Drop become in stackhpc.libvirt-vm for seed vm provision

Prior to this change, the seed VM was provisioned using the
stackhpc.libvirt-vm role with become=true. This resulted in the cached
image being owned by root. The infra VM provisioning uses
stackhpc.libvirt-vm without become=true. If an infra VM uses the same
image as the seed, this can lead to permission denied errors when
downloading a new image of the same name.

This change adds a workaround to fix up the ownership of the cached
image during infra VM provisioning to avoid this issue.

This change also drops become=true from stackhpc.libvirt-vm during seed
VM provisioning, and adds the same workaround there.

Story: 2009277
Task: 43534

Change-Id: Iade0d74cdb398365a567dbdc4b23de2416f3726d
Mark Goddard 2021-10-06 15:07:27 +01:00
parent f11c73ff03
commit 50e04bb06f
3 changed files with 46 additions and 1 deletions

@ -49,6 +49,26 @@
mime: False mime: False
register: stat_result register: stat_result
# NOTE(mgoddard): Prior to the Xena release, the seed VM was provisioned using
# the stackhpc.livirt-vm role with become=true. This resulted in the cached
# image being owned by root. Since Xena, we execute the role without
# become=true. Correct the image ownership to avoid a permission denied error
# when downloading a new image of the same name.
- name: "[{{ vm_name }}] Stat image files"
stat:
path: "{{ image_cache_path }}/{{ item.image | basename }}"
with_items: "{{ vm_hostvars.infra_vm_volumes | selectattr('image', 'defined') }}"
register: image_stat_result
- name: "[{{ vm_name }}] Fix image ownership"
file:
path: "{{ image_cache_path }}/{{ item.item.image | basename }}"
owner: "{{ ansible_facts.user_uid }}"
group: "{{ ansible_facts.user_gid }}"
with_items: "{{ image_stat_result.results }}"
when: item.stat.exists
become: true
- name: "[{{ vm_name }}] Ensure that the VM is provisioned" - name: "[{{ vm_name }}] Ensure that the VM is provisioned"
include_role: include_role:
name: stackhpc.libvirt-vm name: stackhpc.libvirt-vm
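
Review bot: The new "Stat image files" task passes only `path` to stat, so it runs with the module defaults, including get_checksum, which hashes every cached image on each run. The context line above it shows the existing stat task already switching off optional work (`mime: False`), and only `item.stat.exists` is consumed afterwards, so set `get_checksum: false`, `mime: false` and `get_attributes: false` here as well. The loop expression also ends in `selectattr('image', 'defined')` without `| list`; appending it makes the loop input an explicit list.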

@ -29,6 +29,26 @@
group: "{{ ansible_facts.user_gid }}" group: "{{ ansible_facts.user_gid }}"
become: True become: True
# NOTE(mgoddard): Prior to the Xena release, the seed VM was provisioned
# using the stackhpc.livirt-vm role with become=true. This resulted in the
# cached image being owned by root. Since Xena, we execute the role without
# become=true. Correct the image ownership to avoid a permission denied
# error when downloading a new image of the same name.
- name: Stat image files
stat:
path: "{{ image_cache_path }}/{{ item.image | basename }}"
with_items: "{{ hostvars[seed_host].seed_vm_volumes | selectattr('image', 'defined') }}"
register: image_stat_result
- name: Fix image ownership
file:
path: "{{ image_cache_path }}/{{ item.item.image | basename }}"
owner: "{{ ansible_facts.user_uid }}"
group: "{{ ansible_facts.user_gid }}"
with_items: "{{ image_stat_result.results }}"
when: item.stat.exists
become: true
roles: roles:
- role: jriguera.configdrive - role: jriguera.configdrive
# For now assume the VM OS family is the same as the hypervisor's. # For now assume the VM OS family is the same as the hypervisor's.
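
Review bot: "Fix image ownership" runs with `become: true`, but its only guard is `when: item.stat.exists`, so the root-level chown is applied to whatever sits at that path in the cache, including a directory or a symlink. stat does not follow symlinks by default, so tightening the condition to `item.stat.exists and item.stat.isreg` keeps the privileged task to the regular image files this workaround targets. The NOTE comment also carries the "stackhpc.livirt-vm" typo (should be stackhpc.libvirt-vm).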
@ -99,7 +119,6 @@
volumes: "{{ hostvars[seed_host].seed_vm_volumes + [seed_vm_configdrive_volume] }}" volumes: "{{ hostvars[seed_host].seed_vm_volumes + [seed_vm_configdrive_volume] }}"
interfaces: "{{ hostvars[seed_host].seed_vm_interfaces }}" interfaces: "{{ hostvars[seed_host].seed_vm_interfaces }}"
console_log_enabled: true console_log_enabled: true
become: True
tasks: tasks:
- name: Wait for SSH access to the seed VM - name: Wait for SSH access to the seed VM
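
Review bot: With `become: True` removed from this role invocation, everything the role does for the seed VM now runs as the Ansible user, while the fix-up tasks added before `roles:` re-own only the cached image files. If earlier root runs left other root-owned files that the role rewrites (`console_log_enabled: true` is set here, for example), they would hit the same permission error, so it is worth confirming on an upgraded host or stating in the NOTE comment that the image is the only such artifact.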

@ -0,0 +1,6 @@
---
fixes:
- |
Fixes an issue where cached seed VM images are unnecessarily owned by root.
See `story 2009277 <https://storyboard.openstack.org/#!/story/2009277>`__
for details.
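
Review bot: The release note files this only under `fixes:`, but the change also alters existing deployments: the seed VM role no longer runs with become, and cached images left by earlier releases are chowned during provisioning. An `upgrade:` entry saying that existing root-owned cached images are re-owned to the Ansible user would tell operators what to expect.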