From f3cbed1d96dd658e926ca5b438940f3ddba9a913 Mon Sep 17 00:00:00 2001
From: Doug Aaser
Date: Fri, 17 Jan 2020 14:38:10 +0000
Subject: [PATCH] [AIR-209] Remove privilege escalation

This PS removes privilege escalation from the roles so that these roles can be used in a developer environment

Change-Id: I44ddc18532ee75b0d398896d470ecf949ad4496a
---
examples/playbooks/libvirt/create-network.yml | 2 --
examples/playbooks/libvirt/create-pool.yml | 3 +--
examples/playbooks/libvirt/create-vm.yml | 2 --
examples/playbooks/libvirt/create-volume.yml | 3 +--
.../tasks/build-infra.yml | 6 ------
roles/libvirt-domain/tests/main.yml | 7 -------
roles/libvirt-install/tasks/main.yaml | 9 +++++++++
.../libvirt-network/tasks/add_dhcp_hosts.yml | 2 ++
roles/libvirt-network/tests/main.yml | 2 --
roles/libvirt-pool/tasks/create.yml | 15 +++++++-------
roles/libvirt-pool/tests/main.yml | 3 ---
roles/libvirt-pool/tests/vars.yml | 2 +-
roles/libvirt-volume/tasks/create.yml | 19 ++++++++++++++++---
roles/libvirt-volume/tests/main.yml | 9 ++++-----
roles/redfish-emulator/tests/main.yml | 5 -----
15 files changed, 41 insertions(+), 48 deletions(-)

diff --git a/examples/playbooks/libvirt/create-network.yml b/examples/playbooks/libvirt/create-network.yml
index 9615a88..225b48a 100644
--- a/examples/playbooks/libvirt/create-network.yml
+++ b/examples/playbooks/libvirt/create-network.yml
@@ -1,7 +1,6 @@
- hosts: primary
roles:
- role: libvirt-network
- become: true
vars:
network_action: create
libvirt_network:
@@ -21,7 +20,6 @@
address: "172.22.0.1"
netmask: "255.255.255.0"
- role: libvirt-network
- become: true
vars:
network_action: rebuild
libvirt_network:
diff --git a/examples/playbooks/libvirt/create-pool.yml b/examples/playbooks/libvirt/create-pool.yml
index 6e560a5..67f877d 100644
--- a/examples/playbooks/libvirt/create-pool.yml
+++ b/examples/playbooks/libvirt/create-pool.yml
@@ -1,8 +1,7 @@
- hosts: primary
roles:
- role: libvirt-pool
- become: true
vars:
libvirt_pool:
path: /var/lib/libvirt/airship
- name: airship
\ No newline at end of file
+ name: airship
diff --git a/examples/playbooks/libvirt/create-vm.yml b/examples/playbooks/libvirt/create-vm.yml
index 6ac7498..1fd02ea 100644
--- a/examples/playbooks/libvirt/create-vm.yml
+++ b/examples/playbooks/libvirt/create-vm.yml
@@ -1,7 +1,6 @@
- hosts: primary
roles:
- role: libvirt-domain
- become: true
vars:
libvirt_domain:
state: running
@@ -16,7 +15,6 @@
interfaces:
- network: 'provision-network'
- role: libvirt-domain
- become: true
vars:
libvirt_domain:
state: running
diff --git a/examples/playbooks/libvirt/create-volume.yml b/examples/playbooks/libvirt/create-volume.yml
index 84eea36..a05223e 100644
--- a/examples/playbooks/libvirt/create-volume.yml
+++ b/examples/playbooks/libvirt/create-volume.yml
@@ -17,6 +17,5 @@
vars:
libvirt_volume: "{{ vol }}"
volume_action: "{{ vol.action }}"
- ansible_become: true
loop_control:
- loop_var: vol
\ No newline at end of file
+ loop_var: vol
diff --git a/roles/airship-libvirt-gate/tasks/build-infra.yml b/roles/airship-libvirt-gate/tasks/build-infra.yml
index 90a4392..dba094d 100644
--- a/roles/airship-libvirt-gate/tasks/build-infra.yml
+++ b/roles/airship-libvirt-gate/tasks/build-infra.yml
@@ -16,7 +16,6 @@
name: libvirt-pool
vars:
libvirt_pool: "{{ item }}"
- ansible_become: true
with_items: "{{ airship_gate_libvirt_pools }}"

- name: create networks
@@ -24,7 +23,6 @@
name: libvirt-network
with_items: "{{ airship_gate_libvirt_networks }}"
vars:
- ansible_become: true
libvirt_network: "{{ item }}"
network_action: create

@@ -37,12 +35,10 @@
size: "{{ chosen_flavor.ephemeral_disk_size }}"
pool: "{{ airship_gate_names.pool }}"
volume_action: create
- ansible_become: true
- name: Create target volumes
include_role:
name: libvirt-volume
vars:
- ansible_become: true
libvirt_volume:
name: "{{ airship_gate_names.target_volume_prefix }}-{{ vm_index }}"
size: "{{ chosen_flavor.target_disk_size }}"
@@ -57,7 +53,6 @@
include_role:
name: libvirt-domain
vars:
- ansible_become: true
libvirt_domain:
state: shutdown
name: "{{ airship_gate_names.target_vm_prefix }}-{{ vm_index }}"
@@ -79,7 +74,6 @@
include_role:
name: libvirt-domain
vars:
- ansible_become: true
libvirt_domain:
state: shutdown
name: "{{ airship_gate_names.ephemeral_vm }}"
diff --git a/roles/libvirt-domain/tests/main.yml b/roles/libvirt-domain/tests/main.yml
index 3c4f8b0..0888191 100644
--- a/roles/libvirt-domain/tests/main.yml
+++ b/roles/libvirt-domain/tests/main.yml
@@ -10,13 +10,10 @@
vars:
network_action: "{{ item.network_action }}"
libvirt_network: "{{ item }}"
- ansible_become: true
with_items: "{{ libvirt_networks }}"
- name: create pool
include_role:
name: libvirt-pool
- vars:
- ansible_become: true
- name: Create defined volumes
include_role:
name: libvirt-volume
@@ -24,20 +21,16 @@
vars:
libvirt_volume: "{{ vol }}"
volume_action: "{{ vol.action }}"
- ansible_become: true
loop_control:
loop_var: vol
- name: create libvirt domains
include_role:
name: libvirt-domain
- vars:
- ansible_become: true
- name: save information about domain
virt:
command: info
name: "{{ libvirt_domain.name }}"
register: domain_info
- become: true
- name: debug domain-info
debug:
var: domain_info
diff --git a/roles/libvirt-install/tasks/main.yaml b/roles/libvirt-install/tasks/main.yaml
index 67c09e9..683e1dc 100644
--- a/roles/libvirt-install/tasks/main.yaml
+++ b/roles/libvirt-install/tasks/main.yaml
@@ -29,6 +29,15 @@
- dnsmasq
- ebtables
state: present
+ - name: Add user "{{ ansible_user }}" to libvirt group
+ become: true
+ user:
+ name: "{{ ansible_user }}"
+ groups:
+ - libvirt
+ append: yes
+ - name: Reset ssh connection to allow user changes to affect "{{ ansible_user }}"
+ meta: reset_connection
- name: Start libvirtd
service:
name: libvirtd
diff --git a/roles/libvirt-network/tasks/add_dhcp_hosts.yml b/roles/libvirt-network/tasks/add_dhcp_hosts.yml
index 2acacd0..a64678e 100644
--- a/roles/libvirt-network/tasks/add_dhcp_hosts.yml
+++ b/roles/libvirt-network/tasks/add_dhcp_hosts.yml
@@ -22,6 +22,8 @@
- "network_args.hosts | list"

- name: add dhcp hosts to network
+ environment:
+ LIBVIRT_DEFAULT_URI: qemu:///system
shell: >-
virsh net-update {{ network_args.name }} \
add --section ip-dhcp-host \
diff --git a/roles/libvirt-network/tests/main.yml b/roles/libvirt-network/tests/main.yml
index 6ab53f4..c8a6d30 100644
--- a/roles/libvirt-network/tests/main.yml
+++ b/roles/libvirt-network/tests/main.yml
@@ -11,7 +11,6 @@
loop_control:
loop_var: libvirt_network
vars:
- ansible_become: true
network_action: "{{ libvirt_network.network_action }}"
- name: install required packages
apt:
@@ -23,7 +22,6 @@
virt_net:
command: info
register: libvirt_networks_info
- become: true

- name: debug network list
debug:
diff --git a/roles/libvirt-pool/tasks/create.yml b/roles/libvirt-pool/tasks/create.yml
index 366ce58..8ff2429 100644
--- a/roles/libvirt-pool/tasks/create.yml
+++ b/roles/libvirt-pool/tasks/create.yml
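Review bot: `name: "{{ ansible_user }}"` in the new "Add user … to libvirt group" task relies on a variable that is only defined when the inventory, vars or command line set the connection user explicitly; on a developer machine running the playbook without it the task fails as undefined, so `name: "{{ ansible_user | default(ansible_user_id) }}"` (with facts gathered) would be safer. `append: yes` should be written `append: true`, which is what ansible-lint and yamllint expect. Since membership in the `libvirt` group is what now stands in for `become` across the other roles, the task deserves a comment making the trust boundary explicit, e.g. `# Members of the libvirt group get full control of the system libvirtd (qemu:///system); on most distributions that is equivalent to root on the host, so only add accounts trusted to that degree.`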
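Review bot: `LIBVIRT_DEFAULT_URI: qemu:///system` is pinned per task here and again in roles/libvirt-volume/tasks/create.yml and roles/libvirt-volume/tests/main.yml, while the `virt_*` module tasks depend on their own `uri` default, so the connection target now lives in two mechanisms with no single override point; a role default such as `libvirt_uri: qemu:///system` used as `LIBVIRT_DEFAULT_URI: "{{ libvirt_uri }}"` in these `environment:` blocks would keep them consistent and overridable. On the line after the new environment block, `{{ network_args.name }}` is interpolated unquoted into a `shell:` command, so a name containing shell metacharacters would alter the command rather than fail cleanly; `virsh net-update "{{ network_args.name }}" \` keeps it a single argument. The task body continues outside the hunk.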
@@ -1,17 +1,16 @@
---
-- name: Ensure libvirt dir storage pool directories exist
- file:
- path: "{{ libvirt_pool.path }}"
- owner: "{{ libvirt_pool.owner | default(omit) }}"
- group: "{{ libvirt_pool.group | default(omit) }}"
- mode: "{{ libvirt_pool.mode | default(omit) }}"
- state: directory
-
- name: Ensure libvirt storage pools are defined
virt_pool:
name: "{{ libvirt_pool.name }}"
command: define
xml: "{{ libvirt_pool.xml | default(libvirt_pool_template_default) }}"
+ register: pool_info
+
+- name: Ensure libvirt storage pools are built
+ virt_pool:
+ name: "{{ libvirt_pool.name }}"
+ command: build
+ when: pool_info.changed

- name: Ensure libvirt storage pools are active
virt_pool:
diff --git a/roles/libvirt-pool/tests/main.yml b/roles/libvirt-pool/tests/main.yml
index 8542b22..dafda02 100644
--- a/roles/libvirt-pool/tests/main.yml
+++ b/roles/libvirt-pool/tests/main.yml
@@ -7,12 +7,9 @@
- name: create pool
include_role:
name: libvirt-pool
- vars:
- ansible_become: true
- name: get pool information
virt_pool:
command: info
- become: true
register: storage_pools
- name: check if pool is available and is at given directory
diff --git a/roles/libvirt-pool/tests/vars.yml b/roles/libvirt-pool/tests/vars.yml
index 8ca7450..bfbbcff 100644
--- a/roles/libvirt-pool/tests/vars.yml
+++ b/roles/libvirt-pool/tests/vars.yml
@@ -1,3 +1,3 @@
libvirt_pool:
path: /var/lib/libvirt/my-pool
- name: test_pool
\ No newline at end of file
+ name: test_pool
diff --git a/roles/libvirt-volume/tasks/create.yml b/roles/libvirt-volume/tasks/create.yml
index 64bb931..ae13ecb 100644
--- a/roles/libvirt-volume/tasks/create.yml
+++ b/roles/libvirt-volume/tasks/create.yml
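Review bot: `when: pool_info.changed` ties the new build step to the outcome of the define step, so a pool that an earlier run defined but never built (a run interrupted between the two tasks, or a pool defined by hand) is never built, and the following "Ensure libvirt storage pools are active" task will presumably fail on the missing directory. With the `file` task gone, the build step is now the only thing that creates `libvirt_pool.path`, so it should not depend on `pool_info`; if a build must be conditional, prefer the test form `when: pool_info is changed` over attribute access. Removing the `file` task also silently drops support for `libvirt_pool.owner`, `libvirt_pool.group` and `libvirt_pool.mode`; if the role's defaults or README still list them they should be removed, or a comment added above the build task such as `# Directory creation and ownership are now delegated to libvirtd's pool build; owner/group/mode keys in libvirt_pool are ignored.`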
@@ -32,8 +32,11 @@
- image_scheme not in libvirt_remote_scheme_list

- name: "Create volume"
+ environment:
+ LIBVIRT_DEFAULT_URI: qemu:///system
command: >-
- virsh vol-create-as "{{ libvirt_volume.pool }}" \
+ virsh vol-create-as \
+ --pool "{{ libvirt_volume.pool }}" \
--name "{{ libvirt_volume.name }}" \
--capacity "{{ libvirt_volume.size }}" \
--format "{{ libvirt_volume.format | default('qcow2') }}"
@@ -48,15 +51,25 @@
- "'exists already' not in libvirt_create_volume.stdout"

- name: "Upload volume from downloaded image"
+ environment:
+ LIBVIRT_DEFAULT_URI: qemu:///system
command: >-
- virsh vol-upload --pool "{{ libvirt_volume.pool }}" --vol "{{ libvirt_volume.name }}" --file "{{ image_dest }}"
+ virsh vol-upload \
+ --pool "{{ libvirt_volume.pool }}" \
+ --vol "{{ libvirt_volume.name }}" \
+ --file "{{ image_dest }}"
when:
- "libvirt_volume.image is defined"
- "libvirt_create_volume.rc == 0"

- name: "Resize volume after uploading from image"
+ environment:
+ LIBVIRT_DEFAULT_URI: qemu:///system
command: >-
- virsh vol-resize --vol "{{ libvirt_volume.name }}" --pool "{{ libvirt_volume.pool }}" --capacity "{{ libvirt_volume.size }}"
+ virsh vol-resize \
+ --vol "{{ libvirt_volume.name }}" \
+ --pool "{{ libvirt_volume.pool }}" \
+ --capacity "{{ libvirt_volume.size }}"
when:
- "libvirt_create_volume.rc == 0"
- "libvirt_volume.image is defined"
diff --git a/roles/libvirt-volume/tests/main.yml b/roles/libvirt-volume/tests/main.yml
index 467b499..53022c0 100644
--- a/roles/libvirt-volume/tests/main.yml
+++ b/roles/libvirt-volume/tests/main.yml
@@ -7,8 +7,6 @@
- name: create pool
include_role:
name: libvirt-pool
- vars:
- ansible_become: true
- name: Create defined volumes
include_role:
name: libvirt-volume
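Review bot: The trailing `\` on the new `command:` lines of the vol-create-as, vol-upload and vol-resize tasks is not a line continuation here: `>-` already folds the lines into one string, and because `command` runs without a shell that string is split with shlex, where `\ ` escapes the following space and, as far as I can tell, produces arguments such as ` --pool` with a leading space that virsh does not treat as options. The vol-create-as task already carried this pattern, but the commit now extends it to the two tasks that previously used a single line. Dropping the backslashes is sufficient; the folded scalar keeps the multi-line layout, and staying with `command` rather than `shell` is the safer choice given the templated values. The same fix applies to the other two tasks in this hunk.
```yaml
- name: "Create volume"
  # … unchanged: environment …
  command: >-
    virsh vol-create-as
    --pool "{{ libvirt_volume.pool }}"
    --name "{{ libvirt_volume.name }}"
    --capacity "{{ libvirt_volume.size }}"
    --format "{{ libvirt_volume.format | default('qcow2') }}"
  # … unchanged: rest of the task; apply the same to vol-upload and vol-resize …
```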
@@ -16,18 +14,19 @@
vars:
libvirt_volume: "{{ vol }}"
volume_action: "{{ vol.action }}"
- ansible_become: true
loop_control:
loop_var: vol
- name: save volume list
+ environment:
+ LIBVIRT_DEFAULT_URI: qemu:///system
command: virsh vol-list --pool {{ libvirt_pool.name }}
register: libvirt_pool_list
changed_when: false
- become: true
- name: verify volumes exist
assert:
that:
- "vol.name in libvirt_pool_list.stdout"
with_items: "{{ libvirt_volumes }}"
loop_control:
- loop_var: vol
\ No newline at end of file
+ loop_var: vol
+
diff --git a/roles/redfish-emulator/tests/main.yml b/roles/redfish-emulator/tests/main.yml
index 4b27aec..fb2a340 100644
--- a/roles/redfish-emulator/tests/main.yml
+++ b/roles/redfish-emulator/tests/main.yml
@@ -7,8 +7,6 @@
- name: create pool
include_role:
name: libvirt-pool
- vars:
- ansible_become: true
- name: Create defined volumes
include_role:
name: libvirt-volume
@@ -16,14 +14,11 @@
vars:
libvirt_volume: "{{ vol }}"
volume_action: "{{ vol.action }}"
- ansible_become: true
loop_control:
loop_var: vol
- name: create libvirt domains
include_role:
name: libvirt-domain
- vars:
- ansible_become: true
- name: install sushy-tools
include_role:
name: redfish-emulator
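Review bot: The new last line of roles/libvirt-volume/tests/main.yml is an empty one (the bare `+` after the re-added `loop_var: vol`), which yamllint reports under `empty-lines`; the file should end with `loop_var: vol` followed by a single newline, as the other no-newline-at-EOF fixes in this commit do. While the "save volume list" task is being touched, `{{ libvirt_pool.name }}` on its `command:` line is unquoted and `command` splits on whitespace without a shell, so `command: virsh vol-list --pool "{{ libvirt_pool.name }}"` keeps the pool name as one argument.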