I was wondering what the best practice was in terms of which user to use for kolla-ansible
and how to escalate privileges to sudo/root. I know that in Ansible there is the become
playbook feature, and also that in the inventory you can specify ansible_user=$USERNAME
after the hostname to perform operations on that host with that user.
Just running as my user, which is part of the docker group on the relevant hosts, has resulted in these errors:
TASK [haproxy : Setting sysctl values] *****************************************
failed: [network01] (item={u'name': u'net.ipv4.ip_nonlocal_bind', u'value': 1}) => {"failed": true, "item": {"name": "net.ipv4.ip_nonlocal_bind", "value": 1}, "module_stderr": "Shared connection to network01 closed. ", "module_stdout": "Traceback (most recent call last): File \"/tmp/ansible__d5Ird/ansible_module_sysctl.py\", line 371, in <module> main() File \"/tmp/ansible__d5Ird/ansible_module_sysctl.py\", line 364, in main result = SysctlModule(module) File \"/tmp/ansible__d5Ird/ansible_module_sysctl.py\", line 124, in __init__ self.process() File \"/tmp/ansible__d5Ird/ansible_module_sysctl.py\", line 172, in process self.write_sysctl() File \"/tmp/ansible__d5Ird/ansible_module_sysctl.py\", line 330, in write_sysctl fd, tmp_path = tempfile.mkstemp('.conf', '.ansible_m_sysctl_', os.path.dirname(self.sysctl_file)) File \"/usr/lib/python2.7/tempfile.py\", line 314, in mkstemp return _mkstemp_inner(dir, prefix, suffix, flags) File \"/usr/lib/python2.7/tempfile.py\", line 244, in _mkstemp_inner fd = _os.open(file, flags, 0600) OSError: [Errno 13] Permission denied: '/etc/.ansible_m_sysctl_u8SELB.conf' ", "msg": "MODULE FAILURE"}
failed: [network01] (item={u'name': u'net.unix.max_dgram_qlen', u'value': 128}) => {"failed": true, "item": {"name": "net.unix.max_dgram_qlen", "value": 128}, "module_stderr": "Shared connection to network01 closed. ", "module_stdout": "Traceback (most recent call last): File \"/tmp/ansible_jG46m0/ansible_module_sysctl.py\", line 371, in <module> main() File \"/tmp/ansible_jG46m0/ansible_module_sysctl.py\", line 364, in main result = SysctlModule(module) File \"/tmp/ansible_jG46m0/ansible_module_sysctl.py\", line 124, in __init__ self.process() File \"/tmp/ansible_jG46m0/ansible_module_sysctl.py\", line 172, in process self.write_sysctl() File \"/tmp/ansible_jG46m0/ansible_module_sysctl.py\", line 330, in write_sysctl fd, tmp_path = tempfile.mkstemp('.conf', '.ansible_m_sysctl_', os.path.dirname(self.sysctl_file)) File \"/usr/lib/python2.7/tempfile.py\", line 314, in mkstemp return _mkstemp_inner(dir, prefix, suffix, flags) File \"/usr/lib/python2.7/tempfile.py\", line 244, in _mkstemp_inner fd = _os.open(file, flags, 0600) OSError: [Errno 13] Permission denied: '/etc/.ansible_m_sysctl_IQU7c9.conf' ", "msg": "MODULE FAILURE"}
to retry, use: --limit @/home/stack/kolla-ansible/ansible/site.retry
Running as root and configuring SSH for this is viable but seems nasty. Any recommendations?