Various errors found in the aix playbook

[Haroon-Khel]

Yum yum update dependency error. Most machines

--> Finished Dependency Resolution
Error: Package: openldap-2.5.12-1.ppc (AIX_Toolbox)
           Requires: libcrypto.a(libcrypto.so.1.1)
Error: Package: sudo-1.9.13p2-1.ppc (AIX_Toolbox)
           Requires: libssl.a(libssl.so.1.1)
Error: Package: curl-8.0.1-1.ppc (AIX_Toolbox)
           Requires: libcrypto.a(libcrypto.so.1.1)
Error: Package: python3-3.7.15-2.ppc (AIX_Toolbox)
           Requires: libcrypto.a(libcrypto.so.1.1)
Error: Package: python-pycurl-7.43.0.5-1.ppc (AIX_Toolbox)
           Requires: libssl.a(libssl.so.1.1)
Error: Package: krb5-libs-1.20.1-1.ppc (AIX_Toolbox)
           Requires: libcrypto.a(libcrypto.so.1.1)
Error: Package: python-2.7.18-4.ppc (AIX_Toolbox)
           Requires: libcrypto.a(libcrypto.so.1.1)
Error: Package: curl-8.0.1-1.ppc (AIX_Toolbox)
           Requires: libssl.a(libssl.so.1.1)
Error: Package: git-core-2.38.3-1.ppc (AIX_Toolbox)
           Requires: libcrypto.a(libcrypto.so.1.1)
Error: Package: libssh2-1.10.0-2.ppc (AIX_Toolbox)
           Requires: libcrypto.a(libcrypto.so.1.1)
Error: Package: git-core-2.38.3-1.ppc (AIX_Toolbox)
           Requires: libssl.a(libssl.so.1.1)
Error: Package: sudo-1.9.13p2-1.ppc (AIX_Toolbox)
           Requires: libcrypto.a(libcrypto.so.1.1)
Error: Package: python3-3.7.15-2.ppc (AIX_Toolbox)
           Requires: libssl.a(libssl.so.1.1)
Error: Package: rsync-3.2.7-1.ppc (AIX_Toolbox)
           Requires: libcrypto.a(libcrypto.so.1.1)
Error: Package: python-pycurl-7.43.0.5-1.ppc (AIX_Toolbox)
           Requires: libcrypto.a(libcrypto.so.1.1)
Error: Package: krb5-libs-1.20.1-1.ppc (AIX_Toolbox)
           Requires: libssl.a(libssl.so.1.1)
Error: Package: python-2.7.18-4.ppc (AIX_Toolbox)
           Requires: libssl.a(libssl.so.1.1)
Error: Package: openldap-2.5.12-1.ppc (AIX_Toolbox)
           Requires: libssl.a(libssl.so.1.1)

rbac ✅

infrastructure/ansible/playbooks/AdoptOpenJDK_AIX_Playbook/roles/rbac/tasks/setsecattr.yml

Line 15 in e9c5559

- name: "Add authorization to command {{ rbac_cmd }}"

fails for /usr/bin/ksh

TASK [rbac : Add authorization to command /usr/bin/ksh] ************************
fatal: [test-osuosl-aix72-ppc64-2]: FAILED! => {"changed": true, "cmd": "setsecattr -c accessauths=ojdk.rtclk,ojdk.proccore innateprivs=PV_PROC_RTCLK,PV_PROC_CORE inheritprivs=PV_PROC_RTCLK,PV_PROC_CORE secflags=FSF_EPS
 \"/usr/bin/ksh\"", "delta": "0:00:00.063116", "end": "2023-05-25 17:20:23.736530", "msg": "non-zero return code", "rc": 22, 
"start": "2023-05-25 17:20:23.673414", "stderr": "1420-001 Authorization \"ojdk.proccore\" does not exist.\n1420-016 Attribute 
\"accessauths\" has an invalid value \"ojdk.rtclk,ojdk.proccore\".", "stderr_lines": ["1420-001 Authorization \"ojdk.proccore\" 
does not exist.", "1420-016 Attribute \"accessauths\" has an invalid value \"ojdk.rtclk,ojdk.proccore\"."], "stdout": "", 
"stdout_lines": []}

