Don't use become for Kolla Ansible

Using become for all Kolla Ansible tasks is not ideal from a security perspective. It is also incompatible with fact caching, since it causes facts to be gathered and cached as root, which changes some facts. This change modifies the default value of kolla_ansible_become to false. Change-Id: I9ee5c55e59276f70c92e9c698c01123dcf8919a1 Story: 2007492 Task: 39217
2020-03-31 15:14:16 +01:00 · 2020-03-31 15:14:16 +01:00 · 939e298c56
commit 939e298c56
parent 15e2dce049
5 changed files with 10 additions and 4 deletions
--- a/ansible/group_vars/all/kolla
+++ b/ansible/group_vars/all/kolla
@ -335,7 +335,7 @@ kolla_ansible_group: kolla

 # Whether to use privilege escalation for all operations performed via Kolla
 # Ansible.
-kolla_ansible_become: true
+kolla_ansible_become: false

 ###############################################################################
 # Kolla feature flag configuration.
--- a/ansible/roles/kolla-ansible/defaults/main.yml
+++ b/ansible/roles/kolla-ansible/defaults/main.yml
@ -54,7 +54,7 @@ kolla_ansible_group: kolla

 # Whether to use privilege escalation for all operations performed via Kolla
 # Ansible.
-kolla_ansible_become: true
+kolla_ansible_become: false

 ###############################################################################
 # Kolla-ansible inventory configuration.
--- a/doc/source/configuration/kolla-ansible.rst
+++ b/doc/source/configuration/kolla-ansible.rst
@ -151,7 +151,7 @@ The following variables affect how Ansible accesses the remote hosts.
    Primary group of Kolla SSH user. Default is ``kolla``.
 ``kolla_ansible_become``
    Whether to use privilege escalation for all operations performed via Kolla
-    Ansible. Default is ``true``.
+    Ansible. Default is ``false`` since the 8.0.0 Ussuri release.
 ``kolla_ansible_target_venv``
    Path to a virtual environment on remote hosts to use for Ansible module
    execution. Default is ``{{ virtualenv_path }}/kolla-ansible``. May be set
--- a/etc/kayobe/kolla.yml
+++ b/etc/kayobe/kolla.yml
@ -169,7 +169,7 @@
 #kolla_ansible_group:

 # Whether to use privilege escalation for all operations performed via Kolla
-# Ansible. Default is 'true'.
+# Ansible. Default is 'false'.
 #kolla_ansible_become:

 ###############################################################################
--- a/releasenotes/notes/kolla-ansible-become-false-95aa88edd3c8c259.yaml
+++ b/releasenotes/notes/kolla-ansible-become-false-95aa88edd3c8c259.yaml
@ -0,0 +1,6 @@
+---
+upgrade:
+  - |
+    Modifies the default value of ``kolla_ansible_become`` to ``false``. This
+    means that Kolla Ansible will no longer use privilege escalation for all
+    tasks, and will only use it where necessary.