openstack/tripleo-ansible
Code Issues Proposed changes
f9ed14f58c
tripleo-ansible/tripleo_ansible/playbooks/cli-enable-ssh-admin.yaml
Kevin Carter 43aa2c6a44
Improve deployer UX by limiting failure output potential 
This change will improve the deployer UX by ensuring that the log output does not show
failed tasks. While the potential for failed tasks should be rescued, and complete
successfully, the output confusing and could result in the operator taking unnecessary
debugging steps during a deployment. To ensure that the output is accurate and easy
to understand the playbook will now stat the required file and the needed blocks
will only execute when the appropriate conditions are met.

Change-Id: I0e69f44a6e06926a8987defa96c7ffac167ccdb5
Signed-off-by: Kevin Carter <kecarter@redhat.com>
2020-05-14 08:31:31 -05:00

241 lines
8.1 KiB
YAML
Raw Blame History

---
# Copyright 2019 Red Hat, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
- name: Playbook for establishing ssh keys
connection: "{{ (tripleo_target_host is defined) | ternary('ssh', 'local') }}"
hosts: "{{ tripleo_target_host | default('localhost') }}"
remote_user: "{{ tripleo_target_user | default(lookup('env', 'USER')) }}"
gather_facts: "{{ (tripleo_target_host is defined) | ternary(true, false) }}"
any_errors_fatal: true
handlers:
- name: Remove mistral tmp file
file:
path: "{{ tempfile_1.path }}"
state: absent
tasks:
- name: No ssh servers defined
fail:
msg: >-
The ssh_servers option was undefined.
when:
- ssh_servers is undefined
- name: No cloud name is defined
fail:
msg: >-
The tripleo_cloud_name option was undefined.
when:
- tripleo_cloud_name is undefined
- name: Run blacklist IP check
command: >-
openstack --os-cloud undercloud stack output show {{ tripleo_cloud_name }} BlacklistedIpAddresses -f yaml
register: blacklist_cmd
changed_when: false
async: 1000
poll: 0
- name: Retrieve compute managed network ports
os_port_facts:
cloud: undercloud
filters:
status: ACTIVE
changed_when: false
register: port_check
async: 1000
poll: 0
- name: Set local connection user facts
set_fact:
ansible_home: "{{ lookup('env', 'HOME') }}"
ansible_user: "{{ lookup('env', 'USER') }}"
run_once: true
when:
- (tripleo_target_host is defined) | ternary('ssh', 'local') == 'local'
- name: Set facts for ssh servers and user private key file
set_fact:
set_ssh_servers: "{{ ssh_servers }}"
defined_user_private_key_file: "{{ user_private_key_file | default(ansible_home ~ '/.ssh/id_rsa_tripleo') }}"
run_once: true
- name: Ensure .ssh directory
file:
path: "{{ ansible_home }}/.ssh"
state: directory
mode: "0700"
owner: "{{ ansible_user }}"
become: true
- name: Ensure ssh key pair
user:
name: "{{ ansible_user }}"
generate_ssh_key: true
ssh_key_bits: 4096
ssh_key_file: "{{ ansible_home }}/.ssh/id_rsa"
become: true
- name: Stat key file
stat:
path: "{{ defined_user_private_key_file }}"
register: key_check
- name: Key block
when:
- user_public_key is undefined
- user_private_key is undefined
- user_private_key_file is undefined
block:
- name: Read key block
run_once: true
when:
- key_check.stat.exists | bool
block:
- name: Get local private key
slurp:
src: "{{ defined_user_private_key_file }}"
register: private_key_get
become: true
- name: Get local public key
slurp:
src: "{{ defined_user_private_key_file }}.pub"
register: public_key_get
become: true
- name: Set key facts
set_fact:
user_public_key: "{{ public_key_get['content'] | b64decode }}"
user_private_key: "{{ private_key_get['content'] | b64decode }}"
