From 939e298c56fabd4a1f59a43ad3fc4a3b8a9d041e Mon Sep 17 00:00:00 2001
From: Mark Goddard
Date: Tue, 31 Mar 2020 15:14:16 +0100
Subject: [PATCH] Don't use become for Kolla Ansible
Using become for all Kolla Ansible tasks is not ideal from a security perspective. It is also incompatible with fact caching, since it causes facts to be gathered and cached as root, which changes some facts. This change modifies the default value of kolla_ansible_become to false.
Change-Id: I9ee5c55e59276f70c92e9c698c01123dcf8919a1
Story: 2007492
Task: 39217
---
 ansible/group_vars/all/kolla | 2 +-
 ansible/roles/kolla-ansible/defaults/main.yml | 2 +-
 doc/source/configuration/kolla-ansible.rst | 2 +-
 etc/kayobe/kolla.yml | 2 +-
 .../notes/kolla-ansible-become-false-95aa88edd3c8c259.yaml | 6 ++++++
 5 files changed, 10 insertions(+), 4 deletions(-)
 create mode 100644 releasenotes/notes/kolla-ansible-become-false-95aa88edd3c8c259.yaml
diff --git a/ansible/group_vars/all/kolla b/ansible/group_vars/all/kolla
index 97a898343..e1fb3e6b7 100644
--- a/ansible/group_vars/all/kolla
+++ b/ansible/group_vars/all/kolla
@@ -335,7 +335,7 @@ kolla_ansible_group: kolla
 # Whether to use privilege escalation for all operations performed via Kolla
 # Ansible.
-kolla_ansible_become: true
+kolla_ansible_become: false
 ###############################################################################
 # Kolla feature flag configuration.
diff --git a/ansible/roles/kolla-ansible/defaults/main.yml b/ansible/roles/kolla-ansible/defaults/main.yml
index 13e1eb94d..f50afd5a2 100644
--- a/ansible/roles/kolla-ansible/defaults/main.yml
+++ b/ansible/roles/kolla-ansible/defaults/main.yml
@@ -54,7 +54,7 @@ kolla_ansible_group: kolla
 # Whether to use privilege escalation for all operations performed via Kolla
 # Ansible.
-kolla_ansible_become: true
+kolla_ansible_become: false
 ###############################################################################
 # Kolla-ansible inventory configuration.
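Review bot: The comment above `kolla_ansible_become` in ansible/group_vars/all/kolla, and its copy in ansible/roles/kolla-ansible/defaults/main.yml, still describes only the `true` case and does not say what `false` means now that it is the default. The release note in this patch says escalation is still used where necessary, so I would extend the comment with something like `# When false, privilege escalation is used only by the tasks that need it.` That also suggests the Kolla Ansible SSH user presumably still needs sudo rights on the hosts, which is worth confirming and stating in the documentation so readers do not assume a fully unprivileged run. The default is defined in both files, so the two comments should be kept in step.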
diff --git a/doc/source/configuration/kolla-ansible.rst b/doc/source/configuration/kolla-ansible.rst
index 6ac667c98..6e235b211 100644
--- a/doc/source/configuration/kolla-ansible.rst
+++ b/doc/source/configuration/kolla-ansible.rst
@@ -151,7 +151,7 @@ The following variables affect how Ansible accesses the remote hosts. Primary group of Kolla SSH user. Default is ``kolla``. ``kolla_ansible_become`` Whether to use privilege escalation for all operations performed via Kolla
- Ansible. Default is ``true``.
+ Ansible. Default is ``false`` since the 8.0.0 Ussuri release.
 ``kolla_ansible_target_venv`` Path to a virtual environment on remote hosts to use for Ansible module execution. Default is ``{{ virtualenv_path }}/kolla-ansible``. May be set
diff --git a/etc/kayobe/kolla.yml b/etc/kayobe/kolla.yml
index 60ab7e4c4..f5eb9a999 100644
--- a/etc/kayobe/kolla.yml
+++ b/etc/kayobe/kolla.yml
@@ -169,7 +169,7 @@
 #kolla_ansible_group:
 # Whether to use privilege escalation for all operations performed via Kolla
-# Ansible. Default is 'true'.
+# Ansible. Default is 'false'.
 #kolla_ansible_become:
 ###############################################################################
diff --git a/releasenotes/notes/kolla-ansible-become-false-95aa88edd3c8c259.yaml b/releasenotes/notes/kolla-ansible-become-false-95aa88edd3c8c259.yaml
new file mode 100644
index 000000000..4521ef6db
--- /dev/null
+++ b/releasenotes/notes/kolla-ansible-become-false-95aa88edd3c8c259.yaml
@@ -0,0 +1,6 @@
+---
+upgrade:
+ - |
+ Modifies the default value of ``kolla_ansible_become`` to ``false``. This
+ means that Kolla Ansible will no longer use privilege escalation for all
+ tasks, and will only use it where necessary.