tripleo-heat-templates/common/generate-config-tasks.yaml
Alex Schultz 4e39acd147 Fix privilege escalation
This change enabled become: true to the deploy step and host prep task
execution. external tasks are still become: false as they are delegated
to localhost and run as the same user running the deployment.

Change-Id: I79631ce0ed450febae96db2f32198e02eb427d91
Related-Bug: #1883609
2020-07-05 16:20:00 -04:00

64 lines
2.6 KiB
YAML

- name: Block for container-puppet tasks (generate config) during step {{ step }} with tripleo-ansible
become: true
tags:
- container_config
block:
- name: Create base directory puppet configs
file:
path: "/var/lib/tripleo-config/container-puppet-config"
mode: 0700
recurse: true
setype: svirt_sandbox_file_t
- name: "Generate container puppet configs for step {{ step }}"
container_puppet_config:
check_mode: '{{ ansible_check_mode | bool | ternary(1, 0) }}'
config_vol_prefix: "/var/lib/config-data{{ ansible_check_mode | bool | ternary('/check-mode', '') }}"
debug: "{{ docker_puppet_debug | bool }}"
net_host: true
no_archive: false
puppet_config: "/var/lib/container-puppet/{{ ansible_check_mode | bool | ternary('check-mode/', '') }}container-puppet.json"
short_hostname: "{{ ansible_hostname | lower }}"
step: "{{ step }}"
- name: "Manage Puppet containers (generate config) for step {{ step }} with tripleo-ansible"
include_role:
name: tripleo_container_manage
vars:
tripleo_container_manage_concurrency: "{{ docker_puppet_process_count }}"
tripleo_container_manage_systemd_order: false
tripleo_container_manage_systemd_teardown: false
tripleo_container_manage_config: "/var/lib/tripleo-config/container-puppet-config/step_{{ step }}"
tripleo_container_manage_config_patterns: 'container-puppet-*.json'
tripleo_container_manage_config_id: "tripleo_puppet_step{{ step }}"
tripleo_container_manage_debug: "{{ docker_puppet_debug | bool }}"
# puppet with --detailed-exitcodes will return 0 for success and
# no changes and 2 for success and resource changes. Other
# numbers are failures
tripleo_container_manage_valid_exit_code: [0, 2]
- name: Diff puppet-generated changes for check mode
become: true
shell: |
diff -ruN --no-dereference -q /var/lib/config-data/puppet-generated /var/lib/config-data/check-mode/puppet-generated
diff -ruN --no-dereference /var/lib/config-data/puppet-generated /var/lib/config-data/check-mode/puppet-generated
register: diff_results
tags:
- container_config
check_mode: no
when:
- ansible_check_mode|bool
- ansible_diff_mode
failed_when: false
changed_when: diff_results.rc == 1
- name: Diff puppet-generated changes for check mode
debug:
var: diff_results.stdout_lines
changed_when: diff_results.rc == 1
when:
- ansible_check_mode|bool
- ansible_diff_mode
tags:
- container_config