68fc8d3057
The bootstrap user may be used to create the kayobe user account and configure passwordless sudo. We can't assume that the bootstrap user account will exist after the initial bootstrapping, or that the current operator's key is authorised for the bootstrap user. We therefore attempt to access the kayobe user account via SSH, and only perform the bootstrap process if the account is inaccessible. This change also adds some tasks to verify that the kayobe ansible user is accessible and has passwordless sudo configured. Change-Id: Ibdab0053caa2db71df2fd03cc8a598ae5aac73c9 Story: 2001659 Task: 6692
82 lines
2.7 KiB
YAML
82 lines
2.7 KiB
YAML
---
|
|
# NOTE(mgoddard): The bootstrap user may be used to create the kayobe user
|
|
# account and configure passwordless sudo. We can't assume that the bootstrap
|
|
# user account will exist after the initial bootstrapping, or that the
|
|
# current operator's key is authorised for the bootstrap user. We therefore
|
|
# attempt to access the kayobe user account via SSH, and only perform the
|
|
# bootstrap process if the account is inaccessible.
|
|
|
|
- name: Determine whether user bootstrapping is required
|
|
hosts: seed:overcloud
|
|
gather_facts: false
|
|
tags:
|
|
- kayobe-ansible-user
|
|
tasks:
|
|
- name: Check whether the host is accessible via SSH
|
|
local_action:
|
|
module: command ssh -p {{ ssh_port }} {{ ssh_user }}@{{ ssh_host }} hostname
|
|
failed_when: false
|
|
changed_when: false
|
|
register: ssh_result
|
|
vars:
|
|
ssh_user: "{{ ansible_user }}"
|
|
ssh_host: "{{ ansible_host | default(inventory_hostname) }}"
|
|
ssh_port: "{{ ansible_ssh_port | default('22') }}"
|
|
|
|
- name: Group hosts requiring kayobe user bootstrapping
|
|
group_by:
|
|
key: kayobe_user_bootstrap_required_{{ ssh_result.rc != 0 }}
|
|
|
|
- name: Display a message when bootstrapping is required
|
|
debug:
|
|
msg: >
|
|
Cannot access host via SSH using Kayobe Ansible user account -
|
|
attempting bootstrap
|
|
when: ssh_result.rc != 0
|
|
|
|
- name: Ensure the Kayobe Ansible user account exists
|
|
hosts: kayobe_user_bootstrap_required_True
|
|
tags:
|
|
- kayobe-ansible-user
|
|
vars:
|
|
ansible_user: "{{ bootstrap_user }}"
|
|
# We can't assume that a virtualenv exists at this point, so use the system
|
|
# python interpreter.
|
|
ansible_python_interpreter: /usr/bin/python
|
|
roles:
|
|
- role: singleplatform-eng.users
|
|
users:
|
|
- username: "{{ kayobe_ansible_user }}"
|
|
name: Kayobe deployment user
|
|
append: True
|
|
ssh_key:
|
|
- "{{ lookup('file', ssh_public_key_path) }}"
|
|
become: True
|
|
|
|
post_tasks:
|
|
- name: Ensure the Kayobe Ansible user has passwordless sudo
|
|
copy:
|
|
content: "{{ kayobe_ansible_user }} ALL=(ALL) NOPASSWD: ALL"
|
|
dest: "/etc/sudoers.d/kayobe-ansible-user"
|
|
mode: 0440
|
|
become: True
|
|
|
|
- name: Verify that the Kayobe Ansible user account is accessible
|
|
hosts: seed:overcloud
|
|
gather_facts: false
|
|
tags:
|
|
- kayobe-ansible-user
|
|
vars:
|
|
# We can't assume that a virtualenv exists at this point, so use the system
|
|
# python interpreter.
|
|
ansible_python_interpreter: /usr/bin/python
|
|
tasks:
|
|
- name: Verify that a command can be executed
|
|
command: hostname
|
|
changed_when: false
|
|
|
|
- name: Verify that a command can be executed with become
|
|
command: hostname
|
|
changed_when: false
|
|
become: true
|