Improve permissions around Kolla configuration.

Make ansible_user own files so we don't need to be root.
Files no longer world readable.
Mark Goddard 2017-03-16 10:55:50 +00:00
parent d16eaf1502
commit 4652c29706
8 changed files with 57 additions and 43 deletions


@ -3,7 +3,9 @@
file: file:
path: "{{ item }}" path: "{{ item }}"
state: directory state: directory
mode: 0755 owner: "{{ ansible_user }}"
group: "{{ ansible_user }}"
mode: 0750
become: True become: True
with_items: with_items:
- "{{ kolla_config_path }}" - "{{ kolla_config_path }}"
@ -14,8 +16,7 @@
template: template:
src: "{{ item.src }}" src: "{{ item.src }}"
dest: "{{ kolla_config_path }}/{{ item.dest }}" dest: "{{ kolla_config_path }}/{{ item.dest }}"
mode: 0644 mode: 0640
become: True
with_items: with_items:
- { src: seed.j2, dest: inventory/seed } - { src: seed.j2, dest: inventory/seed }
- { src: overcloud.j2, dest: inventory/overcloud } - { src: overcloud.j2, dest: inventory/overcloud }
@ -29,9 +30,9 @@
- name: Generate Kolla passwords - name: Generate Kolla passwords
shell: > shell: >
cp {{ kolla_ansible_install_dir }}/etc_examples/kolla/passwords.yml {{ kolla_config_path }}/passwords.yml.generated cp {{ kolla_ansible_install_dir }}/etc_examples/kolla/passwords.yml {{ kolla_config_path }}/passwords.yml.generated
&& chmod 640 {{ kolla_config_path }}/passwords.yml.generated
&& {{ kolla_venv }}/bin/kolla-genpwd -p {{ kolla_config_path }}/passwords.yml.generated && {{ kolla_venv }}/bin/kolla-genpwd -p {{ kolla_config_path }}/passwords.yml.generated
&& mv {{ kolla_config_path }}/passwords.yml.generated {{ kolla_config_path }}/passwords.yml && mv {{ kolla_config_path }}/passwords.yml.generated {{ kolla_config_path }}/passwords.yml
become: True
when: not kolla_passwords_stat.stat.exists when: not kolla_passwords_stat.stat.exists
- name: Read the Kolla passwords file - name: Read the Kolla passwords file
@ -44,5 +45,4 @@
copy: copy:
content: "{{ passwords_result.content | b64decode | from_yaml | combine(kolla_ansible_custom_passwords) | to_nice_yaml }}" content: "{{ passwords_result.content | b64decode | from_yaml | combine(kolla_ansible_custom_passwords) | to_nice_yaml }}"
dest: "{{ kolla_config_path }}/passwords.yml" dest: "{{ kolla_config_path }}/passwords.yml"
become: True
when: "{{ kolla_ansible_custom_passwords }}" when: "{{ kolla_ansible_custom_passwords }}"
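Review bot: The template task in the second hunk drops `become: True` while tightening to `mode: 0640`, but sets no `owner`/`group`, so on a host deployed with the previous version the inventory files and `passwords.yml` are still root-owned 0644 and rewriting or chmod'ing them as `ansible_user` will fail; the directory task in the first hunk chowns only the listed directories, not their contents. The bifrost config, kolla-build.conf and node custom config sections below drop `become` the same way. If upgrades from the old layout matter, keep `become: True` together with `owner: "{{ ansible_user }}"` and `group: "{{ ansible_user }}"` on those tasks, or document that existing deployments need a one-off chown. Separately, the final `copy` task that merges custom passwords sets no `mode`; it presumably inherits the 640 applied by the shell task when the file already exists, but an explicit `mode: 0640` makes the secret file's permissions deliberate rather than inherited.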


@ -13,13 +13,15 @@
- python-pip - python-pip
- python-virtualenv - python-virtualenv
- name: Ensure the latest version of pip is installed - name: Ensure source code checkout path exists
pip: file:
name: "{{ item.name }}" path: "{{ source_checkout_path }}"
state: latest state: directory
virtualenv: "{{ kolla_venv }}" owner: "{{ ansible_user }}"
with_items: group: "{{ ansible_user }}"
- { name: pip } recurse: True
become: True
when: "{{ kolla_ctl_install_type == 'source' }}"
- name: Ensure Kolla Ansible source code checkout exists - name: Ensure Kolla Ansible source code checkout exists
git: git:
@ -28,6 +30,14 @@
version: "{{ kolla_ansible_source_version }}" version: "{{ kolla_ansible_source_version }}"
when: "{{ kolla_ctl_install_type == 'source' }}" when: "{{ kolla_ctl_install_type == 'source' }}"
- name: Ensure the latest version of pip is installed
pip:
name: "{{ item.name }}"
state: latest
virtualenv: "{{ kolla_venv }}"
with_items:
- { name: pip }
- name: Ensure required Python packages are installed - name: Ensure required Python packages are installed
pip: pip:
name: "{{ item.name }}" name: "{{ item.name }}"
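Review bot: The new checkout-path task applies `owner`/`group` with `recurse: True` under `become`, which rewrites ownership of everything beneath `source_checkout_path` on every run; if that path is shared with anything not meant to belong to `ansible_user` this silently takes it over, and with no `mode` a freshly created directory gets root's umask rather than an explicit permission. The same task appears in the Bifrost and Kolla install sections below. Consider dropping `recurse: True` (the git tasks that follow appear to run without `become`, so their checkouts are owned by `ansible_user` anyway) or adding an explicit `mode: 0755` so the result does not depend on the controller's umask. The git task at the end of the first hunk continues outside it.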


@ -3,15 +3,13 @@
file: file:
path: "{{ kolla_node_custom_config_path }}/bifrost" path: "{{ kolla_node_custom_config_path }}/bifrost"
state: directory state: directory
mode: 0755 mode: 0750
become: True
- name: Ensure the Kolla Bifrost configuration files exist - name: Ensure the Kolla Bifrost configuration files exist
template: template:
src: "{{ item.src }}" src: "{{ item.src }}"
dest: "{{ kolla_node_custom_config_path }}/bifrost/{{ item.dest }}" dest: "{{ kolla_node_custom_config_path }}/bifrost/{{ item.dest }}"
mode: 0644 mode: 0640
become: True
with_items: with_items:
- { src: bifrost.yml.j2, dest: bifrost.yml } - { src: bifrost.yml.j2, dest: bifrost.yml }
- { src: dib.yml.j2, dest: dib.yml } - { src: dib.yml.j2, dest: dib.yml }


@ -12,6 +12,21 @@
- python-pip - python-pip
- python-virtualenv - python-virtualenv
- name: Ensure source code checkout path exists
file:
path: "{{ source_checkout_path }}"
state: directory
owner: "{{ ansible_user }}"
group: "{{ ansible_user }}"
recurse: True
become: True
- name: Ensure Bifrost source code checkout exists
git:
repo: "{{ kolla_bifrost_source_url }}"
dest: "{{ source_checkout_path }}/bifrost"
version: "{{ kolla_bifrost_source_version }}"
- name: Ensure the latest version of pip is installed - name: Ensure the latest version of pip is installed
pip: pip:
name: "{{ item.name }}" name: "{{ item.name }}"
@ -20,18 +35,6 @@
with_items: with_items:
- { name: pip } - { name: pip }
- name: Ensure source code checkout path exists
file:
path: "{{ source_checkout_path }}"
state: directory
recurse: True
- name: Ensure Bifrost source code checkout exists
git:
repo: "{{ kolla_bifrost_source_url }}"
dest: "{{ source_checkout_path }}/bifrost"
version: "{{ kolla_bifrost_source_version }}"
- name: Ensure required Python packages are installed - name: Ensure required Python packages are installed
pip: pip:
name: "{{ item.name }}" name: "{{ item.name }}"


@ -4,7 +4,6 @@
src: "{{ item.src }}" src: "{{ item.src }}"
dest: "{{ kolla_config_path }}/{{ item.dest }}" dest: "{{ kolla_config_path }}/{{ item.dest }}"
mode: 0644 mode: 0644
become: True
with_items: with_items:
- { src: kolla-build.conf.j2, dest: kolla-build.conf } - { src: kolla-build.conf.j2, dest: kolla-build.conf }
- { src: template-override.j2.j2, dest: template-override.j2 } - { src: template-override.j2.j2, dest: template-override.j2 }
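Review bot: `kolla-build.conf` keeps `mode: 0644` while every other templated config in this commit moves to 0640, which contradicts the commit message "Files no longer world readable". If it is intentionally left readable because it holds nothing sensitive, a comment above the task such as `# kolla-build.conf holds no secrets; left world-readable` would save the next reader from asking; otherwise change it to `mode: 0640` to match the rest. The enclosing task's `template:` line starts before this hunk.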


@ -3,8 +3,7 @@
file: file:
path: "{{ kolla_node_custom_config_path }}/{{ item.name }}" path: "{{ kolla_node_custom_config_path }}/{{ item.name }}"
state: directory state: directory
mode: 0755 mode: 0750
become: True
with_items: with_items:
- { name: ironic, enabled: "{{ kolla_enable_ironic }}" } - { name: ironic, enabled: "{{ kolla_enable_ironic }}" }
- { name: swift, enabled: "{{ kolla_enable_swift }}" } - { name: swift, enabled: "{{ kolla_enable_swift }}" }
@ -14,8 +13,7 @@
template: template:
src: "{{ item.src }}" src: "{{ item.src }}"
dest: "{{ kolla_node_custom_config_path }}/{{ item.dest }}" dest: "{{ kolla_node_custom_config_path }}/{{ item.dest }}"
mode: 0644 mode: 0640
become: True
with_items: with_items:
- { src: glance.conf.j2, dest: glance.conf, enabled: "{{ kolla_enable_glance }}" } - { src: glance.conf.j2, dest: glance.conf, enabled: "{{ kolla_enable_glance }}" }
- { src: ironic.conf.j2, dest: ironic.conf, enabled: "{{ kolla_enable_ironic }}" } - { src: ironic.conf.j2, dest: ironic.conf, enabled: "{{ kolla_enable_ironic }}" }
@ -28,7 +26,7 @@
get_url: get_url:
url: "{{ item.url }}" url: "{{ item.url }}"
dest: "{{ kolla_node_custom_config_path }}/ironic/{{ item.dest }}" dest: "{{ kolla_node_custom_config_path }}/ironic/{{ item.dest }}"
become: True mode: 0640
with_items: with_items:
- { url: "{{ kolla_inspector_ipa_kernel_upstream_url }}", dest: "ironic-agent.kernel" } - { url: "{{ kolla_inspector_ipa_kernel_upstream_url }}", dest: "ironic-agent.kernel" }
- { url: "{{ kolla_inspector_ipa_ramdisk_upstream_url }}", dest: "ironic-agent.initramfs" } - { url: "{{ kolla_inspector_ipa_ramdisk_upstream_url }}", dest: "ironic-agent.initramfs" }


@ -3,7 +3,9 @@
file: file:
path: "{{ item }}" path: "{{ item }}"
state: directory state: directory
mode: 0755 owner: "{{ ansible_user }}"
group: "{{ ansible_user }}"
mode: 0750
become: True become: True
with_items: with_items:
- "{{ kolla_config_path }}" - "{{ kolla_config_path }}"


@ -12,19 +12,15 @@
- python-pip - python-pip
- python-virtualenv - python-virtualenv
- name: Ensure the latest version of pip is installed
pip:
name: "{{ item.name }}"
state: latest
virtualenv: "{{ kolla_venv }}"
with_items:
- { name: pip }
- name: Ensure source code checkout path exists - name: Ensure source code checkout path exists
file: file:
path: "{{ source_checkout_path }}" path: "{{ source_checkout_path }}"
state: directory state: directory
owner: "{{ ansible_user }}"
group: "{{ ansible_user }}"
recurse: True recurse: True
become: True
when: "{{ kolla_ctl_install_type == 'source' }}"
- name: Ensure Kolla source code checkout exists - name: Ensure Kolla source code checkout exists
git: git:
@ -33,6 +29,14 @@
version: "{{ kolla_source_version }}" version: "{{ kolla_source_version }}"
when: "{{ kolla_ctl_install_type == 'source' }}" when: "{{ kolla_ctl_install_type == 'source' }}"
- name: Ensure the latest version of pip is installed
pip:
name: "{{ item.name }}"
state: latest
virtualenv: "{{ kolla_venv }}"
with_items:
- { name: pip }
- name: Ensure required Python packages are installed - name: Ensure required Python packages are installed
pip: pip:
name: "{{ item.name }}" name: "{{ item.name }}"