Add support for adding a user account for SSH access

This requires us to use a bootstrap user account to add the Kayobe user and group with an authorised SSH key. All subsequent SSH access uses this new user.
2017-02-16 10:44:33 +00:00 · 2017-02-16 10:44:33 +00:00 · efc7424e26
commit efc7424e26
parent f066dd286c
12 changed files with 81 additions and 3 deletions
--- a/ansible/group_vars/all/controllers
+++ b/ansible/group_vars/all/controllers
@ -0,0 +1,7 @@
+---
+###############################################################################
+# Controller node configuration.
+
+# User with which to access the controllers via SSH during bootstrap, in order
+# to setup the Kayobe user account.
+controller_bootstrap_user: "{{ lookup('env', 'USER') }}"
--- a/ansible/group_vars/all/globals
+++ b/ansible/group_vars/all/globals
@ -12,3 +12,7 @@ image_cache_path: "{{ ansible_user_dir ~ '/kayobe-image-cache' }}"

 # Path on which to checkout source code repositories.
 source_checkout_path: "{{ ansible_user_dir ~ '/kayobe-source' }}"
+
+# User with which to access seed and controller nodes. This user will be
+# created if it does not exist.
+kayobe_ansible_user: "stack"
--- a/ansible/group_vars/all/seed-vm
+++ b/ansible/group_vars/all/seed-vm
@ -52,3 +52,7 @@ seed_vm_data_capacity: 100G

 # Format of the seed VM data volume.
 seed_vm_data_format: qcow2
+
+# User with which to access the seed VM via SSH during bootstrap, in order to
+# setup the Kayobe user account.
+seed_vm_bootstrap_user: "{{ lookup('env', 'USER') }}"
--- a/ansible/group_vars/controllers/ansible-user
+++ b/ansible/group_vars/controllers/ansible-user
@ -0,0 +1,3 @@
+---
+# User with which to access the controllers via SSH.
+ansible_user: "{{ kayobe_ansible_user }}"
--- a/ansible/group_vars/seed/ansible-user
+++ b/ansible/group_vars/seed/ansible-user
@ -0,0 +1,3 @@
+---
+# User with which to access the seed VM via SSH.
+ansible_user: "{{ kayobe_ansible_user }}"
--- a/ansible/kayobe-ansible-user.yml
+++ b/ansible/kayobe-ansible-user.yml
@ -0,0 +1,32 @@
+---
+- name: Ensure the Kayobe Ansible user account exists
+  hosts: seed:controllers
+  vars:
+    ansible_user: "{{ seed_vm_bootstrap_user if inventory_hostname in groups['seed'] else controller_bootstrap_user }}"
+  tasks:
+    - name: Ensure the Kayobe Ansible group exists
+      group:
+        name: "{{ kayobe_ansible_user }}"
+        state: present
+      become: True
+
+    - name: Ensure the Kayobe Ansible user account exists
+      user:
+        name: "{{ kayobe_ansible_user }}"
+        group: "{{ kayobe_ansible_user }}"
+        comment: "Kayobe Ansible SSH access"
+        state: present
+      become: True
+
+    - name: Ensure the Kayobe Ansible user has passwordless sudo
+      copy:
+        content: "{{ kayobe_ansible_user }} ALL=(ALL) NOPASSWD: ALL"
+        dest: "/etc/sudoers.d/kayobe-ansible-user"
+        mode: 0440
+      become: True
+
+    - name: Ensure the Kayobe Ansible user has authorized our SSH key
+      authorized_key:
+        user: "{{ kayobe_ansible_user }}"
+        key: "{{ lookup('file', ssh_public_key_path) }}"
+      become: True
--- a/deploy-overcloud.sh
+++ b/deploy-overcloud.sh
@ -8,8 +8,9 @@ function run_playbook {
    test -e ${KAYOBE_CONFIG_PATH}/inventory
    ansible-playbook \
        -i ${KAYOBE_CONFIG_PATH}/inventory \
-        -e @${KAYOBE_CONFIG_PATH}/globals.yml \
+        -e @${KAYOBE_CONFIG_PATH}/controllers.yml \
        -e @${KAYOBE_CONFIG_PATH}/dns.yml \
+        -e @${KAYOBE_CONFIG_PATH}/globals.yml \
        -e @${KAYOBE_CONFIG_PATH}/kolla.yml \
        -e @${KAYOBE_CONFIG_PATH}/networks.yml \
        -e @${KAYOBE_CONFIG_PATH}/network-allocation.yml \
@ -34,12 +35,14 @@ function run_kolla_ansible {
 }

