mistral-executor needs to be run as privileged, with many mounts and dependencies

Bug #1813832 reported by Steve Baker on 2019-01-29
Affects: tripleo
Importance: High
Assigned to: Steve Baker

Bug Description

External deploy tasks are currently run by ansible-playbook inside the mistral-executor container. These tasks include:
- undercloud host setup (image prepare, etc)
- ceph-ansible runs
- openshift installer runs

This requires that mistral-executor be run with many mounts, and the image be installed with any dependencies these playbooks might need.

If external deploy tasks were run via localhost ssh then the configuration of the mistral-executor container would be much simpler, and developers would not need to deal with this class of obscure bugs when doing new things with external deploy tasks.

Fix proposed to branch: master
Review: https://review.openstack.org/633827

Changed in tripleo:
status: Triaged → In Progress
Changed in tripleo:
assignee: Steve Baker (steve-stevebaker) → Emilien Macchi (emilienm)
Changed in tripleo:
assignee: Emilien Macchi (emilienm) → Steve Baker (steve-stevebaker)
Changed in tripleo:
assignee: Steve Baker (steve-stevebaker) → Emilien Macchi (emilienm)

Reviewed: https://review.openstack.org/633827
Committed: https://git.openstack.org/cgit/openstack/tripleo-common/commit/?id=98fc54819ec9e07729bebde32d15bd673b502c39
Submitter: Zuul
Branch: master

commit 98fc54819ec9e07729bebde32d15bd673b502c39
Author: Steve Baker <email address hidden>
Date: Wed Jan 30 10:07:58 2019 +1300

    Break out tripleo-admin creation to its own role

    This removes some inline ansible from the mistral workflow, and allows
    this role to be reused in other contexts (such as undercloud install)

    Change-Id: Id89cc920e165c2103707609fd37639c3032cc8ea
    Partial-Bug: #1813832

Fix proposed to branch: master
Review: https://review.openstack.org/634616

Changed in tripleo:
assignee: Emilien Macchi (emilienm) → Steve Baker (steve-stevebaker)

Fix proposed to branch: master
Review: https://review.openstack.org/634617

Reviewed: https://review.openstack.org/633850
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=0d106a261d745a89e3c441ec39d378a55e53498d
Submitter: Zuul
Branch: master

commit 0d106a261d745a89e3c441ec39d378a55e53498d
Author: Steve Baker <email address hidden>
Date: Thu Jan 31 11:34:07 2019 +1300

    Create tripleo-admin user on the undercloud

    The resulting user home directory is mounted into the mistral-executor
    container. A later change in tripleo-common will populate
    .ssh/authorized_users with the generated private key so that
    mistral-executor can manage the undercloud host via ansible localhost ssh.

    Change-Id: I4c8ee04534636622581eb386c01790d6610e7f58
    Partial-Bug: #1813832
    Depends-On: Id89cc920e165c2103707609fd37639c3032cc8ea

Reviewed: https://review.openstack.org/634616
Committed: https://git.openstack.org/cgit/openstack/tripleo-common/commit/?id=c1341fc4d19a3bfa40648cf893d51f9e5dfa78ba
Submitter: Zuul
Branch: master

commit c1341fc4d19a3bfa40648cf893d51f9e5dfa78ba
Author: Steve Baker <email address hidden>
Date: Mon Feb 4 09:47:50 2019 +1300

    Authorize undercloud tripleo-admin user

    This adds the public key into the .ssh/authorized_keys file
    in /home/tripleo-admin. Failure is ignored because this may be running
    on an undercloud which doesn't yet have a configured tripleo-admin
    user.

    This change also refactors the removal of the generate_playbook task;
    since the playbook now just invokes a role, there is no maintenance
    benefit to justify the extra complexity.

    Partial-Bug: #1813832
    Change-Id: Id2ee912c456d66ed189fd5fdbaa5c1c3627bdf20
    Depends-On: I4c8ee04534636622581eb386c01790d6610e7f58
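The commit above adds the executor's public key to /home/tripleo-admin/.ssh/authorized_keys. As an added illustration, not tripleo-common's own code, the following shows the properties a practitioner would want from that step: the append is idempotent (re-running the bootstrap or a key whose comment changed does not produce duplicate lines), and .ssh and authorized_keys end up 0700/0600, because with sshd's default StrictModes a group- or world-writable path causes the file to be ignored. The function names (authorize_key, check_owner_only, demo), the sample key and the use of a temporary directory in place of /home/tripleo-admin are constructed for this example.

```python
"""Added example, not tripleo-common code: idempotently authorize a public
key for a local service account, with the file modes sshd requires.

Hypothetical names (authorize_key, check_owner_only, demo) and the sample
key are constructed for this example; the home directory is passed in so
the code runs against a temporary directory rather than /home/tripleo-admin.
"""
import os
import stat
import tempfile
from pathlib import Path


def _key_identity(line):
    """Reduce an authorized_keys line to 'type base64', ignoring the comment,
    so 'user@hostA' and 'user@hostB' for the same key are not both added."""
    parts = line.split()
    if len(parts) < 2 or not parts[0].startswith(("ssh-", "ecdsa-", "sk-")):
        raise ValueError("not a plain OpenSSH public key line: %r" % line)
    return " ".join(parts[:2])


def authorize_key(home, pubkey):
    """Append pubkey to <home>/.ssh/authorized_keys unless already present.
    Ensures .ssh is 0700 and authorized_keys is 0600: with StrictModes (the
    default) sshd ignores the file if group or others can write to the path.
    Returns True if the file was changed."""
    ssh_dir = Path(home) / ".ssh"
    ssh_dir.mkdir(mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)  # mkdir's mode is subject to umask; force it
    ak = ssh_dir / "authorized_keys"
    wanted = _key_identity(pubkey)
    if ak.exists():
        for line in ak.read_text().splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            try:
                if _key_identity(line) == wanted:
                    return False
            except ValueError:
                continue  # lines with options (e.g. command="...") are left alone
    with ak.open("a") as fh:
        fh.write(pubkey.strip() + "\n")
    os.chmod(ak, 0o600)
    return True


def check_owner_only(path):
    """True when no group/other permission bits are set, the same test ssh
    applies before it will use a private key file."""
    return (stat.S_IMODE(os.stat(path).st_mode) & 0o077) == 0


# Constructed sample key line (not a real credential).
SAMPLE_KEY = ("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEkeyNOTrealEXAMPLEkeyNOTreal "
              "tripleo-admin@undercloud")


def demo():
    """Run the flow in a throwaway home directory and report what happened."""
    home = tempfile.mkdtemp(prefix="tripleo-admin-")
    first = authorize_key(home, SAMPLE_KEY)
    second = authorize_key(home, SAMPLE_KEY)  # identical line: no change
    third = authorize_key(home, SAMPLE_KEY.replace("undercloud", "elsewhere"))  # same key, new comment
    ak = os.path.join(home, ".ssh", "authorized_keys")
    lines = [l for l in open(ak).read().splitlines() if l.strip()]
    return {"first_added": first, "second_added": second, "recommented_added": third,
            "modes_ok": check_owner_only(ak) and check_owner_only(os.path.dirname(ak)),
            "line_count": len(lines)}


if __name__ == "__main__":
    print(demo())
```

The commit message notes that failure is ignored when the tripleo-admin user does not exist yet; in this example that case surfaces as an exception from mkdir, which a caller in that situation would catch and log rather than silence.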

Reviewed: https://review.openstack.org/634617
Committed: https://git.openstack.org/cgit/openstack/tripleo-common/commit/?id=d879b2aa99b7c2d3ddb79c2149e2c5bc2c1a1ae2
Submitter: Zuul
Branch: master

commit d879b2aa99b7c2d3ddb79c2149e2c5bc2c1a1ae2
Author: Steve Baker <email address hidden>
Date: Mon Feb 4 10:45:01 2019 +1300

    Use ssh in generated inventory for undercloud

    This switches over to ssh for external deploy tasks, so they are run
    in the context of the undercloud host instead of inside the
    mistral-executor container.

    Change-Id: Iae415339308a93ad49eeb7e4d7e0be2662abf0ee
    Closes-Bug: #1813832

Changed in tripleo:
status: In Progress → Fix Released

Related fix proposed to branch: master
Review: https://review.openstack.org/636107

Reviewed: https://review.openstack.org/636107
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=01a8651306082e0c7fddcebc932c420c7cb10487
Submitter: Zuul
Branch: master

commit 01a8651306082e0c7fddcebc932c420c7cb10487
Author: Giulio Fidente <email address hidden>
Date: Mon Feb 11 10:55:26 2019 +0100

    Do not mount ceph-ansible and octavia playbook within mistral container

    This is not necessary anymore given the mistral-executor container is
    executing the playbook from the node hosting the container itself.

    Change-Id: Ia71a653d9c73b5f7a4d26b76aaf1cb29b29aab5c
    Related-Bug: 1813832

Reviewed: https://review.openstack.org/636086
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=5ceb3c5ec7d3e2100fc74e86660c59b090e41d31
Submitter: Zuul
Branch: master

commit 5ceb3c5ec7d3e2100fc74e86660c59b090e41d31
Author: Steve Baker <email address hidden>
Date: Mon Feb 11 17:30:51 2019 +1300

    Make ceph-ansible working dir owned by tripleo-admin

    The ceph-ansible tasks are now invoked with the tripleo-admin user,
    which doesn't by default have write access to /var/lib/mistral, but it
    does have sudo access.

    This change makes /var/lib/mistral/overcloud/ceph-ansible be owned by
    the tripleo-admin user so that subsequent tasks can write to that
    directory.

    Related-Bug: #1813832
    Change-Id: I98bb38078be84cbda3e9a9e338af0d054dc53420

This issue was fixed in the openstack/tripleo-common 10.4.0 release.

Reviewed: https://review.openstack.org/636353
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=94e3070641e249450b6ec1aedb18c19ee8f19122
Submitter: Zuul
Branch: master

commit 94e3070641e249450b6ec1aedb18c19ee8f19122
Author: Giulio Fidente <email address hidden>
Date: Tue Feb 12 16:23:00 2019 +0100

    Restrict use of become to minimum necessary for Ceph deployment

    We should avoid use of become: true where unnecessary because
    additional files might get created with the wrong permissions.

    Change-Id: I4dc71fd23134a9e4a5b2b6e93d2cf45735e71711
    Related-Bug: 1813832

Reviewed: https://review.openstack.org/637727
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=f2412dacf1c0af1cddc83719d9c1c36c4d7e3449
Submitter: Zuul
Branch: master

commit f2412dacf1c0af1cddc83719d9c1c36c4d7e3449
Author: Martin André <email address hidden>
Date: Tue Feb 19 09:31:19 2019 +0100

    Make openshift-ansible working dir owned by tripleo-admin

    The openshift-ansible tasks are now invoked with the tripleo-admin
    user, which doesn't by default have write access to /var/lib/mistral,
    but it does have sudo access.

    This change makes /var/lib/mistral/<stack>/openshift be owned by the
    tripleo-admin user so that subsequent tasks can write to that
    directory.

    Change-Id: I7762af7b824ae0c7303438d48fc35c9f24a00c9c
    Related-Bug: #1813832

Reviewed: https://review.openstack.org/648259
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=1a6bd0c34069b5da1ad235ee81421acee5baf894
Submitter: Zuul
Branch: master

commit 1a6bd0c34069b5da1ad235ee81421acee5baf894
Author: Steve Baker <email address hidden>
Date: Thu Mar 28 11:24:19 2019 +1300

    Use discovered private key file

    If {{playbook_dir}}/ssh_private_key exists then this will be used as
    the --private-key argument. This avoids the assumption that
    ceph-ansible should use the same private key as ansible is currently
    running under.

    Change-Id: I33c701e72196086e1f78cb09affaf9d7dcd131c6
    Related-Bug: #1813832
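Two of the commits above describe the executor side of this change: the undercloud becomes an ssh target in the generated inventory, and ceph-ansible uses a private key found at {{playbook_dir}}/ssh_private_key when one exists rather than the key ansible itself is running under. As an added example that is not tripleo-common's code, the following assembles that ansible-playbook invocation. It also adds the check a practitioner would want: a discovered key with group/other permission bits is refused outright instead of silently falling back to the executor's key, since ssh would reject it anyway and the error here names the cause. The inventory shape, the function names (undercloud_inventory, discover_private_key, build_playbook_cmd, demo) and the default key path are hypothetical; the real generated inventory carries many more groups and variables.

```python
"""Added example, not tripleo-common code: build the ansible-playbook argv
for an external deploy task that reaches the undercloud over ssh to
localhost as tripleo-admin, preferring <playbook_dir>/ssh_private_key when
it exists.

Hypothetical: the inventory layout, the function names, and the default
key path used in demo(). Only the ssh_private_key file name comes from the
bug's commits.
"""
import os
import stat
import tempfile
from pathlib import Path


def undercloud_inventory(user="tripleo-admin", key_file=None, host="127.0.0.1"):
    """Make the undercloud an ssh target rather than ansible_connection=local,
    so playbooks run in the host's context, not the container's. No
    ansible_become at host level: tasks that need root escalate individually."""
    hostvars = {"ansible_host": host, "ansible_user": user, "ansible_connection": "ssh"}
    if key_file:
        hostvars["ansible_ssh_private_key_file"] = str(key_file)
    return {"Undercloud": {"hosts": {"undercloud": hostvars}}}


def discover_private_key(playbook_dir, default_key):
    """Return <playbook_dir>/ssh_private_key if present, else default_key.
    A discovered key with group/other bits set raises PermissionError: ssh
    would reject it anyway, and failing here names the cause instead of an
    opaque 'Permission denied (publickey)' later."""
    candidate = Path(playbook_dir) / "ssh_private_key"
    if not candidate.is_file():
        return str(default_key)
    mode = stat.S_IMODE(candidate.stat().st_mode)
    if mode & 0o077:
        raise PermissionError("%s has mode %o; private keys must be 0600" % (candidate, mode))
    return str(candidate)


def build_playbook_cmd(playbook_dir, playbook, inventory_path, default_key):
    """argv for ansible-playbook with the resolved private key."""
    key = discover_private_key(playbook_dir, default_key)
    return ["ansible-playbook", "-i", str(inventory_path),
            "--private-key", key, str(Path(playbook_dir) / playbook)]


def demo():
    """Exercise the three key-resolution cases in a temporary playbook dir."""
    workdir = tempfile.mkdtemp(prefix="deploy-task-")
    inv = os.path.join(workdir, "inventory.yaml")
    executor_key = "/home/tripleo-admin/.ssh/id_rsa_tripleo"  # hypothetical default
    playbook = "ceph-ansible/site.yml"
    result = {}
    # 1. no discovered key: fall back to the executor's own key
    cmd = build_playbook_cmd(workdir, playbook, inv, executor_key)
    result["default_used"] = cmd[cmd.index("--private-key") + 1] == executor_key
    # 2. discovered key with correct mode: use it
    key = Path(workdir) / "ssh_private_key"
    key.write_text("-----BEGIN OPENSSH PRIVATE KEY-----\n"
                   "constructed placeholder, not a real key\n"
                   "-----END OPENSSH PRIVATE KEY-----\n")
    os.chmod(key, 0o600)
    cmd = build_playbook_cmd(workdir, playbook, inv, executor_key)
    result["discovered_used"] = cmd[cmd.index("--private-key") + 1] == str(key)
    # 3. discovered key readable by others: refuse, do not fall back silently
    os.chmod(key, 0o644)
    try:
        build_playbook_cmd(workdir, playbook, inv, executor_key)
        result["loose_mode_refused"] = False
    except PermissionError:
        result["loose_mode_refused"] = True
    return result


if __name__ == "__main__":
    print(demo())
    print(undercloud_inventory(key_file="/home/tripleo-admin/.ssh/id_rsa_tripleo"))
```

Keeping become off at the inventory level and escalating per task matches the intent of the "Restrict use of become" commit above: files written by a task that did not need root keep tripleo-admin ownership, which is exactly what the chown fixes for the ceph-ansible and openshift-ansible working directories were needed to restore.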
