Run Zuul as the zuuld user

This avoids the conflict with the zuul user (1000) on the test nodes. The executor will continue to use the default username of 'zuul' as the ansible_user in the inventory. This change also touches the zk and nodepool deployment to use variables for the usernames and uids to make changes like this easier. No changes are intended there. Change-Id: Ib8cef6b7889b23ddc65a07bcba29c21a36e3dcb5
2 years ago · 09935ff328
16 changed files with 81 additions and 80 deletions
--- a/playbooks/group_vars/nodepool-builder.yaml
+++ b/playbooks/group_vars/nodepool-builder.yaml
@ -1,4 +1,4 @@
-openstacksdk_config_dir: /home/nodepool/.config/openstack
-openstacksdk_config_owner: nodepool
-openstacksdk_config_group: nodepool
+openstacksdk_config_owner: "{{ nodepool_user }}"
+openstacksdk_config_group: "{{ nodepool_group }}"
+openstacksdk_config_dir: "~{{ openstacksdk_config_owner }}/.config/openstack"
 openstacksdk_config_template: clouds/nodepool_clouds.yaml.j2
--- a/playbooks/group_vars/nodepool-builder_opendev.yaml
+++ b/playbooks/group_vars/nodepool-builder_opendev.yaml
@ -1,4 +1,4 @@
 openstacksdk_config_dir: /etc/openstack
 openstacksdk_config_owner: root
-openstacksdk_config_group: nodepool
+openstacksdk_config_group: "{{ nodepool_group }}"
 openstacksdk_config_template: clouds/nodepool_clouds.yaml.j2
--- a/playbooks/group_vars/nodepool-launcher.yaml
+++ b/playbooks/group_vars/nodepool-launcher.yaml
@ -1,4 +1,4 @@
 openstacksdk_config_dir: /etc/openstack
-openstacksdk_config_owner: nodepool
-openstacksdk_config_group: nodepool
+openstacksdk_config_owner: "{{ nodepool_user }}"
+openstacksdk_config_group: "{{ nodepool_group }}"
 openstacksdk_config_template: clouds/nodepool_clouds.yaml.j2
--- a/playbooks/group_vars/nodepool-launcher_opendev.yaml
+++ b/playbooks/group_vars/nodepool-launcher_opendev.yaml
@ -1,4 +1,4 @@
-openstacksdk_config_dir: /home/nodepool/.config/openstack
-openstacksdk_config_owner: nodepool
-openstacksdk_config_group: nodepool
+openstacksdk_config_owner: "{{ nodepool_user }}"
+openstacksdk_config_group: "{{ nodepool_group }}"
+openstacksdk_config_dir: "~{{ openstacksdk_config_owner }}/.config/openstack"
 openstacksdk_config_template: clouds/nodepool_clouds.yaml.j2
--- a/playbooks/group_vars/nodepool.yaml
