From 26b2c2d9e94bbdcb12f8ccaa5d3198f0654c0a1e Mon Sep 17 00:00:00 2001
From: Duong Ha-Quang
Date: Tue, 23 Aug 2016 00:18:36 +0700
Subject: [PATCH] Specify 'become' to necessary tasks (general roles)

Add config_owner_user and config_owner_group to group_vars/all, which is user and group of Kolla configuration files in /etc/kolla. Add become to post-deploy playbook. Add become to only neccesary tasks in roles:
- certificate
- common
- destroy
- haproxy
- mariadb
- memcached
- rabbitmq

Change-Id: I2aba745a6e3928c52642f64551470fd08cbfd058
Partial-Implements: blueprint ansible-specific-task-become
---
 ansible/group_vars/all.yml | 4 +++
 ansible/post-deploy.yml | 1 +
 ansible/roles/certificates/tasks/generate.yml | 6 +++++
 ansible/roles/common/tasks/config.yml | 26 +++++++++++++++++++
 ansible/roles/destroy/tasks/cleanup_host.yml | 1 +
 ansible/roles/haproxy/tasks/config.yml | 15 ++++++++++-
 ansible/roles/mariadb/tasks/config.yml | 12 ++++++++-
 ansible/roles/memcached/tasks/config.yml | 9 ++++++-
 ansible/roles/prechecks/tasks/main.yml | 2 ++
 ansible/roles/prechecks/tasks/user_checks.yml | 19 ++++++++++++++
 ansible/roles/rabbitmq/tasks/config.yml | 9 ++++++-
 .../specify-task-become-84f83707f612bcf3.yaml | 5 ++++
 12 files changed, 105 insertions(+), 4 deletions(-)
 create mode 100644 ansible/roles/prechecks/tasks/user_checks.yml
 create mode 100644 releasenotes/notes/specify-task-become-84f83707f612bcf3.yaml

diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml
index f22fefdf60..a172289dc0 100644
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@@ -15,6 +15,10 @@ project: ""
 # The directory to store the config files on the destination node
 node_config_directory: "/etc/kolla/{{ project }}"
 
+# The group which own node_config_directory
+config_owner_user: "kolla"
+config_owner_group: "kolla"
+
 
 ###################
 # Kolla options
diff --git a/ansible/post-deploy.yml b/ansible/post-deploy.yml
index 2f5ad7669d..1cecaf1faa 100644
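Review bot: The comment on the new variables only mentions the group, but the hunk adds both `config_owner_user` and `config_owner_group`, and the rest of the patch applies them as owner and group of the per-role config directories; reword it to `# The user and group that own node_config_directory and the rendered config files under it`. It is also worth stating here that everything rendered under that directory becomes group-readable through this group, so the group should contain only the deploy account. The prechecks added in this patch verify that the user and group exist, but nothing in the patch creates them, which the comment could say so operators know to provision them first.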
--- a/ansible/post-deploy.yml
+++ b/ansible/post-deploy.yml
@@ -1,6 +1,7 @@
 ---
 - name: Creating admin openrc file on the deploy node
 hosts: localhost
+ become: true
 tasks:
 - template:
 src: "roles/common/templates/admin-openrc.sh.j2"
diff --git a/ansible/roles/certificates/tasks/generate.yml b/ansible/roles/certificates/tasks/generate.yml
index b0014e13aa..d981e5a6d1 100644
--- a/ansible/roles/certificates/tasks/generate.yml
+++ b/ansible/roles/certificates/tasks/generate.yml
@@ -1,5 +1,6 @@
 ---
 - name: Ensuring config directories exist
+ become: true
 file:
 path: "{{ node_config_directory }}/{{ item }}"
 state: "directory"
@@ -8,6 +9,7 @@
 - "certificates/private"
 
 - name: Creating SSL configuration file
+ become: true
 template:
 src: "{{ item }}.j2"
 dest: "{{ node_config_directory }}/certificates/{{ item }}"
@@ -15,11 +17,13 @@
 - "openssl-kolla.cnf"
 
 - name: Creating Key
+ become: true
 command: creates="{{ item }}" openssl genrsa -out {{ item }}
 with_items:
 - "{{ node_config_directory }}/certificates/private/haproxy.key"
 
 - name: Creating Server Certificate
+ become: true
 command: creates="{{ item }}" openssl req -new -nodes -sha256 -x509 \
 -subj "/C=US/ST=NC/L=RTP/O=kolla/CN={{ kolla_external_fqdn }}" \
 -config {{ node_config_directory }}/certificates/openssl-kolla.cnf \
@@ -31,11 +35,13 @@
 - "{{ node_config_directory }}/certificates/private/haproxy.crt"
 
 - name: Creating CA Certificate File
+ become: true
 copy:
 src: "{{ node_config_directory }}/certificates/private/haproxy.crt"
 dest: "{{ node_config_directory }}/certificates/haproxy-ca.crt"
 
 - name: Creating Server PEM File
+ become: true
 assemble:
 src: "{{ node_config_directory }}/certificates/private"
 dest: "{{ node_config_directory }}/certificates/haproxy.pem"
diff --git a/ansible/roles/common/tasks/config.yml b/ansible/roles/common/tasks/config.yml
index 721bc4d753..b33bb89e04 100644
--- a/ansible/roles/common/tasks/config.yml
+++ b/ansible/roles/common/tasks/config.yml
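Review bot: With `become: true` on the play, admin-openrc.sh is now rendered as root, and the hunk shows no `mode` or `owner` on the template task, so unless the part of the task outside the hunk sets one the file gets root's umask default (typically 0644) and the admin credentials an openrc normally carries are readable by every local user on the deploy node. Add `mode: "0600"` (plus `owner`/`group` if the openrc is meant for the deploy user rather than root) to the template task, in line with the explicit modes this patch sets on the other rendered files. The template task continues past the end of the hunk.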
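Review bot: In the `Creating Key` and `Creating Server PEM File` hunks the private key and the combined haproxy.pem are now written as root with no permission handling: `openssl genrsa -out` creates its output with the process umask, and the `assemble` task shown sets no `mode`, so both can land as 0644 unless something outside the hunk corrects them. Add `mode: "0600"` to the `assemble` task and follow `Creating Key` with a `file` task on `{{ node_config_directory }}/certificates/private` using `mode: "0700"`, or use `owner`/`group` from `config_owner_user`/`config_owner_group` with `mode: "0770"` if the deploy user must read them. Any remaining keys of the `assemble` task are outside the hunk.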
@@ -4,6 +4,7 @@
 path: "{{ node_config_directory }}/{{ item }}"
 state: "directory"
 recurse: yes
+ become: true
 with_items:
 - "fluentd"
 - "fluentd/input"
@@ -18,6 +19,8 @@
 template:
 src: "{{ item.key }}.json.j2"
 dest: "{{ node_config_directory }}/{{ item.key }}/config.json"
+ mode: "0660"
+ become: true
 register: common_config_jsons
 with_dict: "{{ common_services }}"
 notify:
@@ -27,6 +30,8 @@
 template:
 src: "conf/input/{{ item }}.conf.j2"
 dest: "{{ node_config_directory }}/fluentd/input/{{ item }}.conf"
+ mode: "0660"
+ become: true
 register: fluentd_input
 with_items:
 - "00-global"
@@ -42,6 +47,8 @@
 template:
 src: "conf/output/{{ item.name }}.conf.j2"
 dest: "{{ node_config_directory }}/fluentd/output/{{ item.name }}.conf"
+ mode: "0660"
+ become: true
 register: fluentd_output
 when: item.enabled | bool
 with_items:
@@ -74,7 +81,9 @@
 template:
 src: "conf/format/{{ item }}.conf.j2"
 dest: "{{ node_config_directory }}/fluentd/format/{{ item }}.conf"
+ mode: "0660"
 register: fluentd_format
+ become: true
 with_items:
 - "apache_access"
 - "wsgi_access"
@@ -85,6 +94,8 @@
 template:
 src: "conf/filter/{{ item }}.conf.j2"
 dest: "{{ node_config_directory }}/fluentd/filter/{{ item }}.conf"
+ mode: "0660"
+ become: true
 register: fluentd_filter
 with_items:
 - "00-record_transformer"
@@ -96,6 +107,8 @@
 template:
 src: "td-agent.conf.j2"
 dest: "{{ node_config_directory }}/{{ item }}/td-agent.conf"
+ mode: "0660"
+ become: true
 register: fluentd_td_agent
 with_items:
 - "fluentd"
@@ -106,6 +119,8 @@
 template:
 src: "cron-logrotate-{{ item.name }}.conf.j2"
 dest: "{{ node_config_directory }}/cron/logrotate/{{ item.name }}.conf"
+ mode: "0660"
+ become: true
 register: cron_confs
 when: item.enabled | bool
 with_items:
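Review bot: `mode: "0660"` on the config.json template (and on the fluentd and cron templates in the hunks below) is applied under `become` with no `owner`/`group`, so the rendered files are root:root 0660; the new `config_owner_user`/`config_owner_group` variables are never applied to files in this role, and a non-root deploy user in the kolla group cannot read them, which defeats the purpose of introducing the group. Add `owner: "{{ config_owner_user }}"` and `group: "{{ config_owner_group }}"` next to each `mode` so files and directories agree. In the `conf/format` hunk `become: true` is placed after `register` while every other hunk keeps `mode` and `become` together; one consistent keyword order makes a missing `become` easy to spot.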
@@ -165,6 +180,17 @@
 notify:
 - Restart cron container
 
+- name: Ensuring config directories have correct owner and permission
+ become: true
+ file:
+ path: "{{ node_config_directory }}/{{ item }}"
+ owner: "{{ config_owner_user }}"
+ group: "{{ config_owner_group }}"
+ mode: "0770"
+ with_items:
+ - "fluentd"
+ - "cron"
+
 - name: Check common containers
 kolla_docker:
 action: "compare_container"
diff --git a/ansible/roles/destroy/tasks/cleanup_host.yml b/ansible/roles/destroy/tasks/cleanup_host.yml
index ba5a343c5b..1ee9958051 100644
--- a/ansible/roles/destroy/tasks/cleanup_host.yml
+++ b/ansible/roles/destroy/tasks/cleanup_host.yml
@@ -1,5 +1,6 @@
 ---
 - name: Destroying Kolla host configuration
+ become: true
 command: >
 env enable_haproxy={{ enable_haproxy }}
 enable_swift={{ enable_swift }}
diff --git a/ansible/roles/haproxy/tasks/config.yml b/ansible/roles/haproxy/tasks/config.yml
index f30012e5f1..51ddb5b78b 100644
--- a/ansible/roles/haproxy/tasks/config.yml
+++ b/ansible/roles/haproxy/tasks/config.yml
@@ -1,6 +1,7 @@
 ---
 - name: Setting sysctl values
 sysctl: name={{ item.name }} value={{ item.value }} sysctl_set=yes
+ become: true
 with_items:
 - { name: "net.ipv4.ip_nonlocal_bind", value: 1}
 - { name: "net.unix.max_dgram_qlen", value: 128}
@@ -10,7 +11,10 @@
 file:
 path: "{{ node_config_directory }}/{{ item.key }}"
 state: "directory"
- recurse: yes
+ owner: "{{ config_owner_user }}"
+ group: "{{ config_owner_group }}"
+ mode: "0770"
+ become: true
 when:
 - inventory_hostname in groups[item.value.group]
 - item.value.enabled | bool
@@ -20,6 +24,8 @@
 template:
 src: "{{ item.key }}.json.j2"
 dest: "{{ node_config_directory }}/{{ item.key }}/config.json"
+ mode: "0660"
+ become: true
 register: haproxy_config_jsons
 when:
 - inventory_hostname in groups[item.value.group]
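Review bot: The new `Ensuring config directories have correct owner and permission` task has no `recurse: yes`, so owner, group and mode are applied only to the `fluentd` and `cron` inodes; the `fluentd/input`, `fluentd/output`, `fluentd/format`, `fluentd/filter` and `cron/logrotate` subdirectories created as root by the first task in this file, and the files rendered into them, keep root ownership. A plain `recurse: yes` would push 0770 onto the files as well, so use the symbolic form: `recurse: yes` together with `mode: "u=rwX,g=rwX,o="`, which applies the execute bit only to directories. The other roles in this patch set owner/group on the directory-creation task itself, which would also work here and removes the ordering dependency on this trailing task.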
@@ -35,6 +41,8 @@
 template:
 src: "{{ item }}"
 dest: "{{ node_config_directory }}/haproxy/haproxy.cfg"
+ mode: "0660"
+ become: true
 register: haproxy_cfg
 when:
 - inventory_hostname in groups[service.group]
@@ -53,6 +61,8 @@
 template:
 src: "{{ item }}"
 dest: "{{ node_config_directory }}/keepalived/keepalived.conf"
+ mode: "0660"
+ become: true
 register: keepalived_conf
 when:
 - inventory_hostname in groups[service.group]
@@ -70,6 +80,8 @@
 copy:
 src: "{{ kolla_external_fqdn_cert }}"
 dest: "{{ node_config_directory }}/haproxy/{{ item }}"
+ mode: "0660"
+ become: true
 register: haproxy_pem
 when:
 - kolla_enable_tls_external | bool
@@ -97,3 +109,4 @@
 with_dict: "{{ haproxy_services }}"
 notify:
 - "Restart {{ item.key }} container"
+
diff --git a/ansible/roles/mariadb/tasks/config.yml b/ansible/roles/mariadb/tasks/config.yml
index 01a9790dc2..abb0745986 100644
--- a/ansible/roles/mariadb/tasks/config.yml
+++ b/ansible/roles/mariadb/tasks/config.yml
@@ -3,7 +3,10 @@
 file:
 path: "{{ node_config_directory }}/{{ item.key }}"
 state: "directory"
- recurse: yes
+ owner: "{{ config_owner_user }}"
+ group: "{{ config_owner_group }}"
+ mode: "0770"
+ become: true
 when:
 - inventory_hostname in groups[item.value.group]
 - item.value.enabled | bool
@@ -16,6 +19,8 @@
 template:
 src: "{{ service_name }}.json.j2"
 dest: "{{ node_config_directory }}/{{ service_name }}/config.json"
+ mode: "0660"
+ become: true
 register: mariadb_config_json
 when:
 - inventory_hostname in groups[service.group]
@@ -34,6 +39,8 @@
 - "{{ node_custom_config }}/galera.cnf"
 - "{{ node_custom_config }}/mariadb/{{ inventory_hostname }}/galera.cnf"
 dest: "{{ node_config_directory }}/{{ service_name }}/galera.cnf"
+ mode: "0660"
+ become: true
 register: mariadb_galera_conf
 when:
 - inventory_hostname in groups[service.group]
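Review bot: `mode: "0660"` on the copied `{{ kolla_external_fqdn_cert }}` makes a HAProxy PEM, which normally bundles the TLS private key, readable by every member of the owning group, and because the task runs under `become` without `owner`/`group` the file is root:root, so the intended kolla user cannot read it anyway. Use `mode: "0600"` here, since the file is presumably consumed by the root-run container rather than the deploy user, or if group access is genuinely needed add `owner: "{{ config_owner_user }}"` and `group: "{{ config_owner_group }}"` explicitly. The task's `when` list continues past the hunk.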
@@ -46,6 +53,8 @@
 template:
 src: "{{ role_path }}/templates/wsrep-notify.sh.j2"
 dest: "{{ node_config_directory }}/{{ item.key }}/wsrep-notify.sh"
+ mode: "0770"
+ become: true
 register: mariadb_wsrep_notify
 when:
 - inventory_hostname in groups[item.value.group]
@@ -62,6 +71,7 @@
 name: "{{ item.value.container_name }}"
 image: "{{ item.value.image }}"
 volumes: "{{ item.value.volumes }}"
+ become: true
 register: check_mariadb_containers
 when:
 - action != "config"
diff --git a/ansible/roles/memcached/tasks/config.yml b/ansible/roles/memcached/tasks/config.yml
index 63438c6e8a..f69b7ad6bb 100644
--- a/ansible/roles/memcached/tasks/config.yml
+++ b/ansible/roles/memcached/tasks/config.yml
@@ -3,7 +3,10 @@
 file:
 path: "{{ node_config_directory }}/{{ item }}"
 state: "directory"
- recurse: yes
+ owner: "{{ config_owner_user }}"
+ group: "{{ config_owner_group }}"
+ mode: "0770"
+ become: true
 with_items:
 - "memcached"
 
@@ -11,7 +14,9 @@
 template:
 src: "{{ item }}.json.j2"
 dest: "{{ node_config_directory }}/{{ item }}/config.json"
+ mode: "0660"
 register: memcached_config_json
+ become: true
 with_items:
 - "memcached"
 notify: Restart memcached container
@@ -25,9 +30,11 @@
 name: "{{ service.container_name }}"
 image: "{{ service.image }}"
 volumes: "{{ service.volumes }}"
+ become: true
 register: check_memcached_container
 when:
 - inventory_hostname in groups[service.group]
 - service.enabled | bool
 - action != "config"
 notify: Restart memcached container
+
diff --git a/ansible/roles/prechecks/tasks/main.yml b/ansible/roles/prechecks/tasks/main.yml
index aa37e38485..d7b6081b70 100644
--- a/ansible/roles/prechecks/tasks/main.yml
+++ b/ansible/roles/prechecks/tasks/main.yml
@@ -4,3 +4,5 @@
 - include: service_checks.yml
 
 - include: package_checks.yml
+
+- include: user_checks.yml
diff --git a/ansible/roles/prechecks/tasks/user_checks.yml b/ansible/roles/prechecks/tasks/user_checks.yml
new file mode 100644
index 0000000000..faae3e48d4
--- /dev/null
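Review bot: In the memcached config.json hunk the task keywords are interleaved with module arguments: `mode` is added above `register` and `become: true` below it, whereas the other hunks in this patch keep `mode` and `become` adjacent and ahead of `register`. Keep the same shape here (`mode: "0660"`, then `become: true`, then `register: memcached_config_json`) so a reader scanning for a missing `become` can rely on position. As elsewhere in the patch, this template runs as root with no `owner`/`group`, so the 0660 file is root-owned; if the kolla user is expected to read it, add the owner and group alongside the mode.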
+++ b/ansible/roles/prechecks/tasks/user_checks.yml
@@ -0,0 +1,19 @@
+---
+- name: Check if config_owner_user existed
+ getent:
+ database: passwd
+ key: "{{ config_owner_user }}"
+
+- name: Check if config_owner_group existed
+ getent:
+ database: group
+ key: "{{ config_owner_group }}"
+ register: getent_group
+
+#(duonghq) it's only a basic check, should be refined later
+- name: Check if ansible user can do passwordless sudo
+ shell: sudo -n true
+ register: result
+ failed_when: result | failed
+
+
diff --git a/ansible/roles/rabbitmq/tasks/config.yml b/ansible/roles/rabbitmq/tasks/config.yml
index 96decd79f4..bc4f3ac491 100644
--- a/ansible/roles/rabbitmq/tasks/config.yml
+++ b/ansible/roles/rabbitmq/tasks/config.yml
@@ -3,7 +3,10 @@
 file:
 path: "{{ node_config_directory }}/{{ project_name }}"
 state: "directory"
- recurse: yes
+ owner: "{{ config_owner_user }}"
+ group: "{{ config_owner_group }}"
+ mode: "0770"
+ become: true
 when:
 - inventory_hostname in groups[item.value.group]
 - item.value.enabled | bool
@@ -13,6 +16,8 @@
 template:
 src: "{{ item.key }}.json.j2"
 dest: "{{ node_config_directory }}/{{ project_name }}/config.json"
+ mode: "0770"
+ become: true
 register: rabbitmq_config_jsons
 when:
 - inventory_hostname in groups[item.value.group]
@@ -27,6 +32,8 @@
 template:
 src: "{{ item }}.j2"
 dest: "{{ node_config_directory }}/{{ project_name }}/{{ item }}"
+ mode: "0770"
+ become: true
 register: rabbitmq_confs
 when:
 - inventory_hostname in groups[service.group]
diff --git a/releasenotes/notes/specify-task-become-84f83707f612bcf3.yaml b/releasenotes/notes/specify-task-become-84f83707f612bcf3.yaml
new file mode 100644
index 0000000000..0cc8865865
--- /dev/null
+++ b/releasenotes/notes/specify-task-become-84f83707f612bcf3.yaml
@@ -0,0 +1,5 @@
+---
+prelude: >
+ Specify Ansible "become" for only necessary tasks.
+features:
+ - Add "become" to necessary tasks of general roles.
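Review bot: The passwordless-sudo precheck hardcodes `sudo` through `shell`, so it passes or fails independently of the `become_method`/`become_user` the deployment is actually configured with, and `failed_when: result | failed` only restates the default non-zero-rc failure. Exercise the real escalation path instead: `become: true` / `command: "true"` / `changed_when: false` in place of the `shell`, `register` and `failed_when` lines, which also avoids invoking a shell where none is needed and stops the task reporting "changed" on every run. `register: getent_group` on the group check is never used, the task names read better as "exists" than "existed", and the two trailing `+` blank lines at end of file will fail yamllint.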
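Review bot: `mode: "0770"` on `config.json` (and on the rabbitmq config templates in the following hunk) gives data files the execute bit, inconsistent with the `0660` every other role in this patch uses for config.json and its config files; within this patch only wsrep-notify.sh needs execute. Change both to `mode: "0660"`. As in the other roles, the template tasks run under `become` without `owner`/`group`, so the files end up root-owned; add `owner: "{{ config_owner_user }}"` and `group: "{{ config_owner_group }}"` alongside the mode if the kolla user is expected to read them.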