388dfa369c
There are a few places where we have a play with one task that uses the group_by module to generate groups that are used in a subsequent play. These plays do not need to gather facts for their target hosts. In particular, the kolla-openstack.yml playbook should really be able to operate without access to remote hosts. This change also adds changed_when: false to all group_by tasks, since they show as changed but haven't really made any changes outside of Ansible. TrivialFix Change-Id: I18f67eda4e48058f3f402b9d0e692d6eeb02855f
102 lines
3.3 KiB
YAML
102 lines
3.3 KiB
YAML
---
|
|
# NOTE(mgoddard): The bootstrap user may be used to create the kayobe user
|
|
# account and configure passwordless sudo. We can't assume that the bootstrap
|
|
# user account will exist after the initial bootstrapping, or that the
|
|
# current operator's key is authorised for the bootstrap user. We therefore
|
|
# attempt to access the kayobe user account via SSH, and only perform the
|
|
# bootstrap process if the account is inaccessible.
|
|
|
|
- name: Determine whether user bootstrapping is required
|
|
hosts: seed-hypervisor:seed:overcloud
|
|
gather_facts: false
|
|
tags:
|
|
- kayobe-ansible-user
|
|
tasks:
|
|
- name: Check whether the host is accessible via SSH
|
|
local_action:
|
|
module: command ssh -o BatchMode=yes -p {{ ssh_port }} {{ ssh_user }}@{{ ssh_host }} hostname
|
|
failed_when: false
|
|
changed_when: false
|
|
register: ssh_result
|
|
vars:
|
|
ssh_user: "{{ ansible_user }}"
|
|
ssh_host: "{{ ansible_host | default(inventory_hostname) }}"
|
|
ssh_port: "{{ ansible_ssh_port | default('22') }}"
|
|
|
|
- name: Group hosts requiring kayobe user bootstrapping
|
|
group_by:
|
|
key: kayobe_user_bootstrap_required_{{ ssh_result.rc != 0 }}
|
|
changed_when: false
|
|
|
|
- name: Display a message when bootstrapping is required
|
|
debug:
|
|
msg: >
|
|
Cannot access host via SSH using Kayobe Ansible user account -
|
|
attempting bootstrap
|
|
when: ssh_result.rc != 0
|
|
|
|
- name: Ensure python is installed
|
|
hosts: kayobe_user_bootstrap_required_True
|
|
gather_facts: no
|
|
vars:
|
|
ansible_user: "{{ bootstrap_user }}"
|
|
tags:
|
|
- ensure-python
|
|
tasks:
|
|
- name: Check if python is installed
|
|
raw: test -e /usr/bin/python3
|
|
changed_when: false
|
|
failed_when: false
|
|
register: check_python
|
|
|
|
- name: Ensure python is installed
|
|
raw: test -e /usr/bin/apt && (sudo apt -y update && sudo apt install -y python3-minimal) || (sudo dnf -y install python3)
|
|
when: check_python.rc != 0
|
|
|
|
- name: Ensure the Kayobe Ansible user account exists
|
|
hosts: kayobe_user_bootstrap_required_True
|
|
gather_facts: false
|
|
tags:
|
|
- kayobe-ansible-user
|
|
vars:
|
|
ansible_user: "{{ bootstrap_user }}"
|
|
# We can't assume that a virtualenv exists at this point, so use the system
|
|
# python interpreter.
|
|
ansible_python_interpreter: /usr/bin/python3
|
|
roles:
|
|
- role: singleplatform-eng.users
|
|
users:
|
|
- username: "{{ kayobe_ansible_user }}"
|
|
name: Kayobe deployment user
|
|
append: True
|
|
ssh_key:
|
|
- "{{ lookup('file', ssh_public_key_path) }}"
|
|
become: True
|
|
|
|
post_tasks:
|
|
- name: Ensure the Kayobe Ansible user has passwordless sudo
|
|
copy:
|
|
content: "{{ kayobe_ansible_user }} ALL=(ALL) NOPASSWD: ALL"
|
|
dest: "/etc/sudoers.d/kayobe-ansible-user"
|
|
mode: 0440
|
|
become: True
|
|
|
|
- name: Verify that the Kayobe Ansible user account is accessible
|
|
hosts: seed-hypervisor:seed:overcloud
|
|
gather_facts: false
|
|
tags:
|
|
- kayobe-ansible-user
|
|
vars:
|
|
# We can't assume that a virtualenv exists at this point, so use the system
|
|
# python interpreter.
|
|
ansible_python_interpreter: /usr/bin/python3
|
|
tasks:
|
|
- name: Verify that a command can be executed
|
|
command: hostname
|
|
changed_when: false
|
|
|
|
- name: Verify that a command can be executed with become
|
|
command: hostname
|
|
changed_when: false
|
|
become: true
|