Removed Ansible become from Conmon install

This commit changes the conmon install playbook as well as the required tasks and handlers to use become instead of having the whole playbook run as root by ansible_become. The playbook has been tested against my own cloud. https://trello.com/c/KBFbahdV/38-ansible-remove-ansible-become-from-vars-and-use-become-instead Change-Id: Icf89451371dd9fc5da9880d6a00ae91c88011970
2016-07-20 09:40:43 -04:00 · 2016-07-20 09:40:43 -04:00 · cd3a910ac0
commit cd3a910ac0
parent cd09901a99
12 changed files with 39 additions and 9 deletions
--- a/ansible/install/connmon.yml
+++ b/ansible/install/connmon.yml
@ -6,7 +6,6 @@
 - hosts: undercloud
  remote_user: "{{ local_remote_user }}"
  vars:
-    ansible_become: true
    undercloud: true
  roles:
  - common
@ -15,7 +14,6 @@
 - hosts: controller
  remote_user: "{{ host_remote_user }}"
  vars:
-    ansible_become: true
    undercloud: false
  roles:
  - common
--- a/ansible/install/roles/cinder/handlers/main.yml
+++ b/ansible/install/roles/cinder/handlers/main.yml
@ -5,6 +5,7 @@

 - name: unmanage cinder services
  command: pcs resource unmanage {{ item }}
+  become: true
  with_items:
    - openstack-cinder-api
    - openstack-cinder-scheduler
@ -13,6 +14,7 @@

 - name: restart cinder services
  service: name={{ item }} state=restarted
+  become: true
  with_items:
    - openstack-cinder-api
    - openstack-cinder-scheduler
@ -20,6 +22,7 @@

 - name: manage cinder services
  command: pcs resource manage {{ item }}
+  become: true
  with_items:
    - openstack-cinder-api
    - openstack-cinder-scheduler
@ -28,6 +31,7 @@

 - name: cleanup cinder services
  command: pcs resource cleanup {{ item }}
+  become: true
  with_items:
    - openstack-cinder-api
    - openstack-cinder-scheduler
--- a/ansible/install/roles/cinder/tasks/main.yml
+++ b/ansible/install/roles/cinder/tasks/main.yml
@ -6,12 +6,14 @@
 - name: Check for connmon in cinder.conf
  shell: grep -Eq 'connection\s?=\s?mysql:' /etc/cinder/cinder.conf
  register: cinder_mysql
+  become: true
  ignore_errors: true
  changed_when: false

 - name: Enable Connmon in cinder.conf
  shell: sed -i 's/mysql:/mysql+connmon:/g' /etc/cinder/cinder.conf
  when: cinder_mysql.rc == 0
+  become: true
  notify:
    - unmanage cinder services
    - restart cinder services
--- a/ansible/install/roles/connmon/tasks/main.yml
+++ b/ansible/install/roles/connmon/tasks/main.yml
@ -5,9 +5,11 @@

 - name: Install pip
  easy_install: name=pip
+  become: true

 - name: Install connmon
  pip: name=connmon
+  become: true

 #
 # Connmon Setup
@ -20,9 +22,11 @@
    owner: root
    group: root
    mode: 0644
+  become: true

 - name: Install Screen for connmon
  yum: name=screen state=latest
+  become: true
  when: undercloud

 # To remove the screen session: screen -X -S connmond kill
@ -31,12 +35,6 @@
  when: undercloud
  changed_when: false

- name: Change connmon result owner
-  command: chown "{{ local_remote_user }}":"{{ local_remote_user }}" /tmp/connmon_results.csv
-  when: undercloud
-  changed_when: false
-  ignore_errors: true
-
 ### begin firewall ###
 # we need TCP/5555 open
 # determine firewall status and take action
@ -76,8 +74,9 @@
 - name: (connmon) check firewall rules for TCP/{{connmon_port}} (iptables-services)
  shell: grep "dport {{connmon_port}} \-j ACCEPT" /etc/sysconfig/iptables | wc -l
  ignore_errors: true
+  become: true
  register: iptables_tcp5800_exists
-  failed_when: iptables_tcp{{connmon_port}}_exists == 127
+  failed_when: iptables_tcp{{connmon_port}}_exists == 127i
  no_log: true

 - name: (connmon) Add firewall rule for TCP/{{connmon_port}} (iptables-services)
@ -87,12 +86,14 @@
    regexp: '^INPUT -i lo -j ACCEPT'
    insertbefore: '-A INPUT -i lo -j ACCEPT'
    backup: yes
+  become: true
  when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_tcp5800_exists.stdout|int == 0
  register: iptables_needs_restart

 - name: (connmon) Restart iptables-services for TCP/{{connmon_port}} (iptables-services)
  shell: systemctl restart iptables.service
  ignore_errors: true
+  become: true
  when: iptables_needs_restart != 0 and firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0

 ### end firewall ###
--- a/ansible/install/roles/heat/handlers/main.yml
+++ b/ansible/install/roles/heat/handlers/main.yml
@ -5,6 +5,7 @@
 #
 - name: unmanage heat services
  command: pcs resource unmanage {{ item }}
+  become: true
  with_items:
    - openstack-heat-api
    - openstack-heat-engine
@ -12,12 +13,14 @@

 - name: restart heat services
  service: name={{ item }} state=restarted
+  become: true
  with_items:
    - openstack-heat-api
    - openstack-heat-engine

 - name: manage heat services
  command: pcs resource manage {{ item }}
+  become: true
  with_items:
    - openstack-heat-api
    - openstack-heat-engine
@ -25,6 +28,7 @@