Users ✅

infrastructure/ansible/playbooks/AdoptOpenJDK_AIX_Playbook/roles/users/tasks/jenkins.yml

Line 12 in e9c5559

- name: Set authorized key for jenkins user

TASK [users : Set authorized key for jenkins user] *****************************
fatal: [test-osuosl-aix715-ppc64-1 -> localhost]: FAILED! => {"changed": false, "msg": "Failed to lookup user jenkins: 
\"getpwnam(): name not found: 'jenkins'\""}

disable_sendmail ✅

infrastructure/ansible/playbooks/AdoptOpenJDK_AIX_Playbook/roles/disable_sendmail/tasks/main.yml

Line 5 in e9c5559

- name: Ensure sendmail is stopped

TASK [disable_sendmail : Ensure sendmail is stopped] ***************************
fatal: [test-osuosl-aix72-ppc64-4]: FAILED! => {"changed": false, "msg": "0513-086 The sendmail Group is not on file.\n"}

aixfs
In https://github.com/adoptium/infrastructure/blob/master/ansible/playbooks/AdoptOpenJDK_AIX_Playbook/roles/aixfs/tasks/main.yml, if ansible detects that the filesystems are larger than the desired amount it should not shrink it. I feel like this will cause loss of data

failed: [test-osuosl-aix715-ppc64-1] (item={'mount': '/var', 'size': 4}) => {"ansible_loop_var": "item", "changed": true, "cmd": 
["/usr/sbin/chfs", "-a", "size=4G", "/var"], "delta": "0:00:00.098215", "end": "2023-05-25 12:44:26.555219", "item": {"mount": 
"/var", "size": 4}, "msg": "non-zero return code", "rc": 28, "start": "2023-05-25 12:44:26.457004", "stderr": "", "stderr_lines": 
[], "stdout": "chfs: There is not enough free space to shrink the file system.", "stdout_lines": ["chfs: There is not enough free 
space to shrink the file system."]}

[Haroon-Khel]

#3087 fixes the error with the Users task

[Haroon-Khel]

The Security error is just a case of a few machines having now space in /tmp. I've removed it from the original comment

[Haroon-Khel]

#3088 fixes the disable_sendmail error

[aixtools]

The rbac error comes on systems that had not had the renewed RBAC task run. AND it had not been tested on existing systems that had the old RBAC names. Unlucky choice on my part to not have tested for both ojdk.rtclk and ojdk.proccore.

I'll rewrite this one to test/make if needed for each of the authorizations required. See: #3090

[aixtools]

As to openldap. imho: that is a yum error - contact IBM and get them to repackage it so that it works with SSL provided as part of AIX base. Noone wants to have to watch two packages of SSL when one is enough.

Updating AIX SSL may not work - as it may break the base OS level being tested. The easiest fix may be to specify a lower level of openldap: I see openldap-2.4.56 and openldap-2.4.58` currently installed.

If there is a NEED for openldap-2.5.X then some AIX administration is needed across the board.

I am curious to know which system passed (as you said most failed.

Update: the adopt systems are all using openssl.base.1.0.2.2002 - not openssl.base.1.1.XXXX

[Haroon-Khel]

rbac fixed by #3090 Thanks Michael

[Haroon-Khel]

I am curious to know which system passed (as you said most failed.

I did a more thorough check, It is affecting all machines

[aixtools]

OK. Well I assume it means they all need a later version of openssl installed, and sadly, my IBMid no longer lets me download stuff.

I would consider limiting openldap to the previous version (2.4.X) rather than the newer 2.5 - and/or signal IBM (AIX Toolbox that is provided asis iirc) that AIX 7.2 should also support, ie, work with, openssl 1.0.2.

[aixtools]

Happy me too!

rbac fixed by #3090 Thanks Michael

[aixtools]

Any news on this? If yum fails - I would look at the way AIX Toolbox is managing things - rather than blame to playbook. But, yes, sadly, modifying the playbook is probably the way to 'patch' around those packaging issues.