tripleo-heat-templates/common/generate-config-tasks.yaml
Alex Schultz 7168701091 Fix privilege escalation
This change enabled become: true to the deploy step and host prep task
execution. external tasks are still become: false as they are delegated
to localhost and run as the same user running the deployment.

Change-Id: I79631ce0ed450febae96db2f32198e02eb427d91
Related-Bug: #1883609
(cherry picked from commit 4e39acd147)
2020-07-13 01:32:49 +00:00

110 lines
4.6 KiB
YAML

- name: Block for container-puppet tasks (generate config) during step 1 with paunch
when:
- enable_paunch|bool
tags:
- container_config
block:
- name: Run container-puppet tasks (generate config) during step 1 with paunch
async: 3600
poll: 0
shell: "{{ python_cmd }} /var/lib/container-puppet/container-puppet.py"
environment:
NET_HOST: 'true'
DEBUG: '{{ docker_puppet_debug | bool }}'
PROCESS_COUNT: "{{ docker_puppet_process_count }}"
CONTAINER_CLI: "{{ container_cli }}"
CONFIG: '/var/lib/container-puppet/{{ ansible_check_mode | bool | ternary("check-mode/", "") }}container-puppet.json'
CONFIG_VOLUME_PREFIX: '/var/lib/config-data{{ ansible_check_mode | bool | ternary("/check-mode", "") }}'
CHECK_MODE: '{{ ansible_check_mode | bool | ternary(1, 0) }}'
STARTUP_CONFIG_PATTERN: '/var/lib/tripleo-config/container-startup-config/*/{{ ansible_check_mode | bool | ternary("check-mode/", "") }}*.json'
MOUNT_HOST_PUPPET: '{{docker_puppet_mount_host_puppet | default(true)}}'
CONTAINER_LOG_STDOUT_PATH: "{{ container_log_stdout_path }}"
CONTAINER_HEALTHCHECK_DISABLED: "{{ container_healthcheck_disabled }}"
SHORT_HOSTNAME: "{{ ansible_hostname | lower }}"
check_mode: no
register: generate_config_async_result
- name: Wait for container-puppet tasks (generate config) to finish
async_status:
jid: "{{ generate_config_async_result.ansible_job_id }}"
register: generate_config_outputs
until: generate_config_outputs.finished
retries: 1200
delay: 3
when:
- not (ansible_check_mode | bool)
- name: "Debug output for task: Run container-puppet tasks (generate config) during step 1"
debug:
var: generate_config_outputs.stdout_lines | default([]) | union(generate_config_outputs.stderr_lines | default([]))
when:
- not (ansible_check_mode | bool)
- generate_config_outputs.rc is defined
failed_when: generate_config_outputs.rc != 0
- name: Block for container-puppet tasks (generate config) during step {{ step }} with tripleo-ansible
when:
- not (enable_paunch|bool)
become: true
tags:
- container_config
block:
- name: Create base directory puppet configs
file:
path: "/var/lib/tripleo-config/container-puppet-config"
mode: 0700
recurse: true
setype: svirt_sandbox_file_t
- name: "Generate container puppet configs for step {{ step }}"
container_puppet_config:
check_mode: '{{ ansible_check_mode | bool | ternary(1, 0) }}'
config_vol_prefix: "/var/lib/config-data{{ ansible_check_mode | bool | ternary('/check-mode', '') }}"
debug: "{{ docker_puppet_debug | bool }}"
net_host: true
no_archive: false
puppet_config: "/var/lib/container-puppet/{{ ansible_check_mode | bool | ternary('check-mode/', '') }}container-puppet.json"
short_hostname: "{{ ansible_hostname | lower }}"
step: "{{ step }}"
- name: "Manage Puppet containers (generate config) for step {{ step }} with tripleo-ansible"
include_role:
name: tripleo-container-manage
vars:
tripleo_container_manage_concurrency: "{{ docker_puppet_process_count }}"
tripleo_container_manage_systemd_order: false
tripleo_container_manage_systemd_teardown: false
tripleo_container_manage_config: "/var/lib/tripleo-config/container-puppet-config/step_{{ step }}"
tripleo_container_manage_config_patterns: 'container-puppet-*.json'
tripleo_container_manage_config_id: "tripleo_puppet_step{{ step }}"
tripleo_container_manage_debug: "{{ docker_puppet_debug | bool }}"
# puppet with --detailed-exitcodes will return 0 for success and
# no changes and 2 for success and resource changes. Other
# numbers are failures
tripleo_container_manage_valid_exit_code: [0, 2]
- name: Diff puppet-generated changes for check mode
become: true
shell: |
diff -ruN --no-dereference -q /var/lib/config-data/puppet-generated /var/lib/config-data/check-mode/puppet-generated
diff -ruN --no-dereference /var/lib/config-data/puppet-generated /var/lib/config-data/check-mode/puppet-generated
register: diff_results
tags:
- container_config
check_mode: no
when:
- ansible_check_mode|bool
- ansible_diff_mode
failed_when: false
changed_when: diff_results.rc == 1
- name: Diff puppet-generated changes for check mode
debug:
var: diff_results.stdout_lines
changed_when: diff_results.rc == 1
when:
- ansible_check_mode|bool
- ansible_diff_mode
tags:
- container_config