trailofbits/algo

Algo fails to deploy on OpenStack (DreamCompute optimised)

E-G-C opened this issue · 1 comments

Describe the bug
Algo fails to deploy using option 9. OpenStack (DreamCompute optimised)
on MacBook Pro/macOS 4.3.1 and Ubuntu 22.04.2 ARM64 (running on Parallels).
Error:

 {"msg": "The task includes an option with an undefined variable. The error was: 'dict object' has no attribute 'id'. 'dict object' has no attribute 'id'
The error appears to be in '/algo/roles/cloud-openstack/tasks/main.yml': line 16, column 3, but may
be elsewhere in the file depending on the exact syntax problem.
The offending line appears to be:
- name: Security rules created
  ^ here
"}

To Reproduce
Set the DreamCompute (OpenStack) credentials as indicated with source credential_files_from_DreamHost.sh
Steps to reproduce the behavior:

  1. Launch ./algo
  2. Select option 9. OpenStack (DreamCompute optimised)
  3. Name the vpn server, hit enter to accept the default 'algo'
  4. Do you want macOS/iOS clients to enable "Connect On Demand" when connected to cellular networks? y
  5. Do you want macOS/iOS clients to enable "Connect On Demand" when connected to Wi-Fi? y
  6. List the names of any trusted Wi-Fi networks where macOS/iOS clients should not use "Connect On Demand" (hit enter to skip)
  7. Do you want to retain the keys (PKI)? (required to add users in the future, but less secure) y
  8. Do you want to enable DNS ad blocking on this VPN server? y
  9. Do you want each user to have their own account for SSH tunneling? n

Expected behavior

To succeed, server created

Full log

PLAY [localhost] ********************************************************************************************************************

TASK [Gathering Facts] **************************************************************************************************************
ok: [localhost]

TASK [Playbook dir stat] ************************************************************************************************************
ok: [localhost]

TASK [Ensure Ansible is not being run in a world writable directory] ****************************************************************
ok: [localhost] => {
    "changed": false,
    "msg": "All assertions passed"
}
[DEPRECATION WARNING]: Use 'ansible.utils.ipaddr' module instead. This feature will be removed from ansible.netcommon in a release 
after 2024-01-01. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
[WARNING]: The value '' is not a valid IP address or network, passing this value to ipaddr filter might result in breaking change in
future.

TASK [Ensure the requirements installed] ********************************************************************************************
ok: [localhost]

TASK [Set required ansible version as a fact] ***************************************************************************************
ok: [localhost] => (item=ansible==9.1.0)

TASK [Just get the list from default pip] *******************************************************************************************
ok: [localhost]


TASK [Verify Python meets Algo VPN requirements] ************************************************************************************
ok: [localhost] => {
    "changed": false,
    "msg": "All assertions passed"
}

TASK [Verify Ansible meets Algo VPN requirements] ***********************************************************************************
ok: [localhost] => {
    "changed": false,
    "msg": "All assertions passed"
}
[WARNING]: Found variable using reserved name: no_log

PLAY [Ask user for the input] *******************************************************************************************************

TASK [Gathering Facts] **************************************************************************************************************
ok: [localhost]
[Cloud prompt]
What provider would you like to use?
    1. DigitalOcean
    2. Amazon Lightsail
    3. Amazon EC2
    4. Microsoft Azure
    5. Google Compute Engine
    6. Hetzner Cloud
    7. Vultr
    8. Scaleway
    9. OpenStack (DreamCompute optimised)
    10. CloudStack (Exoscale optimised)
    11. Linode
    12. Install to existing Ubuntu latest LTS server (for more advanced users)
  
Enter the number of your desired provider
:

TASK [Cloud prompt] *****************************************************************************************************************
ok: [localhost]

TASK [Set facts based on the input] *************************************************************************************************
ok: [localhost]
[VPN server name prompt]
Name the vpn server
[algo]
:

TASK [VPN server name prompt] *******************************************************************************************************
ok: [localhost]
[Cellular On Demand prompt]
Do you want macOS/iOS clients to enable "Connect On Demand" when connected to cellular networks?
[y/N]
:

TASK [Cellular On Demand prompt] ****************************************************************************************************
ok: [localhost]
[Wi-Fi On Demand prompt]
Do you want macOS/iOS clients to enable "Connect On Demand" when connected to Wi-Fi?
[y/N]
:

TASK [Wi-Fi On Demand prompt] *******************************************************************************************************
ok: [localhost]
[Trusted Wi-Fi networks prompt]
List the names of any trusted Wi-Fi networks where macOS/iOS clients should not use "Connect On Demand"
(e.g., your home network. Comma-separated value, e.g., HomeNet,OfficeWifi,AlgoWiFi)
:

TASK [Trusted Wi-Fi networks prompt] ************************************************************************************************
ok: [localhost]
[Retain the PKI prompt]
Do you want to retain the keys (PKI)? (required to add users in the future, but less secure)
[y/N]
:

TASK [Retain the PKI prompt] ********************************************************************************************************
ok: [localhost]
[DNS adblocking prompt]
Do you want to enable DNS ad blocking on this VPN server?
[y/N]
:

TASK [DNS adblocking prompt] ********************************************************************************************************
ok: [localhost]
[SSH tunneling prompt]
Do you want each user to have their own account for SSH tunneling?
[y/N]
:

TASK [SSH tunneling prompt] *********************************************************************************************************
ok: [localhost]

TASK [Set facts based on the input] *************************************************************************************************
ok: [localhost]

PLAY [Provision the server] *********************************************************************************************************

TASK [Gathering Facts] **************************************************************************************************************
ok: [localhost]

--> Please include the following block of text when reporting issues:

Algo running on: Ubuntu 22.04.2 LTS (Virtualized: parallels)
Created from git fork. Last commit: 0d1be72 Fix hetzner module (#14698)
Python 3.10.12
Runtime variables:
    algo_provider "openstack"
    algo_ondemand_cellular "True"
    algo_ondemand_wifi "True"
    algo_ondemand_wifi_exclude "X251bGw="
    algo_dns_adblocking "True"
    algo_ssh_tunneling "False"
    wireguard_enabled "True"
    dns_encryption "True"

TASK [Display the invocation environment] *******************************************************************************************
changed: [localhost]

TASK [Install the requirements] *****************************************************************************************************
ok: [localhost]

TASK [Generate the SSH private key] *************************************************************************************************
ok: [localhost]

TASK [Generate the SSH public key] **************************************************************************************************
ok: [localhost]

TASK [Copy the private SSH key to /tmp] *********************************************************************************************
ok: [localhost]

TASK [Include a provisioning role] **************************************************************************************************

TASK [cloud-openstack : Install requirements] ***************************************************************************************
ok: [localhost]

TASK [cloud-openstack : Security group created] *************************************************************************************
ok: [localhost]

TASK [cloud-openstack : Security rules created] *************************************************************************************
fatal: [localhost]: FAILED! => {"msg": "The task includes an option with an undefined variable. The error was: 'dict object' has no attribute 'id'. 'dict object' has no attribute 'id'\n\nThe error appears to be in '/home/parallels/work/algo/roles/cloud-openstack/tasks/main.yml': line 16, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n- name: Security rules created\n  ^ here\n"}

TASK [include_tasks] ****************************************************************************************************************
included: /home/parallels/work/algo/playbooks/rescue.yml for localhost

TASK [debug] ************************************************************************************************************************
ok: [localhost] => {
    "fail_hint": [
        "Sorry, but something went wrong!",
        "Please check the troubleshooting guide.",
        "https://trailofbits.github.io/algo/troubleshooting.html"
    ]
}

TASK [Fail the installation] ********************************************************************************************************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "Failed as requested from task"}

PLAY RECAP **************************************************************************************************************************
localhost                  : ok=29   changed=1    unreachable=0    failed=1    skipped=1    rescued=1    ignored=0   


diff --git a/roles/cloud-openstack/tasks/main.yml b/roles/cloud-openstack/tasks/main.yml
index ac6cbd3..0796e8e 100644
--- a/roles/cloud-openstack/tasks/main.yml
+++ b/roles/cloud-openstack/tasks/main.yml
@@ -16,7 +16,7 @@
 - name: Security rules created
   openstack.cloud.security_group_rule:
     state: "{{ state|default('present') }}"
-    security_group: "{{ os_security_group.id }}"
+    security_group: "{{ os_security_group.security_group.id }}"
     protocol: "{{ item.proto }}"
     port_range_min: "{{ item.port_min }}"
     port_range_max: "{{ item.port_max }}"
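
Review bot: the new `os_security_group.security_group.id` lookup on the `security_group:` line depends on the registered result nesting the group under a `security_group` key, and nothing in this file checks that shape. The log above shows what a mismatch looks like: an undefined-variable error raised at this task, one step after "Security group created" reported `ok`. Pin the `openstack.cloud` collection version in the project's requirements in the same change, so the return shape these renamed keys rely on is fixed rather than whatever happens to be installed.
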
@@ -40,7 +40,7 @@
 - name: Set image as a fact
   set_fact:
     image_id: "{{ item.id }}"
-  loop: "{{ os_image.openstack_image }}"
+  loop: "{{ os_image.images }}"
   when:
     - item.name == cloud_providers.openstack.image
     - item.status == "active"
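
Review bot: on the `loop: "{{ os_image.images }}"` line, if no entry satisfies both `when` conditions the task skips every item and `image_id` is never set, so the run only fails later, wherever `image_id` is consumed. Add an `assert` that `image_id is defined` right after this task, with a message naming `cloud_providers.openstack.image`, so a wrong or inactive image name is reported at this step.
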
@@ -56,12 +56,12 @@
     - item['router:external']|default(omit)
     - item['admin_state_up']|default(omit)
     - item['status'] == 'ACTIVE'
-  with_items: "{{ os_network.openstack_networks }}"
+  with_items: "{{ os_network.networks }}"
 
 - name: Set facts
   set_fact:
-    flavor_id: "{{ (os_flavor.openstack_flavors | sort(attribute='ram'))[0]['id'] }}"
-    security_group_name: "{{ os_security_group['secgroup']['name'] }}"
+    flavor_id: "{{ (os_flavor.flavors | sort(attribute='ram'))[0]['id'] }}"
+    security_group_name: "{{ os_security_group['security_group']['name'] }}"
 
 - name: Server created
   openstack.cloud.server:
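
Review bot: `security_group_name` reads `os_security_group['security_group']['name']` with bracket access, while the rule task earlier in this patch reads `os_security_group.security_group.id` with dot access; use one style for the same registered variable so the next key rename is a single search. The `with_items: "{{ os_network.networks }}"` line also keeps `with_items` where the image task in this file uses `loop`; converting it here would keep the file consistent.
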
@@ -75,8 +75,15 @@
       - net-id: "{{ public_network_id }}"
   register: os_server
 
+- name: Set the IPv4 as a fact
+  set_fact:
+    cloud_instance_ip: "{{ item.addr }}"
+  when:
+    - item['version'] == 4
+  with_items: "{{ os_server.server.addresses.public }}"
+
+
 - set_fact:
-    cloud_instance_ip: "{{ os_server['openstack']['public_v4'] }}"
     ansible_ssh_user: algo
     ansible_ssh_port: "{{ ssh_port }}"
     cloudinit: true
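
Review bot: `with_items: "{{ os_server.server.addresses.public }}"` hard-codes a network named `public`, but the server is attached by `net-id: "{{ public_network_id }}"`, which the earlier task selects by `router:external` and `status`, not by name. On a cloud whose external network has another name this task fails on an undefined attribute, and if no address has `version == 4` the fact `cloud_instance_ip` is left unset for the SSH settings that follow. Derive the address key from the selected network and assert that `cloud_instance_ip` is defined before the unnamed `set_fact`; the second blank line added before `- set_fact:` can also be dropped.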