From 7b0ea15dbbdb8ba4b6f9fda7c53623e3197bd89c Mon Sep 17 00:00:00 2001 From: Jiri Podivin Date: Tue, 2 Jul 2024 09:07:43 +0200 Subject: [PATCH 1/5] Resolving TODO conditional nova template rendering The situation requiring the conditional implemented in 86502f8bef186b9d7da71c3d927c8752f64a716f has been resolved since merge of 05539a624fcd8baf60dcec6a60c7928edd9f4252 into dataplane-operator. The conditional serves no further purpose and should be safe to remove. Signed-off-by: Jiri Podivin --- roles/edpm_nova/tasks/install.yml | 11 +---------- roles/edpm_nova/templates/nova_compute.json.j2 | 2 -- 2 files changed, 1 insertion(+), 12 deletions(-) diff --git a/roles/edpm_nova/tasks/install.yml b/roles/edpm_nova/tasks/install.yml index ceaaff8b9..3761fb773 100644 --- a/roles/edpm_nova/tasks/install.yml +++ b/roles/edpm_nova/tasks/install.yml @@ -5,15 +5,6 @@ path: "{{ edpm_nova_tls_ca_src_dir }}/tls-ca-bundle.pem" register: ca_bundle_stat_res -# TODO(slagle) This is a temporary backwards compatible task so this can merge -# independently of the dataplane-operator change. This can be removed when -# https://github.com/openstack-k8s-operators/dataplane-operator/pull/885 -# merges. Remove the check in templates/nova_compute.json.j2 as well. -- name: Check if nova-custom ca bundle exists - ansible.builtin.stat: - path: "/var/lib/openstack/cacerts/nova-custom/tls-ca-bundle.pem" - register: nova_custom_ca_bundle_stat_res - - name: Render nova container tags: - install @@ -25,9 +16,9 @@ mode: "0644" vars: ca_bundle_exists: "{{ ca_bundle_stat_res.stat.exists }}" - nova_custom_ca_bundle_exists: "{{ nova_custom_ca_bundle_stat_res.stat.exists }}" notify: - Restart nova + - name: Deploy nova container tags: - install diff --git a/roles/edpm_nova/templates/nova_compute.json.j2 b/roles/edpm_nova/templates/nova_compute.json.j2 index 0f95ceae7..136ea50fe 100644 --- a/roles/edpm_nova/templates/nova_compute.json.j2 +++ b/roles/edpm_nova/templates/nova_compute.json.j2 
@@ -12,8 +12,6 @@ "/var/lib/openstack/config/nova:/var/lib/kolla/config_files:ro", {% if ca_bundle_exists|bool %} "{{ edpm_nova_tls_ca_src_dir }}/tls-ca-bundle.pem:/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem:ro,z", -{% elif nova_custom_ca_bundle_exists|bool %} - "/var/lib/openstack/cacerts/nova-custom/tls-ca-bundle.pem:/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem:ro,z", {% endif %} "/etc/localtime:/etc/localtime:ro", "/lib/modules:/lib/modules:ro", From 7d42f658c8a50ce9e571eb3af81a10a80086bf6b Mon Sep 17 00:00:00 2001 From: Jiri Podivin Date: Mon, 29 Jul 2024 10:42:10 +0200 Subject: [PATCH 2/5] Setting default ownership on file/dir creation Setting libvirt owner, resolving FIXME. Signed-off-by: Jiri Podivin --- .../tasks/derive_pci_device_spec.yml | 4 ++-- roles/edpm_extra_mounts/tasks/extra_mounts.yml | 4 ++-- roles/edpm_libvirt/tasks/configure.yml | 9 ++++----- roles/edpm_neutron_sriov/tasks/install.yml | 4 ++-- roles/edpm_nova/tasks/configure.yml | 8 ++++---- roles/edpm_swift/tasks/configure.yml | 8 ++++---- roles/edpm_users/tasks/main.yml | 4 ++-- 7 files changed, 20 insertions(+), 21 deletions(-) diff --git a/roles/edpm_derive_pci_device_spec/tasks/derive_pci_device_spec.yml b/roles/edpm_derive_pci_device_spec/tasks/derive_pci_device_spec.yml index 38fcef962..c7bd7c8ea 100644 --- a/roles/edpm_derive_pci_device_spec/tasks/derive_pci_device_spec.yml +++ b/roles/edpm_derive_pci_device_spec/tasks/derive_pci_device_spec.yml @@ -25,8 +25,8 @@ path: "{{ edpm_derive_pci_device_spec_conf_dir }}" setype: "container_file_t" state: directory - owner: "{{ ansible_user }}" - group: "{{ ansible_user }}" + owner: "{{ ansible_user | default(ansible_user_id) }}" + group: "{{ ansible_user | default(ansible_user_id) }}" mode: "0755" - name: Check if edpm node has the sriov nova conf diff --git a/roles/edpm_extra_mounts/tasks/extra_mounts.yml b/roles/edpm_extra_mounts/tasks/extra_mounts.yml index 67015dadf..a6a5b403e 100644 
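Review bot: The new fallback on `owner`/`group` in the edpm_derive_pci_device_spec directory task, `ansible_user | default(ansible_user_id)`, can resolve to different accounts depending on how the play is run, and nothing in the task documents that. `ansible_user_id` is a gathered fact, so it is undefined when fact gathering is disabled, and it reports the account the setup module ran as, which is root when facts were gathered under `become`. A comment above the task such as `# owner falls back to the fact-gathering user when ansible_user is unset; needs gathered facts` would record the intent, or the role could resolve the owner once into a role variable and reuse it. The same fallback is added in the edpm_libvirt, edpm_nova and edpm_swift hunks of this patch. The task itself starts above the hunk.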
--- a/roles/edpm_extra_mounts/tasks/extra_mounts.yml +++ b/roles/edpm_extra_mounts/tasks/extra_mounts.yml @@ -19,8 +19,8 @@ ansible.builtin.file: path: "{{ item.path }}" state: directory - owner: "{{ item.owner | default(omit) }}" - group: "{{ item.group | default(omit) }}" + owner: "{{ item.owner | default(ansible_user) | default(ansible_user_id) }}" + group: "{{ item.group | default(ansible_user) | default(ansible_user_id) }}" mode: "{{ item.mode | default('0775') }}" loop: "{{ edpm_default_mounts }}" tags: diff --git a/roles/edpm_libvirt/tasks/configure.yml b/roles/edpm_libvirt/tasks/configure.yml index a23d327ec..045637c25 100644 --- a/roles/edpm_libvirt/tasks/configure.yml +++ b/roles/edpm_libvirt/tasks/configure.yml @@ -16,8 +16,8 @@ path: "{{ item.path }}" state: directory setype: "{{ item.setype | default('container_file_t') }}" - owner: "{{ item.owner | default(ansible_user) }}" - group: "{{ item.group | default(ansible_user) }}" + owner: "{{ item.owner | default(ansible_user) | default(ansible_user_id) }}" + group: "{{ item.group | default(ansible_user) | default(ansible_user_id) }}" mode: "{{ item.mode | default(omit) }}" loop: - {"path": "/etc/tmpfiles.d/", "owner": "root", "group": "root"} @@ -36,9 +36,8 @@ src: "{{ item.src }}" dest: "/etc/{{ item.dest }}" mode: "{{ item.mode | default('0640') }}" - # FIXME: update to libvirt user/group - owner: "root" - group: "root" + owner: "{{ 'libvirt' | default(ansible_user) | default(ansible_user_id) }}" + group: "{{ 'libvirt' | default(ansible_user) | default(ansible_user_id) }}" loop: - {"src": "virtlogd.conf", "dest": "libvirt/virtlogd.conf"} - {"src": "virtnodedevd.conf", "dest": "libvirt/virtnodedevd.conf"} diff --git a/roles/edpm_neutron_sriov/tasks/install.yml b/roles/edpm_neutron_sriov/tasks/install.yml index 6c6f7e323..315b476b9 100644 --- a/roles/edpm_neutron_sriov/tasks/install.yml +++ b/roles/edpm_neutron_sriov/tasks/install.yml 
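Review bot: Replacing `default(omit)` with `default(ansible_user) | default(ansible_user_id)` on `owner` and `group` in edpm_extra_mounts changes behaviour for every `edpm_default_mounts` entry that sets no owner. With `omit` an existing directory kept its current ownership, whereas now it is chowned to the connection account on each run. If these paths are shared with services running under other accounts, that can give the login user write access it did not have, or take access away from the service. I would keep `owner: "{{ item.owner | default(omit) }}"` and set an owner only on the entries that need one. The same replacement appears in the edpm_neutron_sriov hunk, the second edpm_nova configure hunk (the `/var/lib/nova` loop) and the edpm_users hunk; the task starts above this hunk.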
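Review bot: In the second edpm_libvirt hunk, `'libvirt' | default(ansible_user) | default(ansible_user_id)` always evaluates to `libvirt`, because a string literal is never undefined; both `default()` calls are dead code and the line should read `owner: "libvirt"` if that owner is intended. The change also moves the daemon configuration files under `/etc/libvirt/` from root ownership to the service account, and with the default mode `0640` that account can then rewrite its own configuration. Using `owner: "root"` with `group: "libvirt"` keeps the files readable by the service without making them writable by it. The task presumably also fails on a host where the `libvirt` user does not exist yet when it runs, which nothing visible in the hunk guards against.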
@@ -20,8 +20,8 @@ path: "{{ item.path }}" setype: "container_file_t" state: directory - owner: "{{ item.owner | default(omit) }}" - group: "{{ item.group | default(omit) }}" + owner: "{{ item.owner | default(ansible_user) | default(ansible_user_id) }}" + group: "{{ item.group | default(ansible_user) | default(ansible_user_id) }}" mode: "{{ item.mode | default(omit) }}" loop: - {'path': "/var/lib/openstack/config/containers", "mode": "0755", "owner": "{{ ansible_user }}", "group": "{{ ansible_user }}"} diff --git a/roles/edpm_nova/tasks/configure.yml b/roles/edpm_nova/tasks/configure.yml index 92d25f42a..c07fc0c0e 100644 --- a/roles/edpm_nova/tasks/configure.yml +++ b/roles/edpm_nova/tasks/configure.yml @@ -72,8 +72,8 @@ path: "{{ item.path }}" state: "directory" setype: "container_file_t" - owner: "{{ item.owner | default(ansible_user) }}" - group: "{{ item.group | default(ansible_user) }}" + owner: "{{ item.owner | default(ansible_user) | default(ansible_user_id) }}" + group: "{{ item.group | default(ansible_user) | default(ansible_user_id) }}" mode: "{{ item.mode | default(omit) }}" loop: - {"path": "{{ edpm_nova_config_dest }}", "mode": "0755"} @@ -87,8 +87,8 @@ path: "{{ item.path }}" setype: "container_file_t" state: "directory" - owner: "{{ item.owner | default(omit) }}" - group: "{{ item.group | default(omit) }}" + owner: "{{ item.owner | default(ansible_user) | default(ansible_user_id) }}" + group: "{{ item.group | default(ansible_user) | default(ansible_user_id) }}" mode: "{{ item.mode | default(omit) }}" loop: - {"path": "/var/lib/nova", "mode": "0755"} diff --git a/roles/edpm_swift/tasks/configure.yml b/roles/edpm_swift/tasks/configure.yml index 512610f1a..c98014f83 100644 --- a/roles/edpm_swift/tasks/configure.yml +++ b/roles/edpm_swift/tasks/configure.yml 
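Review bot: The loop entry for `/var/lib/openstack/config/containers` in the edpm_neutron_sriov hunk still passes `"owner": "{{ ansible_user }}"` and `"group": "{{ ansible_user }}"` directly, so the new `default(ansible_user_id)` fallback on the `owner`/`group` lines is never reached for that entry. When `ansible_user` is unset the task will presumably still fail with an undefined-variable error while templating the loop. Either drop the two keys from the entry so the task-level defaults apply, or give them the same fallback, `"owner": "{{ ansible_user | default(ansible_user_id) }}"`. The rest of the loop is outside the hunk.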
@@ -34,8 +34,8 @@ path: "{{ item.path }}" state: "directory" setype: "container_file_t" - owner: "{{ item.owner | default(ansible_user) }}" - group: "{{ item.group | default(ansible_user) }}" + owner: "{{ item.owner | default(ansible_user) | default(ansible_user_id) }}" + group: "{{ item.group | default(ansible_user) | default(ansible_user_id) }}" mode: "{{ item.mode | default(omit) }}" loop: - {"path": "{{ edpm_swift_config_dest }}", "mode": "0755"} @@ -49,8 +49,8 @@ path: "{{ item.path }}" state: "directory" setype: "container_file_t" - owner: "{{ item.owner | default(ansible_user) }}" - group: "{{ item.group | default(ansible_user) }}" + owner: "{{ item.owner | default(ansible_user) | default(ansible_user_id) }}" + group: "{{ item.group | default(ansible_user) | default(ansible_user_id) }}" mode: "{{ item.mode | default(omit) }}" loop: - {"path": "/srv/node", "mode": "0750", "owner": "swift", "group": "swift"} diff --git a/roles/edpm_users/tasks/main.yml b/roles/edpm_users/tasks/main.yml index 84c22c3d0..87829647d 100644 --- a/roles/edpm_users/tasks/main.yml +++ b/roles/edpm_users/tasks/main.yml @@ -23,8 +23,8 @@ ansible.builtin.file: path: "{{ item.path }}" state: directory - owner: "{{ item.owner | default(omit) }}" - group: "{{ item.group | default(omit) }}" + owner: "{{ item.owner | default(ansible_user) | default(ansible_user_id) }}" + group: "{{ item.group | default(ansible_user) | default(ansible_user_id) }}" setype: "{{ item.setype | default(omit) }}" seuser: "{{ item.seuser | default(omit) }}" mode: "{{ item.mode | default(omit) }}" From 67c61ca4af66aba0948f3d169aa8b4a2d0d285e3 Mon Sep 17 00:00:00 2001 From: Jiri Podivin Date: Mon, 29 Jul 2024 16:33:50 +0200 Subject: [PATCH 3/5] Elevating permissions for dir creation Signed-off-by: Jiri Podivin --- roles/edpm_neutron_dhcp/tasks/install.yml | 1 + 1 file changed, 1 insertion(+) 
diff --git a/roles/edpm_neutron_dhcp/tasks/install.yml b/roles/edpm_neutron_dhcp/tasks/install.yml index 7828df743..3af386b72 100644 --- a/roles/edpm_neutron_dhcp/tasks/install.yml +++ b/roles/edpm_neutron_dhcp/tasks/install.yml @@ -15,6 +15,7 @@ # under the License. - name: Create neutron-dhcp-agent directories + become: true ansible.builtin.file: path: "{{ item.path }}" setype: "container_file_t" From eaf59771b8fa614cf0b258ed5a862cde937dc306 Mon Sep 17 00:00:00 2001 From: jlarriba Date: Fri, 2 Aug 2024 08:54:21 +0200 Subject: [PATCH 4/5] Re-introduce a become: true that was previously wrongly removed --- roles/edpm_telemetry_logging/tasks/configure.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/edpm_telemetry_logging/tasks/configure.yml b/roles/edpm_telemetry_logging/tasks/configure.yml index 12e3ef4de..46fb58c0a 100644 --- a/roles/edpm_telemetry_logging/tasks/configure.yml +++ b/roles/edpm_telemetry_logging/tasks/configure.yml @@ -42,6 +42,7 @@ remote_src: "{{ telemetry_test | default('false') }}" - name: Deploy rsyslog configuration + become: true ansible.builtin.copy: src: "{{ edpm_telemetry_logging_config_src }}/10-telemetry.conf" dest: "{{ edpm_telemetry_rsyslog_config_dest }}/10-telemetry.conf" From 96fc1490bd318e34dfbea8ce7aff7879d1e42733 Mon Sep 17 00:00:00 2001 From: jlarriba Date: Fri, 2 Aug 2024 09:00:40 +0200 Subject: [PATCH 5/5] Removed the ansible_user: root from telemetry molecule tests to not cover for missed becomes --- roles/edpm_telemetry/molecule/default/converge.yml | 2 -- roles/edpm_telemetry_logging/molecule/default/converge.yml | 2 -- 2 files changed, 4 deletions(-) diff --git a/roles/edpm_telemetry/molecule/default/converge.yml b/roles/edpm_telemetry/molecule/default/converge.yml index e14a00756..6bf2d3a0a 100644 --- a/roles/edpm_telemetry/molecule/default/converge.yml +++ b/roles/edpm_telemetry/molecule/default/converge.yml 
@@ -7,5 +7,3 @@ name: "osp.edpm.edpm_telemetry" vars: telemetry_test: true - ansible_user: root - ansible_user_dir: /root diff --git a/roles/edpm_telemetry_logging/molecule/default/converge.yml b/roles/edpm_telemetry_logging/molecule/default/converge.yml index 7f2b90275..d3860e22b 100644 --- a/roles/edpm_telemetry_logging/molecule/default/converge.yml +++ b/roles/edpm_telemetry_logging/molecule/default/converge.yml @@ -7,5 +7,3 @@ name: "osp.edpm.edpm_telemetry_logging" vars: telemetry_test: true - ansible_user: root - ansible_user_dir: /root