[AIR-209] Remove privilege escalation

This PS removes privilege escalation from the roles so that these roles can be used in a developer environment Change-Id: I44ddc18532ee75b0d398896d470ecf949ad4496a
2020-01-17 14:38:10 +00:00 · 2020-01-17 14:38:10 +00:00 · f3cbed1d96
commit f3cbed1d96
parent c9e3feceae
15 changed files with 41 additions and 48 deletions
--- a/examples/playbooks/libvirt/create-network.yml
+++ b/examples/playbooks/libvirt/create-network.yml
@ -1,7 +1,6 @@
 - hosts: primary
  roles:
    - role: libvirt-network
-      become: true
      vars:
        network_action: create
        libvirt_network:
@ -21,7 +20,6 @@
              address: "172.22.0.1"
              netmask: "255.255.255.0"
    - role: libvirt-network
-      become: true
      vars:
        network_action: rebuild
        libvirt_network:
--- a/examples/playbooks/libvirt/create-pool.yml
+++ b/examples/playbooks/libvirt/create-pool.yml
@ -1,8 +1,7 @@
 - hosts: primary
  roles:
    - role: libvirt-pool
-      become: true
      vars:
        libvirt_pool:
          path: /var/lib/libvirt/airship
-          name: airship
+          name: airship
--- a/examples/playbooks/libvirt/create-vm.yml
+++ b/examples/playbooks/libvirt/create-vm.yml
@ -1,7 +1,6 @@
 - hosts: primary
  roles:
    - role: libvirt-domain
-      become: true
      vars:
        libvirt_domain:
          state: running
@ -16,7 +15,6 @@
          interfaces:
            - network: 'provision-network'
    - role: libvirt-domain
-      become: true
      vars:
        libvirt_domain:
          state: running
--- a/examples/playbooks/libvirt/create-volume.yml
+++ b/examples/playbooks/libvirt/create-volume.yml
@ -17,6 +17,5 @@
      vars:
        libvirt_volume: "{{ vol }}"
        volume_action: "{{ vol.action }}"
-        ansible_become: true
      loop_control:
-        loop_var: vol
+        loop_var: vol
--- a/roles/airship-libvirt-gate/tasks/build-infra.yml
+++ b/roles/airship-libvirt-gate/tasks/build-infra.yml
@ -16,7 +16,6 @@
    name: libvirt-pool
  vars:
    libvirt_pool: "{{ item }}"
-    ansible_become: true
  with_items: "{{ airship_gate_libvirt_pools }}"

 - name: create networks
@ -24,7 +23,6 @@
    name: libvirt-network
  with_items: "{{ airship_gate_libvirt_networks }}"
  vars:
-    ansible_become: true
    libvirt_network: "{{ item }}"
    network_action: create

