Don't use become for Kolla Ansible

Using become for all Kolla Ansible tasks is not ideal from a security
perspective. It is also incompatible with fact caching, since it causes
facts to be gathered and cached as root, which changes some facts.

This change modifies the default value of kolla_ansible_become to false.

Change-Id: I9ee5c55e59276f70c92e9c698c01123dcf8919a1
Story: 2007492
Task: 39217
Mark Goddard 2020-03-31 15:14:16 +01:00
parent 15e2dce049
commit 939e298c56
5 changed files with 10 additions and 4 deletions

@ -335,7 +335,7 @@ kolla_ansible_group: kolla
# Whether to use privilege escalation for all operations performed via Kolla # Whether to use privilege escalation for all operations performed via Kolla
# Ansible. # Ansible.
kolla_ansible_become: true kolla_ansible_become: false
############################################################################### ###############################################################################
# Kolla feature flag configuration. # Kolla feature flag configuration.
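
Review bot: The comment above `kolla_ansible_become` still reads "Whether to use privilege escalation for all operations performed via Kolla Ansible", which no longer tells a reader what the new default of `false` means in practice. The release note in this change says escalation is then used "only where necessary"; a short sentence to that effect in this comment would stop operators from reading `false` as "never escalates" and from loosening or tightening sudo rules for the Kolla SSH user on that assumption.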

@ -54,7 +54,7 @@ kolla_ansible_group: kolla
# Whether to use privilege escalation for all operations performed via Kolla # Whether to use privilege escalation for all operations performed via Kolla
# Ansible. # Ansible.
kolla_ansible_become: true kolla_ansible_become: false
############################################################################### ###############################################################################
# Kolla-ansible inventory configuration. # Kolla-ansible inventory configuration.
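
Review bot: This is a second definition of the same default, `kolla_ansible_become: false`, with the same comment as the hunk at line 335 of the other file. Two copies of a privilege-related default can drift apart in a later change; if both files have to carry it, a test or a comment pointing at the other location would make a mismatch visible. Otherwise consider keeping a single definition.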

@ -151,7 +151,7 @@ The following variables affect how Ansible accesses the remote hosts.
Primary group of Kolla SSH user. Default is ``kolla``. Primary group of Kolla SSH user. Default is ``kolla``.
``kolla_ansible_become`` ``kolla_ansible_become``
Whether to use privilege escalation for all operations performed via Kolla Whether to use privilege escalation for all operations performed via Kolla
Ansible. Default is ``true``. Ansible. Default is ``false`` since the 8.0.0 Ussuri release.
``kolla_ansible_target_venv`` ``kolla_ansible_target_venv``
Path to a virtual environment on remote hosts to use for Ansible module Path to a virtual environment on remote hosts to use for Ansible module
execution. Default is ``{{ virtualenv_path }}/kolla-ansible``. May be set execution. Default is ``{{ virtualenv_path }}/kolla-ansible``. May be set
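
Review bot: In the `kolla_ansible_become` entry, "Default is ``false`` since the 8.0.0 Ussuri release" gives the version but not the earlier value. Adding "(previously ``true``)" would let operators upgrading from an older release see from the reference documentation alone that the behaviour changes, and that setting the variable explicitly keeps the old one.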

@ -169,7 +169,7 @@
#kolla_ansible_group: #kolla_ansible_group:
# Whether to use privilege escalation for all operations performed via Kolla # Whether to use privilege escalation for all operations performed via Kolla
# Ansible. Default is 'true'. # Ansible. Default is 'false'.
#kolla_ansible_become: #kolla_ansible_become:
############################################################################### ###############################################################################

@ -0,0 +1,6 @@
---
upgrade:
- |
Modifies the default value of ``kolla_ansible_become`` to ``false``. This
means that Kolla Ansible will no longer use privilege escalation for all
tasks, and will only use it where necessary.
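
Review bot: The upgrade note states the new default but not what an operator should do about it. Two things are missing: that setting `kolla_ansible_become` to `true` retains the previous behaviour, and the fact-caching point from the commit message. Since facts gathered with become were cached as root and differ from those gathered without it, deployments with fact caching enabled may hold stale root-gathered facts after the upgrade; a sentence on whether the cache should be cleared would help. The security motivation given in the commit message could also be recorded here so it reaches operators.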