Fix delegation with FreeIPA cleanup

Previously, we were delegating the IPA cleanup role to the undercloud
via localhost. This is because the keytab used to authenticate to
FreeIPA and perform the cleanup of host entries during scale down is on
the undercloud. However, when using train, ansible is invoked from the
mistral container when using `delegate_to: localhost`. In this case,
you'll end up with a privilege escalation error:

  "sudo: unable to open /run/sudo/ts/mistral: Permission denied\nsudo: a password is required\n",

This is because the mistral container doesn't have passwordless sudo,
resulting in a failed privilege escalation.

Instead, we should make sure we delegate this task to the Undercloud,
where we know the tripleo-admin user is set up properly.

Change-Id: I844f78c520d7b507d906faf7242e72dd717f9cb5
Related-Bug: 1891317
Lance Bragstad 2020-08-12 14:30:16 -05:00
parent 60a1abe1c7
commit 1547fc8e30
1 changed files with 1 additions and 1 deletions

@ -160,7 +160,7 @@ outputs:
- name: unregister node from ipa server
import_role:
name: tripleo_ipa_cleanup
delegate_to: localhost
delegate_to: Undercloud
vars:
tripleo_ipa_keytab: {get_param: IdMNovaKeytab}
tripleo_ipa_hosts_to_delete:
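
Review bot: `delegate_to: Undercloud` on the `import_role` task hard-codes an inventory name, and nothing in the template says why it must not be `localhost`. `delegate_to` expects a host name that the inventory can resolve, and inventory names are case-sensitive, so it is worth confirming that the generated inventory exposes `Undercloud` as a host and not only as a group. Because the key sits on `import_role`, every task in `tripleo_ipa_cleanup` inherits the delegation, which means the keytab passed in `tripleo_ipa_keytab` is used on that host for the whole role. A one-line comment above the key, stating that the FreeIPA keytab lives on the undercloud and that `localhost` runs inside the mistral container without passwordless sudo, would keep a later cleanup from reverting this.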