--- # Copyright 2019 Red Hat, Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. - name: Playbook for establishing ssh keys connection: "{{ (tripleo_target_host is defined) | ternary('ssh', 'local') }}" hosts: "{{ tripleo_target_host | default('localhost') }}" remote_user: "{{ tripleo_target_user | default(lookup('env', 'USER')) }}" gather_facts: "{{ (tripleo_target_host is defined) | ternary(true, false) }}" any_errors_fatal: true vars: BlacklistedIpAddresses: [] distribute_private_key: false handlers: - name: Remove mistral tmp file file: path: "{{ tempfile_1.path }}" state: absent tasks: - name: No ssh servers defined fail: msg: >- The ssh_servers option was undefined. when: - ssh_servers is undefined - name: Cloud name block when: - tripleo_cloud_name is defined block: - name: Run blacklist IP check command: >- openstack --os-cloud undercloud stack output show {{ tripleo_cloud_name }} BlacklistedIpAddresses -f yaml register: blacklist_cmd changed_when: false async: 1000 poll: 0 - name: Block on async blacklist check async_status: jid: "{{ blacklist_cmd.ansible_job_id }}" register: blacklist_cmd_job_result until: blacklist_cmd_job_result.finished retries: 30 - name: Set BlacklistedIpAddresses fact set_fact: BlacklistedIpAddresses: "{{ (blacklist_cmd_job_result.stdout | from_yaml)['output_value'] }}" - name: Set local connection user facts set_fact: ansible_home: "{{ lookup('env', 'HOME') }}" ansible_user: "{{ lookup('env', 'USER') }}" run_once: true when: - (tripleo_target_host is defined) | ternary('ssh', 'local') == 'local' - name: Set facts for ssh servers and user private key file set_fact: set_ssh_servers: "{{ ssh_servers }}" defined_user_private_key_file: "{{ user_private_key_file | default(ansible_home ~ '/.ssh/id_rsa_tripleo') }}" run_once: true - name: Ensure .ssh directory file: path: "{{ ansible_home }}/.ssh" state: directory mode: "0700" owner: "{{ ansible_user }}" group: "{{ ansible_user }}" become: true - name: Ensure ssh key pair user: name: "{{ ansible_user }}" generate_ssh_key: true ssh_key_bits: 4096 ssh_key_file: "{{ ansible_home }}/.ssh/id_rsa" become: true - name: Stat key file stat: path: "{{ defined_user_private_key_file }}" register: key_check - name: Key block when: - user_public_key is undefined - user_private_key is undefined - user_private_key_file is undefined block: - name: Read key block run_once: true when: - key_check.stat.exists | bool block: - name: Get local private key slurp: src: "{{ defined_user_private_key_file }}" register: private_key_get become: true - name: Get local public key slurp: src: "{{ defined_user_private_key_file }}.pub" register: public_key_get become: true - name: Set key facts set_fact: user_public_key: "{{ public_key_get['content'] | b64decode }}" user_private_key: "{{ private_key_get['content'] | b64decode }}" user_private_key_file: "{{ defined_user_private_key_file }}" - name: Read and create key block run_once: true when: - not (key_check.stat.exists | bool) block: - name: Get local private key slurp: src: "{{ ansible_home }}/.ssh/id_rsa" register: private_key_get become: true - name: Get local public key slurp: src: "{{ ansible_home }}/.ssh/id_rsa.pub" register: public_key_get become: true - name: Write tripleo private key copy: content: "{{ private_key_get['content'] | b64decode }}" dest: "{{ defined_user_private_key_file }}" mode: "0600" - name: Write tripleo public key copy: content: "{{ public_key_get['content'] | b64decode }}" dest: "{{ defined_user_private_key_file }}.pub" mode: "0640" - name: Set key file fact set_fact: user_public_key: "{{ public_key_get['content'] | b64decode }}" user_private_key: "{{ private_key_get['content'] | b64decode }}" user_private_key_file: "{{ defined_user_private_key_file }}" - name: Ensure user can ssh to localhost authorized_key: user: "{{ ansible_user }}" key: "{{ user_public_key }}" become: true - name: Set node key fact set_fact: node_key_fact: "{{ lookup('env', 'ANSIBLE_PRIVATE_KEY_FILE') or (ansible_ssh_private_key_file | default(ansible_home ~ '/.ssh/id_rsa')) }}" - name: Add ssh-servers add_host: hostname: "{{ item }}" groups: tripleo_queues user_public_key: "{{ user_public_key }}" user_private_key: "{{ user_private_key }}" user_private_key_file: "{{ user_private_key_file }}" ansible_user: "{{ ssh_user | default(ansible_user) }}" ansible_ssh_private_key_file: "{{ node_key_fact }}" changed_when: false loop: '{{ set_ssh_servers | difference(((BlacklistedIpAddresses | length) < 1) | ternary([], BlacklistedIpAddresses)) }}' - name: Run Create admin hosts: localhost:tripleo_queues become: true any_errors_fatal: true gather_facts: false pre_tasks: # NOTE(cloudnull): The connection will allow for 40 minutes before failing. This time was chosen # because a server may take anywhere from 5 to 40 minutes to boot, and in large # deployments the number of "forks" may not accomodate all nodes running this # task in parallel. Because we don't know the all of the characteristics of the # machine being used, there's no way to compute the value appropriate for a # given node(s), so 40 minutes should accommodate most environments. - name: Wait for connection to become available wait_for_connection: sleep: 4 timeout: 2400 - name: Gather facts with an active connection setup: gather_subset: - '!facter' - '!ohai' roles: - role: tripleo_create_admin tripleo_admin_user: tripleo-admin tripleo_admin_pubkey: "{{ user_public_key }}" tripleo_admin_prikey: "{{ user_private_key }}" - name: Validate TripleO Admin Access hosts: localhost:tripleo_queues user: tripleo-admin gather_facts: false vars: ansible_ssh_private_key_file: "{{ user_private_key_file }}" tasks: - name: Ping host ping: {}