From b50917fe2c1d3d45cde79ddaf3afa0c29154db0f Mon Sep 17 00:00:00 2001 From: Mark Goddard Date: Tue, 2 Oct 2018 09:16:34 +0100 Subject: [PATCH] Fix non-root reconfiguration with ceph enabled Various ceph-related tasks were missing a 'become' that would allow them to work as a non-root user. This seems to only cause a problem after an initial deployment, perhaps due to the recursive ownership & permissions changes at the end of the ceph.yml and external_ceph.yml files. This change adds the necessary becomes. Change-Id: I887c7b3bdef49db1dd1bf9e5bdbf5dc47b7f41af Closes-Bug: #1795125 --- ansible/roles/glance/tasks/ceph.yml | 3 +++ ansible/roles/glance/tasks/external_ceph.yml | 4 +++- ansible/roles/gnocchi/tasks/ceph.yml | 3 +++ ansible/roles/gnocchi/tasks/external_ceph.yml | 3 +++ ansible/roles/manila/tasks/ceph.yml | 1 + ansible/roles/manila/tasks/external_ceph.yml | 1 + ansible/roles/nova/tasks/ceph.yml | 5 +++++ ansible/roles/nova/tasks/external_ceph.yml | 5 +++++ 8 files changed, 24 insertions(+), 1 deletion(-) diff --git a/ansible/roles/glance/tasks/ceph.yml b/ansible/roles/glance/tasks/ceph.yml index 614069c545..04ff51af3e 100644 --- a/ansible/roles/glance/tasks/ceph.yml +++ b/ansible/roles/glance/tasks/ceph.yml @@ -4,6 +4,7 @@ path: "{{ node_config_directory }}/glance-api" state: "directory" mode: "0770" + become: true when: inventory_hostname in groups['glance-api'] - name: Copying over ceph.conf(s) @@ -14,6 +15,7 @@ - "{{ node_custom_config }}/ceph/{{ inventory_hostname }}/ceph.conf" dest: "{{ node_config_directory }}/glance-api/ceph.conf" mode: "0660" + become: true when: inventory_hostname in groups['glance-api'] - include_tasks: ../../ceph_pools.yml @@ -40,6 +42,7 @@ key = {{ cephx_key.keyring.key }} dest: "{{ node_config_directory }}/glance-api/ceph.client.glance.keyring" mode: "0600" + become: true when: inventory_hostname in groups['glance-api'] - name: Ensuring config directory has correct owner and permission 
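Review bot: In ansible/roles/glance/tasks/ceph.yml, the keyring task at `@@ -40,6 +42,7` renders `cephx_key.keyring.key` into the file body, and nothing in the visible lines keeps that value out of Ansible's output, so a run with `--diff` or raised verbosity can print the cephx key. Adding `no_log: true` beside the new `become: true` would suppress it. The same applies to the keyring tasks at `@@ -46,6 +48,7` in gnocchi/tasks/ceph.yml and `@@ -58,6 +60,7` in nova/tasks/ceph.yml. Each of these tasks starts above its hunk, so the keyword may already be set there.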
diff --git a/ansible/roles/glance/tasks/external_ceph.yml b/ansible/roles/glance/tasks/external_ceph.yml index ce8960ec95..513e063508 100644 --- a/ansible/roles/glance/tasks/external_ceph.yml +++ b/ansible/roles/glance/tasks/external_ceph.yml @@ -4,6 +4,7 @@ path: "{{ node_config_directory }}/glance-api" state: "directory" mode: "0770" + become: true when: inventory_hostname in groups['glance-api'] - name: Copy over ceph files @@ -11,6 +12,7 @@ src: "{{ item }}" dest: "{{ node_config_directory }}/glance-api/" mode: "0660" + become: true when: inventory_hostname in groups['glance-api'] with_fileglob: - "{{ node_custom_config }}/glance/ceph*" @@ -18,12 +20,12 @@ - Restart glance-api container - name: Ensuring config directory has correct owner and permission - become: true file: path: "{{ node_config_directory }}/{{ item }}" recurse: yes owner: "{{ config_owner_user }}" group: "{{ config_owner_group }}" + become: true when: inventory_hostname in groups['glance-api'] with_items: - "glance-api" diff --git a/ansible/roles/gnocchi/tasks/ceph.yml b/ansible/roles/gnocchi/tasks/ceph.yml index 3ae3aee140..d6bed838e3 100644 --- a/ansible/roles/gnocchi/tasks/ceph.yml +++ b/ansible/roles/gnocchi/tasks/ceph.yml @@ -3,6 +3,7 @@ file: path: "{{ node_config_directory }}/{{ item }}" state: "directory" + become: true when: inventory_hostname in groups[item] with_items: - "gnocchi-api" @@ -16,6 +17,7 @@ - "{{ node_custom_config }}/ceph.conf" - "{{ node_custom_config }}/ceph/{{ inventory_hostname }}/ceph.conf" dest: "{{ node_config_directory }}/{{ item }}/ceph.conf" + become: true when: inventory_hostname in groups[item] with_items: - "gnocchi-api" @@ -46,6 +48,7 @@ key = {{ cephx_key.keyring.key }} dest: "{{ node_config_directory }}/{{ item }}/ceph.client.gnocchi.keyring" mode: "0600" + become: true when: inventory_hostname in groups[item] with_items: - "gnocchi-api" 
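Review bot: In ansible/roles/glance/tasks/external_ceph.yml, the "Copy over ceph files" task at `@@ -11,6 +12,7` writes everything matched by `glance/ceph*` with `mode: "0660"`; if that glob also picks up the client keyring, the key ends up group-readable, whereas glance/tasks/ceph.yml writes its keyring with `mode: "0600"`. Consider copying the keyring in its own task with `mode: "0600"`, or state in a comment why group access is required. nova/tasks/external_ceph.yml at `@@ -33,6 +34,7` copies `nova_cephx_keyring_file.stat.path` with `mode: "0660"` in the same way.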
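Review bot: In ansible/roles/gnocchi/tasks/ceph.yml, the directory task at `@@ -3,6 +3,7` and the ceph.conf task at `@@ -16,6 +17,7` set no `mode:`, so now that they run with `become: true` the permissions of newly created paths depend on root's umask on the target host. The glance and nova equivalents in this patch pin `mode: "0770"` for the directory and `mode: "0660"` for ceph.conf; adding the same two lines here would make the result deterministic. The first two hunks of gnocchi/tasks/external_ceph.yml and the directory tasks in manila/tasks/ceph.yml and manila/tasks/external_ceph.yml have the same gap. A later recursive ownership task may tighten some of this, but it is outside these hunks and cannot be confirmed from here.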
diff --git a/ansible/roles/gnocchi/tasks/external_ceph.yml b/ansible/roles/gnocchi/tasks/external_ceph.yml index 32c797d3d9..e3bf801ad0 100644 --- a/ansible/roles/gnocchi/tasks/external_ceph.yml +++ b/ansible/roles/gnocchi/tasks/external_ceph.yml @@ -3,6 +3,7 @@ file: path: "{{ node_config_directory }}/{{ item }}" state: "directory" + become: true when: inventory_hostname in groups[item] with_items: - "gnocchi-api" @@ -13,6 +14,7 @@ template: src: "{{ node_custom_config }}/gnocchi/ceph.conf" dest: "{{ node_config_directory }}/{{ item }}/ceph.conf" + become: true when: inventory_hostname in groups[item] with_items: - "gnocchi-api" @@ -27,6 +29,7 @@ copy: src: "{{ node_custom_config }}/gnocchi/ceph.client.gnocchi.keyring" dest: "{{ node_config_directory }}/{{ item }}/ceph.client.gnocchi.keyring" + become: true when: inventory_hostname in groups[item] with_items: - "gnocchi-api" diff --git a/ansible/roles/manila/tasks/ceph.yml b/ansible/roles/manila/tasks/ceph.yml index e0a3fe51f1..2cbc0b343c 100644 --- a/ansible/roles/manila/tasks/ceph.yml +++ b/ansible/roles/manila/tasks/ceph.yml @@ -3,6 +3,7 @@ file: path: "{{ node_config_directory }}/manila-share" state: "directory" + become: true - name: Copying over ceph.conf for manila merge_configs: diff --git a/ansible/roles/manila/tasks/external_ceph.yml b/ansible/roles/manila/tasks/external_ceph.yml index 1793380a22..10b89d4204 100644 --- a/ansible/roles/manila/tasks/external_ceph.yml +++ b/ansible/roles/manila/tasks/external_ceph.yml @@ -3,6 +3,7 @@ file: path: "{{ node_config_directory }}/manila-share" state: "directory" + become: true when: - inventory_hostname in groups['manila-share'] diff --git a/ansible/roles/nova/tasks/ceph.yml b/ansible/roles/nova/tasks/ceph.yml index 2799784259..ec3122b352 100644 --- a/ansible/roles/nova/tasks/ceph.yml +++ b/ansible/roles/nova/tasks/ceph.yml 
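Review bot: In ansible/roles/gnocchi/tasks/external_ceph.yml, the keyring copy at `@@ -27,6 +29,7` has no `mode:` among its visible arguments, so a newly created `ceph.client.gnocchi.keyring` gets whatever root's umask allows, which is commonly 0644. gnocchi/tasks/ceph.yml writes the same keyring with `mode: "0600"`; adding `mode: "0600"` after `dest:` here would match it. The task's `with_items` list continues below the hunk.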
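Review bot: In ansible/roles/manila/tasks/ceph.yml, the directory task at `@@ -3,6 +3,7` has no `when:` guard, so with `become: true` it creates `manila-share` under `node_config_directory` as root on every host that runs this task file. manila/tasks/external_ceph.yml guards the same task; mirroring it with `when: inventory_hostname in groups['manila-share']` would limit the privileged write to the hosts that need it. If the include of ceph.yml is already restricted to that group elsewhere, a short comment saying so would be enough.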
@@ -4,6 +4,7 @@ path: "{{ node_config_directory }}/{{ item }}" state: "directory" mode: "0770" + become: true with_items: - "nova-compute" - "nova-libvirt/secrets" @@ -19,6 +20,7 @@ - "{{ node_custom_config }}/ceph/{{ inventory_hostname }}/ceph.conf" dest: "{{ node_config_directory }}/{{ item }}/ceph.conf" mode: "0660" + become: true with_items: - "nova-compute" - "nova-libvirt" @@ -58,6 +60,7 @@ key = {{ nova_cephx_key.keyring.key }} dest: "{{ node_config_directory }}/nova-compute/ceph.client.nova.keyring" mode: "0600" + become: true when: inventory_hostname in groups['compute'] - name: Pushing secrets xml for libvirt @@ -65,6 +68,7 @@ src: "secret.xml.j2" dest: "{{ node_config_directory }}/nova-libvirt/secrets/{{ item.uuid }}.xml" mode: "0600" + become: true when: - inventory_hostname in groups['compute'] - item.enabled | bool @@ -81,6 +85,7 @@ content: "{{ item.content }}" dest: "{{ node_config_directory }}/nova-libvirt/secrets/{{ item.uuid }}.base64" mode: "0600" + become: true when: - inventory_hostname in groups['compute'] - item.enabled | bool diff --git a/ansible/roles/nova/tasks/external_ceph.yml b/ansible/roles/nova/tasks/external_ceph.yml index f1425348e6..93950f621e 100644 --- a/ansible/roles/nova/tasks/external_ceph.yml +++ b/ansible/roles/nova/tasks/external_ceph.yml @@ -4,6 +4,7 @@ path: "{{ node_config_directory }}/{{ item }}" state: "directory" mode: "0770" + become: true with_items: - "nova-compute" - "nova-libvirt/secrets" @@ -33,6 +34,7 @@ src: "{{ nova_cephx_keyring_file.stat.path }}" dest: "{{ node_config_directory }}/{{ item }}/" mode: "0660" + become: true with_items: - nova-compute - nova-libvirt @@ -49,6 +51,7 @@ src: "{{ node_custom_config }}/nova/ceph.conf" dest: "{{ node_config_directory }}/{{ item }}/" mode: "0660" + become: true with_items: - nova-compute - nova-libvirt 
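Review bot: In ansible/roles/nova/tasks/ceph.yml, the task at `@@ -81,6 +85,7` writes `item.content` to `secrets/{{ item.uuid }}.base64`, so the loop item itself appears to carry the secret, and Ansible prints each loop item in its per-iteration output by default. Adding `no_log: true` to the task, or at least `loop_control:` with `label: "{{ item.uuid }}"`, keeps the value out of console and log output. The hunk at `@@ -98,6 +102,7` in nova/tasks/external_ceph.yml loops over registered results whose `stdout` is written to the same kind of file and needs the same treatment. The loop definitions are below both hunks, so confirm neither keyword is already set there.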
@@ -64,6 +67,7 @@ src: "secret.xml.j2" dest: "{{ node_config_directory }}/nova-libvirt/secrets/{{ item.uuid }}.xml" mode: "0600" + become: true when: - inventory_hostname in groups['compute'] - item.enabled | bool @@ -98,6 +102,7 @@ content: "{{ item.result.stdout }}" dest: "{{ node_config_directory }}/nova-libvirt/secrets/{{ item.uuid }}.base64" mode: "0600" + become: true when: - inventory_hostname in groups['compute'] - item.enabled | bool