 - name: cleanup heat services
  command: pcs resource cleanup {{ item }}
+  become: true
  with_items:
    - openstack-heat-api
    - openstack-heat-engine
--- a/ansible/install/roles/heat/tasks/main.yml
+++ b/ansible/install/roles/heat/tasks/main.yml
@ -5,12 +5,14 @@
 - name: Check for connmon in heat.conf
  shell: grep -Eq 'connection\s?=\s?mysql:' /etc/heat/heat.conf
  register: heat_mysql
+  become: true
  ignore_errors: true
  changed_when: false

 - name: Enable Connmon in heat.conf
  shell: sed -i 's/mysql:/mysql+connmon:/g' /etc/heat/heat.conf
  when: heat_mysql.rc == 0
+  become: true
  notify:
    - unmanage heat services
    - restart heat services
--- a/ansible/install/roles/keystone/handlers/main.yml
+++ b/ansible/install/roles/keystone/handlers/main.yml
@ -10,6 +10,7 @@
 - name: restart httpd
  service: name=httpd state=restarted
  when: "'httpd' == '{{ keystone_deployment }}'"
+  become: true

 #
 # Restart keystone when in eventlet
@ -18,18 +19,22 @@
 - name: unmanage keystone
  command: pcs resource unmanage openstack-keystone
  when: "'eventlet' == '{{ keystone_deployment }}'"
+  become: true
  ignore_errors: true

 - name: restart keystone
  service: name=openstack-keystone state=restarted
  when: "'eventlet' == '{{ keystone_deployment }}'"
+  become: true

 - name: manage keystone
  command: pcs resource manage openstack-keystone
  when: "'eventlet' == '{{ keystone_deployment }}'"
+  become: true
  ignore_errors: true

 - name: cleanup keystone
  command: pcs resource cleanup openstack-keystone
  when: "'eventlet' == '{{ keystone_deployment }}'"
+  become: true
  ignore_errors: true
--- a/ansible/install/roles/keystone/tasks/main.yml
+++ b/ansible/install/roles/keystone/tasks/main.yml
@ -24,12 +24,14 @@
 - name: Check for connmon in keystone.conf
  shell: grep -Eq 'connection\s?=\s?mysql:' /etc/keystone/keystone.conf
  register: keystone_mysql
+  become: true
  ignore_errors: true
  changed_when: false

 - name: Enable connmon in keystone.conf
  shell: sed -i 's/mysql:/mysql+connmon:/g' /etc/keystone/keystone.conf
  when: keystone_mysql.rc == 0
+  become: true
  notify:
    - restart httpd
    - unmanage keystone
--- a/ansible/install/roles/neutron/handlers/main.yml
+++ b/ansible/install/roles/neutron/handlers/main.yml
@ -5,15 +5,19 @@

 - name: unmanage neutron-server
  command: pcs resource unmanage neutron-server
+  become: true
  ignore_errors: true

 - name: restart neutron-server
  service: name=neutron-server state=restarted
+  become: true

 - name: manage neutron-server
  command: pcs resource manage neutron-server
+  become: true
  ignore_errors: true

 - name: cleanup neutron-server
  command: pcs resource cleanup neutron-server
+  become: true
  ignore_errors: true
--- a/ansible/install/roles/neutron/tasks/main.yml
+++ b/ansible/install/roles/neutron/tasks/main.yml
@ -6,12 +6,14 @@
 - name: Check for connmon in neutron.conf
  shell: grep -Eq 'connection\s?=\s?mysql:' /etc/neutron/neutron.conf
  register: neutron_mysql
+  become: true
  ignore_errors: true
  changed_when: false

 - name: Enable Connmon in neutron.conf
  shell: sed -i 's/mysql:/mysql+connmon:/g' /etc/neutron/neutron.conf
  when: neutron_mysql.rc == 0
+  become: true
  notify:
    - unmanage neutron-server
    - restart neutron-server
--- a/ansible/install/roles/nova/handlers/main.yml
+++ b/ansible/install/roles/nova/handlers/main.yml
@ -5,6 +5,7 @@

 - name: unmanage nova services
  command: pcs resource unmanage {{ item }}
+  become: true
  with_items:
    - openstack-nova-api
    - openstack-nova-scheduler
@ -13,6 +14,7 @@

 - name: restart nova services
  service: name={{ item }} state=restarted
+  become: true
  with_items:
    - openstack-nova-api
    - openstack-nova-scheduler
@ -20,6 +22,7 @@

 - name: manage nova services
  command: pcs resource manage {{ item }}
+  become: true
  with_items:
    - openstack-nova-api
    - openstack-nova-scheduler
@ -28,6 +31,7 @@

 - name: cleanup nova services
  command: pcs resource cleanup {{ item }}
+  become: true
  with_items:
    - openstack-nova-api
    - openstack-nova-scheduler
--- a/ansible/install/roles/nova/tasks/main.yml
+++ b/ansible/install/roles/nova/tasks/main.yml
@ -6,12 +6,14 @@
 - name: Check for connmon in nova.conf
  shell: grep -Eq 'connection\s?=\s?mysql:' /etc/nova/nova.conf
  register: nova_mysql
+  become: true
  ignore_errors: true
  changed_when: false

 - name: Enable Connmon in nova.conf
  shell: sed -i 's/mysql:/mysql+connmon:/g' /etc/nova/nova.conf
  when: nova_mysql.rc == 0
+  become: true
  notify:
    - unmanage nova services
    - restart nova services