Run Zuul as the zuuld user

This avoids the conflict with the zuul user (1000) on the test
nodes.  The executor will continue to use the default username
of 'zuul' as the ansible_user in the inventory.

This change also touches the zk and nodepool deployment to use
variables for the usernames and uids to make changes like this
easier.  No changes are intended there.

Change-Id: Ib8cef6b7889b23ddc65a07bcba29c21a36e3dcb5
James E. Blair 2020-05-11 14:56:50 -07:00
parent b173fcb1d9
commit 09935ff328
16 changed files with 81 additions and 80 deletions


@ -1,4 +1,4 @@
openstacksdk_config_dir: /home/nodepool/.config/openstack openstacksdk_config_owner: "{{ nodepool_user }}"
openstacksdk_config_owner: nodepool openstacksdk_config_group: "{{ nodepool_group }}"
openstacksdk_config_group: nodepool openstacksdk_config_dir: "~{{ openstacksdk_config_owner }}/.config/openstack"
openstacksdk_config_template: clouds/nodepool_clouds.yaml.j2 openstacksdk_config_template: clouds/nodepool_clouds.yaml.j2
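Review bot: The new `openstacksdk_config_dir: "~{{ openstacksdk_config_owner }}/.config/openstack"` resolves to the home directory only if the consumer expands `~user` and the account already exists on the target when the value is used. The consuming role is not visible on this page, so that is worth confirming; if the path is passed through unexpanded, a literal `~nodepool` path component is used instead. Writing it as `"/home/{{ nodepool_user }}/.config/openstack"` would match the `home:` set by the nodepool user task and remove that dependency. The same line appears in the later vars file that makes the identical change.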


@ -1,4 +1,4 @@
openstacksdk_config_dir: /etc/openstack openstacksdk_config_dir: /etc/openstack
openstacksdk_config_owner: root openstacksdk_config_owner: root
openstacksdk_config_group: nodepool openstacksdk_config_group: "{{ nodepool_group }}"
openstacksdk_config_template: clouds/nodepool_clouds.yaml.j2 openstacksdk_config_template: clouds/nodepool_clouds.yaml.j2


@ -1,4 +1,4 @@
openstacksdk_config_dir: /etc/openstack openstacksdk_config_dir: /etc/openstack
openstacksdk_config_owner: nodepool openstacksdk_config_owner: "{{ nodepool_user }}"
openstacksdk_config_group: nodepool openstacksdk_config_group: "{{ nodepool_group }}"
openstacksdk_config_template: clouds/nodepool_clouds.yaml.j2 openstacksdk_config_template: clouds/nodepool_clouds.yaml.j2


@ -1,4 +1,4 @@
openstacksdk_config_dir: /home/nodepool/.config/openstack openstacksdk_config_owner: "{{ nodepool_user }}"
openstacksdk_config_owner: nodepool openstacksdk_config_group: "{{ nodepool_group }}"
openstacksdk_config_group: nodepool openstacksdk_config_dir: "~{{ openstacksdk_config_owner }}/.config/openstack"
openstacksdk_config_template: clouds/nodepool_clouds.yaml.j2 openstacksdk_config_template: clouds/nodepool_clouds.yaml.j2


@ -1,4 +1,8 @@
kube_config_dir: ~nodepool/.kube nodepool_user: nodepool
kube_config_owner: nodepool nodepool_group: nodepool
kube_config_group: nodepool nodepool_uid: 10001
nodepool_gid: 10001
kube_config_dir: ~{{ nodepool_user }}/.kube
kube_config_owner: "{{ nodepool_user }}"
kube_config_group: "{{ nodepool_group }}"
kube_config_template: clouds/nodepool_kube_config.yaml.j2 kube_config_template: clouds/nodepool_kube_config.yaml.j2
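Review bot: `nodepool_uid` and `nodepool_gid` are introduced here without the explanation that accompanied the values they replace; the old defaults carried the comment "Keep these in sync with the container uid's so containers can write to local bits and pieces", and the commit deletes it. I would carry it over above `nodepool_uid`, for example `# Keep uid/gid in sync with the nodepool container user so containers can write to host paths.` As a style point, `kube_config_dir: ~{{ nodepool_user }}/.kube` is unquoted while the other templated values added in this commit are quoted; `kube_config_dir: "~{{ nodepool_user }}/.kube"` keeps the file consistent.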


@ -1,3 +1,7 @@
zookeeper_user: zookeeper
zookeeper_group: zookeeper
zookeeper_uid: 10001
zookeeper_gid: 10001
iptables_extra_allowed_hosts: iptables_extra_allowed_hosts:
- {'protocol': 'tcp', 'port': '2181', 'hostname': 'nb01.opendev.org'} - {'protocol': 'tcp', 'port': '2181', 'hostname': 'nb01.opendev.org'}
- {'protocol': 'tcp', 'port': '2181', 'hostname': 'nb02.opendev.org'} - {'protocol': 'tcp', 'port': '2181', 'hostname': 'nb02.opendev.org'}


@ -1,5 +1,7 @@
zuul_user_id: 10001 zuul_user_id: 10001
zuul_group_id: 10001 zuul_group_id: 10001
zuul_user: zuuld
zuul_group: zuuld
zuul_known_hosts: | zuul_known_hosts: |
[review.opendev.org]:29418,[review.openstack.org]:29418,[104.130.246.32]:29418,[2001:4800:7819:103:be76:4eff:fe04:9229]:29418 {{ gerrit_ssh_rsa_pubkey_contents }} [review.opendev.org]:29418,[review.openstack.org]:29418,[104.130.246.32]:29418,[2001:4800:7819:103:be76:4eff:fe04:9229]:29418 {{ gerrit_ssh_rsa_pubkey_contents }}
[git.opendaylight.org]:29418,[52.35.122.251]:29418,[2600:1f14:421:f500:7b21:2a58:ab0a:2d17]:29418 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAyRXyHEw/P1iZr/fFFzbodT5orVV/ftnNRW59Zh9rnSY5Rmbc9aygsZHdtiWBERVVv8atrJSdZool75AglPDDYtPICUGWLR91YBSDcZwReh5S9es1dlQ6fyWTnv9QggSZ98KTQEuE3t/b5SfH0T6tXWmrNydv4J2/mejKRRLU2+oumbeVN1yB+8Uau/3w9/K5F5LgsDDzLkW35djLhPV8r0OfmxV/cAnLl7AaZlaqcJMA+2rGKqM3m3Yu+pQw4pxOfCSpejlAwL6c8tA9naOvBkuJk+hYpg5tDEq2QFGRX5y1F9xQpwpdzZROc5hdGYntM79VMMXTj+95dwVv/8yTsw== [git.opendaylight.org]:29418,[52.35.122.251]:29418,[2600:1f14:421:f500:7b21:2a58:ab0a:2d17]:29418 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAyRXyHEw/P1iZr/fFFzbodT5orVV/ftnNRW59Zh9rnSY5Rmbc9aygsZHdtiWBERVVv8atrJSdZool75AglPDDYtPICUGWLR91YBSDcZwReh5S9es1dlQ6fyWTnv9QggSZ98KTQEuE3t/b5SfH0T6tXWmrNydv4J2/mejKRRLU2+oumbeVN1yB+8Uau/3w9/K5F5LgsDDzLkW35djLhPV8r0OfmxV/cAnLl7AaZlaqcJMA+2rGKqM3m3Yu+pQw4pxOfCSpejlAwL6c8tA9naOvBkuJk+hYpg5tDEq2QFGRX5y1F9xQpwpdzZROc5hdGYntM79VMMXTj+95dwVv/8yTsw==
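Review bot: `zuul_user: zuuld` and `zuul_group: zuuld` are added with no comment, yet the compose files in this commit still use `user: zuul` and mount the host home at `/home/zuul` inside the container, so the host and container names now differ on purpose. A short comment above `zuul_user` would stop a later reader from "fixing" the mismatch, for example `# Host account is zuuld to avoid clashing with the zuul user on test nodes; inside the containers the user is still zuul.` It would also help to state there that `zuul_user_id` is what ties the two accounts together, if that is the intent.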


@ -1,6 +1 @@
nodepool_base_install_zookeeper: False nodepool_base_install_zookeeper: False
# Keep these in sync with the container uid's so containers can write
# to local bits and pieces.
nodepool_base_nodepool_uid: 10001
nodepool_base_nodepool_gid: 10001


@ -1,17 +1,18 @@
- name: Add the nodepool group - name: Add the nodepool group
group: group:
name: nodepool name: '{{ nodepool_group }}'
state: present state: present
gid: '{{ nodepool_base_nodepool_gid }}' gid: '{{ nodepool_gid }}'
- name: Add the nodepool user - name: Add the nodepool user
user: user:
name: nodepool name: '{{ nodepool_user }}'
group: nodepool group: '{{ nodepool_group }}'
home: /home/nodepool uid: '{{ nodepool_uid }}'
home: '/home/{{ nodepool_user }}'
create_home: yes create_home: yes
shell: /bin/bash shell: /bin/bash
uid: '{{ nodepool_base_nodepool_uid }}' system: yes
- name: Sync project-config - name: Sync project-config
include_role: include_role:
@ -21,16 +22,16 @@
file: file:
name: /etc/nodepool name: /etc/nodepool
state: directory state: directory
owner: nodepool owner: '{{ nodepool_user }}'
group: nodepool group: '{{ nodepool_group }}'
mode: 0755 mode: 0755
- name: Create nodepool log dir - name: Create nodepool log dir
file: file:
name: /var/log/nodepool name: /var/log/nodepool
state: directory state: directory
owner: nodepool owner: '{{ nodepool_user }}'
group: nodepool group: '{{ nodepool_group }}'
mode: 0755 mode: 0755
- name: Look for a host specific config file - name: Look for a host specific config file
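Review bot: The group and user tasks now read `nodepool_user`, `nodepool_group`, `nodepool_uid` and `nodepool_gid`, but the role's own defaults lose `nodepool_base_nodepool_uid`/`_gid` in this commit and gain no replacements. As far as the page shows, the four names are defined only in one inventory vars file. A host that runs this role without those vars would then fail on an undefined variable, where it previously fell back to the role default. Adding the four names to the role defaults with the same values would keep the role self-contained. The task list continues outside the hunks shown.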


@ -8,8 +8,8 @@
state: directory state: directory
path: '{{ item }}' path: '{{ item }}'
mode: 0755 mode: 0755
owner: nodepool owner: "{{ nodepool_user }}"
group: nodepool group: "{{ nodepool_group }}"
loop: loop:
- '/opt/dib_tmp' - '/opt/dib_tmp'
- '/opt/dib_cache' - '/opt/dib_cache'


@ -1,17 +1,16 @@
- name: Create Zookeeper group - name: Create Zookeeper group
group: group:
name: "zookeeper" name: "{{ zookeeper_group }}"
gid: 10001 gid: "{{ zookeeper_gid }}"
system: yes system: yes
- name: Create Zookeeper User - name: Create Zookeeper User
user: user:
name: "zookeeper" name: "{{ zookeeper_user }}"
uid: 10001 group: "{{ zookeeper_group }}"
comment: Zookeeper uid: "{{ zookeeper_uid }}"
shell: /bin/false home: "/home/{{ zookeeper_user }}"
group: "zookeeper" create_home: yes
home: "/var/zookeeper" shell: /bin/bash
create_home: no
system: yes system: yes
- name: Synchronize compose directory - name: Synchronize compose directory
synchronize: synchronize:
@ -21,8 +20,8 @@
file: file:
state: directory state: directory
path: "/var/zookeeper/{{ item }}" path: "/var/zookeeper/{{ item }}"
owner: zookeeper owner: "{{ zookeeper_user }}"
group: zookeeper group: "{{ zookeeper_group }}"
loop: loop:
- conf - conf
- data - data
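Review bot: The commit message says no changes are intended for the zk deployment, but as rendered the new side of `Create Zookeeper User` alters the account itself. `shell` goes from `/bin/false` to `/bin/bash`, `home` from `/var/zookeeper` to `"/home/{{ zookeeper_user }}"`, and `create_home` from `no` to `yes`. On an existing host the user module will apply the new shell and home, so a service account that only needs to own `/var/zookeeper` gains an interactive login shell. I would keep `shell: /bin/false`, `home: "/var/zookeeper"` and `create_home: no`, and parameterise only `name`, `group` and `uid`.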


@ -12,7 +12,7 @@ services:
- /etc/zuul:/etc/zuul - /etc/zuul:/etc/zuul
- /opt/project-config:/opt/project-config - /opt/project-config:/opt/project-config
- /afs:/afs - /afs:/afs
- /home/zuul:/home/zuul - /home/zuuld:/home/zuul
- /var/lib/zuul:/var/lib/zuul - /var/lib/zuul:/var/lib/zuul
- /var/log/zuul:/var/log/zuul - /var/log/zuul:/var/log/zuul
- /etc/openafs:/etc/openafs - /etc/openafs:/etc/openafs
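Review bot: The bind mount `/home/zuuld:/home/zuul` hard-codes the host home directory, while the tasks in this commit derive it from `zuul_user` (`home: "/home/{{ zuul_user }}"`, `"~{{ zuul_user }}/.ssh/known_hosts"`). If the variable is ever overridden, the container would mount a path the role never populated, and the pinned `known_hosts` file would be missing inside the container. Either render these compose files from a template using `zuul_user`, or add a comment on the line such as `# host side must match the home of zuul_user`. The same hard-coded mount is added in the three other compose files in this commit, twice in the last one.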


@ -11,6 +11,6 @@ services:
volumes: volumes:
- /etc/zuul:/etc/zuul - /etc/zuul:/etc/zuul
- /opt/project-config:/opt/project-config - /opt/project-config:/opt/project-config
- /home/zuul:/home/zuul - /home/zuuld:/home/zuul
- /var/lib/zuul:/var/lib/zuul - /var/lib/zuul:/var/lib/zuul
- /var/log/zuul:/var/log/zuul - /var/log/zuul:/var/log/zuul


@ -11,6 +11,6 @@ services:
volumes: volumes:
- /etc/zuul:/etc/zuul - /etc/zuul:/etc/zuul
- /opt/project-config:/opt/project-config - /opt/project-config:/opt/project-config
- /home/zuul:/home/zuul - /home/zuuld:/home/zuul
- /var/lib/zuul:/var/lib/zuul - /var/lib/zuul:/var/lib/zuul
- /var/log/zuul:/var/log/zuul - /var/log/zuul:/var/log/zuul


@ -10,7 +10,7 @@ services:
user: zuul user: zuul
volumes: volumes:
- /etc/zuul:/etc/zuul - /etc/zuul:/etc/zuul
- /home/zuul:/home/zuul - /home/zuuld:/home/zuul
- /var/lib/zuul:/var/lib/zuul - /var/lib/zuul:/var/lib/zuul
- /var/log/zuul:/var/log/zuul - /var/log/zuul:/var/log/zuul
fingergw: fingergw:
@ -21,6 +21,6 @@ services:
# grab the finger port and then drop privs # grab the finger port and then drop privs
volumes: volumes:
- /etc/zuul:/etc/zuul - /etc/zuul:/etc/zuul
- /home/zuul:/home/zuul - /home/zuuld:/home/zuul
- /var/lib/zuul:/var/lib/zuul - /var/lib/zuul:/var/lib/zuul
- /var/log/zuul:/var/log/zuul - /var/log/zuul:/var/log/zuul


@ -1,51 +1,47 @@
- name: Create Zuul Group - name: Create Zuul Group
group: group:
name: zuul name: "{{ zuul_group }}"
gid: "{{ zuul_group_id }}" gid: "{{ zuul_group_id }}"
system: yes system: yes
- name: Create Zuul User - name: Create Zuul User
user: user:
name: zuul name: "{{ zuul_user }}"
group: "{{ zuul_group }}"
uid: "{{ zuul_user_id }}" uid: "{{ zuul_user_id }}"
comment: Zuul User home: "/home/{{ zuul_user }}"
shell: /bin/bash
home: /home/zuul
group: zuul
create_home: yes create_home: yes
shell: /bin/bash
system: yes system: yes
# In order to run this in Zuul, we have to ignore errors.
# That's because in Zuul, the test nodes have a Zuul user.
failed_when: false
- name: Create Zuul Config dir - name: Create Zuul Config dir
file: file:
state: directory state: directory
path: /etc/zuul path: /etc/zuul
owner: zuul owner: "{{ zuul_user }}"
group: zuul group: "{{ zuul_group }}"
- name: Create Zuul SSL dir - name: Create Zuul SSL dir
file: file:
state: directory state: directory
path: /etc/zuul/ssl path: /etc/zuul/ssl
owner: zuul owner: "{{ zuul_user }}"
group: zuul group: "{{ zuul_group }}"
- name: Write Gearman SSL CA - name: Write Gearman SSL CA
copy: copy:
content: "{{ gearman_ssl_ca }}" content: "{{ gearman_ssl_ca }}"
dest: /etc/zuul/ssl/gearman-ca.pem dest: /etc/zuul/ssl/gearman-ca.pem
owner: zuul owner: "{{ zuul_user }}"
group: zuul group: "{{ zuul_group }}"
mode: 0644 mode: 0644
- name: Write Gearman Client SSL Cert - name: Write Gearman Client SSL Cert
copy: copy:
content: "{{ gearman_client_ssl_cert }}" content: "{{ gearman_client_ssl_cert }}"
dest: /etc/zuul/ssl/gearman-client.pem dest: /etc/zuul/ssl/gearman-client.pem
owner: zuul owner: "{{ zuul_user }}"
group: zuul group: "{{ zuul_group }}"
mode: 0644 mode: 0644
- name: Write Gearman Client SSL Key - name: Write Gearman Client SSL Key
@ -53,8 +49,8 @@
copy: copy:
content: "{{ gearman_client_ssl_key }}" content: "{{ gearman_client_ssl_key }}"
dest: /etc/zuul/ssl/gearman-client.key dest: /etc/zuul/ssl/gearman-client.key
owner: zuul owner: "{{ zuul_user }}"
group: zuul group: "{{ zuul_group }}"
mode: 0640 mode: 0640
- name: Write Gearman Server SSL Cert - name: Write Gearman Server SSL Cert
@ -62,8 +58,8 @@
copy: copy:
content: "{{ gearman_server_ssl_cert }}" content: "{{ gearman_server_ssl_cert }}"
dest: /etc/zuul/ssl/gearman-server.pem dest: /etc/zuul/ssl/gearman-server.pem
owner: zuul owner: "{{ zuul_user }}"
group: zuul group: "{{ zuul_group }}"
mode: 0644 mode: 0644
- name: Write Gearman Server SSL Key - name: Write Gearman Server SSL Key
@ -71,24 +67,24 @@
copy: copy:
content: "{{ gearman_server_ssl_key }}" content: "{{ gearman_server_ssl_key }}"
dest: /etc/zuul/ssl/gearman-server.key dest: /etc/zuul/ssl/gearman-server.key
owner: zuul owner: "{{ zuul_user }}"
group: zuul group: "{{ zuul_group }}"
mode: 0640 mode: 0640
- name: Write Zuul Conf File - name: Write Zuul Conf File
template: template:
src: zuul.conf.j2 src: zuul.conf.j2
dest: /etc/zuul/zuul.conf dest: /etc/zuul/zuul.conf
owner: zuul owner: "{{ zuul_user }}"
group: zuul group: "{{ zuul_group }}"
mode: 0600 mode: 0600
- name: Create Zuul directories - name: Create Zuul directories
file: file:
state: directory state: directory
path: '{{ item }}' path: '{{ item }}'
owner: zuul owner: "{{ zuul_user }}"
group: zuul group: "{{ zuul_group }}"
loop: loop:
- /var/log/zuul - /var/log/zuul
- /var/run/zuul - /var/run/zuul
@ -99,24 +95,24 @@
copy: copy:
dest: /var/lib/zuul/ssh/id_rsa dest: /var/lib/zuul/ssh/id_rsa
content: '{{ zuul_ssh_private_key_contents }}' content: '{{ zuul_ssh_private_key_contents }}'
owner: zuul owner: "{{ zuul_user }}"
group: zuul group: "{{ zuul_group }}"
mode: 0400 mode: 0400
- name: Create Zuul SSH directory - name: Create Zuul SSH directory
file: file:
state: directory state: directory
path: /home/zuul/.ssh path: "~{{ zuul_user }}/.ssh"
owner: zuul owner: "{{ zuul_user }}"
group: zuul group: "{{ zuul_group }}"
mode: 0700 mode: 0700
- name: Write Known Hosts - name: Write Known Hosts
copy: copy:
dest: /home/zuul/.ssh/known_hosts dest: "~{{ zuul_user }}/.ssh/known_hosts"
content: '{{ zuul_known_hosts }}' content: '{{ zuul_known_hosts }}'
owner: zuul owner: "{{ zuul_user }}"
group: zuul group: "{{ zuul_group }}"
mode: 0600 mode: 0600
- name: Sync project-config - name: Sync project-config
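Review bot: `Create Zuul User` now creates `{{ zuul_user }}` (zuuld) with `uid: "{{ zuul_user_id }}"`, and the `failed_when: false` that used to mask errors is removed in the same hunk. On a host already deployed from the previous revision, the `zuul` account presumably still holds that uid, so creating a second account with the same uid would be rejected and the play would stop here. The commit shows no step that renames or retires the old account. I would add an explicit migration task before this one, or document the manual step, rather than allowing a duplicate uid, which would make file ownership and audit records ambiguous. The task list continues outside the hunks shown.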