+++ b/playbooks/group_vars/nodepool.yaml
@ -1,4 +1,8 @@
-kube_config_dir: ~nodepool/.kube
-kube_config_owner: nodepool
-kube_config_group: nodepool
+nodepool_user: nodepool
+nodepool_group: nodepool
+nodepool_uid: 10001
+nodepool_gid: 10001
+kube_config_dir: ~{{ nodepool_user }}/.kube
+kube_config_owner: "{{ nodepool_user }}"
+kube_config_group: "{{ nodepool_group }}"
 kube_config_template: clouds/nodepool_kube_config.yaml.j2
--- a/playbooks/group_vars/zookeeper.yaml
+++ b/playbooks/group_vars/zookeeper.yaml
@ -1,3 +1,7 @@
+zookeeper_user: zookeeper
+zookeeper_group: zookeeper
+zookeeper_uid: 10001
+zookeeper_gid: 10001
 iptables_extra_allowed_hosts:
  - {'protocol': 'tcp', 'port': '2181', 'hostname': 'nb01.opendev.org'}
  - {'protocol': 'tcp', 'port': '2181', 'hostname': 'nb02.opendev.org'}
--- a/playbooks/group_vars/zuul.yaml
+++ b/playbooks/group_vars/zuul.yaml
@ -1,5 +1,7 @@
 zuul_user_id: 10001
 zuul_group_id: 10001
+zuul_user: zuuld
+zuul_group: zuuld
 zuul_known_hosts: |
  [review.opendev.org]:29418,[review.openstack.org]:29418,[104.130.246.32]:29418,[2001:4800:7819:103:be76:4eff:fe04:9229]:29418 {{ gerrit_ssh_rsa_pubkey_contents }}
  [git.opendaylight.org]:29418,[52.35.122.251]:29418,[2600:1f14:421:f500:7b21:2a58:ab0a:2d17]:29418 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAyRXyHEw/P1iZr/fFFzbodT5orVV/ftnNRW59Zh9rnSY5Rmbc9aygsZHdtiWBERVVv8atrJSdZool75AglPDDYtPICUGWLR91YBSDcZwReh5S9es1dlQ6fyWTnv9QggSZ98KTQEuE3t/b5SfH0T6tXWmrNydv4J2/mejKRRLU2+oumbeVN1yB+8Uau/3w9/K5F5LgsDDzLkW35djLhPV8r0OfmxV/cAnLl7AaZlaqcJMA+2rGKqM3m3Yu+pQw4pxOfCSpejlAwL6c8tA9naOvBkuJk+hYpg5tDEq2QFGRX5y1F9xQpwpdzZROc5hdGYntM79VMMXTj+95dwVv/8yTsw==
--- a/playbooks/roles/nodepool-base/defaults/main.yaml
+++ b/playbooks/roles/nodepool-base/defaults/main.yaml
@ -1,6 +1 @@
 nodepool_base_install_zookeeper: False
-
-# Keep these in sync with the container uid's so containers can write
-# to local bits and pieces.
-nodepool_base_nodepool_uid: 10001
-nodepool_base_nodepool_gid: 10001
--- a/playbooks/roles/nodepool-base/tasks/main.yaml
+++ b/playbooks/roles/nodepool-base/tasks/main.yaml
@ -1,17 +1,18 @@
 - name: Add the nodepool group
  group:
-    name: nodepool
+    name: '{{ nodepool_group }}'
    state: present
-    gid: '{{ nodepool_base_nodepool_gid }}'
+    gid: '{{ nodepool_gid }}'