user_private_key_file: "{{ defined_user_private_key_file }}"
- name: Read and create key block
run_once: true
when:
- not (key_check.stat.exists | bool)
block:
- name: Get local private key
slurp:
src: "{{ ansible_home }}/.ssh/id_rsa"
register: private_key_get
become: true
- name: Get local public key
slurp:
src: "{{ ansible_home }}/.ssh/id_rsa.pub"
register: public_key_get
become: true
- name: Write tripleo private key
copy:
content: "{{ private_key_get['content'] | b64decode }}"
dest: "{{ defined_user_private_key_file }}"
mode: "0600"
- name: Write tripleo public key
copy:
content: "{{ public_key_get['content'] | b64decode }}"
dest: "{{ defined_user_private_key_file }}.pub"
mode: "0640"
- name: Set key file fact
set_fact:
user_public_key: "{{ public_key_get['content'] | b64decode }}"
user_private_key: "{{ private_key_get['content'] | b64decode }}"
user_private_key_file: "{{ defined_user_private_key_file }}"
- name: Ensure user can ssh to localhost
authorized_key:
user: "{{ ansible_user }}"
key: "{{ user_public_key }}"
become: true
- name: Block on async blacklist check
async_status:
jid: "{{ blacklist_cmd.ansible_job_id }}"
register: blacklist_cmd_job_result
until: blacklist_cmd_job_result.finished
retries: 30
- name: Set BlacklistedIpAddresses fact
set_fact:
BlacklistedIpAddresses: "{{ (blacklist_cmd_job_result.stdout | from_yaml)['output_value'] }}"
- name: Block on async port check
async_status:
jid: "{{ port_check.ansible_job_id }}"
register: port_check_job_result
until: port_check_job_result.finished
retries: 30
- name: Set ManagedIpAddresses fact
set_fact:
ManagedIpAddresses: "{{ openstack_ports | map(attribute='fixed_ips') | sum(start=[]) | map(attribute='ip_address') | list }}"
- name: Set node key fact
set_fact:
node_key_fact: "{{ lookup('env', 'ANSIBLE_PRIVATE_KEY_FILE') or (ansible_ssh_private_key_file | default(ansible_home ~ '/.ssh/id_rsa')) }}"
- name: Add ssh-servers
add_host:
hostname: "{{ item }}"
groups: tripleo_queues
user_public_key: "{{ user_public_key }}"
user_private_key: "{{ user_private_key }}"
user_private_key_file: "{{ user_private_key_file }}"
ansible_user: "{{ (item in ManagedIpAddresses) | ternary('heat-admin', (ssh_user | default(ansible_user))) }}"
ansible_ssh_private_key_file: "{{ node_key_fact }}"
changed_when: false
loop: '{{ set_ssh_servers | difference(((BlacklistedIpAddresses | length) < 1) | ternary([], BlacklistedIpAddresses)) }}'
- name: Run Create admin
hosts: localhost:tripleo_queues
become: true
any_errors_fatal: true
gather_facts: false
pre_tasks:
# NOTE(cloudnull): The connection will allow for 40 minutes before failing. This time was chosen
# because a server may take anywhere from 5 to 40 minutes to boot, and in large
# deployments the number of "forks" may not accomodate all nodes running this
# task in parallel. Because we don't know the all of the characteristics of the
# machine being used, there's no way to compute the value appropriate for a
# given node(s), so 40 minutes should accommodate most environments.
- name: Wait for connection to become available
wait_for_connection:
sleep: 4
timeout: 2400
- name: Gather facts with an active connection
setup:
gather_subset:
- '!facter'
- '!ohai'
roles:
- role: tripleo_create_admin
tripleo_admin_user: tripleo-admin
tripleo_admin_pubkey: "{{ user_public_key }}"
- name: Validate TripleO Admin Access
hosts: localhost:tripleo_queues
user: tripleo-admin
gather_facts: false
vars:
ansible_ssh_private_key_file: "{{ user_private_key_file }}"
tasks:
- name: Ping host
ping: {}
View Git Blame Copy Permalink