diff --git a/playbooks/group_vars/afs.yaml b/playbooks/group_vars/afs.yaml index 2314190b2e..d6fa5c665f 100644 --- a/playbooks/group_vars/afs.yaml +++ b/playbooks/group_vars/afs.yaml @@ -1 +1,6 @@ iptables_extra_public_udp_ports: [7000,7001,7002,7003,7004,7005,7006,7007] + +# we allow a special key deployed on the mirror-update hosts to run a +# restricted script that runs "vos release" with localauth +# permissions, to avoid timeouts. See vos-release role. +bastion_key_exclusive: false \ No newline at end of file diff --git a/playbooks/roles/vos-release/README.rst b/playbooks/roles/vos-release/README.rst index 27d2b9d1f4..7683e52692 100644 --- a/playbooks/roles/vos-release/README.rst +++ b/playbooks/roles/vos-release/README.rst @@ -5,10 +5,10 @@ Install a user and script to do remote ``vos release`` with timeouts. This relies on ``vos_release_keypair`` which is expected to be a -single keypair from the mirror-update host. It will allow that -keypair to run ``/usr/local/bin/vos_release.sh``, which filters the -incoming command. Releases are expected to be triggered on the update -host with:: +single keypair set previously by hosts in the "mirror-update" group. +It will allow that keypair to run ``/usr/local/bin/vos_release.sh``, +which filters the incoming command. Releases are expected to be +triggered on the update host with:: ssh -i /root/.ssh/id_vos_release afs01.dfw.openstack.org vos release . diff --git a/playbooks/roles/vos-release/tasks/main.yaml b/playbooks/roles/vos-release/tasks/main.yaml index de42074e2e..cb38a5fa5c 100644 --- a/playbooks/roles/vos-release/tasks/main.yaml +++ b/playbooks/roles/vos-release/tasks/main.yaml 
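Review bot: The comment above `bastion_key_exclusive: false` explains why the vos-release key is wanted but not what the setting costs: the name suggests it feeds the `exclusive` parameter of `authorized_key`, so on the afs hosts root's authorized_keys will presumably no longer be pruned of keys Ansible did not deploy, and that trade-off should be stated where the knob is flipped. Suggest adding `# NOTE: root's authorized_keys on these hosts is no longer managed exclusively, so keys added outside of Ansible are not removed; review it periodically.` "To avoid timeouts" is also vague; if it means the localauth release avoids token expiry during long releases, say so, since the README describes the script as adding timeouts rather than avoiding them. The new file also ends without a trailing newline, which yamllint will flag.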
@@ -9,11 +9,13 @@
 - name: Ensure update key
   assert:
     that:
-      - vos_release_keypair is defined
+      - hostvars[item]['vos_release_keypair'] is defined
+  with_inventory_hostnames: mirror-update
 
 - name: Install vos release key
   authorized_key:
     user: 'root'
     state: present
-    key: '{{ vos_release_keypair["public_key"] }}'
-    key_options: 'command="/usr/local/bin/vos_release.sh",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty'
\ No newline at end of file
+    key: '{{ hostvars[item]["vos_release_keypair"]["public_key"] }}'
+    key_options: 'command="/usr/local/bin/vos_release.sh",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty'
+  with_inventory_hostnames: mirror-update
\ No newline at end of file
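Review bot: Keys of hosts that leave the mirror-update group are never revoked, because the `authorized_key` task in the "Install vos release key" loop only ever adds with `state: present` and no `exclusive`, so a decommissioned or compromised update host keeps its forced-command access to root on the afs servers until someone edits `/root/.ssh/authorized_keys` by hand. Now that every host in the group is trusted instead of a single one, each entry should also be bound to its origin with a `from=` pattern alongside the existing `command=`, e.g. `key_options: 'from="{{ item }}",command="/usr/local/bin/vos_release.sh",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty'`, assuming the inventory hostnames are the resolvable names the hosts connect from, which needs confirming. Setting `comment: 'vos_release@{{ item }}'` on the module would make it obvious in authorized_keys which group member each key belongs to and simplify manual pruning. The preceding tasks of this role, including how `vos_release_keypair` is set on the mirror-update hosts, lie outside the hunk.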