
FAQ for the Provisioner

Frequently Asked Questions... or rather common problems that people have hit.

How do I do a release PR?

Read this guide

Problem: boto3 missing

fatal: [localhost]: FAILED! => {"attempts": 1, "changed": false, "msg": "Python modules \"botocore\" or \"boto3\" are missing, please install both"}

OR

fatal: [localhost]: FAILED! => {"attempts": 1, "changed": false, "msg": "boto is required for this module"}

Solution:

pip install boto boto3

Problem: Unable to locate credentials

An exception occurred during task execution. To see the full traceback, use -vvv. The error was: NoCredentialsError: Unable to locate credentials
fatal: [localhost]: FAILED! => {"attempts": 1, "changed": false, "msg": "Failed to describe VPCs: Unable to locate credentials"}

Solution:

Set your Access Key ID and Secret Access Key under ~/.aws/credentials

[root@centos ~]# cat ~/.aws/credentials
[default]
aws_access_key_id = ABCDEFGHIJKLMNOP
aws_secret_access_key = ABCDEFGHIJKLMNOP/ABCDEFGHIJKLMNOP

Problem: wrong version of Ansible

TASK [make sure we are running correct Ansible Version] ********************************
fatal: [localhost]: FAILED! => {
    "assertion": "ansible_version.minor >= 6",
    "changed": false,
    "evaluated_to": false
}

Solution

Install 2.6 or later. For Tower make sure to use an RPM. You can download a nightly here: https://releases.ansible.com/ansible/rpm/nightly/devel/epel-7-x86_64/

Problem: Wrong version of boto3

make sure we are running correct boto version
py_cmd.stdout.startswith('1.7')

Solution

Install and/or upgrade boto3

pip install boto3 --upgrade

Are you using Tower? Make sure to set the umask before installing into the Tower virtualenv, as described in https://docs.ansible.com/ansible-tower/latest/html/upgrade-migration-guide/virtualenv.html

[user@centos ~]$ sudo -i
[root@centos ~]# source /var/lib/awx/venv/ansible/bin/activate
[root@centos ~]# umask 0022
[root@centos ~]# pip install --upgrade boto3
[root@centos ~]# deactivate

Problem: AWS Signature Failure

    "error": {
        "message": "Signature expired: 20180703T083815Z is now earlier than 20180703T152801Z (20180703T154301Z - 15 min.)",
        "code": "SignatureDoesNotMatch",
        "type": "Sender"

Solution

Ensure the system clock on your Ansible Tower or Ansible Engine server is correct (AWS rejects requests signed more than 15 minutes away from its own time).

Problem: Generic Tower Issue

There is some issue that does not happen on the command line, but manifests itself via the Ansible Tower Web GUI.

Solution

Red Hat Ansible Tower executes Ansible playbooks as the awx user. SSH to the control node and become the awx user:

[user@centos ~]$ sudo su - awx
-bash-4.2$

Ansible Tower also runs playbooks inside a Python virtual environment (a virtualenv). To mimic how Red Hat Ansible Tower executes playbooks you must activate that virtualenv as well:

-bash-4.2$ source /var/lib/awx/venv/ansible/bin/activate
(ansible) -bash-4.2$

Ansible Tower stores the project checkouts used by job templates under the projects folder in the awx home directory, located at /var/lib/awx/projects:

(ansible) -bash-4.2$ ls /var/lib/awx/projects

cd into the relevant project folder and execute the playbook from the command line. This runs the playbook exactly as Ansible Tower ran it and should surface an error or problem that was not visible in the Tower GUI.

Problem: Creating EC2 instances fails with an "OptInRequired" message

TASK [manage_ec2_instances : Create EC2 instances for rtr3 node (NETWORKING MODE)] ***
fatal: [localhost]: FAILED! => changed=false
  msg: 'Instance creation failed => OptInRequired: In order to use this AWS Marketplace product you need to accept terms and subscribe. To do so please visit https://aws.amazon.com/marketplace/pp?sku=bw54e0gl17zf0vxq54dttwvow'

Solution:

This typically happens the first time you use the device image (CSR/F5/vMX) in a given AWS account. Follow the link in the error output and accept the Terms and Conditions for that AWS Marketplace product, then re-run the provisioner.

Problem: F5 Workshop provisioner fails on mac

TASK [f5_setup : Install AS3] *******************************************************************************
fatal: [TESTWORKSHOP-student1-f5]: FAILED! => {"changed": false, "cmd": "rpm -qp --queryformat '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}' <ommited>/workshops/provisioner/roles/f5_setup/files/f5-appsvcs-3.4.0-2.noarch.rpm", "msg": "[Errno 2] No such file or directory", "rc": 2}

Solution:

$ brew install rpm

Problem: Windows workshop: MacOS breaking on a fork

objc[43678]: +[__NSPlaceholderDate initialize] may have been in progress in another thread when fork() was called. We cannot safely call it or ignore it in the fork() child process. Crashing instead. Set a breakpoint on objc_initializeAfterForkError to debug.

Solution:

$ export OBJC_DISABLE_INITIALIZE_FORK_SAFETY=YES

Problem: Unsupported parameters for (ec2_instance)

fatal: [localhost]: FAILED! => changed=false
  msg: 'Unsupported parameters for (ec2_instance) module: exact_count. Supported parameters include: image_id, launch_template, validate_certs, aws_access_key (access_key, ec2_access_key), instance_role, key_name, detailed_monitoring, security_token (access_token, aws_security_token), vpc_subnet_id (subnet_id), user_data, aws_secret_key (ec2_secret_key, secret_key), aws_ca_bundle, image, termination_protection, tower_callback, name, security_group, filters, tags, wait_timeout, debug_botocore_endpoint_logs, cpu_options, region (aws_region, ec2_region), profile (aws_profile), placement_group, network, instance_type, instance_ids, wait, ebs_optimized, aws_config, tenancy, availability_zone, instance_initiated_shutdown_behavior, volumes, state, cpu_credit_specification, ec2_url (aws_endpoint_url, endpoint_url), security_groups, purge_tags.'

Solution

Upgrade to the latest amazon.aws collection:

(feb21) ➜  provisioner git:(gh-pages) ✗ ansible-galaxy collection install amazon.aws --force
Starting galaxy collection install process
Process install dependency map
Starting collection install process
Downloading https://galaxy.ansible.com/download/amazon-aws-3.1.1.tar.gz to /Users/sean/.ansible/tmp/ansible-local-455329b9s_xbx/tmpg_s_guol/amazon-aws-3.1.1-6d_pudvk
Installing 'amazon.aws:3.1.1' to '/Users/sean/.ansible/collections/ansible_collections/amazon/aws'
amazon.aws:3.1.1 was installed successfully

Problem: Cisco SSH fails with PUBLICKEY_ACCEPTED_TYPES error in AAP / Execution Environments on RHEL 9

fatal: [rtr1]: FAILED! => {"changed": false, "msg": "ssh connection failed: Failed to authenticate public key: The key algorithm 'ssh-rsa' is not allowed to be used by PUBLICKEY_ACCEPTED_TYPES configuration option"}

This affects any Execution Environment built on a RHEL 9 base image (e.g. ee-supported-rhel9, ee-minimal-rhel9). Older network devices like Cisco IOS only support the ssh-rsa key algorithm, but RHEL 9's system-wide crypto policy blocks ssh-rsa at the OS level inside the container.

Why common fixes don't work: Setting ansible_libssh_publickey_algorithms, [libssh_connection] in ansible.cfg, or the ANSIBLE_LIBSSH_PUBLICKEY_ALGORITHMS environment variable will NOT fix this. The rejection happens in the system libssh C library which reads /etc/crypto-policies/back-ends/libssh.config — below the Ansible layer entirely.

Solution:

Add a custom crypto sub-policy to your execution-environment.yml that re-enables ssh-rsa for SSH only:

additional_build_steps:
    append_final:
        - RUN printf '[libssh]\npubkey_algorithms = +ssh-rsa\n[openssh]\nPubkeyAcceptedAlgorithms = +ssh-rsa\nHostKeyAlgorithms = +ssh-rsa\n' > /etc/crypto-policies/policies/modules/ANSIBLE-SSH-RSA.pmod && update-crypto-policies --set DEFAULT:ANSIBLE-SSH-RSA

Rebuild and push the EE image. You can verify the fix by checking:

podman run --rm <ee-image> cat /etc/crypto-policies/state/current
# Should show: DEFAULT:ANSIBLE-SSH-RSA

Note: Setting ansible_network_cli_ssh_type=paramiko on Cisco hosts can work as a temporary workaround since paramiko is pure Python and bypasses the system crypto policy, but it may cause credential injection issues in AAP.
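The sub-policy above deliberately weakens the image's crypto policy, so it is worth confirming that it only loosens the SSH back-ends and only for ssh-rsa. The following audit helper is an added example, not code from the workshop repository: it parses the INI-style module body exactly as written in the build step above (the `[section]` / `key = +value` layout shown on this page, not the full crypto-policies grammar), flags anything enabled outside the SSH scopes or beyond ssh-rsa, and splits the `state/current` line into base policy and sub-policies.

```python
"""Audit the ANSIBLE-SSH-RSA sub-policy and the crypto-policies state line.

Constructed sample input: the module body that the RUN step in
execution-environment.yml writes, and the expected state/current output.
"""
import re

# Constructed: the .pmod body from the build step on this page.
PMOD_TEXT = (
    "[libssh]\n"
    "pubkey_algorithms = +ssh-rsa\n"
    "[openssh]\n"
    "PubkeyAcceptedAlgorithms = +ssh-rsa\n"
    "HostKeyAlgorithms = +ssh-rsa\n"
)
# Constructed: what `cat /etc/crypto-policies/state/current` should print.
STATE_TEXT = "DEFAULT:ANSIBLE-SSH-RSA\n"

SSH_SCOPES = {"libssh", "openssh", "openssh-server"}  # back-ends we allow to change


def parse_pmod(text):
    """Return {scope: {option: [(op, value), ...]}}.

    op is '+' (append/enable), '-' (remove/disable) or '=' (set outright).
    Options before any [section] header land in scope '' (policy-wide)."""
    scope, result = "", {"": {}}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        header = re.fullmatch(r"\[([\w-]+)\]", line)
        if header:
            scope = header.group(1)
            result.setdefault(scope, {})
            continue
        key, _, value = line.partition("=")
        ops = [(t[0], t[1:]) if t[0] in "+-" else ("=", t) for t in value.split()]
        result[scope].setdefault(key.strip(), []).extend(ops)
    return result


def audit_pmod(text, allowed_scopes=SSH_SCOPES, allowed_enables=("ssh-rsa",)):
    """List findings: changes outside the SSH back-ends, or enabling anything but ssh-rsa."""
    findings = []
    for scope, options in parse_pmod(text).items():
        where = "policy-wide" if scope == "" else f"[{scope}]"
        for key, ops in options.items():
            for op, name in ops:
                if scope not in allowed_scopes:
                    findings.append(f"{where} {key} changed outside SSH scopes")
                elif op == "+" and name not in allowed_enables:
                    findings.append(f"{where} {key} re-enables {name}")
    return findings


def parse_state(text):
    """Split 'DEFAULT:ANSIBLE-SSH-RSA' into (base policy, [sub-policies])."""
    base, *subs = text.strip().split(":")
    return base, subs
```

Run `audit_pmod(PMOD_TEXT)` on the page's module: an empty list means the sub-policy touches only libssh/openssh and only re-enables ssh-rsa.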

Getting Help

Please file issues on GitHub. Please fill out all required information. Your issue will be closed if you skip required information in the GitHub issue template.
