From 9965cc46ff627e002ebeb1060e499c2991fc9f33 Mon Sep 17 00:00:00 2001 
From: Duong Ha-Quang Date: Wed, 24 Aug 2016 00:28:08 +0700 Subject: [PATCH] Specify 'become' for only neccesary tasks (all other roles) Add become to only neccesary tasks in roles: - aodh - barbican - bifrost - ceilometer - ceph - chrony - cinder - cloudkitty - collectd - congress - designate - elasticsearch - etcd - freezer - gnocchi - grafana - influxdb - ironic - iscsi - karbor - kibana - kuryr - magnum - manila - mistral - mongodb - multipathd - murano - octavia - panko - qdrouterd - rally - sahara - searchlight - senlin - skydive - solum - swift - swift - tacker - telegraf - tempest - trove - vmtp - watcher - zun Change-Id: I6e32d94d4172dd96d09d8609e8a5221ab5586a31 Partial-Implements: blueprint ansible-specific-task-become --- ansible/roles/aodh/tasks/config.yml | 13 +++++++++++- ansible/roles/barbican/tasks/config.yml | 15 ++++++++++++- ansible/roles/bifrost/tasks/config.yml | 11 +++++++++- ansible/roles/ceilometer/tasks/config.yml | 15 ++++++++++++- ansible/roles/ceph/tasks/config.yml | 9 +++++++- .../roles/ceph/tasks/distribute_keyrings.yml | 12 ++++++++--- ansible/roles/ceph/tasks/start_osds.yml | 2 ++ ansible/roles/chrony/tasks/config.yml | 9 +++++++- ansible/roles/cinder/tasks/ceph.yml | 7 +++++++ ansible/roles/cinder/tasks/config.yml | 9 +++++++- ansible/roles/cinder/tasks/external_ceph.yml | 10 +++++++++ ansible/roles/cloudkitty/tasks/config.yml | 13 +++++++++++- ansible/roles/collectd/tasks/config.yml | 14 +++++++++++-- ansible/roles/congress/tasks/config.yml | 11 +++++++++- ansible/roles/designate/tasks/config.yml | 19 ++++++++++++++++- ansible/roles/elasticsearch/tasks/config.yml | 9 +++++++- ansible/roles/etcd/tasks/config.yml | 9 +++++++- ansible/roles/freezer/tasks/config.yml | 13 +++++++++++- ansible/roles/gnocchi/tasks/config.yml | 11 +++++++++- ansible/roles/grafana/tasks/config.yml | 9 +++++++- ansible/roles/influxdb/tasks/config.yml | 9 +++++++- ansible/roles/ironic/tasks/config.yml | 21 ++++++++++++++++++- 
ansible/roles/iscsi/tasks/config.yml | 15 +++++++++++-- ansible/roles/karbor/tasks/config.yml | 13 +++++++++++- ansible/roles/kibana/tasks/config.yml | 9 +++++++- ansible/roles/kuryr/tasks/config.yml | 13 +++++++++++- ansible/roles/magnum/tasks/config.yml | 11 +++++++++- ansible/roles/manila/tasks/config.yml | 11 +++++++++- ansible/roles/mistral/tasks/config.yml | 6 ++++++ ansible/roles/mongodb/tasks/config.yml | 9 +++++++- ansible/roles/multipathd/tasks/config.yml | 9 +++++++- ansible/roles/murano/tasks/config.yml | 9 +++++++- ansible/roles/octavia/tasks/config.yml | 11 +++++++++- ansible/roles/panko/tasks/config.yml | 13 +++++++++++- ansible/roles/qdrouterd/tasks/config.yml | 11 +++++++++- ansible/roles/rally/tasks/config.yml | 11 +++++++++- ansible/roles/sahara/tasks/config.yml | 11 +++++++++- ansible/roles/searchlight/tasks/config.yml | 11 +++++++++- ansible/roles/senlin/tasks/config.yml | 11 +++++++++- ansible/roles/skydive/tasks/config.yml | 9 +++++++- ansible/roles/solum/tasks/config.yml | 9 +++++++- ansible/roles/swift/tasks/config.yml | 18 ++++++++++++++++ ansible/roles/swift/tasks/start.yml | 1 + ansible/roles/tacker/tasks/config.yml | 11 +++++++++- ansible/roles/telegraf/tasks/config.yml | 11 +++++++++- ansible/roles/tempest/tasks/config.yml | 6 +++++- ansible/roles/trove/tasks/config.yml | 11 +++++++++- ansible/roles/vmtp/tasks/config.yml | 7 ++++++- ansible/roles/watcher/tasks/config.yml | 7 ++++++- ansible/roles/zun/tasks/config.yml | 13 +++++++++++- .../specify-task-become-84f83707f612bcf3.yaml | 4 ++-- 51 files changed, 491 insertions(+), 50 deletions(-) diff --git a/ansible/roles/aodh/tasks/config.yml b/ansible/roles/aodh/tasks/config.yml index 996fc57f76..a6fed5eae1 100644 --- a/ansible/roles/aodh/tasks/config.yml +++ b/ansible/roles/aodh/tasks/config.yml 
@@ -3,7 +3,10 @@ file: path: "{{ node_config_directory }}/{{ item.key }}" state: "directory" - recurse: yes + owner: "{{ config_owner_user }}" + group: "{{ config_owner_group }}" + mode: "0770" + become: true when: - item.value.enabled | bool - inventory_hostname in groups[item.value.group] @@ -30,6 +33,8 @@ template: src: "{{ aodh_policy_file_path }}" dest: "{{ node_config_directory }}/{{ item.key }}/{{ aodh_policy_file }}" + mode: "0660" + become: true register: aodh_policy_overwriting when: - aodh_policy_file is defined @@ -46,6 +51,8 @@ template: src: "{{ item.key }}.json.j2" dest: "{{ node_config_directory }}/{{ item.key }}/config.json" + mode: "0660" + become: true register: aodh_config_jsons when: - item.value.enabled | bool @@ -68,6 +75,8 @@ - "{{ node_custom_config }}/aodh/{{ item.key }}.conf" - "{{ node_custom_config }}/aodh/{{ inventory_hostname }}/aodh.conf" dest: "{{ node_config_directory }}/{{ item.key }}/aodh.conf" + mode: "0660" + become: true register: aodh_confs when: - item.value.enabled | bool @@ -85,6 +94,8 @@ template: src: "wsgi-aodh.conf.j2" dest: "{{ node_config_directory }}/aodh-api/wsgi-aodh.conf" + mode: "0660" + become: true register: aodh_conf_wsgi when: - inventory_hostname in groups[service.group] diff --git a/ansible/roles/barbican/tasks/config.yml b/ansible/roles/barbican/tasks/config.yml index c379c253d1..ce971d3c97 100644 --- a/ansible/roles/barbican/tasks/config.yml +++ b/ansible/roles/barbican/tasks/config.yml @@ -3,7 +3,10 @@ file: path: "{{ node_config_directory }}/{{ item }}" state: "directory" - recurse: yes + owner: "{{ config_owner_user }}" + group: "{{ config_owner_group }}" + mode: "0770" + become: true with_items: - "barbican-api/vassals" - "barbican-keystone-listener" @@ -30,6 +33,8 @@ template: src: "{{ item.key }}.json.j2" dest: "{{ node_config_directory }}/{{ item.key }}/config.json" + mode: "0660" + become: true register: barbican_config_jsons when: - inventory_hostname in groups[item.value.group] 
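Review bot: The template tasks in aodh/tasks/config.yml gain `mode: "0660"` and `become: true` but, unlike the directory task in the first hunk, no `owner`/`group`. The rendered files will therefore presumably belong to the become user (root unless `become_user` is set elsewhere) inside a directory owned by `config_owner_user`. If that split is intended, a short comment on the directory task saying so would help. Otherwise add `owner: "{{ config_owner_user }}"` and `group: "{{ config_owner_group }}"` to the file-writing tasks too. The same pattern repeats in the other roles' config.yml hunks in this patch, and the tasks themselves start and end outside the hunks shown.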
@@ -47,6 +52,8 @@ - "{{ node_custom_config }}/barbican-api/barbican-api.ini" - "{{ node_custom_config }}/barbican-api/{{ inventory_hostname }}/barbican-api.ini" dest: "{{ node_config_directory }}/barbican-api/vassals/barbican-api.ini" + mode: "0660" + become: true register: barbican_api_ini when: - inventory_hostname in groups['barbican-api'] @@ -69,6 +76,8 @@ template: src: "{{ node_custom_config }}/barbican/barbican-api-paste.ini" dest: "{{ node_config_directory }}/barbican-api/barbican-api-paste.ini" + mode: "0660" + become: true when: - inventory_hostname in groups['barbican-api'] - service.enabled | bool @@ -88,6 +97,8 @@ - "{{ node_custom_config }}/barbican/{{ item.key }}.conf" - "{{ node_custom_config }}/barbican/{{ inventory_hostname }}/barbican.conf" dest: "{{ node_config_directory }}/{{ item.key }}/barbican.conf" + mode: "0660" + become: true register: barbican_confs when: - item.value.enabled | bool @@ -100,6 +111,8 @@ template: src: "{{ barbican_policy_file_path }}" dest: "{{ node_config_directory }}/{{ item.key }}/{{ barbican_policy_file }}" + mode: "0660" + become: true register: barbican_policy_overwriting when: - barbican_policy_file is defined diff --git a/ansible/roles/bifrost/tasks/config.yml b/ansible/roles/bifrost/tasks/config.yml index 11a59a6d3c..5b95d20fd4 100644 --- a/ansible/roles/bifrost/tasks/config.yml +++ b/ansible/roles/bifrost/tasks/config.yml @@ -3,7 +3,10 @@ file: path: "{{ node_config_directory }}/{{ item }}" state: "directory" - recurse: yes + owner: "{{ config_owner_user }}" + group: "{{ config_owner_group }}" + mode: "0770" + become: true with_items: - "bifrost" @@ -14,6 +17,8 @@ - "{{ node_custom_config }}/{{ item }}.yml" - "{{ node_custom_config }}/bifrost/{{ item }}.yml" dest: "{{ node_config_directory }}/bifrost/{{ item }}.yml" + mode: "0660" + become: true with_items: - "bifrost" - "dib" 
@@ -23,6 +28,8 @@ template: src: "{{ item }}" dest: "{{ node_config_directory }}/bifrost/{{ item }}" + mode: "0660" + become: true with_items: - "rabbitmq-env.conf" @@ -30,6 +37,8 @@ template: src: "{{ item.src }}" dest: "{{ node_config_directory }}/bifrost/{{ item.dest }}" + mode: "0660" + become: true with_items: - { src: "id_rsa", dest: "id_rsa" } - { src: "id_rsa.pub", dest: "id_rsa.pub" } diff --git a/ansible/roles/ceilometer/tasks/config.yml b/ansible/roles/ceilometer/tasks/config.yml index 64efe47ef9..955a29db51 100644 --- a/ansible/roles/ceilometer/tasks/config.yml +++ b/ansible/roles/ceilometer/tasks/config.yml @@ -3,7 +3,10 @@ file: path: "{{ node_config_directory }}/{{ item.key }}" state: "directory" - recurse: yes + owner: "{{ config_owner_user }}" + group: "{{ config_owner_group }}" + mode: "0770" + become: true when: - inventory_hostname in groups[item.value.group] - item.value.enabled | bool @@ -30,6 +33,8 @@ template: src: "{{ item.key }}.json.j2" dest: "{{ node_config_directory }}/{{ item.key }}/config.json" + mode: "0660" + become: true register: ceilometer_config_jsons when: - inventory_hostname in groups[item.value.group] @@ -51,6 +56,8 @@ - "{{ node_custom_config }}/ceilometer/{{ item.key }}.conf" - "{{ node_custom_config }}/ceilometer/{{ inventory_hostname }}/ceilometer.conf" dest: "{{ node_config_directory }}/{{ item.key }}/ceilometer.conf" + mode: "0660" + become: true register: ceilometer_confs when: - item.value.enabled | bool @@ -67,6 +74,8 @@ template: src: "{{ item }}.j2" dest: "{{ node_config_directory }}/ceilometer-notification/{{ item }}" + mode: "0660" + become: true register: ceilometer_events when: - inventory_hostname in groups[service.group] @@ -107,6 +116,8 @@ - "{{ node_custom_config }}/panko/panko.conf" - "{{ node_custom_config }}/panko/{{ inventory_hostname }}/panko.conf" dest: "{{ node_config_directory }}/{{ item.key }}/panko.conf" + mode: "0660" + become: true register: panko_confs when: - enable_panko | bool 
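Review bot: The bifrost hunk whose loop copies `id_rsa` writes the private key with `mode: "0660"`, which leaves it readable and writable by the whole group, while the Ceph keyring tasks in this same patch use 0600. The same applies to the `ceph.client*` keyrings copied in cinder/tasks/external_ceph.yml (the cinder-volume and cinder-backup hunks) and to `rndc.key` in designate/tasks/config.yml. For these secret-bearing files I would use `mode: "0600"`; in the bifrost loop that also covers `id_rsa.pub`, which is harmless. Whether the files are re-permissioned when copied into the container is not visible from these hunks.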
@@ -136,6 +147,8 @@ template: src: "{{ ceilometer_policy_file_path }}" dest: "{{ node_config_directory }}/{{ item.key }}/{{ ceilometer_policy_file }}" + mode: "0660" + become: true register: policy_jsons when: - ceilometer_policy_file is defined diff --git a/ansible/roles/ceph/tasks/config.yml b/ansible/roles/ceph/tasks/config.yml index 7aa953bfac..470302c5ee 100644 --- a/ansible/roles/ceph/tasks/config.yml +++ b/ansible/roles/ceph/tasks/config.yml @@ -3,7 +3,10 @@ file: path: "{{ node_config_directory }}/{{ item }}" state: "directory" - recurse: yes + owner: "{{ config_owner_user }}" + group: "{{ config_owner_group }}" + mode: "0770" + become: true with_items: - "ceph-mon" - "ceph-osd" @@ -16,6 +19,8 @@ template: src: "{{ item.name }}.json.j2" dest: "{{ node_config_directory }}/{{ item.name }}/config.json" + mode: "0660" + become: true when: - inventory_hostname in groups[item.group] with_items: @@ -41,6 +46,8 @@ - "{{ node_custom_config }}/ceph.conf" - "{{ node_custom_config }}/ceph/{{ inventory_hostname }}/ceph.conf" dest: "{{ node_config_directory }}/{{ item }}/ceph.conf" + mode: "0660" + become: true with_items: - "ceph-mon" - "ceph-osd" diff --git a/ansible/roles/ceph/tasks/distribute_keyrings.yml b/ansible/roles/ceph/tasks/distribute_keyrings.yml index efbd373150..7be4cb25db 100644 --- a/ansible/roles/ceph/tasks/distribute_keyrings.yml +++ b/ansible/roles/ceph/tasks/distribute_keyrings.yml 
@@ -12,21 +12,25 @@ ceph_files: "{{ (ceph_files_json.stdout | from_json) }}" - name: Pushing Ceph keyring for OSDs + become: true bslurp: src: "{{ item.content }}" dest: "{{ node_config_directory }}/ceph-osd/{{ item.filename }}" - mode: 0600 sha1: "{{ item.sha1 }}" + mode: 0600 + become: true with_items: - "{{ ceph_files['ceph.client.admin.keyring'] }}" when: inventory_hostname in groups['ceph-osd'] - name: Pushing Ceph keyrings for Mons + become: true bslurp: src: "{{ item.content }}" dest: "{{ node_config_directory }}/ceph-mon/{{ item.filename }}" - mode: 0600 sha1: "{{ item.sha1 }}" + mode: 0600 + become: true with_items: - "{{ ceph_files['ceph.client.admin.keyring'] }}" - "{{ ceph_files['ceph.client.mon.keyring'] }}" @@ -35,11 +39,13 @@ when: inventory_hostname in groups['ceph-mon'] - name: Pushing Ceph keyrings for RGWs + become: true bslurp: src: "{{ item.content }}" dest: "{{ node_config_directory }}/ceph-rgw/{{ item.filename }}" - mode: 0600 sha1: "{{ item.sha1 }}" + mode: 0600 + become: true with_items: - "{{ ceph_files['ceph.client.admin.keyring'] }}" - "{{ ceph_files['ceph.client.radosgw.keyring'] }}" diff --git a/ansible/roles/ceph/tasks/start_osds.yml b/ansible/roles/ceph/tasks/start_osds.yml index d44efe094b..cd51d9ce87 100644 --- a/ansible/roles/ceph/tasks/start_osds.yml +++ b/ansible/roles/ceph/tasks/start_osds.yml @@ -12,6 +12,7 @@ osds: "{{ (osd_lookup.stdout.split('localhost | SUCCESS => ')[1]|from_json).disks|from_json }}" - name: Mounting Ceph OSD volumes + become: true mount: src: "UUID={{ item.fs_uuid }}" fstype: "{{ ceph_osd_filesystem }}" @@ -23,6 +24,7 @@ become_method: sudo - name: Gathering OSD IDs + become: true command: "cat /var/lib/ceph/osd/{{ item['fs_uuid'] }}/whoami" with_items: "{{ osds }}" register: id diff --git a/ansible/roles/chrony/tasks/config.yml b/ansible/roles/chrony/tasks/config.yml index 9afc2f7ffb..972b7ea8f2 100644 --- a/ansible/roles/chrony/tasks/config.yml +++ b/ansible/roles/chrony/tasks/config.yml 
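Review bot: Each of the three "Pushing Ceph keyring" tasks in distribute_keyrings.yml gets `become: true` twice, once right after `- name:` and again after the moved `mode` line. Indentation is not recoverable here, so the second one is either a duplicate task-level key, where most YAML loaders silently keep the last value, or an argument handed to `bslurp`. Keep a single task-level `become: true` per task. The moved line is also still the unquoted `mode: 0600`, whereas the rest of the patch quotes modes; `mode: "0600"` keeps the loader from reading it as an integer.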
@@ -3,7 +3,10 @@ file: path: "{{ node_config_directory }}/{{ item }}" state: "directory" - recurse: yes + owner: "{{ config_owner_user }}" + group: "{{ config_owner_group }}" + mode: "0770" + become: true with_items: - "chrony" @@ -11,6 +14,8 @@ template: src: "{{ item }}.json.j2" dest: "{{ node_config_directory }}/{{ item }}/config.json" + mode: "0660" + become: true with_items: - "chrony" notify: @@ -20,6 +25,8 @@ template: src: "{{ item }}" dest: "{{ node_config_directory }}/chrony/chrony.conf" + mode: "0660" + become: true with_first_found: - "{{ node_custom_config }}/chrony/{{ inventory_hostname }}/chrony.conf" - "{{ node_custom_config }}/chrony/chrony.conf" diff --git a/ansible/roles/cinder/tasks/ceph.yml b/ansible/roles/cinder/tasks/ceph.yml index 2be771b6aa..53d1f47d81 100644 --- a/ansible/roles/cinder/tasks/ceph.yml +++ b/ansible/roles/cinder/tasks/ceph.yml @@ -7,6 +7,10 @@ file: path: "{{ node_config_directory }}/{{ item.key }}" state: "directory" + owner: "{{ config_owner_user }}" + group: "{{ config_owner_group }}" + mode: "0770" + become: true when: - item.value.enabled | bool - inventory_hostname in groups[item.value.group] @@ -24,6 +28,8 @@ - "{{ node_custom_config }}/ceph.conf" - "{{ node_custom_config }}/ceph/{{ inventory_hostname }}/ceph.conf" dest: "{{ node_config_directory }}/{{ item.key }}/ceph.conf" + mode: "0660" + become: true when: - item.value.enabled | bool - inventory_hostname in groups[item.value.group] @@ -67,6 +73,7 @@ content: "{{ item.content }}\n\r" dest: "{{ node_config_directory }}/{{ item.service_name }}/ceph.client.{{ item.key_name }}.keyring" mode: "0600" + become: true with_items: - { service_name: "cinder-volume", key_name: "cinder", content: "{{ cephx_key_cinder.stdout }}" } - { service_name: "cinder-backup", key_name: "cinder", content: "{{ cephx_key_cinder.stdout }}" } diff --git a/ansible/roles/cinder/tasks/config.yml b/ansible/roles/cinder/tasks/config.yml index 13fa9e2133..b00c99f19a 100644 
--- a/ansible/roles/cinder/tasks/config.yml +++ b/ansible/roles/cinder/tasks/config.yml @@ -3,7 +3,10 @@ file: path: "{{ node_config_directory }}/{{ item.key }}" state: "directory" - recurse: yes + owner: "{{ config_owner_user }}" + group: "{{ config_owner_group }}" + mode: "0770" + become: true when: - inventory_hostname in groups[item.value.group] - item.value.enabled | bool @@ -30,6 +33,8 @@ template: src: "{{ item.key }}.json.j2" dest: "{{ node_config_directory }}/{{ item.key }}/config.json" + mode: "0660" + become: true register: cinder_config_jsons when: - inventory_hostname in groups[item.value.group] @@ -69,6 +74,8 @@ - "{{ node_custom_config }}/cinder/{{ item.key }}.conf" - "{{ node_custom_config }}/cinder/{{ inventory_hostname }}/cinder.conf" dest: "{{ node_config_directory }}/{{ item.key }}/cinder.conf" + mode: "0660" + become: true register: cinder_confs when: - item.value.enabled | bool diff --git a/ansible/roles/cinder/tasks/external_ceph.yml b/ansible/roles/cinder/tasks/external_ceph.yml index 90f1c6fb6e..d23b20d2d9 100644 --- a/ansible/roles/cinder/tasks/external_ceph.yml +++ b/ansible/roles/cinder/tasks/external_ceph.yml @@ -7,6 +7,10 @@ file: path: "{{ node_config_directory }}/{{ item.key }}" state: "directory" + owner: "{{ config_owner_user }}" + group: "{{ config_owner_group }}" + mode: "0770" + become: true when: - item.value.enabled | bool - inventory_hostname in groups[item.value.group] @@ -23,6 +27,8 @@ - "{{ node_custom_config }}/cinder/ceph.conf" - "{{ node_custom_config }}/cinder/{{ item.key }}/ceph.conf" dest: "{{ node_config_directory }}/{{ item.key }}/ceph.conf" + mode: "0660" + become: true when: - item.value.enabled | bool - inventory_hostname in groups[item.value.group] @@ -36,6 +42,8 @@ copy: src: "{{ item }}" dest: "{{ node_config_directory }}/cinder-volume/" + mode: "0660" + become: true with_fileglob: - "{{ node_custom_config }}/cinder/cinder-volume/ceph.client*" when: 
@@ -49,6 +57,8 @@ copy: src: "{{ item }}" dest: "{{ node_config_directory }}/cinder-backup/" + mode: "0660" + become: true with_fileglob: - "{{ node_custom_config }}/cinder/cinder-backup/ceph.client*" when: diff --git a/ansible/roles/cloudkitty/tasks/config.yml b/ansible/roles/cloudkitty/tasks/config.yml index e62b2a2eb1..20504639bd 100644 --- a/ansible/roles/cloudkitty/tasks/config.yml +++ b/ansible/roles/cloudkitty/tasks/config.yml @@ -3,7 +3,10 @@ file: path: "{{ node_config_directory }}/{{ item.key }}" state: "directory" - recurse: yes + owner: "{{ config_owner_user }}" + group: "{{ config_owner_group }}" + mode: "0770" + become: true when: - inventory_hostname in groups[item.value.group] - item.value.enabled | bool @@ -30,6 +33,8 @@ template: src: "{{ item.key }}.json.j2" dest: "{{ node_config_directory }}/{{ item.key }}/config.json" + mode: "0660" + become: true register: cloudkitty_config_jsons when: - item.value.enabled | bool @@ -50,6 +55,8 @@ - "{{ node_custom_config }}/cloudkitty/{{ item.key }}.conf" - "{{ node_custom_config }}/cloudkitty/{{ inventory_hostname }}/cloudkitty.conf" dest: "{{ node_config_directory }}/{{ item.key }}/cloudkitty.conf" + mode: "0660" + become: true register: cloudkitty_confs when: - inventory_hostname in groups[item.value.group] @@ -65,6 +72,8 @@ template: src: "wsgi-cloudkitty.conf.j2" dest: "{{ node_config_directory }}/cloudkitty-api/wsgi-cloudkitty.conf" + mode: "0660" + become: true register: cloudkitty_conf_wsgi when: - inventory_hostname in groups[service.group] @@ -76,6 +85,8 @@ template: src: "{{ cloudkitty_policy_file_path }}" dest: "{{ node_config_directory }}/{{ item.key }}/{{ cloudkitty_policy_file }}" + mode: "0660" + become: true register: cloudkitty_policy_overwriting when: - cloudkitty_policy_file is defined diff --git a/ansible/roles/collectd/tasks/config.yml b/ansible/roles/collectd/tasks/config.yml index eddcd8122a..f3432177cd 100644 --- a/ansible/roles/collectd/tasks/config.yml 
+++ b/ansible/roles/collectd/tasks/config.yml @@ -3,7 +3,10 @@ file: path: "{{ node_config_directory }}/{{ item.key }}" state: "directory" - recurse: yes + owner: "{{ config_owner_user }}" + group: "{{ config_owner_group }}" + mode: "0770" + become: true when: - inventory_hostname in groups[item.value.group] - item.value.enabled | bool @@ -13,7 +16,10 @@ file: path: "{{ node_config_directory }}/{{ item.key }}/collectd.conf.d" state: "directory" - recurse: yes + owner: "{{ config_owner_user }}" + group: "{{ config_owner_group }}" + mode: "0770" + become: true when: - inventory_hostname in groups[item.value.group] - item.value.enabled | bool @@ -23,6 +29,8 @@ template: src: "{{ item.key }}.json.j2" dest: "{{ node_config_directory }}/{{ item.key }}/config.json" + mode: "0660" + become: true register: collectd_config_jsons when: - inventory_hostname in groups[item.value.group] @@ -37,6 +45,8 @@ template: src: "{{ item }}" dest: "{{ node_config_directory }}/collectd/collectd.conf" + mode: "0660" + become: true with_first_found: - "{{ node_custom_config }}/collectd/{{ inventory_hostname }}/collectd.conf" - "{{ node_custom_config }}/collectd/collectd.conf" diff --git a/ansible/roles/congress/tasks/config.yml b/ansible/roles/congress/tasks/config.yml index 779b504478..233c9e5412 100644 --- a/ansible/roles/congress/tasks/config.yml +++ b/ansible/roles/congress/tasks/config.yml @@ -3,7 +3,10 @@ file: path: "{{ node_config_directory }}/{{ item.key }}" state: "directory" - recurse: yes + owner: "{{ config_owner_user }}" + group: "{{ config_owner_group }}" + mode: "0770" + become: true when: inventory_hostname in groups[item.value.group] with_dict: "{{ congress_services }}" @@ -28,6 +31,8 @@ template: src: "{{ item.key }}.json.j2" dest: "{{ node_config_directory }}/{{ item.key }}/config.json" + mode: "0660" + become: true register: congress_config_jsons when: - inventory_hostname in groups[item.value.group] 
@@ -47,6 +52,8 @@ - "{{ node_custom_config }}/congress/{{ item.key }}.conf" - "{{ node_custom_config }}/congress/{{ inventory_hostname }}/congress.conf" dest: "{{ node_config_directory }}/{{ item.key }}/congress.conf" + mode: "0660" + become: true register: congress_confs when: - inventory_hostname in groups[item.value.group] @@ -64,6 +71,8 @@ template: src: "{{ congress_policy_file_path }}" dest: "{{ node_config_directory }}/{{ item.key }}/{{ congress_policy_file }}" + mode: "0660" + become: true register: congress_policy_overwriting when: - congress_policy_file is defined diff --git a/ansible/roles/designate/tasks/config.yml b/ansible/roles/designate/tasks/config.yml index 05721cb0fd..a227da8ded 100644 --- a/ansible/roles/designate/tasks/config.yml +++ b/ansible/roles/designate/tasks/config.yml @@ -3,7 +3,10 @@ file: path: "{{ node_config_directory }}/{{ item.key }}" state: "directory" - recurse: yes + owner: "{{ config_owner_user }}" + group: "{{ config_owner_group }}" + mode: "0770" + become: true when: - inventory_hostname in groups[item.value.group] - item.value.enabled | bool @@ -30,6 +33,8 @@ template: src: "{{ item.key }}.json.j2" dest: "{{ node_config_directory }}/{{ item.key }}/config.json" + mode: "0660" + become: true register: designate_config_jsons when: - inventory_hostname in groups[item.value.group] @@ -55,6 +60,8 @@ - "{{ node_custom_config }}/designate/{{ item.key }}.conf" - "{{ node_custom_config }}/designate/{{ inventory_hostname }}/designate.conf" dest: "{{ node_config_directory }}/{{ item.key }}/designate.conf" + mode: "0660" + become: true register: designate_confs when: - inventory_hostname in groups[item.value.group] @@ -74,6 +81,8 @@ template: src: "{{ item }}" dest: "{{ node_config_directory }}/designate-worker/pools.yaml" + mode: "0660" + become: true register: designate_pool when: - inventory_hostname in groups[service.group] 
@@ -90,6 +99,8 @@ template: src: "{{ item }}" dest: "{{ node_config_directory }}/designate-backend-bind9/named.conf" + mode: "0660" + become: true register: designate_named when: - designate_backend == 'bind9' @@ -107,6 +118,8 @@ template: src: "rndc.conf.j2" dest: "{{ node_config_directory }}/{{ item.key }}/rndc.conf" + mode: "0660" + become: true register: designate_rndc_conf when: - designate_backend == 'bind9' and designate_backend_external == 'no' @@ -122,6 +135,8 @@ template: src: "rndc.key.j2" dest: "{{ node_config_directory }}/{{ item.key }}/rndc.key" + mode: "0660" + become: true register: designate_rndc_key_file when: - designate_backend == 'bind9' and designate_backend_external == 'no' @@ -145,6 +160,8 @@ template: src: "{{ designate_policy_file_path }}" dest: "{{ node_config_directory }}/{{ item.key }}/{{ designate_policy_file }}" + mode: "0770" + become: true register: designate_policy_overwriting when: - designate_policy_file is defined diff --git a/ansible/roles/elasticsearch/tasks/config.yml b/ansible/roles/elasticsearch/tasks/config.yml index 958f71d3f2..ade859543c 100644 --- a/ansible/roles/elasticsearch/tasks/config.yml +++ b/ansible/roles/elasticsearch/tasks/config.yml @@ -12,7 +12,10 @@ file: path: "{{ node_config_directory }}/{{ item.key }}" state: "directory" - recurse: yes + owner: "{{ config_owner_user }}" + group: "{{ config_owner_group }}" + mode: "0770" + become: true when: - inventory_hostname in groups[item.value.group] - item.value.enabled | bool @@ -22,6 +25,8 @@ template: src: "{{ item.key }}.json.j2" dest: "{{ node_config_directory }}/{{ item.key }}/config.json" + mode: "0660" + become: true register: elasticsearch_config_jsons when: - inventory_hostname in groups[item.value.group] @@ -34,6 +39,8 @@ template: src: "elasticsearch.yml.j2" dest: "{{ node_config_directory }}/{{ item.key }}/{{ item.key }}.yml" + mode: "0660" + become: true register: elasticsearch_confs when: - inventory_hostname in groups[item.value.group] 
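Review bot: The last designate hunk writes the policy file with `mode: "0770"`, which sets execute bits on a regular file and differs from the `"0660"` used for the policy file in aodh, barbican, ceilometer, cloudkitty and congress. The freezer and ironic policy-file hunks later in the patch do the same. This looks like the directory mode copied onto a file task; I would change all three to `mode: "0660"`.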
diff --git a/ansible/roles/etcd/tasks/config.yml b/ansible/roles/etcd/tasks/config.yml index dba8fef697..eac9c07625 100644 --- a/ansible/roles/etcd/tasks/config.yml +++ b/ansible/roles/etcd/tasks/config.yml @@ -3,7 +3,10 @@ file: path: "{{ node_config_directory }}/{{ item.key }}" state: "directory" - recurse: yes + owner: "{{ config_owner_user }}" + group: "{{ config_owner_group }}" + mode: "0770" + become: true when: - item.value.enabled | bool - item.value.host_in_groups | bool @@ -13,6 +16,8 @@ template: src: "{{ item.key }}.json.j2" dest: "{{ node_config_directory }}/{{ item.key }}/config.json" + mode: "0660" + become: true register: etcd_config_jsons when: - item.value.enabled | bool @@ -28,6 +33,8 @@ name: "{{ item.value.container_name }}" image: "{{ item.value.image }}" volumes: "{{ item.value.volumes }}" + mode: "0660" + become: true register: check_etcd_containers when: - action != "config" diff --git a/ansible/roles/freezer/tasks/config.yml b/ansible/roles/freezer/tasks/config.yml index 211aeed518..8f6015b223 100644 --- a/ansible/roles/freezer/tasks/config.yml +++ b/ansible/roles/freezer/tasks/config.yml @@ -3,7 +3,10 @@ file: path: "{{ node_config_directory }}/{{ item.key }}" state: "directory" - recurse: yes + owner: "{{ config_owner_user }}" + group: "{{ config_owner_group }}" + mode: "0770" + become: true when: - inventory_hostname in groups[item.value.group] - item.value.enabled | bool @@ -30,6 +33,8 @@ template: src: "{{ item.key }}.json.j2" dest: "{{ node_config_directory }}/{{ item.key }}/config.json" + mode: "0660" + become: true register: freezer_config_jsons when: - inventory_hostname in groups[item.value.group] @@ -42,6 +47,8 @@ template: src: "wsgi-freezer-api.conf.j2" dest: "{{ node_config_directory }}/{{ item.key }}/wsgi-freezer-api.conf" + mode: "0660" + become: true register: wsgi_freezer_api when: - inventory_hostname in groups[item.value.group] 
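Review bot: The third etcd hunk adds `mode: "0660"` to a task whose visible arguments are `name`, `image` and `volumes` and which registers `check_etcd_containers`, so it appears to be a container check rather than a file-writing task. The module name is outside the hunk, but a `mode` argument is unlikely to be accepted there and would either fail argument validation or be ignored. Drop the `mode` line and keep only the task-level `become: true`.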
@@ -61,6 +68,8 @@ - "{{ node_custom_config }}/freezer/{{ item.key }}.conf" - "{{ node_custom_config }}/freezer/{{ inventory_hostname }}/{{ item.key }}.conf" dest: "{{ node_config_directory }}/{{ item.key }}/freezer-api.conf" + mode: "0660" + become: true register: freezer_confs when: - inventory_hostname in groups[item.value.group] @@ -73,6 +82,8 @@ template: src: "{{ freezer_policy_file_path }}" dest: "{{ node_config_directory }}/{{ item.key }}/{{ freezer_policy_file }}" + mode: "0770" + become: true register: freezer_policy_overwriting when: - freezer_policy_file is defined diff --git a/ansible/roles/gnocchi/tasks/config.yml b/ansible/roles/gnocchi/tasks/config.yml index 1f6d47b788..394b263b08 100644 --- a/ansible/roles/gnocchi/tasks/config.yml +++ b/ansible/roles/gnocchi/tasks/config.yml @@ -3,7 +3,10 @@ file: path: "{{ node_config_directory }}/{{ item.key }}" state: "directory" - recurse: yes + owner: "{{ config_owner_user }}" + group: "{{ config_owner_group }}" + mode: "0770" + become: true when: - inventory_hostname in groups[item.value.group] - item.value.enabled | bool @@ -30,6 +33,8 @@ template: src: "{{ item.key }}.json.j2" dest: "{{ node_config_directory }}/{{ item.key }}/config.json" + mode: "0660" + become: true register: gnocchi_config_jsons when: - item.value.enabled | bool @@ -51,6 +56,8 @@ - "{{ node_custom_config }}/gnocchi/{{ item.key }}.conf" - "{{ node_custom_config }}/gnocchi/{{ inventory_hostname }}/gnocchi.conf" dest: "{{ node_config_directory }}/{{ item.key }}/gnocchi.conf" + mode: "0660" + become: true register: gnocchi_confs when: - item.value.enabled | bool @@ -67,6 +74,8 @@ template: src: "wsgi-gnocchi.conf.j2" dest: "{{ node_config_directory }}/{{ item }}/wsgi-gnocchi.conf" + mode: "0660" + become: true register: gnocchi_wsgi_conf when: - inventory_hostname in groups['gnocchi-api'] diff --git a/ansible/roles/grafana/tasks/config.yml b/ansible/roles/grafana/tasks/config.yml index 13b0e51878..cd889529d2 100644 
--- a/ansible/roles/grafana/tasks/config.yml +++ b/ansible/roles/grafana/tasks/config.yml @@ -3,7 +3,10 @@ file: path: "{{ node_config_directory }}/{{ item.key }}" state: "directory" - recurse: yes + owner: "{{ config_owner_user }}" + group: "{{ config_owner_group }}" + mode: "0770" + become: true when: - inventory_hostname in groups[item.value.group] - item.value.enabled | bool @@ -13,6 +16,8 @@ template: src: "{{ item.key }}.json.j2" dest: "{{ node_config_directory }}/{{ item.key }}/config.json" + mode: "0660" + become: true register: grafana_config_jsons when: - inventory_hostname in groups[item.value.group] @@ -30,6 +35,8 @@ - "{{ node_custom_config }}/{{ item.key }}.ini" - "{{ node_custom_config }}/grafana/{{ inventory_hostname }}/{{ item.key }}.ini" dest: "{{ node_config_directory }}/grafana/grafana.ini" + mode: "0660" + become: true register: grafana_confs when: - inventory_hostname in groups[item.value.group] diff --git a/ansible/roles/influxdb/tasks/config.yml b/ansible/roles/influxdb/tasks/config.yml index b1aae85017..98153f5627 100644 --- a/ansible/roles/influxdb/tasks/config.yml +++ b/ansible/roles/influxdb/tasks/config.yml @@ -3,7 +3,10 @@ file: path: "{{ node_config_directory }}/influxdb" state: "directory" - recurse: yes + owner: "{{ config_owner_user }}" + group: "{{ config_owner_group }}" + mode: "0770" + become: true when: - inventory_hostname in groups[item.value.group] - item.value.enabled | bool @@ -13,6 +16,8 @@ template: src: "{{ item.key }}.json.j2" dest: "{{ node_config_directory }}/influxdb/config.json" + mode: "0660" + become: true register: influxdb_config_jsons when: - inventory_hostname in groups[item.value.group] @@ -27,6 +32,8 @@ template: src: "{{ role_path }}/templates/{{ item }}.conf.j2" dest: "{{ node_config_directory }}/influxdb/influxdb.conf" + mode: "0660" + become: true register: influxdb_confs when: - inventory_hostname in groups[service.group] 
diff --git a/ansible/roles/ironic/tasks/config.yml b/ansible/roles/ironic/tasks/config.yml index 0dab3e7650..381d02c500 100644 --- a/ansible/roles/ironic/tasks/config.yml +++ b/ansible/roles/ironic/tasks/config.yml @@ -3,7 +3,10 @@ file: path: "{{ node_config_directory }}/{{ item }}" state: "directory" - recurse: yes + owner: "{{ config_owner_user }}" + group: "{{ config_owner_group }}" + mode: "0770" + become: true with_items: - "ironic-api" - "ironic-conductor" @@ -32,6 +35,8 @@ template: src: "{{ item }}.json.j2" dest: "{{ node_config_directory }}/{{ item }}/config.json" + mode: "0660" + become: true with_items: - "ironic-api" - "ironic-conductor" @@ -50,6 +55,8 @@ - "{{ node_custom_config }}/ironic/{{ item }}.conf" - "{{ node_custom_config }}/ironic/{{ inventory_hostname }}/ironic.conf" dest: "{{ node_config_directory }}/{{ item }}/ironic.conf" + mode: "0660" + become: true with_items: - "ironic-api" - "ironic-conductor" @@ -65,12 +72,16 @@ - "{{ node_custom_config }}/ironic-inspector/inspector.conf" - "{{ node_custom_config }}/ironic-inspector/{{ inventory_hostname }}/inspector.conf" dest: "{{ node_config_directory }}/ironic-inspector/inspector.conf" + mode: "0660" + become: true when: inventory_hostname in groups['ironic-inspector'] - name: Copying over dnsmasq.conf template: src: "{{ item }}" dest: "{{ node_config_directory }}/ironic-dnsmasq/dnsmasq.conf" + mode: "0660" + become: true with_first_found: - "{{ node_custom_config }}/ironic/ironic-dnsmasq.conf" - "{{ node_custom_config }}/ironic/{{ inventory_hostname }}/ironic-dnsmasq.conf" @@ -81,6 +92,8 @@ template: src: "{{ item }}" dest: "{{ node_config_directory }}/ironic-pxe/default" + mode: "0660" + become: true with_first_found: - "{{ node_custom_config }}/ironic/pxelinux.default" - "{{ node_custom_config }}/ironic/{{ inventory_hostname }}/pxelinux.default" 
@@ -95,6 +108,8 @@ template: src: "{{ item }}" dest: "{{ node_config_directory }}/ironic-pxe/default" + mode: "0660" + become: true with_first_found: - "{{ node_custom_config }}/ironic/ironic_pxe_uefi.default" - "{{ node_custom_config }}/ironic/{{ inventory_hostname }}/ironic_pxe_uefi.default" @@ -107,6 +122,8 @@ copy: src: "{{ node_custom_config }}/ironic/{{ item }}" dest: "{{ node_config_directory }}/ironic-pxe/{{ item }}" + mode: "0660" + become: true with_items: - "ironic-agent.kernel" - "ironic-agent.initramfs" @@ -120,6 +137,8 @@ template: src: "{{ ironic_policy_file_path }}" dest: "{{ node_config_directory }}/{{ item }}/{{ ironic_policy_file }}" + mode: "0770" + become: true with_items: - "ironic-api" - "ironic-conductor" diff --git a/ansible/roles/iscsi/tasks/config.yml b/ansible/roles/iscsi/tasks/config.yml index 08c0aa5e09..a73cbde849 100644 --- a/ansible/roles/iscsi/tasks/config.yml +++ b/ansible/roles/iscsi/tasks/config.yml @@ -3,7 +3,10 @@ file: path: "{{ node_config_directory }}/{{ item }}" state: "directory" - recurse: yes + owner: "{{ config_owner_user }}" + group: "{{ config_owner_group }}" + mode: "0770" + become: true when: ( ( inventory_hostname in groups['compute'] or inventory_hostname in groups['cinder-volume'] ) and enable_cinder | bool and enable_cinder_backend_iscsi | bool ) or ( inventory_hostname in groups['ironic-conductor'] and enable_ironic | bool ) with_items: @@ -13,6 +16,8 @@ template: src: "{{ item }}.json.j2" dest: "{{ node_config_directory }}/{{ item }}/config.json" + mode: "0660" + become: true when: ( ( inventory_hostname in groups['compute'] or inventory_hostname in groups['cinder-volume'] ) and enable_cinder | bool and enable_cinder_backend_iscsi | bool ) or ( inventory_hostname in groups['ironic-conductor'] and enable_ironic | bool ) with_items: 
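Review bot: The ironic policy-file task at `@@ -120,6 +137,8 @@` gets `mode: "0770"`, which marks a plain data file executable and differs from every other policy-file hunk in this patch (kuryr, magnum, panko, rally, sahara and the rest use `"0660"`). This looks like a copy from the directory task; `mode: "0660"` would match the other roles. The task starts outside the hunk.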
@@ -22,7 +27,10 @@ file: path: "{{ node_config_directory }}/{{ item }}" state: "directory" - recurse: yes + owner: "{{ config_owner_user }}" + group: "{{ config_owner_group }}" + mode: "0770" + become: true when: - enable_cinder_backend_lvm | bool - inventory_hostname in groups['tgtd'] @@ -33,8 +41,11 @@ template: src: "{{ item }}.json.j2" dest: "{{ node_config_directory }}/{{ item }}/config.json" + mode: "0660" + become: true when: - enable_cinder_backend_lvm | bool - inventory_hostname in groups['tgtd'] + - enable_cinder_backend_lvm | bool with_items: - "tgtd" diff --git a/ansible/roles/karbor/tasks/config.yml b/ansible/roles/karbor/tasks/config.yml index 09dd01298a..80e06f82e4 100644 --- a/ansible/roles/karbor/tasks/config.yml +++ b/ansible/roles/karbor/tasks/config.yml @@ -3,7 +3,10 @@ file: path: "{{ node_config_directory }}/{{ item.key }}/providers.d" state: "directory" - recurse: yes + owner: "{{ config_owner_user }}" + group: "{{ config_owner_group }}" + mode: "0770" + become: true when: - inventory_hostname in groups[item.value.group] - item.value.enabled | bool @@ -13,6 +16,8 @@ template: src: "{{ item.key }}.json.j2" dest: "{{ node_config_directory }}/{{ item.key }}/config.json" + mode: "0660" + become: true register: karbor_config_jsons when: - inventory_hostname in groups[item.value.group] @@ -34,6 +39,8 @@ - "{{ node_custom_config }}/karbor/{{ item.key }}.conf" - "{{ node_custom_config }}/karbor/{{ inventory_hostname }}/karbor.conf" dest: "{{ node_config_directory }}/{{ item.key }}/karbor.conf" + mode: "0660" + become: true register: karbor_confs when: - inventory_hostname in groups[item.value.group] @@ -51,6 +58,8 @@ template: src: "providers.d/openstack-infra.conf.j2" dest: "{{ node_config_directory }}/{{ service_name }}/providers.d/openstack-infra.conf" + mode: "0660" + become: true register: openstack_infra_conf when: - inventory_hostname in groups[service.group] 
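Review bot: The tgtd `config.json` hunk at `@@ -33,8 +41,11 @@` adds a third `when` entry, `- enable_cinder_backend_lvm | bool`, that repeats the first entry of the same list. It is harmless at runtime but reads like a merge leftover, and a duplicated guard makes it harder to see which conditions gate a privileged task. Drop the added line so the list stays `enable_cinder_backend_lvm | bool` and `inventory_hostname in groups['tgtd']`.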
@@ -65,6 +74,8 @@ name: "{{ item.value.container_name }}" image: "{{ item.value.image }}" volumes: "{{ item.value.volumes }}" + mode: "0660" + become: true register: check_karbor_containers when: - action != "config" diff --git a/ansible/roles/kibana/tasks/config.yml b/ansible/roles/kibana/tasks/config.yml index 7c19abf702..2306b4a617 100644 --- a/ansible/roles/kibana/tasks/config.yml +++ b/ansible/roles/kibana/tasks/config.yml @@ -3,7 +3,10 @@ file: path: "{{ node_config_directory }}/{{ item.key }}" state: "directory" - recurse: yes + owner: "{{ config_owner_user }}" + group: "{{ config_owner_group }}" + mode: "0770" + become: true when: - inventory_hostname in groups[item.value.group] - item.value.enabled | bool @@ -13,6 +16,8 @@ template: src: "{{ item.key }}.json.j2" dest: "{{ node_config_directory }}/{{ item.key }}/config.json" + mode: "0660" + become: true register: kibana_config_jsons when: - inventory_hostname in groups[item.value.group] @@ -25,6 +30,8 @@ template: src: "{{ item.key }}.yml.j2" dest: "{{ node_config_directory }}/{{ item.key }}/{{ item.key }}.yml" + mode: "0660" + become: true register: kibana_confs when: - inventory_hostname in groups[item.value.group] diff --git a/ansible/roles/kuryr/tasks/config.yml b/ansible/roles/kuryr/tasks/config.yml index 86cdd4a3b3..f4c0fddc60 100644 --- a/ansible/roles/kuryr/tasks/config.yml +++ b/ansible/roles/kuryr/tasks/config.yml @@ -3,7 +3,10 @@ file: path: "{{ node_config_directory }}/{{ item.key }}" state: "directory" - recurse: yes + owner: "{{ config_owner_user }}" + group: "{{ config_owner_group }}" + mode: "0770" + become: true when: - inventory_hostname in groups[item.value.group] - item.value.enabled | bool @@ -30,6 +33,8 @@ template: src: "{{ item.key }}.json.j2" dest: "{{ node_config_directory }}/{{ item.key }}/config.json" + mode: "0660" + become: true register: kuryr_config_jsons when: - inventory_hostname in groups[item.value.group] 
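Review bot: The karbor hunk at `@@ -65,6 +74,8 @@` adds `mode: "0660"` to a task whose arguments are `name`, `image` and `volumes` and which registers `check_karbor_containers`, so it appears to be a container check rather than a file-writing task. A file mode has no meaning there, and depending on where the line sits it will either be rejected as an unsupported module argument or as an unknown task keyword. Keep `become: true` if the container check needs it and remove the `mode: "0660"` line. The task header is outside the hunk, so the module name should be confirmed.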
@@ -49,6 +54,8 @@ - "{{ node_custom_config }}/kuryr/{{ item.key }}.conf" - "{{ node_custom_config }}/kuryr/{{ inventory_hostname }}/{{ item.key }}.conf" dest: "{{ node_config_directory }}/{{ item.key }}/kuryr.conf" + mode: "0660" + become: true register: kuryr_confs when: - inventory_hostname in groups[item.value.group] @@ -63,6 +70,8 @@ template: src: "kuryr.spec.j2" dest: "{{ node_config_directory }}/{{ item }}/kuryr.spec" + mode: "0660" + become: true register: kuryr_spec when: - inventory_hostname in groups[service.group] @@ -76,6 +85,8 @@ template: src: "{{ kuryr_policy_file_path }}" dest: "{{ node_config_directory }}/{{ item.key }}/{{ kuryr_policy_file }}" + mode: "0660" + become: true register: kuryr_policy_overwriting when: - kuryr_policy_file is defined diff --git a/ansible/roles/magnum/tasks/config.yml b/ansible/roles/magnum/tasks/config.yml index 0d8468eed8..ba18435738 100644 --- a/ansible/roles/magnum/tasks/config.yml +++ b/ansible/roles/magnum/tasks/config.yml @@ -3,7 +3,10 @@ file: path: "{{ node_config_directory }}/{{ item.key }}" state: "directory" - recurse: yes + owner: "{{ config_owner_user }}" + group: "{{ config_owner_group }}" + mode: "0770" + become: true when: - inventory_hostname in groups[item.value.group] - item.value.enabled | bool @@ -30,6 +33,8 @@ template: src: "{{ item.key }}.json.j2" dest: "{{ node_config_directory }}/{{ item.key }}/config.json" + mode: "0660" + become: true register: magnum_config_jsons when: - inventory_hostname in groups[item.value.group] @@ -50,6 +55,8 @@ - "{{ node_custom_config }}/magnum/{{ item.key }}.conf" - "{{ node_custom_config }}/magnum/{{ inventory_hostname }}/magnum.conf" dest: "{{ node_config_directory }}/{{ item.key }}/magnum.conf" + mode: "0660" + become: true register: magnum_confs when: - inventory_hostname in groups[item.value.group] 
@@ -63,6 +70,8 @@ template: src: "{{ magnum_policy_file_path }}" dest: "{{ node_config_directory }}/{{ item.key }}/{{ magnum_policy_file }}" + mode: "0660" + become: true register: magnum_policy_overwriting when: - magnum_policy_file is defined diff --git a/ansible/roles/manila/tasks/config.yml b/ansible/roles/manila/tasks/config.yml index 2a9496608e..cf0ef2b70c 100644 --- a/ansible/roles/manila/tasks/config.yml +++ b/ansible/roles/manila/tasks/config.yml @@ -3,7 +3,10 @@ file: path: "{{ node_config_directory }}/{{ item.key }}" state: "directory" - recurse: yes + owner: "{{ config_owner_user }}" + group: "{{ config_owner_group }}" + mode: "0770" + become: true when: - inventory_hostname in groups[item.value.group] - item.value.enabled | bool @@ -30,6 +33,8 @@ template: src: "{{ item.key }}.json.j2" dest: "{{ node_config_directory }}/{{ item.key }}/config.json" + mode: "0660" + become: true register: manila_config_jsons when: - inventory_hostname in groups[item.value.group] @@ -49,6 +54,8 @@ - "{{ node_custom_config }}/manila/{{ item.key }}.conf" - "{{ node_custom_config }}/manila/{{ inventory_hostname }}/manila.conf" dest: "{{ node_config_directory }}/{{ item.key }}/manila.conf" + mode: "0660" + become: true register: manila_confs when: - item.key in [ "manila-api", "manila-data", "manila-scheduler" ] @@ -74,6 +81,8 @@ - "{{ node_custom_config }}/manila/{{ item }}.conf" - "{{ node_custom_config }}/manila/{{ inventory_hostname }}/manila.conf" dest: "{{ node_config_directory }}/{{ item }}/manila.conf" + mode: "0660" + become: true register: manila_conf_share when: - inventory_hostname in groups[service.group] diff --git a/ansible/roles/mistral/tasks/config.yml b/ansible/roles/mistral/tasks/config.yml index ef063c4967..623bf03147 100644 --- a/ansible/roles/mistral/tasks/config.yml +++ b/ansible/roles/mistral/tasks/config.yml 
@@ -4,6 +4,8 @@ path: "{{ node_config_directory }}/{{ item.key }}" state: "directory" recurse: yes + mode: "0770" + become: true when: inventory_hostname in groups[item.value.group] with_dict: "{{ mistral_services }}" @@ -28,6 +30,8 @@ template: src: "{{ item.key }}.json.j2" dest: "{{ node_config_directory }}/{{ item.key }}/config.json" + mode: "0660" + become: true register: mistral_config_jsons when: - item.value.enabled | bool @@ -47,6 +51,8 @@ - "{{ node_custom_config }}/mistral/{{ item.key }}.conf" - "{{ node_custom_config }}/mistral/{{ inventory_hostname }}/mistral.conf" dest: "{{ node_config_directory }}/{{ item.key }}/mistral.conf" + mode: "0660" + become: true register: mistral_confs when: - item.value.enabled | bool diff --git a/ansible/roles/mongodb/tasks/config.yml b/ansible/roles/mongodb/tasks/config.yml index 606a9d9b54..0236d1b09f 100644 --- a/ansible/roles/mongodb/tasks/config.yml +++ b/ansible/roles/mongodb/tasks/config.yml @@ -3,7 +3,10 @@ file: path: "{{ node_config_directory }}/{{ item.key }}" state: "directory" - recurse: yes + owner: "{{ config_owner_user }}" + group: "{{ config_owner_group }}" + mode: "0770" + become: true when: - inventory_hostname in groups[item.value.group] - item.value.enabled | bool @@ -13,6 +16,8 @@ template: src: "{{ item.key }}.json.j2" dest: "{{ node_config_directory }}/{{ item.key }}/config.json" + mode: "0660" + become: true register: mongodb_config_jsons when: - inventory_hostname in groups[item.value.group] @@ -25,6 +30,8 @@ template: src: "{{ item.key }}.conf.j2" dest: "{{ node_config_directory }}/mongodb/{{ item.key }}.conf" + mode: "0660" + become: true register: mongodb_confs when: - inventory_hostname in groups[item.value.group] diff --git a/ansible/roles/multipathd/tasks/config.yml b/ansible/roles/multipathd/tasks/config.yml index a831b32a6c..13bfa6c07d 100644 --- a/ansible/roles/multipathd/tasks/config.yml +++ b/ansible/roles/multipathd/tasks/config.yml 
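Review bot: The mistral directory task at `@@ -4,6 +4,8 @@` keeps `recurse: yes` and adds `mode: "0770"` without `owner`/`group`, unlike the other roles in this patch. With `recurse` the mode is applied to everything below the directory, so the config files written as `"0660"` by the later tasks are reset to executable 0770 on every run and the play never settles. Replace `recurse: yes` with `owner: "{{ config_owner_user }}"` and `group: "{{ config_owner_group }}"` as done elsewhere. The swift directory hunk (`@@ -4,6 +4,8 @@` in `ansible/roles/swift/tasks/config.yml`) has the same problem.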
@@ -3,7 +3,10 @@ file: path: "{{ node_config_directory }}/{{ item }}" state: "directory" - recurse: yes + owner: "{{ config_owner_user }}" + group: "{{ config_owner_group }}" + mode: "0770" + become: true when: inventory_hostname in groups['compute'] with_items: - "multipathd" @@ -12,6 +15,8 @@ template: src: "{{ item }}.json.j2" dest: "{{ node_config_directory }}/{{ item }}/config.json" + mode: "0660" + become: true when: inventory_hostname in groups['compute'] with_items: - "multipathd" @@ -20,5 +25,7 @@ template: src: "{{ role_path }}/templates/multipath.conf.j2" dest: "{{ node_config_directory }}/{{ item }}/multipath.conf" + mode: "0660" + become: true with_items: - "multipathd" diff --git a/ansible/roles/murano/tasks/config.yml b/ansible/roles/murano/tasks/config.yml index 91db61fd33..0b4bde0ca4 100644 --- a/ansible/roles/murano/tasks/config.yml +++ b/ansible/roles/murano/tasks/config.yml @@ -3,7 +3,10 @@ file: path: "{{ node_config_directory }}/{{ item }}" state: "directory" - recurse: yes + owner: "{{ config_owner_user }}" + group: "{{ config_owner_group }}" + mode: "0770" + become: true with_items: - "murano-api" - "murano-engine" @@ -29,6 +32,8 @@ template: src: "{{ item }}.json.j2" dest: "{{ node_config_directory }}/{{ item }}/config.json" + mode: "0660" + become: true with_items: - "murano-api" - "murano-engine" @@ -44,6 +49,8 @@ - "{{ node_custom_config }}/murano/{{ item }}.conf" - "{{ node_custom_config }}/murano/{{ inventory_hostname }}/murano.conf" dest: "{{ node_config_directory }}/{{ item }}/murano.conf" + mode: "0660" + become: true with_items: - "murano-api" - "murano-engine" diff --git a/ansible/roles/octavia/tasks/config.yml b/ansible/roles/octavia/tasks/config.yml index 97aca8799d..91745ac559 100644 --- a/ansible/roles/octavia/tasks/config.yml +++ b/ansible/roles/octavia/tasks/config.yml 
@@ -3,7 +3,10 @@ file: path: "{{ node_config_directory }}/{{ item.key }}" state: "directory" - recurse: yes + owner: "{{ config_owner_user }}" + group: "{{ config_owner_group }}" + mode: "0770" + become: true when: - inventory_hostname in groups[item.value.group] - item.value.enabled | bool @@ -13,6 +16,8 @@ template: src: "{{ item.key }}.json.j2" dest: "{{ node_config_directory }}/{{ item.key }}/config.json" + mode: "0660" + become: true register: octavia_config_jsons when: - inventory_hostname in groups[item.value.group] @@ -32,6 +37,8 @@ - "{{ node_custom_config }}/octavia/{{ item.key }}.conf" - "{{ node_custom_config }}/octavia/{{ inventory_hostname }}/octavia.conf" dest: "{{ node_config_directory }}/{{ item.key }}/octavia.conf" + mode: "0660" + become: true register: octavia_confs when: - inventory_hostname in groups[item.value.group] @@ -46,6 +53,8 @@ copy: src: "{{ node_custom_config }}/octavia/{{ item }}" dest: "{{ node_config_directory }}/octavia-worker/{{ item }}" + mode: "0660" + become: true register: octavia_worker_certificate when: - inventory_hostname in groups[service.group] diff --git a/ansible/roles/panko/tasks/config.yml b/ansible/roles/panko/tasks/config.yml index e57430fe22..5d461362bd 100644 --- a/ansible/roles/panko/tasks/config.yml +++ b/ansible/roles/panko/tasks/config.yml @@ -3,7 +3,10 @@ file: path: "{{ node_config_directory }}/{{ item.key }}" state: "directory" - recurse: yes + owner: "{{ config_owner_user }}" + group: "{{ config_owner_group }}" + mode: "0770" + become: true when: - inventory_hostname in groups[item.value.group] - item.value.enabled | bool @@ -30,6 +33,8 @@ template: src: "{{ item.key }}.json.j2" dest: "{{ node_config_directory }}/{{ item.key }}/config.json" + mode: "0660" + become: true register: panko_config_jsons when: - inventory_hostname in groups[item.value.group] 
@@ -47,6 +52,8 @@ - "{{ node_custom_config }}/panko/{{ item.key }}.conf" - "{{ node_custom_config }}/panko/{{ inventory_hostname }}/{{ item.key }}.conf" dest: "{{ node_config_directory }}/{{ item.key }}/panko.conf" + mode: "0660" + become: true register: panko_confs when: - inventory_hostname in groups[item.value.group] @@ -61,6 +68,8 @@ template: src: "wsgi-panko.conf.j2" dest: "{{ node_config_directory }}/{{ item }}/wsgi-panko.conf" + mode: "0660" + become: true register: panko_wsgi when: - inventory_hostname in groups[service.group] @@ -74,6 +83,8 @@ template: src: "{{ panko_policy_file_path }}" dest: "{{ node_config_directory }}/{{ item.key }}/{{ panko_policy_file }}" + mode: "0660" + become: true register: panko_policy_overwriting when: - panko_policy_file is defined diff --git a/ansible/roles/qdrouterd/tasks/config.yml b/ansible/roles/qdrouterd/tasks/config.yml index 2f9fbf4db0..bf898184af 100644 --- a/ansible/roles/qdrouterd/tasks/config.yml +++ b/ansible/roles/qdrouterd/tasks/config.yml @@ -3,7 +3,10 @@ file: path: "{{ node_config_directory }}/{{ item.key }}" state: "directory" - recurse: yes + owner: "{{ config_owner_user }}" + group: "{{ config_owner_group }}" + mode: "0770" + become: true when: - inventory_hostname in groups[item.value.group] - item.value.enabled | bool @@ -13,6 +16,8 @@ template: src: "{{ item.key }}.json.j2" dest: "{{ node_config_directory }}/{{ item.key }}/config.json" + mode: "0660" + become: true register: qdrouterd_config_jsons when: - inventory_hostname in groups[item.value.group] @@ -27,6 +32,8 @@ template: src: "{{ item }}" dest: "{{ node_config_directory }}/qdrouterd/qdrouterd.conf" + mode: "0660" + become: true register: qdrouterd_confs when: - inventory_hostname in groups[service.group] @@ -44,6 +51,8 @@ template: src: "{{ item }}" dest: "{{ node_config_directory }}/qdrouterd/qdrouterd-sasl.conf" + mode: "0660" + become: true register: qdrouterd_sasl_confs when: - inventory_hostname in groups[service.group] 
diff --git a/ansible/roles/rally/tasks/config.yml b/ansible/roles/rally/tasks/config.yml index d82204f734..a3d2b595ab 100644 --- a/ansible/roles/rally/tasks/config.yml +++ b/ansible/roles/rally/tasks/config.yml @@ -3,7 +3,10 @@ file: path: "{{ node_config_directory }}/{{ item.key }}" state: "directory" - recurse: yes + owner: "{{ config_owner_user }}" + group: "{{ config_owner_group }}" + mode: "0770" + become: true when: - inventory_hostname in groups[item.value.group] - item.value.enabled | bool @@ -30,6 +33,8 @@ template: src: "{{ item.key }}.json.j2" dest: "{{ node_config_directory }}/{{ item.key }}/config.json" + mode: "0660" + become: true register: rally_config_jsons when: - item.value.enabled | bool @@ -46,6 +51,8 @@ - "{{ role_path }}/templates/rally.conf.j2" - "{{ node_custom_config }}/rally.conf" dest: "{{ node_config_directory }}/{{ item.key }}/{{ item.key }}.conf" + mode: "0660" + become: true register: rally_confs when: - item.value.enabled | bool @@ -58,6 +65,8 @@ template: src: "{{ rally_policy_file_path }}" dest: "{{ node_config_directory }}/{{ item.key }}/{{ rally_policy_file }}" + mode: "0660" + become: true register: rally_policy_overwriting when: - rally_policy_file is defined diff --git a/ansible/roles/sahara/tasks/config.yml b/ansible/roles/sahara/tasks/config.yml index c6d2ddae1d..c86d177fed 100644 --- a/ansible/roles/sahara/tasks/config.yml +++ b/ansible/roles/sahara/tasks/config.yml @@ -3,7 +3,10 @@ file: path: "{{ node_config_directory }}/{{ item.key }}" state: "directory" - recurse: yes + owner: "{{ config_owner_user }}" + group: "{{ config_owner_group }}" + mode: "0770" + become: true when: - inventory_hostname in groups[item.value.group] - item.value.enabled | bool @@ -30,6 +33,8 @@ template: src: "{{ item.key }}.json.j2" dest: "{{ node_config_directory }}/{{ item.key }}/config.json" + mode: "0660" + become: true register: sahara_config_jsons when: - inventory_hostname in groups[item.value.group] 
@@ -50,6 +55,8 @@ - "{{ node_custom_config }}/sahara/{{ item.key }}.conf" - "{{ node_custom_config }}/sahara/{{ inventory_hostname }}/sahara.conf" dest: "{{ node_config_directory }}/{{ item.key }}/sahara.conf" + mode: "0660" + become: true register: sahara_confs when: - inventory_hostname in groups[item.value.group] @@ -63,6 +70,8 @@ template: src: "{{ sahara_policy_file_path }}" dest: "{{ node_config_directory }}/{{ item.key }}/{{ sahara_policy_file }}" + mode: "0660" + become: true register: sahara_policy_overwriting when: - sahara_policy_file is defined diff --git a/ansible/roles/searchlight/tasks/config.yml b/ansible/roles/searchlight/tasks/config.yml index 4b968b800b..5971d64595 100644 --- a/ansible/roles/searchlight/tasks/config.yml +++ b/ansible/roles/searchlight/tasks/config.yml @@ -3,7 +3,10 @@ file: path: "{{ node_config_directory }}/{{ item.key }}" state: "directory" - recurse: yes + owner: "{{ config_owner_user }}" + group: "{{ config_owner_group }}" + mode: "0770" + become: true when: - inventory_hostname in groups[item.value.group] - item.value.enabled | bool @@ -30,6 +33,8 @@ template: src: "{{ item.key }}.json.j2" dest: "{{ node_config_directory }}/{{ item.key }}/config.json" + mode: "0660" + become: true register: searchlight_config_jsons when: - item.value.enabled | bool @@ -46,6 +51,8 @@ - "{{ node_custom_config }}/searchlight.conf" - "{{ node_custom_config }}/searchlight/{{ inventory_hostname }}/searchlight.conf" dest: "{{ node_config_directory }}/{{ item.key }}/searchlight.conf" + mode: "0660" + become: true register: searchlight_confs when: - item.value.enabled | bool @@ -59,6 +66,8 @@ template: src: "{{ searchlight_policy_file_path }}" dest: "{{ node_config_directory }}/{{ item.key }}/{{ searchlight_policy_file }}" + mode: "0660" + become: true register: searchlight_policy_overwriting when: - searchlight_policy_file is defined 
diff --git a/ansible/roles/senlin/tasks/config.yml b/ansible/roles/senlin/tasks/config.yml index a7aeb800e6..519244d7d5 100644 --- a/ansible/roles/senlin/tasks/config.yml +++ b/ansible/roles/senlin/tasks/config.yml @@ -3,7 +3,10 @@ file: path: "{{ node_config_directory }}/{{ item.key }}" state: "directory" - recurse: yes + owner: "{{ config_owner_user }}" + group: "{{ config_owner_group }}" + mode: "0770" + become: true when: - inventory_hostname in groups[item.value.group] - item.value.enabled | bool @@ -30,6 +33,8 @@ template: src: "{{ item.key }}.json.j2" dest: "{{ node_config_directory }}/{{ item.key }}/config.json" + mode: "0660" + become: true register: senlin_config_jsons when: - item.value.enabled | bool @@ -50,6 +55,8 @@ - "{{ node_custom_config }}/senlin/{{ item.key }}.conf" - "{{ node_custom_config }}/senlin/{{ inventory_hostname }}/senlin.conf" dest: "{{ node_config_directory }}/{{ item.key }}/senlin.conf" + mode: "0660" + become: true register: senlin_confs when: - item.value.enabled | bool @@ -63,6 +70,8 @@ template: src: "{{ senlin_policy_file_path }}" dest: "{{ node_config_directory }}/{{ item.key }}/{{ senlin_policy_file }}" + mode: "0660" + become: true register: senlin_policy_overwriting when: - senlin_policy_file is defined diff --git a/ansible/roles/skydive/tasks/config.yml b/ansible/roles/skydive/tasks/config.yml index 9a992f71b6..cb50ba599e 100644 --- a/ansible/roles/skydive/tasks/config.yml +++ b/ansible/roles/skydive/tasks/config.yml @@ -3,7 +3,10 @@ file: path: "{{ node_config_directory }}/{{ item.key }}" state: "directory" - recurse: yes + owner: "{{ config_owner_user }}" + group: "{{ config_owner_group }}" + mode: "0770" + become: true when: - inventory_hostname in groups[item.value.group] - item.value.enabled | bool 
@@ -13,6 +16,8 @@ template: src: "{{ item.key }}.json.j2" dest: "{{ node_config_directory }}/{{ item.key }}/config.json" + mode: "0660" + become: true register: skydive_config_jsons when: - inventory_hostname in groups[item.value.group] @@ -26,6 +31,8 @@ template: src: "{{ item.key }}.conf.j2" dest: "{{ node_config_directory }}/{{ item.key }}/skydive.conf" + mode: "0660" + become: true register: skydive_confs when: - item.value.enabled | bool diff --git a/ansible/roles/solum/tasks/config.yml b/ansible/roles/solum/tasks/config.yml index 1061f16853..f724397f43 100644 --- a/ansible/roles/solum/tasks/config.yml +++ b/ansible/roles/solum/tasks/config.yml @@ -3,7 +3,10 @@ file: path: "{{ node_config_directory }}/{{ item.key }}" state: "directory" - recurse: yes + owner: "{{ config_owner_user }}" + group: "{{ config_owner_group }}" + mode: "0770" + become: true when: - inventory_hostname in groups[item.value.group] - item.value.enabled | bool @@ -13,6 +16,8 @@ template: src: "{{ item.key }}.json.j2" dest: "{{ node_config_directory }}/{{ item.key }}/config.json" + mode: "0660" + become: true register: solum_config_jsons when: - inventory_hostname in groups[item.value.group] @@ -35,6 +40,8 @@ - "{{ node_custom_config }}/solum/{{ item.key }}.conf" - "{{ node_custom_config }}/solum/{{ inventory_hostname }}/solum.conf" dest: "{{ node_config_directory }}/{{ item.key }}/solum.conf" + mode: "0660" + become: true register: solum_confs when: - inventory_hostname in groups[item.value.group] diff --git a/ansible/roles/swift/tasks/config.yml b/ansible/roles/swift/tasks/config.yml index f66aa2b2d5..670600201e 100644 --- a/ansible/roles/swift/tasks/config.yml +++ b/ansible/roles/swift/tasks/config.yml @@ -4,6 +4,8 @@ path: "{{ node_config_directory }}/{{ item }}" state: "directory" recurse: yes + mode: "0770" + become: true with_items: - "swift" - "swift-account-auditor" 
@@ -26,6 +28,8 @@ template: src: "{{ item }}.json.j2" dest: "{{ node_config_directory }}/{{ item }}/config.json" + mode: "0660" + become: true with_items: - "swift-account-auditor" - "swift-account-reaper" @@ -54,6 +58,8 @@ - "{{ node_custom_config }}/swift/{{ item }}.conf" - "{{ node_custom_config }}/swift/{{ inventory_hostname }}/{{ item }}.conf" dest: "{{ node_config_directory }}/swift-{{ item }}/swift.conf" + mode: "0660" + become: true with_items: - "account-auditor" - "account-reaper" @@ -81,6 +87,8 @@ - "{{ node_custom_config }}/swift/{{ item }}.conf" - "{{ node_custom_config }}/swift/{{ inventory_hostname }}/{{ item }}.conf" dest: "{{ node_config_directory }}/swift-{{ item }}/{{ item }}.conf" + mode: "0660" + become: true with_items: - "account-auditor" - "account-reaper" @@ -98,6 +106,8 @@ - "{{ node_custom_config }}/swift/{{ item }}.conf" - "{{ node_custom_config }}/swift/{{ inventory_hostname }}/{{ item }}.conf" dest: "{{ node_config_directory }}/swift-{{ item }}/{{ item }}.conf" + mode: "0660" + become: true with_items: - "container-auditor" - "container-replicator" @@ -115,6 +125,8 @@ - "{{ node_custom_config }}/swift/{{ item }}.conf" - "{{ node_custom_config }}/swift/{{ inventory_hostname }}/{{ item }}.conf" dest: "{{ node_config_directory }}/swift-{{ item }}/{{ item }}.conf" + mode: "0660" + become: true with_items: - "object-auditor" - "object-expirer" @@ -132,6 +144,8 @@ - "{{ node_custom_config }}/swift/{{ item }}.conf" - "{{ node_custom_config }}/swift/{{ inventory_hostname }}/{{ item }}.conf" dest: "{{ node_config_directory }}/swift-{{ item }}/{{ item }}.conf" + mode: "0660" + become: true with_items: - "proxy-server" 
@@ -139,12 +153,16 @@ template: src: "rsyncd.conf.j2" dest: "{{ node_config_directory }}/swift-rsyncd/rsyncd.conf" + mode: "0660" + become: true - name: Copying over Swift ring files copy: src: "{{ node_custom_config }}/swift/{{ item }}" dest: "{{ node_config_directory }}/swift/{{ item }}" backup: yes + mode: "0660" + become: true with_items: - "account.builder" - "account.ring.gz" diff --git a/ansible/roles/swift/tasks/start.yml b/ansible/roles/swift/tasks/start.yml index 7dfbc8404c..c020e9519f 100644 --- a/ansible/roles/swift/tasks/start.yml +++ b/ansible/roles/swift/tasks/start.yml @@ -20,6 +20,7 @@ inventory_hostname in groups['swift-object-server'] - name: Mounting Swift disks + become: true mount: src: "UUID={{ item.fs_uuid }}" fstype: xfs diff --git a/ansible/roles/tacker/tasks/config.yml b/ansible/roles/tacker/tasks/config.yml index d5b8de471a..a94dd3f9c8 100644 --- a/ansible/roles/tacker/tasks/config.yml +++ b/ansible/roles/tacker/tasks/config.yml @@ -3,7 +3,10 @@ file: path: "{{ node_config_directory }}/{{ item.key }}" state: "directory" - recurse: yes + owner: "{{ config_owner_user }}" + group: "{{ config_owner_group }}" + mode: "0770" + become: true when: - inventory_hostname in groups[item.value.group] - item.value.enabled @@ -30,6 +33,8 @@ template: src: "{{ item.key }}.json.j2" dest: "{{ node_config_directory }}/{{ item.key }}/config.json" + mode: "0660" + become: true register: tacker_config_jsons with_dict: "{{ tacker_services }}" when: @@ -50,6 +55,8 @@ - "{{ node_custom_config }}/tacker/{{ item.key }}.conf" - "{{ node_custom_config }}/tacker/{{ inventory_hostname }}/tacker.conf" dest: "{{ node_config_directory }}/{{ item.key }}/tacker.conf" + mode: "0660" + become: true register: tacker_confs with_dict: "{{ tacker_services }}" when: 
@@ -63,6 +70,8 @@ template: src: "{{ tacker_policy_file_path }}" dest: "{{ node_config_directory }}/{{ item.key }}/{{ tacker_policy_file }}" + mode: "0660" + become: true register: tacker_policy_overwriting when: - inventory_hostname in groups[item.value.group] diff --git a/ansible/roles/telegraf/tasks/config.yml b/ansible/roles/telegraf/tasks/config.yml index 85676221ab..5be8c231f5 100644 --- a/ansible/roles/telegraf/tasks/config.yml +++ b/ansible/roles/telegraf/tasks/config.yml @@ -3,7 +3,10 @@ file: path: "{{ node_config_directory }}/{{ item.key }}/config" state: "directory" - recurse: yes + owner: "{{ config_owner_user }}" + group: "{{ config_owner_group }}" + mode: "0770" + become: true when: - inventory_hostname in groups[item.value.group] - item.value.enabled | bool @@ -13,6 +16,8 @@ template: src: "telegraf.json.j2" dest: "{{ node_config_directory }}/telegraf/config.json" + mode: "0660" + become: true register: telegraf_config_jsons when: - inventory_hostname in groups[item.value.group] @@ -27,6 +32,8 @@ template: src: "{{ item }}" dest: "{{ node_config_directory }}/telegraf/telegraf.conf" + mode: "0660" + become: true register: telegraf_confs when: - inventory_hostname in groups[service.group] @@ -44,6 +51,8 @@ copy: src: "{{ item }}" dest: "{{ node_config_directory }}/telegraf/config" + mode: "0660" + become: true register: telegraf_plugin when: - inventory_hostname in groups[service.group] diff --git a/ansible/roles/tempest/tasks/config.yml b/ansible/roles/tempest/tasks/config.yml index 80f02dc02f..ea5931c728 100644 --- a/ansible/roles/tempest/tasks/config.yml +++ b/ansible/roles/tempest/tasks/config.yml @@ -3,7 +3,9 @@ file: path: "{{ node_config_directory }}/{{ item.key }}" state: "directory" - recurse: yes + owner: "{{ config_owner_user }}" + group: "{{ config_owner_group }}" + mode: "0770" when: - inventory_hostname in groups[item.value.group] - item.value.enabled | bool 
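Review bot: The tempest directory task at `@@ -3,7 +3,9 @@` sets `owner`, `group` and `mode` but gets no `become: true`, so once play-level privilege escalation is removed it only works when the connection user is already root. The two tempest template hunks that follow, and the watcher `config.json` and `watcher.conf` hunks, likewise add `mode: "0660"` without `become: true`, while the watcher directory they write into is created under `become`. If this is not deliberate, add `become: true` to these tasks to match the other roles. The task bodies start outside the hunks.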
@@ -13,6 +15,7 @@ template: src: "{{ item.key }}.json.j2" dest: "{{ node_config_directory }}/{{ item.key }}/config.json" + mode: "0660" register: tempest_config_jsons when: - inventory_hostname in groups[item.value.group] @@ -29,6 +32,7 @@ - "{{ role_path }}/templates/tempest.conf.j2" - "{{ node_custom_config }}/tempest.conf" dest: "{{ node_config_directory }}/{{ item.key }}/tempest.conf" + mode: "0660" register: tempest_confs when: - inventory_hostname in groups[item.value.group] diff --git a/ansible/roles/trove/tasks/config.yml b/ansible/roles/trove/tasks/config.yml index 8cb2473d37..56c8a2713e 100644 --- a/ansible/roles/trove/tasks/config.yml +++ b/ansible/roles/trove/tasks/config.yml @@ -3,7 +3,10 @@ file: path: "{{ node_config_directory }}/{{ item.key }}" state: "directory" - recurse: yes + owner: "{{ config_owner_user }}" + group: "{{ config_owner_group }}" + mode: "0770" + become: true when: - inventory_hostname in groups[item.value.group] - item.value.enabled | bool @@ -13,6 +16,8 @@ template: src: "{{ item.key }}.json.j2" dest: "{{ node_config_directory }}/{{ item.key }}/config.json" + mode: "0660" + become: true register: trove_config_jsons when: - inventory_hostname in groups[item.value.group] @@ -25,6 +30,8 @@ template: src: "{{ item.key }}.conf.j2" dest: "{{ node_config_directory }}/{{ item.key }}/{{ item.key }}.conf" + mode: "0660" + become: true register: trove_conf_file when: - item.key in [ "trove-conductor", "trove-taskmanager" ] @@ -46,6 +53,8 @@ - "{{ node_custom_config }}/trove/{{ item.key }}.conf" - "{{ node_custom_config }}/trove/{{ inventory_hostname }}/trove.conf" dest: "{{ node_config_directory }}/{{ item.key }}/trove.conf" + mode: "0660" + become: true register: trove_confs when: - inventory_hostname in groups[item.value.group] diff --git a/ansible/roles/vmtp/tasks/config.yml b/ansible/roles/vmtp/tasks/config.yml index b62b709007..b107d67dfa 100644 --- a/ansible/roles/vmtp/tasks/config.yml +++ b/ansible/roles/vmtp/tasks/config.yml 
@@ -3,7 +3,10 @@ file: path: "{{ node_config_directory }}/{{ item.key }}" state: "directory" - recurse: yes + owner: "{{ config_owner_user }}" + group: "{{ config_owner_group }}" + mode: "0770" + become: true when: - inventory_hostname in groups[item.value.group] - item.value.enabled | bool @@ -28,6 +31,8 @@ - "{{ node_custom_config }}/{{ item }}" - "{{ node_custom_config }}/vmtp/{{ item }}" dest: "{{ python_path }}/vmtp/{{ item }}" + mode: "0660" + become: true register: vmtp_confs when: - inventory_hostname in groups[service.group] diff --git a/ansible/roles/watcher/tasks/config.yml b/ansible/roles/watcher/tasks/config.yml index 0c5bace05f..d17c6d5fb7 100644 --- a/ansible/roles/watcher/tasks/config.yml +++ b/ansible/roles/watcher/tasks/config.yml @@ -3,7 +3,10 @@ file: path: "{{ node_config_directory }}/{{ item.key }}" state: "directory" - recurse: yes + owner: "{{ config_owner_user }}" + group: "{{ config_owner_group }}" + mode: "0770" + become: true when: - inventory_hostname in groups[item.value.group] - item.value.enabled | bool @@ -30,6 +33,7 @@ template: src: "{{ item.key }}.json.j2" dest: "{{ node_config_directory }}/{{ item.key }}/config.json" + mode: "0660" register: watcher_config_jsons when: - inventory_hostname in groups[item.value.group] @@ -51,6 +55,7 @@ - "{{ node_custom_config }}/watcher/{{ item.key }}.conf" - "{{ node_custom_config }}/watcher/{{ inventory_hostname }}/watcher.conf" dest: "{{ node_config_directory }}/{{ item.key }}/watcher.conf" + mode: "0660" register: watcher_confs when: - inventory_hostname in groups[item.value.group] diff --git a/ansible/roles/zun/tasks/config.yml b/ansible/roles/zun/tasks/config.yml index 5d58cc5a04..d85fe5e982 100644 --- a/ansible/roles/zun/tasks/config.yml +++ b/ansible/roles/zun/tasks/config.yml 
@@ -3,7 +3,10 @@ file: path: "{{ node_config_directory }}/{{ item.key }}" state: "directory" - recurse: yes + owner: "{{ config_owner_user }}" + group: "{{ config_owner_group }}" + mode: "0770" + become: true when: inventory_hostname in groups[item.value.group] with_dict: "{{ zun_services }}" @@ -28,6 +31,8 @@ template: src: "{{ item.key }}.json.j2" dest: "{{ node_config_directory }}/{{ item.key }}/config.json" + mode: "0660" + become: true register: zun_config_jsons when: - item.value.enabled | bool @@ -48,6 +53,8 @@ - "{{ node_custom_config }}/zun/{{ item.key }}.conf" - "{{ node_custom_config }}/zun/{{ inventory_hostname }}/zun.conf" dest: "{{ node_config_directory }}/{{ item.key }}/zun.conf" + mode: "0660" + become: true register: zun_confs when: - item.value.enabled | bool @@ -63,6 +70,8 @@ template: src: "wsgi-zun.conf.j2" dest: "{{ node_config_directory }}/zun-api/wsgi-zun.conf" + mode: "0660" + become: true register: zun_conf_wsgi when: - inventory_hostname in groups[service.group] @@ -74,6 +83,8 @@ template: src: "{{ zun_policy_file_path }}" dest: "{{ node_config_directory }}/{{ item.key }}/{{ zun_policy_file }}" + mode: "0660" + become: true register: zun_policy_overwriting when: - zun_policy_file is defined diff --git a/releasenotes/notes/specify-task-become-84f83707f612bcf3.yaml b/releasenotes/notes/specify-task-become-84f83707f612bcf3.yaml index 1f7484bca7..b61a371671 100644 --- a/releasenotes/notes/specify-task-become-84f83707f612bcf3.yaml +++ b/releasenotes/notes/specify-task-become-84f83707f612bcf3.yaml @@ -2,5 +2,5 @@ prelude: > Specify Ansible "become" for only necessary tasks. features: - - Add "become" to necessary tasks of general roles. - - Add "become" to necessary tasks of default roles. + - Increase security by add "become" to only + necessary Ansible tasks.