Specify 'become' to necessary tasks (general roles)
Add config_owner_user and config_owner_group to group_vars/all, which are the user and group of Kolla configuration files in /etc/kolla. Add become to post-deploy playbook. Add become to only necessary tasks in roles: - certificate - common - destroy - haproxy - mariadb - memcached - rabbitmq Change-Id: I2aba745a6e3928c52642f64551470fd08cbfd058 Partial-Implements: blueprint ansible-specific-task-become
This commit is contained in:
parent
d6200ab131
commit
26b2c2d9e9
@ -15,6 +15,10 @@ project: ""
|
||||
# The directory to store the config files on the destination node
|
||||
node_config_directory: "/etc/kolla/{{ project }}"
|
||||
|
||||
# The group which own node_config_directory
|
||||
config_owner_user: "kolla"
|
||||
config_owner_group: "kolla"
|
||||
|
||||
|
||||
###################
|
||||
# Kolla options
|
||||
|
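Review bot: The comment introduced above the new variables, `# The group which own node_config_directory`, documents only the group although the hunk adds both `config_owner_user` and `config_owner_group`; reword it to `# The user and group which own node_config_directory`. It would also help to state there that both must already exist on every target host, because the values are passed straight to `owner:`/`group:` of file tasks in several roles; the new user_checks.yml precheck appears to enforce that, but the variable's own documentation should say so.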
@ -1,6 +1,7 @@
|
||||
---
|
||||
- name: Creating admin openrc file on the deploy node
|
||||
hosts: localhost
|
||||
become: true
|
||||
tasks:
|
||||
- template:
|
||||
src: "roles/common/templates/admin-openrc.sh.j2"
|
||||
|
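Review bot: Setting `become: true` at play level for the localhost play means the template task that renders admin-openrc.sh now runs as root, so the resulting file is root-owned unless the task sets `owner`/`group`/`mode` itself; the task body (dest, mode) continues outside the hunk, so I cannot see whether it does. Given the file name suggests it carries admin credentials, consider restricting it explicitly, e.g. `mode: "0600"` plus an `owner:` of the deploying user, or scoping `become` to just that task as the commit does in the roles.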
@ -1,5 +1,6 @@
|
||||
---
|
||||
- name: Ensuring config directories exist
|
||||
become: true
|
||||
file:
|
||||
path: "{{ node_config_directory }}/{{ item }}"
|
||||
state: "directory"
|
||||
@ -8,6 +9,7 @@
|
||||
- "certificates/private"
|
||||
|
||||
- name: Creating SSL configuration file
|
||||
become: true
|
||||
template:
|
||||
src: "{{ item }}.j2"
|
||||
dest: "{{ node_config_directory }}/certificates/{{ item }}"
|
||||
@ -15,11 +17,13 @@
|
||||
- "openssl-kolla.cnf"
|
||||
|
||||
- name: Creating Key
|
||||
become: true
|
||||
command: creates="{{ item }}" openssl genrsa -out {{ item }}
|
||||
with_items:
|
||||
- "{{ node_config_directory }}/certificates/private/haproxy.key"
|
||||
|
||||
- name: Creating Server Certificate
|
||||
become: true
|
||||
command: creates="{{ item }}" openssl req -new -nodes -sha256 -x509 \
|
||||
-subj "/C=US/ST=NC/L=RTP/O=kolla/CN={{ kolla_external_fqdn }}" \
|
||||
-config {{ node_config_directory }}/certificates/openssl-kolla.cnf \
|
||||
@ -31,11 +35,13 @@
|
||||
- "{{ node_config_directory }}/certificates/private/haproxy.crt"
|
||||
|
||||
- name: Creating CA Certificate File
|
||||
become: true
|
||||
copy:
|
||||
src: "{{ node_config_directory }}/certificates/private/haproxy.crt"
|
||||
dest: "{{ node_config_directory }}/certificates/haproxy-ca.crt"
|
||||
|
||||
- name: Creating Server PEM File
|
||||
become: true
|
||||
assemble:
|
||||
src: "{{ node_config_directory }}/certificates/private"
|
||||
dest: "{{ node_config_directory }}/certificates/haproxy.pem"
|
||||
|
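Review bot: In the hunk starting at `@ -15,11 +17,13 @@`, "Creating Key" now runs `openssl genrsa` under `become: true`, so the private key under `{{ node_config_directory }}/certificates/private` is created as root with whatever the root umask yields, and unlike the common and haproxy roles this role gains no task that sets owner, group or mode afterwards. The `creates="{{ item }}"` inline form is also the legacy key=value syntax; `args: { creates: "{{ item }}" }` is the documented block form. I would add an ownership task after the key/certificate generation, placed before "Creating CA Certificate File" (the `0700` below is a constructed value; pick what the consumers of the key actually need).
```yaml
- name: Ensuring certificate directories have correct owner and permission
  become: true
  file:
    path: "{{ node_config_directory }}/certificates/private"
    owner: "{{ config_owner_user }}"
    group: "{{ config_owner_group }}"
    mode: "0700"
# … unchanged: Creating CA Certificate File, Creating Server PEM File …
```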
@ -4,6 +4,7 @@
|
||||
path: "{{ node_config_directory }}/{{ item }}"
|
||||
state: "directory"
|
||||
recurse: yes
|
||||
become: true
|
||||
with_items:
|
||||
- "fluentd"
|
||||
- "fluentd/input"
|
||||
@ -18,6 +19,8 @@
|
||||
template:
|
||||
src: "{{ item.key }}.json.j2"
|
||||
dest: "{{ node_config_directory }}/{{ item.key }}/config.json"
|
||||
mode: "0660"
|
||||
become: true
|
||||
register: common_config_jsons
|
||||
with_dict: "{{ common_services }}"
|
||||
notify:
|
||||
@ -27,6 +30,8 @@
|
||||
template:
|
||||
src: "conf/input/{{ item }}.conf.j2"
|
||||
dest: "{{ node_config_directory }}/fluentd/input/{{ item }}.conf"
|
||||
mode: "0660"
|
||||
become: true
|
||||
register: fluentd_input
|
||||
with_items:
|
||||
- "00-global"
|
||||
@ -42,6 +47,8 @@
|
||||
template:
|
||||
src: "conf/output/{{ item.name }}.conf.j2"
|
||||
dest: "{{ node_config_directory }}/fluentd/output/{{ item.name }}.conf"
|
||||
mode: "0660"
|
||||
become: true
|
||||
register: fluentd_output
|
||||
when: item.enabled | bool
|
||||
with_items:
|
||||
@ -74,7 +81,9 @@
|
||||
template:
|
||||
src: "conf/format/{{ item }}.conf.j2"
|
||||
dest: "{{ node_config_directory }}/fluentd/format/{{ item }}.conf"
|
||||
mode: "0660"
|
||||
register: fluentd_format
|
||||
become: true
|
||||
with_items:
|
||||
- "apache_access"
|
||||
- "wsgi_access"
|
||||
@ -85,6 +94,8 @@
|
||||
template:
|
||||
src: "conf/filter/{{ item }}.conf.j2"
|
||||
dest: "{{ node_config_directory }}/fluentd/filter/{{ item }}.conf"
|
||||
mode: "0660"
|
||||
become: true
|
||||
register: fluentd_filter
|
||||
with_items:
|
||||
- "00-record_transformer"
|
||||
@ -96,6 +107,8 @@
|
||||
template:
|
||||
src: "td-agent.conf.j2"
|
||||
dest: "{{ node_config_directory }}/{{ item }}/td-agent.conf"
|
||||
mode: "0660"
|
||||
become: true
|
||||
register: fluentd_td_agent
|
||||
with_items:
|
||||
- "fluentd"
|
||||
@ -106,6 +119,8 @@
|
||||
template:
|
||||
src: "cron-logrotate-{{ item.name }}.conf.j2"
|
||||
dest: "{{ node_config_directory }}/cron/logrotate/{{ item.name }}.conf"
|
||||
mode: "0660"
|
||||
become: true
|
||||
register: cron_confs
|
||||
when: item.enabled | bool
|
||||
with_items:
|
||||
@ -165,6 +180,17 @@
|
||||
notify:
|
||||
- Restart cron container
|
||||
|
||||
- name: Ensuring config directories have correct owner and permission
|
||||
become: true
|
||||
file:
|
||||
path: "{{ node_config_directory }}/{{ item }}"
|
||||
owner: "{{ config_owner_user }}"
|
||||
group: "{{ config_owner_group }}"
|
||||
mode: "0770"
|
||||
with_items:
|
||||
- "fluentd"
|
||||
- "cron"
|
||||
|
||||
- name: Check common containers
|
||||
kolla_docker:
|
||||
action: "compare_container"
|
||||
|
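Review bot: The new task "Ensuring config directories have correct owner and permission" in the last hunk chowns only the top-level `fluentd` and `cron` directories (no `recurse`), while the sub-directories created by the first hunk (`fluentd/input` etc.) and every file rendered by the template tasks are now written under `become: true` with no `owner`/`group`, so they stay root-owned. If `config_owner_user` is meant to own the tree, add `owner: "{{ config_owner_user }}"` and `group: "{{ config_owner_group }}"` to the template tasks (or to the directory task in the first hunk) rather than adding `recurse: yes` to the new task, since recursing with `mode: "0770"` would also mark every config file executable. As a point of style, in the hunk at `@ -74,7 +81,9 @@` the `become: true` is placed after `register:` whereas every other task in this file puts it before; the same ordering applies in memcached tasks (`register: memcached_config_json` followed by `become: true`).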
@ -1,5 +1,6 @@
|
||||
---
|
||||
- name: Destroying Kolla host configuration
|
||||
become: true
|
||||
command: >
|
||||
env enable_haproxy={{ enable_haproxy }}
|
||||
enable_swift={{ enable_swift }}
|
||||
|
@ -1,6 +1,7 @@
|
||||
---
|
||||
- name: Setting sysctl values
|
||||
sysctl: name={{ item.name }} value={{ item.value }} sysctl_set=yes
|
||||
become: true
|
||||
with_items:
|
||||
- { name: "net.ipv4.ip_nonlocal_bind", value: 1}
|
||||
- { name: "net.unix.max_dgram_qlen", value: 128}
|
||||
@ -10,7 +11,10 @@
|
||||
file:
|
||||
path: "{{ node_config_directory }}/{{ item.key }}"
|
||||
state: "directory"
|
||||
recurse: yes
|
||||
owner: "{{ config_owner_user }}"
|
||||
group: "{{ config_owner_group }}"
|
||||
mode: "0770"
|
||||
become: true
|
||||
when:
|
||||
- inventory_hostname in groups[item.value.group]
|
||||
- item.value.enabled | bool
|
||||
@ -20,6 +24,8 @@
|
||||
template:
|
||||
src: "{{ item.key }}.json.j2"
|
||||
dest: "{{ node_config_directory }}/{{ item.key }}/config.json"
|
||||
mode: "0660"
|
||||
become: true
|
||||
register: haproxy_config_jsons
|
||||
when:
|
||||
- inventory_hostname in groups[item.value.group]
|
||||
@ -35,6 +41,8 @@
|
||||
template:
|
||||
src: "{{ item }}"
|
||||
dest: "{{ node_config_directory }}/haproxy/haproxy.cfg"
|
||||
mode: "0660"
|
||||
become: true
|
||||
register: haproxy_cfg
|
||||
when:
|
||||
- inventory_hostname in groups[service.group]
|
||||
@ -53,6 +61,8 @@
|
||||
template:
|
||||
src: "{{ item }}"
|
||||
dest: "{{ node_config_directory }}/keepalived/keepalived.conf"
|
||||
mode: "0660"
|
||||
become: true
|
||||
register: keepalived_conf
|
||||
when:
|
||||
- inventory_hostname in groups[service.group]
|
||||
@ -70,6 +80,8 @@
|
||||
copy:
|
||||
src: "{{ kolla_external_fqdn_cert }}"
|
||||
dest: "{{ node_config_directory }}/haproxy/{{ item }}"
|
||||
mode: "0660"
|
||||
become: true
|
||||
register: haproxy_pem
|
||||
when:
|
||||
- kolla_enable_tls_external | bool
|
||||
@ -97,3 +109,4 @@
|
||||
with_dict: "{{ haproxy_services }}"
|
||||
notify:
|
||||
- "Restart {{ item.key }} container"
|
||||
|
||||
|
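Review bot: In the hunk at `@ -10,7 +11,10 @@` the existing `recurse: yes` is now combined with the new `mode: "0770"`, and the file module applies a mode recursively to every file beneath the directory, so on each run every existing config.json and haproxy.cfg is chmod'd to 0770; the template tasks in the following hunks then set `mode: "0660"` back, which makes them report changed on every run and fire their restart handlers (the `notify:` in the last hunk). The same combination appears in mariadb (`@ -3,7 +3,10 @@`), memcached (`@ -3,7 +3,10 @@`) and rabbitmq (`@ -3,7 +3,10 @@`). Drop `recurse: yes` from these directory tasks, or leave `mode` off when recursing, so that ownership and mode are set once per file by the task that creates it.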
@ -3,7 +3,10 @@
|
||||
file:
|
||||
path: "{{ node_config_directory }}/{{ item.key }}"
|
||||
state: "directory"
|
||||
recurse: yes
|
||||
owner: "{{ config_owner_user }}"
|
||||
group: "{{ config_owner_group }}"
|
||||
mode: "0770"
|
||||
become: true
|
||||
when:
|
||||
- inventory_hostname in groups[item.value.group]
|
||||
- item.value.enabled | bool
|
||||
@ -16,6 +19,8 @@
|
||||
template:
|
||||
src: "{{ service_name }}.json.j2"
|
||||
dest: "{{ node_config_directory }}/{{ service_name }}/config.json"
|
||||
mode: "0660"
|
||||
become: true
|
||||
register: mariadb_config_json
|
||||
when:
|
||||
- inventory_hostname in groups[service.group]
|
||||
@ -34,6 +39,8 @@
|
||||
- "{{ node_custom_config }}/galera.cnf"
|
||||
- "{{ node_custom_config }}/mariadb/{{ inventory_hostname }}/galera.cnf"
|
||||
dest: "{{ node_config_directory }}/{{ service_name }}/galera.cnf"
|
||||
mode: "0660"
|
||||
become: true
|
||||
register: mariadb_galera_conf
|
||||
when:
|
||||
- inventory_hostname in groups[service.group]
|
||||
@ -46,6 +53,8 @@
|
||||
template:
|
||||
src: "{{ role_path }}/templates/wsrep-notify.sh.j2"
|
||||
dest: "{{ node_config_directory }}/{{ item.key }}/wsrep-notify.sh"
|
||||
mode: "0770"
|
||||
become: true
|
||||
register: mariadb_wsrep_notify
|
||||
when:
|
||||
- inventory_hostname in groups[item.value.group]
|
||||
@ -62,6 +71,7 @@
|
||||
name: "{{ item.value.container_name }}"
|
||||
image: "{{ item.value.image }}"
|
||||
volumes: "{{ item.value.volumes }}"
|
||||
become: true
|
||||
register: check_mariadb_containers
|
||||
when:
|
||||
- action != "config"
|
||||
|
@ -3,7 +3,10 @@
|
||||
file:
|
||||
path: "{{ node_config_directory }}/{{ item }}"
|
||||
state: "directory"
|
||||
recurse: yes
|
||||
owner: "{{ config_owner_user }}"
|
||||
group: "{{ config_owner_group }}"
|
||||
mode: "0770"
|
||||
become: true
|
||||
with_items:
|
||||
- "memcached"
|
||||
|
||||
@ -11,7 +14,9 @@
|
||||
template:
|
||||
src: "{{ item }}.json.j2"
|
||||
dest: "{{ node_config_directory }}/{{ item }}/config.json"
|
||||
mode: "0660"
|
||||
register: memcached_config_json
|
||||
become: true
|
||||
with_items:
|
||||
- "memcached"
|
||||
notify: Restart memcached container
|
||||
@ -25,9 +30,11 @@
|
||||
name: "{{ service.container_name }}"
|
||||
image: "{{ service.image }}"
|
||||
volumes: "{{ service.volumes }}"
|
||||
become: true
|
||||
register: check_memcached_container
|
||||
when:
|
||||
- inventory_hostname in groups[service.group]
|
||||
- service.enabled | bool
|
||||
- action != "config"
|
||||
notify: Restart memcached container
|
||||
|
||||
|
@ -4,3 +4,5 @@
|
||||
- include: service_checks.yml
|
||||
|
||||
- include: package_checks.yml
|
||||
|
||||
- include: user_checks.yml
|
||||
|
19
ansible/roles/prechecks/tasks/user_checks.yml
Normal file
19
ansible/roles/prechecks/tasks/user_checks.yml
Normal file
@ -0,0 +1,19 @@
|
||||
---
|
||||
- name: Check if config_owner_user existed
|
||||
getent:
|
||||
database: passwd
|
||||
key: "{{ config_owner_user }}"
|
||||
|
||||
- name: Check if config_owner_group existed
|
||||
getent:
|
||||
database: group
|
||||
key: "{{ config_owner_group }}"
|
||||
register: getent_group
|
||||
|
||||
#(duonghq) it's only a basic check, should be refined later
|
||||
- name: Check if ansible user can do passwordless sudo
|
||||
shell: sudo -n true
|
||||
register: result
|
||||
failed_when: result | failed
|
||||
|
||||
|
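Review bot: The passwordless-sudo precheck in the last hunk hard-codes `shell: sudo -n true`, which validates sudo for the connecting user regardless of the become method and become user that Ansible is actually configured with, and `failed_when: result | failed` is redundant because a non-zero return code already fails a shell task. A check that exercises the configured mechanism is simpler and more faithful: `- name: Check if ansible user can become root` / `  become: true` / `  command: true`, with the `register`/`failed_when` lines removed. Minor wording: "Check if config_owner_user existed" and "... config_owner_group existed" read better as "exists", and `register: getent_group` is unused in this file.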
@ -3,7 +3,10 @@
|
||||
file:
|
||||
path: "{{ node_config_directory }}/{{ project_name }}"
|
||||
state: "directory"
|
||||
recurse: yes
|
||||
owner: "{{ config_owner_user }}"
|
||||
group: "{{ config_owner_group }}"
|
||||
mode: "0770"
|
||||
become: true
|
||||
when:
|
||||
- inventory_hostname in groups[item.value.group]
|
||||
- item.value.enabled | bool
|
||||
@ -13,6 +16,8 @@
|
||||
template:
|
||||
src: "{{ item.key }}.json.j2"
|
||||
dest: "{{ node_config_directory }}/{{ project_name }}/config.json"
|
||||
mode: "0770"
|
||||
become: true
|
||||
register: rabbitmq_config_jsons
|
||||
when:
|
||||
- inventory_hostname in groups[item.value.group]
|
||||
@ -27,6 +32,8 @@
|
||||
template:
|
||||
src: "{{ item }}.j2"
|
||||
dest: "{{ node_config_directory }}/{{ project_name }}/{{ item }}"
|
||||
mode: "0770"
|
||||
become: true
|
||||
register: rabbitmq_confs
|
||||
when:
|
||||
- inventory_hostname in groups[service.group]
|
||||
|
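Review bot: The template tasks in the hunks at `@ -13,6 +16,8 @@` and `@ -27,6 +32,8 @@` render config.json and the rabbitmq config files with `mode: "0770"`, whereas every other role touched by this commit renders config.json with `mode: "0660"` (common, haproxy, mariadb, memcached); an executable bit on JSON and config files is unnecessary. Each of these hunks adds two lines and only `become: true` is clearly new, so if the `mode` line is part of this change it should be `mode: "0660"` for consistency; if it pre-dates the commit, it is still worth aligning while the task is being edited.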
@ -0,0 +1,5 @@
|
||||
---
|
||||
prelude: >
|
||||
Specify Ansible "become" for only necessary tasks.
|
||||
features:
|
||||
- Add "become" to necessary tasks of general roles.
|