
Fix privilege escalation

This change enables become: true for the deploy step and host prep task
execution. External tasks are still become: false as they are delegated
to localhost and run as the same user running the deployment.

Change-Id: I79631ce0ed450febae96db2f32198e02eb427d91
Related-Bug: #1883609
(cherry picked from commit 4e39acd147)
tags/12.4.0
Alex Schultz 1 month ago
committed by Emilien Macchi
parent
commit
f917423be9
8 changed files with 39 additions and 2 deletions
  1. +1
    -0
      common/deploy-steps-playbooks-common.yaml
  2. +3
    -0
      common/deploy-steps-tasks-step-0.j2.yaml
  3. +20
    -0
      common/deploy-steps-tasks-step-1.yaml
  4. +4
    -0
      common/deploy-steps-tasks.yaml
  5. +7
    -0
      common/deploy-steps.j2
  6. +2
    -0
      common/generate-config-tasks.yaml
  7. +1
    -0
      common/hiera-steps-tasks.yaml
  8. +1
    -2
      deployment/logrotate/tmpwatch-install.yaml

+ 1
- 0
common/deploy-steps-playbooks-common.yaml View File

@@ -33,6 +33,7 @@

- hosts: "{{ deploy_target_host }}"
name: Ensure /var/lib/config-data context
become: true
gather_facts: false
any_errors_fatal: yes
tasks:
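Review bot: Play-level `become: true` on the "Ensure /var/lib/config-data context" play is inherited by every task in the play, including any that are delegated to localhost, so the commit message's claim that external tasks stay `become: false` holds only if each such task sets `become: false` explicitly; the task list is outside the hunk, so that cannot be confirmed here. The same applies to the plays that receive play-level `become: true` in common/deploy-steps.j2 in this commit (Deploy step tasks for step 0, Host prep steps, Deploy step tasks for {{step}}, Server Post Deployments, Upgrade tasks for step {{step}}). A short comment next to the keyword would make the contract explicit, e.g. `# Play-wide escalation; tasks delegated to localhost must set become: false explicitly.`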


+ 3
- 0
common/deploy-steps-tasks-step-0.j2.yaml View File

@@ -5,8 +5,10 @@
msg: Use --start-at-task 'Deploy step tasks for step 0' to resume from this task
when: "tripleo_minor_update is not defined or tripleo_minor_update != 'true'"
- name: Ensure /var/log/journal exists
become: true
file: path=/var/log/journal state=directory mode=0750 owner=root group=root setype=var_log_t
- name: Create /var/lib/container-puppet
become: true
no_log: True
file: path=/var/lib/container-puppet state=directory setype=container_file_t selevel=s0 recurse=true
- name: Write container-puppet.py if Paunch is enabled
@@ -22,6 +24,7 @@
when:
- not enable_paunch|default(false)
- name: Write container-puppet.sh
become: true
no_log: True
copy: src=container_puppet_script.yaml dest=/var/lib/container-puppet/container-puppet.sh force=yes mode=0755 setype=container_file_t
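Review bot: The added `become: true` on "Create /var/lib/container-puppet" and "Write container-puppet.sh" sits next to `no_log: True`, so a privilege-escalation failure (for example the deploy user not being allowed to sudo) will be reported with its details censored, which makes the new requirement hard to diagnose in the field. Neither task handles secret material as far as the hunk shows (a directory and a script shipped with the templates), so consider dropping `no_log` there or documenting why it is kept, e.g. `# no_log kept deliberately: <reason>`. The same pairing of new `become: true` with `no_log: True` appears in common/deploy-steps-tasks-step-1.yaml (the step_config manifest, container-puppet.json, container config scripts, readme and kolla config copy tasks) and in common/deploy-steps-tasks.yaml ("Write the config_step hieradata"). As a point of style, the new lines use lowercase `true` while the adjacent `no_log: True` does not; aligning on `true`/`false` avoids the YAML 1.1 truthy-value ambiguity.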



+ 20
- 0
common/deploy-steps-tasks-step-1.yaml View File

@@ -1,4 +1,5 @@
- name: Create and ensure setype for /var/log/containers directory
become: true
file:
path: /var/log/containers
state: directory
@@ -9,6 +10,7 @@
- host_config

- name: Create ContainerLogStdoutPath directory
become: true
file:
path: "{{ container_log_stdout_path }}"
state: directory
@@ -17,6 +19,7 @@
- host_config

- name: Create /var/lib/tripleo-config directory
become: true
file:
path: /var/lib/tripleo-config
state: directory
@@ -31,6 +34,7 @@
- container_startup_configs

- name: Delete existing /var/lib/tripleo-config/check-mode directory for check mode
become: true
file:
path: /var/lib/tripleo-config/check-mode
state: absent
@@ -45,6 +49,7 @@
check_mode: no

- name: Create /var/lib/tripleo-config/check-mode directory for check mode
become: true
file:
path: /var/lib/tripleo-config/check-mode
state: directory
@@ -63,6 +68,7 @@

# Puppet manifest for baremetal host configuration
- name: Write the puppet step_config manifest
become: true
no_log: True
copy:
content: "{{ lookup('file', tripleo_role_name + '/step_config.pp', errors='ignore') | default('', True) }}"
@@ -99,6 +105,7 @@

# Puppet Containers Config directory used to generate container configs
- name: Create /var/lib/container-puppet
become: true
file:
path: /var/lib/container-puppet
state: directory
@@ -109,6 +116,7 @@
- container_config_tasks

- name: Delete existing /var/lib/container-puppet/check-mode for check mode
become: true
file:
path: /var/lib/container-puppet/check-mode
state: absent
@@ -119,6 +127,7 @@
- ansible_check_mode|bool

- name: Create /var/lib/container-puppet/check-mode for check mode
become: true
file:
path: /var/lib/container-puppet/check-mode
state: directory
@@ -131,6 +140,7 @@
- ansible_check_mode|bool

- name: Write container-puppet.json file
become: true
no_log: True
copy:
content: "{{ lookup('file', tripleo_role_name + '/puppet_config.yaml', errors='ignore') | default([], True) | from_yaml | to_nice_json }}"
@@ -166,6 +176,7 @@
- container_config

- name: Create /var/lib/container-config-scripts
become: true
file:
path: /var/lib/container-config-scripts
state: directory
@@ -177,6 +188,7 @@
# /var/lib/container-startup-configs.json is removed as we now write
# per-step files instead
- name: Clean old /var/lib/container-startup-configs.json file
become: true
file:
path: /var/lib/container-startup-configs.json
state: absent
@@ -185,6 +197,7 @@

# For legacy, can be removed in Train cycle
- name: Clean old /var/lib/docker-container-startup-configs.json file
become: true
file:
path: /var/lib/docker-container-startup-configs.json
state: absent
@@ -193,6 +206,7 @@


- name: Write container config scripts
become: true
no_log: True
copy:
content: "{{ item[1].content }}"
@@ -212,6 +226,7 @@
# /var/lib/tripleo-config/container-startup-config/step_X/<container_name>.json
# Can be removed in V cycle
- name: Write /var/lib/tripleo-config/container-startup-config-readme.txt
become: true
no_log: True
copy:
content: "Container startup configs moved to /var/lib/tripleo-config/container-startup-config"
@@ -235,6 +250,7 @@
- container_startup_configs

- name: Create /var/lib/kolla/config_files directory
become: true
file:
path: /var/lib/kolla/config_files
state: directory
@@ -245,6 +261,7 @@
- container_startup_configs

- name: Create /var/lib/config-data directory
become: true
file:
path: /var/lib/config-data
state: directory
@@ -252,6 +269,7 @@
selevel: s0

- name: Write kolla config json files
become: true
no_log: True
copy:
content: "{{ item[1] | to_nice_json }}"
@@ -299,6 +317,7 @@
- container_config

- name: Create /etc/puppet/check-mode/hieradata directory for check mode
become: true
file:
path: /etc/puppet/check-mode/hieradata
state: directory
@@ -314,6 +333,7 @@
- container_config

- name: Create puppet check-mode files if they don't exist for check mode
become: true
shell: |
cp -a /etc/puppet/hiera.yaml /etc/puppet/check-mode/hiera.yaml
cp -a /etc/puppet/hieradata/* /etc/puppet/check-mode/hieradata/
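Review bot: The file now carries `become: true` on every task, starting with "Create and ensure setype for /var/log/containers directory", but nothing says why task-level escalation is used when the plays that include this file in common/deploy-steps.j2 also receive play-level `become: true` in the same commit; a one-line header comment would keep a later cleanup from stripping either. Something like `# Each task escalates on its own so the file stays correct when included from a play that does not set become.` captures that intent, assuming it is the reason. The check-mode `shell` task at the end (`cp -a /etc/puppet/hieradata/* ...`) now runs as root and `cp -a` preserves the source ownership and mode on the copies, which looks intended but is worth stating in a comment on that task.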


+ 4
- 0
common/deploy-steps-tasks.yaml View File

@@ -3,6 +3,7 @@
#####################################################

- name: Write the config_step hieradata
become: true
no_log: True
copy:
content: "{{ dict(step=step|int) | to_json }}"
@@ -14,6 +15,7 @@
- host_config

- name: Run puppet host configuration for step {{ step }}
become: true
async: 3600
poll: 0
when: enable_puppet|bool
@@ -132,6 +134,7 @@

- name: Per step starting of the containers using tripleo-ansible
when: not enable_paunch|default(true)
become: true
environment:
TRIPLEO_MINOR_UPDATE: '{{ tripleo_minor_update | default(false) }}'
block:
@@ -158,6 +161,7 @@
########################################################

- name: "Clean container_puppet_tasks for {{ansible_hostname | lower}} step {{step}}"
become: true
file:
path: /var/lib/container-puppet/container-puppet-tasks{{step}}.json
state: absent


+ 7
- 0
common/deploy-steps.j2 View File

@@ -449,6 +449,7 @@ outputs:
any_errors_fatal: yes
tasks:
- name: Set selinux state
become: true
selinux:
policy: targeted
state: SELINUX_MODE
@@ -488,6 +489,7 @@ outputs:

- hosts: {{primary_role_name}}:DEPLOY_TARGET_HOST
name: Deploy step tasks for step 0
become: true
gather_facts: "{% raw %}{{ gather_facts | default(false) }}{% endraw %}"
any_errors_fatal: yes
vars:
@@ -558,6 +560,7 @@ outputs:
- "{{ tripleo_role_name ~ '/NetworkConfig' }}"

- name: NetworkConfig
become: true
block:
- name: Create /var/lib/tripleo-config/scripts directory
file:
@@ -646,6 +649,7 @@ outputs:

- hosts: {{primary_role_name}}:DEPLOY_TARGET_HOST
name: Host prep steps
become: true
gather_facts: "{% raw %}{{ gather_facts | default(false) }}{% endraw %}"
any_errors_fatal: yes
vars:
@@ -709,6 +713,7 @@ outputs:

- hosts: {{primary_role_name}}:DEPLOY_TARGET_HOST
name: Deploy step tasks for {{step}}
become: true
gather_facts: "{% raw %}{{ gather_facts | default(false) }}{% endraw %}"
any_errors_fatal: yes
# FIXME(shardy) - it would be nice to use strategy: free to
@@ -788,6 +793,7 @@ outputs:
{%- endfor %}
- hosts: {{primary_role_name}}:DEPLOY_TARGET_HOST
name: Server Post Deployments
become: true
gather_facts: "{% raw %}{{ gather_facts | default(false) }}{% endraw %}"
any_errors_fatal: yes
tasks:
@@ -995,6 +1001,7 @@ outputs:
{%- for step in range(0,upgrade_steps_max) %}
- hosts: DEPLOY_TARGET_HOST
name: Upgrade tasks for step {{step}}
become: true
gather_facts: "{% raw %}{{ gather_facts | default(false) }}{% endraw %}"
any_errors_fatal: yes
vars:


+ 2
- 0
common/generate-config-tasks.yaml View File

@@ -43,6 +43,7 @@
- name: Block for container-puppet tasks (generate config) during step {{ step }} with tripleo-ansible
when:
- not enable_paunch|default(true)
become: true
tags:
- container_config
block:
@@ -81,6 +82,7 @@
tripleo_container_manage_valid_exit_code: [0, 2]

- name: Diff puppet-generated changes for check mode
become: true
shell: |
diff -ruN --no-dereference -q /var/lib/config-data/puppet-generated /var/lib/config-data/check-mode/puppet-generated
diff -ruN --no-dereference /var/lib/config-data/puppet-generated /var/lib/config-data/check-mode/puppet-generated


+ 1
- 0
common/hiera-steps-tasks.yaml View File

@@ -2,6 +2,7 @@
include_role:
name: tripleo_hieradata
- name: Hiera symlink
become: true
file:
src: /etc/puppet/hiera.yaml
dest: /etc/hiera.yaml
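Review bot: `become: true` is added to "Hiera symlink" but not to the `include_role: tripleo_hieradata` task directly above it (whose name line is outside the hunk); if that role writes under /etc/puppet it now depends either on escalation inside its own tasks or on the play-level `become: true` set elsewhere in this commit, and neither can be confirmed from this hunk. If the role is meant to escalate here, `become: true` belongs on the include_role task as well; otherwise a comment such as `# tripleo_hieradata escalates in its own tasks` would document the asymmetry.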


+ 1
- 2
deployment/logrotate/tmpwatch-install.yaml View File

@@ -36,9 +36,8 @@ outputs:
description: Role data for tmpwatch install
value:
service_name: logrotate_tmpwatch
deploy_steps_tasks:
host_prep_tasks:
- name: install tmpwatch on the host
when: step|int == 1
package:
name: tmpwatch
state: installed
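Review bot: Moving the tmpwatch install to host_prep_tasks drops the `when: step|int == 1` guard consistently (host prep has no step), but the task carries no `become: true` of its own and so relies on the play-level escalation added to "Host prep steps" in common/deploy-steps.j2 by the same commit; if this template is ever consumed by a play that does not escalate, the package install will fail. A comment such as `# runs under the Host prep steps play, which escalates` would record that dependency. As a point of style, `state: installed` is a yum/dnf alias; `state: present` is the portable value for the generic package module.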
