openssh_keypair: No such file or directory is given for key that is being created #645

Closed
barloff-st opened this issue Aug 11, 2023 · 2 comments · Fixed by #646
Labels
bug Something isn't working

Comments

@barloff-st

SUMMARY

No such file or directory is given for key that is being created. It is almost like the module lost the key that was created in a temp area.

No such file or directory: '/root/.ansible/tmp/ansible-tmp-1691778430.9805999-10225-170438481932472/id_ed25519_temp'

When target location was:

~/.ssh/id_ed25519_temp

/root/.ssh/id_ed25519_temp was also tried with the same result, but it does not appear to be getting that far.

It does not matter if become is true or false.

I was not having this problem a few days ago, granted on a different image build we have, but the collection version has not changed.

ISSUE TYPE

  • Bug Report

COMPONENT NAME

openssh_keypair

ANSIBLE VERSION

ansible [core 2.14.2]
  config file = /opt/example/ansible_main/ansible.cfg
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.11/site-packages/ansible
  ansible collection location = /root/.ansible/collections:/usr/share/ansible/collections:/opt/example/ansible_main/collections
  executable location = /usr/bin/ansible
  python version = 3.11.2 (main, Jun  6 2023, 07:39:01) [GCC 8.5.0 20210514 (Red Hat 8.5.0-18)] (/usr/bin/python3.11)
  jinja version = 3.1.2
  libyaml = True

COLLECTION VERSION

community.crypto 2.14.1

CONFIGURATION

COLLECTIONS_PATHS(/opt/example/ansible_main/ansible.cfg) = ['/root/.ansible/collections', '/usr/share/ansible/collections', '/opt/example/ansible_main/collections']
CONFIG_FILE() = /opt/example/ansible_main/ansible.cfg
DEFAULT_GATHERING(/opt/example/ansible_main/ansible.cfg) = explicit
DEFAULT_HOST_LIST(/opt/example/ansible_main/ansible.cfg) = ['/opt/example/ansible_main/inventory']
DEFAULT_REMOTE_USER(/opt/example/ansible_main/ansible.cfg) = root
DEFAULT_ROLES_PATH(/opt/example/ansible_main/ansible.cfg) = ['/opt/example/ansible_main/roles', '/root/.ansible/roles', '/usr/share/ansible/roles', '/etc/ansible/roles']
DEFAULT_TIMEOUT(/opt/example/ansible_main/ansible.cfg) = 30
DEPRECATION_WARNINGS(/opt/example/ansible_main/ansible.cfg) = False
HOST_KEY_CHECKING(/opt/example/ansible_main/ansible.cfg) = False
INVENTORY_ENABLED(/opt/example/ansible_main/ansible.cfg) = ['ini', 'auto']
PARAMIKO_HOST_KEY_AUTO_ADD(/opt/example/ansible_main/ansible.cfg) = True
PARAMIKO_LOOK_FOR_KEYS(/opt/example/ansible_main/ansible.cfg) = False
PERSISTENT_COMMAND_TIMEOUT(/opt/example/ansible_main/ansible.cfg) = 60
PERSISTENT_CONNECT_RETRY_TIMEOUT(/opt/example/ansible_main/ansible.cfg) = 45
PERSISTENT_CONNECT_TIMEOUT(/opt/example/ansible_main/ansible.cfg) = 30

OS / ENVIRONMENT

Red Hat Enterprise Linux release 8.8 (Ootpa)

STEPS TO REPRODUCE

- name: Update development environment
  hosts: localhost
  vars:
    github_key: id_ed25519_temp
    key_comment: "user.temp@example.com"

  pre_tasks:
    - name: Check if key exists
      ansible.builtin.stat:
        path: "~/.ssh/{{ github_key }}"
      register: result

    - name: Generate keypair for GitHub
      community.crypto.openssh_keypair:
        path: '~/.ssh/{{ github_key }}'
        type: ed25519
        comment: "{{ key_comment }}"
      when: not result.stat.exists

EXPECTED RESULTS

/root/.ssh/id_ed25519_temp gets created.

ACTUAL RESULTS

<127.0.0.1> ESTABLISH LOCAL CONNECTION FOR USER: root
<127.0.0.1> EXEC /bin/sh -c 'echo ~root && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /root/.ansible/tmp `"&& mkdir "` echo /root/.ansible/tmp/ansible-tmp-1691777680.6017485-10154-161789509736529 `" && echo ansible-tmp-1691777680.6017485-10154-161789509736529="` echo /root/.ansible/tmp/ansible-tmp-1691777680.6017485-10154-161789509736529 `" ) && sleep 0'
Using module file /root/.ansible/collections/ansible_collections/community/crypto/plugins/modules/openssh_keypair.py
<127.0.0.1> PUT /root/.ansible/tmp/ansible-local-10113ea1lojzt/tmphfcn7ksh TO /root/.ansible/tmp/ansible-tmp-1691777680.6017485-10154-161789509736529/AnsiballZ_openssh_keypair.py                                                                             
<127.0.0.1> EXEC /bin/sh -c 'chmod u+x /root/.ansible/tmp/ansible-tmp-1691777680.6017485-10154-161789509736529/ /root/.ansible/tmp/ansible-tmp-1691777680.6017485-10154-161789509736529/AnsiballZ_openssh_keypair.py && sleep 0'                               
<127.0.0.1> EXEC /bin/sh -c '/usr/bin/python3.11 /root/.ansible/tmp/ansible-tmp-1691777680.6017485-10154-161789509736529/AnsiballZ_openssh_keypair.py && sleep 0'                                                                                              
<127.0.0.1> EXEC /bin/sh -c 'rm -f -r /root/.ansible/tmp/ansible-tmp-1691777680.6017485-10154-161789509736529/ > /dev/null 2>&1 && sleep 0'                                                                                                                    
The full traceback is:
  File "/tmp/ansible_community.crypto.openssh_keypair_payload_33he06nl/ansible_community.crypto.openssh_keypair_payload.zip/ansible_collections/community/crypto/plugins/module_utils/openssh/backends/keypair_backend.py", line 201, in _generate             
    self._safe_secure_move([(temp_private_key, self.private_key_path), (temp_public_key, self.public_key_path)])
  File "/tmp/ansible_community.crypto.openssh_keypair_payload_33he06nl/ansible_community.crypto.openssh_keypair_payload.zip/ansible_collections/community/crypto/plugins/module_utils/openssh/backends/common.py", line 49, in backup_and_restore              
    f(self, sources_and_destinations, *args, **kwargs)
  File "/tmp/ansible_community.crypto.openssh_keypair_payload_33he06nl/ansible_community.crypto.openssh_keypair_payload.zip/ansible_collections/community/crypto/plugins/module_utils/openssh/backends/common.py", line 143, in _safe_secure_move              
    self.module.preserved_copy(source, destination)
  File "/tmp/ansible_community.crypto.openssh_keypair_payload_33he06nl/ansible_community.crypto.openssh_keypair_payload.zip/ansible/module_utils/basic.py", line 1631, in preserved_copy                                                                       
    shutil.copy2(src, dest)
  File "/usr/lib64/python3.11/shutil.py", line 436, in copy2
    copyfile(src, dst, follow_symlinks=follow_symlinks)
  File "/usr/lib64/python3.11/shutil.py", line 256, in copyfile
    with open(src, 'rb') as fsrc:
         ^^^^^^^^^^^^^^^
fatal: [localhost]: FAILED! => {
    "changed": false,
    "invocation": {
        "module_args": {
            "attributes": null,
            "backend": "auto",
            "comment": "user.temp@example.com",
            "force": false,
            "group": null,
            "mode": null,
            "owner": null,
            "passphrase": null,
            "path": "/root/.ssh/id_ed25519_temp",
            "private_key_format": "auto",
            "regenerate": "partial_idempotence",
            "selevel": null,
            "serole": null,
            "setype": null,
            "seuser": null,
            "size": null,
            "state": "present",
            "type": "ed25519",
            "unsafe_writes": false
        }
    },
    "msg": "[Errno 2] No such file or directory: '/root/.ansible/tmp/ansible-tmp-1691777680.6017485-10154-161789509736529/id_ed25519_temp'"                                                                                                                    
}

@barloff-st
Author

So it turns out FIPS was enabled on the new image and the key type is not permitted. I believe there should be some sort of error handling to pass that error back down from the module.

@felixfontein felixfontein changed the title No such file or directory is given for key that is being created openssh_keypair: No such file or directory is given for key that is being created Aug 11, 2023
@felixfontein felixfontein added the bug Something isn't working label Aug 11, 2023
@felixfontein
Contributor

The SSH code uses module.run_command() with check_rc=False (default) and does not check the return code. So in case ssh-keygen fails, the error is silently ignored, which explains the behavior you are seeing.
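
The failure mode described in the comment above, reduced to a runnable sketch (an added example, not code from community.crypto or from either participant). A constructed stand-in command plays the part of a key generator that rejects the key type; the helpers `generate_unchecked`, `generate_checked` and `error_for` are hypothetical names, and `run_command` here only mirrors the `(rc, stdout, stderr)` tuple shape of `AnsibleModule.run_command()`.

```python
import os
import shutil
import subprocess
import sys
import tempfile

# Constructed stand-in for a key generator that refuses the key type:
# it writes a message to stderr, exits non-zero and creates no file.
FAILING_KEYGEN = [sys.executable, "-c",
                  "import sys; sys.stderr.write('key type not permitted (constructed message)'); sys.exit(1)"]


def run_command(argv):
    """Return (rc, stdout, stderr), the tuple shape AnsibleModule.run_command() uses."""
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.returncode, proc.stdout, proc.stderr


def generate_unchecked(keygen_argv, dest):
    """Pattern from the comment: the return code is never inspected."""
    with tempfile.TemporaryDirectory() as tmp:
        temp_key = os.path.join(tmp, os.path.basename(dest))
        run_command(keygen_argv + [temp_key])   # rc and stderr are dropped
        shutil.copy2(temp_key, dest)            # fails here, far from the cause


def generate_checked(keygen_argv, dest):
    """Same flow, but a non-zero exit is reported with the tool's own stderr."""
    with tempfile.TemporaryDirectory() as tmp:
        temp_key = os.path.join(tmp, os.path.basename(dest))
        rc, _out, err = run_command(keygen_argv + [temp_key])
        if rc != 0:
            raise RuntimeError("key generation failed (rc=%d): %s" % (rc, err.strip()))
        shutil.copy2(temp_key, dest)


def error_for(func):
    """Run one variant against the failing generator and return the error text."""
    with tempfile.TemporaryDirectory() as home:
        try:
            func(FAILING_KEYGEN, os.path.join(home, "id_ed25519_temp"))
        except (OSError, RuntimeError) as exc:
            return "%s: %s" % (type(exc).__name__, exc)
    return "no error"


if __name__ == "__main__":
    print("unchecked:", error_for(generate_unchecked))
    print("checked:  ", error_for(generate_checked))
```

The unchecked variant surfaces only the missing temp file, as in the traceback in this issue, while the checked variant carries the generator's own stderr back to the caller.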