 - name: Add the nodepool user
  user:
-    name: nodepool
-    group: nodepool
-    home: /home/nodepool
+    name: '{{ nodepool_user }}'
+    group: '{{ nodepool_group }}'
+    uid: '{{ nodepool_uid }}'
+    home: '/home/{{ nodepool_user }}'
    create_home: yes
    shell: /bin/bash
-    uid: '{{ nodepool_base_nodepool_uid }}'
+    system: yes

 - name: Sync project-config
  include_role:
@ -21,16 +22,16 @@
  file:
    name: /etc/nodepool
    state: directory
-    owner: nodepool
-    group: nodepool
+    owner: '{{ nodepool_user }}'
+    group: '{{ nodepool_group }}'
    mode: 0755

 - name: Create nodepool log dir
  file:
    name: /var/log/nodepool
    state: directory
-    owner: nodepool
-    group: nodepool
+    owner: '{{ nodepool_user }}'
+    group: '{{ nodepool_group }}'
    mode: 0755

 - name: Look for a host specific config file
--- a/playbooks/roles/nodepool-builder/tasks/main.yaml
+++ b/playbooks/roles/nodepool-builder/tasks/main.yaml
@ -8,8 +8,8 @@
    state: directory
    path: '{{ item }}'
    mode: 0755
-    owner: nodepool
-    group: nodepool
+    owner: "{{ nodepool_user }}"
+    group: "{{ nodepool_group }}"
  loop:
    - '/opt/dib_tmp'
    - '/opt/dib_cache'
--- a/playbooks/roles/zookeeper/tasks/main.yaml
+++ b/playbooks/roles/zookeeper/tasks/main.yaml
@ -1,17 +1,16 @@
 - name: Create Zookeeper group
  group:
-    name: "zookeeper"
-    gid: 10001
+    name: "{{ zookeeper_group }}"
+    gid: "{{ zookeeper_gid }}"
    system: yes
 - name: Create Zookeeper User
  user:
-    name: "zookeeper"
-    uid: 10001
-    comment: Zookeeper
-    shell: /bin/false
-    group: "zookeeper"
-    home: "/var/zookeeper"
-    create_home: no
+    name: "{{ zookeeper_user }}"
+    group: "{{ zookeeper_group }}"
+    uid: "{{ zookeeper_uid }}"
+    home: "/home/{{ zookeeper_user }}"
+    create_home: yes
+    shell: /bin/bash
    system: yes
 - name: Synchronize compose directory
  synchronize:
@ -21,8 +20,8 @@
  file:
    state: directory
    path: "/var/zookeeper/{{ item }}"
-    owner: zookeeper
-    group: zookeeper
+    owner: "{{ zookeeper_user }}"
+    group: "{{ zookeeper_group }}"
  loop:
    - conf
    - data
--- a/playbooks/roles/zuul-executor/files/docker-compose.yaml
+++ b/playbooks/roles/zuul-executor/files/docker-compose.yaml
@ -12,7 +12,7 @@ services:
      - /etc/zuul:/etc/zuul
      - /opt/project-config:/opt/project-config
      - /afs:/afs
-      - /home/zuul:/home/zuul
+      - /home/zuuld:/home/zuul
      - /var/lib/zuul:/var/lib/zuul
      - /var/log/zuul:/var/log/zuul
      - /etc/openafs:/etc/openafs
--- a/playbooks/roles/zuul-merger/files/docker-compose.yaml
+++ b/playbooks/roles/zuul-merger/files/docker-compose.yaml
@ -11,6 +11,6 @@ services:
    volumes:
      - /etc/zuul:/etc/zuul
      - /opt/project-config:/opt/project-config
-      - /home/zuul:/home/zuul
+      - /home/zuuld:/home/zuul
      - /var/lib/zuul:/var/lib/zuul
      - /var/log/zuul:/var/log/zuul
--- a/playbooks/roles/zuul-scheduler/files/docker-compose.yaml
+++ b/playbooks/roles/zuul-scheduler/files/docker-compose.yaml
@ -11,6 +11,6 @@ services:
    volumes:
      - /etc/zuul:/etc/zuul
      - /opt/project-config:/opt/project-config
-      - /home/zuul:/home/zuul
+      - /home/zuuld:/home/zuul
      - /var/lib/zuul:/var/lib/zuul
      - /var/log/zuul:/var/log/zuul
--- a/playbooks/roles/zuul-web/files/docker-compose.yaml
+++ b/playbooks/roles/zuul-web/files/docker-compose.yaml
@ -10,7 +10,7 @@ services:
    user: zuul
    volumes:
      - /etc/zuul:/etc/zuul
-      - /home/zuul:/home/zuul
+      - /home/zuuld:/home/zuul
      - /var/lib/zuul:/var/lib/zuul
      - /var/log/zuul:/var/log/zuul
  fingergw:
@ -21,6 +21,6 @@ services:
    # grab the finger port and then drop privs
    volumes:
      - /etc/zuul:/etc/zuul
-      - /home/zuul:/home/zuul
+      - /home/zuuld:/home/zuul
      - /var/lib/zuul:/var/lib/zuul
      - /var/log/zuul:/var/log/zuul
--- a/playbooks/roles/zuul/tasks/main.yaml
+++ b/playbooks/roles/zuul/tasks/main.yaml
@ -1,51 +1,47 @@
 - name: Create Zuul Group
  group:
-    name: zuul
+    name: "{{ zuul_group }}"
    gid: "{{ zuul_group_id }}"
    system: yes

 - name: Create Zuul User
  user:
-    name: zuul
+    name: "{{ zuul_user }}"
+    group: "{{ zuul_group }}"
    uid: "{{ zuul_user_id }}"
-    comment: Zuul User
-    shell: /bin/bash
-    home: /home/zuul
-    group: zuul
+    home: "/home/{{ zuul_user }}"
    create_home: yes
+    shell: /bin/bash
    system: yes
-  # In order to run this in Zuul, we have to ignore errors.
-  # That's because in Zuul, the test nodes have a Zuul user.
-  failed_when: false

