Fix delegation with FreeIPA cleanup

Previously, we were delegating the IPA cleanup role to the undercloud
via localhost. This is because the keytab used to authenticate to
FreeIPA and perform the cleanup of host entries during scale down is on
the undercloud. However, when using train, ansible is invoked from the
mistral container when using `delegate_to: localhost`. In this case,
you'll end up with a privilege escalation error:

  "sudo: unable to open /run/sudo/ts/mistral: Permission denied\nsudo: a password is required\n",

This is because the mistral container doesn't have passwordless sudo,
resulting in a failed privilege escalation.

Instead, we should make sure we delegate this task to the Undercloud,
where we know the tripleo-admin user is set up properly.

Change-Id: I844f78c520d7b507d906faf7242e72dd717f9cb5
Related-Bug: 1891317
(cherry picked from commit 1547fc8e30df3745c615d10653e9febbbb0d37bc)
changes/56/745956/1
Lance Bragstad 10 months ago
parent
commit
d0c5bcac80
1 changed files with 1 additions and 1 deletions
deployment/ipa/ipaservices-baremetal-ansible.yaml

@ -160,7 +160,7 @@ outputs:
- name: unregister node from ipa server
import_role:
name: tripleo_ipa_cleanup
delegate_to: localhost
delegate_to: Undercloud
vars:
tripleo_ipa_keytab: {get_param: IdMNovaKeytab}
tripleo_ipa_hosts_to_delete:
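
Review bot: The new `delegate_to: Undercloud` line hardcodes an inventory name and carries no comment saying why `localhost` is wrong here, so a later cleanup could switch it back and reintroduce the sudo failure quoted in the commit message. Please add a short YAML comment above the task stating that the role must run on the undercloud, because the keytab passed in `tripleo_ipa_keytab` lives there and the delegated host needs working privilege escalation. It is also worth confirming that every inventory this template is rendered against defines a host or group named exactly `Undercloud`; otherwise the unregister task fails during scale down and the host entries are left behind in FreeIPA.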

