4 Commits

Author SHA1 Message Date
Ian Wienand
f57154f91b vos-release: have separate user
I was trying to simplify things by having a restricted shell script
run by root.  However, our base-setup called my bluff as we also need
to set up sshd to allow remote root logins from specific addresses.

It's looking easier to create a new user, and give it sudo permissions
to run the vos release script.

Change-Id: If70b27cb974eb8c1bafec2b7ef86d4f5cba3c4c5
2019-11-21 12:03:45 +11:00
Ian Wienand
3153f27c24 vos-release: fix key sourcing; disable exclusive key
I wasn't correctly sourcing the key; it has to come from hostvars as
it is in a different play on different hosts.  This fixes it.

We also need to not have the base roles overwrite the authorized_keys
file each time.  The key we provision can only run a limited script
that wraps "vos release".

Unfortunately our gitops falls down a bit here because we don't have
full testing for the AFS servers; put this on the todo list :) I have
run this manually for testing.

Change-Id: I0995434bde7e43082c01daa331c4b8b268d9b4bc
2019-11-21 07:28:49 +11:00
James E. Blair
800397c3da base-test: iptables: allow zuul console streaming
This adds a group var which should normally be the empty list but
can be overridden by the test framework to inject additional iptables
rules.  It's used to add the zuul console streaming port.  To
accomplish this, the base+extras pattern is adopted for
iptables public tcp/udp ports.  This means all host/group vars should
use the "extra" form of the variable rather than the actual variable
defined by the role.

Change-Id: I33fe2b7de4a4ba79c25c0fb41a00e3437cee5463
2018-08-29 09:20:42 -07:00
Monty Taylor
15663daaf7 Add iptables role
Co-Authored-By: James E. Blair <corvus@inaugust.com>
Change-Id: Id8b347483affd710759f9b225bfadb3ce851333c
Depends-On: https://review.openstack.org/596503
2018-08-27 14:33:32 +00:00