Merge "Specify 'become' to necessary tasks (general roles)"

ansible/group_vars/all.yml

@@ -15,6 +15,10 @@ project: ""
 # The directory to store the config files on the destination node
 node_config_directory: "/etc/kolla/{{ project }}"
 
+# The group which own node_config_directory
+config_owner_user: "kolla"
+config_owner_group: "kolla"
+
 
 ###################
 # Kolla options

ansible/post-deploy.yml

 ---
 - name: Creating admin openrc file on the deploy node
   hosts: localhost
+  become: true
   tasks:
     - template:
         src: "roles/common/templates/admin-openrc.sh.j2"

ansible/roles/certificates/tasks/generate.yml

 ---
 - name: Ensuring config directories exist
+  become: true
   file:
     path: "{{ node_config_directory }}/{{ item }}"
     state: "directory"
@@ -8,6 +9,7 @@
     - "certificates/private"
 
 - name: Creating SSL configuration file
+  become: true
   template:
     src: "{{ item }}.j2"
     dest: "{{ node_config_directory }}/certificates/{{ item }}"
@@ -15,11 +17,13 @@
     - "openssl-kolla.cnf"
 
 - name: Creating Key
+  become: true
   command: creates="{{ item }}" openssl genrsa -out {{ item }}
   with_items:
     - "{{ node_config_directory }}/certificates/private/haproxy.key"
 
 - name: Creating Server Certificate
+  become: true
   command: creates="{{ item }}" openssl req -new -nodes -sha256 -x509 \
     -subj "/C=US/ST=NC/L=RTP/O=kolla/CN={{ kolla_external_fqdn }}" \
     -config {{ node_config_directory }}/certificates/openssl-kolla.cnf \
@@ -31,11 +35,13 @@
     - "{{ node_config_directory }}/certificates/private/haproxy.crt"
 
 - name: Creating CA Certificate File
+  become: true
   copy:
     src: "{{ node_config_directory }}/certificates/private/haproxy.crt"
     dest: "{{ node_config_directory }}/certificates/haproxy-ca.crt"
 
 - name: Creating Server PEM File
+  become: true
   assemble:
     src: "{{ node_config_directory }}/certificates/private"
     dest: "{{ node_config_directory }}/certificates/haproxy.pem"

ansible/roles/common/tasks/config.yml

@@ -4,6 +4,7 @@
     path: "{{ node_config_directory }}/{{ item }}"
     state: "directory"
     recurse: yes
+  become: true
   with_items:
     - "kolla-toolbox"
     - "cron"
@@ -26,6 +27,8 @@
   template:
     src: "{{ item.key }}.json.j2"
     dest: "{{ node_config_directory }}/{{ item.key }}/config.json"
+    mode: "0660"
+  become: true
   register: common_config_jsons
   when: item.value.enabled | bool
   with_dict: "{{ common_services }}"
@@ -36,6 +39,8 @@
   template:
     src: "conf/input/{{ item }}.conf.j2"
     dest: "{{ node_config_directory }}/fluentd/input/{{ item }}.conf"
+    mode: "0660"
+  become: true
   register: fluentd_input
   when: enable_fluentd | bool
   with_items:
@@ -52,6 +57,8 @@
   template:
     src: "conf/output/{{ item.name }}.conf.j2"
     dest: "{{ node_config_directory }}/fluentd/output/{{ item.name }}.conf"
+    mode: "0660"
+  become: true
   register: fluentd_output
   when:
     - enable_fluentd | bool
@@ -86,7 +93,9 @@
   template:
     src: "conf/format/{{ item }}.conf.j2"
     dest: "{{ node_config_directory }}/fluentd/format/{{ item }}.conf"
+    mode: "0660"
   register: fluentd_format
+  become: true
   with_items:
     - "apache_access"
     - "wsgi_access"
@@ -98,6 +107,8 @@
   template:
     src: "conf/filter/{{ item }}.conf.j2"
     dest: "{{ node_config_directory }}/fluentd/filter/{{ item }}.conf"
+    mode: "0660"
+  become: true
   register: fluentd_filter
   with_items:
     - "00-record_transformer"
@@ -110,6 +121,8 @@
   template:
     src: "td-agent.conf.j2"
     dest: "{{ node_config_directory }}/{{ item }}/td-agent.conf"
+    mode: "0660"
+  become: true
   register: fluentd_td_agent
   with_items:
     - "fluentd"
@@ -121,6 +134,8 @@
   template:
     src: "cron-logrotate-{{ item.name }}.conf.j2"
     dest: "{{ node_config_directory }}/cron/logrotate/{{ item.name }}.conf"
+    mode: "0660"
+  become: true
   register: cron_confs
   when: item.enabled | bool
   with_items:
@@ -180,6 +195,17 @@
   notify:
     - Restart cron container
 
