--- # NOTE(mgoddard): The bootstrap user may be used to create the kayobe user # account and configure passwordless sudo. We can't assume that the bootstrap # user account will exist after the initial bootstrapping, or that the # current operator's key is authorised for the bootstrap user. We therefore # attempt to access the kayobe user account via SSH, and only perform the # bootstrap process if the account is inaccessible. - name: Determine whether user bootstrapping is required hosts: seed-hypervisor:seed:overcloud gather_facts: false tags: - kayobe-ansible-user tasks: - name: Check whether the host is accessible via SSH local_action: module: command ssh -o BatchMode=yes -p {{ ssh_port }} {{ ssh_user }}@{{ ssh_host }} hostname failed_when: false changed_when: false register: ssh_result vars: ssh_user: "{{ ansible_user }}" ssh_host: "{{ ansible_host | default(inventory_hostname) }}" ssh_port: "{{ ansible_ssh_port | default('22') }}" - name: Group hosts requiring kayobe user bootstrapping group_by: key: kayobe_user_bootstrap_required_{{ ssh_result.rc != 0 }} - name: Display a message when bootstrapping is required debug: msg: > Cannot access host via SSH using Kayobe Ansible user account - attempting bootstrap when: ssh_result.rc != 0 - name: Ensure the Kayobe Ansible user account exists hosts: kayobe_user_bootstrap_required_True gather_facts: false tags: - kayobe-ansible-user vars: ansible_user: "{{ bootstrap_user }}" # We can't assume that a virtualenv exists at this point, so use the system # python interpreter. ansible_python_interpreter: /usr/libexec/platform-python roles: - role: singleplatform-eng.users users: - username: "{{ kayobe_ansible_user }}" name: Kayobe deployment user append: True ssh_key: - "{{ lookup('file', ssh_public_key_path) }}" become: True post_tasks: - name: Ensure the Kayobe Ansible user has passwordless sudo copy: content: "{{ kayobe_ansible_user }} ALL=(ALL) NOPASSWD: ALL" dest: "/etc/sudoers.d/kayobe-ansible-user" mode: 0440 become: True - name: Verify that the Kayobe Ansible user account is accessible hosts: seed-hypervisor:seed:overcloud gather_facts: false tags: - kayobe-ansible-user vars: # We can't assume that a virtualenv exists at this point, so use the system # python interpreter. ansible_python_interpreter: /usr/libexec/platform-python tasks: - name: Verify that a command can be executed command: hostname changed_when: false - name: Verify that a command can be executed with become command: hostname changed_when: false become: true