From cd3a910ac0a8a4dfc76a9e1555fdbb6241b761ea Mon Sep 17 00:00:00 2001 From: jkilpatr Date: Wed, 20 Jul 2016 09:40:43 -0400 Subject: [PATCH] Removed Ansible become from Conmon install This commit changes the conmon install playbook as well as the required tasks and handlers to use become instead of having the whole playbook run as root by ansible_become. The playbook has been tested against my own cloud. https://trello.com/c/KBFbahdV/38-ansible-remove-ansible-become-from-vars-and-use-become-instead Change-Id: Icf89451371dd9fc5da9880d6a00ae91c88011970 --- ansible/install/connmon.yml | 2 -- ansible/install/roles/cinder/handlers/main.yml | 4 ++++ ansible/install/roles/cinder/tasks/main.yml | 2 ++ ansible/install/roles/connmon/tasks/main.yml | 15 ++++++++------- ansible/install/roles/heat/handlers/main.yml | 4 ++++ ansible/install/roles/heat/tasks/main.yml | 2 ++ ansible/install/roles/keystone/handlers/main.yml | 5 +++++ ansible/install/roles/keystone/tasks/main.yml | 2 ++ ansible/install/roles/neutron/handlers/main.yml | 4 ++++ ansible/install/roles/neutron/tasks/main.yml | 2 ++ ansible/install/roles/nova/handlers/main.yml | 4 ++++ ansible/install/roles/nova/tasks/main.yml | 2 ++ 12 files changed, 39 insertions(+), 9 deletions(-) diff --git a/ansible/install/connmon.yml b/ansible/install/connmon.yml index d66ed2c41..cae83e710 100644 --- a/ansible/install/connmon.yml +++ b/ansible/install/connmon.yml @@ -6,7 +6,6 @@ - hosts: undercloud remote_user: "{{ local_remote_user }}" vars: - ansible_become: true undercloud: true roles: - common @@ -15,7 +14,6 @@ - hosts: controller remote_user: "{{ host_remote_user }}" vars: - ansible_become: true undercloud: false roles: - common diff --git a/ansible/install/roles/cinder/handlers/main.yml b/ansible/install/roles/cinder/handlers/main.yml index 277125ae8..5fb094553 100644 --- a/ansible/install/roles/cinder/handlers/main.yml +++ b/ansible/install/roles/cinder/handlers/main.yml 
@@ -5,6 +5,7 @@ - name: unmanage cinder services command: pcs resource unmanage {{ item }} + become: true with_items: - openstack-cinder-api - openstack-cinder-scheduler @@ -13,6 +14,7 @@ - name: restart cinder services service: name={{ item }} state=restarted + become: true with_items: - openstack-cinder-api - openstack-cinder-scheduler @@ -20,6 +22,7 @@ - name: manage cinder services command: pcs resource manage {{ item }} + become: true with_items: - openstack-cinder-api - openstack-cinder-scheduler @@ -28,6 +31,7 @@ - name: cleanup cinder services command: pcs resource cleanup {{ item }} + become: true with_items: - openstack-cinder-api - openstack-cinder-scheduler diff --git a/ansible/install/roles/cinder/tasks/main.yml b/ansible/install/roles/cinder/tasks/main.yml index 300253943..57249fd1e 100644 --- a/ansible/install/roles/cinder/tasks/main.yml +++ b/ansible/install/roles/cinder/tasks/main.yml @@ -6,12 +6,14 @@ - name: Check for connmon in cinder.conf shell: grep -Eq 'connection\s?=\s?mysql:' /etc/cinder/cinder.conf register: cinder_mysql + become: true ignore_errors: true changed_when: false - name: Enable Connmon in cinder.conf shell: sed -i 's/mysql:/mysql+connmon:/g' /etc/cinder/cinder.conf when: cinder_mysql.rc == 0 + become: true notify: - unmanage cinder services - restart cinder services diff --git a/ansible/install/roles/connmon/tasks/main.yml b/ansible/install/roles/connmon/tasks/main.yml index e245334ec..da0ffcae0 100644 --- a/ansible/install/roles/connmon/tasks/main.yml +++ b/ansible/install/roles/connmon/tasks/main.yml @@ -5,9 +5,11 @@ - name: Install pip easy_install: name=pip + become: true - name: Install connmon pip: name=connmon + become: true # # Connmon Setup @@ -20,9 +22,11 @@ owner: root group: root mode: 0644 + become: true - name: Install Screen for connmon yum: name=screen state=latest + become: true when: undercloud # To remove the screen session: screen -X -S connmond kill 
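Review bot: The `sed -i 's/mysql:/mysql+connmon:/g'` in "Enable Connmon in cinder.conf" now runs as root and rewrites every `mysql:` in the file, while the preceding grep only checks for a `connection = mysql:` line, so any other `mysql:` string in cinder.conf would be rewritten too. The `replace` module with a regexp scoped to that line would make the edit idempotent and make the separate grep task and its `ignore_errors: true` unnecessary. The same pattern appears in the heat, keystone, neutron and nova tasks hunks. The task's notify list continues past the end of this hunk.

```yaml
- name: Enable Connmon in cinder.conf
  replace:
    dest: /etc/cinder/cinder.conf
    regexp: '(connection\s?=\s?)mysql:'
    replace: '\1mysql+connmon:'
  become: true
  # … unchanged: notify list …
```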
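Review bot: `pip: name=connmon` installs whatever release the package index serves at run time, and with the added `become: true` that code is installed as root on the undercloud and on each controller. Pinning the release, for example `pip: name=connmon version=<PINNED_VERSION>`, keeps the privileged install reproducible and reviewable. The `easy_install: name=pip` task above it has the same exposure; where the distribution ships a pip package, installing it through the package manager would avoid it.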
@@ -31,12 +35,6 @@ when: undercloud changed_when: false -- name: Change connmon result owner - command: chown "{{ local_remote_user }}":"{{ local_remote_user }}" /tmp/connmon_results.csv - when: undercloud - changed_when: false - ignore_errors: true - ### begin firewall ### # we need TCP/5555 open # determine firewall status and take action @@ -76,8 +74,9 @@ - name: (connmon) check firewall rules for TCP/{{connmon_port}} (iptables-services) shell: grep "dport {{connmon_port}} \-j ACCEPT" /etc/sysconfig/iptables | wc -l ignore_errors: true + become: true register: iptables_tcp5800_exists - failed_when: iptables_tcp{{connmon_port}}_exists == 127 + failed_when: iptables_tcp{{connmon_port}}_exists == 127i no_log: true - name: (connmon) Add firewall rule for TCP/{{connmon_port}} (iptables-services) @@ -87,12 +86,14 @@ regexp: '^INPUT -i lo -j ACCEPT' insertbefore: '-A INPUT -i lo -j ACCEPT' backup: yes + become: true when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_tcp5800_exists.stdout|int == 0 register: iptables_needs_restart - name: (connmon) Restart iptables-services for TCP/{{connmon_port}} (iptables-services) shell: systemctl restart iptables.service ignore_errors: true + become: true when: iptables_needs_restart != 0 and firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 ### end firewall ### diff --git a/ansible/install/roles/heat/handlers/main.yml b/ansible/install/roles/heat/handlers/main.yml index 5e7ef5ab5..87d49e135 100644 --- a/ansible/install/roles/heat/handlers/main.yml +++ b/ansible/install/roles/heat/handlers/main.yml @@ -5,6 +5,7 @@ # - name: unmanage heat services command: pcs resource unmanage {{ item }} + become: true with_items: - openstack-heat-api - openstack-heat-engine 
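Review bot: `failed_when: iptables_tcp{{connmon_port}}_exists == 127i` gains a stray `i`, which looks like an editor keystroke rather than an intended change and is likely to make the conditional fail to parse. The expression also templates the variable name, which only matches the registered `iptables_tcp5800_exists` when connmon_port is 5800, and it compares the whole registered result rather than its return code. `failed_when: iptables_tcp5800_exists.rc == 127` would express the apparent intent. Because the task also sets `ignore_errors: true` and `no_log: true`, a broken check here would be hard to notice in a run.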
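Review bot: `when: iptables_needs_restart != 0 and ...` on the restart task compares the registered lineinfile result with 0, which is always true, so with the added `become: true` iptables is restarted as root on every run where firewalld is not in use, whether or not a rule was added. `when: iptables_needs_restart.changed and firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0` would limit the restart to runs that actually changed the rules file. The lineinfile task that registers the variable starts above this hunk.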
@@ -12,12 +13,14 @@ - name: restart heat services service: name={{ item }} state=restarted + become: true with_items: - openstack-heat-api - openstack-heat-engine - name: manage heat services command: pcs resource manage {{ item }} + become: true with_items: - openstack-heat-api - openstack-heat-engine @@ -25,6 +28,7 @@ - name: cleanup heat services command: pcs resource cleanup {{ item }} + become: true with_items: - openstack-heat-api - openstack-heat-engine diff --git a/ansible/install/roles/heat/tasks/main.yml b/ansible/install/roles/heat/tasks/main.yml index 11c26ec88..4210ec991 100644 --- a/ansible/install/roles/heat/tasks/main.yml +++ b/ansible/install/roles/heat/tasks/main.yml @@ -5,12 +5,14 @@ - name: Check for connmon in heat.conf shell: grep -Eq 'connection\s?=\s?mysql:' /etc/heat/heat.conf register: heat_mysql + become: true ignore_errors: true changed_when: false - name: Enable Connmon in heat.conf shell: sed -i 's/mysql:/mysql+connmon:/g' /etc/heat/heat.conf when: heat_mysql.rc == 0 + become: true notify: - unmanage heat services - restart heat services diff --git a/ansible/install/roles/keystone/handlers/main.yml b/ansible/install/roles/keystone/handlers/main.yml index 76070420b..35cd5f602 100644 --- a/ansible/install/roles/keystone/handlers/main.yml +++ b/ansible/install/roles/keystone/handlers/main.yml @@ -10,6 +10,7 @@ - name: restart httpd service: name=httpd state=restarted when: "'httpd' == '{{ keystone_deployment }}'" + become: true # # Restart keystone when in eventlet 
@@ -18,18 +19,22 @@ - name: unmanage keystone command: pcs resource unmanage openstack-keystone when: "'eventlet' == '{{ keystone_deployment }}'" + become: true ignore_errors: true - name: restart keystone service: name=openstack-keystone state=restarted when: "'eventlet' == '{{ keystone_deployment }}'" + become: true - name: manage keystone command: pcs resource manage openstack-keystone when: "'eventlet' == '{{ keystone_deployment }}'" + become: true ignore_errors: true - name: cleanup keystone command: pcs resource cleanup openstack-keystone when: "'eventlet' == '{{ keystone_deployment }}'" + become: true ignore_errors: true diff --git a/ansible/install/roles/keystone/tasks/main.yml b/ansible/install/roles/keystone/tasks/main.yml index 765fbdab2..f82d9f8b3 100644 --- a/ansible/install/roles/keystone/tasks/main.yml +++ b/ansible/install/roles/keystone/tasks/main.yml @@ -24,12 +24,14 @@ - name: Check for connmon in keystone.conf shell: grep -Eq 'connection\s?=\s?mysql:' /etc/keystone/keystone.conf register: keystone_mysql + become: true ignore_errors: true changed_when: false - name: Enable connmon in keystone.conf shell: sed -i 's/mysql:/mysql+connmon:/g' /etc/keystone/keystone.conf when: keystone_mysql.rc == 0 + become: true notify: - restart httpd - unmanage keystone diff --git a/ansible/install/roles/neutron/handlers/main.yml b/ansible/install/roles/neutron/handlers/main.yml index 1da13ab5b..36907ffa2 100644 --- a/ansible/install/roles/neutron/handlers/main.yml +++ b/ansible/install/roles/neutron/handlers/main.yml @@ -5,15 +5,19 @@ - name: unmanage neutron-server command: pcs resource unmanage neutron-server + become: true ignore_errors: true - name: restart neutron-server service: name=neutron-server state=restarted + become: true - name: manage neutron-server command: pcs resource manage neutron-server + become: true ignore_errors: true - name: cleanup neutron-server command: pcs resource cleanup neutron-server + become: true ignore_errors: true 
diff --git a/ansible/install/roles/neutron/tasks/main.yml b/ansible/install/roles/neutron/tasks/main.yml index 14b6e680d..81df216bf 100644 --- a/ansible/install/roles/neutron/tasks/main.yml +++ b/ansible/install/roles/neutron/tasks/main.yml @@ -6,12 +6,14 @@ - name: Check for connmon in neutron.conf shell: grep -Eq 'connection\s?=\s?mysql:' /etc/neutron/neutron.conf register: neutron_mysql + become: true ignore_errors: true changed_when: false - name: Enable Connmon in neutron.conf shell: sed -i 's/mysql:/mysql+connmon:/g' /etc/neutron/neutron.conf when: neutron_mysql.rc == 0 + become: true notify: - unmanage neutron-server - restart neutron-server diff --git a/ansible/install/roles/nova/handlers/main.yml b/ansible/install/roles/nova/handlers/main.yml index b8cd3aa68..f3b45ce40 100644 --- a/ansible/install/roles/nova/handlers/main.yml +++ b/ansible/install/roles/nova/handlers/main.yml @@ -5,6 +5,7 @@ - name: unmanage nova services command: pcs resource unmanage {{ item }} + become: true with_items: - openstack-nova-api - openstack-nova-scheduler @@ -13,6 +14,7 @@ - name: restart nova services service: name={{ item }} state=restarted + become: true with_items: - openstack-nova-api - openstack-nova-scheduler @@ -20,6 +22,7 @@ - name: manage nova services command: pcs resource manage {{ item }} + become: true with_items: - openstack-nova-api - openstack-nova-scheduler @@ -28,6 +31,7 @@ - name: cleanup nova services command: pcs resource cleanup {{ item }} + become: true with_items: - openstack-nova-api - openstack-nova-scheduler diff --git a/ansible/install/roles/nova/tasks/main.yml b/ansible/install/roles/nova/tasks/main.yml index 7e31f1464..27fee5636 100644 --- a/ansible/install/roles/nova/tasks/main.yml +++ b/ansible/install/roles/nova/tasks/main.yml 
@@ -6,12 +6,14 @@ - name: Check for connmon in nova.conf shell: grep -Eq 'connection\s?=\s?mysql:' /etc/nova/nova.conf register: nova_mysql + become: true ignore_errors: true changed_when: false - name: Enable Connmon in nova.conf shell: sed -i 's/mysql:/mysql+connmon:/g' /etc/nova/nova.conf when: nova_mysql.rc == 0 + become: true notify: - unmanage nova services - restart nova services