From 4652c2970682a4dcc92c81c36a327960e13e4c1d Mon Sep 17 00:00:00 2001 From: Mark Goddard Date: Thu, 16 Mar 2017 10:55:50 +0000 Subject: [PATCH] Improve permissions around Kolla configuration. Make ansible_user own files so we don't need to be root. Files no longer world readable. --- ansible/roles/kolla-ansible/tasks/config.yml | 10 +++---- ansible/roles/kolla-ansible/tasks/install.yml | 24 ++++++++++++----- ansible/roles/kolla-bifrost/tasks/config.yml | 6 ++--- ansible/roles/kolla-bifrost/tasks/install.yml | 27 ++++++++++--------- ansible/roles/kolla-build/tasks/main.yml | 1 - .../roles/kolla-openstack/tasks/config.yml | 8 +++--- ansible/roles/kolla/tasks/config.yml | 4 ++- ansible/roles/kolla/tasks/install.yml | 20 ++++++++------ 8 files changed, 57 insertions(+), 43 deletions(-) diff --git a/ansible/roles/kolla-ansible/tasks/config.yml b/ansible/roles/kolla-ansible/tasks/config.yml index 1f9e9fd34..1223061aa 100644 --- a/ansible/roles/kolla-ansible/tasks/config.yml +++ b/ansible/roles/kolla-ansible/tasks/config.yml @@ -3,7 +3,9 @@ file: path: "{{ item }}" state: directory - mode: 0755 + owner: "{{ ansible_user }}" + group: "{{ ansible_user }}" + mode: 0750 become: True with_items: - "{{ kolla_config_path }}" @@ -14,8 +16,7 @@ template: src: "{{ item.src }}" dest: "{{ kolla_config_path }}/{{ item.dest }}" - mode: 0644 - become: True + mode: 0640 with_items: - { src: seed.j2, dest: inventory/seed } - { src: overcloud.j2, dest: inventory/overcloud } @@ -29,9 +30,9 @@ - name: Generate Kolla passwords shell: > cp {{ kolla_ansible_install_dir }}/etc_examples/kolla/passwords.yml {{ kolla_config_path }}/passwords.yml.generated + && chmod 640 {{ kolla_config_path }}/passwords.yml.generated && {{ kolla_venv }}/bin/kolla-genpwd -p {{ kolla_config_path }}/passwords.yml.generated && mv {{ kolla_config_path }}/passwords.yml.generated {{ kolla_config_path }}/passwords.yml - become: True when: not kolla_passwords_stat.stat.exists - name: Read the Kolla passwords file 
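Review bot: `group: "{{ ansible_user }}"` in the added owner/group lines of the `kolla_config_path` directory task assumes a group named after the login user exists on the target; on hosts where that user's primary group has a different name the `file` task fails and none of the listed directories are created. If facts are gathered, `group: "{{ ansible_user_gid }}"` binds the group to the connecting user's actual gid rather than its name (that fact describes the login user, not a become user — worth confirming for these plays); otherwise omitting `group` and relying on `mode: 0750` to keep other users out is the safer default. The `with_items` list continues past the end of the hunk, so this applies to every directory it covers.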
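Review bot: The added `chmod 640` on `passwords.yml.generated` runs before `kolla-genpwd` fills the file, which is the right order, but whether 0640 survives depends on how `kolla-genpwd` writes: an in-place rewrite keeps the mode, while a write-to-new-file-and-rename resets it to the umask and the final `mv` carries that mode into `passwords.yml`. Since this file is the secret the commit sets out to protect, pin its mode after the shell task with a `file` task (`path: "{{ kolla_config_path }}/passwords.yml"`, `mode: 0640`) rather than relying on the tool's write strategy. The `cp` + `chmod` pair can also collapse into `install -m 0640 {{ kolla_ansible_install_dir }}/etc_examples/kolla/passwords.yml {{ kolla_config_path }}/passwords.yml.generated`, and prefixing the pipeline with `umask 077 &&` ensures no intermediate file is ever created world-readable, whatever the login shell's umask is.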
@@ -44,5 +45,4 @@ copy: content: "{{ passwords_result.content | b64decode | from_yaml | combine(kolla_ansible_custom_passwords) | to_nice_yaml }}" dest: "{{ kolla_config_path }}/passwords.yml" - become: True when: "{{ kolla_ansible_custom_passwords }}" diff --git a/ansible/roles/kolla-ansible/tasks/install.yml b/ansible/roles/kolla-ansible/tasks/install.yml index 9167f9b1d..ab190d272 100644 --- a/ansible/roles/kolla-ansible/tasks/install.yml +++ b/ansible/roles/kolla-ansible/tasks/install.yml @@ -13,13 +13,15 @@ - python-pip - python-virtualenv -- name: Ensure the latest version of pip is installed - pip: - name: "{{ item.name }}" - state: latest - virtualenv: "{{ kolla_venv }}" - with_items: - - { name: pip } +- name: Ensure source code checkout path exists + file: + path: "{{ source_checkout_path }}" + state: directory + owner: "{{ ansible_user }}" + group: "{{ ansible_user }}" + recurse: True + become: True + when: "{{ kolla_ctl_install_type == 'source' }}" - name: Ensure Kolla Ansible source code checkout exists git: @@ -28,6 +30,14 @@ version: "{{ kolla_ansible_source_version }}" when: "{{ kolla_ctl_install_type == 'source' }}" +- name: Ensure the latest version of pip is installed + pip: + name: "{{ item.name }}" + state: latest + virtualenv: "{{ kolla_venv }}" + with_items: + - { name: pip } + - name: Ensure required Python packages are installed pip: name: "{{ item.name }}" diff --git a/ansible/roles/kolla-bifrost/tasks/config.yml b/ansible/roles/kolla-bifrost/tasks/config.yml index eae1faf6d..9469bff27 100644 --- a/ansible/roles/kolla-bifrost/tasks/config.yml +++ b/ansible/roles/kolla-bifrost/tasks/config.yml 
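Review bot: The `copy` task that rewrites `passwords.yml` with the merged custom passwords sets no `mode`, so after dropping `become` the resulting permissions depend on Ansible's atomic-move behaviour (it keeps the existing destination's mode when the file already exists and otherwise falls back to the umask). This file carries every service credential, so add `mode: 0640` next to `dest` to make the intent explicit and independent of whether the generated file was already present. The task's `- name:` line is outside the hunk.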
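Review bot: The new checkout-path task combines `owner`/`group` with `recurse: True` under `become: True`, which recursively chowns everything already under `{{ source_checkout_path }}` to `ansible_user` as root — if that path is shared with other content or holds a checkout made by another user, ownership of that content changes silently on every run. The `git` task that follows creates its tree as `ansible_user` anyway, so only the top-level directory needs the ownership; dropping `recurse: True` keeps the root-privileged change to a single directory. The added `when: "{{ kolla_ctl_install_type == 'source' }}"` copies the file's existing style, but Ansible warns about Jinja delimiters in `when`; `when: kolla_ctl_install_type == 'source'` is the supported form. The `git:` task body continues past the end of the hunk.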
@@ -3,15 +3,13 @@ file: path: "{{ kolla_node_custom_config_path }}/bifrost" state: directory - mode: 0755 - become: True + mode: 0750 - name: Ensure the Kolla Bifrost configuration files exist template: src: "{{ item.src }}" dest: "{{ kolla_node_custom_config_path }}/bifrost/{{ item.dest }}" - mode: 0644 - become: True + mode: 0640 with_items: - { src: bifrost.yml.j2, dest: bifrost.yml } - { src: dib.yml.j2, dest: dib.yml } diff --git a/ansible/roles/kolla-bifrost/tasks/install.yml b/ansible/roles/kolla-bifrost/tasks/install.yml index 82a2e48a3..e5cef1999 100644 --- a/ansible/roles/kolla-bifrost/tasks/install.yml +++ b/ansible/roles/kolla-bifrost/tasks/install.yml @@ -12,6 +12,21 @@ - python-pip - python-virtualenv +- name: Ensure source code checkout path exists + file: + path: "{{ source_checkout_path }}" + state: directory + owner: "{{ ansible_user }}" + group: "{{ ansible_user }}" + recurse: True + become: True + +- name: Ensure Bifrost source code checkout exists + git: + repo: "{{ kolla_bifrost_source_url }}" + dest: "{{ source_checkout_path }}/bifrost" + version: "{{ kolla_bifrost_source_version }}" + - name: Ensure the latest version of pip is installed pip: name: "{{ item.name }}" @@ -20,18 +35,6 @@ with_items: - { name: pip } -- name: Ensure source code checkout path exists - file: - path: "{{ source_checkout_path }}" - state: directory - recurse: True - -- name: Ensure Bifrost source code checkout exists - git: - repo: "{{ kolla_bifrost_source_url }}" - dest: "{{ source_checkout_path }}/bifrost" - version: "{{ kolla_bifrost_source_version }}" - - name: Ensure required Python packages are installed pip: name: "{{ item.name }}" diff --git a/ansible/roles/kolla-build/tasks/main.yml b/ansible/roles/kolla-build/tasks/main.yml index e4eac152f..875acdf16 100644 --- a/ansible/roles/kolla-build/tasks/main.yml +++ b/ansible/roles/kolla-build/tasks/main.yml 
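Review bot: Removing `become: True` from the `{{ kolla_node_custom_config_path }}/bifrost` directory task makes it depend on the parent `kolla_node_custom_config_path` already existing and being writable by `ansible_user`, which nothing in this role ensures; presumably the kolla role's config tasks create it (its hunk in this commit shows only `kolla_config_path` in the visible part of the list), and if they have not run first this task now fails where it previously succeeded as root. Either make that ordering explicit, or keep `become: True` here together with `owner: "{{ ansible_user }}"` and `group: "{{ ansible_user }}"` as the kolla role's directory task does, so the role also works on its own. The `file` task's `- name:` line is outside the hunk.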
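Review bot: The relocated checkout-path task now chowns `{{ source_checkout_path }}` recursively as root (`owner`/`group` plus `recurse: True` under `become: True`), so any content already present under that path — including checkouts made by other roles or users — changes owner on every run. Only the directory itself needs to belong to `ansible_user` for the following `git` clone into `{{ source_checkout_path }}/bifrost` to succeed, so dropping `recurse: True` limits the privileged change to that one directory. Unlike the kolla and kolla-ansible variants this task has no `when`; that is presumably deliberate, but a one-line comment saying why would save the next reader a comparison.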
@@ -4,7 +4,6 @@ src: "{{ item.src }}" dest: "{{ kolla_config_path }}/{{ item.dest }}" mode: 0644 - become: True with_items: - { src: kolla-build.conf.j2, dest: kolla-build.conf } - { src: template-override.j2.j2, dest: template-override.j2 } diff --git a/ansible/roles/kolla-openstack/tasks/config.yml b/ansible/roles/kolla-openstack/tasks/config.yml index 0f2c7e46e..0bc69f50a 100644 --- a/ansible/roles/kolla-openstack/tasks/config.yml +++ b/ansible/roles/kolla-openstack/tasks/config.yml @@ -3,8 +3,7 @@ file: path: "{{ kolla_node_custom_config_path }}/{{ item.name }}" state: directory - mode: 0755 - become: True + mode: 0750 with_items: - { name: ironic, enabled: "{{ kolla_enable_ironic }}" } - { name: swift, enabled: "{{ kolla_enable_swift }}" } @@ -14,8 +13,7 @@ template: src: "{{ item.src }}" dest: "{{ kolla_node_custom_config_path }}/{{ item.dest }}" - mode: 0644 - become: True + mode: 0640 with_items: - { src: glance.conf.j2, dest: glance.conf, enabled: "{{ kolla_enable_glance }}" } - { src: ironic.conf.j2, dest: ironic.conf, enabled: "{{ kolla_enable_ironic }}" } @@ -28,7 +26,7 @@ get_url: url: "{{ item.url }}" dest: "{{ kolla_node_custom_config_path }}/ironic/{{ item.dest }}" - become: True + mode: 0640 with_items: - { url: "{{ kolla_inspector_ipa_kernel_upstream_url }}", dest: "ironic-agent.kernel" } - { url: "{{ kolla_inspector_ipa_ramdisk_upstream_url }}", dest: "ironic-agent.initramfs" } diff --git a/ansible/roles/kolla/tasks/config.yml b/ansible/roles/kolla/tasks/config.yml index f139a9531..1aac76b04 100644 --- a/ansible/roles/kolla/tasks/config.yml +++ b/ansible/roles/kolla/tasks/config.yml @@ -3,7 +3,9 @@ file: path: "{{ item }}" state: directory - mode: 0755 + owner: "{{ ansible_user }}" + group: "{{ ansible_user }}" + mode: 0750 become: True with_items: - "{{ kolla_config_path }}" diff --git a/ansible/roles/kolla/tasks/install.yml b/ansible/roles/kolla/tasks/install.yml index 8e4cde0f9..c7ec465e6 100644 --- a/ansible/roles/kolla/tasks/install.yml 
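Review bot: `kolla-build.conf` and `template-override.j2` are still written with `mode: 0644` while every other configuration file in this commit moves to 0640, so these remain world-readable despite the commit message's "Files no longer world readable". Unless something outside `ansible_user`'s group must read them, change the line to `mode: 0640` for consistency; `kolla_config_path` itself becomes 0750 in the kolla and kolla-ansible hunks of this commit, so the looser file mode gains other users nothing anyway. The `template` task's `- name:` line is outside the hunk.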
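Review bot: The `get_url` download of the Ironic Python Agent kernel and ramdisk still carries no integrity check — these are boot artifacts that inspected and deployed nodes execute, fetched from `kolla_inspector_ipa_kernel_upstream_url` / `kolla_inspector_ipa_ramdisk_upstream_url`, so a compromised mirror or tampered transfer is accepted as-is. `get_url` supports `checksum: "sha256:<digest>"`; threading an optional per-item value through as `checksum: "{{ item.checksum | default(omit) }}"` lets deployments pin the images without breaking those that do not. Separately, `mode: 0640` on the kernel and ramdisk is only correct if whatever serves them to nodes runs as `ansible_user` or its group, which this hunk does not show — worth confirming, since the previous root-owned downloads were typically world-readable.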
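Review bot: `group: "{{ ansible_user }}"` in the kolla role's directory task presumes a group named after the login user, which holds on user-private-group distributions but not universally, and the task fails outright when no such group exists. Prefer the gathered `ansible_user_gid` fact (confirming it reflects the connecting user in these plays) or omit `group` and let `mode: 0750` do the work. The `with_items` list continues past the end of the hunk.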
+++ b/ansible/roles/kolla/tasks/install.yml @@ -12,19 +12,15 @@ - python-pip - python-virtualenv -- name: Ensure the latest version of pip is installed - pip: - name: "{{ item.name }}" - state: latest - virtualenv: "{{ kolla_venv }}" - with_items: - - { name: pip } - - name: Ensure source code checkout path exists file: path: "{{ source_checkout_path }}" state: directory + owner: "{{ ansible_user }}" + group: "{{ ansible_user }}" recurse: True + become: True + when: "{{ kolla_ctl_install_type == 'source' }}" - name: Ensure Kolla source code checkout exists git: @@ -33,6 +29,14 @@ version: "{{ kolla_source_version }}" when: "{{ kolla_ctl_install_type == 'source' }}" +- name: Ensure the latest version of pip is installed + pip: + name: "{{ item.name }}" + state: latest + virtualenv: "{{ kolla_venv }}" + with_items: + - { name: pip } + - name: Ensure required Python packages are installed pip: name: "{{ item.name }}"
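Review bot: `recurse: True` was already on this task, but combined with the new `owner`/`group` under `become: True` it now recursively chowns everything under `{{ source_checkout_path }}` to `ansible_user` as root on every run, including any content other roles or users placed there. The `git` clone that follows runs as `ansible_user` and owns what it creates, so the directory itself is all that needs the ownership; remove `recurse: True` to keep the privileged change to that one directory. The added `when: "{{ kolla_ctl_install_type == 'source' }}"` matches the existing `git` task's style but uses Jinja delimiters in `when`, which Ansible warns about; `when: kolla_ctl_install_type == 'source'` is the supported form. The `git:` task body continues past the end of the hunk.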