@ -37,12 +35,10 @@
      size: "{{ chosen_flavor.ephemeral_disk_size }}"
      pool: "{{ airship_gate_names.pool }}"
    volume_action: create
-    ansible_become: true
 - name: Create target volumes
  include_role:
    name: libvirt-volume
  vars:
-    ansible_become: true
    libvirt_volume:
      name: "{{ airship_gate_names.target_volume_prefix }}-{{ vm_index }}"
      size: "{{ chosen_flavor.target_disk_size }}"
@ -57,7 +53,6 @@
  include_role:
    name: libvirt-domain
  vars:
-    ansible_become: true
    libvirt_domain:
      state: shutdown
      name: "{{ airship_gate_names.target_vm_prefix }}-{{ vm_index }}"
@ -79,7 +74,6 @@
  include_role:
    name: libvirt-domain
  vars:
-    ansible_become: true
    libvirt_domain:
      state: shutdown
      name: "{{ airship_gate_names.ephemeral_vm }}"
--- a/roles/libvirt-domain/tests/main.yml
+++ b/roles/libvirt-domain/tests/main.yml
@ -10,13 +10,10 @@
  vars:
    network_action: "{{ item.network_action }}"
    libvirt_network: "{{ item }}"
-    ansible_become: true
  with_items: "{{ libvirt_networks }}"
 - name: create pool
  include_role:
    name: libvirt-pool
-  vars:
-    ansible_become: true
 - name: Create defined volumes
  include_role:
    name: libvirt-volume
@ -24,20 +21,16 @@
  vars:
    libvirt_volume: "{{ vol }}"
    volume_action: "{{ vol.action }}"
-    ansible_become: true
  loop_control:
    loop_var: vol
 - name: create libvirt domains
  include_role:
    name: libvirt-domain
-  vars:
-    ansible_become: true
 - name: save information about domain
  virt:
    command: info
    name: "{{ libvirt_domain.name }}"
  register: domain_info
-  become: true
 - name: debug domain-info
  debug:
    var: domain_info
--- a/roles/libvirt-install/tasks/main.yaml
+++ b/roles/libvirt-install/tasks/main.yaml
@ -29,6 +29,15 @@
        - dnsmasq
        - ebtables
      state: present
+  - name: Add user "{{ ansible_user }}" to libvirt group
+    become: true
+    user:
+      name: "{{ ansible_user }}"
+      groups:
+      - libvirt
+      append: yes
+  - name: Reset ssh connection to allow user changes to affect "{{ ansible_user }}"
+    meta: reset_connection
  - name: Start libvirtd
    service:
      name: libvirtd
--- a/roles/libvirt-network/tasks/add_dhcp_hosts.yml
+++ b/roles/libvirt-network/tasks/add_dhcp_hosts.yml
@ -22,6 +22,8 @@
      - "network_args.hosts | list"

 - name: add dhcp hosts to network
+  environment:
+    LIBVIRT_DEFAULT_URI: qemu:///system
  shell: >-
    virsh net-update {{ network_args.name }} \
      add --section ip-dhcp-host \
--- a/roles/libvirt-network/tests/main.yml
+++ b/roles/libvirt-network/tests/main.yml
@ -11,7 +11,6 @@
  loop_control:
    loop_var: libvirt_network
  vars:
-    ansible_become: true
    network_action: "{{ libvirt_network.network_action }}"
 - name: install required packages
  apt:
@ -23,7 +22,6 @@
  virt_net:
    command: info
  register: libvirt_networks_info
-  become: true

 - name: debug network list
  debug:
--- a/roles/libvirt-pool/tasks/create.yml
+++ b/roles/libvirt-pool/tasks/create.yml
@ -1,17 +1,16 @@
 ---
- name: Ensure libvirt dir storage pool directories exist
-  file:
-    path: "{{ libvirt_pool.path }}"
-    owner: "{{ libvirt_pool.owner | default(omit) }}"
-    group: "{{ libvirt_pool.group | default(omit) }}"
-    mode: "{{ libvirt_pool.mode | default(omit) }}"
-    state: directory
-
 - name: Ensure libvirt storage pools are defined
  virt_pool:
    name: "{{ libvirt_pool.name }}"
    command: define
    xml: "{{ libvirt_pool.xml | default(libvirt_pool_template_default) }}"
+  register: pool_info
+
+- name: Ensure libvirt storage pools are built
+  virt_pool:
+    name: "{{ libvirt_pool.name }}"
+    command: build
+  when: pool_info.changed

 - name: Ensure libvirt storage pools are active
  virt_pool:
--- a/roles/libvirt-pool/tests/main.yml
+++ b/roles/libvirt-pool/tests/main.yml
@ -7,12 +7,9 @@
 - name: create pool
  include_role:
    name: libvirt-pool
-  vars:
-    ansible_become: true
 - name: get pool information
  virt_pool:
    command: info
-  become: true
  register: storage_pools

