Make kolla ansible user and group configurable

In some cases it is useful to use a user other than the default 'kolla'
to perform kolla ansible remote execution. Kolla is adding support for
this in the Rocky release, and we should use it.

It is now possible to configure a different user via the
kolla_ansible_user and kolla_ansible_group variables.

Depends-On: https://review.openstack.org/581330

Change-Id: I280fb8f70eacd31fff0ae5671ddd6608cd02ae6e
Story: 2002914
Task: 22892
Mark Goddard 2018-07-09 15:45:16 +01:00
parent bb28786069
commit 41740f9752
11 changed files with 61 additions and 6 deletions


@ -294,6 +294,16 @@ kolla_openstack_logging_debug: "False"
# Upper constraints file for installation of Kolla. # Upper constraints file for installation of Kolla.
kolla_upper_constraints_file: "https://raw.githubusercontent.com/openstack/requirements/stable/queens/upper-constraints.txt" kolla_upper_constraints_file: "https://raw.githubusercontent.com/openstack/requirements/stable/queens/upper-constraints.txt"
# User account to use for Kolla SSH access.
kolla_ansible_user: kolla
# Primary group of Kolla SSH user.
kolla_ansible_group: kolla
# Whether to use privilege escalation for all operations performed via Kolla
# Ansible.
kolla_ansible_become: true
############################################################################### ###############################################################################
# Kolla feature flag configuration. # Kolla feature flag configuration.
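Review bot: The comment on `kolla_ansible_become` does not say what a false value means. Read alone it suggests escalation is switched off entirely, whereas the release note in this commit describes the choice as all tasks versus only required tasks. A second comment line such as `# When false, privilege escalation is used only for tasks that require it.` would close the gap. The same comment is repeated in the role defaults and in the example configuration file later in this commit, so the wording should be updated in all three places.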


@ -39,7 +39,7 @@
path: "{{ kolla_ansible_target_venv }}" path: "{{ kolla_ansible_target_venv }}"
recurse: True recurse: True
state: directory state: directory
owner: kolla owner: "{{ kolla_ansible_user }}"
group: kolla group: "{{ kolla_ansible_group }}"
become: True become: True
when: kolla_ansible_target_venv is not none when: kolla_ansible_target_venv is not none


@ -35,6 +35,16 @@ kolla_node_custom_config_path:
# Path to kolla-ansible passwords.yml input file. # Path to kolla-ansible passwords.yml input file.
kolla_ansible_passwords_path: kolla_ansible_passwords_path:
# User account to use for Kolla SSH access.
kolla_ansible_user: kolla
# Primary group of Kolla SSH user.
kolla_ansible_group: kolla
# Whether to use privilege escalation for all operations performed via Kolla
# Ansible.
kolla_ansible_become: true
############################################################################### ###############################################################################
# Kolla-ansible inventory configuration. # Kolla-ansible inventory configuration.


@ -48,6 +48,12 @@ kolla_external_vip_address: "{{ kolla_external_vip_address }}"
# kolla_external_vip_address. # kolla_external_vip_address.
kolla_external_fqdn: "{{ kolla_external_fqdn }}" kolla_external_fqdn: "{{ kolla_external_fqdn }}"
# User account to use for Kolla SSH access.
kolla_user: "{{ kolla_ansible_user }}"
# Primary group of Kolla SSH user.
kolla_group: "{{ kolla_ansible_group }}"
################ ################
# Docker options # Docker options
################ ################


@ -28,8 +28,10 @@
{% endfor %} {% endfor %}
[overcloud:vars] [overcloud:vars]
ansible_user=kolla ansible_user={{ kolla_ansible_user }}
{% if kolla_ansible_become | bool %}
ansible_become=true ansible_become=true
{% endif %}
{% if kolla_ansible_target_venv is not none %} {% if kolla_ansible_target_venv is not none %}
# Execute ansible modules on the remote target hosts using a virtualenv. # Execute ansible modules on the remote target hosts using a virtualenv.
ansible_python_interpreter={{ kolla_ansible_target_venv }}/bin/python ansible_python_interpreter={{ kolla_ansible_target_venv }}/bin/python


@ -6,7 +6,7 @@
{% endfor %} {% endfor %}
[seed:vars] [seed:vars]
ansible_user=kolla ansible_user={{ kolla_ansible_user }}
{% if kolla_ansible_target_venv is not none %} {% if kolla_ansible_target_venv is not none %}
# Execute ansible modules on the remote target hosts using a virtualenv. # Execute ansible modules on the remote target hosts using a virtualenv.
ansible_python_interpreter={{ kolla_ansible_target_venv }}/bin/python ansible_python_interpreter={{ kolla_ansible_target_venv }}/bin/python
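Review bot: `kolla_ansible_become` is not referenced anywhere in the visible part of `[seed:vars]`, which picks up only the configurable `ansible_user`. The variable is documented as covering "all operations performed via Kolla Ansible", yet in the lines shown it affects only the overcloud inventory template. If that is intended, the variable's comment should say so, for example `# Applies to the overcloud inventory only; the seed inventory does not set ansible_become.`. The template continues outside this hunk, so confirm that no `ansible_become` line exists further down before rewording.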


@ -95,6 +95,8 @@
kolla_enable_tls_external: False kolla_enable_tls_external: False
kolla_external_fqdn_cert: "fake-cert" kolla_external_fqdn_cert: "fake-cert"
openstack_logging_debug: False openstack_logging_debug: False
kolla_user: "kolla"
kolla_group: "kolla"
- name: Validate variables are absent from globals.yml - name: Validate variables are absent from globals.yml
assert: assert:


@ -23,6 +23,8 @@
kolla_node_custom_config_path: "{{ temp_path }}/etc/kolla/config" kolla_node_custom_config_path: "{{ temp_path }}/etc/kolla/config"
kolla_ansible_passwords_path: "{{ temp_path }}/passwords.yml" kolla_ansible_passwords_path: "{{ temp_path }}/passwords.yml"
# Config. # Config.
kolla_ansible_user: "fake-user"
kolla_ansible_group: "fake-group"
kolla_base_distro: "fake-distro" kolla_base_distro: "fake-distro"
kolla_install_type: "fake-install-type" kolla_install_type: "fake-install-type"
kolla_docker_namespace: "fake-namespace" kolla_docker_namespace: "fake-namespace"
@ -165,6 +167,8 @@
globals_yml: "{{ lookup('file', temp_path ~ '/etc/kolla/globals.yml') | from_yaml }}" globals_yml: "{{ lookup('file', temp_path ~ '/etc/kolla/globals.yml') | from_yaml }}"
expected_variables: expected_variables:
config_strategy: "COPY_ALWAYS" config_strategy: "COPY_ALWAYS"
kolla_user: "fake-user"
kolla_group: "fake-group"
kolla_base_distro: "fake-distro" kolla_base_distro: "fake-distro"
kolla_install_type: "fake-install-type" kolla_install_type: "fake-install-type"
openstack_release: "fake-release" openstack_release: "fake-release"
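Review bot: Neither hunk in this test file sets `kolla_ansible_become`, and no other test touched by this commit references it, so the new conditional around `ansible_become=true` in the overcloud inventory template is not exercised. Only the user and group mapping into `globals.yml` is asserted here. A case that renders the inventory with `kolla_ansible_become: false` and checks that the `ansible_become` line is absent would pin the privilege-escalation behaviour. The surrounding test tasks start and end outside these hunks.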


@ -55,8 +55,8 @@
src: "{{ swift_ring_build_path }}/{{ item[0] }}.{{ item[1] }}" src: "{{ swift_ring_build_path }}/{{ item[0] }}.{{ item[1] }}"
dest: "{{ kolla_config_path }}/config/swift/{{ item[0] }}.{{ item[1] }}" dest: "{{ kolla_config_path }}/config/swift/{{ item[0] }}.{{ item[1] }}"
remote_src: True remote_src: True
owner: kolla owner: "{{ ansible_user_uid }}"
group: kolla group: "{{ ansible_user_gid }}"
mode: 0644 mode: 0644
with_nested: with_nested:
- "{{ swift_service_names }}" - "{{ swift_service_names }}"
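Review bot: `ansible_user_uid` and `ansible_user_gid` are gathered facts, so the ownership of the copied ring files now depends on fact gathering having run for this host and on which account it ran as. If facts were collected with `become` in effect, they would presumably describe root rather than the intended user, and if they were not gathered the task fails on an undefined variable. The other ownership change in this commit uses `kolla_ansible_user` and `kolla_ansible_group`, so the different source here deserves a comment, for example `# Owned by the account running Ansible on this host, which may differ from kolla_ansible_user.`. The task and its play header lie outside this hunk, so confirm how facts are gathered there.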


@ -141,6 +141,19 @@
# Whether debug logging is enabled. # Whether debug logging is enabled.
#kolla_openstack_logging_debug: #kolla_openstack_logging_debug:
# Upper constraints file for installation of Kolla.
#kolla_upper_constraints_file:
# User account to use for Kolla SSH access.
#kolla_ansible_user:
# Primary group of Kolla SSH user.
#kolla_ansible_group:
# Whether to use privilege escalation for all operations performed via Kolla
# Ansible.
#kolla_ansible_become:
############################################################################### ###############################################################################
# Kolla feature flag configuration. # Kolla feature flag configuration.


@ -0,0 +1,8 @@
---
features:
- |
Adds support for configuration of the user used by Kolla Ansible for remote
execution. The user is configured via ``kolla_ansible_user``, its primary
group via ``kolla_ansible_group``, and ``kolla_ansible_become`` determines
whether privilege escalation is used by Kolla Ansible for all tasks or only
required tasks.