How do I identify an issue with crypto while running an Ansible playbbok?

Question

Trying to run a simple gather_ facts playbook using Ansible. I can connect via SSH using the user credentials with no issues but for a reason I cannot get my head around the playbook fails with the following message:

2017-10-07 22:57:44,248 ncclient.transport.ssh Unknown exception: cannot import name aead

OS: Ubuntu (Ubuntu 16.04.3 LTS) Destination Router: Virtualbox JunOS Olive [12.1R1.9] Ansible Version: 2.4.0.0

hosts:

[all:vars]
ansible_python_interpreter=/usr/bin/python
ansible_connection = local
[junos]
lab.r1

Playbook:

---
- hosts: junos
  gather_facts: no

  tasks:
  - name: obtain login credentials
    include_vars: ../auth/secrets.yml

  - name: Checking NETCONF connectivity
    wait_for: host={{ inventory_hostname }} port=830 timeout=5

  - name: Gather Facts
    junos_facts:
      host: "{{ inventory_hostname }}"
      username: "{{ creds['username'] }}"
      password: "{{ creds['password'] }}"
    register: junos

  - name: version
    debug: msg="{{ junos.facts.version }}"

Playbook output:

$ ansible-playbook -vvvv junos-get_facts.yml
ansible-playbook 2.4.0.0
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/usr/local/lib/python2.7/dist-packages/ansible/modules']
  ansible python module location = /usr/local/lib/python2.7/dist-packages/ansible
  executable location = /usr/local/bin/ansible-playbook
  python version = 2.7.12 (default, Nov 19 2016, 06:48:10) [GCC 5.4.0 20160609]
Using /etc/ansible/ansible.cfg as config file
setting up inventory plugins
Parsed /etc/ansible/hosts inventory source with ini plugin
Loading callback plugin default of type stdout, v2.0 from /usr/local/lib/python2.7/dist-packages/ansible/plugins/callback/__init__.pyc

PLAYBOOK: junos-get_facts.yml ******************************************************************************************************************
1 plays in junos-get_facts.yml

PLAY [junos] ***********************************************************************************************************************************
META: ran handlers

TASK [obtain login credentials] ****************************************************************************************************************
task path: /usr/local/share/ansible/junos/junos-get_facts.yml:6
Trying secret FileVaultSecret(filename='/usr/local/share/ansible/auth/vault/vault_pass.py') for vault_id=default
ok: [lab.r1] => {
    "ansible_facts": {
        "creds": {
            "password": "*******",
            "username": "ansible"
        }
    },
    "ansible_included_var_files": [
        "/usr/local/share/ansible/junos/../auth/secrets.yml"
    ],
    "changed": false,
    "failed": false
}

TASK [Checking NETCONF connectivity] ***********************************************************************************************************
task path: /usr/local/share/ansible/junos/junos-get_facts.yml:9
Using module file /usr/local/lib/python2.7/dist-packages/ansible/modules/utilities/logic/wait_for.py
<lab.r1> ESTABLISH LOCAL CONNECTION FOR USER: ansible
<lab.r1> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo $HOME/.ansible/tmp/ansible-tmp-1507431462.1-117888621897412 `" && echo ansible-tmp-1507431462.1-117888621897412="` echo $HOME/.ansible/tmp/ansible-tmp-1507431462.1-117888621897412 `" ) && sleep 0'
<lab.r1> PUT /tmp/tmpW193y0 TO /usr/local/share/ansible/.ansible/tmp/ansible-tmp-1507431462.1-117888621897412/wait_for.py
<lab.r1> EXEC /bin/sh -c 'chmod u+x /usr/local/share/ansible/.ansible/tmp/ansible-tmp-1507431462.1-117888621897412/ /usr/local/share/ansible/.ansible/tmp/ansible-tmp-1507431462.1-117888621897412/wait_for.py && sleep 0'
<lab.r1> EXEC /bin/sh -c '/usr/bin/python /usr/local/share/ansible/.ansible/tmp/ansible-tmp-1507431462.1-117888621897412/wait_for.py; rm -rf "/usr/local/share/ansible/.ansible/tmp/ansible-tmp-1507431462.1-117888621897412/" > /dev/null 2>&1 && sleep 0'
ok: [lab.r1] => {
    "changed": false,
    "elapsed": 0,
    "failed": false,
    "invocation": {
        "module_args": {
            "active_connection_states": [
                "ESTABLISHED",
                "FIN_WAIT1",
                "FIN_WAIT2",
                "SYN_RECV",
                "SYN_SENT",
                "TIME_WAIT"
            ],
            "connect_timeout": 5,
            "delay": 0,
            "exclude_hosts": null,
            "host": "lab.r1",
            "msg": null,
            "path": null,
            "port": 830,
            "search_regex": null,
            "sleep": 1,
            "state": "started",
            "timeout": 5
        }
    },
    "path": null,
    "port": 830,
    "search_regex": null,
    "state": "started"
}

