openstack/kayobe
Code Issues Proposed changes
9146fdbc41
kayobe/ansible/kayobe-ansible-user.yml
Mark Goddard c9f8d80ba6 Stop using kolla-ansible bootstrap-servers 
The 'kayobe * host configure' commands no longer use the 'kolla-ansible
bootstrap-servers' command, and associated 'baremetal' role in Kolla
Ansible. The functionality provided by the 'baremetal' role has been
extracted into the openstack.kolla Ansible collection, and split
into separate roles. This allows Kayobe to use it directly, and only the
necessary parts.

This change improves failure handling in these Kayobe commands, and aims
to reduce confusion over which '--limit' and '--tags' arguments to
provide.  This ensures that if a host fails during a host configuration
command, other hosts are able to continue to completion. Previously, if
any host failed during the Kayobe playbooks, the 'kolla-ansible
bootstrap-servers' command would not run. This is useful at scale, where
host failures occur more frequently.

This change has implications for configuration of Kayobe, since some
variables that were previously in Kolla Ansible are now in Kayobe.

Several parts of the baremetal role have been split out and used here:

* apparmor-libvirt: disable AppArmor rules for libvirt on Ubuntu.
* docker: Docker installation & configuration. The docker role in
  openstack.kolla combines functionality from kolla-ansible and kayobe.
* etc-hosts: it proved difficult to generalise this, so we have some
  almost duplicated the code from kolla-ansible here. Requires delegated
  fact gathering for the case when --limit is used.
* firewall: support to disable UFW, for feature parity.
* kolla-packages: miscellaneous package installs & removals.

The addition of the stack user to the docker group has been moved to the
user bootstrapping playbook, and the docker SDK installation has been
moved to the virtualenv setup playbook.

Depends-On: https://review.opendev.org/c/openstack/ansible-collection-kolla/+/829587

Story: 2009854
Task: 44505

Change-Id: I61a61ca59652b13687c2247d5881012b51f666a7
2023-03-30 13:52:54 +00:00

109 lines
3.7 KiB
YAML
Raw Blame History

---
# NOTE(mgoddard): The bootstrap user may be used to create the kayobe user
# account and configure passwordless sudo. We can't assume that the bootstrap
# user account will exist after the initial bootstrapping, or that the
# current operator's key is authorised for the bootstrap user. We therefore
# attempt to access the kayobe user account via SSH, and only perform the
# bootstrap process if the account is inaccessible.
- name: Determine whether user bootstrapping is required
hosts: seed-hypervisor:seed:overcloud:infra-vms
gather_facts: false
tags:
- kayobe-ansible-user
tasks:
- name: Check whether the host is accessible via SSH
local_action:
module: command ssh -o BatchMode=yes -p {{ ssh_port }} {{ ssh_user }}@{{ ssh_host }} hostname
failed_when: false
changed_when: false
check_mode: no
register: ssh_result
vars:
ssh_user: "{{ ansible_user }}"
ssh_host: "{{ ansible_host | default(inventory_hostname) }}"
ssh_port: "{{ ansible_ssh_port | default('22') }}"
- name: Group hosts requiring kayobe user bootstrapping
group_by:
key: kayobe_user_bootstrap_required_{{ ssh_result.rc != 0 }}
changed_when: false
- name: Display a message when bootstrapping is required
debug:
msg: >
Cannot access host via SSH using Kayobe Ansible user account -
attempting bootstrap
when: ssh_result.rc != 0
- name: Ensure python is installed
hosts: kayobe_user_bootstrap_required_True
gather_facts: no
vars:
ansible_user: "{{ bootstrap_user }}"
dnf_options:
- "-y"
- "{% if 'proxy' in dnf_config %}--setopt=proxy={{ dnf_config['proxy'] }}{% endif %}"
tags:
- ensure-python
tasks:
- name: Check if python is installed
raw: test -e /usr/bin/python3
changed_when: false
failed_when: false
register: check_python
# TODO(priteau): Support apt proxy
- name: Ensure python is installed
raw: "test -e /usr/bin/apt && (sudo apt -y update && sudo apt install -y python3-minimal) || (sudo dnf {{ dnf_options | select | join(' ') }} install python3)"
when: check_python.rc != 0
- name: Ensure the Kayobe Ansible user account exists
hosts: kayobe_user_bootstrap_required_True
gather_facts: false
tags:
- kayobe-ansible-user
vars:
ansible_user: "{{ bootstrap_user }}"
# We can't assume that a virtualenv exists at this point, so use the system
# python interpreter.
ansible_python_interpreter: /usr/bin/python3
roles:
- role: singleplatform-eng.users
groups_to_create: "{{ [{'name': 'docker'}] if 'docker' in group_names else [] }}"
users:
- username: "{{ kayobe_ansible_user }}"
name: Kayobe deployment user
groups: "{{ ['docker'] if 'docker' in group_names else [] }}"
append: True
ssh_key:
- "{{ lookup('file', ssh_public_key_path) }}"
become: True
post_tasks:
- name: Ensure the Kayobe Ansible user has passwordless sudo
copy:
content: "{{ kayobe_ansible_user }} ALL=(ALL) NOPASSWD: ALL"
dest: "/etc/sudoers.d/kayobe-ansible-user"
mode: 0440
become: True
- name: Verify that the Kayobe Ansible user account is accessible
hosts: seed-hypervisor:seed:overcloud:infra-vms
gather_facts: false
tags:
- kayobe-ansible-user
vars:
# We can't assume that a virtualenv exists at this point, so use the system
# python interpreter.
ansible_python_interpreter: /usr/bin/python3
tasks:
- name: Verify that a command can be executed
command: hostname
changed_when: false
- name: Verify that a command can be executed with become
command: hostname
changed_when: false
become: true
View Git Blame Copy Permalink