From 2d3866c6a488e339a4c1501036ccfaa2a3db75b4 Mon Sep 17 00:00:00 2001 From: Duong Ha-Quang Date: Tue, 23 Aug 2016 22:34:21 +0700 Subject: [PATCH] Specify 'become' for only necessary tasks (default roles) Add become to only neccesary tasks in roles: - glance - heat - horizon - keystone - neutron - nova - openvswitch Gate is also updated to use 'become' feature Change-Id: I2f3f27306e9f384148e1ad4d54d8da2ebef34d00 Partial-Implements: blueprint ansible-specific-task-become --- ansible/roles/glance/tasks/ceph.yml | 13 +++++++ ansible/roles/glance/tasks/config.yml | 12 ++++++- ansible/roles/glance/tasks/external_ceph.yml | 13 +++++++ ansible/roles/heat/tasks/config.yml | 12 +++++++ ansible/roles/horizon/tasks/config.yml | 14 +++++++- ansible/roles/keystone/tasks/config.yml | 34 ++++++++++++++++++- .../neutron/tasks/config-neutron-fake.yml | 19 +++++++++++ ansible/roles/neutron/tasks/config.yml | 32 ++++++++++++++++- ansible/roles/nova/tasks/ceph.yml | 14 ++++++++ ansible/roles/nova/tasks/config-nova-fake.yml | 16 +++++++++ ansible/roles/nova/tasks/config.yml | 18 +++++++++- ansible/roles/nova/tasks/external_ceph.yml | 15 ++++++++ ansible/roles/openvswitch/tasks/config.yml | 8 ++++- .../specify-task-become-84f83707f612bcf3.yaml | 1 + tools/playbook-setup-nodes.yml | 18 ++++++++++ 15 files changed, 233 insertions(+), 6 deletions(-) diff --git a/ansible/roles/glance/tasks/ceph.yml b/ansible/roles/glance/tasks/ceph.yml index 389a266ddd..2c9c8287f3 100644 --- a/ansible/roles/glance/tasks/ceph.yml +++ b/ansible/roles/glance/tasks/ceph.yml @@ -3,6 +3,7 @@ file: path: "{{ node_config_directory }}/glance-api" state: "directory" + mode: "0770" when: inventory_hostname in groups['glance-api'] - name: Copying over ceph.conf(s) 
@@ -12,6 +13,7 @@ - "{{ node_custom_config }}/ceph.conf" - "{{ node_custom_config }}/ceph/{{ inventory_hostname }}/ceph.conf" dest: "{{ node_config_directory }}/glance-api/ceph.conf" + mode: "0660" when: inventory_hostname in groups['glance-api'] - include: ../../ceph_pools.yml @@ -36,3 +38,14 @@ dest: "{{ node_config_directory }}/glance-api/ceph.client.glance.keyring" mode: "0600" when: inventory_hostname in groups['glance-api'] + +- name: Ensuring config directory has correct owner and permission + become: true + file: + path: "{{ node_config_directory }}/{{ item }}" + recurse: yes + owner: "{{ config_owner_user }}" + group: "{{ config_owner_group }}" + when: inventory_hostname in groups['glance-api'] + with_items: + - "glance-api" diff --git a/ansible/roles/glance/tasks/config.yml b/ansible/roles/glance/tasks/config.yml index 8f4e3a813d..d2c2c0076c 100644 --- a/ansible/roles/glance/tasks/config.yml +++ b/ansible/roles/glance/tasks/config.yml @@ -3,7 +3,10 @@ file: path: "{{ node_config_directory }}/{{ item.key }}" state: "directory" - recurse: yes + owner: "{{ config_owner_user }}" + group: "{{ config_owner_group }}" + mode: "0770" + become: true when: - inventory_hostname in groups[item.value.group] - item.value.enabled | bool @@ -13,6 +16,8 @@ template: src: "{{ item.key }}.json.j2" dest: "{{ node_config_directory }}/{{ item.key }}/config.json" + mode: "0660" + become: true register: glance_config_jsons when: - item.value.enabled | bool @@ -33,6 +38,8 @@ - "{{ node_custom_config }}/glance/{{ item.key }}.conf" - "{{ node_custom_config }}/glance/{{ inventory_hostname }}/{{ item.key }}.conf" dest: "{{ node_config_directory }}/{{ item.key }}/{{ item.key }}.conf" + mode: "0660" + become: true register: glance_confs when: - item.value.enabled | bool 
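Review bot: Only the directory receives `owner`/`group` in 'Ensuring config directories exist'; the template and merge_configs tasks in glance/tasks/config.yml that now run with `become: true` create their 0660 files as the become user, so whenever `config_owner_user` is not that user the files under a correctly-owned directory are unreadable by the owner they were meant for. glance/tasks/ceph.yml and external_ceph.yml in this same change cover that case with a trailing recursive 'Ensuring config directory has correct owner and permission' task, but config.yml has no equivalent. The same pattern appears in the tasks/config.yml of heat, horizon, keystone, neutron, nova and openvswitch. Either add `owner: "{{ config_owner_user }}"` and `group: "{{ config_owner_group }}"` to each file-writing task next to its `mode`, or append the same recursive ownership task at the end of each config.yml.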
@@ -69,6 +76,8 @@ template: src: "{{ node_custom_config }}/glance/policy.json" dest: "{{ node_config_directory }}/{{ item.key }}/policy.json" + mode: "0660" + become: true register: glance_policy_jsons when: - glance_policy.stat.exists @@ -94,3 +103,4 @@ notify: - Restart glance-api container - Restart glance-registry container + diff --git a/ansible/roles/glance/tasks/external_ceph.yml b/ansible/roles/glance/tasks/external_ceph.yml index 43e9cf7205..0eeb588296 100644 --- a/ansible/roles/glance/tasks/external_ceph.yml +++ b/ansible/roles/glance/tasks/external_ceph.yml @@ -3,11 +3,24 @@ file: path: "{{ node_config_directory }}/glance-api" state: "directory" + mode: "0770" when: inventory_hostname in groups['glance-api'] - name: Copy over ceph files copy: src: "{{ item }}" dest: "{{ node_config_directory }}/glance-api/" + mode: "0660" with_fileglob: - "{{ node_custom_config }}/glance/ceph*" + +- name: Ensuring config directory has correct owner and permission + become: true + file: + path: "{{ node_config_directory }}/{{ item }}" + recurse: yes + owner: "{{ config_owner_user }}" + group: "{{ config_owner_group }}" + when: inventory_hostname in groups['glance-api'] + with_items: + - "glance-api" diff --git a/ansible/roles/heat/tasks/config.yml b/ansible/roles/heat/tasks/config.yml index 4a5e4276f1..03ab85b948 100644 --- a/ansible/roles/heat/tasks/config.yml +++ b/ansible/roles/heat/tasks/config.yml @@ -1,8 +1,12 @@ --- - name: Ensuring config directories exist + become: true file: path: "{{ node_config_directory }}/{{ item.key }}" state: "directory" + owner: "{{ config_owner_user }}" + group: "{{ config_owner_group }}" + mode: "0770" recurse: yes when: - inventory_hostname in groups[item.value.group] 
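Review bot: `recurse: yes` is kept next to the new `mode: "0770"` in heat's 'Ensuring config directories exist', so on every re-run the directory mode is also applied to the files already inside the directory, overriding the 0660 the template tasks below set; each run would then report those template tasks as changed and notify the restart handlers. Every other role in this change drops `recurse: yes` when it adds `mode` (glance, horizon, keystone, neutron, nova, openvswitch tasks/config.yml), while the first hunk of neutron/tasks/config-neutron-fake.yml keeps it as well. Remove `recurse: yes` here and in the neutron fake task, leaving file modes to the tasks that write the files.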
@@ -10,9 +14,11 @@ with_dict: "{{ heat_services }}" - name: Copying over config.json files for services + become: true template: src: "{{ item.key }}.json.j2" dest: "{{ node_config_directory }}/{{ item.key }}/config.json" + mode: "0660" register: heat_config_jsons when: - item.value.enabled | bool @@ -24,13 +30,16 @@ - Restart heat-engine container - name: Copying over the heat-engine environment file + become: true template: src: "_deprecated.yaml" dest: "{{ node_config_directory }}/{{ item }}/_deprecated.yaml" + mode: "0660" with_items: - "heat-engine" - name: Copying over heat.conf + become: true vars: service_name: "{{ item.key }}" merge_configs: @@ -41,6 +50,7 @@ - "{{ node_custom_config }}/heat/{{ item.key }}.conf" - "{{ node_custom_config }}/heat/{{ inventory_hostname }}/heat.conf" dest: "{{ node_config_directory }}/{{ item.key }}/heat.conf" + mode: "0660" register: heat_confs when: - item.value.enabled | bool @@ -57,9 +67,11 @@ register: heat_policy - name: Copying over existing policy.json + become: true template: src: "{{ node_custom_config }}/heat/policy.json" dest: "{{ node_config_directory }}/{{ item.key }}/policy.json" + mode: "0660" register: heat_policy_jsons when: - heat_policy.stat.exists diff --git a/ansible/roles/horizon/tasks/config.yml b/ansible/roles/horizon/tasks/config.yml index 12836efaab..92fdeea1c5 100644 --- a/ansible/roles/horizon/tasks/config.yml +++ b/ansible/roles/horizon/tasks/config.yml 
@@ -1,20 +1,25 @@ --- - name: Ensuring config directories exist + become: true file: path: "{{ node_config_directory }}/{{ item.key }}" state: "directory" - recurse: yes + owner: "{{ config_owner_user }}" + group: "{{ config_owner_group }}" + mode: "0770" when: - inventory_hostname in groups[item.value.group] - item.value.enabled | bool with_dict: "{{ horizon_services }}" - name: Copying over config.json files for services + become: true vars: horizon: "{{ horizon_services['horizon'] }}" template: src: "horizon.json.j2" dest: "{{ node_config_directory }}/horizon/config.json" + mode: "0660" register: horizon_config_json when: - horizon.enabled | bool @@ -23,11 +28,13 @@ - Restart horizon container - name: Copying over horizon.conf + become: true vars: horizon: "{{ horizon_services['horizon'] }}" template: src: "{{ item }}" dest: "{{ node_config_directory }}/horizon/horizon.conf" + mode: "0660" register: horizon_conf with_first_found: - "{{ node_custom_config }}/horizon/{{ inventory_hostname }}/horizon.conf" @@ -40,11 +47,13 @@ - Restart horizon container - name: Copying over local_settings + become: true vars: horizon: "{{ horizon_services['horizon'] }}" template: src: "{{ item }}" dest: "{{ node_config_directory }}/horizon/local_settings" + mode: "0660" with_first_found: - "{{ node_custom_config }}/horizon/{{ inventory_hostname }}/local_settings" - "{{ node_custom_config }}/horizon/local_settings" @@ -87,11 +96,13 @@ - { name: "watcher", enabled: "{{ enable_horizon_watcher }}" } - name: Copying over existing policy.json + become: true vars: horizon: "{{ horizon_services['horizon'] }}" template: src: "{{ node_custom_config }}/horizon/{{ item.item.name }}_policy.json" dest: "{{ node_config_directory }}/horizon/{{ item.item.name }}_policy.json" + mode: "0660" register: policy_jsons when: - horizon.enabled | bool @@ -119,3 +130,4 @@ - horizon.enabled | bool notify: - Restart horizon container + 
diff --git a/ansible/roles/keystone/tasks/config.yml b/ansible/roles/keystone/tasks/config.yml index 8fcf529de5..f32001c9a3 100644 --- a/ansible/roles/keystone/tasks/config.yml +++ b/ansible/roles/keystone/tasks/config.yml @@ -13,17 +13,34 @@ file: path: "{{ node_config_directory }}/{{ item.key }}" state: "directory" - recurse: yes + owner: "{{ config_owner_user }}" + group: "{{ config_owner_group }}" + mode: "0770" + become: true when: - inventory_hostname in groups[item.value.group] - item.value.enabled | bool with_dict: "{{ keystone_services }}" +- name: Creating Keystone Domain directory + vars: + keystone: "{{ keystone_services.keystone }}" + file: + dest: "{{ node_config_directory }}/keystone/domains/" + state: "directory" + mode: "0770" + become: true + when: + - inventory_hostname in groups[keystone.group] + - keystone.enabled | bool + - name: Copying over config.json files for services template: src: "{{ item.key }}.json.j2" dest: "{{ node_config_directory }}/{{ item.key }}/config.json" + mode: "0660" register: keystone_config_jsons + become: true with_dict: "{{ keystone_services }}" when: - inventory_hostname in groups[item.value.group] @@ -44,6 +61,8 @@ - "{{ node_custom_config }}/keystone/{{ item.key }}.conf" - "{{ node_custom_config }}/keystone/{{ inventory_hostname }}/keystone.conf" dest: "{{ node_config_directory }}/{{ item.key }}/keystone.conf" + mode: "0660" + become: true register: keystone_confs with_dict: "{{ keystone_services }}" when: @@ -60,6 +79,7 @@ file: dest: "{{ node_config_directory }}/keystone/domains/" state: "directory" + become: true when: - inventory_hostname in groups[keystone.group] - keystone.enabled | bool @@ -76,6 +96,8 @@ template: src: "{{ item.path }}" dest: "{{ node_config_directory }}/keystone/domains/" + mode: "0660" + become: true register: keystone_domains when: - inventory_hostname in groups[keystone.group] 
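Review bot: The new 'Creating Keystone Domain directory' task inserted after 'Ensuring config directories exist' duplicates the existing directory task further down the file (the hunk at old line 60, which now only gains `become: true`): both create `{{ node_config_directory }}/keystone/domains/` under the same `when` conditions. Keep one of them; if the early one stays so the directory exists before the domain templates are copied, drop the later one and give the survivor the `owner`/`group` the service-directory task sets, since it currently gets only `mode: "0770"`. Separately, in 'Copying over config.json files for services' `become: true` is placed after `register:` while every other task in this change puts it directly under `name:`; moving it keeps the placement consistent.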
@@ -89,6 +111,8 @@ template: src: "{{ node_custom_config }}/keystone/policy.json" dest: "{{ node_config_directory }}/{{ item.key }}/policy.json" + mode: "0660" + become: true register: keystone_policy_jsons when: - inventory_hostname in groups[item.value.group] @@ -106,6 +130,8 @@ template: src: "{{ item }}" dest: "{{ node_config_directory }}/keystone/wsgi-keystone.conf" + mode: "0660" + become: true register: keystone_wsgi when: - inventory_hostname in groups[keystone.group] @@ -132,6 +158,8 @@ template: src: "{{ node_custom_config }}/keystone/keystone-paste.ini" dest: "{{ node_config_directory }}/keystone/keystone-paste.ini" + mode: "0660" + become: true register: keystone_paste_ini when: - inventory_hostname in groups[keystone.group] @@ -156,6 +184,8 @@ template: src: "{{ item.src }}" dest: "{{ node_config_directory }}/keystone-fernet/{{ item.dest }}" + mode: "0660" + become: true register: keystone_fernet_confs with_items: - { src: "crontab.j2", dest: "crontab" } @@ -175,6 +205,8 @@ template: src: "{{ item.src }}" dest: "{{ node_config_directory }}/keystone-ssh/{{ item.dest }}" + mode: "0660" + become: true register: keystone_ssh_confs with_items: - { src: "sshd_config.j2", dest: "sshd_config" } diff --git a/ansible/roles/neutron/tasks/config-neutron-fake.yml b/ansible/roles/neutron/tasks/config-neutron-fake.yml index 6736d94ca8..8577a16bee 100644 --- a/ansible/roles/neutron/tasks/config-neutron-fake.yml +++ b/ansible/roles/neutron/tasks/config-neutron-fake.yml 
@@ -1,16 +1,20 @@ --- - name: Ensuring config directories exist + become: true file: path: "{{ node_config_directory }}/neutron-openvswitch-agent-fake-{{ item }}" state: "directory" recurse: yes + mode: "0770" with_sequence: start=1 end={{ num_nova_fake_per_node }} when: inventory_hostname in groups['compute'] - name: Copying over config.json files for services + become: true template: src: "neutron-openvswitch-agent.json.j2" dest: "{{ node_config_directory }}/neutron-openvswitch-agent-fake-{{ item }}/config.json" + mode: "0660" register: fake_config_json with_sequence: start=1 end={{ num_nova_fake_per_node }} when: @@ -18,6 +22,7 @@ - neutron_plugin_agent == "openvswitch" - name: Copying over neutron.conf + become: true vars: service_name: "{{ item }}" merge_configs: @@ -28,6 +33,7 @@ - "{{ node_custom_config }}/neutron/{{ item }}.conf" - "{{ node_custom_config }}/neutron/{{ inventory_hostname }}/neutron.conf" dest: "{{ node_config_directory }}/neutron-openvswitch-agent-fake-{{ item }}/neutron.conf" + mode: "0660" register: fake_neutron_conf with_sequence: start=1 end={{ num_nova_fake_per_node }} when: @@ -35,6 +41,7 @@ - neutron_plugin_agent == "openvswitch" - name: Copying over ml2_conf.ini + become: true vars: service_name: "{{ item }}" merge_configs: @@ -43,6 +50,7 @@ - "{{ node_custom_config }}/neutron/ml2_conf.ini" - "{{ node_custom_config }}/neutron/{{ inventory_hostname }}/neutron.conf" dest: "{{ node_config_directory }}/neutron-openvswitch-agent-fake-{{ item }}/ml2_conf.ini" + mode: "0660" register: fake_neutron_ml2_conf_ini with_sequence: start=1 end={{ num_nova_fake_per_node }} when: 
@@ -68,3 +76,14 @@ with_sequence: "start=1 end={{ num_nova_fake_per_node }}" notify: - Restart fake neutron-openvswitch-agent container + +- name: Ensuring config directory has correct owner and permission + become: true + file: + path: "{{ node_config_directory }}/neutron-openvswitch-agent-fake-{{ item }}" + recurse: yes + owner: "{{ config_owner_user }}" + group: "{{ config_owner_group }}" + when: inventory_hostname in groups['compute'] + with_sequence: start=1 end={{ num_nova_fake_per_node }} + diff --git a/ansible/roles/neutron/tasks/config.yml b/ansible/roles/neutron/tasks/config.yml index 8245cdf15c..dbb2eb7495 100644 --- a/ansible/roles/neutron/tasks/config.yml +++ b/ansible/roles/neutron/tasks/config.yml @@ -1,5 +1,6 @@ --- - name: Setting sysctl values + become: true vars: neutron_l3_agent: "{{ neutron_services['neutron-l3-agent'] }}" neutron_vpnaas_agent: "{{ neutron_services['neutron-vpnaas-agent'] }}" @@ -14,19 +15,24 @@ or (neutron_vpnaas_agent.enabled | bool and neutron_vpnaas_agent.host_in_groups | bool) - name: Ensuring config directories exist + become: true file: path: "{{ node_config_directory }}/{{ item.key }}" state: "directory" - recurse: yes + owner: "{{ config_owner_user }}" + group: "{{ config_owner_group }}" + mode: "0770" when: - item.value.enabled | bool - item.value.host_in_groups | bool with_dict: "{{ neutron_services }}" - name: Copying over config.json files for services + become: true template: src: "{{ item.key }}.json.j2" dest: "{{ node_config_directory }}/{{ item.key }}/config.json" + mode: "0770" register: neutron_config_jsons when: - item.value.enabled | bool @@ -36,6 +42,7 @@ - "Restart {{ item.key }} container" - name: Copying over neutron.conf + become: true vars: service_name: "{{ item.key }}" services_need_neutron_conf: 
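Review bot: 'Copying over config.json files for services' in neutron/tasks/config.yml sets `mode: "0770"` on a JSON file, while the same task in glance, heat, horizon and keystone uses `mode: "0660"` and every other file written in this file gets 0660; the execute bit looks like a copy of the directory mode rather than intent. nova/tasks/config.yml and openvswitch/tasks/config.yml carry the same `mode: "0770"` on their config.json tasks. Change all three to `mode: "0660"`.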
@@ -56,6 +63,7 @@ - "{{ node_custom_config }}/neutron/{{ item.key }}.conf" - "{{ node_custom_config }}/neutron/{{ inventory_hostname }}/neutron.conf" dest: "{{ node_config_directory }}/{{ item.key }}/neutron.conf" + mode: "0660" register: neutron_confs when: - item.value.enabled | bool @@ -66,6 +74,7 @@ - "Restart {{ item.key }} container" - name: Copying over neutron_lbaas.conf + become: true vars: service_name: "{{ item.key }}" services_need_neutron_lbaas_conf: @@ -87,6 +96,7 @@ - "Restart {{ item.key }} container" - name: Copying over neutron_vpnaas.conf + become: true vars: service_name: "{{ item.key }}" services_need_neutron_vpnaas_conf: @@ -108,6 +118,7 @@ - "Restart {{ item.key }} container" - name: Copying over ml2_conf.ini + become: true vars: service_name: "{{ item.key }}" services_need_ml2_conf_ini: @@ -120,6 +131,7 @@ - "{{ node_custom_config }}/neutron/ml2_conf.ini" - "{{ node_custom_config }}/neutron/{{ inventory_hostname }}/ml2_conf.ini" dest: "{{ node_config_directory }}/{{ service_name }}/ml2_conf.ini" + mode: "0660" register: neutron_ml2_confs when: - item.key in services_need_ml2_conf_ini @@ -130,6 +142,7 @@ - "Restart {{ item.key }} container" - name: Copying over dhcp_agent.ini + become: true vars: service_name: "neutron-dhcp-agent" neutron_dhcp_agent: "{{ neutron_services[service_name] }}" @@ -139,6 +152,7 @@ - "{{ node_custom_config }}/neutron/dhcp_agent.ini" - "{{ node_custom_config }}/neutron/{{ inventory_hostname }}/dhcp_agent.ini" dest: "{{ node_config_directory }}/{{ service_name }}/dhcp_agent.ini" + mode: "0660" register: dhcp_agent_ini when: - neutron_dhcp_agent.enabled | bool 
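Review bot: 'Copying over neutron_lbaas.conf' gains `become: true` but no `mode`, and no hunk in this file touches that task's `dest:` line, so the file is now written by the become user with whatever mode merge_configs applies by default instead of the 0660 given to the sibling neutron.conf and ml2_conf.ini tasks. The same gap is visible for 'Copying over neutron_vpnaas.conf' and 'Copying over bgp_dragent.ini' in this file, and for 'Copying over placement-api wsgi configuration' and 'Copying over existing policy.json' in nova/tasks/config.yml. Add `mode: "0660"` beside each of those tasks' `dest:`.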
@@ -147,12 +161,14 @@ - "Restart {{ service_name }} container" - name: Copying over dnsmasq.conf + become: true vars: service_name: "neutron-dhcp-agent" neutron_dhcp_agent: "{{ neutron_services[service_name] }}" template: src: "dnsmasq.conf.j2" dest: "{{ node_config_directory }}/{{ service_name }}/dnsmasq.conf" + mode: "0660" register: dnsmasq_conf when: - neutron_dhcp_agent.enabled | bool @@ -161,6 +177,7 @@ - "Restart {{ service_name }} container" - name: Copying over l3_agent.ini + become: true vars: service_name: "{{ item.key }}" services_need_l3_agent_ini: @@ -172,6 +189,7 @@ - "{{ node_custom_config }}/neutron/l3_agent.ini" - "{{ node_custom_config }}/neutron/{{ inventory_hostname }}/l3_agent.ini" dest: "{{ node_config_directory }}/{{ service_name }}/l3_agent.ini" + mode: "0660" register: neutron_l3_agent_inis when: - item.key in services_need_l3_agent_ini @@ -182,6 +200,7 @@ - "Restart {{ item.key }} container" - name: Copying over fwaas_driver.ini + become: true vars: service_name: "{{ item.key }}" services_need_fwaas_driver_ini: @@ -193,6 +212,7 @@ - "{{ role_path }}/templates/fwaas_driver.ini.j2" - "{{ node_custom_config }}/neutron/fwaas_driver.ini" dest: "{{ node_config_directory }}/{{ service_name }}/fwaas_driver.ini" + mode: "0660" register: neutron_fwaas_driver_inis when: - item.key in services_need_fwaas_driver_ini @@ -203,6 +223,7 @@ - "Restart {{ item.key }} container" - name: Copying over metadata_agent.ini + become: true vars: service_name: "neutron-metadata-agent" neutron_metadata_agent: "{{ neutron_services[service_name] }}" @@ -211,6 +232,7 @@ - "{{ role_path }}/templates/metadata_agent.ini.j2" - "{{ node_custom_config }}/neutron/metadata_agent.ini" dest: "{{ node_config_directory }}/{{ service_name }}/metadata_agent.ini" + mode: "0660" register: neutron_metadata_agent_ini when: - neutron_metadata_agent.enabled | bool 
@@ -219,6 +241,7 @@ - "Restart {{ service_name }} container" - name: Copying over lbaas_agent.ini + become: true vars: service_name: "neutron-lbaas-agent" neutron_lbaas_agent: "{{ neutron_services[service_name] }}" @@ -227,6 +250,7 @@ - "{{ role_path }}/templates/lbaas_agent.ini.j2" - "{{ node_custom_config }}/neutron/lbaas_agent.ini" dest: "{{ node_config_directory }}/{{ service_name }}/lbaas_agent.ini" + mode: "0660" register: neutron_lbaas_agent_ini when: - neutron_lbaas_agent.enabled | bool @@ -235,6 +259,7 @@ - "Restart {{ service_name }} container" - name: Copying over vpnaas_agent.ini + become: true vars: service_name: "neutron-vpnaas-agent" neutron_vpnaas_agent: "{{ neutron_services[service_name] }}" @@ -243,6 +268,7 @@ - "{{ role_path }}/templates/vpnaas_agent.ini.j2" - "{{ node_custom_config }}/neutron/vpnaas_agent.ini" dest: "{{ node_config_directory }}/{{ service_name }}/vpnaas_agent.ini" + mode: "0660" register: neutron_vpnaas_agent_ini when: - neutron_vpnaas_agent.enabled | bool @@ -251,6 +277,7 @@ - "Restart {{ service_name }} container" - name: Copying over bgp_dragent.ini + become: true vars: service_name: "neutron-bgp-dragent" neutron_bgp_dragent: "{{ neutron_services[service_name] }}" @@ -290,6 +317,7 @@ - "Restart {{ service_name }} container" - name: Copying over existing policy.json + become: true vars: service_name: "{{ item.key }}" services_need_policy_json: @@ -305,6 +333,7 @@ template: src: "{{ node_custom_config }}/neutron/policy.json" dest: "{{ node_config_directory }}/{{ service_name }}/policy.json" + mode: "0660" register: policy_jsons when: - neutron_policy.stat.exists @@ -359,3 +388,4 @@ with_dict: "{{ neutron_services }}" notify: - "Restart {{ item.key }} container" + diff --git a/ansible/roles/nova/tasks/ceph.yml b/ansible/roles/nova/tasks/ceph.yml index 4274a2f71a..fd2ecdc7ee 100644 --- a/ansible/roles/nova/tasks/ceph.yml +++ b/ansible/roles/nova/tasks/ceph.yml 
@@ -3,6 +3,7 @@ file: path: "{{ node_config_directory }}/{{ item }}" state: "directory" + mode: "0770" with_items: - "nova-compute" - "nova-libvirt/secrets" @@ -17,6 +18,7 @@ - "{{ node_custom_config }}/ceph.conf" - "{{ node_custom_config }}/ceph/{{ inventory_hostname }}/ceph.conf" dest: "{{ node_config_directory }}/{{ item }}/ceph.conf" + mode: "0660" with_items: - "nova-compute" - "nova-libvirt" @@ -94,3 +96,15 @@ - uuid: "{{ cinder_rbd_secret_uuid }}" content: "{{ cinder_cephx_raw_key.stdout|default('') }}" enabled: "{{ enable_cinder | bool and cinder_backend_ceph | bool}}" + +- name: Ensuring config directory has correct owner and permission + become: true + file: + path: "{{ node_config_directory }}/{{ item }}" + recurse: yes + owner: "{{ config_owner_user }}" + group: "{{ config_owner_group }}" + with_items: + - "nova-compute" + - "nova-libvirt/secrets" + when: inventory_hostname in groups['compute'] diff --git a/ansible/roles/nova/tasks/config-nova-fake.yml b/ansible/roles/nova/tasks/config-nova-fake.yml index d005cdc94e..e3fb87b2cf 100644 --- a/ansible/roles/nova/tasks/config-nova-fake.yml +++ b/ansible/roles/nova/tasks/config-nova-fake.yml @@ -1,5 +1,6 @@ --- - name: Ensuring config directories exist + become: true file: path: "{{ node_config_directory }}/nova-compute-fake-{{ item }}" state: "directory" @@ -9,14 +10,17 @@ - Restart nova-compute-fake containers - name: Copying over config.json files for services + become: true template: src: "nova-compute.json.j2" dest: "{{ node_config_directory }}/nova-compute-fake-{{ item }}/config.json" + mode: "0660" with_sequence: start=1 end={{ num_nova_fake_per_node }} notify: - Restart nova-compute-fake containers - name: Copying over nova.conf + become: true vars: service_name: "{{ item }}" merge_configs: 
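Review bot: The trailing ownership task in nova/tasks/ceph.yml recurses over `nova-compute` and `nova-libvirt/secrets` only, but the 'Copying over ceph.conf(s)' hunk above writes `ceph.conf` into `nova-libvirt` itself, which lies outside both paths, so that file keeps whatever owner it was created with. The same `with_items` list is used in nova/tasks/external_ceph.yml, where the keyring and ceph.conf are likewise copied into `nova-libvirt`. Listing `- "nova-compute"` and `- "nova-libvirt"` would cover `secrets` through `recurse: yes`; keep a separate `nova-libvirt/secrets` entry only if that directory needs a different owner.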
@@ -27,6 +31,17 @@ - "{{ node_custom_config }}/nova/{{ item }}.conf" - "{{ node_custom_config }}/nova/{{ inventory_hostname }}/nova.conf" dest: "{{ node_config_directory }}/nova-compute-fake-{{ item }}/nova.conf" + mode: "0660" + with_sequence: start=1 end={{ num_nova_fake_per_node }} + +- name: Ensuring config directory has correct owner and permission + become: true + file: + path: "{{ node_config_directory }}/nova-compute-fake-{{ item }}" + recurse: yes + owner: "{{ config_owner_user }}" + group: "{{ config_owner_group }}" + become: true with_sequence: start=1 end={{ num_nova_fake_per_node }} notify: - Restart nova-compute-fake containers @@ -44,6 +59,7 @@ - "/lib/modules:/lib/modules:ro" - "/run:/run:shared" - "kolla_logs:/var/log/kolla/" + become: true with_sequence: start=1 end={{ num_nova_fake_per_node }} when: - action != "config" diff --git a/ansible/roles/nova/tasks/config.yml b/ansible/roles/nova/tasks/config.yml index b636708f14..834646c956 100644 --- a/ansible/roles/nova/tasks/config.yml +++ b/ansible/roles/nova/tasks/config.yml @@ -1,5 +1,6 @@ --- - name: Setting sysctl values + become: true sysctl: name={{ item.name }} value={{ item.value }} sysctl_set=yes with_items: - { name: "net.bridge.bridge-nf-call-iptables", value: 1} @@ -11,19 +12,24 @@ - inventory_hostname in groups['compute'] - name: Ensuring config directories exist + become: true file: path: "{{ node_config_directory }}/{{ item.key }}" state: "directory" - recurse: yes + owner: "{{ config_owner_user }}" + group: "{{ config_owner_group }}" + mode: "0770" when: - inventory_hostname in groups[item.value.group] - item.value.enabled | bool with_dict: "{{ nova_services }}" - name: Copying over config.json files for services + become: true template: src: "{{ item.key }}.json.j2" dest: "{{ node_config_directory }}/{{ item.key }}/config.json" + mode: "0770" register: config_jsons when: - inventory_hostname in groups[item.value.group] 
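Review bot: The new 'Ensuring config directory has correct owner and permission' task in nova/tasks/config-nova-fake.yml has `become: true` twice — once under `name:` and again after `group:` — a duplicate mapping key that YAML loaders resolve last-wins and that Ansible warns about. The insertion point is also wrong: the task is spliced in before the existing `with_sequence:`/`notify:` lines of 'Copying over nova.conf', so the restart notification now hangs off the ownership task and a changed nova.conf no longer restarts the nova-compute-fake containers. Move the new task below the `notify:` block and drop the second `become: true`.
```yaml
# … unchanged: 'Copying over nova.conf' task head and merge_configs sources …
    dest: "{{ node_config_directory }}/nova-compute-fake-{{ item }}/nova.conf"
    mode: "0660"
  with_sequence: start=1 end={{ num_nova_fake_per_node }}
  notify:
    - Restart nova-compute-fake containers

- name: Ensuring config directory has correct owner and permission
  become: true
  file:
    path: "{{ node_config_directory }}/nova-compute-fake-{{ item }}"
    recurse: yes
    owner: "{{ config_owner_user }}"
    group: "{{ config_owner_group }}"
  with_sequence: start=1 end={{ num_nova_fake_per_node }}
```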
@@ -33,6 +39,7 @@ - "Restart {{ item.key }} container" - name: Copying over nova.conf + become: true vars: services_require_nova_conf: - placement-api @@ -54,6 +61,7 @@ - "{{ node_custom_config }}/nova/{{ item.key }}.conf" - "{{ node_custom_config }}/nova/{{ inventory_hostname }}/nova.conf" dest: "{{ node_config_directory }}/{{ item.key }}/nova.conf" + mode: "0660" register: nova_confs when: - inventory_hostname in groups[item.value.group] @@ -64,11 +72,13 @@ - "Restart {{ item.key }} container" - name: Copying over libvirt configuration + become: true vars: service: "{{ nova_services['nova-libvirt'] }}" template: src: "{{ item.src }}" dest: "{{ node_config_directory }}/nova-libvirt/{{ item.dest }}" + mode: "0660" register: nova_libvirt_confs when: - inventory_hostname in groups[service.group] @@ -80,6 +90,7 @@ - Restart nova-libvirt container - name: Copying over placement-api wsgi configuration + become: true vars: service: "{{ nova_services['placement-api'] }}" template: @@ -93,11 +104,13 @@ - Restart placement-api container - name: Copying files for nova-ssh + become: true vars: service: "{{ nova_services['nova-ssh'] }}" template: src: "{{ item.src }}" dest: "{{ node_config_directory }}/nova-ssh/{{ item.dest }}" + mode: "0660" register: nova_ssh_confs when: - inventory_hostname in groups[service.group] @@ -131,6 +144,7 @@ register: nova_policy - name: Copying over existing policy.json + become: true vars: services_require_policy_json: - placement-api @@ -158,6 +172,7 @@ # check whether the containers parameter is changed. If yes, trigger the handler - name: Check nova containers + become: true kolla_docker: action: "compare_container" common_options: "{{ docker_common_options }}" @@ -175,3 +190,4 @@ with_dict: "{{ nova_services }}" notify: - "Restart {{ item.key }} container" + diff --git a/ansible/roles/nova/tasks/external_ceph.yml b/ansible/roles/nova/tasks/external_ceph.yml index 23011f8779..7071791d79 100644 --- a/ansible/roles/nova/tasks/external_ceph.yml 
+++ b/ansible/roles/nova/tasks/external_ceph.yml @@ -3,6 +3,7 @@ file: path: "{{ node_config_directory }}/{{ item }}" state: "directory" + mode: "0770" with_items: - "nova-compute" - "nova-libvirt/secrets" @@ -29,6 +30,7 @@ copy: src: "{{ nova_cephx_keyring_file.stat.path }}" dest: "{{ node_config_directory }}/{{ item }}/" + mode: "0660" with_items: - nova-compute - nova-libvirt @@ -40,6 +42,7 @@ copy: src: "{{ node_custom_config }}/nova/ceph.conf" dest: "{{ node_config_directory }}/{{ item }}/" + mode: "0660" with_items: - nova-compute - nova-libvirt @@ -91,3 +94,15 @@ - uuid: "{{ cinder_rbd_secret_uuid }}" content: "{{ cinder_cephx_raw_key.stdout }}" enabled: "{{ cinder_backend_ceph }}" + +- name: Ensuring config directory has correct owner and permission + become: true + file: + path: "{{ node_config_directory }}/{{ item }}" + recurse: yes + owner: "{{ config_owner_user }}" + group: "{{ config_owner_group }}" + with_items: + - "nova-compute" + - "nova-libvirt/secrets" + when: inventory_hostname in groups['compute'] diff --git a/ansible/roles/openvswitch/tasks/config.yml b/ansible/roles/openvswitch/tasks/config.yml index fb5dff2381..762eedfc46 100644 --- a/ansible/roles/openvswitch/tasks/config.yml +++ b/ansible/roles/openvswitch/tasks/config.yml @@ -1,18 +1,23 @@ --- - name: Ensuring config directories exist + become: true file: path: "{{ node_config_directory }}/{{ item.key }}" state: "directory" - recurse: yes + owner: "{{ config_owner_user }}" + group: "{{ config_owner_group }}" + mode: "0770" when: - item.value.enabled | bool - item.value.host_in_groups | bool with_dict: "{{ openvswitch_services }}" - name: Copying over config.json files for services + become: true template: src: "{{ item.key }}.json.j2" dest: "{{ node_config_directory }}/{{ item.key }}/config.json" + mode: "0770" register: openvswitch_config_jsons when: - item.value.enabled | bool @@ -63,3 +68,4 @@ with_dict: "{{ openvswitch_services }}" notify: - "Restart {{ item.key }} container" + 
diff --git a/releasenotes/notes/specify-task-become-84f83707f612bcf3.yaml b/releasenotes/notes/specify-task-become-84f83707f612bcf3.yaml index 0cc8865865..1f7484bca7 100644 --- a/releasenotes/notes/specify-task-become-84f83707f612bcf3.yaml +++ b/releasenotes/notes/specify-task-become-84f83707f612bcf3.yaml @@ -3,3 +3,4 @@ prelude: > Specify Ansible "become" for only necessary tasks. features: - Add "become" to necessary tasks of general roles. + - Add "become" to necessary tasks of default roles. diff --git a/tools/playbook-setup-nodes.yml b/tools/playbook-setup-nodes.yml index 47864d335a..cd765cfa39 100644 --- a/tools/playbook-setup-nodes.yml +++ b/tools/playbook-setup-nodes.yml @@ -10,6 +10,24 @@ - name: Install wget package package: name=wget + - name: Add sudo group + group: + name: sudo + state: present + + - name: Allow 'sudo' group to have passwordless sudo + lineinfile: + dest: /etc/sudoers + state: present + line: "%sudo ALL=(ALL) NOPASSWD: ALL" + + - name: Add jenkins to sudo group + user: + name: jenkins + append: yes + groups: "sudo" + + - hosts: all become: true