Specify 'become' to necessary tasks (general roles)

Add config_owner_user and config_owner_group to group_vars/all,
which is user and group of Kolla configuration files in /etc/kolla.

Add become to post-deploy playbook.

Add become to only necessary tasks in roles:
- certificate
- common
- destroy
- haproxy
- mariadb
- memcached
- rabbitmq

Change-Id: I2aba745a6e3928c52642f64551470fd08cbfd058
Partial-Implements: blueprint ansible-specific-task-become
Duong Ha-Quang 2016-08-23 00:18:36 +07:00
parent d6200ab131
commit 26b2c2d9e9
12 changed files with 105 additions and 4 deletions


@ -15,6 +15,10 @@ project: ""
# The directory to store the config files on the destination node
node_config_directory: "/etc/kolla/{{ project }}"
# The group which own node_config_directory
config_owner_user: "kolla"
config_owner_group: "kolla"
###################
# Kolla options
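Review bot: The comment introduced above the two new variables reads `# The group which own node_config_directory`, but it documents both a user and a group; make it `# The user and group that own node_config_directory and the files under it`. It would also help to state in that comment that the account and group must exist on every target node before deploy, since the `file` tasks in this commit that pass `owner`/`group` will fail on a host where the passwd or group lookup fails; the new `user_checks.yml` in this commit is what verifies that.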


@ -1,6 +1,7 @@
---
- name: Creating admin openrc file on the deploy node
hosts: localhost
become: true
tasks:
- template:
src: "roles/common/templates/admin-openrc.sh.j2"
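Review bot: `become: true` is placed at play level in the `Creating admin openrc file on the deploy node` play, so every task in that localhost play runs escalated, not only the one writing the openrc file, whereas the rest of this commit scopes `become` per task. Unless a later task in the play also needs root (the play continues past the hunk), move it onto the `template:` task, i.e. `- template:` followed by `become: true` next to `src:`. This play targets the deploy node itself, so the passwordless-sudo check added in `user_checks.yml` may not cover it unless localhost is part of the inventory that check runs against.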


@ -1,5 +1,6 @@
---
- name: Ensuring config directories exist
become: true
file:
path: "{{ node_config_directory }}/{{ item }}"
state: "directory"
@ -8,6 +9,7 @@
- "certificates/private"
- name: Creating SSL configuration file
become: true
template:
src: "{{ item }}.j2"
dest: "{{ node_config_directory }}/certificates/{{ item }}"
@ -15,11 +17,13 @@
- "openssl-kolla.cnf"
- name: Creating Key
become: true
command: creates="{{ item }}" openssl genrsa -out {{ item }}
with_items:
- "{{ node_config_directory }}/certificates/private/haproxy.key"
- name: Creating Server Certificate
become: true
command: creates="{{ item }}" openssl req -new -nodes -sha256 -x509 \
-subj "/C=US/ST=NC/L=RTP/O=kolla/CN={{ kolla_external_fqdn }}" \
-config {{ node_config_directory }}/certificates/openssl-kolla.cnf \
@ -31,11 +35,13 @@
- "{{ node_config_directory }}/certificates/private/haproxy.crt"
- name: Creating CA Certificate File
become: true
copy:
src: "{{ node_config_directory }}/certificates/private/haproxy.crt"
dest: "{{ node_config_directory }}/certificates/haproxy-ca.crt"
- name: Creating Server PEM File
become: true
assemble:
src: "{{ node_config_directory }}/certificates/private"
dest: "{{ node_config_directory }}/certificates/haproxy.pem"
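Review bot: The `Ensuring config directories exist` task in the first hunk now runs under `become` but, unlike the directory tasks in the haproxy, mariadb, memcached and rabbitmq sections of this commit, sets no `owner`/`group`/`mode`, so `certificates/` and `certificates/private` are created root-owned with umask-default permissions; add `owner: "{{ config_owner_user }}"`, `group: "{{ config_owner_group }}"` and `mode: "0770"` to that `file:` call. The `Creating Key` and `Creating Server PEM File` tasks now produce the private key and the combined PEM as root with no `mode`, so their permissions depend on openssl's and `assemble`'s defaults; a `mode: "0600"` on the `assemble` task, and a follow-up `file` task for the key, would pin them. The `Creating Server Certificate` command and the key path list continue outside the hunks.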


@ -4,6 +4,7 @@
path: "{{ node_config_directory }}/{{ item }}"
state: "directory"
recurse: yes
become: true
with_items:
- "fluentd"
- "fluentd/input"
@ -18,6 +19,8 @@
template:
src: "{{ item.key }}.json.j2"
dest: "{{ node_config_directory }}/{{ item.key }}/config.json"
mode: "0660"
become: true
register: common_config_jsons
with_dict: "{{ common_services }}"
notify:
@ -27,6 +30,8 @@
template:
src: "conf/input/{{ item }}.conf.j2"
dest: "{{ node_config_directory }}/fluentd/input/{{ item }}.conf"
mode: "0660"
become: true
register: fluentd_input
with_items:
- "00-global"
@ -42,6 +47,8 @@
template:
src: "conf/output/{{ item.name }}.conf.j2"
dest: "{{ node_config_directory }}/fluentd/output/{{ item.name }}.conf"
mode: "0660"
become: true
register: fluentd_output
when: item.enabled | bool
with_items:
@ -74,7 +81,9 @@
template:
src: "conf/format/{{ item }}.conf.j2"
dest: "{{ node_config_directory }}/fluentd/format/{{ item }}.conf"
mode: "0660"
register: fluentd_format
become: true
with_items:
- "apache_access"
- "wsgi_access"
@ -85,6 +94,8 @@
template:
src: "conf/filter/{{ item }}.conf.j2"
dest: "{{ node_config_directory }}/fluentd/filter/{{ item }}.conf"
mode: "0660"
become: true
register: fluentd_filter
with_items:
- "00-record_transformer"
@ -96,6 +107,8 @@
template:
src: "td-agent.conf.j2"
dest: "{{ node_config_directory }}/{{ item }}/td-agent.conf"
mode: "0660"
become: true
register: fluentd_td_agent
with_items:
- "fluentd"
@ -106,6 +119,8 @@
template:
src: "cron-logrotate-{{ item.name }}.conf.j2"
dest: "{{ node_config_directory }}/cron/logrotate/{{ item.name }}.conf"
mode: "0660"
become: true
register: cron_confs
when: item.enabled | bool
with_items:
@ -165,6 +180,17 @@
notify:
- Restart cron container
- name: Ensuring config directories have correct owner and permission
become: true
file:
path: "{{ node_config_directory }}/{{ item }}"
owner: "{{ config_owner_user }}"
group: "{{ config_owner_group }}"
mode: "0770"
with_items:
- "fluentd"
- "cron"
- name: Check common containers
kolla_docker:
action: "compare_container"
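Review bot: The new `Ensuring config directories have correct owner and permission` task has no `recurse`, so it changes owner, group and mode only on the `fluentd` and `cron` directories themselves; the subdirectories created in the first hunk (`fluentd/input` and the rest of that list, which continues outside the hunk) and every file the template tasks in this section write as root with `mode: "0660"` stay root-owned. Add `state: "directory"` and `recurse: yes` to that task so `config_owner_user`/`config_owner_group` reach the files, and check whether `with_items` needs more than `fluentd` and `cron` to cover the keys of `common_services` (defined outside this section). The haproxy, mariadb, memcached and rabbitmq sections have the same gap: their directory task applies owner/group with `recurse: yes` but runs before the template tasks, and no task reapplies ownership afterwards, so their `0660` files also end up root-owned. As a point of style, `become: true` in the `fluentd_format` task is placed after `register` while every other template task in the commit puts it before; the `memcached_config_json` task has the same ordering.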


@ -1,5 +1,6 @@
---
- name: Destroying Kolla host configuration
become: true
command: >
env enable_haproxy={{ enable_haproxy }}
enable_swift={{ enable_swift }}


@ -1,6 +1,7 @@
---
- name: Setting sysctl values
sysctl: name={{ item.name }} value={{ item.value }} sysctl_set=yes
become: true
with_items:
- { name: "net.ipv4.ip_nonlocal_bind", value: 1}
- { name: "net.unix.max_dgram_qlen", value: 128}
@ -10,7 +11,10 @@
file:
path: "{{ node_config_directory }}/{{ item.key }}"
state: "directory"
recurse: yes
owner: "{{ config_owner_user }}"
group: "{{ config_owner_group }}"
mode: "0770"
become: true
when:
- inventory_hostname in groups[item.value.group]
- item.value.enabled | bool
@ -20,6 +24,8 @@
template:
src: "{{ item.key }}.json.j2"
dest: "{{ node_config_directory }}/{{ item.key }}/config.json"
mode: "0660"
become: true
register: haproxy_config_jsons
when:
- inventory_hostname in groups[item.value.group]
@ -35,6 +41,8 @@
template:
src: "{{ item }}"
dest: "{{ node_config_directory }}/haproxy/haproxy.cfg"
mode: "0660"
become: true
register: haproxy_cfg
when:
- inventory_hostname in groups[service.group]
@ -53,6 +61,8 @@
template:
src: "{{ item }}"
dest: "{{ node_config_directory }}/keepalived/keepalived.conf"
mode: "0660"
become: true
register: keepalived_conf
when:
- inventory_hostname in groups[service.group]
@ -70,6 +80,8 @@
copy:
src: "{{ kolla_external_fqdn_cert }}"
dest: "{{ node_config_directory }}/haproxy/{{ item }}"
mode: "0660"
become: true
register: haproxy_pem
when:
- kolla_enable_tls_external | bool
@ -97,3 +109,4 @@
with_dict: "{{ haproxy_services }}"
notify:
- "Restart {{ item.key }} container"
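Review bot: The `copy` task in the last hunk writes `{{ kolla_external_fqdn_cert }}` with `mode: "0660"`, which makes the file group-writable; if that PEM carries the private key (the certificate role in this commit assembles `haproxy.pem` from the key), `mode: "0640"` or `"0600"` is enough for a reader, so change the new line to one of those. Because the task now runs under `become` with no `owner`/`group`, the file is root-owned and the group bits grant `config_owner_group` nothing unless a later task reapplies ownership, and none is visible in this section. The `when:` list of that task continues outside the hunk.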


@ -3,7 +3,10 @@
file:
path: "{{ node_config_directory }}/{{ item.key }}"
state: "directory"
recurse: yes
owner: "{{ config_owner_user }}"
group: "{{ config_owner_group }}"
mode: "0770"
become: true
when:
- inventory_hostname in groups[item.value.group]
- item.value.enabled | bool
@ -16,6 +19,8 @@
template:
src: "{{ service_name }}.json.j2"
dest: "{{ node_config_directory }}/{{ service_name }}/config.json"
mode: "0660"
become: true
register: mariadb_config_json
when:
- inventory_hostname in groups[service.group]
@ -34,6 +39,8 @@
- "{{ node_custom_config }}/galera.cnf"
- "{{ node_custom_config }}/mariadb/{{ inventory_hostname }}/galera.cnf"
dest: "{{ node_config_directory }}/{{ service_name }}/galera.cnf"
mode: "0660"
become: true
register: mariadb_galera_conf
when:
- inventory_hostname in groups[service.group]
@ -46,6 +53,8 @@
template:
src: "{{ role_path }}/templates/wsrep-notify.sh.j2"
dest: "{{ node_config_directory }}/{{ item.key }}/wsrep-notify.sh"
mode: "0770"
become: true
register: mariadb_wsrep_notify
when:
- inventory_hostname in groups[item.value.group]
@ -62,6 +71,7 @@
name: "{{ item.value.container_name }}"
image: "{{ item.value.image }}"
volumes: "{{ item.value.volumes }}"
become: true
register: check_mariadb_containers
when:
- action != "config"


@ -3,7 +3,10 @@
file:
path: "{{ node_config_directory }}/{{ item }}"
state: "directory"
recurse: yes
owner: "{{ config_owner_user }}"
group: "{{ config_owner_group }}"
mode: "0770"
become: true
with_items:
- "memcached"
@ -11,7 +14,9 @@
template:
src: "{{ item }}.json.j2"
dest: "{{ node_config_directory }}/{{ item }}/config.json"
mode: "0660"
register: memcached_config_json
become: true
with_items:
- "memcached"
notify: Restart memcached container
@ -25,9 +30,11 @@
name: "{{ service.container_name }}"
image: "{{ service.image }}"
volumes: "{{ service.volumes }}"
become: true
register: check_memcached_container
when:
- inventory_hostname in groups[service.group]
- service.enabled | bool
- action != "config"
notify: Restart memcached container


@ -4,3 +4,5 @@
- include: service_checks.yml
- include: package_checks.yml
- include: user_checks.yml


@ -0,0 +1,19 @@
---
- name: Check if config_owner_user existed
getent:
database: passwd
key: "{{ config_owner_user }}"
- name: Check if config_owner_group existed
getent:
database: group
key: "{{ config_owner_group }}"
register: getent_group
#(duonghq) it's only a basic check, should be refined later
- name: Check if ansible user can do passwordless sudo
shell: sudo -n true
register: result
failed_when: result | failed
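Review bot: The passwordless-sudo check at the end of the new file uses `shell` for a command that needs no shell features, `failed_when: result | failed` only restates the default failure on a non-zero exit, and the task reports changed on every run. Prefer `command: sudo -n true` with `changed_when: false` and drop the `failed_when` line. `getent_group` is registered but not used in the visible lines; the file is 19 lines and not all are shown here, so if nothing consumes it later, drop the `register`. The task names read better as `Check if config_owner_user exists` and `Check if config_owner_group exists`, and the comment should be `# (duonghq) it's only a basic check, should be refined later` with a space after the hash.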


@ -3,7 +3,10 @@
file:
path: "{{ node_config_directory }}/{{ project_name }}"
state: "directory"
recurse: yes
owner: "{{ config_owner_user }}"
group: "{{ config_owner_group }}"
mode: "0770"
become: true
when:
- inventory_hostname in groups[item.value.group]
- item.value.enabled | bool
@ -13,6 +16,8 @@
template:
src: "{{ item.key }}.json.j2"
dest: "{{ node_config_directory }}/{{ project_name }}/config.json"
mode: "0770"
become: true
register: rabbitmq_config_jsons
when:
- inventory_hostname in groups[item.value.group]
@ -27,6 +32,8 @@
template:
src: "{{ item }}.j2"
dest: "{{ node_config_directory }}/{{ project_name }}/{{ item }}"
mode: "0770"
become: true
register: rabbitmq_confs
when:
- inventory_hostname in groups[service.group]
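Review bot: The `mode: "0770"` added to the `config.json` template task and to the `{{ item }}.j2` template task makes rabbitmq's rendered configuration files executable and group-writable, while every other role in this commit writes its rendered files with `mode: "0660"` and reserves `0770` for the directory. Change both template tasks to `mode: "0660"`. If one of the files in that `with_items` list (outside the hunk) is a script that must be executable, give it its own task rather than widening the mode of every rendered file.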


@ -0,0 +1,5 @@
---
prelude: >
Specify Ansible "become" for only necessary tasks.
features:
- Add "become" to necessary tasks of general roles.