+- name: Ensuring config directories have correct owner and permission
+  become: true
+  file:
+    path: "{{ node_config_directory }}/{{ item }}"
+    owner: "{{ config_owner_user }}"
+    group: "{{ config_owner_group }}"
+    mode: "0770"
+  with_items:
+    - "fluentd"
+    - "cron"
+
 - name: Check common containers
   kolla_docker:
     action: "compare_container"

ansible/roles/destroy/tasks/cleanup_host.yml

 ---
 - name: Destroying Kolla host configuration
+  become: true
   command: >
     env enable_haproxy={{ enable_haproxy }}
         enable_swift={{ enable_swift }}

ansible/roles/haproxy/tasks/config.yml

 ---
 - name: Setting sysctl values
   sysctl: name={{ item.name }} value={{ item.value }} sysctl_set=yes
+  become: true
   with_items:
     - { name: "net.ipv4.ip_nonlocal_bind", value: 1}
     - { name: "net.unix.max_dgram_qlen", value: 128}
@@ -10,7 +11,10 @@
   file:
     path: "{{ node_config_directory }}/{{ item.key }}"
     state: "directory"
-    recurse: yes
+    owner: "{{ config_owner_user }}"
+    group: "{{ config_owner_group }}"
+    mode: "0770"
+  become: true
   when:
     - inventory_hostname in groups[item.value.group]
     - item.value.enabled | bool
@@ -20,6 +24,8 @@
   template:
     src: "{{ item.key }}.json.j2"
     dest: "{{ node_config_directory }}/{{ item.key }}/config.json"
+    mode: "0660"
+  become: true
   register: haproxy_config_jsons
   when:
     - inventory_hostname in groups[item.value.group]
@@ -35,6 +41,8 @@
   template:
     src: "{{ item }}"
     dest: "{{ node_config_directory }}/haproxy/haproxy.cfg"
+    mode: "0660"
+  become: true
   register: haproxy_cfg
   when:
     - inventory_hostname in groups[service.group]
@@ -53,6 +61,8 @@
   template:
     src: "{{ item }}"
     dest: "{{ node_config_directory }}/keepalived/keepalived.conf"
+    mode: "0660"
+  become: true
   register: keepalived_conf
   when:
     - inventory_hostname in groups[service.group]
@@ -70,6 +80,8 @@
   copy:
     src: "{{ kolla_external_fqdn_cert }}"
     dest: "{{ node_config_directory }}/haproxy/{{ item }}"
+    mode: "0660"
+  become: true
   register: haproxy_pem
   when:
     - kolla_enable_tls_external | bool
@@ -97,3 +109,4 @@
   with_dict: "{{ haproxy_services }}"
   notify:
     - "Restart {{ item.key }} container"
+