 function configure_os {
+    ansible_user=$(./kayobe-config-dump -e dump_hosts=controllers[0] -e dump_var_name=kayobe_ansible_user | head -n -1)
    run_playbook ansible/ip-allocation.yml -l controllers
    run_playbook ansible/ssh-known-host.yml -l controllers
+    run_playbook ansible/kayobe-ansible-user.yml -l controllers
    run_playbook ansible/disable-selinux.yml -l controllers
    run_playbook ansible/network.yml -l controllers
    run_playbook ansible/ntp.yml -l controllers
-    run_kolla_ansible bootstrap-servers -e ansible_user=${USER}
+    run_kolla_ansible bootstrap-servers -e ansible_user=${ansible_user}
    run_playbook ansible/kolla-host.yml -l controllers
    run_playbook ansible/docker.yml -l controllers
 }
--- a/deploy-seed.sh
+++ b/deploy-seed.sh
@ -36,12 +36,14 @@ function run_kolla_ansible {
 }

 function configure_os {
+    ansible_user=$(./kayobe-config-dump -e dump_hosts=seed -e dump_var_name=kayobe_ansible_user | head -n -1)
    run_playbook ansible/ip-allocation.yml -l seed
    run_playbook ansible/ssh-known-host.yml -l seed
+    run_playbook ansible/kayobe-ansible-user.yml -l seed
    run_playbook ansible/disable-selinux.yml -l seed
    run_playbook ansible/network.yml -l seed
    run_playbook ansible/ntp.yml -l seed
-    run_kolla_ansible bootstrap-servers -e ansible_user=${USER}
+    run_kolla_ansible bootstrap-servers -e ansible_user=${ansible_user}
    run_playbook ansible/kolla-host.yml -l seed
    run_playbook ansible/docker.yml -l seed
 }
--- a/etc/kayobe/controllers.yml
+++ b/etc/kayobe/controllers.yml
@ -0,0 +1,11 @@
+---
+###############################################################################
+# Controller node configuration.
+
+# User with which to access the controllers via SSH during bootstrap, in order
+# to setup the Kayobe user account.
+#controller_bootstrap_user:
+
+###############################################################################
+# Dummy variable to allow Ansible to accept this file.
+workaround_ansible_issue_8743: yes
--- a/etc/kayobe/globals.yml
+++ b/etc/kayobe/globals.yml
@ -13,6 +13,10 @@
 # Path on which to checkout source code repositories.
 #source_checkout_path:

+# User with which to access seed and controller nodes. This user will be
+# created if it does not exist.
+#kayobe_ansible_user:
+
 ###############################################################################
 # Dummy variable to allow Ansible to accept this file.
 workaround_ansible_issue_8743: yes
--- a/etc/kayobe/seed-vm.yml
+++ b/etc/kayobe/seed-vm.yml
@ -29,6 +29,10 @@
 # Base image for the seed VM root volume.
 #seed_vm_root_image:

+# User with which to access the seed VM via SSH during bootstrap, in order to
+# setup the Kayobe user account.
+#seed_vm_bootstrap_user:
+
 ###############################################################################
 # Dummy variable to allow Ansible to accept this file.
 workaround_ansible_issue_8743: yes
--- a/1
+++ b/1
@ -9,6 +9,7 @@ test -e ${KAYOBE_CONFIG_PATH}/inventory
 exec ansible-playbook \
  -i ${KAYOBE_CONFIG_PATH}/inventory \
  -e @${KAYOBE_CONFIG_PATH}/bifrost.yml \
+  -e @${KAYOBE_CONFIG_PATH}/controllers.yml \
  -e @${KAYOBE_CONFIG_PATH}/dns.yml \
  -e @${KAYOBE_CONFIG_PATH}/globals.yml \
  -e @${KAYOBE_CONFIG_PATH}/kolla.yml \