CORD-807
prep for removal of gradle from platform-install
refresh apt cache
improve SSH port check
add inventory for running on head node
copy of /opt/cord happens in cord repo now
fix how SSH pubkey is handled for LXD
fix perms during pki CA dir creation
PKI/credentials permissions
retry juju add-machine
checks/pauses to allow juju or containers to be ready
Change-Id: Iababb1bd8e464ae1d44c9b252d9bc07d66cf0872
diff --git a/build.gradle b/build.gradle.todelete
similarity index 100%
rename from build.gradle
rename to build.gradle.todelete
diff --git a/inventory/head-localhost b/inventory/head-localhost
new file mode 100644
index 0000000..6446998
--- /dev/null
+++ b/inventory/head-localhost
@@ -0,0 +1,7 @@
+; used to bootstrap CiaB configs
+
+[head]
+localhost ansible_connection=local
+
+[compute]
+; empty, but needed to avoid template issues
diff --git a/roles/create-lxd/tasks/main.yml b/roles/create-lxd/tasks/main.yml
index ebeeb8c..bf02d9f 100644
--- a/roles/create-lxd/tasks/main.yml
+++ b/roles/create-lxd/tasks/main.yml
@@ -23,12 +23,10 @@
update_cache: yes
default_release: trusty-backports
-# For lookup() below
-- name: Fetch remote key
- fetch:
- src: .ssh/id_rsa.pub
- dest: /tmp/id_rsa.pub
- flat: yes
+# For lxd_profile, has to be run as normal user
+- name: Get user's SSH public key into lxd_ssh_pubkey to create LXD profile
+ set_fact:
+ lxd_ssh_pubkey: "{{ lookup('file', '{{ ansible_user_dir }}/.ssh/id_rsa.pub') }}"
- name: Create openstack LXD profile
become: yes
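Review bot: The new `lxd_ssh_pubkey` fact nests a `{{ ansible_user_dir }}` template inside the string passed to `lookup('file', …)`; inside a Jinja expression the variable is already in scope, so the portable form is `lxd_ssh_pubkey: "{{ lookup('file', ansible_user_dir ~ '/.ssh/id_rsa.pub') }}"`. Note also that `lookup('file')` reads from the control node while `ansible_user_dir` is a fact about the target, so this only yields the right key when the head node is the controller (which the new `inventory/head-localhost` with `ansible_connection=local` appears to assume); that coupling is worth stating in the comment on the task, e.g. `# lookup('file') runs on the control node: only valid when the head node is the controller`. The "Create openstack LXD profile" task continues outside the hunk.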
@@ -39,7 +37,7 @@
user.user-data: |
#cloud-config
ssh_authorized_keys:
- - "{{ lookup('file', '/tmp/id_rsa.pub') }}"
+ - "{{ lxd_ssh_pubkey }}"
description: 'OpenStack services on CORD'
devices:
eth0:
@@ -87,10 +85,11 @@
delay: 10
failed_when: all_resolved.everyone != "OK"
-- name: wait for containers to come up
+- name: Wait for containers to be accessible via SSH
wait_for:
- host={{ item.name }}
- port=22
+ host: "{{ item.name }}"
+ port: 22
+ search_regex: "OpenSSH"
with_items: "{{ head_lxd_list }}"
- name: Create /etc/ansible/hosts file
@@ -137,3 +136,4 @@
- name: Verify that we can log into every container after restarting network interfaces
when: not on_maas
command: ansible containers -m ping -u ubuntu
+
diff --git a/roles/head-prep/tasks/main.yml b/roles/head-prep/tasks/main.yml
index ee265be..4668bc1 100644
--- a/roles/head-prep/tasks/main.yml
+++ b/roles/head-prep/tasks/main.yml
@@ -5,7 +5,6 @@
apt:
name={{ item }}
update_cache=yes
- cache_valid_time=3600
with_items:
- python-pycurl
- software-properties-common
@@ -22,7 +21,6 @@
name={{ item }}
state=present
update_cache=yes
- cache_valid_time=3600
with_items:
- uvtool
- git
diff --git a/roles/juju-setup/tasks/main.yml b/roles/juju-setup/tasks/main.yml
index 554add9..9ce2279 100644
--- a/roles/juju-setup/tasks/main.yml
+++ b/roles/juju-setup/tasks/main.yml
@@ -31,6 +31,18 @@
src={{ juju_config_name }}_juju_config.yml.j2
dest={{ juju_config_path }}
+# check that containers are ready to be accessed, juju add-machine may error
+- name: Check that machines are available for Juju
+ command: ansible containers -m ping -u ubuntu
+ tags:
+ - skip_ansible_lint # connectivity check
+ retries: 3
+ delay: 10
+
+- name: Pause to allow juju to become ready
+ pause:
+ seconds: 15
+
# For setwise operations on desired vs Juju state:
# list of active juju_machines names: juju_machines.keys()
# list of active juju_services names: juju_services.keys()
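Review bot: `retries: 3` and `delay: 10` on the "Check that machines are available for Juju" task have no effect without an `until:` condition, so a container that is not yet reachable still fails the play on the first attempt; add `register: containers_ping` and `until: containers_ping.rc == 0` to the task. The `command` module also reports changed on every run, so `changed_when: false` would keep this connectivity check from showing up as a change. The fixed 15-second `pause` that follows is a guess rather than a readiness check; if the juju CLI offers a status command it would be better polled with the same register/until/retries pattern, though that cannot be confirmed from this hunk.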
diff --git a/roles/pki-intermediate-ca/tasks/main.yml b/roles/pki-intermediate-ca/tasks/main.yml
index 8485dc2..ac066ac 100644
--- a/roles/pki-intermediate-ca/tasks/main.yml
+++ b/roles/pki-intermediate-ca/tasks/main.yml
@@ -2,9 +2,12 @@
# pki-ca/tasks/main.yml
- name: Create intermediate CA directory
+ become: yes
file:
dest: "{{ pki_dir }}/intermediate_ca"
state: directory
+ owner: "{{ ansible_user_id }}"
+ mode: 0755
- name: Create intermediate CA openssl.cnf from template
template:
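Review bot: The new `mode: 0755` is an unquoted octal literal, which depends on the YAML 1.1 octal rule (PyYAML yields the integer 493, which Ansible's `file` module happens to accept); the documented safe form is `mode: "0755"`, and the same applies to every `mode:` line added in `roles/pki-root-ca/tasks/main.yml`. Adding `become: yes` here means the directory is created by root and then handed to `ansible_user_id`, which relies on facts having been gathered before this role runs; if `gather_facts` is ever disabled for the play this task will fail on an undefined variable, so a one-line comment noting the dependency would help, e.g. `# owner uses the ansible_user_id fact; requires gather_facts`.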
diff --git a/roles/pki-root-ca/defaults/main.yml b/roles/pki-root-ca/defaults/main.yml
index ebfd5ed..326eb36 100644
--- a/roles/pki-root-ca/defaults/main.yml
+++ b/roles/pki-root-ca/defaults/main.yml
@@ -1,6 +1,8 @@
---
# pki-root-ca/defaults/main.yml
+
pki_dir: "{{ playbook_dir }}/pki"
+credentials_dir: "{{ playbook_dir }}/credentials"
# ca parameters
ca_digest: "sha256"
diff --git a/roles/pki-root-ca/tasks/main.yml b/roles/pki-root-ca/tasks/main.yml
index eb23d09..6da6e9b 100644
--- a/roles/pki-root-ca/tasks/main.yml
+++ b/roles/pki-root-ca/tasks/main.yml
@@ -1,10 +1,21 @@
---
# pki-root-ca/tasks/main.yml
+- name: Make sure credentials directory has proper ownership
+ become: yes
+ file:
+ dest: "{{ credentials_dir }}"
+ state: directory
+ owner: "{{ ansible_user_id }}"
+ mode: 0700
+
- name: Create root CA directory
+ become: yes
file:
dest: "{{ pki_dir }}/root_ca"
state: directory
+ owner: "{{ ansible_user_id }}"
+ mode: 0755
- name: Create root CA openssl.cnf from template
template:
@@ -16,6 +27,8 @@
file:
dest: "{{ pki_dir }}/root_ca/{{ item }}"
state: directory
+ owner: "{{ ansible_user_id }}"
+ mode: 0755
with_items:
- certs
- crl
@@ -25,6 +38,7 @@
file:
dest: "{{ pki_dir }}/root_ca/private"
state: directory
+ owner: "{{ ansible_user_id }}"
mode: 0700
- name: Create serial file
@@ -38,11 +52,14 @@
dest: "{{ pki_dir }}/root_ca/index.txt"
content: ""
force: no
+ owner: "{{ ansible_user_id }}"
+ mode: 0755
- name: Save root passphrase to root_ca/private/ca_root_phrase
copy:
dest: "{{ pki_dir }}/root_ca/private/ca_root_phrase"
content: "{{ ca_root_phrase }}"
+ owner: "{{ ansible_user_id }}"
mode: 0400
- name: Generate root key
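Review bot: `mode: 0755` on `index.txt` sets the execute bit on a regular data file (it is written via `content: ""`), which is not needed for a CA database; `mode: "0644"` (quoted, to avoid the YAML octal trap) is sufficient and matches the intent of the directory permissions above. The `owner` and `0400` mode added for `ca_root_phrase` are appropriate for a passphrase file; consider adding `group: "{{ ansible_user_id }}"` alongside `owner` on the private-material tasks so the group is not left as root's default after `become`, though whether that matters depends on how the files are consumed later, which is outside the hunk.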
@@ -57,6 +74,7 @@
- name: Set permissions on root key
file:
dest: "{{ pki_dir }}/root_ca/private/ca_key.pem"
+ owner: "{{ ansible_user_id }}"
mode: 0400
- name: Create root certificate
diff --git a/roles/xos-install/tasks/main.yml b/roles/xos-install/tasks/main.yml
index 7154205..72c4aa0 100644
--- a/roles/xos-install/tasks/main.yml
+++ b/roles/xos-install/tasks/main.yml
@@ -17,19 +17,20 @@
- python-glanceclient
# ---- copy repos from the dev machine to the head node ----
+# note: this happens in the `cord` repo now
-- name: Create cord destination directory
- become: yes
- file:
- path: "{{ cord_dest_dir }}"
- state: directory
- mode: 0755
- owner: "{{ ansible_user_id }}"
+# - name: Create cord destination directory
+# become: yes
+# file:
+# path: "{{ cord_dest_dir }}"
+# state: directory
+# mode: 0755
+# owner: "{{ ansible_user_id }}"
-- name: Copy the whole repo tree
- synchronize:
- src: "{{ playbook_dir }}/../../../cord/"
- dest: "{{ cord_dest_dir }}/"
+# - name: Copy the whole repo tree
+# synchronize:
+# src: "{{ playbook_dir }}/../../../cord/"
+# dest: "{{ cord_dest_dir }}/"
- name: Create directory xos_services
file:
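Review bot: The two removed tasks ("Create cord destination directory" and "Copy the whole repo tree") are re-added as commented-out YAML rather than deleted; version control already preserves them, and commented-out tasks tend to drift out of sync with the live ones. Keep only the one-line pointer `# note: this happens in the \`cord\` repo now` and drop the commented block. The "Create directory xos_services" task begins at the end of this hunk and continues outside it.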