75f55d13ad
The apparmor_parser actually doesn't remove the file or doesn't create the symlink in '/etc/apparmor.d/disable' itself so the next run of the baremetal role will fail with the error "Unable to remove "libvirtd". Even more after reboot, the profile is still active. We need to disable the profile completly ourselves. This change fixes the idempotents of the baremetal role. Closes-Bug: #1960302 Change-Id: I162e417387393e806886b1c9ea8053b89778b4d1 Signed-off-by: Maksim Malchuk <maksim.malchuk@gmail.com>
258 lines
7.1 KiB
YAML
258 lines
7.1 KiB
YAML
---
|
|
- name: Create kolla user
|
|
user:
|
|
name: "{{ kolla_user }}"
|
|
state: present
|
|
group: "{{ kolla_group }}"
|
|
groups: "sudo"
|
|
append: true
|
|
become: True
|
|
when: create_kolla_user | bool
|
|
|
|
- name: Add public key to kolla user authorized keys
|
|
authorized_key:
|
|
user: "{{ kolla_user }}"
|
|
key: "{{ kolla_ssh_key.public_key }}"
|
|
become: True
|
|
when: create_kolla_user | bool
|
|
|
|
- name: Grant kolla user passwordless sudo
|
|
lineinfile:
|
|
dest: /etc/sudoers.d/kolla-ansible-users
|
|
state: present
|
|
create: yes
|
|
mode: '0640'
|
|
regexp: '^{{ kolla_user }}'
|
|
line: '{{ kolla_user }} ALL=(ALL) NOPASSWD: ALL'
|
|
become: True
|
|
when: create_kolla_user_sudoers | bool
|
|
|
|
- name: Ensure virtualenv has correct ownership
|
|
file:
|
|
path: "{{ virtualenv }}"
|
|
recurse: True
|
|
state: directory
|
|
owner: "{{ kolla_user }}"
|
|
group: "{{ kolla_group }}"
|
|
become: True
|
|
when: virtualenv is not none
|
|
|
|
- name: Ensure node_config_directory directory exists for user kolla
|
|
file:
|
|
path: "{{ node_config_directory }}"
|
|
state: directory
|
|
owner: "{{ kolla_user }}"
|
|
group: "{{ kolla_group }}"
|
|
mode: 0755
|
|
become: True
|
|
when: create_kolla_user | bool
|
|
|
|
- name: Ensure node_config_directory directory exists
|
|
file:
|
|
path: "{{ node_config_directory }}"
|
|
state: directory
|
|
mode: 0755
|
|
become: True
|
|
when: not create_kolla_user | bool
|
|
|
|
- name: Ensure docker config directory exists
|
|
file:
|
|
path: /etc/docker
|
|
state: directory
|
|
become: True
|
|
|
|
- name: Merge Zun docker config
|
|
set_fact:
|
|
docker_config: "{{ docker_config | combine(docker_zun_config) }}"
|
|
when:
|
|
- docker_configure_for_zun | bool
|
|
- "'zun-compute' in group_names"
|
|
|
|
- name: Warn about deprecations
|
|
debug:
|
|
msg: >
|
|
docker_custom_option is deprecated in favor of docker_custom_config
|
|
when: docker_custom_option | length > 0
|
|
|
|
- name: Setup docker insecure registries
|
|
vars:
|
|
registries: ["{{ docker_registry }}"]
|
|
set_fact:
|
|
docker_config: "{{ docker_config | combine({'insecure-registries': registries}) }}"
|
|
when: docker_registry_insecure | bool
|
|
|
|
- name: Setup docker storage driver
|
|
set_fact:
|
|
docker_config: "{{ docker_config | combine({'storage-driver': docker_storage_driver}) }}"
|
|
when: docker_storage_driver | length > 0
|
|
|
|
- name: Setup docker runtime directory
|
|
set_fact:
|
|
docker_config: "{{ docker_config | combine({'data-root': docker_runtime_directory}) }}"
|
|
when: docker_runtime_directory | length > 0
|
|
|
|
- name: Warn about docker default iptables
|
|
debug:
|
|
msg: >-
|
|
Docker default iptables rules will be disabled by default from the Wallaby 12.0.0
|
|
release. If you have any non-Kolla containers that need this functionality, you should
|
|
plan a migration for this change, or set docker_disable_default_iptables_rules to false.
|
|
when: not docker_disable_default_iptables_rules | bool
|
|
|
|
- name: Disable docker default iptables rules
|
|
set_fact:
|
|
docker_config: "{{ docker_config | combine({'iptables': false}) }}"
|
|
when: docker_disable_default_iptables_rules | bool
|
|
|
|
- name: Warn about docker default networking
|
|
debug:
|
|
msg: >-
|
|
Docker default network on docker0 will be disabled by default from the
|
|
Wallaby 12.0.0 release. If you have any non-Kolla containers that need
|
|
this functionality, you should plan a migration for this change, or set
|
|
docker_disable_default_network to false.
