Don't use 'become' in CI tests

Kolla Ansible now claims [1] to support executing as a user other than
root.  We should ensure that this is tested in CI.

This change removes the 'become' from hosts in the inventory, and sets
the remote user to 'kolla', as configured via the bootstrap-servers
command. The bootstrap-servers command and other ansible commands
executed before it still need to execute as the zuul user and not as
kolla, since kolla does not exist yet.

The autogenerated SSH private key in passwords.yml is now added to the
zuul user's SSH config, such that it can SSH as the kolla user, which
has authorised this key.

[1]
https://blueprints.launchpad.net/kolla-ansible/+spec/ansible-specific-task-become

Change-Id: I8f3587e2908bc5b8889cd6fbc01981a6186d33e6
This commit is contained in:
Mark Goddard 2018-09-27 14:00:52 +01:00
parent b50917fe2c
commit 8399fc7813
3 changed files with 36 additions and 18 deletions

View File

@ -89,12 +89,6 @@
when: scenario == "bifrost" when: scenario == "bifrost"
delegate_to: "primary" delegate_to: "primary"
- name: copy passwords.yml file
copy:
src: "{{ kolla_ansible_full_src_dir }}/etc/kolla/passwords.yml"
dest: /etc/kolla/passwords.yml
delegate_to: "primary"
- name: ensure /etc/docker exists - name: ensure /etc/docker exists
file: file:
path: "/etc/docker" path: "/etc/docker"
@ -110,15 +104,39 @@
dest: "/etc/docker/daemon.json" dest: "/etc/docker/daemon.json"
become: true become: true
- name: install kolla-ansible requirements - name: install kolla-ansible requirements
pip: pip:
requirements: "{{ ansible_env.HOME }}/{{ kolla_ansible_src_dir }}/requirements.txt" requirements: "{{ ansible_env.HOME }}/{{ kolla_ansible_src_dir }}/requirements.txt"
become: true become: true
- name: copy passwords.yml file
copy:
src: "{{ kolla_ansible_full_src_dir }}/etc/kolla/passwords.yml"
dest: /etc/kolla/passwords.yml
- name: generate passwords - name: generate passwords
shell: "{{ kolla_ansible_src_dir }}/tools/generate_passwords.py" shell: "{{ kolla_ansible_src_dir }}/tools/generate_passwords.py"
delegate_to: "primary"
- name: slurp kolla passwords
slurp:
src: /etc/kolla/passwords.yml
register: passwords_yml
- name: write out kolla SSH private key
copy:
content: "{{ (passwords_yml.content | b64decode | from_yaml).kolla_ssh_key.private_key }}"
dest: ~/.ssh/id_rsa_kolla
mode: 0600
- name: authorise kolla public key for zuul user
authorized_key:
user: "{{ ansible_env.USER }}"
key: "{{ (passwords_yml.content | b64decode | from_yaml).kolla_ssh_key.public_key }}"
# Delegate to each host in turn. If more tasks require execution on all
# hosts in future, break out into a separate play.
with_inventory_hostnames:
- all
delegate_to: "{{ item }}"
- name: generate ceph config overrides - name: generate ceph config overrides
template: template:

