From 09935ff32823f44682c0350f1d89d6d3358174ad Mon Sep 17 00:00:00 2001 From: "James E. Blair" Date: Mon, 11 May 2020 14:56:50 -0700 Subject: [PATCH] Run Zuul as the zuuld user This avoids the conflict with the zuul user (1000) on the test nodes. The executor will continue to use the default username of 'zuul' as the ansible_user in the inventory. This change also touches the zk and nodepool deployment to use variables for the usernames and uids to make changes like this easier. No changes are intended there. Change-Id: Ib8cef6b7889b23ddc65a07bcba29c21a36e3dcb5 --- playbooks/group_vars/nodepool-builder.yaml | 6 +- .../group_vars/nodepool-builder_opendev.yaml | 2 +- playbooks/group_vars/nodepool-launcher.yaml | 4 +- .../group_vars/nodepool-launcher_opendev.yaml | 6 +- playbooks/group_vars/nodepool.yaml | 10 ++- playbooks/group_vars/zookeeper.yaml | 4 ++ playbooks/group_vars/zuul.yaml | 2 + .../roles/nodepool-base/defaults/main.yaml | 5 -- playbooks/roles/nodepool-base/tasks/main.yaml | 21 +++--- .../roles/nodepool-builder/tasks/main.yaml | 4 +- playbooks/roles/zookeeper/tasks/main.yaml | 21 +++--- .../zuul-executor/files/docker-compose.yaml | 2 +- .../zuul-merger/files/docker-compose.yaml | 2 +- .../zuul-scheduler/files/docker-compose.yaml | 2 +- .../roles/zuul-web/files/docker-compose.yaml | 4 +- playbooks/roles/zuul/tasks/main.yaml | 66 +++++++++---------- 16 files changed, 81 insertions(+), 80 deletions(-) diff --git a/playbooks/group_vars/nodepool-builder.yaml b/playbooks/group_vars/nodepool-builder.yaml index 81cac6a1aa..16e82208ba 100644 --- a/playbooks/group_vars/nodepool-builder.yaml +++ b/playbooks/group_vars/nodepool-builder.yaml 
@@ -1,4 +1,4 @@ -openstacksdk_config_dir: /home/nodepool/.config/openstack -openstacksdk_config_owner: nodepool -openstacksdk_config_group: nodepool +openstacksdk_config_owner: "{{ nodepool_user }}" +openstacksdk_config_group: "{{ nodepool_group }}" +openstacksdk_config_dir: "~{{ openstacksdk_config_owner }}/.config/openstack" openstacksdk_config_template: clouds/nodepool_clouds.yaml.j2 diff --git a/playbooks/group_vars/nodepool-builder_opendev.yaml b/playbooks/group_vars/nodepool-builder_opendev.yaml index 11b5eac6ed..6b987b9ae1 100644 --- a/playbooks/group_vars/nodepool-builder_opendev.yaml +++ b/playbooks/group_vars/nodepool-builder_opendev.yaml @@ -1,4 +1,4 @@ openstacksdk_config_dir: /etc/openstack openstacksdk_config_owner: root -openstacksdk_config_group: nodepool +openstacksdk_config_group: "{{ nodepool_group }}" openstacksdk_config_template: clouds/nodepool_clouds.yaml.j2 diff --git a/playbooks/group_vars/nodepool-launcher.yaml b/playbooks/group_vars/nodepool-launcher.yaml index 4174245222..dd46629203 100644 --- a/playbooks/group_vars/nodepool-launcher.yaml +++ b/playbooks/group_vars/nodepool-launcher.yaml @@ -1,4 +1,4 @@ openstacksdk_config_dir: /etc/openstack -openstacksdk_config_owner: nodepool -openstacksdk_config_group: nodepool +openstacksdk_config_owner: "{{ nodepool_user }}" +openstacksdk_config_group: "{{ nodepool_group }}" openstacksdk_config_template: clouds/nodepool_clouds.yaml.j2 diff --git a/playbooks/group_vars/nodepool-launcher_opendev.yaml b/playbooks/group_vars/nodepool-launcher_opendev.yaml index 81cac6a1aa..16e82208ba 100644 --- a/playbooks/group_vars/nodepool-launcher_opendev.yaml +++ b/playbooks/group_vars/nodepool-launcher_opendev.yaml 
@@ -1,4 +1,4 @@ -openstacksdk_config_dir: /home/nodepool/.config/openstack -openstacksdk_config_owner: nodepool -openstacksdk_config_group: nodepool +openstacksdk_config_owner: "{{ nodepool_user }}" +openstacksdk_config_group: "{{ nodepool_group }}" +openstacksdk_config_dir: "~{{ openstacksdk_config_owner }}/.config/openstack" openstacksdk_config_template: clouds/nodepool_clouds.yaml.j2 diff --git a/playbooks/group_vars/nodepool.yaml b/playbooks/group_vars/nodepool.yaml index 91e605d531..2c1347a893 100644 --- a/playbooks/group_vars/nodepool.yaml +++ b/playbooks/group_vars/nodepool.yaml @@ -1,4 +1,8 @@ -kube_config_dir: ~nodepool/.kube -kube_config_owner: nodepool -kube_config_group: nodepool +nodepool_user: nodepool +nodepool_group: nodepool +nodepool_uid: 10001 +nodepool_gid: 10001 +kube_config_dir: ~{{ nodepool_user }}/.kube +kube_config_owner: "{{ nodepool_user }}" +kube_config_group: "{{ nodepool_group }}" kube_config_template: clouds/nodepool_kube_config.yaml.j2 diff --git a/playbooks/group_vars/zookeeper.yaml b/playbooks/group_vars/zookeeper.yaml index e03be16ec0..f62df8548a 100644 --- a/playbooks/group_vars/zookeeper.yaml +++ b/playbooks/group_vars/zookeeper.yaml @@ -1,3 +1,7 @@ +zookeeper_user: zookeeper +zookeeper_group: zookeeper +zookeeper_uid: 10001 +zookeeper_gid: 10001 iptables_extra_allowed_hosts: - {'protocol': 'tcp', 'port': '2181', 'hostname': 'nb01.opendev.org'} - {'protocol': 'tcp', 'port': '2181', 'hostname': 'nb02.opendev.org'} diff --git a/playbooks/group_vars/zuul.yaml b/playbooks/group_vars/zuul.yaml index e3f2dd3e3a..604fbc21cb 100644 --- a/playbooks/group_vars/zuul.yaml +++ b/playbooks/group_vars/zuul.yaml 
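Review bot: In the playbooks/group_vars/nodepool.yaml hunk, `nodepool_uid: 10001` / `nodepool_gid: 10001` now sit beside `zookeeper_uid: 10001` / `zookeeper_gid: 10001` in the zookeeper.yaml hunk of this patch and the unchanged `zuul_user_id: 10001` in group_vars/zuul.yaml, so three differently named service accounts claim the same numeric id. The values themselves are not changed by this commit, but nodepool-base carries a `nodepool_base_install_zookeeper` switch, and on any host where two of these roles run the second `group`/`user` task would presumably fail on the duplicate id, or leave files owned by the wrong service account. Since the ids are being centralised precisely to make them easy to change, a comment above them would help: `# Must match the uid/gid the containers run as; 10001 is also used by zookeeper and zuul — keep distinct on shared hosts`. Separately, `kube_config_dir: ~{{ nodepool_user }}/.kube` is the only templated value in the hunk left unquoted; `kube_config_dir: "~{{ nodepool_user }}/.kube"` matches its neighbours and the builder/launcher files.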
@@ -1,5 +1,7 @@ zuul_user_id: 10001 zuul_group_id: 10001 +zuul_user: zuuld +zuul_group: zuuld zuul_known_hosts: | [review.opendev.org]:29418,[review.openstack.org]:29418,[104.130.246.32]:29418,[2001:4800:7819:103:be76:4eff:fe04:9229]:29418 {{ gerrit_ssh_rsa_pubkey_contents }} [git.opendaylight.org]:29418,[52.35.122.251]:29418,[2600:1f14:421:f500:7b21:2a58:ab0a:2d17]:29418 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAyRXyHEw/P1iZr/fFFzbodT5orVV/ftnNRW59Zh9rnSY5Rmbc9aygsZHdtiWBERVVv8atrJSdZool75AglPDDYtPICUGWLR91YBSDcZwReh5S9es1dlQ6fyWTnv9QggSZ98KTQEuE3t/b5SfH0T6tXWmrNydv4J2/mejKRRLU2+oumbeVN1yB+8Uau/3w9/K5F5LgsDDzLkW35djLhPV8r0OfmxV/cAnLl7AaZlaqcJMA+2rGKqM3m3Yu+pQw4pxOfCSpejlAwL6c8tA9naOvBkuJk+hYpg5tDEq2QFGRX5y1F9xQpwpdzZROc5hdGYntM79VMMXTj+95dwVv/8yTsw== diff --git a/playbooks/roles/nodepool-base/defaults/main.yaml b/playbooks/roles/nodepool-base/defaults/main.yaml index f6c7e9a391..38bb8e9166 100644 --- a/playbooks/roles/nodepool-base/defaults/main.yaml +++ b/playbooks/roles/nodepool-base/defaults/main.yaml @@ -1,6 +1 @@ nodepool_base_install_zookeeper: False - -# Keep these in sync with the container uid's so containers can write -# to local bits and pieces. -nodepool_base_nodepool_uid: 10001 -nodepool_base_nodepool_gid: 10001 \ No newline at end of file diff --git a/playbooks/roles/nodepool-base/tasks/main.yaml b/playbooks/roles/nodepool-base/tasks/main.yaml index 48e0660dbe..956a702ee5 100644 --- a/playbooks/roles/nodepool-base/tasks/main.yaml +++ b/playbooks/roles/nodepool-base/tasks/main.yaml 
@@ -1,17 +1,18 @@ - name: Add the nodepool group group: - name: nodepool + name: '{{ nodepool_group }}' state: present - gid: '{{ nodepool_base_nodepool_gid }}' + gid: '{{ nodepool_gid }}' - name: Add the nodepool user user: - name: nodepool - group: nodepool - home: /home/nodepool + name: '{{ nodepool_user }}' + group: '{{ nodepool_group }}' + uid: '{{ nodepool_uid }}' + home: '/home/{{ nodepool_user }}' create_home: yes shell: /bin/bash - uid: '{{ nodepool_base_nodepool_uid }}' + system: yes - name: Sync project-config include_role: @@ -21,16 +22,16 @@ file: name: /etc/nodepool state: directory - owner: nodepool - group: nodepool + owner: '{{ nodepool_user }}' + group: '{{ nodepool_group }}' mode: 0755 - name: Create nodepool log dir file: name: /var/log/nodepool state: directory - owner: nodepool - group: nodepool + owner: '{{ nodepool_user }}' + group: '{{ nodepool_group }}' mode: 0755 - name: Look for a host specific config file diff --git a/playbooks/roles/nodepool-builder/tasks/main.yaml b/playbooks/roles/nodepool-builder/tasks/main.yaml index 7c33fffc86..c4fe1b9adf 100644 --- a/playbooks/roles/nodepool-builder/tasks/main.yaml +++ b/playbooks/roles/nodepool-builder/tasks/main.yaml @@ -8,8 +8,8 @@ state: directory path: '{{ item }}' mode: 0755 - owner: nodepool - group: nodepool + owner: "{{ nodepool_user }}" + group: "{{ nodepool_group }}" loop: - '/opt/dib_tmp' - '/opt/dib_cache' diff --git a/playbooks/roles/zookeeper/tasks/main.yaml b/playbooks/roles/zookeeper/tasks/main.yaml index 8752ffe66f..10ceaa2dba 100644 --- a/playbooks/roles/zookeeper/tasks/main.yaml +++ b/playbooks/roles/zookeeper/tasks/main.yaml 
@@ -1,17 +1,16 @@ - name: Create Zookeeper group group: - name: "zookeeper" - gid: 10001 + name: "{{ zookeeper_group }}" + gid: "{{ zookeeper_gid }}" system: yes - name: Create Zookeeper User user: - name: "zookeeper" - uid: 10001 - comment: Zookeeper - shell: /bin/false - group: "zookeeper" - home: "/var/zookeeper" - create_home: no + name: "{{ zookeeper_user }}" + group: "{{ zookeeper_group }}" + uid: "{{ zookeeper_uid }}" + home: "/home/{{ zookeeper_user }}" + create_home: yes + shell: /bin/bash system: yes - name: Synchronize compose directory synchronize: @@ -21,8 +20,8 @@ file: state: directory path: "/var/zookeeper/{{ item }}" - owner: zookeeper - group: zookeeper + owner: "{{ zookeeper_user }}" + group: "{{ zookeeper_group }}" loop: - conf - data diff --git a/playbooks/roles/zuul-executor/files/docker-compose.yaml b/playbooks/roles/zuul-executor/files/docker-compose.yaml index 2bfaff3ad3..15df22da8c 100644 --- a/playbooks/roles/zuul-executor/files/docker-compose.yaml +++ b/playbooks/roles/zuul-executor/files/docker-compose.yaml @@ -12,7 +12,7 @@ services: - /etc/zuul:/etc/zuul - /opt/project-config:/opt/project-config - /afs:/afs - - /home/zuul:/home/zuul + - /home/zuuld:/home/zuul - /var/lib/zuul:/var/lib/zuul - /var/log/zuul:/var/log/zuul - /etc/openafs:/etc/openafs diff --git a/playbooks/roles/zuul-merger/files/docker-compose.yaml b/playbooks/roles/zuul-merger/files/docker-compose.yaml index 994593f1ff..db62d16c11 100644 --- a/playbooks/roles/zuul-merger/files/docker-compose.yaml +++ b/playbooks/roles/zuul-merger/files/docker-compose.yaml @@ -11,6 +11,6 @@ services: volumes: - /etc/zuul:/etc/zuul - /opt/project-config:/opt/project-config - - /home/zuul:/home/zuul + - /home/zuuld:/home/zuul - /var/lib/zuul:/var/lib/zuul - /var/log/zuul:/var/log/zuul diff --git a/playbooks/roles/zuul-scheduler/files/docker-compose.yaml b/playbooks/roles/zuul-scheduler/files/docker-compose.yaml index 2d98d627fb..6659d61274 100644 
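Review bot: The Create Zookeeper User task in playbooks/roles/zookeeper/tasks/main.yaml now sets `shell: /bin/bash`, `home: "/home/{{ zookeeper_user }}"` and `create_home: yes`, replacing the previous `/bin/false` non-login shell and the uncreated `/var/zookeeper` home, although the commit message says no zk changes are intended. The zookeeper account only needs to own the bind-mount directories under /var/zookeeper created in the next hunk, so the non-login shell was the least-privilege configuration, and giving a service account an interactive shell and a home directory widens what a compromise of that account can do. Ansible's user module also applies shell and home changes to an already existing account, so this would presumably alter the shell on hosts deployed before this patch. Suggest keeping `shell: /bin/false`, `home: "/var/zookeeper"` and `create_home: no` (and the dropped `comment: Zookeeper`), varying only the name, group, uid and gid.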
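Review bot: The bind mount in playbooks/roles/zuul-executor/files/docker-compose.yaml hard-codes the host path `/home/zuuld:/home/zuul`, while the host home directory and the `~{{ zuul_user }}/.ssh/known_hosts` written into it are derived from the new `zuul_user` variable; the zuul-merger, zuul-scheduler and zuul-web compose hunks have the same coupling. These files live under `files/` and are not templated, so a later change to `zuul_user` would move the SSH material on the host without moving the mount, and the containers would silently see an empty or stale /home/zuul. Either render the compose files as templates with `- "/home/{{ zuul_user }}:/home/zuul"`, or pin the dependency with a comment on the line: `# host home of zuul_user (group_vars/zuul.yaml); the in-container path stays /home/zuul`.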
--- a/playbooks/roles/zuul-scheduler/files/docker-compose.yaml +++ b/playbooks/roles/zuul-scheduler/files/docker-compose.yaml @@ -11,6 +11,6 @@ services: volumes: - /etc/zuul:/etc/zuul - /opt/project-config:/opt/project-config - - /home/zuul:/home/zuul + - /home/zuuld:/home/zuul - /var/lib/zuul:/var/lib/zuul - /var/log/zuul:/var/log/zuul diff --git a/playbooks/roles/zuul-web/files/docker-compose.yaml b/playbooks/roles/zuul-web/files/docker-compose.yaml index 7930b35820..d43a40415f 100644 --- a/playbooks/roles/zuul-web/files/docker-compose.yaml +++ b/playbooks/roles/zuul-web/files/docker-compose.yaml @@ -10,7 +10,7 @@ services: user: zuul volumes: - /etc/zuul:/etc/zuul - - /home/zuul:/home/zuul + - /home/zuuld:/home/zuul - /var/lib/zuul:/var/lib/zuul - /var/log/zuul:/var/log/zuul fingergw: @@ -21,6 +21,6 @@ services: # grab the finger port and then drop privs volumes: - /etc/zuul:/etc/zuul - - /home/zuul:/home/zuul + - /home/zuuld:/home/zuul - /var/lib/zuul:/var/lib/zuul - /var/log/zuul:/var/log/zuul diff --git a/playbooks/roles/zuul/tasks/main.yaml b/playbooks/roles/zuul/tasks/main.yaml index 7c2894b452..4c1738a18c 100644 --- a/playbooks/roles/zuul/tasks/main.yaml +++ b/playbooks/roles/zuul/tasks/main.yaml 
@@ -1,51 +1,47 @@ - name: Create Zuul Group group: - name: zuul + name: "{{ zuul_group }}" gid: "{{ zuul_group_id }}" system: yes - name: Create Zuul User user: - name: zuul + name: "{{ zuul_user }}" + group: "{{ zuul_group }}" uid: "{{ zuul_user_id }}" - comment: Zuul User - shell: /bin/bash - home: /home/zuul - group: zuul + home: "/home/{{ zuul_user }}" create_home: yes + shell: /bin/bash system: yes - # In order to run this in Zuul, we have to ignore errors. - # That's because in Zuul, the test nodes have a Zuul user. - failed_when: false - name: Create Zuul Config dir file: state: directory path: /etc/zuul - owner: zuul - group: zuul + owner: "{{ zuul_user }}" + group: "{{ zuul_group }}" - name: Create Zuul SSL dir file: state: directory path: /etc/zuul/ssl - owner: zuul - group: zuul + owner: "{{ zuul_user }}" + group: "{{ zuul_group }}" - name: Write Gearman SSL CA copy: content: "{{ gearman_ssl_ca }}" dest: /etc/zuul/ssl/gearman-ca.pem - owner: zuul - group: zuul + owner: "{{ zuul_user }}" + group: "{{ zuul_group }}" mode: 0644 - name: Write Gearman Client SSL Cert copy: content: "{{ gearman_client_ssl_cert }}" dest: /etc/zuul/ssl/gearman-client.pem - owner: zuul - group: zuul + owner: "{{ zuul_user }}" + group: "{{ zuul_group }}" mode: 0644 - name: Write Gearman Client SSL Key @@ -53,8 +49,8 @@ copy: content: "{{ gearman_client_ssl_key }}" dest: /etc/zuul/ssl/gearman-client.key - owner: zuul - group: zuul + owner: "{{ zuul_user }}" + group: "{{ zuul_group }}" mode: 0640 - name: Write Gearman Server SSL Cert @@ -62,8 +58,8 @@ copy: content: "{{ gearman_server_ssl_cert }}" dest: /etc/zuul/ssl/gearman-server.pem - owner: zuul - group: zuul + owner: "{{ zuul_user }}" + group: "{{ zuul_group }}" mode: 0644 - name: Write Gearman Server SSL Key 
@@ -71,24 +67,24 @@ copy: content: "{{ gearman_server_ssl_key }}" dest: /etc/zuul/ssl/gearman-server.key - owner: zuul - group: zuul + owner: "{{ zuul_user }}" + group: "{{ zuul_group }}" mode: 0640 - name: Write Zuul Conf File template: src: zuul.conf.j2 dest: /etc/zuul/zuul.conf - owner: zuul - group: zuul + owner: "{{ zuul_user }}" + group: "{{ zuul_group }}" mode: 0600 - name: Create Zuul directories file: state: directory path: '{{ item }}' - owner: zuul - group: zuul + owner: "{{ zuul_user }}" + group: "{{ zuul_group }}" loop: - /var/log/zuul - /var/run/zuul @@ -99,24 +95,24 @@ copy: dest: /var/lib/zuul/ssh/id_rsa content: '{{ zuul_ssh_private_key_contents }}' - owner: zuul - group: zuul + owner: "{{ zuul_user }}" + group: "{{ zuul_group }}" mode: 0400 - name: Create Zuul SSH directory file: state: directory - path: /home/zuul/.ssh - owner: zuul - group: zuul + path: "~{{ zuul_user }}/.ssh" + owner: "{{ zuul_user }}" + group: "{{ zuul_group }}" mode: 0700 - name: Write Known Hosts copy: - dest: /home/zuul/.ssh/known_hosts + dest: "~{{ zuul_user }}/.ssh/known_hosts" content: '{{ zuul_known_hosts }}' - owner: zuul - group: zuul + owner: "{{ zuul_user }}" + group: "{{ zuul_group }}" mode: 0600 - name: Sync project-config
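Review bot: The Create Zuul SSH directory and Write Known Hosts tasks in the `@@ -99,24 +95,24 @@` hunk address the home as `~{{ zuul_user }}/.ssh`, while the user task earlier in this file sets it as `/home/{{ zuul_user }}` and the compose files hard-code `/home/zuuld`, so the same directory is spelled three ways. The `~user` form relies on Ansible expanding `~` in path-typed arguments at run time (presumably from the passwd entry), so it silently diverges from the other two spellings if the account's home is ever changed on the host. A single `zuul_home: "/home/{{ zuul_user }}"` in group_vars/zuul.yaml, used by the user task and as `path: "{{ zuul_home }}/.ssh"` / `dest: "{{ zuul_home }}/.ssh/known_hosts"` here, would keep them in lockstep.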