openstack/kolla-ansible
Code Issues Proposed changes
kolla-ansible/ansible/roles/baremetal/tasks/post-install.yml
Michal Arbet 3d747b7200 Remove chrony package if containerized chrony is enabled 
This patch is removing chrony package
from docker host when containerized chrony is enabled.
It is also fixing issue with chrony container running
under Ubuntu docker host as noted below.

+ exec /usr/sbin/chronyd -d -f /etc/chrony/chrony.conf
2020-06-08T08:19:09Z chronyd version 3.4 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SIGND +ASYNCDNS +SECHASH +IPV6 -DEBUG)
2020-06-08T08:19:09Z Fatal error : Could not open configuration file /etc/chrony/chrony.conf : Permission denied

Added also removal apparmor profile for ubuntu when
containerized chrony is enabled, as chrony's package
is not removing apparmor profile, and therefore
containerized chrony is not working.

Change-Id: Icf3bbae38b9f5630b69d5c8cf6a8bee11786a836
Closes-Bug: #1882513
2020-06-15 13:06:36 +02:00

248 lines
5.7 KiB
YAML
Raw Blame History

---
- name: Create kolla user
user:
name: "{{ kolla_user }}"
state: present
group: "{{ kolla_group }}"
groups: "sudo"
append: true
become: True
when: create_kolla_user | bool
- name: Add public key to kolla user authorized keys
authorized_key:
user: "{{ kolla_user }}"
key: "{{ kolla_ssh_key.public_key }}"
become: True
when: create_kolla_user | bool
- name: Grant kolla user passwordless sudo
lineinfile:
dest: /etc/sudoers.d/kolla-ansible-users
state: present
create: yes
mode: '0640'
regexp: '^{{ kolla_user }}'
line: '{{ kolla_user }} ALL=(ALL) NOPASSWD: ALL'
become: True
when: create_kolla_user_sudoers | bool
- name: Ensure virtualenv has correct ownership
file:
path: "{{ virtualenv }}"
recurse: True
state: directory
owner: "{{ kolla_user }}"
group: "{{ kolla_group }}"
become: True
when: virtualenv is not none
- name: Ensure node_config_directory directory exists for user kolla
file:
path: "{{ node_config_directory }}"
state: directory
owner: "{{ kolla_user }}"
group: "{{ kolla_group }}"
mode: 0755
become: True
when: create_kolla_user | bool
- name: Ensure node_config_directory directory exists
file:
path: "{{ node_config_directory }}"
state: directory
mode: 0755
become: True
when: not create_kolla_user | bool
- name: Ensure docker config directory exists
file:
path: /etc/docker
state: directory
become: True
- name: Merge Zun docker config
set_fact:
docker_config: "{{ docker_config | combine(docker_zun_config) }}"
when:
- docker_configure_for_zun | bool
- name: Warn about deprecations
debug:
msg: >
docker_custom_option is deprecated in favor of docker_custom_config
when: docker_custom_option | length > 0
- name: Setup docker insecure registries
vars:
registries: ["{{ docker_registry }}"]
set_fact:
docker_config: "{{ docker_config | combine({'insecure-registries': registries}) }}"
when: docker_registry_insecure | bool
- name: Setup docker storage driver
set_fact:
docker_config: "{{ docker_config | combine({'storage-driver': docker_storage_driver}) }}"
when: docker_storage_driver | length > 0
- name: Setup docker runtime directory
set_fact:
docker_config: "{{ docker_config | combine({'data-root': docker_runtime_directory}) }}"
when: docker_runtime_directory | length > 0
- name: Merge custom docker config
set_fact:
docker_config: "{{ docker_config | combine(docker_custom_config) }}"
- name: Write docker config
become: True
copy:
content: "{{ docker_config | to_nice_json }}"
dest: /etc/docker/daemon.json
mode: 0644
register: docker_configured
- name: Remove old docker options file
become: True
file:
path: /etc/systemd/system/docker.service.d/kolla.conf
state: absent
when:
- not docker_custom_option
- not docker_configure_for_zun|bool
- name: Ensure docker service directory exists
become: True
file:
path: /etc/systemd/system/docker.service.d
state: directory
recurse: yes
when: docker_custom_option | length > 0 or docker_configure_for_zun|bool
- name: Configure docker service
become: True
template:
src: docker_systemd_service.j2
dest: /etc/systemd/system/docker.service.d/kolla.conf
when: docker_custom_option | length > 0 or docker_configure_for_zun|bool
- name: Reload docker service file
become: True
systemd:
name: docker
daemon_reload: yes
register: docker_reloaded
- name: Get stat of libvirtd apparmor profile
stat:
path: /etc/apparmor.d/usr.sbin.libvirtd
register: apparmor_libvirtd_profile
when: ansible_distribution == "Ubuntu"
- name: Remove apparmor profile for libvirt
command: apparmor_parser -R /etc/apparmor.d/usr.sbin.libvirtd
become: True
when:
- ansible_distribution == "Ubuntu"
- apparmor_libvirtd_profile.stat.exists
- name: Get stat of chronyd apparmor profile
stat:
path: /etc/apparmor.d/usr.sbin.chronyd
register: apparmor_chronyd_profile
when:
- ansible_os_family == "Debian"
- enable_chrony | bool
- name: Remove apparmor profile for chrony
command: apparmor_parser -R /etc/apparmor.d/usr.sbin.chronyd
become: True
when:
- ansible_os_family == "Debian"
- enable_chrony | bool
- apparmor_chronyd_profile.stat.exists
- name: Create docker group
group:
name: docker
become: True
- name: Add kolla user to docker group
user:
name: "{{ kolla_user }}"
append: yes
groups: docker
become: True
when: create_kolla_user | bool
- name: Start docker
service:
name: docker
state: started
become: True
- name: Restart docker
service:
name: docker
state: restarted
become: True
when: docker_configured.changed or docker_reloaded.changed
- name: Enable docker
service:
name: docker
enabled: yes
become: True
- name: Stop time service
service:
name: ntp
state: stopped
become: True
when:
- ansible_os_family == "Debian"
- enable_host_ntp | bool
- name: Stop time service
service:
name: ntpd
state: stopped
become: True
when:
- ansible_os_family == "RedHat"
- enable_host_ntp | bool
- name: Synchronizing time one-time
command: ntpd -gq
become: True
when: enable_host_ntp | bool
- name: Start time sync service
service:
name: ntp
state: started
enabled: yes
become: True
when:
- ansible_os_family == "Debian"
- enable_host_ntp | bool
- name: Start time sync service
service:
name: ntpd
state: started
enabled: yes
become: True
when:
- ansible_os_family == "RedHat"
- enable_host_ntp | bool
- name: Change state of selinux
selinux:
policy: targeted
state: "{{ selinux_state }}"
become: true
when:
- change_selinux | bool
- ansible_os_family == "RedHat"
View Git Blame Copy Permalink