View File

@ -2,32 +2,32 @@
# additional groups are for more control of the environment. # additional groups are for more control of the environment.
[control] [control]
{% for host in hostvars %} {% for host in hostvars %}
{{ host }} ansible_host={{ hostvars[host]['ansible_host'] }} ansible_become=true ansible_user={{ hostvars[host]['ansible_user'] }} {{ host }} ansible_host={{ hostvars[host]['ansible_host'] }} ansible_user=kolla ansible_ssh_private_key_file={{ ansible_env.HOME ~ '/.ssh/id_rsa_kolla' }}
{% endfor %} {% endfor %}
[network] [network]
{% for host in hostvars %} {% for host in hostvars %}
{{ host }} ansible_host={{ hostvars[host]['ansible_host'] }} ansible_become=true ansible_user={{ hostvars[host]['ansible_user'] }} {{ host }} ansible_host={{ hostvars[host]['ansible_host'] }} ansible_user=kolla ansible_ssh_private_key_file={{ ansible_env.HOME ~ '/.ssh/id_rsa_kolla' }}
{% endfor %} {% endfor %}
[compute] [compute]
{% for host in hostvars %} {% for host in hostvars %}
{{ host }} ansible_host={{ hostvars[host]['ansible_host'] }} ansible_become=true ansible_user={{ hostvars[host]['ansible_user'] }} {{ host }} ansible_host={{ hostvars[host]['ansible_host'] }} ansible_user=kolla ansible_ssh_private_key_file={{ ansible_env.HOME ~ '/.ssh/id_rsa_kolla' }}
{% endfor %} {% endfor %}
[storage] [storage]
{% for host in hostvars %} {% for host in hostvars %}
{{ host }} ansible_host={{ hostvars[host]['ansible_host'] }} ansible_become=true ansible_user={{ hostvars[host]['ansible_user'] }} {{ host }} ansible_host={{ hostvars[host]['ansible_host'] }} ansible_user=kolla ansible_ssh_private_key_file={{ ansible_env.HOME ~ '/.ssh/id_rsa_kolla' }}
{% endfor %} {% endfor %}
[monitoring] [monitoring]
{% for host in hostvars %} {% for host in hostvars %}
{{ host }} ansible_host={{ hostvars[host]['ansible_host'] }} ansible_become=true ansible_user={{ hostvars[host]['ansible_user'] }} {{ host }} ansible_host={{ hostvars[host]['ansible_host'] }} ansible_user=kolla ansible_ssh_private_key_file={{ ansible_env.HOME ~ '/.ssh/id_rsa_kolla' }}
{% endfor %} {% endfor %}
[deployment] [deployment]
{% for host in hostvars %} {% for host in hostvars %}
{{ host }} ansible_host={{ hostvars[host]['ansible_host'] }} ansible_become=true ansible_user={{ hostvars[host]['ansible_user'] }} {{ host }} ansible_host={{ hostvars[host]['ansible_host'] }} ansible_user=kolla ansible_ssh_private_key_file={{ ansible_env.HOME ~ '/.ssh/id_rsa_kolla' }}
{% endfor %} {% endfor %}
# You can explicitly specify which hosts run each project by updating the # You can explicitly specify which hosts run each project by updating the

View File

@ -98,11 +98,11 @@ host_key_checking = False
EOF EOF
# Record the running state of the environment as seen by the setup module # Record the running state of the environment as seen by the setup module
ansible all -i ${RAW_INVENTORY} -m setup > /tmp/logs/ansible/initial-setup ansible all -i ${RAW_INVENTORY} -e ansible_user=$USER -m setup > /tmp/logs/ansible/initial-setup
} }
function setup_node { function setup_node {
ansible-playbook -i ${RAW_INVENTORY} tools/playbook-setup-nodes.yml ansible-playbook -i ${RAW_INVENTORY} -e ansible_user=$USER tools/playbook-setup-nodes.yml
} }
function prepare_images { function prepare_images {
@ -141,7 +141,7 @@ function sanity_check {
function test_openstack { function test_openstack {
# Create dummy interface for neutron # Create dummy interface for neutron
ansible -m shell -i ${RAW_INVENTORY} -a "ip l a fake_interface type dummy" all ansible -m shell -i ${RAW_INVENTORY} -b -a "ip l a fake_interface type dummy" all
#TODO(inc0): Post-deploy complains that /etc/kolla is not writable. Probably we need to include become there #TODO(inc0): Post-deploy complains that /etc/kolla is not writable. Probably we need to include become there
sudo chmod -R 777 /etc/kolla sudo chmod -R 777 /etc/kolla
@ -229,7 +229,7 @@ setup_ansible
setup_config setup_config
setup_node setup_node
tools/kolla-ansible -i ${RAW_INVENTORY} bootstrap-servers > /tmp/logs/ansible/bootstrap-servers tools/kolla-ansible -i ${RAW_INVENTORY} -e ansible_user=$USER bootstrap-servers > /tmp/logs/ansible/bootstrap-servers
prepare_images prepare_images
if [[ $ACTION != bifrost ]]; then if [[ $ACTION != bifrost ]]; then