diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml
index 853e0bdcf2d62dab6d189d4f3ed53bf14c00827e..508553abaa3d7f3ae1954a44ecc083da81494501 100644
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@@ -15,6 +15,10 @@ project: ""
 # The directory to store the config files on the destination node
 node_config_directory: "/etc/kolla/{{ project }}"
 
+# The group which own node_config_directory
+config_owner_user: "kolla"
+config_owner_group: "kolla"
+
 
 ###################
 # Kolla options
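Review bot: The added comment above `config_owner_user` and `config_owner_group` mentions only a group, and it does not say that both names must already exist on the target hosts, which the new `user_checks.yml` prechecks in this commit enforce with `getent`. I would word it as `# The user and group which own node_config_directory; both must already exist on the target nodes`. Nothing visible in this commit creates the `kolla` user or group, so a fresh host would presumably fail prechecks with these defaults.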
diff --git a/ansible/post-deploy.yml b/ansible/post-deploy.yml
index 2f5ad7669dba99638681a8799ae6b8009d3a6377..1cecaf1faa45bae7fae822671d75552b6f7e5adc 100644
--- a/ansible/post-deploy.yml
+++ b/ansible/post-deploy.yml
@@ -1,6 +1,7 @@
 ---
 - name: Creating admin openrc file on the deploy node
   hosts: localhost
+  become: true
   tasks:
     - template:
         src: "roles/common/templates/admin-openrc.sh.j2"
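Review bot: `become: true` is set on the whole play here rather than on the task that needs it, so every task in the play runs escalated, which is at odds with the release note's "only necessary tasks". The file being written is an admin openrc, which judging by its name holds admin credentials, and under become it will be created by root with the default mode; the visible lines set neither `owner` nor `mode`. I would move `become: true` onto the template task and add an explicit `mode: "0600"` together with the intended `owner`. The task body continues outside the hunk, so this may already be covered there.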
diff --git a/ansible/roles/certificates/tasks/generate.yml b/ansible/roles/certificates/tasks/generate.yml
index b0014e13aab9056e2281153b173019d2ad74ceb4..d981e5a6d16360dd714cbcaafa5601ec6d1b1b1c 100644
--- a/ansible/roles/certificates/tasks/generate.yml
+++ b/ansible/roles/certificates/tasks/generate.yml
@@ -1,5 +1,6 @@
 ---
 - name: Ensuring config directories exist
+  become: true
   file:
     path: "{{ node_config_directory }}/{{ item }}"
     state: "directory"
@@ -8,6 +9,7 @@
     - "certificates/private"
 
 - name: Creating SSL configuration file
+  become: true
   template:
     src: "{{ item }}.j2"
     dest: "{{ node_config_directory }}/certificates/{{ item }}"
@@ -15,11 +17,13 @@
     - "openssl-kolla.cnf"
 
 - name: Creating Key
+  become: true
   command: creates="{{ item }}" openssl genrsa -out {{ item }}
   with_items:
     - "{{ node_config_directory }}/certificates/private/haproxy.key"
 
 - name: Creating Server Certificate
+  become: true
   command: creates="{{ item }}" openssl req -new -nodes -sha256 -x509 \
     -subj "/C=US/ST=NC/L=RTP/O=kolla/CN={{ kolla_external_fqdn }}" \
     -config {{ node_config_directory }}/certificates/openssl-kolla.cnf \
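Review bot: The "Creating Key" and "Creating Server Certificate" tasks now write `private/haproxy.key` and the certificate as root, but nothing visible restricts who can read the key: a `command` task has no `mode`, so the result depends on openssl and the umask in effect. The same applies to `haproxy.pem` in the last hunk of this file, which is assembled from the `private` directory and so presumably contains the key. Since the rest of this commit sets explicit modes on config files, I would add `mode: "0600"` to the `assemble` task, follow key generation with a `file` task that pins the key to `mode: "0600"`, and give `certificates/private` `mode: "0700"` in the directory task of the first hunk. Those tasks continue outside their hunks, so some of this may already be set.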
@@ -31,11 +35,13 @@
     - "{{ node_config_directory }}/certificates/private/haproxy.crt"
 
 - name: Creating CA Certificate File
+  become: true
   copy:
     src: "{{ node_config_directory }}/certificates/private/haproxy.crt"
     dest: "{{ node_config_directory }}/certificates/haproxy-ca.crt"
 
 - name: Creating Server PEM File
+  become: true
   assemble:
     src: "{{ node_config_directory }}/certificates/private"
     dest: "{{ node_config_directory }}/certificates/haproxy.pem"
diff --git a/ansible/roles/common/tasks/config.yml b/ansible/roles/common/tasks/config.yml
index b6e4ccc734176d4c32263431c3a6c15b5198d854..fe39f8e46f813ddc8a2ce29879047950c1f6bcc8 100644
--- a/ansible/roles/common/tasks/config.yml
+++ b/ansible/roles/common/tasks/config.yml
@@ -4,6 +4,7 @@
     path: "{{ node_config_directory }}/{{ item }}"
     state: "directory"
     recurse: yes
+  become: true
   with_items:
     - "kolla-toolbox"
     - "cron"
@@ -26,6 +27,8 @@
   template:
     src: "{{ item.key }}.json.j2"
     dest: "{{ node_config_directory }}/{{ item.key }}/config.json"
+    mode: "0660"
+  become: true
   register: common_config_jsons
   when: item.value.enabled | bool
   with_dict: "{{ common_services }}"
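Review bot: The `mode: "0660"` added to this template task is not paired with `owner`/`group`, so with `become: true` the rendered file will presumably be owned by root:root while its parent directory is handed to `config_owner_user`/`config_owner_group`. The group bits on the file then refer to root's group, and the directory owner can replace a file they cannot read. If the files are meant to follow the directory, add `owner: "{{ config_owner_user }}"` and `group: "{{ config_owner_group }}"` next to `mode`. The same applies to the other template and copy hunks in this file and in the haproxy, mariadb, memcached and rabbitmq `config.yml` changes; this task starts above the hunk.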
@@ -36,6 +39,8 @@
   template:
     src: "conf/input/{{ item }}.conf.j2"
     dest: "{{ node_config_directory }}/fluentd/input/{{ item }}.conf"
+    mode: "0660"
+  become: true
   register: fluentd_input
   when: enable_fluentd | bool
   with_items:
@@ -52,6 +57,8 @@
   template:
     src: "conf/output/{{ item.name }}.conf.j2"
     dest: "{{ node_config_directory }}/fluentd/output/{{ item.name }}.conf"
+    mode: "0660"
+  become: true
   register: fluentd_output
   when:
     - enable_fluentd | bool
@@ -86,7 +93,9 @@
   template:
     src: "conf/format/{{ item }}.conf.j2"
     dest: "{{ node_config_directory }}/fluentd/format/{{ item }}.conf"
+    mode: "0660"
   register: fluentd_format
+  become: true
   with_items:
     - "apache_access"
     - "wsgi_access"
@@ -98,6 +107,8 @@
   template:
     src: "conf/filter/{{ item }}.conf.j2"
     dest: "{{ node_config_directory }}/fluentd/filter/{{ item }}.conf"
+    mode: "0660"
+  become: true
   register: fluentd_filter
   with_items:
     - "00-record_transformer"
@@ -110,6 +121,8 @@
   template:
     src: "td-agent.conf.j2"
     dest: "{{ node_config_directory }}/{{ item }}/td-agent.conf"
+    mode: "0660"
+  become: true
   register: fluentd_td_agent
   with_items:
     - "fluentd"
@@ -121,6 +134,8 @@
   template:
     src: "cron-logrotate-{{ item.name }}.conf.j2"
     dest: "{{ node_config_directory }}/cron/logrotate/{{ item.name }}.conf"
+    mode: "0660"
+  become: true
   register: cron_confs
   when: item.enabled | bool
   with_items:
@@ -180,6 +195,17 @@
   notify:
     - Restart cron container
 
+- name: Ensuring config directories have correct owner and permission
+  become: true
+  file:
+    path: "{{ node_config_directory }}/{{ item }}"
+    owner: "{{ config_owner_user }}"
+    group: "{{ config_owner_group }}"
+    mode: "0770"
+  with_items:
+    - "fluentd"
+    - "cron"
+
 - name: Check common containers
   kolla_docker:
     action: "compare_container"
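Review bot: The new ownership task lists only `fluentd` and `cron`, while the directory-creation task at the top of this file also creates `kolla-toolbox` (its list continues outside that hunk), so that directory keeps whatever owner and mode it was created with. The task also does not descend, so subdirectories that other tasks in this file write to, such as `fluentd/input` and `cron/logrotate`, are not covered. I would set `owner`, `group` and `mode` on the creation task itself, over its full list, rather than fixing up two directories afterwards. If this task stays, adding `state: "directory"` would make the intent explicit.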
diff --git a/ansible/roles/destroy/tasks/cleanup_host.yml b/ansible/roles/destroy/tasks/cleanup_host.yml
index ba5a343c5bd23a724299ed8c7c78ff3f62d1da2b..1ee9958051daf100d4669d5266e74a1108a1909b 100644
--- a/ansible/roles/destroy/tasks/cleanup_host.yml
+++ b/ansible/roles/destroy/tasks/cleanup_host.yml
@@ -1,5 +1,6 @@
 ---
 - name: Destroying Kolla host configuration
+  become: true
   command: >
     env enable_haproxy={{ enable_haproxy }}
         enable_swift={{ enable_swift }}
diff --git a/ansible/roles/haproxy/tasks/config.yml b/ansible/roles/haproxy/tasks/config.yml
index f30012e5f13714f241a4751677e8c7aee7352cae..51ddb5b78b4e47a9799beef80f748ece0b45a468 100644
--- a/ansible/roles/haproxy/tasks/config.yml
+++ b/ansible/roles/haproxy/tasks/config.yml
@@ -1,6 +1,7 @@
 ---
 - name: Setting sysctl values
   sysctl: name={{ item.name }} value={{ item.value }} sysctl_set=yes
+  become: true
   with_items:
     - { name: "net.ipv4.ip_nonlocal_bind", value: 1}
     - { name: "net.unix.max_dgram_qlen", value: 128}
@@ -10,7 +11,10 @@
   file:
     path: "{{ node_config_directory }}/{{ item.key }}"
     state: "directory"
-    recurse: yes
+    owner: "{{ config_owner_user }}"
+    group: "{{ config_owner_group }}"
+    mode: "0770"
+  become: true
   when:
     - inventory_hostname in groups[item.value.group]
     - item.value.enabled | bool
@@ -20,6 +24,8 @@
   template:
     src: "{{ item.key }}.json.j2"
     dest: "{{ node_config_directory }}/{{ item.key }}/config.json"
+    mode: "0660"
+  become: true
   register: haproxy_config_jsons
   when:
     - inventory_hostname in groups[item.value.group]
@@ -35,6 +41,8 @@
   template:
     src: "{{ item }}"
     dest: "{{ node_config_directory }}/haproxy/haproxy.cfg"
+    mode: "0660"
+  become: true
   register: haproxy_cfg
   when:
     - inventory_hostname in groups[service.group]
@@ -53,6 +61,8 @@
   template:
     src: "{{ item }}"
     dest: "{{ node_config_directory }}/keepalived/keepalived.conf"
+    mode: "0660"
+  become: true
   register: keepalived_conf
   when:
     - inventory_hostname in groups[service.group]
@@ -70,6 +80,8 @@
   copy:
     src: "{{ kolla_external_fqdn_cert }}"
     dest: "{{ node_config_directory }}/haproxy/{{ item }}"
+    mode: "0660"
+  become: true
   register: haproxy_pem
   when:
     - kolla_enable_tls_external | bool
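Review bot: `mode: "0660"` on this copy makes the external TLS bundle group-writable; the source is `kolla_external_fqdn_cert`, which for haproxy is presumably a PEM that includes the private key. I see no consumer in this diff that needs group write on it, so `mode: "0600"` (or `"0640"` if the group has to read it) would be the tighter choice. The task starts above the hunk and continues below it.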
@@ -97,3 +109,4 @@
   with_dict: "{{ haproxy_services }}"
   notify:
     - "Restart {{ item.key }} container"
+
diff --git a/ansible/roles/mariadb/tasks/config.yml b/ansible/roles/mariadb/tasks/config.yml
index 01a9790dc2ad5c8036a4a809d6a40abf7f9ff5af..abb074598680f45c10d00c791d55715da1394e15 100644
--- a/ansible/roles/mariadb/tasks/config.yml
+++ b/ansible/roles/mariadb/tasks/config.yml
@@ -3,7 +3,10 @@
   file:
     path: "{{ node_config_directory }}/{{ item.key }}"
     state: "directory"
-    recurse: yes
+    owner: "{{ config_owner_user }}"
+    group: "{{ config_owner_group }}"
+    mode: "0770"
+  become: true
   when:
     - inventory_hostname in groups[item.value.group]
     - item.value.enabled | bool
@@ -16,6 +19,8 @@
   template:
     src: "{{ service_name }}.json.j2"
     dest: "{{ node_config_directory }}/{{ service_name }}/config.json"
+    mode: "0660"
+  become: true
   register: mariadb_config_json
   when:
     - inventory_hostname in groups[service.group]
@@ -34,6 +39,8 @@
       - "{{ node_custom_config }}/galera.cnf"
       - "{{ node_custom_config }}/mariadb/{{ inventory_hostname }}/galera.cnf"
     dest: "{{ node_config_directory }}/{{ service_name }}/galera.cnf"
+    mode: "0660"
+  become: true
   register: mariadb_galera_conf
   when:
     - inventory_hostname in groups[service.group]
@@ -46,6 +53,8 @@
   template:
     src: "{{ role_path }}/templates/wsrep-notify.sh.j2"
     dest: "{{ node_config_directory }}/{{ item.key }}/wsrep-notify.sh"
+    mode: "0770"
+  become: true
   register: mariadb_wsrep_notify
   when:
     - inventory_hostname in groups[item.value.group]
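Review bot: `wsrep-notify.sh` is installed with `mode: "0770"`, which makes an executable script writable by every member of `config_owner_group`. The script is presumably invoked by the database service, so anyone able to edit it influences what runs there; `mode: "0750"` keeps it executable without group write. The task begins above the hunk and continues past it.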
@@ -62,6 +71,7 @@
     name: "{{ item.value.container_name }}"
     image: "{{ item.value.image }}"
     volumes: "{{ item.value.volumes }}"
+  become: true
   register: check_mariadb_containers
   when:
     - action != "config"
diff --git a/ansible/roles/memcached/tasks/config.yml b/ansible/roles/memcached/tasks/config.yml
index 63438c6e8a1cef6b7991975d14cf93c801bc9278..f69b7ad6bb75f117be7a41cbaadd142a49347db0 100644
--- a/ansible/roles/memcached/tasks/config.yml
+++ b/ansible/roles/memcached/tasks/config.yml
@@ -3,7 +3,10 @@
   file:
     path: "{{ node_config_directory }}/{{ item }}"
     state: "directory"
-    recurse: yes
+    owner: "{{ config_owner_user }}"
+    group: "{{ config_owner_group }}"
+    mode: "0770"
+  become: true
   with_items:
     - "memcached"
 
@@ -11,7 +14,9 @@
   template:
     src: "{{ item }}.json.j2"
     dest: "{{ node_config_directory }}/{{ item }}/config.json"
+    mode: "0660"
   register: memcached_config_json
+  become: true
   with_items:
     - "memcached"
   notify: Restart memcached container
@@ -25,9 +30,11 @@
     name: "{{ service.container_name }}"
     image: "{{ service.image }}"
     volumes: "{{ service.volumes }}"
+  become: true
   register: check_memcached_container
   when:
     - inventory_hostname in groups[service.group]
     - service.enabled | bool
     - action != "config"
   notify: Restart memcached container
+
diff --git a/ansible/roles/prechecks/tasks/main.yml b/ansible/roles/prechecks/tasks/main.yml
index aa37e3848534a9e975bc797c5fa9141e33a77d81..d7b6081b7040ccdea99a9bbc130c3dc7dc8f710a 100644
--- a/ansible/roles/prechecks/tasks/main.yml
+++ b/ansible/roles/prechecks/tasks/main.yml
@@ -4,3 +4,5 @@
 - include: service_checks.yml
 
 - include: package_checks.yml
+
+- include: user_checks.yml
diff --git a/ansible/roles/prechecks/tasks/user_checks.yml b/ansible/roles/prechecks/tasks/user_checks.yml
new file mode 100644
index 0000000000000000000000000000000000000000..faae3e48d4158c9caccd6f2eb1189dfa4c8bd21b
--- /dev/null
+++ b/ansible/roles/prechecks/tasks/user_checks.yml
@@ -0,0 +1,19 @@
+---
+- name: Check if config_owner_user existed
+  getent:
+    database: passwd
+    key: "{{ config_owner_user }}"
+
+- name: Check if config_owner_group existed
+  getent:
+    database: group
+    key: "{{ config_owner_group }}"
+  register: getent_group
+
+#(duonghq) it's only a basic check, should be refined later
+- name: Check if ansible user can do passwordless sudo
+  shell: sudo -n true
+  register: result
+  failed_when: result | failed
+
+
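Review bot: The sudo precheck tests `sudo -n` specifically, so a deployment that supplies a become password or uses another become method would fail here even though the `become: true` tasks added in this commit would work. It also runs through `shell` with no `changed_when`, so every precheck run reports a change, and `failed_when: result | failed` only restates the default (the filter form of `failed` is deprecated in newer Ansible in favour of `result is failed`). I would use `command: sudo -n true` with `changed_when: false` and drop `failed_when`, or replace the task with a trivial `become: true` task so that the configured method is what gets tested. `register: getent_group` in the task above is never read in this file.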
diff --git a/ansible/roles/rabbitmq/tasks/config.yml b/ansible/roles/rabbitmq/tasks/config.yml
index 96decd79f45cd43af04937553be0477b914c11ea..bc4f3ac4916c738d7218d4be40ad7076ac21bfe8 100644
--- a/ansible/roles/rabbitmq/tasks/config.yml
+++ b/ansible/roles/rabbitmq/tasks/config.yml
@@ -3,7 +3,10 @@
   file:
     path: "{{ node_config_directory }}/{{ project_name }}"
     state: "directory"
-    recurse: yes
+    owner: "{{ config_owner_user }}"
+    group: "{{ config_owner_group }}"
+    mode: "0770"
+  become: true
   when:
     - inventory_hostname in groups[item.value.group]
     - item.value.enabled | bool
@@ -13,6 +16,8 @@
   template:
     src: "{{ item.key }}.json.j2"
     dest: "{{ node_config_directory }}/{{ project_name }}/config.json"
+    mode: "0770"
+  become: true
   register: rabbitmq_config_jsons
   when:
     - inventory_hostname in groups[item.value.group]
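Review bot: `config.json` gets `mode: "0770"` here, which sets the execute bits on a JSON file and differs from the `"0660"` used for `config.json` in the common, haproxy, mariadb and memcached roles in this same commit. The next hunk does the same for the `{{ item }}.j2` configuration templates. Unless one of those files is meant to be executed, `mode: "0660"` on both tasks would match the rest of the change. Both tasks extend beyond their hunks.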
@@ -27,6 +32,8 @@
   template:
     src: "{{ item }}.j2"
     dest: "{{ node_config_directory }}/{{ project_name }}/{{ item }}"
+    mode: "0770"
+  become: true
   register: rabbitmq_confs
   when:
     - inventory_hostname in groups[service.group]
diff --git a/releasenotes/notes/specify-task-become-84f83707f612bcf3.yaml b/releasenotes/notes/specify-task-become-84f83707f612bcf3.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..0cc8865865a90d2fdb7d1165a2e98718923f5d19
--- /dev/null
+++ b/releasenotes/notes/specify-task-become-84f83707f612bcf3.yaml
@@ -0,0 +1,5 @@
+---
+prelude: >
+    Specify Ansible "become" for only necessary tasks.
+features:
+  - Add "become" to necessary tasks of general roles.