Right now our documentation assumes that users must run OpenStack-Ansible as root users. With that, it's not a strict requirement and there is a pretty much straightforward way of running playbooks as a non-root user by leveraging Ansible's `become`.

Depends-On: https://review.opendev.org/c/openstack/ansible-role-python_venv_build/+/897948
Change-Id: I426c78157a17fd4524e48437c6f632a8551223d0
Running as non-root user

Deployers do not have to use root user accounts on deploy or target hosts. This approach works out of the box by leveraging Ansible privilege escalation.
Deployment hosts

You can avoid usage of the root user on a deployment by following these guidelines:

- Clone the OpenStack-Ansible repository into the user's home directory. This means that instead of /opt/openstack-ansible, the repository will be in ~/openstack-ansible.
- Use a custom path for the /etc/openstack_deploy directory. You can place the OpenStack-Ansible configuration directory inside the user's home directory. For that you will need to define the following environment variable:

  export OSA_CONFIG_DIR="${HOME}/openstack_deploy"

- If you want to keep basic Ansible logging, you need either to create the /openstack/log/ansible-logging/ directory and allow the user to write there, or to define the following environment variable:

  export ANSIBLE_LOG_PATH="${HOME}/ansible-logging/ansible.log"

Note: You can also add these environment variables to the user.rc file inside the openstack_deploy folder (${OSA_CONFIG_DIR}/user.rc). The user.rc file is sourced each time you run the openstack-ansible binary.

The initial bootstrap of OpenStack-Ansible using the ./scripts/bootstrap-ansible.sh script still should be done either as the root user or by escalating privileges using sudo or su.
Destination hosts

It is also possible to use a non-root user for Ansible authentication on destination hosts. However, this user must be able to escalate privileges using Ansible privilege escalation.

Note: You can add the environment variables from this section to the user.rc file inside the openstack_deploy folder (${OSA_CONFIG_DIR}/user.rc). The user.rc file is sourced each time you run the openstack-ansible binary.
There are also a couple of additional things which you might want to consider:

- Provide the --become flag each time you run a playbook or ad-hoc command. Alternatively, you can define the following environment variable:

  export ANSIBLE_BECOME="True"

- Override the Ansible temporary path if LXC containers are used. The Ansible connection from the physical host to the LXC container passes environment variables from the host. This means that Ansible attempts to use the same temporary folder in the LXC container as it would on the host, relative to the non-root user's ${HOME} directory. This will not exist inside the container and another path must be used instead. You can do that in one of the following ways:

  - Define ansible_remote_tmp: /tmp in user_variables.yml
  - Define the following environment variable:

    export ANSIBLE_LOCAL_TEMP="/tmp"

- Define the user that will be used for connections from the deploy host to the Ansible target hosts. In case the user is the same for all hosts in your deployment, you can do it in one of the following ways:

  - Define ansible_user: <USER> in user_variables.yml
  - Define the following environment variable:

    export ANSIBLE_REMOTE_USER="<USER>"

  If the user differs from host to host, you can leverage group_vars or host_vars. More information on how to use that can be found in the overrides guide (/reference/configuration/using-overrides).
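As an added example (not code from the OpenStack-Ansible project), a preflight check a deployer can run on the deploy host before the first playbook: it verifies the environment variables and directories from the sections above and, on the assumption that ${OSA_CONFIG_DIR} holds user_secrets.yml, that the directory is not accessible to other users. The function name and the exact set of checks are this example's own assumptions; nothing here touches the target hosts.

```shell
#!/usr/bin/env bash
# Preflight check for the non-root deploy-host layout (added example, not
# part of OpenStack-Ansible). Prints one line per problem and returns the
# number of problems found, so "osa_nonroot_preflight && ..." works.
osa_nonroot_preflight() {
    problems=0

    if [ "$(id -u)" -eq 0 ]; then
        echo "info: running as root; the non-root guidelines do not apply"
    fi

    # 1. Configuration directory: must be set, exist and be writable.
    if [ -z "${OSA_CONFIG_DIR:-}" ]; then
        echo "problem: OSA_CONFIG_DIR is unset (default /etc/openstack_deploy needs root)"
        problems=$((problems + 1))
    elif [ ! -d "$OSA_CONFIG_DIR" ] || [ ! -w "$OSA_CONFIG_DIR" ]; then
        echo "problem: $OSA_CONFIG_DIR is missing or not writable"
        problems=$((problems + 1))
    else
        # 2. Assumption: user_secrets.yml lives here, so "others" should
        #    have no permission bits at all (portable check via ls -ld).
        others=$(ls -ld "$OSA_CONFIG_DIR" | cut -c8-10)
        if [ "$others" != "---" ]; then
            echo "problem: $OSA_CONFIG_DIR is accessible to others (mode ...$others)"
            problems=$((problems + 1))
        fi
    fi

    # 3. Log file: its parent directory must be writable by this user.
    #    Default is the project path used when ANSIBLE_LOG_PATH is unset.
    log_dir=$(dirname "${ANSIBLE_LOG_PATH:-/openstack/log/ansible-logging/ansible.log}")
    if [ ! -d "$log_dir" ] || [ ! -w "$log_dir" ]; then
        echo "problem: log directory $log_dir is missing or not writable"
        problems=$((problems + 1))
    fi

    # 4. Privilege escalation must be enabled, or every run needs --become.
    case "$(printf '%s' "${ANSIBLE_BECOME:-}" | tr 'A-Z' 'a-z')" in
        true|yes|on|1) ;;
        *)
            echo "problem: ANSIBLE_BECOME is not set; pass --become on every run"
            problems=$((problems + 1))
            ;;
    esac

    return "$problems"
}

# Usage on a deploy host, after sourcing ${OSA_CONFIG_DIR}/user.rc:
#   osa_nonroot_preflight && echo "ready for openstack-ansible"
```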