TASK [Gather Facts] ****************************************************************************************************************************
task path: /usr/local/share/ansible/junos/junos-get_facts.yml:12
<lab.r1> using connection plugin netconf
<lab.r1> socket_path: None
fatal: [lab.r1]: FAILED! => {
    "changed": false,
    "failed": true,
    "msg": "unable to open shell. Please see: https://docs.ansible.com/ansible/network_debug_troubleshooting.html#unable-to-open-shell"
}
        to retry, use: --limit @/usr/local/share/ansible/junos/junos-get_facts.retry

PLAY RECAP *************************************************************************************************************************************
lab.r1                     : ok=2    changed=0    unreachable=0    failed=1

The detailed log output shows the following:

2017-10-07 23:19:51,177 p=2906 u=ansible |  TASK [Gather Facts] ****************************************************************************************************************************
2017-10-07 23:19:51,180 p=2906 u=ansible |  task path: /usr/local/share/ansible/junos/junos-get_facts.yml:12
2017-10-07 23:19:52,739 p=2937 u=ansible |  creating new control socket for host lab.r1:830 as user ansible
2017-10-07 23:19:52,740 p=2937 u=ansible |  control socket path is /usr/local/share/ansible/.ansible/pc/b52ae79c72
2017-10-07 23:19:52,740 p=2937 u=ansible |  current working directory is /usr/local/share/ansible/junos
2017-10-07 23:19:52,741 p=2937 u=ansible |  using connection plugin netconf
2017-10-07 23:19:52,937 p=2937 u=ansible |  network_os is set to junos
2017-10-07 23:19:52,951 p=2937 u=ansible |  ssh connection done, stating ncclient
2017-10-07 23:19:52,982 p=2937 u=ansible |  failed to create control socket for host lab.r1
2017-10-07 23:19:52,985 p=2937 u=ansible |  Traceback (most recent call last):
  File "/usr/local/bin/ansible-connection", line 316, in main
    server = Server(socket_path, pc)
  File "/usr/local/bin/ansible-connection", line 112, in __init__
    self.connection._connect()
  File "/usr/local/lib/python2.7/dist-packages/ansible/plugins/connection/netconf.py", line 158, in _connect
    ssh_config=ssh_config
  File "/usr/local/lib/python2.7/dist-packages/ncclient/manager.py", line 154, in connect
    return connect_ssh(*args, **kwds)
  File "/usr/local/lib/python2.7/dist-packages/ncclient/manager.py", line 116, in connect_ssh
    session.load_known_hosts()
  File "/usr/local/lib/python2.7/dist-packages/ncclient/transport/ssh.py", line 299, in load_known_hosts
    self._host_keys.load(filename)
  File "/usr/local/lib/python2.7/dist-packages/paramiko/hostkeys.py", line 97, in load
    e = HostKeyEntry.from_line(line, lineno)
  File "/usr/local/lib/python2.7/dist-packages/paramiko/hostkeys.py", line 358, in from_line
    key = ECDSAKey(data=decodebytes(key), validate_point=False)
  File "/usr/local/lib/python2.7/dist-packages/paramiko/ecdsakey.py", line 156, in __init__
    self.verifying_key = numbers.public_key(backend=default_backend())
  File "/usr/local/lib/python2.7/dist-packages/cryptography/hazmat/backends/__init__.py", line 15, in default_backend
    from cryptography.hazmat.backends.openssl.backend import backend
  File "/usr/local/lib/python2.7/dist-packages/cryptography/hazmat/backends/openssl/__init__.py", line 7, in <module>
    from cryptography.hazmat.backends.openssl.backend import backend
  File "/usr/local/lib/python2.7/dist-packages/cryptography/hazmat/backends/openssl/backend.py", line 23, in <module>
    from cryptography.hazmat.backends.openssl import aead
ImportError: cannot import name aead

2017-10-07 23:20:02,775 p=2906 u=ansible |  fatal: [lab.r1]: FAILED! => {
    "changed": false,
    "failed": true,
    "msg": "unable to open shell. Please see: https://docs.ansible.com/ansible/network_debug_troubleshooting.html#unable-to-open-shell"
}

Any help is appreciated.

Answer 1

The answer was:

Answered by "Paul Kehrer"
aead is being imported by the backend, but also can't be found. This sounds like it may be trying to import two different versions of cryptography. pycrypto is irrelevant here (it is an unrelated package). First I'd suggest upgrading cryptography, but since that aead was added in 2.0 you may need to make sure you don't have cryptography installed both via pip and also via your distribution package manager.

Once I removed pycrypto and cryptography via pip the playbook ran as expected:

TASK [version] *************************************************************************************************************************************************
task path: /usr/local/share/ansible/junos/junos-get_facts.yml:25
ok: [lab.r1] => {
    "msg": "olive"
}
META: ran handlers
META: ran handlers

PLAY RECAP *****************************************************************************************************************************************************
lab.r1                     : ok=5    changed=0    unreachable=0    failed=0