0e6703a322
If password authentication is not disabled on the server, we may be prompted for a password if the Kayobe Ansible user doesn't exist or isn't configured for passwordless authentication. By using BatchMode, the ssh command can fail quickly and proceed to create the Kayobe Ansible user using the bootstrap user. Change-Id: If22ed34dc4b6e87f8cf76c302948c955bddf2bc5
82 lines
2.8 KiB
YAML
82 lines
2.8 KiB
YAML
---
|
|
# NOTE(mgoddard): The bootstrap user may be used to create the kayobe user
|
|
# account and configure passwordless sudo. We can't assume that the bootstrap
|
|
# user account will exist after the initial bootstrapping, or that the
|
|
# current operator's key is authorised for the bootstrap user. We therefore
|
|
# attempt to access the kayobe user account via SSH, and only perform the
|
|
# bootstrap process if the account is inaccessible.
|
|
|
|
- name: Determine whether user bootstrapping is required
|
|
hosts: seed-hypervisor:seed:overcloud
|
|
gather_facts: false
|
|
tags:
|
|
- kayobe-ansible-user
|
|
tasks:
|
|
- name: Check whether the host is accessible via SSH
|
|
local_action:
|
|
module: command ssh -o BatchMode=yes -p {{ ssh_port }} {{ ssh_user }}@{{ ssh_host }} hostname
|
|
failed_when: false
|
|
changed_when: false
|
|
register: ssh_result
|
|
vars:
|
|
ssh_user: "{{ ansible_user }}"
|
|
ssh_host: "{{ ansible_host | default(inventory_hostname) }}"
|
|
ssh_port: "{{ ansible_ssh_port | default('22') }}"
|
|
|
|
- name: Group hosts requiring kayobe user bootstrapping
|
|
group_by:
|
|
key: kayobe_user_bootstrap_required_{{ ssh_result.rc != 0 }}
|
|
|
|
- name: Display a message when bootstrapping is required
|
|
debug:
|
|
msg: >
|
|
Cannot access host via SSH using Kayobe Ansible user account -
|
|
attempting bootstrap
|
|
when: ssh_result.rc != 0
|
|
|
|
- name: Ensure the Kayobe Ansible user account exists
|
|
hosts: kayobe_user_bootstrap_required_True
|
|
tags:
|
|
- kayobe-ansible-user
|
|
vars:
|
|
ansible_user: "{{ bootstrap_user }}"
|
|
# We can't assume that a virtualenv exists at this point, so use the system
|
|
# python interpreter.
|
|
ansible_python_interpreter: /usr/bin/python
|
|
roles:
|
|
- role: singleplatform-eng.users
|
|
users:
|
|
- username: "{{ kayobe_ansible_user }}"
|
|
name: Kayobe deployment user
|
|
append: True
|
|
ssh_key:
|
|
- "{{ lookup('file', ssh_public_key_path) }}"
|
|
become: True
|
|
|
|
post_tasks:
|
|
- name: Ensure the Kayobe Ansible user has passwordless sudo
|
|
copy:
|
|
content: "{{ kayobe_ansible_user }} ALL=(ALL) NOPASSWD: ALL"
|
|
dest: "/etc/sudoers.d/kayobe-ansible-user"
|
|
mode: 0440
|
|
become: True
|
|
|
|
- name: Verify that the Kayobe Ansible user account is accessible
|
|
hosts: seed-hypervisor:seed:overcloud
|
|
gather_facts: false
|
|
tags:
|
|
- kayobe-ansible-user
|
|
vars:
|
|
# We can't assume that a virtualenv exists at this point, so use the system
|
|
# python interpreter.
|
|
ansible_python_interpreter: /usr/bin/python
|
|
tasks:
|
|
- name: Verify that a command can be executed
|
|
command: hostname
|
|
changed_when: false
|
|
|
|
- name: Verify that a command can be executed with become
|
|
command: hostname
|
|
changed_when: false
|
|
become: true
|