Don't use 'become' in CI tests
Kolla Ansible now claims [1] to support executing as a user other than root. We should ensure that this is tested in CI. This change removes the 'become' from hosts in the inventory, and sets the remote user to 'kolla', as configured via the bootstrap-servers command. The bootstrap-servers command and other ansible commands executed before it still need to execute as the zuul user and not as kolla, since kolla does not exist yet. The autogenerated SSH private key in passwords.yml is now added to the zuul user's SSH config, such that it can SSH as the kolla user, which has authorised this key. [1] https://blueprints.launchpad.net/kolla-ansible/+spec/ansible-specific-task-become Change-Id: I8f3587e2908bc5b8889cd6fbc01981a6186d33e6
parent
b50917fe2c
commit
8399fc7813
@ -89,12 +89,6 @@
|
|||||||
when: scenario == "bifrost"
|
when: scenario == "bifrost"
|
||||||
delegate_to: "primary"
|
delegate_to: "primary"
|
||||||
|
|
||||||
- name: copy passwords.yml file
|
|
||||||
copy:
|
|
||||||
src: "{{ kolla_ansible_full_src_dir }}/etc/kolla/passwords.yml"
|
|
||||||
dest: /etc/kolla/passwords.yml
|
|
||||||
delegate_to: "primary"
|
|
||||||
|
|
||||||
- name: ensure /etc/docker exists
|
- name: ensure /etc/docker exists
|
||||||
file:
|
file:
|
||||||
path: "/etc/docker"
|
path: "/etc/docker"
|
||||||
@ -110,15 +104,39 @@
|
|||||||
dest: "/etc/docker/daemon.json"
|
dest: "/etc/docker/daemon.json"
|
||||||
become: true
|
become: true
|
||||||
|
|
||||||
|
|
||||||
- name: install kolla-ansible requirements
|
- name: install kolla-ansible requirements
|
||||||
pip:
|
pip:
|
||||||
requirements: "{{ ansible_env.HOME }}/{{ kolla_ansible_src_dir }}/requirements.txt"
|
requirements: "{{ ansible_env.HOME }}/{{ kolla_ansible_src_dir }}/requirements.txt"
|
||||||
become: true
|
become: true
|
||||||
|
|
||||||
|
- name: copy passwords.yml file
|
||||||
|
copy:
|
||||||
|
src: "{{ kolla_ansible_full_src_dir }}/etc/kolla/passwords.yml"
|
||||||
|
dest: /etc/kolla/passwords.yml
|
||||||
|
|
||||||
- name: generate passwords
|
- name: generate passwords
|
||||||
shell: "{{ kolla_ansible_src_dir }}/tools/generate_passwords.py"
|
shell: "{{ kolla_ansible_src_dir }}/tools/generate_passwords.py"
|
||||||
delegate_to: "primary"
|
|
||||||
|
- name: slurp kolla passwords
|
||||||
|
slurp:
|
||||||
|
src: /etc/kolla/passwords.yml
|
||||||
|
register: passwords_yml
|
||||||
|
|
||||||
|
- name: write out kolla SSH private key
|
||||||
|
copy:
|
||||||
|
content: "{{ (passwords_yml.content | b64decode | from_yaml).kolla_ssh_key.private_key }}"
|
||||||
|
dest: ~/.ssh/id_rsa_kolla
|
||||||
|
mode: 0600
|
||||||
|
|
||||||
|
- name: authorise kolla public key for zuul user
|
||||||
|
authorized_key:
|
||||||
|
user: "{{ ansible_env.USER }}"
|
||||||
|
key: "{{ (passwords_yml.content | b64decode | from_yaml).kolla_ssh_key.public_key }}"
|
||||||
|
# Delegate to each host in turn. If more tasks require execution on all
|
||||||
|
# hosts in future, break out into a separate play.
|
||||||
|
with_inventory_hostnames:
|
||||||
|
- all
|
||||||
|
delegate_to: "{{ item }}"
|
||||||
|
|
||||||
- name: generate ceph config overrides
|
- name: generate ceph config overrides
|
||||||
template:
|
template:
|
||||||
|
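Review bot: In the second hunk (`@ -110,15 +104,39 @@`), the new `slurp kolla passwords` and `write out kolla SSH private key` tasks carry the whole of passwords.yml and the kolla private key in a registered result and a `content:` argument with no `no_log`, so verbose or diff output would print them into the job log. Adding `no_log: true` to both tasks keeps the secrets out of whatever output is collected from the run. The key file's mode is also better written as a quoted string, `mode: "0600"`, so it does not depend on the YAML loader reading a leading-zero integer as octal.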
@ -2,32 +2,32 @@
|
|||||||
# additional groups are for more control of the environment.
|
# additional groups are for more control of the environment.
|
||||||
[control]
|
[control]
|
||||||
{% for host in hostvars %}
|
{% for host in hostvars %}
|
||||||
{{ host }} ansible_host={{ hostvars[host]['ansible_host'] }} ansible_become=true ansible_user={{ hostvars[host]['ansible_user'] }}
|
{{ host }} ansible_host={{ hostvars[host]['ansible_host'] }} ansible_user=kolla ansible_ssh_private_key_file={{ ansible_env.HOME ~ '/.ssh/id_rsa_kolla' }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
|
||||||
[network]
|
[network]
|
||||||
{% for host in hostvars %}
|
{% for host in hostvars %}
|
||||||
{{ host }} ansible_host={{ hostvars[host]['ansible_host'] }} ansible_become=true ansible_user={{ hostvars[host]['ansible_user'] }}
|
{{ host }} ansible_host={{ hostvars[host]['ansible_host'] }} ansible_user=kolla ansible_ssh_private_key_file={{ ansible_env.HOME ~ '/.ssh/id_rsa_kolla' }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
|
||||||
[compute]
|
[compute]
|
||||||
{% for host in hostvars %}
|
{% for host in hostvars %}
|
||||||
{{ host }} ansible_host={{ hostvars[host]['ansible_host'] }} ansible_become=true ansible_user={{ hostvars[host]['ansible_user'] }}
|
{{ host }} ansible_host={{ hostvars[host]['ansible_host'] }} ansible_user=kolla ansible_ssh_private_key_file={{ ansible_env.HOME ~ '/.ssh/id_rsa_kolla' }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
|
||||||
[storage]
|
[storage]
|
||||||
{% for host in hostvars %}
|
{% for host in hostvars %}
|
||||||
{{ host }} ansible_host={{ hostvars[host]['ansible_host'] }} ansible_become=true ansible_user={{ hostvars[host]['ansible_user'] }}
|
{{ host }} ansible_host={{ hostvars[host]['ansible_host'] }} ansible_user=kolla ansible_ssh_private_key_file={{ ansible_env.HOME ~ '/.ssh/id_rsa_kolla' }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
|
||||||
[monitoring]
|
[monitoring]
|
||||||
{% for host in hostvars %}
|
{% for host in hostvars %}
|
||||||
{{ host }} ansible_host={{ hostvars[host]['ansible_host'] }} ansible_become=true ansible_user={{ hostvars[host]['ansible_user'] }}
|
{{ host }} ansible_host={{ hostvars[host]['ansible_host'] }} ansible_user=kolla ansible_ssh_private_key_file={{ ansible_env.HOME ~ '/.ssh/id_rsa_kolla' }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
|
||||||
[deployment]
|
[deployment]
|
||||||
{% for host in hostvars %}
|
{% for host in hostvars %}
|
||||||
{{ host }} ansible_host={{ hostvars[host]['ansible_host'] }} ansible_become=true ansible_user={{ hostvars[host]['ansible_user'] }}
|
{{ host }} ansible_host={{ hostvars[host]['ansible_host'] }} ansible_user=kolla ansible_ssh_private_key_file={{ ansible_env.HOME ~ '/.ssh/id_rsa_kolla' }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
|
||||||
# You can explicitly specify which hosts run each project by updating the
|
# You can explicitly specify which hosts run each project by updating the
|
||||||
|
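Review bot: The same `ansible_user=kolla ansible_ssh_private_key_file=...` pair is now repeated on the host line of all six groups ([control] through [deployment]), so a later change to the user or key path has to be made in six places. Setting them once would be easier to audit, for example in an `[all:vars]` section with `ansible_user=kolla` and `ansible_ssh_private_key_file={{ ansible_env.HOME }}/.ssh/id_rsa_kolla`. A short comment there should say that the kolla user and its key only exist after bootstrap-servers, which is why earlier commands pass `-e ansible_user=$USER`; that is stated in the commit message but not in the template.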
@ -98,11 +98,11 @@ host_key_checking = False
|
|||||||
EOF
|
EOF
|
||||||
|
|
||||||
# Record the running state of the environment as seen by the setup module
|
# Record the running state of the environment as seen by the setup module
|
||||||
ansible all -i ${RAW_INVENTORY} -m setup > /tmp/logs/ansible/initial-setup
|
ansible all -i ${RAW_INVENTORY} -e ansible_user=$USER -m setup > /tmp/logs/ansible/initial-setup
|
||||||
}
|
}
|
||||||
|
|
||||||
function setup_node {
|
function setup_node {
|
||||||
ansible-playbook -i ${RAW_INVENTORY} tools/playbook-setup-nodes.yml
|
ansible-playbook -i ${RAW_INVENTORY} -e ansible_user=$USER tools/playbook-setup-nodes.yml
|
||||||
}
|
}
|
||||||
|
|
||||||
function prepare_images {
|
function prepare_images {
|
||||||
@ -141,7 +141,7 @@ function sanity_check {
|
|||||||
|
|
||||||
function test_openstack {
|
function test_openstack {
|
||||||
# Create dummy interface for neutron
|
# Create dummy interface for neutron
|
||||||
ansible -m shell -i ${RAW_INVENTORY} -a "ip l a fake_interface type dummy" all
|
ansible -m shell -i ${RAW_INVENTORY} -b -a "ip l a fake_interface type dummy" all
|
||||||
|
|
||||||
#TODO(inc0): Post-deploy complains that /etc/kolla is not writable. Probably we need to include become there
|
#TODO(inc0): Post-deploy complains that /etc/kolla is not writable. Probably we need to include become there
|
||||||
sudo chmod -R 777 /etc/kolla
|
sudo chmod -R 777 /etc/kolla
|
||||||
@ -229,7 +229,7 @@ setup_ansible
|
|||||||
setup_config
|
setup_config
|
||||||
setup_node
|
setup_node
|
||||||
|
|
||||||
tools/kolla-ansible -i ${RAW_INVENTORY} bootstrap-servers > /tmp/logs/ansible/bootstrap-servers
|
tools/kolla-ansible -i ${RAW_INVENTORY} -e ansible_user=$USER bootstrap-servers > /tmp/logs/ansible/bootstrap-servers
|
||||||
prepare_images
|
prepare_images
|
||||||
|
|
||||||
if [[ $ACTION != bifrost ]]; then
|
if [[ $ACTION != bifrost ]]; then
|
||||||
|
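Review bot: In the test_openstack hunk the `sudo chmod -R 777 /etc/kolla` workaround is left in place, and with this change /etc/kolla/passwords.yml is the file the kolla SSH private key is read from, so the recursive 777 leaves that key material world-readable and world-writable on the node where the script runs. The TODO above it already attributes the failure to missing become, which is what this commit reworks, so this looks like the place to retire the workaround or narrow it, for example `sudo chown -R "$USER": /etc/kolla`, assuming post-deploy runs as that user. The three added `-e ansible_user=$USER` arguments would also be safer quoted, `-e ansible_user="$USER"`. test_openstack's body continues outside the hunk.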