible-httpget",
> "mode": 509,
> "owner": "root",
> "regexp": null,
> "remote_src": null,
> "selevel": null,
> "serole": null,
> "setype": null,
> "seuser": null,
> "sha256sum": "",
> "src": null,
> "timeout": 10,
> "tmp_dest": null,
> "unsafe_writes": null,
> "url":
> "https://github.com/Yelp/dumb-init/releases/download/v1.2.0/dumb-init_1.2.0_amd64",
> "url_password": null,
> "url_username": null,
> "use_proxy": true,
> "validate_certs": true
> }
> },
> "msg": "Failed to validate the SSL certificate for github.com:443. Make sure
> your managed systems have a valid CA certificate installed. You can use
> validate_certs=False if you do not need to confirm the servers identity but
> this is unsafe and not recommended. Paths checked for this platform:
> /etc/ssl/certs, /etc/pki/ca-trust/extracted/pem, /etc/pki/tls/certs,
> /usr/share/ca-certificates/cacert.org, /etc/ansible. The exception msg was:
> [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)."
> }
> to retry, use: --limit @/tmp/tmpAZLAaM/playbook.retry
> PLAY RECAP
> *********************************************************************
> ansible.node-container : ok=1 changed=0 unreachable=0 failed=1
> 2017-11-09T07:08:02.678075 Error applying role! [container.core]
> caller_file=/_ansible/container/core.py caller_func=apply_role_to_container
> caller_line=680 engine=<container.docker.engine.Engine object at
> 0x7f5b840bf710> exit_code=2 playbook=[{'hosts': u'ansible.node-container',
> 'roles': ['node_container'], 'vars': {}}]
> 2017-11-09T07:08:02.684010 Playbook run finished. [container.core]
> caller_file=/_ansible/container/core.py caller_func=conductorcmd_build
> caller_line=811 exit_code=2
> Traceback (most recent call last):
> File "/usr/bin/conductor", line 11, in
> load_entry_point('ansible-container', 'console_scripts', 'conductor')()
> File "/_ansible/container/init.py", line 19, in wrapped
> return fn(*args, **kwargs)
> File "/_ansible/container/cli.py", line 399, in conductor_commandline
> **params)
> File "/_ansible/container/init.py", line 19, in wrapped
> return fn(*args, **kwargs)
> File "/_ansible/container/core.py", line 813, in conductorcmd_build
> raise RuntimeError('Build failed.')
> RuntimeError: Build failed.
> Exception in thread Thread-2:
> Traceback (most recent call last):
> File "/usr/lib64/python2.7/threading.py", line 812, in __bootstrap_inner
> self.run()
> File "/usr/lib64/python2.7/threading.py", line 765, in run
> self.__target(*self.__args, **self.__kwargs)
> File "/usr/lib/python2.7/site-packages/container/utils/logmux.py", line 40,
> in produce
> for message in iterator:
> File "/usr/lib/python2.7/site-packages/docker/api/client.py", line 339, in
> _multiplexed_response_stream_helper
> header = response.raw.read(STREAM_HEADER_SIZE_BYTES)
> File "/usr/lib/python2.7/site-packages/urllib3/response.py", line 231, in
> read
> raise ProtocolError('Connection broken: %r' % e, e)
> ProtocolError: ('Connection broken: IncompleteRead(0 bytes read)',
> IncompleteRead(0 bytes read))
>
> 2017-11-09T07:08:02.876617 Could not connect to container host. Check your
> docker config [container.cli]
> caller_file=/usr/lib/python2.7/site-packages/container/cli.py
> caller_func=call caller_line=328
>
>
> Ansible version:
>
>
> Ansible Container, version 0.9.2
>
> --
> You received this message because you are subscribed to the Google Groups
> "Ansible Project" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To post to this group, send email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/ansible-project/cda7a6d1-b432-4394-ae12-5bd011d9bfb2%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.



-- 
Dick Visser
GÉANT

Want to join us? We're hiring: https://www.geant.org/jobs
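
An added example, not part of the original thread and not the posters' own playbook: assuming the proxy does intercept TLS as the reply suggests, these tasks first show which CA issued the certificate seen through the proxy, then install that CA in /etc/ssl/certs (one of the paths the error message lists as checked) and keep validate_certs enabled. The variables proxy_url and proxy_hostport, the file corp-proxy-ca.pem and the checksum value are assumptions or placeholders.

```yaml
# Added example. Assumed/hypothetical names: proxy_url (http://host:port),
# proxy_hostport (host:port), files/corp-proxy-ca.pem (the proxy's signing CA,
# obtained from whoever runs the proxy, not copied blindly from the handshake).

# Diagnostic: print the issuer of the certificate presented for github.com
# when going through the proxy. An issuer naming your own organisation instead
# of a public CA confirms interception. Needs an openssl build that supports
# s_client -proxy (OpenSSL 1.1.0 or later) inside the container.
- name: Show certificate issuer as seen through the proxy
  shell: >
    openssl s_client -proxy {{ proxy_hostport }}
    -connect github.com:443 -servername github.com </dev/null 2>/dev/null
    | openssl x509 -noout -issuer -subject
  register: seen_cert
  changed_when: false
  failed_when: false

- name: Report what was seen
  debug:
    var: seen_cert.stdout_lines

# Fix: trust the proxy CA explicitly rather than disabling validation.
- name: Install the proxy CA in a path the error message lists as checked
  copy:
    src: corp-proxy-ca.pem
    dest: /etc/ssl/certs/corp-proxy-ca.pem
    owner: root
    group: root
    mode: "0644"

# The download now passes through a proxy that can rewrite content, so pin the
# artifact itself. Replace the placeholder with the digest published for the
# release; get_url fails if the downloaded file does not match.
- name: Install dumb init
  get_url:
    url: https://github.com/Yelp/dumb-init/releases/download/v1.2.0/dumb-init_1.2.0_amd64
    dest: /usr/bin/dumb-init
    owner: root
    group: root
    mode: "0775"
    validate_certs: true
    checksum: "sha256:REPLACE_WITH_PUBLISHED_SHA256"
  environment:
    https_proxy: "{{ proxy_url }}"
    HTTPS_PROXY: "{{ proxy_url }}"
```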
