From 50e04bb06fe27c0d0e39adda7b8ac4dddc428581 Mon Sep 17 00:00:00 2001
From: Mark Goddard <mark@stackhpc.com>
Date: Wed, 6 Oct 2021 15:07:27 +0100
Subject: [PATCH] Drop become in stackhpc.libvirt-vm for seed vm provision

Prior to this change, the seed VM was provisioned using the
stackhpc.libvirt-vm role with become=true. This resulted in the cached
image being owned by root. The infra VM provisioning uses
stackhpc.libvirt-vm without become=true. If an infra VM uses the same
image as the seed, this can lead to permission denied errors when
downloading a new image of the same name.

This change adds a workaround to fix up the ownership of the cached
image during infra VM provisioning to avoid this issue.

This change also drops become=true from stackhpc.libvirt-vm during seed
VM provisioning, and adds the same workaround there.

Story: 2009277
Task: 43534

Change-Id: Iade0d74cdb398365a567dbdc4b23de2416f3726d
---
 ansible/roles/infra-vms/tasks/deploy.yml      | 20 ++++++++++++++++++
 ansible/seed-vm-provision.yml                 | 21 ++++++++++++++++++-
 .../notes/story-2009277-84c381a562244fab.yaml |  6 ++++++
 3 files changed, 46 insertions(+), 1 deletion(-)
 create mode 100644 releasenotes/notes/story-2009277-84c381a562244fab.yaml

diff --git a/ansible/roles/infra-vms/tasks/deploy.yml b/ansible/roles/infra-vms/tasks/deploy.yml
index 71268061..e5199178 100644
--- a/ansible/roles/infra-vms/tasks/deploy.yml
+++ b/ansible/roles/infra-vms/tasks/deploy.yml
@@ -49,6 +49,26 @@
     mime: False
   register: stat_result
 
+# NOTE(mgoddard): Prior to the Xena release, the seed VM was provisioned using
+# the stackhpc.livirt-vm role with become=true. This resulted in the cached
+# image being owned by root. Since Xena, we execute the role without
+# become=true. Correct the image ownership to avoid a permission denied error
+# when downloading a new image of the same name.
+- name: "[{{ vm_name }}] Stat image files"
+  stat:
+    path: "{{ image_cache_path }}/{{ item.image | basename }}"
+  with_items: "{{ vm_hostvars.infra_vm_volumes | selectattr('image', 'defined') }}"
+  register: image_stat_result
+
+- name: "[{{ vm_name }}] Fix image ownership"
+  file:
+    path: "{{ image_cache_path }}/{{ item.item.image | basename }}"
+    owner: "{{ ansible_facts.user_uid }}"
+    group: "{{ ansible_facts.user_gid }}"
+  with_items: "{{ image_stat_result.results }}"
+  when: item.stat.exists
+  become: true
+
 - name: "[{{ vm_name }}] Ensure that the VM is provisioned"
   include_role:
     name: stackhpc.libvirt-vm
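Review bot: The "Fix image ownership" task at the end of this hunk escalates with `become: true` for every cached image that exists, including ones already owned by the running user, although the preceding `stat` result already exposes the current owner; narrowing the guard to `when: item.stat.exists and item.stat.uid != ansible_facts.user_uid` keeps the privileged chown to the root-owned case the commit describes and avoids a needless sudo on every run. The `file` module follows symlinks by default, so if a cache entry were ever a symlink the ownership change would land on its target rather than the link; `follow: false` would pin it to the cached file itself, if that is the intent. The NOTE comment also spells the role as `stackhpc.livirt-vm`; it should read `stackhpc.libvirt-vm` to match the `include_role` name directly below. The same two tasks and comment are added in the `ansible/seed-vm-provision.yml` hunk and the same points apply there.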
diff --git a/ansible/seed-vm-provision.yml b/ansible/seed-vm-provision.yml
index 28447988..ea547fd7 100644
--- a/ansible/seed-vm-provision.yml
+++ b/ansible/seed-vm-provision.yml
@@ -29,6 +29,26 @@
         group: "{{ ansible_facts.user_gid }}"
       become: True
 
+    # NOTE(mgoddard): Prior to the Xena release, the seed VM was provisioned
+    # using the stackhpc.livirt-vm role with become=true. This resulted in the
+    # cached image being owned by root. Since Xena, we execute the role without
+    # become=true. Correct the image ownership to avoid a permission denied
+    # error when downloading a new image of the same name.
+    - name: Stat image files
+      stat:
+        path: "{{ image_cache_path }}/{{ item.image | basename }}"
+      with_items: "{{ hostvars[seed_host].seed_vm_volumes | selectattr('image', 'defined') }}"
+      register: image_stat_result
+
+    - name: Fix image ownership
+      file:
+        path: "{{ image_cache_path }}/{{ item.item.image | basename }}"
+        owner: "{{ ansible_facts.user_uid }}"
+        group: "{{ ansible_facts.user_gid }}"
+      with_items: "{{ image_stat_result.results }}"
+      when: item.stat.exists
+      become: true
+
   roles:
     - role: jriguera.configdrive
       # For now assume the VM OS family is the same as the hypervisor's.
@@ -99,7 +119,6 @@
           volumes: "{{ hostvars[seed_host].seed_vm_volumes + [seed_vm_configdrive_volume] }}"
           interfaces: "{{ hostvars[seed_host].seed_vm_interfaces }}"
           console_log_enabled: true
-      become: True
 
   tasks:
     - name: Wait for SSH access to the seed VM
diff --git a/releasenotes/notes/story-2009277-84c381a562244fab.yaml b/releasenotes/notes/story-2009277-84c381a562244fab.yaml
new file mode 100644
index 00000000..f7d5d6ad
--- /dev/null
+++ b/releasenotes/notes/story-2009277-84c381a562244fab.yaml
@@ -0,0 +1,6 @@
+---
+fixes:
+  - |
+    Fixes an issue where cached seed VM images are unnecessarily owned by root.
+    See `story 2009277 <https://storyboard.openstack.org/#!/story/2009277>`__
+    for details.
-- 
GitLab