From 8399fc7813279cf5ba0a1b0d839e6377321a3f7b Mon Sep 17 00:00:00 2001 From: Mark Goddard Date: Thu, 27 Sep 2018 14:00:52 +0100 Subject: [PATCH] Don't use 'become' in CI tests Kolla Ansible now claims [1] to support executing as a user other than root. We should ensure that this is tested in CI. This change removes the 'become' from hosts in the inventory, and sets the remote user to 'kolla', as configured via the bootstrap-servers command. The bootstrap-servers command and other ansible commands executed before it still need to execute as the zuul user and not as kolla, since kolla does not exist yet. The autogenerated SSH private key in passwords.yml is now added to the zuul user's SSH config, such that it can SSH as the kolla user, which has authorised this key. [1] https://blueprints.launchpad.net/kolla-ansible/+spec/ansible-specific-task-become Change-Id: I8f3587e2908bc5b8889cd6fbc01981a6186d33e6 --- tests/run.yml | 34 ++++++++++++++++++++++++++-------- tests/templates/inventory.j2 | 12 ++++++------ tools/setup_gate.sh | 8 ++++---- 3 files changed, 36 insertions(+), 18 deletions(-) diff --git a/tests/run.yml b/tests/run.yml index 3300329a11..39aed9a44c 100644 --- a/tests/run.yml +++ b/tests/run.yml @@ -89,12 +89,6 @@ when: scenario == "bifrost" delegate_to: "primary" - - name: copy passwords.yml file - copy: - src: "{{ kolla_ansible_full_src_dir }}/etc/kolla/passwords.yml" - dest: /etc/kolla/passwords.yml - delegate_to: "primary" - - name: ensure /etc/docker exists file: path: "/etc/docker" 
@@ -110,15 +104,39 @@ dest: "/etc/docker/daemon.json" become: true - - name: install kolla-ansible requirements pip: requirements: "{{ ansible_env.HOME }}/{{ kolla_ansible_src_dir }}/requirements.txt" become: true + - name: copy passwords.yml file + copy: + src: "{{ kolla_ansible_full_src_dir }}/etc/kolla/passwords.yml" + dest: /etc/kolla/passwords.yml + - name: generate passwords shell: "{{ kolla_ansible_src_dir }}/tools/generate_passwords.py" - delegate_to: "primary" + + - name: slurp kolla passwords + slurp: + src: /etc/kolla/passwords.yml + register: passwords_yml + + - name: write out kolla SSH private key + copy: + content: "{{ (passwords_yml.content | b64decode | from_yaml).kolla_ssh_key.private_key }}" + dest: ~/.ssh/id_rsa_kolla + mode: 0600 + + - name: authorise kolla public key for zuul user + authorized_key: + user: "{{ ansible_env.USER }}" + key: "{{ (passwords_yml.content | b64decode | from_yaml).kolla_ssh_key.public_key }}" + # Delegate to each host in turn. If more tasks require execution on all + # hosts in future, break out into a separate play. + with_inventory_hostnames: + - all + delegate_to: "{{ item }}" - name: generate ceph config overrides template: diff --git a/tests/templates/inventory.j2 b/tests/templates/inventory.j2 index 035e7402b6..f3ab5cb808 100644 --- a/tests/templates/inventory.j2 +++ b/tests/templates/inventory.j2 
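Review bot: The `slurp kolla passwords` task registers the whole of /etc/kolla/passwords.yml in `passwords_yml`, and nothing on it or on `write out kolla SSH private key` keeps that material out of the job output. Adding `no_log: true` to both tasks would stop the base64 content and the decoded key from being printed on failure or at higher verbosity. `mode: 0600` is safer written as `mode: "0600"`, so the permission does not depend on how the YAML loader treats a leading zero. The key is written to `~/.ssh/id_rsa_kolla`, while the inventory template in this patch builds the path from `ansible_env.HOME`; using `dest: "{{ ansible_env.HOME }}/.ssh/id_rsa_kolla"` here would keep the two in step. The play header is outside the hunk, so the host and user these tasks run as are not visible.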
@@ -2,32 +2,32 @@ # additional groups are for more control of the environment. [control] {% for host in hostvars %} -{{ host }} ansible_host={{ hostvars[host]['ansible_host'] }} ansible_become=true ansible_user={{ hostvars[host]['ansible_user'] }} +{{ host }} ansible_host={{ hostvars[host]['ansible_host'] }} ansible_user=kolla ansible_ssh_private_key_file={{ ansible_env.HOME ~ '/.ssh/id_rsa_kolla' }} {% endfor %} [network] {% for host in hostvars %} -{{ host }} ansible_host={{ hostvars[host]['ansible_host'] }} ansible_become=true ansible_user={{ hostvars[host]['ansible_user'] }} +{{ host }} ansible_host={{ hostvars[host]['ansible_host'] }} ansible_user=kolla ansible_ssh_private_key_file={{ ansible_env.HOME ~ '/.ssh/id_rsa_kolla' }} {% endfor %} [compute] {% for host in hostvars %} -{{ host }} ansible_host={{ hostvars[host]['ansible_host'] }} ansible_become=true ansible_user={{ hostvars[host]['ansible_user'] }} +{{ host }} ansible_host={{ hostvars[host]['ansible_host'] }} ansible_user=kolla ansible_ssh_private_key_file={{ ansible_env.HOME ~ '/.ssh/id_rsa_kolla' }} {% endfor %} [storage] {% for host in hostvars %} -{{ host }} ansible_host={{ hostvars[host]['ansible_host'] }} ansible_become=true ansible_user={{ hostvars[host]['ansible_user'] }} +{{ host }} ansible_host={{ hostvars[host]['ansible_host'] }} ansible_user=kolla ansible_ssh_private_key_file={{ ansible_env.HOME ~ '/.ssh/id_rsa_kolla' }} {% endfor %} [monitoring] {% for host in hostvars %} -{{ host }} ansible_host={{ hostvars[host]['ansible_host'] }} ansible_become=true ansible_user={{ hostvars[host]['ansible_user'] }} +{{ host }} ansible_host={{ hostvars[host]['ansible_host'] }} ansible_user=kolla ansible_ssh_private_key_file={{ ansible_env.HOME ~ '/.ssh/id_rsa_kolla' }} {% endfor %} [deployment] {% for host in hostvars %} -{{ host }} ansible_host={{ hostvars[host]['ansible_host'] }} ansible_become=true ansible_user={{ hostvars[host]['ansible_user'] }} +{{ host }} ansible_host={{ 
hostvars[host]['ansible_host'] }} ansible_user=kolla ansible_ssh_private_key_file={{ ansible_env.HOME ~ '/.ssh/id_rsa_kolla' }} {% endfor %} # You can explicitly specify which hosts run each project by updating the diff --git a/tools/setup_gate.sh b/tools/setup_gate.sh index bdb0ec6e4f..816394b3cb 100755 --- a/tools/setup_gate.sh +++ b/tools/setup_gate.sh @@ -98,11 +98,11 @@ host_key_checking = False EOF # Record the running state of the environment as seen by the setup module - ansible all -i ${RAW_INVENTORY} -m setup > /tmp/logs/ansible/initial-setup + ansible all -i ${RAW_INVENTORY} -e ansible_user=$USER -m setup > /tmp/logs/ansible/initial-setup } function setup_node { - ansible-playbook -i ${RAW_INVENTORY} tools/playbook-setup-nodes.yml + ansible-playbook -i ${RAW_INVENTORY} -e ansible_user=$USER tools/playbook-setup-nodes.yml } function prepare_images { @@ -141,7 +141,7 @@ function sanity_check { function test_openstack { # Create dummy interface for neutron - ansible -m shell -i ${RAW_INVENTORY} -a "ip l a fake_interface type dummy" all + ansible -m shell -i ${RAW_INVENTORY} -b -a "ip l a fake_interface type dummy" all #TODO(inc0): Post-deploy complains that /etc/kolla is not writable. Probably we need to include become there sudo chmod -R 777 /etc/kolla @@ -229,7 +229,7 @@ setup_ansible setup_config setup_node -tools/kolla-ansible -i ${RAW_INVENTORY} bootstrap-servers > /tmp/logs/ansible/bootstrap-servers +tools/kolla-ansible -i ${RAW_INVENTORY} -e ansible_user=$USER bootstrap-servers > /tmp/logs/ansible/bootstrap-servers prepare_images if [[ $ACTION != bifrost ]]; then
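Review bot: The same `ansible_user=kolla ansible_ssh_private_key_file={{ ansible_env.HOME ~ '/.ssh/id_rsa_kolla' }}` pair is now repeated on the host line of all six groups, so a later change to the user or key path has to be made in six places. An `[all:vars]` section with `ansible_user=kolla` and `ansible_ssh_private_key_file={{ ansible_env.HOME ~ '/.ssh/id_rsa_kolla' }}` would state the connection settings once and leave the host lines as `{{ host }} ansible_host=...`. The rest of the template lies outside the hunk, so this assumes no later group needs different credentials.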
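Review bot: `-e ansible_user=$USER` on the `-m setup` and `playbook-setup-nodes.yml` lines, and again on the `bootstrap-servers` line in the last hunk, overrides only the user. These commands presumably still take `ansible_ssh_private_key_file` from the rendered inventory and so log in as $USER with the kolla key, but nothing in the script records that dependency. A comment above `setup_node` would make it visible, for example `# Runs as $USER with the kolla key; relies on tests/run.yml authorising that key for $USER`. Quoting the argument as `-e "ansible_user=${USER}"` would also keep it a single word. The function containing the `-m setup` call starts outside the hunk.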
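Review bot: With this patch the `kolla_ssh_key` in /etc/kolla/passwords.yml becomes the login credential for every host in the inventory, yet the unchanged `sudo chmod -R 777 /etc/kolla` below the new `-b` call leaves that directory readable and writable by any local user, presumably on the same node. The TODO beside it already suspects a missing become, so this commit is a natural place to resolve it, for example by giving the directory to the deploying user instead of opening the mode. Whether post-deploy then passes cannot be seen from the hunk. `test_openstack` continues past the end of the hunk.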