standalone ansible fails when not run as root

Bug #1883609 reported by Alex Schultz
This bug affects 1 person
Affects: tripleo
Importance: Medium
Assigned to: Alex Schultz

Bug Description

You can run `openstack tripleo deploy` with `--output-only` to generate the ansible playbooks for a deployment. However, if you don't run `ansible-playbook` with sudo on the resulting files, it fails. Since ansible can handle the privilege elevation, we should ensure we use `become: true` correctly on the various tasks.
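
An added illustration of the per-task elevation the description asks for, not taken from the tripleo repositories: the play runs as the invoking user and only the tasks that touch root-owned paths set `become: true`. The host group, paths and task names are hypothetical.

```yaml
# Constructed example; host group, paths and task names are hypothetical.
# Invoked as an unprivileged user (no sudo around ansible-playbook):
#   ansible-playbook -i inventory.yaml site.yaml
- hosts: standalone
  become: false                 # default for the play: no elevation
  tasks:
    - name: Create a configuration directory under /etc (needs root)
      become: true
      ansible.builtin.file:
        path: /etc/example-app
        state: directory
        owner: root
        group: root
        mode: "0750"

    - name: Write a configuration file under /etc (needs root)
      become: true
      ansible.builtin.copy:
        content: "example: value\n"
        dest: /etc/example-app/example.yaml
        owner: root
        group: root
        mode: "0600"

    - name: Remove a temporary file that a root task created earlier
      become: true              # created as root, so cleanup needs root too
      ansible.builtin.file:
        path: /etc/example-app/example.yaml.tmp
        state: absent

    - name: Write a report on the control node as the invoking user
      delegate_to: localhost
      become: false             # stays unprivileged on localhost
      ansible.builtin.copy:
        content: "deployed\n"
        dest: "{{ lookup('env', 'HOME') }}/example-deploy-report.txt"
        mode: "0644"
```

Scoping `become: true` to individual tasks keeps the rest of the run, including anything delegated to the control node, at the privileges of the user who started it.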

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-ansible (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/736024

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Related fix proposed to branch: master
Review: https://review.opendev.org/736040

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-heat-templates (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/736047

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Related fix proposed to branch: master
Review: https://review.opendev.org/736279

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-ansible (master)

Reviewed: https://review.opendev.org/736024
Committed: https://git.openstack.org/cgit/openstack/tripleo-ansible/commit/?id=746bd9a52b2a4288af705f161ec41736a4e3b5e3
Submitter: Zuul
Branch: master

commit 746bd9a52b2a4288af705f161ec41736a4e3b5e3
Author: Alex Schultz <email address hidden>
Date: Tue Jun 16 14:38:57 2020 -0600

    Fix host entries permissions

    The cleanup tasks needs become: true because it was created with root.

    Change-Id: Iaa39aa301be182722e0650583d1ad17c0e8dc82b
    Related-Bug: #1883609

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.opendev.org/736040
Committed: https://git.openstack.org/cgit/openstack/tripleo-ansible/commit/?id=c8d8e9adaf62f1b3e6a274fbb5ec17dae4dc8449
Submitter: Zuul
Branch: master

commit c8d8e9adaf62f1b3e6a274fbb5ec17dae4dc8449
Author: Alex Schultz <email address hidden>
Date: Tue Jun 16 14:47:26 2020 -0600

    Fix tripleo_hierdata permissions

    Add become: true to the tasks that need to be able to write to /etc/

    Change-Id: I24b118220ce2371f651cad6b8dfbbf5d031ee118
    Related-Bug: #1883609

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-heat-templates (master)

Reviewed: https://review.opendev.org/736279
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=230481674ffd577ed83573daa28b6d3e0ef57637
Submitter: Zuul
Branch: master

commit 230481674ffd577ed83573daa28b6d3e0ef57637
Author: Alex Schultz <email address hidden>
Date: Wed Jun 17 09:51:05 2020 -0600

    Move sidecar kill scripts to host prep

    These tasks really should be managed a single time against the host
    rather than at deployment time.

    Change-Id: I535d8360493267d50196aebb6365124b67e9ba78
    Related-Bug: #1883609

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-ansible (stable/ussuri)

Related fix proposed to branch: stable/ussuri
Review: https://review.opendev.org/739498

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Related fix proposed to branch: stable/ussuri
Review: https://review.opendev.org/739500

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-ansible (stable/train)

Related fix proposed to branch: stable/train
Review: https://review.opendev.org/739540

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Related fix proposed to branch: stable/train
Review: https://review.opendev.org/739541

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-heat-templates (stable/train)

Related fix proposed to branch: stable/train
Review: https://review.opendev.org/739547

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-heat-templates (master)

Reviewed: https://review.opendev.org/736047
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=4e39acd14771ef9e8085b29be3b9374678d8089e
Submitter: Zuul
Branch: master

commit 4e39acd14771ef9e8085b29be3b9374678d8089e
Author: Alex Schultz <email address hidden>
Date: Tue Jun 16 15:01:43 2020 -0600

    Fix privilege escalation

    This change enabled become: true to the deploy step and host prep task
    execution. external tasks are still become: false as they are delegated
    to localhost and run as the same user running the deployment.

    Change-Id: I79631ce0ed450febae96db2f32198e02eb427d91
    Related-Bug: #1883609

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-ansible (stable/ussuri)

Reviewed: https://review.opendev.org/739498
Committed: https://git.openstack.org/cgit/openstack/tripleo-ansible/commit/?id=b2ea17cc8ae9ab905993763a49fb9b152af71986
Submitter: Zuul
Branch: stable/ussuri

commit b2ea17cc8ae9ab905993763a49fb9b152af71986
Author: Alex Schultz <email address hidden>
Date: Tue Jun 16 14:38:57 2020 -0600

    Fix host entries permissions

    The cleanup tasks needs become: true because it was created with root.

    Change-Id: Iaa39aa301be182722e0650583d1ad17c0e8dc82b
    Related-Bug: #1883609
    (cherry picked from commit 746bd9a52b2a4288af705f161ec41736a4e3b5e3)

tags: added: in-stable-ussuri
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-heat-templates (stable/ussuri)

Related fix proposed to branch: stable/ussuri
Review: https://review.opendev.org/739591

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-heat-templates (stable/train)

Related fix proposed to branch: stable/train
Review: https://review.opendev.org/739592

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-heat-templates (stable/ussuri)

Related fix proposed to branch: stable/ussuri
Review: https://review.opendev.org/739595

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-ansible (stable/ussuri)

Reviewed: https://review.opendev.org/739500
Committed: https://git.openstack.org/cgit/openstack/tripleo-ansible/commit/?id=a7f9c2c0a37fe0b490a569108016d6cbb68521e7
Submitter: Zuul
Branch: stable/ussuri

commit a7f9c2c0a37fe0b490a569108016d6cbb68521e7
Author: Alex Schultz <email address hidden>
Date: Tue Jun 16 14:47:26 2020 -0600

    Fix tripleo_hierdata permissions

    Add become: true to the tasks that need to be able to write to /etc/

    Change-Id: I24b118220ce2371f651cad6b8dfbbf5d031ee118
    Related-Bug: #1883609
    (cherry picked from commit c8d8e9adaf62f1b3e6a274fbb5ec17dae4dc8449)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-ansible (stable/train)

Reviewed: https://review.opendev.org/739540
Committed: https://git.openstack.org/cgit/openstack/tripleo-ansible/commit/?id=e3fb917193cc2a568c899c9e178da5222b91bad1
Submitter: Zuul
Branch: stable/train

commit e3fb917193cc2a568c899c9e178da5222b91bad1
Author: Alex Schultz <email address hidden>
Date: Tue Jun 16 14:38:57 2020 -0600

    Fix host entries permissions

    The cleanup tasks needs become: true because it was created with root.

    Change-Id: Iaa39aa301be182722e0650583d1ad17c0e8dc82b
    Related-Bug: #1883609
    (cherry picked from commit 746bd9a52b2a4288af705f161ec41736a4e3b5e3)

tags: added: in-stable-train
Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.opendev.org/739541
Committed: https://git.openstack.org/cgit/openstack/tripleo-ansible/commit/?id=d1e80761c48c86897d4d023488af3c81e2666f87
Submitter: Zuul
Branch: stable/train

commit d1e80761c48c86897d4d023488af3c81e2666f87
Author: Alex Schultz <email address hidden>
Date: Tue Jun 16 14:47:26 2020 -0600

    Fix tripleo_hierdata permissions

    Add become: true to the tasks that need to be able to write to /etc/

    Change-Id: I24b118220ce2371f651cad6b8dfbbf5d031ee118
    Related-Bug: #1883609
    (cherry picked from commit c8d8e9adaf62f1b3e6a274fbb5ec17dae4dc8449)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-heat-templates (stable/train)

Reviewed: https://review.opendev.org/739547
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=16fc8da6349fd1f3d1e806082a454c0ed758684a
Submitter: Zuul
Branch: stable/train

commit 16fc8da6349fd1f3d1e806082a454c0ed758684a
Author: Emilien Macchi <email address hidden>
Date: Mon Jul 6 12:27:57 2020 -0400

    Manual backport of "Move sidecar kill scripts to host prep" to Train

    Manual backport of https://review.opendev.org/#/c/736279 into
    stable/train.

    The patch didn't apply cleanly so we manually moved the tasks so
    these tasks are managed a single time against the host rather than at
    deployment time.

    Change-Id: Idf1e24e69a485b51761c161bb939ccbba6601912
    Related-Bug: #1883609

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.opendev.org/739592
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=7168701091897dbe6180a06fd90d523da61a0f24
Submitter: Zuul
Branch: stable/train

commit 7168701091897dbe6180a06fd90d523da61a0f24
Author: Alex Schultz <email address hidden>
Date: Tue Jun 16 15:01:43 2020 -0600

    Fix privilege escalation

    This change enabled become: true to the deploy step and host prep task
    execution. external tasks are still become: false as they are delegated
    to localhost and run as the same user running the deployment.

    Change-Id: I79631ce0ed450febae96db2f32198e02eb427d91
    Related-Bug: #1883609
    (cherry picked from commit 4e39acd14771ef9e8085b29be3b9374678d8089e)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-heat-templates (stable/ussuri)

Reviewed: https://review.opendev.org/739591
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=f917423be9ed0cba53889808d93e4fc0884babec
Submitter: Zuul
Branch: stable/ussuri

commit f917423be9ed0cba53889808d93e4fc0884babec
Author: Alex Schultz <email address hidden>
Date: Tue Jun 16 15:01:43 2020 -0600

    Fix privilege escalation

    This change enabled become: true to the deploy step and host prep task
    execution. external tasks are still become: false as they are delegated
    to localhost and run as the same user running the deployment.

    Change-Id: I79631ce0ed450febae96db2f32198e02eb427d91
    Related-Bug: #1883609
    (cherry picked from commit 4e39acd14771ef9e8085b29be3b9374678d8089e)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.opendev.org/739595
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=d29386d8b61e60676d84ed75d566e6eebd8a19e5
Submitter: Zuul
Branch: stable/ussuri

commit d29386d8b61e60676d84ed75d566e6eebd8a19e5
Author: Alex Schultz <email address hidden>
Date: Wed Jun 17 09:51:05 2020 -0600

    Move sidecar kill scripts to host prep

    These tasks really should be managed a single time against the host
    rather than at deployment time.

    Change-Id: I535d8360493267d50196aebb6365124b67e9ba78
    Related-Bug: #1883609
    (cherry picked from commit 230481674ffd577ed83573daa28b6d3e0ef57637)

Changed in tripleo:
milestone: victoria-1 → victoria-3
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-ansible (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/745734

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-heat-templates (stable/ussuri)

Related fix proposed to branch: stable/ussuri
Review: https://review.opendev.org/745737

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-ansible (master)

Reviewed: https://review.opendev.org/745734
Committed: https://git.openstack.org/cgit/openstack/tripleo-ansible/commit/?id=c9b252815d3be19120f886e108c9f72152d79352
Submitter: Zuul
Branch: master

commit c9b252815d3be19120f886e108c9f72152d79352
Author: Alex Schultz <email address hidden>
Date: Tue Aug 11 13:36:11 2020 -0600

    Additional permission fixes for roles

    Change-Id: I015a845f0e2e440aa147a823a4bebc93d512664e
    Related-Bug: #1883609

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-ansible (stable/ussuri)

Related fix proposed to branch: stable/ussuri
Review: https://review.opendev.org/746228

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-ansible (stable/train)

Related fix proposed to branch: stable/train
Review: https://review.opendev.org/746229

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-heat-templates (stable/ussuri)

Reviewed: https://review.opendev.org/745737
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=70a0991593b76bb9b1b53ff5b61f4ea2640e3d68
Submitter: Zuul
Branch: stable/ussuri

commit 70a0991593b76bb9b1b53ff5b61f4ea2640e3d68
Author: Alex Schultz <email address hidden>
Date: Tue Aug 11 14:15:53 2020 -0600

    Fix permissions for paunch

    Paunch needs to be run as root so we need a become: true in order to
    work if the playbook is not run as root.

    Change-Id: I136ff6836aa8629b037f309076b4b682e30b9de2
    Related-Bug: #1883609

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-heat-templates (stable/train)

Related fix proposed to branch: stable/train
Review: https://review.opendev.org/747409

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-ansible (stable/ussuri)

Reviewed: https://review.opendev.org/746228
Committed: https://git.openstack.org/cgit/openstack/tripleo-ansible/commit/?id=98be5e50532858837c3792e369ee742cd45d0cb6
Submitter: Zuul
Branch: stable/ussuri

commit 98be5e50532858837c3792e369ee742cd45d0cb6
Author: Alex Schultz <email address hidden>
Date: Tue Aug 11 13:36:11 2020 -0600

    Additional permission fixes for roles

    Change-Id: I015a845f0e2e440aa147a823a4bebc93d512664e
    Related-Bug: #1883609
    (cherry picked from commit c9b252815d3be19120f886e108c9f72152d79352)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on tripleo-heat-templates (stable/train)

Change abandoned by Alex Schultz (<email address hidden>) on branch: stable/train
Review: https://review.opendev.org/747409
Reason: was already backported 16fc8da634

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-ansible (stable/train)

Reviewed: https://review.opendev.org/746229
Committed: https://git.openstack.org/cgit/openstack/tripleo-ansible/commit/?id=5ec8909e16f5161da4f8bcf608c2e7296b9cce16
Submitter: Zuul
Branch: stable/train

commit 5ec8909e16f5161da4f8bcf608c2e7296b9cce16
Author: Alex Schultz <email address hidden>
Date: Tue Aug 11 13:36:11 2020 -0600

    Additional permission fixes for roles

    Change-Id: I015a845f0e2e440aa147a823a4bebc93d512664e
    Related-Bug: #1883609
    (cherry picked from commit c9b252815d3be19120f886e108c9f72152d79352)

Changed in tripleo:
milestone: victoria-3 → wallaby-1
Changed in tripleo:
milestone: wallaby-1 → wallaby-2
Changed in tripleo:
milestone: wallaby-2 → wallaby-3
Revision history for this message
Alex Schultz (alex-schultz) wrote :

This should work now. If not, please reopen

Changed in tripleo:
status: Triaged → Fix Released
assignee: nobody → Alex Schultz (alex-schultz)