---
# NOTE(mgoddard): The bootstrap user may be used to create the kayobe user
# account and configure passwordless sudo. We can't assume that the bootstrap
# user account will exist after the initial bootstrapping, or that the
# current operator's key is authorised for the bootstrap user. We therefore
# attempt to access the kayobe user account via SSH, and only perform the
# bootstrap process if the account is inaccessible.
- name: Determine whether user bootstrapping is required
hosts: seed-hypervisor:seed:overcloud:infra-vms
gather_facts: false
max_fail_percentage: >-
{{ kayobe_ansible_user_max_fail_percentage |
default(host_configure_max_fail_percentage) |
default(kayobe_max_fail_percentage) |
default(100) }}
tags:
- kayobe-ansible-user
tasks:
- name: Check whether the host is accessible via SSH
raw: hostname
ignore_unreachable: true
changed_when: false
check_mode: no
register: ssh_result
- name: Group hosts requiring kayobe user bootstrapping
group_by:
key: kayobe_user_bootstrap_required_{{ ssh_result.unreachable | default(false) }}
changed_when: false
- name: Display a message when bootstrapping is required
debug:
msg: >
Cannot access host via SSH using Kayobe Ansible user account -
attempting bootstrap
when: ssh_result.unreachable | default(false)
- name: Ensure python is installed and the Kayobe Ansible user account exists
hosts: kayobe_user_bootstrap_required_True
gather_facts: no
max_fail_percentage: >-
{{ kayobe_ansible_user_max_fail_percentage |
default(host_configure_max_fail_percentage) |
default(kayobe_max_fail_percentage) |
default(100) }}
vars:
ansible_user: "{{ bootstrap_user }}"
# We can't assume that a virtualenv exists at this point, so use the system
# python interpreter.
ansible_python_interpreter: /usr/bin/python3
dnf_options:
- "-y"
- "{% if 'proxy' in dnf_config %}--setopt=proxy={{ dnf_config['proxy'] }}{% endif %}"
tags:
- kayobe-ansible-user
- ensure-python
tasks:
- name: Check if python is installed
raw: test -e /usr/bin/python3
changed_when: false
failed_when: false
register: check_python
# TODO(priteau): Support apt proxy
- name: Ensure python is installed
raw: "test -e /usr/bin/apt && (sudo apt -y update && sudo apt install -y python3-minimal) || (sudo dnf {{ dnf_options | select | join(' ') }} install python3)"
when: check_python.rc != 0
- import_role:
name: singleplatform-eng.users
vars:
groups_to_create: "{{ [{'name': 'docker'}] if 'container-engine' in group_names and container_engine == 'docker' else [] }}"
users:
- username: "{{ kayobe_ansible_user }}"
name: Kayobe deployment user
groups: "{{ ['docker'] if 'container-engine' in group_names and container_engine == 'docker' else [] }}"
append: True
ssh_key:
- "{{ lookup('file', ssh_public_key_path) }}"
become: True
- name: Ensure the Kayobe Ansible user has passwordless sudo
copy:
content: "{{ kayobe_ansible_user }} ALL=(ALL) NOPASSWD: ALL"
dest: "/etc/sudoers.d/kayobe-ansible-user"
mode: 0440
become: True
- name: Verify that the Kayobe Ansible user account is accessible
hosts: seed-hypervisor:seed:overcloud:infra-vms
gather_facts: false
max_fail_percentage: >-
{{ kayobe_ansible_user_max_fail_percentage |
default(host_configure_max_fail_percentage) |
default(kayobe_max_fail_percentage) |
default(100) }}
tags:
- kayobe-ansible-user
vars:
# We can't assume that a virtualenv exists at this point, so use the system
# python interpreter.
ansible_python_interpreter: /usr/bin/python3
tasks:
- name: Verify that a command can be executed
command: hostname
changed_when: false
- name: Verify that a command can be executed with become
command: hostname
changed_when: false
become: true