Strictly specify become to only necessary Ansible task

Registered by Duong Ha-Quang on 2016-08-18

Add "become" (Ansible's privilege escalation mechanism) only to the Ansible tasks that need it. Users then do not need to escalate privileges for the whole host in the Ansible inventory or on the CLI, because some but not all tasks in a playbook need root privilege.
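
A playbook in the shape this blueprint describes, as an added example (constructed here, not taken from the kolla-ansible code base). The service name, the /etc/example-service path and the task names are hypothetical, and it assumes the kolla user and group already exist on the target hosts.

```yaml
---
# Constructed playbook for illustration; task names, the path and
# service_name are hypothetical, not kolla-ansible's own tasks.
- name: Deploy a service config as an unprivileged SSH user
  hosts: all
  # No play-level "become: true" here and no --become on the CLI:
  # every task runs as the connecting user unless it opts in below.
  vars:
    service_name: example-service   # hypothetical
    config_owner_user: kolla        # assumed to exist on the hosts
    config_owner_group: kolla
  tasks:
    - name: Read group membership of the connecting user (no root needed)
      ansible.builtin.command: id -nG
      register: user_groups
      changed_when: false

    - name: Fail early if the connecting user is not in the docker group
      ansible.builtin.assert:
        that: "'docker' in user_groups.stdout.split()"
        fail_msg: "{{ ansible_user_id }} must be in the docker group"

    - name: Create the config directory (root needed to write under /etc)
      become: true
      ansible.builtin.file:
        path: "/etc/{{ service_name }}"
        state: directory
        owner: "{{ config_owner_user }}"
        group: "{{ config_owner_group }}"
        mode: "0770"

    - name: Copy the service config (root needed, ownership handed back)
      become: true
      ansible.builtin.copy:
        content: "[DEFAULT]\n"
        dest: "/etc/{{ service_name }}/{{ service_name }}.conf"
        owner: "{{ config_owner_user }}"
        group: "{{ config_owner_group }}"
        mode: "0660"
```

Only the two tasks that write under /etc escalate; the group check runs with the connecting user's own privileges, so a failure there shows up before any root-level change is made.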

Blueprint information

Status:
Complete
Approver:
Steven Dake
Priority:
Essential
Drafter:
Duong Ha-Quang
Direction:
Approved
Assignee:
Duong Ha-Quang
Definition:
Approved
Series goal:
Accepted for ocata
Implementation:
Implemented
Milestone target:
queens-2
Started by
Duong Ha-Quang
Completed by
Jeffrey Zhang

Whiteboard

Hi Duong, I just did some test runs of this and see one or two issues:

* Task '[cinder : Copying over cinder-wsgi.conf]' fails (http://paste.openstack.org/show/724301/)
* Task '[nova : Running Nova bootstrap container]' fails (http://paste.openstack.org/show/724302/)
* I also see reference in the docs to config_owner_user and config_owner_group in globals.yml, but can't see these in globals.yml itself?

FYI, the way I set up my user was the following:

ansible -i ~/multinode -a 'useradd testuser' all
ansible -i ~/multinode -a 'usermod -a -G wheel testuser' all
ansible -i ~/multinode -a 'usermod -a -G docker testuser' all
< setup ssh keys >

These are the main things I tripped over, unsure if there are others lurking. To really round out this task do you think we could update the gates to run as non root? That way we can be sure we're testing it and using best practice.

- pbourke

---

Related document:
http://docs.ansible.com/ansible/become.html

Gerrit topic: https://review.openstack.org/#q,topic:bp/ansible-specific-task-become,n,z

Addressed by: https://review.openstack.org/358374
    [wip] Add Ansible become to quick start guide

Addressed by: https://review.openstack.org/358432
    Check if ansible_user is in docker group

Addressed by: https://review.openstack.org/398682
    Specify 'become' to necessary tasks (general roles)

Addressed by: https://review.openstack.org/398684
    Specify 'become' for only necessary tasks (default roles)

Addressed by: https://review.openstack.org/398685
    Specify 'become' for only necessary tasks (all other roles)

Addressed by: https://review.openstack.org/511665
    Use root as the default node config user

Addressed by: https://review.openstack.org/516492
    Add become for fluentd create config directory task

Addressed by: https://review.openstack.org/552445
    Specify 'become' for only necessary tasks (Queens roles)

Addressed by: https://review.openstack.org/553142
    Add documentation for Ansible become feature

Addressed by: https://review.openstack.org/571090
    Specify 'become' for all tasks that use kolla_docker module

Work Items

Work items:
[duonghq] Update document: DONE
[duonghq] Make sure ansible_ssh_user in docker group (only check): DONE
[duonghq] General roles (common, prechecks): DONE
[duonghq] General modules (memcached, iscsi, mariadb, mongodb): DONE
[duonghq] Core modules: (nova, neutron, keystone): DONE
[duonghq] Other modules: DONE
[duonghq] Change owner of configuration file to kolla/kolla or user specify: DONE
