Here is my .gitlab-ci.yml

variables:
  SITE: "site.yml"
  PLAYBOOKS: "playbooks/**/*.yml"
  ANSIBLE_CONFIG: "./ansible.cfg"

stages:
  - verify
  - deploy

before_script:
  - chmod 740 $CI_PROJECT_DIR
  - whoami
  - apt-get update -qy #update system
  - apt-get install python3.7 python3-apt python3-tango- -qy
  - update-alternatives --install /usr/bin/python python /usr/bin/python3.7 1
  - update-alternatives --set python /usr/bin/python3.7
  - python --version
  - mkdir ~/.ssh
  - chmod 700 ~/.ssh
  - eval "$(ssh-agent -s)"
  - cat $SSH_KNOWN_HOSTS | tr -d '\r' > ~/.ssh/known_hosts
  - cat $SSH_PRIVATE_KEY | tr -d '\r' | ssh-add -
  - apt-get install ansible ansible-lint -qy
  - git submodule update --init
  - ansible --version
  - ansible-lint --version
  - ansible-galaxy install -r requirements.yml
  - echo "$ANSIBLE_VAULT_PASSWORD" > ~/.ssh/infrastructure
  - cat ~/.ssh/infrastructure
  - ./setup.sh -c

ansible-verify:
  stage: verify
  script:
    - ansible-lint -v $SITE
    - ansible-lint -v $PLAYBOOKS
    - ansible-playbook --syntax-check $SITE
    - ansible-playbook --syntax-check $PLAYBOOKS -e target=servers

ansible-dry-run:
  stage: deploy
  script:
    - ansible-playbook --check $SITE -vvvv

ansible-apply:
  stage: deploy
  script:
    - ansible-playbook $SITE
  rules:
    - if: '$CI_COMMIT_BRANCH == "master"'



On Thursday, August 13, 2020 at 3:52:01 PM UTC+2 dick....@geant.org wrote:

> The problem might be in the way you invoke ansible-playbook in the gitlab CI.
> So, what does your .gitlab-ci.yml look like?
>
> On Thu, 13 Aug 2020 at 13:09, Papanito <papa...@wyssmann.com> wrote:
> >
> > I already checked https://docs.ansible.com/ansible/latest/user_guide/vault.html but I don't see where the problem is.
> >
> > I use a shared gitlab runner: https://docs.gitlab.com/ee/ci/runners/README.html
> >
> > Well, in the end it's a docker image, so do you think it is still a CI issue or can it be related to python/ansible versions?
> >
> > On Thursday, August 13, 2020 at 12:17:29 PM UTC+2 dick....@geant.org wrote:
> >>
> >> This seems to be a problem specific to your CI tool, so a logical
> >> place would be to consult the support channels of that CI tool
> >> (whichever it was - you didn't tell).
> >> Either way, how ansible-vault works is explained here:
> >> https://docs.ansible.com/ansible/latest/user_guide/vault.html.
> >> Fix your CI so that it uses ansible-vault using those instructions.
> >>
> >> On Thu, 13 Aug 2020 at 12:07, Papanito <papa...@wyssmann.com> wrote:
> >> >
> >> > Even though I explicitly set python3 as default, I still get the same error as mentioned. This is what I do on my ci-server
> >> >
> >> > - apt-get install python3.7 python3-apt -qy
> >> > - update-alternatives --install /usr/bin/python python /usr/bin/python3.7 1
> >> > - update-alternatives --set python /usr/bin/python3.7
> >> >
> >> > I can confirm that on my ci-server python 3.7 is installed as default
> >> >
> >> > python --version
> >> > Python 3.7.3
> >> > On Thursday, August 13, 2020 at 10:13:07 AM UTC+2 Papanito wrote:
> >> >>
> >> >> Ok got it, the ci-machine runs on python 2 whereas on my dev-machine I have python 3.
> >> >>
> >> >> On Thursday, August 13, 2020 at 9:35:59 AM UTC+2 Papanito wrote:
> >> >>>
> >> >>> I am using ansible 2.9.11 on my dev machine (arch linux) where I encrypted ./resources/cloudflare/cert.pem using ansible-vault with a password file. I have committed the file to source control.
> >> >>>
> >> >>> I can run the playbook without issues on my dev-machine, i.e. decryption works
> >> >>>
> >> >>> Now on my ci machine - which is running ubuntu and ansible 2.7.7 - the run of the playbook fails with
> >> >>>
> >> >>>
> >> >>> Tried to use the vault secret (default) to decrypt (/builds/papanito/infrastructure/resources/cloudflare/cert.pem) but it failed. Error: HMAC verification failed: Signature did not match digest.
> >> >>> fatal: [node003]: FAILED! => {
> >> >>> "msg": "Decryption failed (no vault secrets were found that could decrypt) on /builds/papanito/infrastructure/resources/cloudflare/cert.pem"
> >> >>>
> >> >>> I can confirm that I have the password-file on the ci-machine and the password in it is correct. So what's going on here? Why does decryption not work?
> >> >
> >> > --
> >> > You received this message because you are subscribed to the Google Groups "Ansible Project" group.
> >> > To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
> >> > To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/1f3fc51e-4e93-4b16-9233-099274f6e1c5n%40googlegroups.com.
> >>
> >>
> >>
> >> --
> >> Dick Visser
> >> Trust & Identity Service Operations Manager
> >> GÉANT
> >
>
>
>
> -- 
> Dick Visser
> Trust & Identity Service Operations Manager
> GÉANT
>
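
Added example (not part of the original thread and not Ansible's own code): a standalone check of the step that produces "HMAC verification failed" in the error above. It recomputes the HMAC over a vault file's ciphertext for a candidate password. The function names, the sample password and the sample vault text are constructed for illustration.

```python
import hashlib
import hmac
from binascii import hexlify, unhexlify


def hmac_key(password: bytes, salt: bytes) -> bytes:
    # Vault AES256 KDF: PBKDF2-HMAC-SHA256, 10000 rounds, 80 bytes laid out as
    # 32-byte AES key | 32-byte HMAC key | 16-byte IV. Only the HMAC key is used.
    return hashlib.pbkdf2_hmac("sha256", password, salt, 10000, dklen=80)[32:64]


def parse_vault(text: bytes):
    """Split a vault file into (salt, stored_hmac, ciphertext)."""
    header, *body = text.strip().splitlines()
    fields = header.split(b";")
    if fields[0] != b"$ANSIBLE_VAULT" or len(fields) < 3 or fields[2] != b"AES256":
        raise ValueError("not an AES256 ansible-vault file")
    # The body is hex of "hex(salt)\nhex(hmac)\nhex(ciphertext)".
    inner = unhexlify(b"".join(line.strip() for line in body))
    salt, mac, ciphertext = (unhexlify(part) for part in inner.split(b"\n", 2))
    return salt, mac, ciphertext


def password_matches(vault_text: bytes, password_file_content: bytes) -> bool:
    """True if this password would pass the HMAC check for vault_text."""
    password = password_file_content.strip()  # Ansible strips password files too
    salt, mac, ciphertext = parse_vault(vault_text)
    digest = hmac.new(hmac_key(password, salt), ciphertext, hashlib.sha256).digest()
    return hmac.compare_digest(digest, mac)


def build_sample(password: bytes) -> bytes:
    # Constructed sample: fixed salt and stand-in bytes instead of real AES-CTR
    # output, which is enough here because the HMAC covers only the ciphertext.
    salt, ciphertext = bytes(range(32)), b"constructed stand-in ciphertext"
    mac = hmac.new(hmac_key(password, salt), ciphertext, hashlib.sha256).digest()
    inner = hexlify(b"\n".join([hexlify(salt), hexlify(mac), hexlify(ciphertext)]))
    wrapped = [inner[i:i + 80] for i in range(0, len(inner), 80)]
    return b"\n".join([b"$ANSIBLE_VAULT;1.1;AES256"] + wrapped) + b"\n"


if __name__ == "__main__":
    sample = build_sample(b"example-password")  # constructed password
    # Constructed candidates: right value, a path instead of a value, wrong case.
    for candidate in (b"example-password\n", b"/tmp/constructed/VAULT_PASSWORD", b"Example-password"):
        print(candidate, password_matches(sample, candidate))
```

Run against the real cert.pem and the bytes of the password file on the runner, this gives a yes/no answer without writing the vault password into the job log the way `cat ~/.ssh/infrastructure` does.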
