AIX Open Source


Ansible setup on AIX

  • 1.  Ansible setup on AIX

    Posted Mon March 06, 2023 09:40 AM

    Hi Team,

    I am trying to set up ansible on AIX, so we have installed ansible and python on AIX servers. On the clients, one of the servers has python2 and the other has python3.

    I am not sure how python2 was installed; it seems it was installed manually, together with all its dependencies, with the rpm command.

    Python3 was installed with the dnf install command, so everything was installed automatically and updated. The python3 client is not working because its links point to another directory, but python2, which has links in the /usr/bin/ directory, is working fine. So I am not sure which is the correct way of doing this setup.

    Would you please help?

    Working client ->

    root@dsmppa003t:/opt/freeware/bin# ls -ltr /usr/bin/python*
    lrwxrwxrwx    1 root     system           35 Aug 25 08:38 /usr/bin/python2.7_64 -> ../../opt/freeware/bin/python2.7_64
    lrwxrwxrwx    1 root     system           39 Aug 25 08:38 /usr/bin/python2.7-config -> ../../opt/freeware/bin/python2.7-config
    lrwxrwxrwx    1 root     system           32 Aug 25 08:38 /usr/bin/python2.7 -> ../../opt/freeware/bin/python2.7
    lrwxrwxrwx    1 root     system           37 Aug 25 08:38 /usr/bin/python2-config -> ../../opt/freeware/bin/python2-config
    lrwxrwxrwx    1 root     system           30 Aug 25 08:38 /usr/bin/python2 -> ../../opt/freeware/bin/python2
    lrwxrwxrwx    1 root     system           36 Aug 25 08:38 /usr/bin/python-config -> ../../opt/freeware/bin/python-config
    lrwxrwxrwx    1 root     system           29 Aug 25 08:38 /usr/bin/python -> ../../opt/freeware/bin/python
    lrwxrwxrwx    1 root     system           39 Aug 25 08:38 /usr/bin/python_64-config -> ../../opt/freeware/bin/python_64-config
    lrwxrwxrwx    1 root     system           32 Aug 25 08:38 /usr/bin/python_64 -> ../../opt/freeware/bin/python_64
    lrwxrwxrwx    1 root     system           40 Aug 25 08:38 /usr/bin/python2_64-config -> ../../opt/freeware/bin/python2_64-config
    lrwxrwxrwx    1 root     system           33 Aug 25 08:38 /usr/bin/python2_64 -> ../../opt/freeware/bin/python2_64
    lrwxrwxrwx    1 root     system           42 Aug 25 08:38 /usr/bin/python2.7_64-config -> ../../opt/freeware/bin/python2.7_64-config

    Non-working client ->

    root@dsmppa001s:/opt/freeware/bin#
    lrwxrwxrwx    1 root     system           10 Jan 09 08:09 python3 -> python3_64
    lrwxrwxrwx    1 root     system           12 Jan 09 08:09 python3.7 -> python3.7_64
    lrwxrwxrwx    1 root     system           13 Jan 09 08:09 python3.7_32 -> python3.7m_32
    lrwxrwxrwx    1 root     system           13 Jan 09 08:09 python3.7_64 -> python3.7m_64
    lrwxrwxrwx    1 root     system           13 Jan 09 08:09 python3.7m -> python3.7m_64
    lrwxrwxrwx    1 root     system           12 Jan 09 08:09 python3_32 -> python3.7_32
    lrwxrwxrwx    1 root     system           12 Jan 09 08:09 python3_64 -> python3.7_64
    lrwxrwxrwx    1 root     system           13 Jan 09 08:09 pyvenv-3.7 -> pyvenv-3.7_64
    lrwxrwxrwx    1 root     system            9 Jan 09 08:09 pyvenv -> pyvenv_64



    ------------------------------
    Manoj Kumar
    ------------------------------


  • 2.  RE: Ansible setup on AIX

    Posted Mon March 06, 2023 10:27 AM

    I suggest not using python2 anymore.

    Python2 is out of support.

    One thing I can think of: if your module looks for /usr/bin/python, then it will find it for python2 installed on AIX.

    AIX toolbox python2 delivers the /usr/bin/python link.

    So if that is the case, then you need to set the correct python in your module for python3 or create a symlink in your AIX.

    But please be careful when creating the symlink not to break existing code.

     

    Thanks,

     

    Sanket Rathi

     






  • 3.  RE: Ansible setup on AIX

    Posted Tue March 07, 2023 03:12 AM

    Hi Manoj,

    Ansible looks for python interpreter in /usr/bin/python. Old RPM packages created a symlink in /usr/bin for python binaries. New RPM packages don't do it anymore. Because you didn't provide any error message, I can suppose that this is the reason for your failure - the failing server doesn't have /usr/bin/python.

    The choices you have:

    • create symlinks in /usr/bin. I wouldn't recommend unless you know what you're doing.
    • add a variable ansible_python_interpreter: /opt/freeware/bin/python3 in your playbooks. This is my favourite way of solving the problem.
    • add a global configuration interpreter_python = /opt/freeware/bin/python3 in /opt/freeware/etc/ansible/ansible.cfg on your Ansible controller node.

    You can read more about Python discovery in Ansible here: https://docs.ansible.com/ansible/latest/reference_appendices/interpreter_discovery.html



    ------------------------------
    Andrey Klyachkin

    https://www.power-devops.com
    ------------------------------



  • 4.  RE: Ansible setup on AIX

    Posted Thu March 09, 2023 05:13 AM

    Thanks Andrey for the update, we are checking this.



    ------------------------------
    Manoj Kumar
    ------------------------------



  • 5.  RE: Ansible setup on AIX

    Posted Mon March 13, 2023 08:07 AM

    Hello Andrey,

    I tried to update ansible.cfg with the content below, but I am still getting the same error. Can you please check whether the added variable is correct or not? Is there anything else we need to do?

    This is my ansible.cfg file. In lieu of discovered_interpreter_python I used ansible_python_interpreter, but got the same issue. I also tried to use this: ansible_python_interpreter: /opt/freeware/bin/python3

     cat ansible.cfg
    [defaults]
    inventory=/home/automation/ansible/systemfiles/inventory
    log_path=/home/automation/ansible/systemfiles/ansible_logs
    discovered_interpreter_python=/opt/freeware/bin/python3
    forks=10
    interpreter_python=auto_silent

    [privilege_escalation]
    become=true
    become_user=root
    become_method=sudo



    ------------------------------
    Manoj Kumar
    ------------------------------



  • 6.  RE: Ansible setup on AIX

    Posted Mon March 13, 2023 09:54 AM

    You can do "ansible-config dump | grep -i interpreter" and share the output here. 



    ------------------------------
    Ayappan P
    ------------------------------



  • 7.  RE: Ansible setup on AIX

    Posted Tue March 14, 2023 05:27 PM

    I think right now you need a Red Hat Linux server with Ansible first; then from this you can use Ansible playbooks on the AIX client. Is this what you are doing, and do you have the problem on the AIX server?






  • 8.  RE: Ansible setup on AIX

    Posted Thu March 16, 2023 12:23 PM

    Yes, we used the ansible controller node on Linux and tried to run commands on AIX. Now it is working after Andrey's recommendation.



    ------------------------------
    Manoj Kumar
    ------------------------------



  • 9.  RE: Ansible setup on AIX

    Posted Tue March 14, 2023 05:40 PM

    Hello Manoj,

    please try:

    interpreter_python = /opt/freeware/bin/python3

    instead of discovered_interpreter_python=/opt/freeware/bin/python3



    ------------------------------
    Andrey Klyachkin

    https://www.power-devops.com
    ------------------------------
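
Added example, not part of any post in this thread: a shell check for the key mix-up discussed in posts 5 and 9. It reads an ansible.cfg on stdin, reports the interpreter_python value set in [defaults], and flags discovered_interpreter_python and ansible_python_interpreter, which are a discovered fact and an inventory/playbook variable rather than ansible.cfg settings. The function names are hypothetical; the embedded sample is the file shown in post 5.

```shell
#!/bin/sh
# Added example, not from the thread. check_interpreter_cfg and sample_cfg
# are hypothetical helper names.

# Read an ansible.cfg on stdin. Print one line per [defaults] key that looks
# like an interpreter setting but is not an ansible.cfg setting, then the
# value of interpreter_python that [defaults] really sets.
check_interpreter_cfg() {
    awk '
    { line = $0; sub(/^[ \t]+/, "", line); sub(/[ \t\r]+$/, "", line) }
    line == "" || line ~ /^[#;]/ { next }     # blank line or comment
    line ~ /^\[.*\]$/ { section = substr(line, 2, length(line) - 2); next }
    section == "defaults" && match(line, /[=:]/) {
        key = substr(line, 1, RSTART - 1)
        val = substr(line, RSTART + 1)
        sub(/[ \t]+$/, "", key); sub(/^[ \t]+/, "", val)
        if (key == "interpreter_python") {
            effective = val                   # the real ansible.cfg setting
        } else if (key == "discovered_interpreter_python" ||
                   key == "ansible_python_interpreter") {
            print "not-a-cfg-key " key "=" val
        }
    }
    END {
        print "effective interpreter_python=" (effective == "" ? "<unset>" : effective)
    }'
}

# Sample input: the ansible.cfg from post 5 of this thread.
sample_cfg() {
    cat <<'EOF'
[defaults]
inventory=/home/automation/ansible/systemfiles/inventory
log_path=/home/automation/ansible/systemfiles/ansible_logs
discovered_interpreter_python=/opt/freeware/bin/python3
forks=10
interpreter_python=auto_silent

[privilege_escalation]
become=true
become_user=root
become_method=sudo
EOF
}

sample_cfg | check_interpreter_cfg
```

On the controller, run it as `check_interpreter_cfg < ansible.cfg` and compare the result with the output of `ansible-config dump | grep -i interpreter` suggested in post 6.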



  • 10.  RE: Ansible setup on AIX

    Posted Thu March 16, 2023 12:22 PM

    Thanks Andrey, it is working now. I really appreciate working with all of you guys.

    As a further addition to that: in this scenario we have a Linux controller node, and the agents are both AIX and Linux. But if we use an AIX controller node, how can we set up the same thing? We have installed ansible with python3 on one of the AIX nodes. We used the same dnf method to install all packages. Now when we run the ansible -m ping all command, it gives the error below.

    root@server3:/# ansible -m ping all
    Server1 | UNREACHABLE! => {
        "changed": false,
        "msg": "Failed to connect to the host via ssh: root@server1: Permission denied (publickey,password,keyboard-interactive).",
        "unreachable": true
    }
    server2 | UNREACHABLE! => {
        "changed": false,
        "msg": "Failed to connect to the host via ssh: root@server2: Permission denied (publickey,password,keyboard-interactive).",
        "unreachable": true
    }
    localhost | SUCCESS => {
        "changed": false,
        "ping": "pong"
    }
    server3| SUCCESS => {
        "changed": false,
        "ping": "pong"
    }



    ------------------------------
    Manoj Kumar
    ------------------------------



  • 11.  RE: Ansible setup on AIX

    Posted Fri March 17, 2023 04:51 AM

    Glad to hear that it works.

    As @Stephen Ulmer wrote, if you have different classes of clients with different paths to python, it is better to define path to python in inventory or in playbooks. You have two different classes - Linux boxes and AIX boxes. Your inventory could look like:

    linux1 ansible_python_interpreter=/usr/bin/python3
    linux2 ansible_python_interpreter=/usr/bin/python3
    aix1 ansible_python_interpreter=/opt/freeware/bin/python3
    aix2 ansible_python_interpreter=/opt/freeware/bin/python3

    Your error "Failed to connect to the host via ssh: root@server2: Permission denied (publickey,password,keyboard-interactive)." usually means that you didn't exchange SSH keys between your Ansible controller node and the managed node (server2).

    Try to execute on the Ansible controller node:

    ssh-copy-id root@server2

     

    It will copy your public key (if you have it) from the Ansible controller node to the managed node server2.



    ------------------------------
    Andrey Klyachkin

    https://www.power-devops.com
    ------------------------------



  • 12.  RE: Ansible setup on AIX

    Posted Fri March 17, 2023 11:39 AM

    Thanks Andrey, we got to know that the Ansible controller node can't be set up on AIX; it has to be Linux only. So we will be working on it.



    ------------------------------
    Manoj Kumar
    ------------------------------



  • 13.  RE: Ansible setup on AIX

    Posted Fri March 17, 2023 02:41 PM

    Just in case you haven't run across it yet, you will need a helper program called sshpass if you want to use Ansible with ssh password authentication.

    It is much better to use ssh keys, but sometimes you may need to use a password during bootstrapping of Ansible on the node.

    -- 
    Stephen Ulmer

    Sent from a mobile device; please excuse auto-correct silliness.





  • 14.  RE: Ansible setup on AIX

    Posted Fri March 17, 2023 09:44 AM

    Right now there is no AIX controller node for Ansible, only a Linux OS controller node. You use AIX as a client of the Ansible controller on Linux OS, that is all. An AIX Ansible controller will not work.






  • 15.  RE: Ansible setup on AIX

    Posted Thu April 06, 2023 03:32 AM

    Hello Team,

    One thing we would like to know: when we run ./dnf_aixtoolbox.sh, it gives the 3 options (flags) below for installation. Which method would you prefer to use? We have to install across the AIX servers.

    And how can we remediate any future vulnerability or update related to ansible on AIX?

    Usage: dnf_aixtoolbox.sh <-d> <-y> <-n> -?
     
          -d    Install and setup dnf if yum is not installed.
                yum command will not be available only dnf command can be used.
          -y    Installs dnf, and updates yum3 to dnf yum4 if yum3 is installed.
                If no yum3 is installed then dnf and yum4 will be installed.
                yum command will also be available along with dnf.
          -n    Install dnf where both yum and dnf can coexist if yum is installed already.
                This is not a recommended option.



    ------------------------------
    Manoj Kumar
    ------------------------------



  • 16.  RE: Ansible setup on AIX

    Posted Thu April 06, 2023 04:25 AM

    Hi Manoj,

    I personally almost always use -y. I like to have a compatibility layer to yum. In many documents and presentations you can still find references to yum, and it is easier for me if I have the yum command as an alias to dnf. Red Hat Enterprise Linux does the same: there you have both yum and dnf commands.

    Regarding updates of Ansible on AIX. I use Ansible from AIX Toolbox. It means if there is a new version of Ansible available, I can always update it using either:

    dnf -y update


    or Ansible itself:

    - hosts: all
      gather_facts: no
      vars:
        ansible_python_interpreter: /opt/freeware/bin/python3
    
      tasks:
      - name: update all packages
        dnf:
          name: '*'
          state: latest
    

    ansible-playbook -c local -i localhost, dnf-update.yml


    I hope IBM will publish a new Ansible version if there are vulnerabilities in the existing one ;-)



    ------------------------------
    Andrey Klyachkin

    https://www.power-devops.com
    ------------------------------



  • 17.  RE: Ansible setup on AIX

    Posted Thu April 06, 2023 08:41 AM

    Thanks Andrey for the update.



    ------------------------------
    Manoj Kumar
    ------------------------------



  • 18.  RE: Ansible setup on AIX

    Posted Mon March 13, 2023 08:52 AM

    One thing I would like to add: the controlled node here is Linux.



    ------------------------------
    Manoj Kumar
    ------------------------------



  • 19.  RE: Ansible setup on AIX

    Posted Mon March 13, 2023 10:30 AM

    Okay, please be very specific about where you are invoking ansible, and what you are managing...

    ansible.cfg mostly configures things on the control/management node. If you have different interpreter paths on different classes of managed nodes, you should change those paths by setting variables in the inventory.

    -- 
    Stephen L. Ulmer
    Enterprise Architect
    Mainline Information Systems






  • 20.  RE: Ansible setup on AIX

    Posted Wed May 10, 2023 12:17 PM

    We installed python on a few servers and it is working fine on those few servers, but today, when we tried to install it on 2 or more servers, it's not working.

    The method which we used for installation on AIX:
    First download the dnf script and copy it to the client.
    Then run ./dnf_aixtoolbox.sh -d from the client.
    After that command executed successfully, we updated the packages to the latest level with the ./dnf update command.
    Copy the controller node public key into the client authorized keys.

    After that I tried to run ansible -m ping all, but it gives the error below. Could you please suggest what the next steps are?

    [root@hld10297 AIX]# ansible -m ping all
    dsmjca71img | UNREACHABLE! => {
        "changed": false,
        "msg": "Failed to connect to the host via ssh: Shared connection to dsmjca71img closed.",
        "unreachable": true
    }
    [root@hld10297 AIX]# cat inventory
    dsmjca71img
    [root@hld10297 AIX]# cat ansible.cfg
    [defaults]
    inventory=/home/automation/ansible/AIX/inventory
    log_path=/home/automation/ansible/AIX/ansible_logs
    interpreter_python=/opt/freeware/bin/python3
    forks=10
    #interpreter_python=auto_silent
     
    [privilege_escalation]
    become=true
    become_user=root
    become_method=sudo




    Regards
    Manoj




    ------------------------------
    Manoj Kumar
    ------------------------------



  • 21.  RE: Ansible setup on AIX

    Posted Wed May 10, 2023 12:46 PM

    Do ping test from ansible to client – from OS only (if redhat linux to AIX client with ansible)

    Do traceroute from ansible to client

     

    If both work, then the problem is somewhere else.






  • 22.  RE: Ansible setup on AIX

    Posted Thu May 11, 2023 02:10 AM

    Hi!

    dsmjca71img | UNREACHABLE! => {
        "changed": false,
        "msg": "Failed to connect to the host via ssh: Shared connection to dsmjca71img closed.",
        "unreachable": true
    }

    The first thing I would investigate is whether you actually connect to that host via ssh without a password.


    Best regards,
      Alexander



    ------------------------------
    Alexander Reichle-Schmehl
    ------------------------------



  • 23.  RE: Ansible setup on AIX

    Posted Fri May 12, 2023 02:59 AM

    Hi again!

    From your reply I gather that ping as well as ssh works without problems.

    Then I would suggest checking whether your configured python interpreter works, and then whether your become method "sudo" works.

    So, from your ansible host, first try to log in via ssh:
    ssh dsmjca71img
    Then try to start the python interpreter you configured. It should look similar to:
    root@dsmjca71img:/root # /opt/freeware/bin/python3
    Python 3.7.9 (default, Mar 30 2021, 00:48:16) 
    [GCC 8.3.0] on aix7
    Type "help", "copyright", "credits" or "license" for more information.
    >>> 

    And if that works, try to run sudo, as you configured that as your become method. For example by running sudo -l:
    root@dsmjca71img:/root # sudo -l
    User root may run the following commands on dsmjca71img:
        (ALL) NOPASSWD: ALL

    Note:  I don't think you require a become method, if you connect as root anyway. But as you have it configured, I guess it might cause the above failure.


    If ssh, python and sudo work, your ansible should work.  If it still doesn't work, I'm running out of ideas as to what might be the problem.


    Best regards,
      Alexander





    ------------------------------
    Alexander Reichle-Schmehl
    ------------------------------



  • 24.  RE: Ansible setup on AIX

    Posted Fri May 12, 2023 07:06 AM

    Hi Manoj,

    I don't know why your replies don't show up here, so I'm taking the liberty to copy and paste this from your e-mail:

    But this is the cause of your ansible error:

    root@dsmjcanim01:/# oslevel -s
    7200-05-05-2246
    root@dsmjcanim01:/# ls -ld /opt/freeware/bin/python3
    lrwxrwxrwx    1 root     system           10 May 10 10:28 /opt/freeware/bin/python3 -> python3_64
    root@dsmjcanim01:/# /opt/freeware/bin/python3
    exec(): 0509-036 Cannot load program /opt/freeware/bin/python3 because of the following errors:
            0509-130 Symbol resolution failed for /opt/freeware/lib64/libpython3.7m.so because:
            0509-136   Symbol _GLOBAL__AIXI_libintl_so (number 4) is not exported from
                       dependent module /usr/lib/libintl.a[libintl.so.8].
            0509-136   Symbol _GLOBAL__AIXD_libintl_so (number 5) is not exported from
                       dependent module /usr/lib/libintl.a[libintl.so.8].
            0509-192 Examine .loader section symbols with the
                     'dump -Tv' command.

    The python installation on your client is not working properly.  I recommend that you post your remaining message about the installed python packages here as well, as we are now reaching areas of packaging and shared libraries, where I can't help you much.


    Best regards,
      Alexander





    ------------------------------
    Alexander Reichle-Schmehl
    ------------------------------



  • 25.  RE: Ansible setup on AIX

    Posted Fri May 12, 2023 07:37 AM

    On this server we found that LIBPATH was set, which we commented out in the environment file. Now that server looks good. But we have issues on other servers as well. This time sudo -l is not working.

    The output is given below. On all 3 servers we get the same error when we run the sudo -l command.

    root@dsmjca71img:/# /opt/freeware/bin/python3
    Python 3.7.15 (default, Dec 15 2022, 03:08:16)
    [GCC 8.3.0] on aix7
    Type "help", "copyright", "credits" or "license" for more information.
    >>> exit()
    root@dsmjca71img:/# sudo -l
    exec(): 0509-036 Cannot load program sudo because of the following errors:
            0509-022 Cannot load module /opt/freeware/libexec/sudo/libsudo_util.a(libsudo_util.so.0).
            0509-150   Dependent module /usr/lib/libcrypto.a(libcrypto.so.1.1) could not be loaded.
            0509-152   Member libcrypto.so.1.1 is not found in archive
            0509-022 Cannot load module sudo_32.
            0509-150   Dependent module /opt/freeware/libexec/sudo/libsudo_util.a(libsudo_util.so.0) could not be loaded.
            0509-022 Cannot load module .



    ------------------------------
    Manoj Kumar
    ------------------------------



  • 26.  RE: Ansible setup on AIX

    Posted Fri May 12, 2023 07:47 AM

    Hi!

    Glad to hear, that you fixed the python problem.  Regarding sudo:  As you connect directly as root, you don't actually require it anyway.  So to fix your ansible problem entirely, you could simply disable using sudo at all.

    So if you go back to your ansible configuration and change this:

    [privilege_escalation]
    become=true
    become_user=root
    become_method=sudo



    to this:

    [privilege_escalation]
    become=false

    It should work.

    Personally I prefer to set become at the playbook level for the tasks actually requiring it.  As we have personal users and not all tasks require root privileges, I think it's slightly more elegant.


    Best regards,
      Alexander




    ------------------------------
    Alexander Reichle-Schmehl
    ------------------------------



  • 27.  RE: Ansible setup on AIX

    Posted Fri May 12, 2023 07:50 AM

    Please check which OpenSSL version you have and update it to at least OpenSSL 1.1.1.



    ------------------------------
    Andrey Klyachkin

    https://www.power-devops.com
    ------------------------------



  • 28.  RE: Ansible setup on AIX

    Posted Thu May 11, 2023 01:13 PM

    Are the previous and new servers on the same level of AIX?

    What is the AIX level of the working and the non-working server?

     

    Thanks,

     

    Sanket Rathi

     






  • 29.  RE: Ansible setup on AIX

    Posted Fri May 12, 2023 06:30 AM
    Edited by Andrey Klyachkin Fri May 12, 2023 06:30 AM

    Hi Manoj,

    the message you've posted may have a lot of different causes. Can you re-run your command with '-vvv' at the end and post the output? It will be a lot of text with different commands and maybe some error messages.

    ansible -m ping dsmjca71img -vvv



    ------------------------------
    Andrey Klyachkin

    https://www.power-devops.com
    ------------------------------



  • 30.  RE: Ansible setup on AIX

    Posted Fri May 12, 2023 06:37 AM

    Please find the output below.

    [root@hld10297 AIX]# ansible -m ping dsmjca71img -vvv
    ansible [core 2.13.3]
      config file = /home/automation/ansible/AIX/ansible.cfg
      configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
      ansible python module location = /usr/lib/python3.9/site-packages/ansible
      ansible collection location = /root/.ansible/collections:/usr/share/ansible/collections
      executable location = /usr/bin/ansible
      python version = 3.9.13 (main, Nov  9 2022, 13:16:24) [GCC 8.5.0 20210514 (Red Hat 8.5.0-15)]
      jinja version = 3.1.2
      libyaml = True
    Using /home/automation/ansible/AIX/ansible.cfg as config file
    host_list declined parsing /home/automation/ansible/AIX/inventory as it did not pass its verify_file() method
    script declined parsing /home/automation/ansible/AIX/inventory as it did not pass its verify_file() method
    auto declined parsing /home/automation/ansible/AIX/inventory as it did not pass its verify_file() method
    Parsed /home/automation/ansible/AIX/inventory inventory source with ini plugin
    [WARNING]: Could not match supplied host pattern, ignoring: dsmjca71img
    [WARNING]: No hosts matched, nothing to do
    Skipping callback 'default', as we already have a stdout callback.
    Skipping callback 'minimal', as we already have a stdout callback.
    Skipping callback 'oneline', as we already have a stdout callback.





    ------------------------------
    Manoj Kumar
    ------------------------------



  • 31.  RE: Ansible setup on AIX

    Posted Fri May 12, 2023 07:52 AM

    Unfortunately, it is not the complete output. But anyway we don't need it anymore, if you've found that the problem was because of LIBPATH variable.



    ------------------------------
    Andrey Klyachkin

    https://www.power-devops.com
    ------------------------------



  • 32.  RE: Ansible setup on AIX

    Posted Fri May 12, 2023 08:07 AM

    Hi Andrey,

    The LIBPATH variable issue was only on one server, which was fixed, but we still have 3 servers where we have the sudo -l issue.

    The output was already pasted in the group. So now we need to fix that issue on those 3 servers. If we fix that, then we should be good to run ansible. We have the openssl version given below on all servers.

    As recommended by Alexander, we have removed become root from the ansible.cfg script and it works on all servers. But as of now we have to fix the sudo -l issue on all 3 servers.

      openssl.base            1.0.2.2105  COMMITTED  Open Secure Socket Layer



    ------------------------------
    Manoj Kumar
    ------------------------------



  • 33.  RE: Ansible setup on AIX

    Posted Fri May 12, 2023 08:50 AM

    Your OpenSSL is too old. Update it to OpenSSL 1.1.1 and it will work.



    ------------------------------
    Andrey Klyachkin

    https://www.power-devops.com
    ------------------------------



  • 34.  RE: Ansible setup on AIX

    Posted Fri May 12, 2023 09:18 AM

    Hi Andrey,

    But all servers in our environment have the same openssl and it is working fine on the rest of the servers apart from these 3 servers. Is it something related to library or path?

    working server
    root@dsmjca001s:/# ssh -V
    OpenSSH_8.1p1, OpenSSL 1.0.2u  20 Dec 2019
    root@dsmjca001s:/# lslpp -l|grep -i openss
      openssh.base.client   8.1.102.2106  COMMITTED  Open Secure Shell Commands
      openssh.base.server   8.1.102.2106  COMMITTED  Open Secure Shell Server
      openssh.license       8.1.102.2106  COMMITTED  Open Secure Shell License
      openssh.man.en_US     8.1.102.2106  COMMITTED  Open Secure Shell
      openssh.msg.EN_US     8.1.102.2106  COMMITTED  Open Secure Shell Messages -
      openssh.msg.en_US     8.1.102.2106  COMMITTED  Open Secure Shell Messages -
      openssl.base            1.0.2.2105  COMMITTED  Open Secure Socket Layer
      openssl.license         1.0.2.2105  COMMITTED  Open Secure Socket License
      openssl.man.en_US       1.0.2.2105  COMMITTED  Open Secure Socket Layer
      openssh.base.client   8.1.102.2106  COMMITTED  Open Secure Shell Commands
      openssh.base.server   8.1.102.2106  COMMITTED  Open Secure Shell Server
      openssl.base            1.0.2.2105  COMMITTED  Open Secure Socket Layer

    Non-working server.
    root@dsmjca71img:/# ssh -V
    OpenSSH_8.1p1, OpenSSL 1.0.2u  20 Dec 2019
    root@dsmjca71img:/# lslpp -l|grep -i openss
      openssh.base.client   8.1.102.2106  COMMITTED  Open Secure Shell Commands
      openssh.base.server   8.1.102.2106  COMMITTED  Open Secure Shell Server
      openssh.license       8.1.102.2106  COMMITTED  Open Secure Shell License
      openssh.man.en_US     8.1.102.2106  COMMITTED  Open Secure Shell
      openssh.msg.EN_US     8.1.102.2106  COMMITTED  Open Secure Shell Messages -
      openssh.msg.en_US     8.1.102.2106  COMMITTED  Open Secure Shell Messages -
      openssl.base            1.0.2.2106  COMMITTED  Open Secure Socket Layer
      openssl.license         1.0.2.2106  COMMITTED  Open Secure Socket License
      openssl.man.en_US       1.0.2.2106  COMMITTED  Open Secure Socket Layer
      openssh.base.client   8.1.102.2106  COMMITTED  Open Secure Shell Commands
      openssh.base.server   8.1.102.2106  COMMITTED  Open Secure Shell Server
      openssl.base            1.0.2.2106  COMMITTED  Open Secure Socket Layer




    ------------------------------
    Manoj Kumar
    ------------------------------



  • 35.  RE: Ansible setup on AIX

    Posted Fri May 12, 2023 09:25 AM

    OpenSSH 8.1 (compiled with Openssl 1.1.1)

    You will need to update to the openssl 1.1.1 version from the IBM site.

     

    Try this on one of the problem servers.






  • 36.  RE: Ansible setup on AIX

    Posted Fri May 12, 2023 09:30 AM

    Ok Minesh, I will try to update on one of the servers and will keep you posted.

    Regards
    Manoj



    ------------------------------
    Manoj Kumar
    ------------------------------



  • 37.  RE: Ansible setup on AIX

    Posted Fri May 12, 2023 09:30 AM

    Sorry, Manoj, I don't know your environment, but I see the error and I know what causes the error. You must update OpenSSL to get sudo working. You may need to update OpenSSH too to get it working with the newer OpenSSL.

    Of course it is correct only if you installed sudo from AIX Toolbox for Opensource applications. Otherwise you have to speak to your sudo's provider.



    ------------------------------
    Andrey Klyachkin

    https://www.power-devops.com
    ------------------------------



  • 38.  RE: Ansible setup on AIX

    Posted Tue May 16, 2023 09:04 AM

    Hi Andrey,

    We have openssh version 8.1.112.1201 available for 1.1.1* openssl version.
    Written on IBM site: OpenSSH 8.1 (compiled with Openssl 1.1.1)

    For openssl there are two versions available, given below, and remember this is the latest version available. So which one should we install? The current version on all servers is 1.0.2.2105 or 2106.

    VRMF: 1.1.2.2000 (1.1.1t with no weak ciphers support)
    VRMF: 1.1.1.2000 (1.1.1t with all ciphers support)



    ------------------------------
    Manoj Kumar
    ------------------------------



  • 39.  RE: Ansible setup on AIX

    Posted Tue May 16, 2023 11:35 AM

    Hi Manoj!

    Unless you precisely know that you need to support weak ciphers, go for VRMF: 1.1.2.2000 (1.1.1t with no weak ciphers support).

    Best regards,
      Alexander



    ------------------------------
    Alexander Reichle-Schmehl
    ------------------------------



  • 40.  RE: Ansible setup on AIX

    Posted Tue July 25, 2023 07:08 AM

    When I tried to update python packages with the dnf command, I got the following error. Would you please help to fix the issue?

    Traceback (most recent call last):
      File "/opt/freeware/bin/dnf", line 57, in <module>
        from dnf.cli import main
      File "/opt/freeware/lib/python3.9/site-packages/dnf/__init__.py", line 32, in <module>
        import dnf.base
      File "/opt/freeware/lib/python3.9/site-packages/dnf/base.py", line 29, in <module>
        import libdnf.transaction
      File "/opt/freeware/lib/python3.9/site-packages/libdnf/__init__.py", line 3, in <module>
        from . import common_types
      File "/opt/freeware/lib/python3.9/site-packages/libdnf/common_types.py", line 13, in <module>
        from . import _common_types
    ImportError:    0509-022 Cannot load module /opt/freeware/lib/libdnf.a(libdnf.so.2).
            0509-150   Dependent module /opt/freeware/lib/libcrypto.a(libcrypto.so.1.1) could not be loaded.
            0509-152   Member libcrypto.so.1.1 is not found in archive
            0509-022 Cannot load module /opt/freeware/lib/python3.9/site-packages/libdnf/_common_types.so.
            0509-150   Dependent module /opt/freeware/lib/libdnf.a(libdnf.so.2) could not be loaded.

    And one more thing: how can we remove open source packages from DNF? When I tried to remove python3 with the command below, I got an error.

    /opt/freeware/bin/dnf remove python3
    Error:
     Problem: The operation would result in removing the following protected packages: dnf
    (try to add '--skip-broken' to skip uninstallable packages or '--nobest' to use not only best candidate packages)



    ------------------------------
    Manoj Kumar
    ------------------------------



  • 41.  RE: Ansible setup on AIX

    Posted Tue July 25, 2023 07:20 AM
    Edited by Andrey Klyachkin Tue July 25, 2023 07:20 AM

    Hi Manoj,

    I suggest you open a new topic for each new problem you have. It makes it easier for other users to search through the forums if they have similar problems.

    You may remove RPM packages using dnf remove. But some of the packages like python3 are "protected". It is the same story as with AIX - if you remove the AIX kernel, AIX will not boot anymore. That's why you are not allowed to remove every single package. The same applies here - if you remove python, you will not be able to use dnf anymore. That's why you are not allowed to remove python and some other very important packages.

    Regarding your problem with DNF, it looks like you have some OpenSSL-related problem. First of all it tries to load OpenSSL from the wrong location:

    0509-150   Dependent module /opt/freeware/lib/libcrypto.a(libcrypto.so.1.1) could not be loaded.

    The correct location for OpenSSL libraries is /usr/lib/libcrypto.a and /usr/lib/libssl.a.

    Check if you have a wrong LIBPATH variable:

    echo $LIBPATH

    Check if you have OpenSSL in /opt/freeware/lib:

    ls -l /opt/freeware/lib/libcrypto* /opt/freeware/lib/libssl*

    If you have OpenSSL in /opt/freeware/lib, check if you have a package for them:

    rpm -qf /opt/freeware/lib/libcrypto.a

    If you find the package, check where it comes from:

    rpm -qi <package-name>

    Try to remove it manually:

    rpm -e <package-name>



    ------------------------------
    Andrey Klyachkin

    https://www.power-devops.com
    ------------------------------
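The checks in the reply above can be scripted. This is an added example, not code from the thread: it pulls the dependent archive and member out of the 0509-150 loader messages, flags libcrypto/libssl archives that are not the /usr/lib copies, and asks rpm which package owns them. The function names are assumptions.

```shell
#!/bin/sh
# Added example: triage AIX loader (0509-xxx) messages for OpenSSL archives
# resolved outside /usr/lib. Function names are assumptions of this example.

# Sample input: the loader messages from the dnf traceback quoted in this thread.
SAMPLE_ERR='ImportError:    0509-022 Cannot load module /opt/freeware/lib/libdnf.a(libdnf.so.2).
        0509-150   Dependent module /opt/freeware/lib/libcrypto.a(libcrypto.so.1.1) could not be loaded.
        0509-152   Member libcrypto.so.1.1 is not found in archive
        0509-022 Cannot load module /opt/freeware/lib/python3.9/site-packages/libdnf/_common_types.so.
        0509-150   Dependent module /opt/freeware/lib/libdnf.a(libdnf.so.2) could not be loaded.'

# Print "archive member" for every 0509-150 line read from stdin.
dependent_modules() {
    sed -n 's/.*0509-150[[:space:]]*Dependent module \(.*\)(\(.*\)) could not be loaded\..*/\1 \2/p'
}

# Keep only libcrypto/libssl archives that are not the /usr/lib copies.
misplaced_openssl() {
    dependent_modules | while read -r archive member; do
        case "$archive" in
            /usr/lib/libcrypto.a|/usr/lib/libssl.a) ;;            # expected location
            */libcrypto.a|*/libssl.a) echo "$archive $member" ;;  # shadowing copy
        esac
    done
}

# Name the RPM that owns a file (the "rpm -qf" step); "unknown" when the
# file or rpm is absent, or the file belongs to no package.
owner_of() {
    if [ -e "$1" ] && command -v rpm >/dev/null 2>&1; then
        owner=$(rpm -qf "$1" 2>/dev/null) && echo "$owner" || echo "unknown"
    else
        echo "unknown"
    fi
}

# One line per finding: what was requested, from where, and who ships it.
diagnose() {
    misplaced_openssl | while read -r archive member; do
        echo "$member requested from $archive (owner: $(owner_of "$archive"))"
    done
}

# LIBPATH, if set, is searched first and can cause the same shadowing.
echo "LIBPATH=${LIBPATH:-<unset>}"
printf '%s\n' "$SAMPLE_ERR" | diagnose
```

On the affected host, feed the real error text to `diagnose` instead of the sample, for example `/opt/freeware/bin/dnf --version 2>&1 | diagnose`.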



  • 42.  RE: Ansible setup on AIX

    Posted Tue July 25, 2023 08:02 AM

    Apologies for posting on an existing case. From next time onwards I will open a new discussion.

    On this 

    -> You may remove RPM packages using dnf remove. But some of the packages like python3 are "protected". It is the same story as with AIX - if you remove the AIX kernel, AIX will not boot anymore. That's why you are not allowed to remove every single package. The same applies here - if you remove python, you will not be able to use dnf anymore. That's why you are not allowed to remove python and some other very important packages.

    I asked this question in case we have to get rid of the complete dnf package that we installed to set up Ansible. We didn't have this setup before, so I just wondered how we can get rid of python and all other packages with dnf itself.

    Regarding DNF problem: Here is the output of all commands.

    server: root] /> echo $LIBPATH
     
    server: root] /> ls -l /opt/freeware/lib/libcrypto* /opt/freeware/lib/libssl*
    -rwxr-xr-x    1 root     system      6210600 Oct 04 2006  /opt/freeware/lib/libcrypto.a
    -rwxr-xr-x    1 root     system      1191902 Oct 04 2006  /opt/freeware/lib/libssl.a
    lrwxrwxrwx    1 root     system           26 Jul 25 05:59 /opt/freeware/lib/libssl3.a -> /usr/opt/rpm/lib/libssl3.a
    lrwxrwxrwx    1 root     system           27 Jul 25 05:59 /opt/freeware/lib/libssl3.so -> /usr/opt/rpm/lib/libssl3.so
    server: root] /> rpm -qf /opt/freeware/lib/libcrypto.a
    openssl-0.9.7l-1.ppc
    server: root] /> rpm -qi openssl-0.9.7l-1.ppc
    Name        : openssl
    Version     : 0.9.7l
    Release     : 1
    Architecture: ppc
    Install Date: Thu Dec 21 23:48:57 EST 2017
    Group       : System Environment/Libraries
    Size        : 9685603
    License     : OpenSSL License
    Signature   : (none)
    Source RPM  : openssl-0.9.7l-1.src.rpm
    Build Date  : Thu Dec 21 23:48:12 EST 2017
    Build Host  : server
    URL         : http://www.openssl.org/
    Summary     : Secure Sockets Layer and cryptography libraries and tools
    Description :
    The OpenSSL Project is a collaborative effort to develop a robust,
    commercial-grade, fully featured, and Open Source toolkit implementing the
    Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1)
    protocols as well as a full-strength general purpose cryptography library.
    The project is managed by a worldwide community of volunteers that use the
    Internet to communicate, plan, and develop the OpenSSL tookit and its related
    documentation.
     
    OpenSSL is based on the excellent SSLeay library developed from Eric A. Young
    and Tim J. Hudson.  OpenSSL is licensed under the OpenSSL License, included in
    this package.
     
    This package contains the base OpenSSL cryptography and SSL/TLS libraries and
    tools.
     
    You should also install a pseudo-random number generator such as EGD or prngd
    if you do not have a /dev/urandom and /dev/random.



    ------------------------------
    Manoj Kumar
    ------------------------------



  • 43.  RE: Ansible setup on AIX

    Posted Tue July 25, 2023 08:40 AM

    Remove the openssl rpm. "rpm -e openssl"



    ------------------------------
    Ayappan P
    ------------------------------



  • 44.  RE: Ansible setup on AIX

    Posted Tue July 25, 2023 09:49 AM

    If I remove this openssl, will it not impact anything on the system? 



    ------------------------------
    Manoj Kumar
    ------------------------------



  • 45.  RE: Ansible setup on AIX

    Posted Thu July 27, 2023 03:39 AM

    Hello Team,

    Does anyone have an idea or suggestion on it?



    ------------------------------
    Manoj Kumar
    ------------------------------



  • 46.  RE: Ansible setup on AIX

    Posted Thu July 27, 2023 04:37 AM

    Hi Manoj,

    Nobody knows your system better than you. Someone who installed the package might have had some thoughts when installing it.

    If you are unsure, make a backup, remove the package, and test the system to see if everything works as it should. If you find some problems with the system, restore it from the backup.

    Anyway OpenSSL 0.9.7 is old, unsupported and buggy. If I were your security auditor, you'd have a security finding right now.



    ------------------------------
    Andrey Klyachkin

    https://www.power-devops.com
    ------------------------------



  • 47.  RE: Ansible setup on AIX

    Posted Thu July 27, 2023 06:12 AM

    Thanks Andrey for the update. 

    We will try to get rid of this as it is old and seems not to be used on all servers; only a few servers have this package.

    How can we take a backup of this package? Which files do we need to back up?



    ------------------------------
    Manoj Kumar
    ------------------------------



  • 48.  RE: Ansible setup on AIX

    Posted Tue August 01, 2023 07:20 AM

    Hi Team,

    Did you check my query in the last post?

    How can we take a backup of that openssl rpm package?

    Another question was in my earlier post: if we have to get rid of the full DNF package and all dependencies that we installed through the dnf_toolbox script, how can we do that? We don't want to remove other rpm packages that were already on the server before installing this DNF tool.



    ------------------------------
    Manoj Kumar
    ------------------------------



  • 49.  RE: Ansible setup on AIX

    Posted Thu August 10, 2023 08:17 AM

    Hi Team,

    Did anyone check my last comment? It would be really helpful if somebody responded to it.



    ------------------------------
    Manoj Kumar
    ------------------------------



  • 50.  RE: Ansible setup on AIX

    Posted Thu August 10, 2023 02:14 PM

    I think there is no easy way for both of them.

    1. To take a backup of an installed rpm: the best way I can think of is to list all the files of that rpm and take a backup/tar of them

    $ rpm -ql <rpm_name>

     

    2. To remove all the rpms installed by the dnf script you will have to find those files. You can try the following command to see all rpms installed on that day and after

    $ rpm -qa --last

     

    Thanks,

     

    Sanket Rathi
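Both steps from the reply above, as an added example that is not part of the original post. It uses cpio instead of tar for the backup, and the epoch form of the install time (`%{INSTALLTIME}`) instead of parsing `rpm -qa --last`, so a cutoff can be compared numerically. Function names, file names and the sample data are assumptions.

```shell
#!/bin/sh
# Added example: back up an RPM's files and list packages installed since a
# cutoff. Function names, paths and the sample data are assumptions.

# Archive every path the package owns. cpio -o stores exactly the paths given
# on stdin, so directories from "rpm -ql" do not drag in unrelated files.
backup_rpm_files() {            # usage: backup_rpm_files <rpm_name> <out.cpio>
    rpm -ql "$1" | cpio -oc > "$2"
}

# stdin: "<install-epoch> <package>" lines, as produced by
#   rpm -qa --qf '%{INSTALLTIME} %{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n'
# stdout: packages installed at or after the cutoff epoch, oldest first.
installed_since() {             # usage: ... | installed_since <cutoff-epoch>
    awk -v cutoff="$1" '$1 + 0 >= cutoff + 0' | sort -n | awk '{ print $2 }'
}

# Dry run of the removal: rpm reports failed dependencies, changes nothing.
removal_dry_run() {             # usage: removal_dry_run <pkg> [<pkg> ...]
    rpm -e --test "$@"
}

# Constructed sample (not real host data): one old package, two newer ones.
SAMPLE_INSTALLS='1690280000 example-tool-b-2.0-1.ppc
1513900000 openssl-0.9.7l-1.ppc
1690270000 example-tool-a-1.0-1.ppc'

# Prints the two example-tool packages; the older openssl entry is excluded.
printf '%s\n' "$SAMPLE_INSTALLS" | installed_since 1690000000
```

Review the list from `installed_since` by hand and pass it through `removal_dry_run` before any real `rpm -e`, since packages that predate the DNF installation may have been upgraded on the same day.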

     






  • 51.  RE: Ansible setup on AIX

    Posted Fri August 11, 2023 05:57 AM

    Thanks Sanket, we have taken a backup of all files/directories listed by the rpm -ql <rpm_pkg> command. Would you please tell us now how we can remove that openssl rpm and all other rpms which were installed through DNF?

    A few packages were installed before the DNF tools.



    ------------------------------
    Manoj Kumar
    ------------------------------



  • 52.  RE: Ansible setup on AIX

    Posted Fri August 11, 2023 07:04 AM

    rpm -e <pkg_name> is the command to remove an rpm.

     

    Thanks,

     

    Sanket Rathi

     






  • 53.  RE: Ansible setup on AIX

    Posted Wed August 16, 2023 09:26 AM

    Thanks Sanket and team, we will follow the same steps. 



    ------------------------------
    Manoj Kumar
    ------------------------------