Planning to install AWX 24.6.1 with own Execution Environment
Server setup: RHEL 9, podman-docker-5.2.2-15.el9_5.noarch, Python 3.11, ansible-builder
Error Logs
[root@server builder]# ansible-builder build --tag registry.example.com/ansible/ee:2.15-custom --container-runtime docker --verbosity 3
Ansible Builder is generating your execution environment build context.
File context/_build/requirements.yml will be created.
File context/_build/requirements.txt will be created.
File context/_build/bindep.txt will be created.
Creating context/_build/configs
File context/_build/configs/ansible.cfg will be created.
File context/_build/scripts/assemble will be created.
File context/_build/scripts/install-from-bindep will be created.
File context/_build/scripts/introspect.py will be created.
File context/_build/scripts/check_galaxy will be created.
File context/_build/scripts/check_ansible will be created.
File context/_build/scripts/pip_install will be created.
File context/_build/scripts/entrypoint will be created.
Ansible Builder is building your execution environment image. Tags: registry.example.com/ansible/ee:2.15-custom
Running command:
docker build -f context/Dockerfile -t registry.example.com/ansible/ee:2.15-custom context
Emulate Docker CLI using podman. Create /etc/containers/nodocker to quiet msg.
[1/4] STEP 1/17: FROM quay.io/centos/centos:stream9-minimal AS base
Trying to pull quay.io/centos/centos:stream9-minimal...
Getting image source signatures
Copying blob sha256:286eb63bc9616cc88e477f1292d3d27a5579b2964f05c29d0f5d03e0e1eb9c56
Copying config sha256:19387c59e3fe484ec2405c4e9bf897e45b2ed615b20f8f62a815b983a5f61004
Writing manifest to image destination
[1/4] STEP 2/17: USER root
--> d318a45dd812
[1/4] STEP 3/17: ENV PIP_BREAK_SYSTEM_PACKAGES=1
--> 538bf5ee95ed
[1/4] STEP 4/17: ARG EE_BASE_IMAGE
--> 1a28faac9058
[1/4] STEP 5/17: ARG PYCMD
--> 262e33395897
[1/4] STEP 6/17: ARG PYPKG
--> d582932d1542
[1/4] STEP 7/17: ARG PKGMGR_PRESERVE_CACHE
--> 7e64425417df
[1/4] STEP 8/17: ARG ANSIBLE_GALAXY_CLI_COLLECTION_OPTS
--> 2f475cf1f18c
[1/4] STEP 9/17: ARG ANSIBLE_GALAXY_CLI_ROLE_OPTS
--> 8b7e73d0d188
[1/4] STEP 10/17: ARG ANSIBLE_INSTALL_REFS
--> 57929d775767
[1/4] STEP 11/17: ARG PKGMGR
--> 9cbaa9faab11
[1/4] STEP 12/17: COPY _build/scripts/ /output/scripts/
--> 960f7d8b06c1
[1/4] STEP 13/17: COPY _build/scripts/entrypoint /opt/builder/bin/entrypoint
--> 7a080c15bbe6
[1/4] STEP 14/17: RUN $PKGMGR install $PYPKG -y ; if [ -z $PKGMGR_PRESERVE_CACHE ]; then $PKGMGR clean all; fi
Downloading metadata...
(microdnf:2): librepo-WARNING **: 11:01:40.889: LRO_METALINKURL processing failed: Curl error (60): SSL peer certificate or SSH remote key was not OK for https://mirrors.centos.org/metalink?repo=centos-extras-sig-extras-common-9-stream&arch=x86_64&protocol=https,http [SSL certificate problem: unable to get local issuer certificate]
error: cannot update repo 'extras-common': Cannot prepare internal mirrorlist: Curl error (60): SSL peer certificate or SSH remote key was not OK for https://mirrors.centos.org/metalink?repo=centos-extras-sig-extras-common-9-stream&arch=x86_64&protocol=https,http [SSL certificate problem: unable to get local issuer certificate]; Last error: Curl error (60): SSL peer certificate or SSH remote key was not OK for https://mirrors.centos.org/metalink?repo=centos-extras-sig-extras-common-9-stream&arch=x86_64&protocol=https,http [SSL certificate problem: unable to get local issuer certificate]
Complete.
--> 676e922b0abd
[1/4] STEP 15/17: RUN /output/scripts/pip_install $PYCMD
/usr/bin/python3.11 is not an executable
+ PYCMD=/usr/bin/python3.11
+ '[' -z /usr/bin/python3.11 ']'
+ '[' '!' -x /usr/bin/python3.11 ']'
+ echo '/usr/bin/python3.11 is not an executable'
+ exit 1
**Error: building at STEP "RUN /output/scripts/pip_install $PYCMD": while running runtime: exit status 1**
An error occurred (rc=1), see output line(s) above for details.
[root@server builder]
- my code!
Followed the steps until building the EE and got the error.
Echoing @kurokobo, it would appear something is man-in-the-middling your TLS sessions, likely a proxy of some kind if it’s an enterprise environment. It is possible to build an execution environment to include the root certificate authorities of all container images. A good stage is usually prepend_base; reference.
You need to trust the root certificate in the container for your MITM proxy or do the bad thing and ignore failures, which negates a lot of the benefit of encryption. In my post I link to the place in the execution-environment.yml to do that step at. We won’t know what root is, that’s going to be organization specific.
Not sure if that’s an obfuscation or if that might be the issue: /etc/path/ca-bundle.trust.crt. Usually you’ll want to add specific certificates (public keys) one at a time and not a bundle, and then run update-ca-trust, which builds the appropriate bundles.
Let’s say you have a root certificate authority called VINO ROOT (in the CN). I’d add it as a file called VINOROOT.pem to the /etc/pki/ca-trust/source/anchors/ directory and then run update-ca-trust. I also wouldn’t try to copy an existing bundle over another system-wide certificates managed bundle.
You can do some troubleshooting. In your environment you will likely want to inspect the certificate chain using something like openssl s_client -connect mirrors.centos.org:443 -showcerts. You may need additional commands to ensure it goes through a proxy. It’s possible even with the right certificate that the chain itself isn’t properly offered by the proxy (the s_client tool helps find these). If that’s the case the fix is to either fix the proxy (sometimes harder than it sounds and outside the EE builder’s control) or add the necessary intermediate certificate(s) to the trust store too (bad practice, please don’t do this but …).
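The advice above as an execution-environment.yml fragment; this is an added example, not part of the original posts. It assumes the version 3 definition schema, the base image seen in the build log, and that the organization's root CA has been exported to files/VINOROOT.pem next to the definition (the file name comes from the reply above; the files/ directory and the certs destination are assumptions).

```yaml
---
version: 3

images:
  base_image:
    # Base image taken from the build log above.
    name: quay.io/centos/centos:stream9-minimal

# Copy the single root CA certificate (PEM, public certificate only) into
# the build context. ansible-builder places it under context/_build/certs/.
# Assumed source path: files/VINOROOT.pem, relative to this definition file.
additional_build_files:
  - src: files/VINOROOT.pem
    dest: certs

additional_build_steps:
  # prepend_base steps are emitted in the base stage ahead of the
  # "$PKGMGR install $PYPKG" step, so microdnf already trusts the proxy's
  # root when it fetches repository metadata. The later stages are built
  # FROM the base stage and inherit the updated trust store.
  prepend_base:
    # Add one named anchor; do not overwrite the system-managed bundle.
    - COPY _build/certs/VINOROOT.pem /etc/pki/ca-trust/source/anchors/VINOROOT.pem
    # Regenerate the consolidated bundles from the anchors directory.
    - RUN update-ca-trust

# The existing dependencies section (python_interpreter, ansible_core,
# galaxy, python, system) stays unchanged and is omitted here.
```

With this in place the build keeps certificate verification enabled; in the log above, the python3.11 "is not an executable" failure at STEP 15 follows directly from the repository metadata download failing at STEP 14.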
Thank you very much @wayt
By updating the correct certification path, /etc/pki/ca-trust/source/anchors/, I am now successfully able to run the ansible-builder command and the image build is completed. I will work on further setup.
[root@server builder]# docker image ls
Emulate Docker CLI using podman. Create /etc/containers/nodocker to quiet msg.
REPOSITORY TAG IMAGE ID CREATED SIZE
registry.example.com/ansible/ee 2.15-custom 6cb8cc953e07 36 seconds ago 299 MB
<none> <none> 180024c4a569 About a minute ago 301 MB
<none> <none> ca9c4bd61984 2 minutes ago 251 MB
<none> <none> ce7acd585166 20 hours ago 109 MB
<none> <none> 676e922b0abd 2 days ago 106 MB
quay.io/centos/centos stream9-minimal 19387c59e3fe 8 days ago 106 MB
[root@server builder]#