 - name: check if pool is available and is at given directory
--- a/roles/libvirt-pool/tests/vars.yml
+++ b/roles/libvirt-pool/tests/vars.yml
@ -1,3 +1,3 @@
 libvirt_pool:
  path: /var/lib/libvirt/my-pool
-  name: test_pool
+  name: test_pool
--- a/roles/libvirt-volume/tasks/create.yml
+++ b/roles/libvirt-volume/tasks/create.yml
@ -32,8 +32,11 @@
    - image_scheme not in libvirt_remote_scheme_list

 - name: "Create volume"
+  environment:
+    LIBVIRT_DEFAULT_URI: qemu:///system
  command: >-
-    virsh vol-create-as "{{ libvirt_volume.pool }}" \
+    virsh vol-create-as \
+    --pool "{{ libvirt_volume.pool }}" \
    --name "{{ libvirt_volume.name }}" \
    --capacity "{{ libvirt_volume.size }}" \
    --format "{{ libvirt_volume.format | default('qcow2') }}"
@ -48,15 +51,25 @@
    - "'exists already' not in libvirt_create_volume.stdout"

 - name: "Upload volume from downloaded image"
+  environment:
+    LIBVIRT_DEFAULT_URI: qemu:///system
  command: >-
-    virsh vol-upload --pool "{{ libvirt_volume.pool }}" --vol "{{ libvirt_volume.name }}" --file "{{ image_dest }}"
+    virsh vol-upload \
+    --pool "{{ libvirt_volume.pool }}" \
+    --vol "{{ libvirt_volume.name }}" \
+    --file "{{ image_dest }}"
  when:
    - "libvirt_volume.image is defined"
    - "libvirt_create_volume.rc == 0"

 - name: "Resize volume after uploading from image"
+  environment:
+    LIBVIRT_DEFAULT_URI: qemu:///system
  command: >-
-    virsh vol-resize --vol "{{ libvirt_volume.name }}" --pool "{{ libvirt_volume.pool }}" --capacity "{{ libvirt_volume.size }}"
+    virsh vol-resize \
+    --vol "{{ libvirt_volume.name }}" \
+    --pool "{{ libvirt_volume.pool }}" \
+    --capacity "{{ libvirt_volume.size }}"
  when:
    - "libvirt_create_volume.rc == 0"
    - "libvirt_volume.image is defined"
--- a/roles/libvirt-volume/tests/main.yml
+++ b/roles/libvirt-volume/tests/main.yml
@ -7,8 +7,6 @@
 - name: create pool
  include_role:
    name: libvirt-pool
-  vars:
-    ansible_become: true
 - name: Create defined volumes
  include_role:
    name: libvirt-volume
@ -16,18 +14,19 @@
  vars:
    libvirt_volume: "{{ vol }}"
    volume_action: "{{ vol.action }}"
-    ansible_become: true
  loop_control:
    loop_var: vol
 - name: save volume list
+  environment:
+    LIBVIRT_DEFAULT_URI: qemu:///system
  command: virsh vol-list --pool {{ libvirt_pool.name }}
  register: libvirt_pool_list
  changed_when: false
-  become: true
 - name: verify volumes exist
  assert:
    that:
      - "vol.name in libvirt_pool_list.stdout"
  with_items: "{{ libvirt_volumes }}"
  loop_control:
-    loop_var: vol
+    loop_var: vol
+
--- a/roles/redfish-emulator/tests/main.yml
+++ b/roles/redfish-emulator/tests/main.yml
@ -7,8 +7,6 @@
 - name: create pool
  include_role:
    name: libvirt-pool
-  vars:
-    ansible_become: true
 - name: Create defined volumes
  include_role:
    name: libvirt-volume
@ -16,14 +14,11 @@
  vars:
    libvirt_volume: "{{ vol }}"
    volume_action: "{{ vol.action }}"
-    ansible_become: true
  loop_control:
    loop_var: vol
 - name: create libvirt domains
  include_role:
    name: libvirt-domain
-  vars:
-    ansible_become: true
 - name: install sushy-tools
  include_role:
    name: redfish-emulator