
Run Zuul as the zuuld user

This avoids the conflict with the zuul user (uid 1000) that already exists
on the test nodes.  The executor will continue to use the default username
of 'zuul' as the ansible_user in the inventory.

This change also touches the zk and nodepool deployment to use
variables for the usernames and uids to make changes like this
easier.  No changes are intended there.

Change-Id: Ib8cef6b7889b23ddc65a07bcba29c21a36e3dcb5
James E. Blair 2 years ago
parent
commit
09935ff328
  1. 6
      playbooks/group_vars/nodepool-builder.yaml
  2. 2
      playbooks/group_vars/nodepool-builder_opendev.yaml
  3. 4
      playbooks/group_vars/nodepool-launcher.yaml
  4. 6
      playbooks/group_vars/nodepool-launcher_opendev.yaml
  5. 10
      playbooks/group_vars/nodepool.yaml
  6. 4
      playbooks/group_vars/zookeeper.yaml
  7. 2
      playbooks/group_vars/zuul.yaml
  8. 5
      playbooks/roles/nodepool-base/defaults/main.yaml
  9. 21
      playbooks/roles/nodepool-base/tasks/main.yaml
  10. 4
      playbooks/roles/nodepool-builder/tasks/main.yaml
  11. 21
      playbooks/roles/zookeeper/tasks/main.yaml
  12. 2
      playbooks/roles/zuul-executor/files/docker-compose.yaml
  13. 2
      playbooks/roles/zuul-merger/files/docker-compose.yaml
  14. 2
      playbooks/roles/zuul-scheduler/files/docker-compose.yaml
  15. 4
      playbooks/roles/zuul-web/files/docker-compose.yaml
  16. 66
      playbooks/roles/zuul/tasks/main.yaml

6
playbooks/group_vars/nodepool-builder.yaml

@ -1,4 +1,4 @@
openstacksdk_config_dir: /home/nodepool/.config/openstack
openstacksdk_config_owner: nodepool
openstacksdk_config_group: nodepool
openstacksdk_config_owner: "{{ nodepool_user }}"
openstacksdk_config_group: "{{ nodepool_group }}"
openstacksdk_config_dir: "~{{ openstacksdk_config_owner }}/.config/openstack"
openstacksdk_config_template: clouds/nodepool_clouds.yaml.j2
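Review bot: `openstacksdk_config_dir: "~{{ openstacksdk_config_owner }}/.config/openstack"` depends on `~user` being expanded by whichever module in the openstacksdk role consumes it, and that role is not part of this change; if the parameter is not declared as a path type, a literal `~nodepool` directory ends up on the host. It also only expands correctly once the account exists on the target, so nodepool-base must have run first. Since nodepool-base now pins the home to `/home/{{ nodepool_user }}`, the literal form `openstacksdk_config_dir: "/home/{{ openstacksdk_config_owner }}/.config/openstack"` is equivalent and carries neither dependency; the same applies to nodepool-launcher_opendev.yaml.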

2
playbooks/group_vars/nodepool-builder_opendev.yaml

@ -1,4 +1,4 @@
openstacksdk_config_dir: /etc/openstack
openstacksdk_config_owner: root
openstacksdk_config_group: nodepool
openstacksdk_config_group: "{{ nodepool_group }}"
openstacksdk_config_template: clouds/nodepool_clouds.yaml.j2

4
playbooks/group_vars/nodepool-launcher.yaml

@ -1,4 +1,4 @@
openstacksdk_config_dir: /etc/openstack
openstacksdk_config_owner: nodepool
openstacksdk_config_group: nodepool
openstacksdk_config_owner: "{{ nodepool_user }}"
openstacksdk_config_group: "{{ nodepool_group }}"
openstacksdk_config_template: clouds/nodepool_clouds.yaml.j2

6
playbooks/group_vars/nodepool-launcher_opendev.yaml

@ -1,4 +1,4 @@
openstacksdk_config_dir: /home/nodepool/.config/openstack
openstacksdk_config_owner: nodepool
openstacksdk_config_group: nodepool
openstacksdk_config_owner: "{{ nodepool_user }}"
openstacksdk_config_group: "{{ nodepool_group }}"
openstacksdk_config_dir: "~{{ openstacksdk_config_owner }}/.config/openstack"
openstacksdk_config_template: clouds/nodepool_clouds.yaml.j2

10
playbooks/group_vars/nodepool.yaml

@ -1,4 +1,8 @@
kube_config_dir: ~nodepool/.kube
kube_config_owner: nodepool
kube_config_group: nodepool
nodepool_user: nodepool
nodepool_group: nodepool
nodepool_uid: 10001
nodepool_gid: 10001
kube_config_dir: ~{{ nodepool_user }}/.kube
kube_config_owner: "{{ nodepool_user }}"
kube_config_group: "{{ nodepool_group }}"
kube_config_template: clouds/nodepool_kube_config.yaml.j2
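Review bot: `kube_config_dir: ~{{ nodepool_user }}/.kube` is left as a plain scalar while the sibling `openstacksdk_config_dir` in nodepool-builder.yaml is quoted; for consistency quote it too, `kube_config_dir: "~{{ nodepool_user }}/.kube"`, so no templated value sits unquoted. As with the openstacksdk path it relies on `~user` expansion in the consuming module and on the account already existing; `"/home/{{ nodepool_user }}/.kube"` matches the home nodepool-base assigns and avoids both. Note that `nodepool_uid`/`nodepool_gid` here are the same 10001 used for zookeeper and zuul in this change.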

4
playbooks/group_vars/zookeeper.yaml

@ -1,3 +1,7 @@
zookeeper_user: zookeeper
zookeeper_group: zookeeper
zookeeper_uid: 10001
zookeeper_gid: 10001
iptables_extra_allowed_hosts:
- {'protocol': 'tcp', 'port': '2181', 'hostname': 'nb01.opendev.org'}
- {'protocol': 'tcp', 'port': '2181', 'hostname': 'nb02.opendev.org'}
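Review bot: `zookeeper_uid: 10001` / `zookeeper_gid: 10001` are the same numbers as `nodepool_uid` in playbooks/group_vars/nodepool.yaml and `zuul_user_id` in playbooks/group_vars/zuul.yaml in this change. That is pre-existing, but now that the three are variables it is worth stating the constraint: on any host that belongs to more than one of these groups (nodepool-base exposes a `nodepool_base_install_zookeeper` switch, so co-location looks possible), the second `user:` task would fail on the duplicate uid, or if it were forced, two service accounts would be indistinguishable to the filesystem. Suggest a comment above the uid, `# must not collide with nodepool_uid / zuul_user_id on hosts that run both`, or distinct values.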

2
playbooks/group_vars/zuul.yaml

@ -1,5 +1,7 @@
zuul_user_id: 10001
zuul_group_id: 10001
zuul_user: zuuld
zuul_group: zuuld
zuul_known_hosts: |
[review.opendev.org]:29418,[review.openstack.org]:29418,[104.130.246.32]:29418,[2001:4800:7819:103:be76:4eff:fe04:9229]:29418 {{ gerrit_ssh_rsa_pubkey_contents }}
[git.opendaylight.org]:29418,[52.35.122.251]:29418,[2600:1f14:421:f500:7b21:2a58:ab0a:2d17]:29418 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAyRXyHEw/P1iZr/fFFzbodT5orVV/ftnNRW59Zh9rnSY5Rmbc9aygsZHdtiWBERVVv8atrJSdZool75AglPDDYtPICUGWLR91YBSDcZwReh5S9es1dlQ6fyWTnv9QggSZ98KTQEuE3t/b5SfH0T6tXWmrNydv4J2/mejKRRLU2+oumbeVN1yB+8Uau/3w9/K5F5LgsDDzLkW35djLhPV8r0OfmxV/cAnLl7AaZlaqcJMA+2rGKqM3m3Yu+pQw4pxOfCSpejlAwL6c8tA9naOvBkuJk+hYpg5tDEq2QFGRX5y1F9xQpwpdzZROc5hdGYntM79VMMXTj+95dwVv/8yTsw==

5
playbooks/roles/nodepool-base/defaults/main.yaml

@ -1,6 +1 @@
nodepool_base_install_zookeeper: False
# Keep these in sync with the container uid's so containers can write
# to local bits and pieces.
nodepool_base_nodepool_uid: 10001
nodepool_base_nodepool_gid: 10001

21
playbooks/roles/nodepool-base/tasks/main.yaml

@ -1,17 +1,18 @@
- name: Add the nodepool group
group:
name: nodepool
name: '{{ nodepool_group }}'
state: present
gid: '{{ nodepool_base_nodepool_gid }}'
gid: '{{ nodepool_gid }}'
- name: Add the nodepool user
user:
name: nodepool
group: nodepool
home: /home/nodepool
name: '{{ nodepool_user }}'
group: '{{ nodepool_group }}'
uid: '{{ nodepool_uid }}'
home: '/home/{{ nodepool_user }}'
create_home: yes
shell: /bin/bash
uid: '{{ nodepool_base_nodepool_uid }}'
system: yes
- name: Sync project-config
include_role:
@ -21,16 +22,16 @@
file:
name: /etc/nodepool
state: directory
owner: nodepool
group: nodepool
owner: '{{ nodepool_user }}'
group: '{{ nodepool_group }}'
mode: 0755
- name: Create nodepool log dir
file:
name: /var/log/nodepool
state: directory
owner: nodepool
group: nodepool
owner: '{{ nodepool_user }}'
group: '{{ nodepool_group }}'
mode: 0755
- name: Look for a host specific config file

4
playbooks/roles/nodepool-builder/tasks/main.yaml

@ -8,8 +8,8 @@
state: directory
path: '{{ item }}'
mode: 0755
owner: nodepool
group: nodepool
owner: "{{ nodepool_user }}"
group: "{{ nodepool_group }}"
loop:
- '/opt/dib_tmp'
- '/opt/dib_cache'

21
playbooks/roles/zookeeper/tasks/main.yaml

@ -1,17 +1,16 @@
- name: Create Zookeeper group
group:
name: "zookeeper"
gid: 10001
name: "{{ zookeeper_group }}"
gid: "{{ zookeeper_gid }}"
system: yes
- name: Create Zookeeper User
user:
name: "zookeeper"
uid: 10001
comment: Zookeeper
shell: /bin/false
group: "zookeeper"
home: "/var/zookeeper"
create_home: no
name: "{{ zookeeper_user }}"
group: "{{ zookeeper_group }}"
uid: "{{ zookeeper_uid }}"
home: "/home/{{ zookeeper_user }}"
create_home: yes
shell: /bin/bash
system: yes
- name: Synchronize compose directory
synchronize:
@ -21,8 +20,8 @@
file:
state: directory
path: "/var/zookeeper/{{ item }}"
owner: zookeeper
group: zookeeper
owner: "{{ zookeeper_user }}"
group: "{{ zookeeper_group }}"
loop:
- conf
- data
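Review bot: The Create Zookeeper User task turns a no-login service account into one with a login shell and a new home: the old `shell: /bin/false`, `home: "/var/zookeeper"` and `create_home: no` are replaced by `shell: /bin/bash`, `home: "/home/{{ zookeeper_user }}"` and `create_home: yes`, and `comment: Zookeeper` is dropped, although the commit message says no changes are intended in the zookeeper deployment. Nothing in the hunk shows zookeeper needing an interactive shell or a home under /home, and the data directories it owns remain under /var/zookeeper. Keep the three original lines (`shell: /bin/false`, `home: "/var/zookeeper"`, `create_home: no`) alongside the new `system: yes`, and prefer `true`/`false` over `yes`/`no` for the booleans.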

2
playbooks/roles/zuul-executor/files/docker-compose.yaml

@ -12,7 +12,7 @@ services:
- /etc/zuul:/etc/zuul
- /opt/project-config:/opt/project-config
- /afs:/afs
- /home/zuul:/home/zuul
- /home/zuuld:/home/zuul
- /var/lib/zuul:/var/lib/zuul
- /var/log/zuul:/var/log/zuul
- /etc/openafs:/etc/openafs
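Review bot: `- /home/zuuld:/home/zuul` now binds the host account's home to a differently named path inside the container, which only works if the image's `zuul` user carries uid 10001 (`zuul_user_id` in playbooks/group_vars/zuul.yaml) so it can read the 0700 `~/.ssh` directory the zuul role writes; that uid is not visible here. Because this compose file is static rather than templated, add a comment above the volume line so the mismatch is not "fixed" later: `# host service account is zuuld (uid 10001); the image's zuul user must share that uid`. The same line appears in the merger, scheduler and web compose files.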

2
playbooks/roles/zuul-merger/files/docker-compose.yaml

@ -11,6 +11,6 @@ services:
volumes:
- /etc/zuul:/etc/zuul
- /opt/project-config:/opt/project-config
- /home/zuul:/home/zuul
- /home/zuuld:/home/zuul
- /var/lib/zuul:/var/lib/zuul
- /var/log/zuul:/var/log/zuul

2
playbooks/roles/zuul-scheduler/files/docker-compose.yaml

@ -11,6 +11,6 @@ services:
volumes:
- /etc/zuul:/etc/zuul
- /opt/project-config:/opt/project-config
- /home/zuul:/home/zuul
- /home/zuuld:/home/zuul
- /var/lib/zuul:/var/lib/zuul
- /var/log/zuul:/var/log/zuul

4
playbooks/roles/zuul-web/files/docker-compose.yaml

@ -10,7 +10,7 @@ services:
user: zuul
volumes:
- /etc/zuul:/etc/zuul
- /home/zuul:/home/zuul
- /home/zuuld:/home/zuul
- /var/lib/zuul:/var/lib/zuul
- /var/log/zuul:/var/log/zuul
fingergw:
@ -21,6 +21,6 @@ services:
# grab the finger port and then drop privs
volumes:
- /etc/zuul:/etc/zuul
- /home/zuul:/home/zuul
- /home/zuuld:/home/zuul
- /var/lib/zuul:/var/lib/zuul
- /var/log/zuul:/var/log/zuul
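Review bot: `user: zuul` in the web service is resolved against the image's /etc/passwd, not the host's, so the host rename to zuuld does not reach it; now that the two names differ, a comment such as `# user inside the image, not the host zuuld account` would prevent someone from "correcting" it. For fingergw the comment says it drops privileges after binding the finger port; the user it drops to is configured outside this file (presumably zuul.conf), and if that is set by name it must be the in-container name as well — confirm. The `/home/zuuld:/home/zuul` mount has the same uid-match requirement as in the executor compose file.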

66
playbooks/roles/zuul/tasks/main.yaml

@ -1,51 +1,47 @@
- name: Create Zuul Group
group:
name: zuul
name: "{{ zuul_group }}"
gid: "{{ zuul_group_id }}"
system: yes
- name: Create Zuul User
user:
name: zuul
name: "{{ zuul_user }}"
group: "{{ zuul_group }}"
uid: "{{ zuul_user_id }}"
comment: Zuul User
shell: /bin/bash
home: /home/zuul
group: zuul
home: "/home/{{ zuul_user }}"
create_home: yes
shell: /bin/bash
system: yes
# In order to run this in Zuul, we have to ignore errors.
# That's because in Zuul, the test nodes have a Zuul user.
failed_when: false
- name: Create Zuul Config dir
file:
state: directory
path: /etc/zuul
owner: zuul
group: zuul
owner: "{{ zuul_user }}"
group: "{{ zuul_group }}"
- name: Create Zuul SSL dir
file:
state: directory
path: /etc/zuul/ssl
owner: zuul
group: zuul
owner: "{{ zuul_user }}"
group: "{{ zuul_group }}"
- name: Write Gearman SSL CA
copy:
content: "{{ gearman_ssl_ca }}"
dest: /etc/zuul/ssl/gearman-ca.pem
owner: zuul
group: zuul
owner: "{{ zuul_user }}"
group: "{{ zuul_group }}"
mode: 0644
- name: Write Gearman Client SSL Cert
copy:
content: "{{ gearman_client_ssl_cert }}"
dest: /etc/zuul/ssl/gearman-client.pem
owner: zuul
group: zuul
owner: "{{ zuul_user }}"
group: "{{ zuul_group }}"
mode: 0644
- name: Write Gearman Client SSL Key
@ -53,8 +49,8 @@
copy:
content: "{{ gearman_client_ssl_key }}"
dest: /etc/zuul/ssl/gearman-client.key
owner: zuul
group: zuul
owner: "{{ zuul_user }}"
group: "{{ zuul_group }}"
mode: 0640
- name: Write Gearman Server SSL Cert
@ -62,8 +58,8 @@
copy:
content: "{{ gearman_server_ssl_cert }}"
dest: /etc/zuul/ssl/gearman-server.pem
owner: zuul
group: zuul
owner: "{{ zuul_user }}"
group: "{{ zuul_group }}"
mode: 0644
- name: Write Gearman Server SSL Key
@ -71,24 +67,24 @@
copy:
content: "{{ gearman_server_ssl_key }}"
dest: /etc/zuul/ssl/gearman-server.key
owner: zuul
group: zuul
owner: "{{ zuul_user }}"
group: "{{ zuul_group }}"
mode: 0640
- name: Write Zuul Conf File
template:
src: zuul.conf.j2
dest: /etc/zuul/zuul.conf
owner: zuul
group: zuul
owner: "{{ zuul_user }}"
group: "{{ zuul_group }}"
mode: 0600
- name: Create Zuul directories
file:
state: directory
path: '{{ item }}'
owner: zuul
group: zuul
owner: "{{ zuul_user }}"
group: "{{ zuul_group }}"
loop:
- /var/log/zuul
- /var/run/zuul
@ -99,24 +95,24 @@
copy:
dest: /var/lib/zuul/ssh/id_rsa
content: '{{ zuul_ssh_private_key_contents }}'
owner: zuul
group: zuul
owner: "{{ zuul_user }}"
group: "{{ zuul_group }}"
mode: 0400
- name: Create Zuul SSH directory
file:
state: directory
path: /home/zuul/.ssh
owner: zuul
group: zuul
path: "~{{ zuul_user }}/.ssh"
owner: "{{ zuul_user }}"
group: "{{ zuul_group }}"
mode: 0700
- name: Write Known Hosts
copy:
dest: /home/zuul/.ssh/known_hosts
dest: "~{{ zuul_user }}/.ssh/known_hosts"
content: '{{ zuul_known_hosts }}'
owner: zuul
group: zuul
owner: "{{ zuul_user }}"
group: "{{ zuul_group }}"
mode: 0600
- name: Sync project-config
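Review bot: `failed_when: false` on the Create Zuul User task, and the two comment lines justifying it, are now stale: the task creates `{{ zuul_user }}` (zuuld) precisely so that it no longer collides with the test nodes' zuul user. Left in place it silently masks a real failure (for example uid 10001 already taken on the host), after which every later task chowns /etc/zuul, the gearman keys, the private SSH key and `~{{ zuul_user }}/.ssh` to an account that may not exist or may not be the one intended, while Create Zuul Group has no such mask. Remove `failed_when: false` and its comment; if a CI-only exception is still needed, condition it explicitly rather than ignoring all errors. The `~{{ zuul_user }}/.ssh` paths also assume the account exists before those tasks, which this role guarantees only if user creation actually succeeded.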
