0

Kolla Ansible User Privileges Best Practice

asked 2016-12-20 08:43:49 -0500

thomas.oneill

I was wondering what the best practice was in terms of which user to use for kolla-ansible and how to escalate privileges to sudo/root. I know that in Ansible there is the become playbook feature, and also that in the inventory you can specify ansible_user=$USERNAME after the hostname to perform operations on that host with that user.

Just running as my user, which is part of the docker group on the relevant hosts, has resulted in these errors:

TASK [haproxy : Setting sysctl values] *****************************************
failed: [network01] (item={u'name': u'net.ipv4.ip_nonlocal_bind', u'value': 1}) => {"failed": true, "item": {"name": "net.ipv4.ip_nonlocal_bind", "value": 1}, "module_stderr": "Shared connection to network01 closed.
", "module_stdout": "Traceback (most recent call last):
  File \"/tmp/ansible__d5Ird/ansible_module_sysctl.py\", line 371, in <module>
    main()
  File \"/tmp/ansible__d5Ird/ansible_module_sysctl.py\", line 364, in main
    result = SysctlModule(module)
  File \"/tmp/ansible__d5Ird/ansible_module_sysctl.py\", line 124, in __init__
    self.process()
  File \"/tmp/ansible__d5Ird/ansible_module_sysctl.py\", line 172, in process
    self.write_sysctl()
  File \"/tmp/ansible__d5Ird/ansible_module_sysctl.py\", line 330, in write_sysctl
    fd, tmp_path = tempfile.mkstemp('.conf', '.ansible_m_sysctl_', os.path.dirname(self.sysctl_file))
  File \"/usr/lib/python2.7/tempfile.py\", line 314, in mkstemp
    return _mkstemp_inner(dir, prefix, suffix, flags)
  File \"/usr/lib/python2.7/tempfile.py\", line 244, in _mkstemp_inner
    fd = _os.open(file, flags, 0600)
OSError: [Errno 13] Permission denied: '/etc/.ansible_m_sysctl_u8SELB.conf'
", "msg": "MODULE FAILURE"}
failed: [network01] (item={u'name': u'net.unix.max_dgram_qlen', u'value': 128}) => {"failed": true, "item": {"name": "net.unix.max_dgram_qlen", "value": 128}, "module_stderr": "Shared connection to network01 closed.
", "module_stdout": "Traceback (most recent call last):
  File \"/tmp/ansible_jG46m0/ansible_module_sysctl.py\", line 371, in <module>
    main()
  File \"/tmp/ansible_jG46m0/ansible_module_sysctl.py\", line 364, in main
    result = SysctlModule(module)
  File \"/tmp/ansible_jG46m0/ansible_module_sysctl.py\", line 124, in __init__
    self.process()
  File \"/tmp/ansible_jG46m0/ansible_module_sysctl.py\", line 172, in process
    self.write_sysctl()
  File \"/tmp/ansible_jG46m0/ansible_module_sysctl.py\", line 330, in write_sysctl
    fd, tmp_path = tempfile.mkstemp('.conf', '.ansible_m_sysctl_', os.path.dirname(self.sysctl_file))
  File \"/usr/lib/python2.7/tempfile.py\", line 314, in mkstemp
    return _mkstemp_inner(dir, prefix, suffix, flags)
  File \"/usr/lib/python2.7/tempfile.py\", line 244, in _mkstemp_inner
    fd = _os.open(file, flags, 0600)
OSError: [Errno 13] Permission denied: '/etc/.ansible_m_sysctl_IQU7c9.conf'
", "msg": "MODULE FAILURE"}
        to retry, use: --limit @/home/stack/kolla-ansible/ansible/site.retry

Running as root and configuring SSH for this is viable but seems nasty. Any recommendations?


2 answers

0

answered 2016-12-20 08:45:20 -0500

thomas.oneill

Running kolla-ansible with -e 'ansible_become=true' -e 'ansible_become_method=sudo' works for me and seems reasonable.

0

answered 2016-12-23 04:25:02 -0500

Yes, it is nasty. Because of that we are working on it: https://blueprints.launchpad.net/koll.... In the near future, probably with the Ocata release, it will be possible to run the kolla-ansible Playbooks without escalating whole hosts.

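As an added illustration (not from this thread and not a kolla-ansible playbook), the play below shows both approaches the two answers touch on: the sudo-based become that the first answer passes with `-e`, here set per task instead of per host, so the deploy user stays unprivileged except for the one sysctl write that fails in the question. Host `network01` and the sysctl items are taken from the error output; the deploy user name `stack` is assumed from the retry path.

```yaml
# privilege_example.yml -- constructed example, not part of kolla-ansible.
# Run with: ansible-playbook -i <inventory> privilege_example.yml
# Assumes the inventory sets ansible_user=stack for network01 and that
# stack is in the docker group, as described in the question, so Docker
# calls need no sudo; only writing under /etc does.
- hosts: network01
  become: false                     # whole play runs as the deploy user...
  tasks:
    - name: Record which user the play is running as
      command: id -un
      register: play_user
      changed_when: false

    - name: Setting sysctl values (the task that failed unprivileged)
      become: true                  # ...and escalates only for this task,
      become_method: sudo           # equivalent to the -e flags in answer 1
      sysctl:
        name: "{{ item.name }}"
        value: "{{ item.value }}"
        sysctl_set: true
        state: present
        reload: true
      with_items:
        - { name: net.ipv4.ip_nonlocal_bind, value: 1 }
        - { name: net.unix.max_dgram_qlen, value: 128 }

    - name: Confirm the unprivileged deploy user can still reach Docker
      command: docker info
      changed_when: false

    - name: Fail loudly if the play itself was escalated (it should not be)
      assert:
        that: play_user.stdout != 'root'
        msg: "Play ran as root; only the sysctl task should escalate"
```

Scoping `become` to the task rather than to the host is the same direction as the blueprint the second answer mentions, and it keeps the sudo grant for the deploy user auditable in one place.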


Last updated: Dec 23 '16