From 4652c2970682a4dcc92c81c36a327960e13e4c1d Mon Sep 17 00:00:00 2001
From: Mark Goddard <mark@stackhpc.com>
Date: Thu, 16 Mar 2017 10:55:50 +0000
Subject: [PATCH] Improve permissions around Kolla configuration.

Make ansible_user own files so we don't need to be root.
Files are no longer world-readable.
---
 ansible/roles/kolla-ansible/tasks/config.yml  | 10 ++++----
 ansible/roles/kolla-ansible/tasks/install.yml | 24 +++++++++++++------
 ansible/roles/kolla-bifrost/tasks/config.yml  |  6 ++---
 ansible/roles/kolla-bifrost/tasks/install.yml | 19 ++++++++-------
 ansible/roles/kolla-build/tasks/main.yml      |  1 -
 .../roles/kolla-openstack/tasks/config.yml    |  8 +++----
 ansible/roles/kolla/tasks/config.yml          |  4 +++-
 ansible/roles/kolla/tasks/install.yml         | 20 +++++++++-------
 8 files changed, 53 insertions(+), 39 deletions(-)

diff --git a/ansible/roles/kolla-ansible/tasks/config.yml b/ansible/roles/kolla-ansible/tasks/config.yml
index 1f9e9fd3..1223061a 100644
--- a/ansible/roles/kolla-ansible/tasks/config.yml
+++ b/ansible/roles/kolla-ansible/tasks/config.yml
@@ -3,7 +3,9 @@
   file:
     path: "{{ item }}"
     state: directory
-    mode: 0755
+    owner: "{{ ansible_user }}"
+    group: "{{ ansible_user }}"
+    mode: 0750
   become: True
   with_items:
     - "{{ kolla_config_path }}"
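Review bot: The new `owner: "{{ ansible_user }}"` / `group: "{{ ansible_user }}"` lines rely on a variable that is typically defined only when the connection user is set explicitly in inventory, group_vars or ansible.cfg; on a host that uses the default login user the template raises an undefined-variable error. The gathered facts `ansible_user_id` and `ansible_user_gid` describe the actual login user regardless, so `owner: "{{ ansible_user_id }}"` with `group: "{{ ansible_user_gid }}"` is the safer choice here and in the matching lines of kolla/tasks/config.yml and the three install.yml hunks. Separately, `mode: 0750` and `mode: 0640` are unquoted octal literals throughout the patch; YAML 1.1 reads them as ints (0750 becomes 488) which Ansible maps back correctly, but a later edit that drops the leading zero becomes decimal and silently sets the wrong bits, so quote them as `mode: "0750"` and `mode: "0640"`. The task's `name:` line is above the hunk.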
@@ -14,8 +16,7 @@
   template:
     src: "{{ item.src }}"
     dest: "{{ kolla_config_path }}/{{ item.dest }}"
-    mode: 0644
-  become: True
+    mode: 0640
   with_items:
     - { src: seed.j2, dest: inventory/seed }
     - { src: overcloud.j2, dest: inventory/overcloud }
@@ -29,9 +30,9 @@
 - name: Generate Kolla passwords
   shell: >
     cp {{ kolla_ansible_install_dir }}/etc_examples/kolla/passwords.yml {{ kolla_config_path }}/passwords.yml.generated
+    && chmod 640 {{ kolla_config_path }}/passwords.yml.generated
     && {{ kolla_venv }}/bin/kolla-genpwd -p {{ kolla_config_path }}/passwords.yml.generated
     && mv {{ kolla_config_path }}/passwords.yml.generated {{ kolla_config_path }}/passwords.yml
-  become: True
   when: not kolla_passwords_stat.stat.exists
 
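Review bot: Between the `cp` on the first line and the new `chmod 640`, passwords.yml.generated exists with the permissions given by the login user's umask, so for a brief window it can be world-readable if that umask is permissive. Creating the copy with the mode already restricted closes that window: replace the `cp` and `chmod` pair with `install -m 0640 {{ kolla_ansible_install_dir }}/etc_examples/kolla/passwords.yml {{ kolla_config_path }}/passwords.yml.generated`. Whether kolla-genpwd rewrites the file in place or replaces it (which would reset the mode again) is not visible here and is worth confirming before relying on the chmod. With `become` dropped the result is owned by the login user, which matches the commit's intent.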
 - name: Read the Kolla passwords file
@@ -44,5 +45,4 @@
   copy:
     content: "{{ passwords_result.content | b64decode | from_yaml | combine(kolla_ansible_custom_passwords) | to_nice_yaml }}"
     dest: "{{ kolla_config_path }}/passwords.yml"
-  become: True
   when: "{{ kolla_ansible_custom_passwords }}"
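Review bot: The `copy` task that merges custom passwords into passwords.yml sets no `mode`, so after this commit its permissions depend on how the copy module treats an existing destination rather than on anything stated in the task; add `mode: 0640` next to `dest:` so the merged file stays group-readable only regardless of how the earlier generate task created it. This is the same content the previous hunk worked to protect, so it deserves the same explicit mode. The task's `name:` line is above the hunk.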
diff --git a/ansible/roles/kolla-ansible/tasks/install.yml b/ansible/roles/kolla-ansible/tasks/install.yml
index 9167f9b1..ab190d27 100644
--- a/ansible/roles/kolla-ansible/tasks/install.yml
+++ b/ansible/roles/kolla-ansible/tasks/install.yml
@@ -13,13 +13,15 @@
     - python-pip
     - python-virtualenv
 
-- name: Ensure the latest version of pip is installed
-  pip:
-    name: "{{ item.name }}"
-    state: latest
-    virtualenv: "{{ kolla_venv }}"
-  with_items:
-    - { name: pip }
+- name: Ensure source code checkout path exists
+  file:
+    path: "{{ source_checkout_path }}"
+    state: directory
+    owner: "{{ ansible_user }}"
+    group: "{{ ansible_user }}"
+    recurse: True
+  become: True
+  when: "{{ kolla_ctl_install_type == 'source' }}"
 
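Review bot: `recurse: True` combined with the new `owner`/`group` on this `file` task makes the escalated run chown everything under `source_checkout_path`, not just the directory itself; if that path is shared with anything this role does not manage, the ownership of unrelated files changes silently. If the intent is only to create the directory with the right owner, drop `recurse: True`; if the recursion is deliberate, a comment such as `# recurse: existing checkouts below must become writable by the login user` would document it. The same pattern appears in the kolla-bifrost/tasks/install.yml and kolla/tasks/install.yml hunks. The new `when: "{{ kolla_ctl_install_type == 'source' }}"` wraps the condition in Jinja delimiters, which Ansible warns against; write it as `when: kolla_ctl_install_type == 'source'`.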
 - name: Ensure Kolla Ansible source code checkout exists
   git:
@@ -28,6 +30,14 @@
     version: "{{ kolla_ansible_source_version }}"
   when: "{{ kolla_ctl_install_type == 'source' }}"
 
+- name: Ensure the latest version of pip is installed
+  pip:
+    name: "{{ item.name }}"
+    state: latest
+    virtualenv: "{{ kolla_venv }}"
+  with_items:
+    - { name: pip }
+
 - name: Ensure required Python packages are installed
   pip:
     name: "{{ item.name }}"
diff --git a/ansible/roles/kolla-bifrost/tasks/config.yml b/ansible/roles/kolla-bifrost/tasks/config.yml
index eae1faf6..9469bff2 100644
--- a/ansible/roles/kolla-bifrost/tasks/config.yml
+++ b/ansible/roles/kolla-bifrost/tasks/config.yml
@@ -3,15 +3,13 @@
   file:
     path: "{{ kolla_node_custom_config_path }}/bifrost"
     state: directory
-    mode: 0755
-  become: True
+    mode: 0750
 
 - name: Ensure the Kolla Bifrost configuration files exist
   template:
     src: "{{ item.src }}"
     dest: "{{ kolla_node_custom_config_path }}/bifrost/{{ item.dest }}"
-    mode: 0644
-  become: True
+    mode: 0640
   with_items:
     - { src: bifrost.yml.j2, dest: bifrost.yml }
     - { src: dib.yml.j2, dest: dib.yml }
diff --git a/ansible/roles/kolla-bifrost/tasks/install.yml b/ansible/roles/kolla-bifrost/tasks/install.yml
index 82a2e48a..e5cef199 100644
--- a/ansible/roles/kolla-bifrost/tasks/install.yml
+++ b/ansible/roles/kolla-bifrost/tasks/install.yml
@@ -12,19 +12,14 @@
     - python-pip
     - python-virtualenv
 
-- name: Ensure the latest version of pip is installed
-  pip:
-    name: "{{ item.name }}"
-    state: latest
-    virtualenv: "{{ kolla_bifrost_venv }}"
-  with_items:
-    - { name: pip }
-
 - name: Ensure source code checkout path exists
   file:
     path: "{{ source_checkout_path }}"
     state: directory
+    owner: "{{ ansible_user }}"
+    group: "{{ ansible_user }}"
     recurse: True
+  become: True
 
 - name: Ensure Bifrost source code checkout exists
   git:
@@ -32,6 +27,14 @@
     dest: "{{ source_checkout_path }}/bifrost"
     version: "{{ kolla_bifrost_source_version }}"
 
+- name: Ensure the latest version of pip is installed
+  pip:
+    name: "{{ item.name }}"
+    state: latest
+    virtualenv: "{{ kolla_bifrost_venv }}"
+  with_items:
+    - { name: pip }
+
 - name: Ensure required Python packages are installed
   pip:
     name: "{{ item.name }}"
diff --git a/ansible/roles/kolla-build/tasks/main.yml b/ansible/roles/kolla-build/tasks/main.yml
index e4eac152..875acdf1 100644
--- a/ansible/roles/kolla-build/tasks/main.yml
+++ b/ansible/roles/kolla-build/tasks/main.yml
@@ -4,7 +4,6 @@
     src: "{{ item.src }}"
     dest: "{{ kolla_config_path }}/{{ item.dest }}"
     mode: 0644
-  become: True
   with_items:
     - { src: kolla-build.conf.j2, dest: kolla-build.conf }
     - { src: template-override.j2.j2, dest: template-override.j2 }
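Review bot: The kolla-build.conf and template-override outputs keep `mode: 0644`, so this is the one configuration task in the patch whose files stay world-readable, which is at odds with the commit message's "Files no longer world readable". If kolla-build.conf can carry registry credentials or other non-public settings, tighten it to `mode: 0640` like the other config tasks; if it is deliberately left readable, a short comment saying why would stop the next reader from re-raising this. The `template:` and `name:` lines of the task are above the hunk.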
diff --git a/ansible/roles/kolla-openstack/tasks/config.yml b/ansible/roles/kolla-openstack/tasks/config.yml
index 0f2c7e46..0bc69f50 100644
--- a/ansible/roles/kolla-openstack/tasks/config.yml
+++ b/ansible/roles/kolla-openstack/tasks/config.yml
@@ -3,8 +3,7 @@
   file:
     path: "{{ kolla_node_custom_config_path }}/{{ item.name }}"
     state: directory
-    mode: 0755
-  become: True
+    mode: 0750
   with_items:
     - { name: ironic, enabled: "{{ kolla_enable_ironic }}" }
     - { name: swift, enabled: "{{ kolla_enable_swift }}" }
@@ -14,8 +13,7 @@
   template:
     src: "{{ item.src }}"
     dest: "{{ kolla_node_custom_config_path }}/{{ item.dest }}"
-    mode: 0644
-  become: True
+    mode: 0640
   with_items:
     - { src: glance.conf.j2, dest: glance.conf, enabled: "{{ kolla_enable_glance }}" }
     - { src: ironic.conf.j2, dest: ironic.conf, enabled: "{{ kolla_enable_ironic }}" }
@@ -28,7 +26,7 @@
   get_url:
     url: "{{ item.url }}"
     dest: "{{ kolla_node_custom_config_path }}/ironic/{{ item.dest }}"
-  become: True
+    mode: 0640
   with_items:
     - { url: "{{ kolla_inspector_ipa_kernel_upstream_url }}", dest: "ironic-agent.kernel" }
     - { url: "{{ kolla_inspector_ipa_ramdisk_upstream_url }}", dest: "ironic-agent.initramfs" }
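Review bot: The added `mode: 0640` controls who can read the downloaded IPA kernel and ramdisk, but nothing in the task verifies what was downloaded; since these images are later booted on bare-metal nodes, pinning them with get_url's `checksum:` option (for example `checksum: "sha256:<expected digest>"` alongside the url in each item) would catch a tampered or truncated download. Whether the upstream URLs are served over TLS is not visible here. The task's `name:` line is above the hunk.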
diff --git a/ansible/roles/kolla/tasks/config.yml b/ansible/roles/kolla/tasks/config.yml
index f139a953..1aac76b0 100644
--- a/ansible/roles/kolla/tasks/config.yml
+++ b/ansible/roles/kolla/tasks/config.yml
@@ -3,7 +3,9 @@
   file:
     path: "{{ item }}"
     state: directory
-    mode: 0755
+    owner: "{{ ansible_user }}"
+    group: "{{ ansible_user }}"
+    mode: 0750
   become: True
   with_items:
     - "{{ kolla_config_path }}"
diff --git a/ansible/roles/kolla/tasks/install.yml b/ansible/roles/kolla/tasks/install.yml
index 8e4cde0f..c7ec465e 100644
--- a/ansible/roles/kolla/tasks/install.yml
+++ b/ansible/roles/kolla/tasks/install.yml
@@ -12,19 +12,15 @@
     - python-pip
     - python-virtualenv
 
-- name: Ensure the latest version of pip is installed
-  pip:
-    name: "{{ item.name }}"
-    state: latest
-    virtualenv: "{{ kolla_venv }}"
-  with_items:
-    - { name: pip }
-
 - name: Ensure source code checkout path exists
   file:
     path: "{{ source_checkout_path }}"
     state: directory
+    owner: "{{ ansible_user }}"
+    group: "{{ ansible_user }}"
     recurse: True
+  become: True
+  when: "{{ kolla_ctl_install_type == 'source' }}"
 
 - name: Ensure Kolla source code checkout exists
   git:
@@ -33,6 +29,14 @@
     version: "{{ kolla_source_version }}"
   when: "{{ kolla_ctl_install_type == 'source' }}"
 
+- name: Ensure the latest version of pip is installed
+  pip:
+    name: "{{ item.name }}"
+    state: latest
+    virtualenv: "{{ kolla_venv }}"
+  with_items:
+    - { name: pip }
+
 - name: Ensure required Python packages are installed
   pip:
     name: "{{ item.name }}"
-- 
GitLab