 - name: Create Zuul Config dir
  file:
    state: directory
    path: /etc/zuul
-    owner: zuul
-    group: zuul
+    owner: "{{ zuul_user }}"
+    group: "{{ zuul_group }}"

 - name: Create Zuul SSL dir
  file:
    state: directory
    path: /etc/zuul/ssl
-    owner: zuul
-    group: zuul
+    owner: "{{ zuul_user }}"
+    group: "{{ zuul_group }}"

 - name: Write Gearman SSL CA
  copy:
    content: "{{ gearman_ssl_ca }}"
    dest: /etc/zuul/ssl/gearman-ca.pem
-    owner: zuul
-    group: zuul
+    owner: "{{ zuul_user }}"
+    group: "{{ zuul_group }}"
    mode: 0644

 - name: Write Gearman Client SSL Cert
  copy:
    content: "{{ gearman_client_ssl_cert }}"
    dest: /etc/zuul/ssl/gearman-client.pem
-    owner: zuul
-    group: zuul
+    owner: "{{ zuul_user }}"
+    group: "{{ zuul_group }}"
    mode: 0644

 - name: Write Gearman Client SSL Key
@ -53,8 +49,8 @@
  copy:
    content: "{{ gearman_client_ssl_key }}"
    dest: /etc/zuul/ssl/gearman-client.key
-    owner: zuul
-    group: zuul
+    owner: "{{ zuul_user }}"
+    group: "{{ zuul_group }}"
    mode: 0640

 - name: Write Gearman Server SSL Cert
@ -62,8 +58,8 @@
  copy:
    content: "{{ gearman_server_ssl_cert }}"
    dest: /etc/zuul/ssl/gearman-server.pem
-    owner: zuul
-    group: zuul
+    owner: "{{ zuul_user }}"
+    group: "{{ zuul_group }}"
    mode: 0644

 - name: Write Gearman Server SSL Key
@ -71,24 +67,24 @@
  copy:
    content: "{{ gearman_server_ssl_key }}"
    dest: /etc/zuul/ssl/gearman-server.key
-    owner: zuul
-    group: zuul
+    owner: "{{ zuul_user }}"
+    group: "{{ zuul_group }}"
    mode: 0640

 - name: Write Zuul Conf File
  template:
    src: zuul.conf.j2
    dest: /etc/zuul/zuul.conf
-    owner: zuul
-    group: zuul
+    owner: "{{ zuul_user }}"
+    group: "{{ zuul_group }}"
    mode: 0600

 - name: Create Zuul directories
  file:
    state: directory
    path: '{{ item }}'
-    owner: zuul
-    group: zuul
+    owner: "{{ zuul_user }}"
+    group: "{{ zuul_group }}"
  loop:
    - /var/log/zuul
    - /var/run/zuul
@ -99,24 +95,24 @@
  copy:
    dest: /var/lib/zuul/ssh/id_rsa
    content: '{{ zuul_ssh_private_key_contents }}'
-    owner: zuul
-    group: zuul
+    owner: "{{ zuul_user }}"
+    group: "{{ zuul_group }}"
    mode: 0400

 - name: Create Zuul SSH directory
  file:
    state: directory
-    path: /home/zuul/.ssh
-    owner: zuul
-    group: zuul
+    path: "~{{ zuul_user }}/.ssh"
+    owner: "{{ zuul_user }}"
+    group: "{{ zuul_group }}"
    mode: 0700

 - name: Write Known Hosts
  copy:
-    dest: /home/zuul/.ssh/known_hosts
+    dest: "~{{ zuul_user }}/.ssh/known_hosts"
    content: '{{ zuul_known_hosts }}'
-    owner: zuul
-    group: zuul
+    owner: "{{ zuul_user }}"
+    group: "{{ zuul_group }}"
    mode: 0600

 - name: Sync project-config