ansible/roles/mariadb/tasks/config.yml

@@ -3,7 +3,10 @@
   file:
     path: "{{ node_config_directory }}/{{ item.key }}"
     state: "directory"
-    recurse: yes
+    owner: "{{ config_owner_user }}"
+    group: "{{ config_owner_group }}"
+    mode: "0770"
+  become: true
   when:
     - inventory_hostname in groups[item.value.group]
     - item.value.enabled | bool
@@ -16,6 +19,8 @@
   template:
     src: "{{ service_name }}.json.j2"
     dest: "{{ node_config_directory }}/{{ service_name }}/config.json"
+    mode: "0660"
+  become: true
   register: mariadb_config_json
   when:
     - inventory_hostname in groups[service.group]
@@ -34,6 +39,8 @@
       - "{{ node_custom_config }}/galera.cnf"
       - "{{ node_custom_config }}/mariadb/{{ inventory_hostname }}/galera.cnf"
     dest: "{{ node_config_directory }}/{{ service_name }}/galera.cnf"
+    mode: "0660"
+  become: true
   register: mariadb_galera_conf
   when:
     - inventory_hostname in groups[service.group]
@@ -46,6 +53,8 @@
   template:
     src: "{{ role_path }}/templates/wsrep-notify.sh.j2"
     dest: "{{ node_config_directory }}/{{ item.key }}/wsrep-notify.sh"
+    mode: "0770"
+  become: true
   register: mariadb_wsrep_notify
   when:
     - inventory_hostname in groups[item.value.group]
@@ -62,6 +71,7 @@
     name: "{{ item.value.container_name }}"
     image: "{{ item.value.image }}"
     volumes: "{{ item.value.volumes }}"
+  become: true
   register: check_mariadb_containers
   when:
     - action != "config"

ansible/roles/memcached/tasks/config.yml

@@ -3,7 +3,10 @@
   file:
     path: "{{ node_config_directory }}/{{ item }}"
     state: "directory"
-    recurse: yes
+    owner: "{{ config_owner_user }}"
+    group: "{{ config_owner_group }}"
+    mode: "0770"
+  become: true
   with_items:
     - "memcached"
 
@@ -11,7 +14,9 @@
   template:
     src: "{{ item }}.json.j2"
     dest: "{{ node_config_directory }}/{{ item }}/config.json"
+    mode: "0660"
   register: memcached_config_json
+  become: true
   with_items:
     - "memcached"
   notify: Restart memcached container
@@ -25,9 +30,11 @@
     name: "{{ service.container_name }}"
     image: "{{ service.image }}"
     volumes: "{{ service.volumes }}"
+  become: true
   register: check_memcached_container
   when:
     - inventory_hostname in groups[service.group]
     - service.enabled | bool
     - action != "config"
   notify: Restart memcached container
+

ansible/roles/prechecks/tasks/main.yml

@@ -4,3 +4,5 @@
 - include: service_checks.yml
 
 - include: package_checks.yml
+
+- include: user_checks.yml

ansible/roles/prechecks/tasks/user_checks.yml

+---
+- name: Check if config_owner_user existed
+  getent:
+    database: passwd
+    key: "{{ config_owner_user }}"
+
+- name: Check if config_owner_group existed
+  getent:
+    database: group
+    key: "{{ config_owner_group }}"
+  register: getent_group
+
+#(duonghq) it's only a basic check, should be refined later
+- name: Check if ansible user can do passwordless sudo
+  shell: sudo -n true
+  register: result
+  failed_when: result | failed
+
+

ansible/roles/rabbitmq/tasks/config.yml

@@ -3,7 +3,10 @@
   file:
     path: "{{ node_config_directory }}/{{ project_name }}"
     state: "directory"
-    recurse: yes
+    owner: "{{ config_owner_user }}"
+    group: "{{ config_owner_group }}"
+    mode: "0770"
+  become: true
   when:
     - inventory_hostname in groups[item.value.group]
     - item.value.enabled | bool
@@ -13,6 +16,8 @@
   template:
     src: "{{ item.key }}.json.j2"
     dest: "{{ node_config_directory }}/{{ project_name }}/config.json"
+    mode: "0770"
+  become: true
   register: rabbitmq_config_jsons
   when:
     - inventory_hostname in groups[item.value.group]
@@ -27,6 +32,8 @@
   template:
     src: "{{ item }}.j2"
     dest: "{{ node_config_directory }}/{{ project_name }}/{{ item }}"
+    mode: "0770"
+  become: true
   register: rabbitmq_confs
   when:
     - inventory_hostname in groups[service.group]

releasenotes/notes/specify-task-become-84f83707f612bcf3.yaml

+---
+prelude: >
+    Specify Ansible "become" for only necessary tasks.
+features:
+  - Add "become" to necessary tasks of general roles.