From 1547fc8e30df3745c615d10653e9febbbb0d37bc Mon Sep 17 00:00:00 2001
From: Lance Bragstad
Date: Wed, 12 Aug 2020 14:30:16 -0500
Subject: [PATCH] Fix delegation with FreeIPA cleanup
Previously, we were delegating the IPA cleanup role to the undercloud via localhost. This is because the keytab used to authenticate to FreeIPA and perform the cleanup of host entries during scale down is on the undercloud. However, when using train, ansible is invoked from the mistral container when using `delegate_to: localhost`. In this case, you'll end up with a privilege escalation error: "sudo: unable to open /run/sudo/ts/mistral: Permission denied\nsudo: a password is required\n", This is because the mistral container doesn't have passwordless sudo, resulting in a failed privilege escalation. Instead, we should make sure we delegate this task to the Undercloud, where we know the tripleo-admin user is setup properly.
Change-Id: I844f78c520d7b507d906faf7242e72dd717f9cb5
Related-Bug: 1891317
---
 deployment/ipa/ipaservices-baremetal-ansible.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/deployment/ipa/ipaservices-baremetal-ansible.yaml b/deployment/ipa/ipaservices-baremetal-ansible.yaml
index b042171f9c..c159fa0e6a 100644
--- a/deployment/ipa/ipaservices-baremetal-ansible.yaml
+++ b/deployment/ipa/ipaservices-baremetal-ansible.yaml
@@ -160,7 +160,7 @@ outputs:
 - name: unregister node from ipa server
 import_role:
 name: tripleo_ipa_cleanup
- delegate_to: localhost
+ delegate_to: Undercloud
 vars:
 tripleo_ipa_keytab: {get_param: IdMNovaKeytab}
 tripleo_ipa_hosts_to_delete:
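Review bot: The new `delegate_to: Undercloud` line hard-codes a name that must resolve to exactly one inventory host, and nothing in the hunk guarantees that. `delegate_to` does not expand group names, so if `Undercloud` is an inventory group rather than a host (the inventory is not visible here), Ansible would treat it as a literal hostname to connect to; resolving it through the group, e.g. `delegate_to: "{{ groups['Undercloud'] | first }}"`, avoids depending on that. Because this task uses the `IdMNovaKeytab` credential to delete FreeIPA host entries, a comment above it would stop a later revert to localhost: `# Must run on the undercloud: the FreeIPA keytab lives there and the mistral container has no passwordless sudo`. The task's `vars` block continues past the end of the hunk.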