|
|
when: not docker_disable_default_network | bool
|
|
|
|
- name: Disable docker default network on docker0
|
|
set_fact:
|
|
docker_config: "{{ docker_config | combine({'bridge': 'none'}) }}"
|
|
when: docker_disable_default_network | bool
|
|
|
|
- name: Warn about docker ip_forward
|
|
debug:
|
|
msg: >-
|
|
Docker ip_forward will be disabled by default from the
|
|
Wallaby 12.0.0 release. If you have any non-Kolla containers that need
|
|
this functionality, you should plan a migration for this change, or set
|
|
docker_disable_ip_forward to false.
|
|
when: not docker_disable_ip_forward | bool
|
|
|
|
- name: Disable docker ip_forward
|
|
set_fact:
|
|
docker_config: "{{ docker_config | combine({'ip-forward': false}) }}"
|
|
when: docker_disable_ip_forward | bool
|
|
|
|
- name: Merge custom docker config
|
|
set_fact:
|
|
docker_config: "{{ docker_config | combine(docker_custom_config) }}"
|
|
|
|
- name: Write docker config
|
|
become: True
|
|
copy:
|
|
content: "{{ docker_config | to_nice_json }}"
|
|
dest: /etc/docker/daemon.json
|
|
mode: 0644
|
|
register: docker_configured
|
|
|
|
- name: Remove old docker options file
|
|
become: True
|
|
file:
|
|
path: /etc/systemd/system/docker.service.d/kolla.conf
|
|
state: absent
|
|
when:
|
|
- not docker_custom_option
|
|
- not docker_configure_for_zun | bool or 'zun-compute' not in group_names
|
|
- not docker_http_proxy
|
|
- not docker_https_proxy
|
|
- not docker_no_proxy
|
|
|
|
- name: Ensure docker service directory exists
|
|
become: True
|
|
file:
|
|
path: /etc/systemd/system/docker.service.d
|
|
state: directory
|
|
recurse: yes
|
|
when: >
|
|
docker_custom_option | length > 0 or
|
|
(docker_configure_for_zun | bool and 'zun-compute' in group_names) or
|
|
docker_http_proxy | length > 0 or
|
|
docker_https_proxy | length > 0 or
|
|
docker_no_proxy | length > 0
|
|
|
|
- name: Configure docker service
|
|
become: True
|
|
template:
|
|
src: docker_systemd_service.j2
|
|
dest: /etc/systemd/system/docker.service.d/kolla.conf
|
|
when: >
|
|
docker_custom_option | length > 0 or
|
|
(docker_configure_for_zun | bool and 'zun-compute' in group_names) or
|
|
docker_http_proxy | length > 0 or
|
|
docker_https_proxy | length > 0 or
|
|
docker_no_proxy | length > 0
|
|
|
|
- name: Reload docker service file
|
|
become: True
|
|
systemd:
|
|
name: docker
|
|
daemon_reload: yes
|
|
register: docker_reloaded
|
|
|
|
- name: Get stat of libvirtd apparmor profile
|
|
stat:
|
|
path: /etc/apparmor.d/usr.sbin.libvirtd
|
|
register: apparmor_libvirtd_profile
|
|
when: ansible_facts.distribution == "Ubuntu"
|
|
|
|
- name: Get stat of libvirtd apparmor disable profile
|
|
stat:
|
|
path: /etc/apparmor.d/disable/usr.sbin.libvirtd
|
|
register: apparmor_libvirtd_disable_profile
|
|
when: ansible_facts.distribution == "Ubuntu"
|
|
|
|
- name: Remove apparmor profile for libvirt
|
|
shell: |
|
|
apparmor_parser -v -R /etc/apparmor.d/usr.sbin.libvirtd && \
|
|
ln -vsf /etc/apparmor.d/usr.sbin.libvirtd /etc/apparmor.d/disable
|
|
args:
|
|
executable: /bin/bash
|
|
become: True
|
|
when:
|
|
- ansible_facts.distribution == "Ubuntu"
|
|
- apparmor_libvirtd_profile.stat.exists
|
|
- not apparmor_libvirtd_disable_profile.stat.exists
|
|
|
|
- name: Create docker group
|
|
group:
|
|
name: docker
|
|
become: True
|
|
|
|
- name: Add kolla user to docker group
|
|
user:
|
|
name: "{{ kolla_user }}"
|
|
append: yes
|
|
groups: docker
|
|
become: True
|
|
when: create_kolla_user | bool
|
|
|
|
- name: Start docker
|
|
systemd:
|
|
name: docker
|
|
state: started
|
|
masked: no
|
|
become: True
|
|
|
|
- name: Restart docker
|
|
systemd:
|
|
name: docker
|
|
state: restarted
|
|
masked: no
|
|
become: True
|
|
when: docker_configured.changed or docker_reloaded.changed
|
|
|
|
- name: Enable docker
|
|
systemd:
|
|
name: docker
|
|
enabled: yes
|
|
masked: no
|
|
become: True
|
|
|
|
- name: Change state of selinux
|
|
selinux:
|
|
policy: targeted
|
|
state: "{{ selinux_state }}"
|
|
become: true
|
|
when:
|
|
- change_selinux | bool
|
|
- ansible_facts.os_family == "RedHat"
|