Don't use 'become' in CI tests

Kolla Ansible now claims [1] to support executing as a user other than
root.  We should ensure that this is tested in CI.

This change removes the 'become' from hosts in the inventory, and sets
the remote user to 'kolla', as configured via the bootstrap-servers
command. The bootstrap-servers command and other ansible commands
executed before it still need to execute as the zuul user and not as
kolla, since kolla does not exist yet.

The autogenerated SSH private key in passwords.yml is now added to the
zuul user's SSH config, such that it can SSH as the kolla user, which
has authorised this key.

[1]
https://blueprints.launchpad.net/kolla-ansible/+spec/ansible-specific-task-become

Change-Id: I8f3587e2908bc5b8889cd6fbc01981a6186d33e6

tests/run.yml

@@ -89,12 +89,6 @@
       when: scenario == "bifrost"
       delegate_to: "primary"
 
-    - name: copy passwords.yml file
-      copy:
-        src: "{{ kolla_ansible_full_src_dir }}/etc/kolla/passwords.yml"
-        dest: /etc/kolla/passwords.yml
-      delegate_to: "primary"
-
     - name: ensure /etc/docker exists
       file:
         path: "/etc/docker"
@@ -110,15 +104,39 @@
         dest: "/etc/docker/daemon.json"
       become: true
 
-
     - name: install kolla-ansible requirements
       pip:
         requirements: "{{ ansible_env.HOME }}/{{ kolla_ansible_src_dir }}/requirements.txt"
       become: true
 
+    - name: copy passwords.yml file
+      copy:
+        src: "{{ kolla_ansible_full_src_dir }}/etc/kolla/passwords.yml"
+        dest: /etc/kolla/passwords.yml
+
     - name: generate passwords
       shell: "{{ kolla_ansible_src_dir }}/tools/generate_passwords.py"
-      delegate_to: "primary"
+
+    - name: slurp kolla passwords
+      slurp:
+        src: /etc/kolla/passwords.yml
+      register: passwords_yml
+
+    - name: write out kolla SSH private key
+      copy:
+        content: "{{ (passwords_yml.content | b64decode | from_yaml).kolla_ssh_key.private_key }}"
+        dest: ~/.ssh/id_rsa_kolla
+        mode: 0600
+
+    - name: authorise kolla public key for zuul user
+      authorized_key:
+        user: "{{ ansible_env.USER }}"
+        key: "{{ (passwords_yml.content | b64decode | from_yaml).kolla_ssh_key.public_key }}"
+      # Delegate to each host in turn. If more tasks require execution on all
+      # hosts in future, break out into a separate play.
+      with_inventory_hostnames:
+        - all
+      delegate_to: "{{ item }}"
 
     - name: generate ceph config overrides
       template:

tests/templates/inventory.j2

@@ -2,32 +2,32 @@
 # additional groups are for more control of the environment.
 [control]
 {% for host in hostvars %}
-{{ host }} ansible_host={{ hostvars[host]['ansible_host'] }} ansible_become=true ansible_user={{ hostvars[host]['ansible_user'] }}
+{{ host }} ansible_host={{ hostvars[host]['ansible_host'] }} ansible_user=kolla ansible_ssh_private_key_file={{ ansible_env.HOME ~ '/.ssh/id_rsa_kolla' }}
 {% endfor %}
 
 [network]
 {% for host in hostvars %}
-{{ host }} ansible_host={{ hostvars[host]['ansible_host'] }} ansible_become=true ansible_user={{ hostvars[host]['ansible_user'] }}
+{{ host }} ansible_host={{ hostvars[host]['ansible_host'] }} ansible_user=kolla ansible_ssh_private_key_file={{ ansible_env.HOME ~ '/.ssh/id_rsa_kolla' }}
 {% endfor %}
 
 [compute]
 {% for host in hostvars %}
-{{ host }} ansible_host={{ hostvars[host]['ansible_host'] }} ansible_become=true ansible_user={{ hostvars[host]['ansible_user'] }}
+{{ host }} ansible_host={{ hostvars[host]['ansible_host'] }} ansible_user=kolla ansible_ssh_private_key_file={{ ansible_env.HOME ~ '/.ssh/id_rsa_kolla' }}
 {% endfor %}
 
 [storage]
 {% for host in hostvars %}
-{{ host }} ansible_host={{ hostvars[host]['ansible_host'] }} ansible_become=true ansible_user={{ hostvars[host]['ansible_user'] }}
+{{ host }} ansible_host={{ hostvars[host]['ansible_host'] }} ansible_user=kolla ansible_ssh_private_key_file={{ ansible_env.HOME ~ '/.ssh/id_rsa_kolla' }}
 {% endfor %}
 
 [monitoring]
 {% for host in hostvars %}
-{{ host }} ansible_host={{ hostvars[host]['ansible_host'] }} ansible_become=true ansible_user={{ hostvars[host]['ansible_user'] }}
+{{ host }} ansible_host={{ hostvars[host]['ansible_host'] }} ansible_user=kolla ansible_ssh_private_key_file={{ ansible_env.HOME ~ '/.ssh/id_rsa_kolla' }}
 {% endfor %}
 
 [deployment]
 {% for host in hostvars %}
-{{ host }} ansible_host={{ hostvars[host]['ansible_host'] }} ansible_become=true ansible_user={{ hostvars[host]['ansible_user'] }}
+{{ host }} ansible_host={{ hostvars[host]['ansible_host'] }} ansible_user=kolla ansible_ssh_private_key_file={{ ansible_env.HOME ~ '/.ssh/id_rsa_kolla' }}
 {% endfor %}
 
 # You can explicitly specify which hosts run each project by updating the

tools/setup_gate.sh

@@ -98,11 +98,11 @@ host_key_checking = False
 EOF
 
     # Record the running state of the environment as seen by the setup module
-    ansible all -i ${RAW_INVENTORY} -m setup > /tmp/logs/ansible/initial-setup
+    ansible all -i ${RAW_INVENTORY} -e ansible_user=$USER -m setup > /tmp/logs/ansible/initial-setup
 }
 
 function setup_node {
-    ansible-playbook -i ${RAW_INVENTORY} tools/playbook-setup-nodes.yml
+    ansible-playbook -i ${RAW_INVENTORY} -e ansible_user=$USER tools/playbook-setup-nodes.yml
 }
 
 function prepare_images {
@@ -141,7 +141,7 @@ function sanity_check {
 
 function test_openstack {
     # Create dummy interface for neutron
-    ansible -m shell -i ${RAW_INVENTORY} -a "ip l a fake_interface type dummy" all
+    ansible -m shell -i ${RAW_INVENTORY} -b -a "ip l a fake_interface type dummy" all
 
     #TODO(inc0): Post-deploy complains that /etc/kolla is not writable. Probably we need to include become there
     sudo chmod -R 777 /etc/kolla
@@ -229,7 +229,7 @@ setup_ansible
 setup_config
 setup_node
 
-tools/kolla-ansible -i ${RAW_INVENTORY} bootstrap-servers > /tmp/logs/ansible/bootstrap-servers
+tools/kolla-ansible -i ${RAW_INVENTORY} -e ansible_user=$USER bootstrap-servers > /tmp/logs/ansible/bootstrap-servers
 prepare_images
 
 if [[ $ACTION != bifrost ]]; then