b2e6edfc26
The Octavia amphora image RPM failed to install on the undercloud on Red Hat platforms. The reason was that the Ansible playbook, specifically the octavia-undercloud role, runs as part of the octavia_post_deploy workbook as the 'mistral' user, which is a non-privileged user. Because of this, the overcloud deployment exits with an error when the Octavia service is enabled and tries to install the RPM or update it to its latest version.

This fix is not ideal. Other ways of fixing it have been attempted and didn't work. For example, moving the image installation and further image handling logic to an overcloud controller node where we would have privileged user access to install the RPM. It proved to be less optimal than the current approach because a) the controller node would need to be subscribed to Red Hat OpenStack Platform RPM channels, which in many cases does not happen, and b) it would require reaching the Internet to download the RPM.

This patch instead switches to using the Ansible raw module [1] and whitelists a yum command in sudoers for the mistral user. Neither the yum, shell nor command modules can be used, as they run as Ansible sends Python code to be executed on the targeted servers. Had we gone down that path, we'd have needed to whitelist an ugly and insecure regex as follows:

    mistral ALL = NOPASSWD: /usr/bin/python /tmp/ansible-*/yum.py*

So, instead the raw module had to be used as it bypasses Ansible's module subsystem. Ansible runs the command directly on the target host and we can predictably allow execution of that particular command with privileged access.

[1] http://docs.ansible.com/ansible/latest/modules/raw_module.html

Closes-Bug: #1772880
Change-Id: I84b0d4f18f1c382201dd5cf782152c5e973da513
6 lines
176 B
YAML
---
fixes:
- Fix Octavia amphora image RPM install on undercloud node for Red Hat based
deployments (`bug 1772880
<https://bugs.launchpad.net/tripleo/+bug/1772880>`)
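Review bot: the bug link that spans the last two lines of the fixes entry ends with a closing backtick but no trailing underscore, so reStructuredText will not treat it as a hyperlink; close it as `...+bug/1772880>`_ so the bug number renders as a link. The entry also describes only the symptom. The commit message says the fix whitelists a yum command in sudoers for the mistral user on the undercloud, which is a privilege change operators will want to audit, so consider adding a sentence about it here or a separate entry under a security section.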