From 9965cc46ff627e002ebeb1060e499c2991fc9f33 Mon Sep 17 00:00:00 2001
From: Duong Ha-Quang <duonghq@vn.fujitsu.com>
Date: Wed, 24 Aug 2016 00:28:08 +0700
Subject: [PATCH] Specify 'become' for only neccesary tasks (all other roles)

Add become only to the necessary tasks in these roles:

- aodh
- barbican
- bifrost
- ceilometer
- ceph
- chrony
- cinder
- cloudkitty
- collectd
- congress
- designate
- elasticsearch
- etcd
- freezer
- gnocchi
- grafana
- influxdb
- ironic
- iscsi
- karbor
- kibana
- kuryr
- magnum
- manila
- mistral
- mongodb
- multipathd
- murano
- octavia
- panko
- qdrouterd
- rally
- sahara
- searchlight
- senlin
- skydive
- solum
- swift
- swift
- tacker
- telegraf
- tempest
- trove
- vmtp
- watcher
- zun

Change-Id: I6e32d94d4172dd96d09d8609e8a5221ab5586a31
Partial-Implements: blueprint ansible-specific-task-become
---
 ansible/roles/aodh/tasks/config.yml           | 13 +++++++++++-
 ansible/roles/barbican/tasks/config.yml       | 15 ++++++++++++-
 ansible/roles/bifrost/tasks/config.yml        | 11 +++++++++-
 ansible/roles/ceilometer/tasks/config.yml     | 15 ++++++++++++-
 ansible/roles/ceph/tasks/config.yml           |  9 +++++++-
 .../roles/ceph/tasks/distribute_keyrings.yml  | 12 ++++++++---
 ansible/roles/ceph/tasks/start_osds.yml       |  2 ++
 ansible/roles/chrony/tasks/config.yml         |  9 +++++++-
 ansible/roles/cinder/tasks/ceph.yml           |  7 +++++++
 ansible/roles/cinder/tasks/config.yml         |  9 +++++++-
 ansible/roles/cinder/tasks/external_ceph.yml  | 10 +++++++++
 ansible/roles/cloudkitty/tasks/config.yml     | 13 +++++++++++-
 ansible/roles/collectd/tasks/config.yml       | 14 +++++++++++--
 ansible/roles/congress/tasks/config.yml       | 11 +++++++++-
 ansible/roles/designate/tasks/config.yml      | 19 ++++++++++++++++-
 ansible/roles/elasticsearch/tasks/config.yml  |  9 +++++++-
 ansible/roles/etcd/tasks/config.yml           |  9 +++++++-
 ansible/roles/freezer/tasks/config.yml        | 13 +++++++++++-
 ansible/roles/gnocchi/tasks/config.yml        | 11 +++++++++-
 ansible/roles/grafana/tasks/config.yml        |  9 +++++++-
 ansible/roles/influxdb/tasks/config.yml       |  9 +++++++-
 ansible/roles/ironic/tasks/config.yml         | 21 ++++++++++++++++++-
 ansible/roles/iscsi/tasks/config.yml          | 15 +++++++++++--
 ansible/roles/karbor/tasks/config.yml         | 13 +++++++++++-
 ansible/roles/kibana/tasks/config.yml         |  9 +++++++-
 ansible/roles/kuryr/tasks/config.yml          | 13 +++++++++++-
 ansible/roles/magnum/tasks/config.yml         | 11 +++++++++-
 ansible/roles/manila/tasks/config.yml         | 11 +++++++++-
 ansible/roles/mistral/tasks/config.yml        |  6 ++++++
 ansible/roles/mongodb/tasks/config.yml        |  9 +++++++-
 ansible/roles/multipathd/tasks/config.yml     |  9 +++++++-
 ansible/roles/murano/tasks/config.yml         |  9 +++++++-
 ansible/roles/octavia/tasks/config.yml        | 11 +++++++++-
 ansible/roles/panko/tasks/config.yml          | 13 +++++++++++-
 ansible/roles/qdrouterd/tasks/config.yml      | 11 +++++++++-
 ansible/roles/rally/tasks/config.yml          | 11 +++++++++-
 ansible/roles/sahara/tasks/config.yml         | 11 +++++++++-
 ansible/roles/searchlight/tasks/config.yml    | 11 +++++++++-
 ansible/roles/senlin/tasks/config.yml         | 11 +++++++++-
 ansible/roles/skydive/tasks/config.yml        |  9 +++++++-
 ansible/roles/solum/tasks/config.yml          |  9 +++++++-
 ansible/roles/swift/tasks/config.yml          | 18 ++++++++++++++++
 ansible/roles/swift/tasks/start.yml           |  1 +
 ansible/roles/tacker/tasks/config.yml         | 11 +++++++++-
 ansible/roles/telegraf/tasks/config.yml       | 11 +++++++++-
 ansible/roles/tempest/tasks/config.yml        |  6 +++++-
 ansible/roles/trove/tasks/config.yml          | 11 +++++++++-
 ansible/roles/vmtp/tasks/config.yml           |  7 ++++++-
 ansible/roles/watcher/tasks/config.yml        |  7 ++++++-
 ansible/roles/zun/tasks/config.yml            | 13 +++++++++++-
 .../specify-task-become-84f83707f612bcf3.yaml |  4 ++--
 51 files changed, 491 insertions(+), 50 deletions(-)

diff --git a/ansible/roles/aodh/tasks/config.yml b/ansible/roles/aodh/tasks/config.yml
index 996fc57f76..a6fed5eae1 100644
--- a/ansible/roles/aodh/tasks/config.yml
+++ b/ansible/roles/aodh/tasks/config.yml
@@ -3,7 +3,10 @@
   file:
     path: "{{ node_config_directory }}/{{ item.key }}"
     state: "directory"
-    recurse: yes
+    owner: "{{ config_owner_user }}"
+    group: "{{ config_owner_group }}"
+    mode: "0770"
+  become: true
   when:
     - item.value.enabled | bool
     - inventory_hostname in groups[item.value.group]
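Review bot: With `recurse: yes` removed, `owner`, `group` and `mode: "0770"` apply only to the directory itself, so files already present under it from an earlier deployment keep whatever owner and mode they had. The template hunks later in this file set `mode: "0660"` but no owner, so anything they do not rewrite is left untouched. If that is intended, a comment above the task such as `# Directory only; file modes are set by the tasks that write them` would record it. The same first hunk appears in the other roles' config.yml files in this patch, and the task starts above the hunk.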
@@ -30,6 +33,8 @@
   template:
     src: "{{ aodh_policy_file_path }}"
     dest: "{{ node_config_directory }}/{{ item.key }}/{{ aodh_policy_file }}"
+    mode: "0660"
+  become: true
   register: aodh_policy_overwriting
   when:
     - aodh_policy_file is defined
@@ -46,6 +51,8 @@
   template:
     src: "{{ item.key }}.json.j2"
     dest: "{{ node_config_directory }}/{{ item.key }}/config.json"
+    mode: "0660"
+  become: true
   register: aodh_config_jsons
   when:
     - item.value.enabled | bool
@@ -68,6 +75,8 @@
       - "{{ node_custom_config }}/aodh/{{ item.key }}.conf"
       - "{{ node_custom_config }}/aodh/{{ inventory_hostname }}/aodh.conf"
     dest: "{{ node_config_directory }}/{{ item.key }}/aodh.conf"
+    mode: "0660"
+  become: true
   register: aodh_confs
   when:
     - item.value.enabled | bool
@@ -85,6 +94,8 @@
   template:
     src: "wsgi-aodh.conf.j2"
     dest: "{{ node_config_directory }}/aodh-api/wsgi-aodh.conf"
+    mode: "0660"
+  become: true
   register: aodh_conf_wsgi
   when:
     - inventory_hostname in groups[service.group]
diff --git a/ansible/roles/barbican/tasks/config.yml b/ansible/roles/barbican/tasks/config.yml
index c379c253d1..ce971d3c97 100644
--- a/ansible/roles/barbican/tasks/config.yml
+++ b/ansible/roles/barbican/tasks/config.yml
@@ -3,7 +3,10 @@
   file:
     path: "{{ node_config_directory }}/{{ item }}"
     state: "directory"
-    recurse: yes
+    owner: "{{ config_owner_user }}"
+    group: "{{ config_owner_group }}"
+    mode: "0770"
+  become: true
   with_items:
     - "barbican-api/vassals"
     - "barbican-keystone-listener"
@@ -30,6 +33,8 @@
   template:
     src: "{{ item.key }}.json.j2"
     dest: "{{ node_config_directory }}/{{ item.key }}/config.json"
+    mode: "0660"
+  become: true
   register: barbican_config_jsons
   when:
     - inventory_hostname in groups[item.value.group]
@@ -47,6 +52,8 @@
       - "{{ node_custom_config }}/barbican-api/barbican-api.ini"
       - "{{ node_custom_config }}/barbican-api/{{ inventory_hostname }}/barbican-api.ini"
     dest: "{{ node_config_directory }}/barbican-api/vassals/barbican-api.ini"
+    mode: "0660"
+  become: true
   register: barbican_api_ini
   when:
     - inventory_hostname in groups['barbican-api']
@@ -69,6 +76,8 @@
   template:
     src: "{{ node_custom_config }}/barbican/barbican-api-paste.ini"
     dest: "{{ node_config_directory }}/barbican-api/barbican-api-paste.ini"
+    mode: "0660"
+  become: true
   when:
     - inventory_hostname in groups['barbican-api']
     - service.enabled | bool
@@ -88,6 +97,8 @@
       - "{{ node_custom_config }}/barbican/{{ item.key }}.conf"
       - "{{ node_custom_config }}/barbican/{{ inventory_hostname }}/barbican.conf"
     dest: "{{ node_config_directory }}/{{ item.key }}/barbican.conf"
+    mode: "0660"
+  become: true
   register: barbican_confs
   when:
     - item.value.enabled | bool
@@ -100,6 +111,8 @@
   template:
     src: "{{ barbican_policy_file_path }}"
     dest: "{{ node_config_directory }}/{{ item.key }}/{{ barbican_policy_file }}"
+    mode: "0660"
+  become: true
   register: barbican_policy_overwriting
   when:
     - barbican_policy_file is defined
diff --git a/ansible/roles/bifrost/tasks/config.yml b/ansible/roles/bifrost/tasks/config.yml
index 11a59a6d3c..5b95d20fd4 100644
--- a/ansible/roles/bifrost/tasks/config.yml
+++ b/ansible/roles/bifrost/tasks/config.yml
@@ -3,7 +3,10 @@
   file:
     path: "{{ node_config_directory }}/{{ item }}"
     state: "directory"
-    recurse: yes
+    owner: "{{ config_owner_user }}"
+    group: "{{ config_owner_group }}"
+    mode: "0770"
+  become: true
   with_items:
     - "bifrost"
 
@@ -14,6 +17,8 @@
       - "{{ node_custom_config }}/{{ item }}.yml"
       - "{{ node_custom_config }}/bifrost/{{ item }}.yml"
     dest: "{{ node_config_directory }}/bifrost/{{ item }}.yml"
+    mode: "0660"
+  become: true
   with_items:
     - "bifrost"
     - "dib"
@@ -23,6 +28,8 @@
   template:
     src: "{{ item }}"
     dest: "{{ node_config_directory }}/bifrost/{{ item }}"
+    mode: "0660"
+  become: true
   with_items:
      - "rabbitmq-env.conf"
 
@@ -30,6 +37,8 @@
   template:
     src: "{{ item.src }}"
     dest: "{{ node_config_directory }}/bifrost/{{ item.dest }}"
+    mode: "0660"
+  become: true
   with_items:
     - { src: "id_rsa", dest: "id_rsa" }
     - { src: "id_rsa.pub", dest: "id_rsa.pub" }
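Review bot: The private key `id_rsa` is written with the same `mode: "0660"` as `id_rsa.pub`, which leaves it group-readable and group-writable on the host. Private key material would be better at `mode: "0600"`, for example by giving each item its own mode (`- { src: "id_rsa", dest: "id_rsa", mode: "0600" }`) and using `mode: "{{ item.mode }}"` in the task. The with_items list may continue past the hunk, so any further entries would need a mode as well.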
diff --git a/ansible/roles/ceilometer/tasks/config.yml b/ansible/roles/ceilometer/tasks/config.yml
index 64efe47ef9..955a29db51 100644
--- a/ansible/roles/ceilometer/tasks/config.yml
+++ b/ansible/roles/ceilometer/tasks/config.yml
@@ -3,7 +3,10 @@
   file:
     path: "{{ node_config_directory }}/{{ item.key }}"
     state: "directory"
-    recurse: yes
+    owner: "{{ config_owner_user }}"
+    group: "{{ config_owner_group }}"
+    mode: "0770"
+  become: true
   when:
     - inventory_hostname in groups[item.value.group]
     - item.value.enabled | bool
@@ -30,6 +33,8 @@
   template:
     src: "{{ item.key }}.json.j2"
     dest: "{{ node_config_directory }}/{{ item.key }}/config.json"
+    mode: "0660"
+  become: true
   register: ceilometer_config_jsons
   when:
     - inventory_hostname in groups[item.value.group]
@@ -51,6 +56,8 @@
       - "{{ node_custom_config }}/ceilometer/{{ item.key }}.conf"
       - "{{ node_custom_config }}/ceilometer/{{ inventory_hostname }}/ceilometer.conf"
     dest: "{{ node_config_directory }}/{{ item.key }}/ceilometer.conf"
+    mode: "0660"
+  become: true
   register: ceilometer_confs
   when:
     - item.value.enabled | bool
@@ -67,6 +74,8 @@
   template:
     src: "{{ item }}.j2"
     dest: "{{ node_config_directory }}/ceilometer-notification/{{ item }}"
+    mode: "0660"
+  become: true
   register: ceilometer_events
   when:
     - inventory_hostname in groups[service.group]
@@ -107,6 +116,8 @@
       - "{{ node_custom_config }}/panko/panko.conf"
       - "{{ node_custom_config }}/panko/{{ inventory_hostname }}/panko.conf"
     dest: "{{ node_config_directory }}/{{ item.key }}/panko.conf"
+    mode: "0660"
+  become: true
   register: panko_confs
   when:
     - enable_panko | bool
@@ -136,6 +147,8 @@
   template:
     src: "{{ ceilometer_policy_file_path }}"
     dest: "{{ node_config_directory }}/{{ item.key }}/{{ ceilometer_policy_file }}"
+    mode: "0660"
+  become: true
   register: policy_jsons
   when:
     - ceilometer_policy_file is defined
diff --git a/ansible/roles/ceph/tasks/config.yml b/ansible/roles/ceph/tasks/config.yml
index 7aa953bfac..470302c5ee 100644
--- a/ansible/roles/ceph/tasks/config.yml
+++ b/ansible/roles/ceph/tasks/config.yml
@@ -3,7 +3,10 @@
   file:
     path: "{{ node_config_directory }}/{{ item }}"
     state: "directory"
-    recurse: yes
+    owner: "{{ config_owner_user }}"
+    group: "{{ config_owner_group }}"
+    mode: "0770"
+  become: true
   with_items:
     - "ceph-mon"
     - "ceph-osd"
@@ -16,6 +19,8 @@
   template:
     src: "{{ item.name }}.json.j2"
     dest: "{{ node_config_directory }}/{{ item.name }}/config.json"
+    mode: "0660"
+  become: true
   when:
     - inventory_hostname in groups[item.group]
   with_items:
@@ -41,6 +46,8 @@
       - "{{ node_custom_config }}/ceph.conf"
       - "{{ node_custom_config }}/ceph/{{ inventory_hostname }}/ceph.conf"
     dest: "{{ node_config_directory }}/{{ item }}/ceph.conf"
+    mode: "0660"
+  become: true
   with_items:
     - "ceph-mon"
     - "ceph-osd"
diff --git a/ansible/roles/ceph/tasks/distribute_keyrings.yml b/ansible/roles/ceph/tasks/distribute_keyrings.yml
index efbd373150..7be4cb25db 100644
--- a/ansible/roles/ceph/tasks/distribute_keyrings.yml
+++ b/ansible/roles/ceph/tasks/distribute_keyrings.yml
@@ -12,21 +12,25 @@
     ceph_files: "{{ (ceph_files_json.stdout | from_json) }}"
 
 - name: Pushing Ceph keyring for OSDs
+  become: true
   bslurp:
     src: "{{ item.content }}"
     dest: "{{ node_config_directory }}/ceph-osd/{{ item.filename }}"
-    mode: 0600
     sha1: "{{ item.sha1 }}"
+    mode: 0600
+  become: true
   with_items:
     - "{{ ceph_files['ceph.client.admin.keyring'] }}"
   when: inventory_hostname in groups['ceph-osd']
 
 - name: Pushing Ceph keyrings for Mons
+  become: true
   bslurp:
     src: "{{ item.content }}"
     dest: "{{ node_config_directory }}/ceph-mon/{{ item.filename }}"
-    mode: 0600
     sha1: "{{ item.sha1 }}"
+    mode: 0600
+  become: true
   with_items:
     - "{{ ceph_files['ceph.client.admin.keyring'] }}"
     - "{{ ceph_files['ceph.client.mon.keyring'] }}"
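Review bot: `become: true` is added twice to each keyring task, once under `- name:` and again after `mode`, both in this hunk (OSD and Mon tasks) and in the RGW hunk below. Duplicate mapping keys are invalid YAML, and parsers that accept them silently keep the last one, so one of each pair should be dropped. The moved `mode: 0600` is also unquoted, which a YAML 1.1 loader reads as the integer 384; the rest of this patch writes modes as strings, so `mode: "0600"` would be consistent. These tasks loop over items that carry keyring content, so `no_log: true` is worth considering if loop items appear in task output.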
@@ -35,11 +39,13 @@
   when: inventory_hostname in groups['ceph-mon']
 
 - name: Pushing Ceph keyrings for RGWs
+  become: true
   bslurp:
     src: "{{ item.content }}"
     dest: "{{ node_config_directory }}/ceph-rgw/{{ item.filename }}"
-    mode: 0600
     sha1: "{{ item.sha1 }}"
+    mode: 0600
+  become: true
   with_items:
     - "{{ ceph_files['ceph.client.admin.keyring'] }}"
     - "{{ ceph_files['ceph.client.radosgw.keyring'] }}"
diff --git a/ansible/roles/ceph/tasks/start_osds.yml b/ansible/roles/ceph/tasks/start_osds.yml
index d44efe094b..cd51d9ce87 100644
--- a/ansible/roles/ceph/tasks/start_osds.yml
+++ b/ansible/roles/ceph/tasks/start_osds.yml
@@ -12,6 +12,7 @@
     osds: "{{ (osd_lookup.stdout.split('localhost | SUCCESS => ')[1]|from_json).disks|from_json }}"
 
 - name: Mounting Ceph OSD volumes
+  become: true
   mount:
     src: "UUID={{ item.fs_uuid }}"
     fstype: "{{ ceph_osd_filesystem }}"
@@ -23,6 +24,7 @@
   become_method: sudo
 
 - name: Gathering OSD IDs
+  become: true
   command: "cat /var/lib/ceph/osd/{{ item['fs_uuid'] }}/whoami"
   with_items: "{{ osds }}"
   register: id
diff --git a/ansible/roles/chrony/tasks/config.yml b/ansible/roles/chrony/tasks/config.yml
index 9afc2f7ffb..972b7ea8f2 100644
--- a/ansible/roles/chrony/tasks/config.yml
+++ b/ansible/roles/chrony/tasks/config.yml
@@ -3,7 +3,10 @@
   file:
     path: "{{ node_config_directory }}/{{ item }}"
     state: "directory"
-    recurse: yes
+    owner: "{{ config_owner_user }}"
+    group: "{{ config_owner_group }}"
+    mode: "0770"
+  become: true
   with_items:
     - "chrony"
 
@@ -11,6 +14,8 @@
   template:
     src: "{{ item }}.json.j2"
     dest: "{{ node_config_directory }}/{{ item }}/config.json"
+    mode: "0660"
+  become: true
   with_items:
     - "chrony"
   notify:
@@ -20,6 +25,8 @@
   template:
     src: "{{ item }}"
     dest: "{{ node_config_directory }}/chrony/chrony.conf"
+    mode: "0660"
+  become: true
   with_first_found:
     - "{{ node_custom_config }}/chrony/{{ inventory_hostname }}/chrony.conf"
     - "{{ node_custom_config }}/chrony/chrony.conf"
diff --git a/ansible/roles/cinder/tasks/ceph.yml b/ansible/roles/cinder/tasks/ceph.yml
index 2be771b6aa..53d1f47d81 100644
--- a/ansible/roles/cinder/tasks/ceph.yml
+++ b/ansible/roles/cinder/tasks/ceph.yml
@@ -7,6 +7,10 @@
   file:
     path: "{{ node_config_directory }}/{{ item.key }}"
     state: "directory"
+    owner: "{{ config_owner_user }}"
+    group: "{{ config_owner_group }}"
+    mode: "0770"
+  become: true
   when:
     - item.value.enabled | bool
     - inventory_hostname in groups[item.value.group]
@@ -24,6 +28,8 @@
       - "{{ node_custom_config }}/ceph.conf"
       - "{{ node_custom_config }}/ceph/{{ inventory_hostname }}/ceph.conf"
     dest: "{{ node_config_directory }}/{{ item.key }}/ceph.conf"
+    mode: "0660"
+  become: true
   when:
     - item.value.enabled | bool
     - inventory_hostname in groups[item.value.group]
@@ -67,6 +73,7 @@
     content: "{{ item.content }}\n\r"
     dest: "{{ node_config_directory }}/{{ item.service_name }}/ceph.client.{{ item.key_name }}.keyring"
     mode: "0600"
+  become: true
   with_items:
     - { service_name: "cinder-volume", key_name: "cinder", content: "{{ cephx_key_cinder.stdout }}" }
     - { service_name: "cinder-backup", key_name: "cinder", content: "{{ cephx_key_cinder.stdout }}" }
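Review bot: Each loop item in this task carries the cephx key in its `content` field, and Ansible prints loop items in task output, so the key is likely to end up in console and callback logs. Adding `no_log: true` next to the new `become: true` would keep it out. The with_items list runs past the end of the hunk, so this may already be set below.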
diff --git a/ansible/roles/cinder/tasks/config.yml b/ansible/roles/cinder/tasks/config.yml
index 13fa9e2133..b00c99f19a 100644
--- a/ansible/roles/cinder/tasks/config.yml
+++ b/ansible/roles/cinder/tasks/config.yml
@@ -3,7 +3,10 @@
   file:
     path: "{{ node_config_directory }}/{{ item.key }}"
     state: "directory"
-    recurse: yes
+    owner: "{{ config_owner_user }}"
+    group: "{{ config_owner_group }}"
+    mode: "0770"
+  become: true
   when:
     - inventory_hostname in groups[item.value.group]
     - item.value.enabled | bool
@@ -30,6 +33,8 @@
   template:
     src: "{{ item.key }}.json.j2"
     dest: "{{ node_config_directory }}/{{ item.key }}/config.json"
+    mode: "0660"
+  become: true
   register: cinder_config_jsons
   when:
     - inventory_hostname in groups[item.value.group]
@@ -69,6 +74,8 @@
       - "{{ node_custom_config }}/cinder/{{ item.key }}.conf"
       - "{{ node_custom_config }}/cinder/{{ inventory_hostname }}/cinder.conf"
     dest: "{{ node_config_directory }}/{{ item.key }}/cinder.conf"
+    mode: "0660"
+  become: true
   register: cinder_confs
   when:
     - item.value.enabled | bool
diff --git a/ansible/roles/cinder/tasks/external_ceph.yml b/ansible/roles/cinder/tasks/external_ceph.yml
index 90f1c6fb6e..d23b20d2d9 100644
--- a/ansible/roles/cinder/tasks/external_ceph.yml
+++ b/ansible/roles/cinder/tasks/external_ceph.yml
@@ -7,6 +7,10 @@
   file:
     path: "{{ node_config_directory }}/{{ item.key }}"
     state: "directory"
+    owner: "{{ config_owner_user }}"
+    group: "{{ config_owner_group }}"
+    mode: "0770"
+  become: true
   when:
     - item.value.enabled | bool
     - inventory_hostname in groups[item.value.group]
@@ -23,6 +27,8 @@
       - "{{ node_custom_config }}/cinder/ceph.conf"
       - "{{ node_custom_config }}/cinder/{{ item.key }}/ceph.conf"
     dest: "{{ node_config_directory }}/{{ item.key }}/ceph.conf"
+    mode: "0660"
+  become: true
   when:
     - item.value.enabled | bool
     - inventory_hostname in groups[item.value.group]
@@ -36,6 +42,8 @@
   copy:
     src: "{{ item }}"
     dest: "{{ node_config_directory }}/cinder-volume/"
+    mode: "0660"
+  become: true
   with_fileglob:
     - "{{ node_custom_config }}/cinder/cinder-volume/ceph.client*"
   when:
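Review bot: The `ceph.client*` files copied here are presumably keyrings, yet they get `mode: "0660"`, while the keyring written in cinder/tasks/ceph.yml in this same patch keeps `mode: "0600"`. Unless the group genuinely needs access, `mode: "0600"` would be the consistent and tighter choice. The cinder-backup copy in the next hunk has the same setting, and both tasks continue past their hunks.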
@@ -49,6 +57,8 @@
   copy:
     src: "{{ item }}"
     dest: "{{ node_config_directory }}/cinder-backup/"
+    mode: "0660"
+  become: true
   with_fileglob:
     - "{{ node_custom_config }}/cinder/cinder-backup/ceph.client*"
   when:
diff --git a/ansible/roles/cloudkitty/tasks/config.yml b/ansible/roles/cloudkitty/tasks/config.yml
index e62b2a2eb1..20504639bd 100644
--- a/ansible/roles/cloudkitty/tasks/config.yml
+++ b/ansible/roles/cloudkitty/tasks/config.yml
@@ -3,7 +3,10 @@
   file:
     path: "{{ node_config_directory }}/{{ item.key }}"
     state: "directory"
-    recurse: yes
+    owner: "{{ config_owner_user }}"
+    group: "{{ config_owner_group }}"
+    mode: "0770"
+  become: true
   when:
     - inventory_hostname in groups[item.value.group]
     - item.value.enabled | bool
@@ -30,6 +33,8 @@
   template:
     src: "{{ item.key }}.json.j2"
     dest: "{{ node_config_directory }}/{{ item.key }}/config.json"
+    mode: "0660"
+  become: true
   register: cloudkitty_config_jsons
   when:
     - item.value.enabled | bool
@@ -50,6 +55,8 @@
       - "{{ node_custom_config }}/cloudkitty/{{ item.key }}.conf"
       - "{{ node_custom_config }}/cloudkitty/{{ inventory_hostname }}/cloudkitty.conf"
     dest: "{{ node_config_directory }}/{{ item.key }}/cloudkitty.conf"
+    mode: "0660"
+  become: true
   register: cloudkitty_confs
   when:
     - inventory_hostname in groups[item.value.group]
@@ -65,6 +72,8 @@
   template:
     src: "wsgi-cloudkitty.conf.j2"
     dest: "{{ node_config_directory }}/cloudkitty-api/wsgi-cloudkitty.conf"
+    mode: "0660"
+  become: true
   register: cloudkitty_conf_wsgi
   when:
     - inventory_hostname in groups[service.group]
@@ -76,6 +85,8 @@
   template:
     src: "{{ cloudkitty_policy_file_path }}"
     dest: "{{ node_config_directory }}/{{ item.key }}/{{ cloudkitty_policy_file }}"
+    mode: "0660"
+  become: true
   register: cloudkitty_policy_overwriting
   when:
     - cloudkitty_policy_file is defined
diff --git a/ansible/roles/collectd/tasks/config.yml b/ansible/roles/collectd/tasks/config.yml
index eddcd8122a..f3432177cd 100644
--- a/ansible/roles/collectd/tasks/config.yml
+++ b/ansible/roles/collectd/tasks/config.yml
@@ -3,7 +3,10 @@
   file:
     path: "{{ node_config_directory }}/{{ item.key }}"
     state: "directory"
-    recurse: yes
+    owner: "{{ config_owner_user }}"
+    group: "{{ config_owner_group }}"
+    mode: "0770"
+  become: true
   when:
     - inventory_hostname in groups[item.value.group]
     - item.value.enabled | bool
@@ -13,7 +16,10 @@
   file:
     path: "{{ node_config_directory }}/{{ item.key }}/collectd.conf.d"
     state: "directory"
-    recurse: yes
+    owner: "{{ config_owner_user }}"
+    group: "{{ config_owner_group }}"
+    mode: "0770"
+  become: true
   when:
     - inventory_hostname in groups[item.value.group]
     - item.value.enabled | bool
@@ -23,6 +29,8 @@
   template:
     src: "{{ item.key }}.json.j2"
     dest: "{{ node_config_directory }}/{{ item.key }}/config.json"
+    mode: "0660"
+  become: true
   register: collectd_config_jsons
   when:
     - inventory_hostname in groups[item.value.group]
@@ -37,6 +45,8 @@
   template:
     src: "{{ item }}"
     dest: "{{ node_config_directory }}/collectd/collectd.conf"
+    mode: "0660"
+  become: true
   with_first_found:
     - "{{ node_custom_config }}/collectd/{{ inventory_hostname }}/collectd.conf"
     - "{{ node_custom_config }}/collectd/collectd.conf"
diff --git a/ansible/roles/congress/tasks/config.yml b/ansible/roles/congress/tasks/config.yml
index 779b504478..233c9e5412 100644
--- a/ansible/roles/congress/tasks/config.yml
+++ b/ansible/roles/congress/tasks/config.yml
@@ -3,7 +3,10 @@
   file:
     path: "{{ node_config_directory }}/{{ item.key }}"
     state: "directory"
-    recurse: yes
+    owner: "{{ config_owner_user }}"
+    group: "{{ config_owner_group }}"
+    mode: "0770"
+  become: true
   when: inventory_hostname in groups[item.value.group]
   with_dict: "{{ congress_services }}"
 
@@ -28,6 +31,8 @@
   template:
     src: "{{ item.key }}.json.j2"
     dest: "{{ node_config_directory }}/{{ item.key }}/config.json"
+    mode: "0660"
+  become: true
   register: congress_config_jsons
   when:
     - inventory_hostname in groups[item.value.group]
@@ -47,6 +52,8 @@
       - "{{ node_custom_config }}/congress/{{ item.key }}.conf"
       - "{{ node_custom_config }}/congress/{{ inventory_hostname }}/congress.conf"
     dest: "{{ node_config_directory }}/{{ item.key }}/congress.conf"
+    mode: "0660"
+  become: true
   register: congress_confs
   when:
     - inventory_hostname in groups[item.value.group]
@@ -64,6 +71,8 @@
   template:
     src: "{{ congress_policy_file_path }}"
     dest: "{{ node_config_directory }}/{{ item.key }}/{{ congress_policy_file }}"
+    mode: "0660"
+  become: true
   register: congress_policy_overwriting
   when:
     - congress_policy_file is defined
diff --git a/ansible/roles/designate/tasks/config.yml b/ansible/roles/designate/tasks/config.yml
index 05721cb0fd..a227da8ded 100644
--- a/ansible/roles/designate/tasks/config.yml
+++ b/ansible/roles/designate/tasks/config.yml
@@ -3,7 +3,10 @@
   file:
     path: "{{ node_config_directory }}/{{ item.key }}"
     state: "directory"
-    recurse: yes
+    owner: "{{ config_owner_user }}"
+    group: "{{ config_owner_group }}"
+    mode: "0770"
+  become: true
   when:
     - inventory_hostname in groups[item.value.group]
     - item.value.enabled | bool
@@ -30,6 +33,8 @@
   template:
     src: "{{ item.key }}.json.j2"
     dest: "{{ node_config_directory }}/{{ item.key }}/config.json"
+    mode: "0660"
+  become: true
   register: designate_config_jsons
   when:
     - inventory_hostname in groups[item.value.group]
@@ -55,6 +60,8 @@
       - "{{ node_custom_config }}/designate/{{ item.key }}.conf"
       - "{{ node_custom_config }}/designate/{{ inventory_hostname }}/designate.conf"
     dest: "{{ node_config_directory }}/{{ item.key }}/designate.conf"
+    mode: "0660"
+  become: true
   register: designate_confs
   when:
     - inventory_hostname in groups[item.value.group]
@@ -74,6 +81,8 @@
   template:
     src:  "{{ item }}"
     dest: "{{ node_config_directory }}/designate-worker/pools.yaml"
+    mode: "0660"
+  become: true
   register: designate_pool
   when:
     - inventory_hostname in groups[service.group]
@@ -90,6 +99,8 @@
   template:
     src: "{{ item }}"
     dest: "{{ node_config_directory }}/designate-backend-bind9/named.conf"
+    mode: "0660"
+  become: true
   register: designate_named
   when:
     - designate_backend == 'bind9'
@@ -107,6 +118,8 @@
   template:
     src: "rndc.conf.j2"
     dest: "{{ node_config_directory }}/{{ item.key }}/rndc.conf"
+    mode: "0660"
+  become: true
   register: designate_rndc_conf
   when:
     - designate_backend == 'bind9' and designate_backend_external == 'no'
@@ -122,6 +135,8 @@
   template:
     src: "rndc.key.j2"
     dest: "{{ node_config_directory }}/{{ item.key }}/rndc.key"
+    mode: "0660"
+  become: true
   register: designate_rndc_key_file
   when:
     - designate_backend == 'bind9' and designate_backend_external == 'no'
@@ -145,6 +160,8 @@
   template:
     src: "{{ designate_policy_file_path }}"
     dest: "{{ node_config_directory }}/{{ item.key }}/{{ designate_policy_file }}"
+    mode: "0770"
+  become: true
   register: designate_policy_overwriting
   when:
     - designate_policy_file is defined
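Review bot: The policy file is templated with `mode: "0770"`, which sets execute bits on a data file. It differs from the `mode: "0660"` used for every other templated file in this role and for the policy files of the other roles in this patch. It looks like the directory mode was copied by mistake, and `mode: "0660"` is probably what was meant. The freezer policy-file hunk later in the patch has the same value.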
diff --git a/ansible/roles/elasticsearch/tasks/config.yml b/ansible/roles/elasticsearch/tasks/config.yml
index 958f71d3f2..ade859543c 100644
--- a/ansible/roles/elasticsearch/tasks/config.yml
+++ b/ansible/roles/elasticsearch/tasks/config.yml
@@ -12,7 +12,10 @@
   file:
     path: "{{ node_config_directory }}/{{ item.key }}"
     state: "directory"
-    recurse: yes
+    owner: "{{ config_owner_user }}"
+    group: "{{ config_owner_group }}"
+    mode: "0770"
+  become: true
   when:
     - inventory_hostname in groups[item.value.group]
     - item.value.enabled | bool
@@ -22,6 +25,8 @@
   template:
     src: "{{ item.key }}.json.j2"
     dest: "{{ node_config_directory }}/{{ item.key }}/config.json"
+    mode: "0660"
+  become: true
   register: elasticsearch_config_jsons
   when:
     - inventory_hostname in groups[item.value.group]
@@ -34,6 +39,8 @@
   template:
     src: "elasticsearch.yml.j2"
     dest: "{{ node_config_directory }}/{{ item.key }}/{{ item.key }}.yml"
+    mode: "0660"
+  become: true
   register: elasticsearch_confs
   when:
     - inventory_hostname in groups[item.value.group]
diff --git a/ansible/roles/etcd/tasks/config.yml b/ansible/roles/etcd/tasks/config.yml
index dba8fef697..eac9c07625 100644
--- a/ansible/roles/etcd/tasks/config.yml
+++ b/ansible/roles/etcd/tasks/config.yml
@@ -3,7 +3,10 @@
   file:
     path: "{{ node_config_directory }}/{{ item.key }}"
     state: "directory"
-    recurse: yes
+    owner: "{{ config_owner_user }}"
+    group: "{{ config_owner_group }}"
+    mode: "0770"
+  become: true
   when:
     - item.value.enabled | bool
     - item.value.host_in_groups | bool
@@ -13,6 +16,8 @@
   template:
     src: "{{ item.key }}.json.j2"
     dest: "{{ node_config_directory }}/{{ item.key }}/config.json"
+    mode: "0660"
+  become: true
   register: etcd_config_jsons
   when:
     - item.value.enabled | bool
@@ -28,6 +33,8 @@
     name: "{{ item.value.container_name }}"
     image: "{{ item.value.image }}"
     volumes: "{{ item.value.volumes }}"
+    mode: "0660"
+  become: true
   register: check_etcd_containers
   when:
     - action != "config"
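Review bot: `mode: "0660"` is added here next to `name`, `image` and `volumes`, which look like arguments of a container-check task rather than of a file-writing module. The module name is above the hunk, so this is inferred, but such a module is unlikely to accept a `mode` argument and the task may fail on an unsupported parameter. If so, only `become: true` should be added to this task.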
diff --git a/ansible/roles/freezer/tasks/config.yml b/ansible/roles/freezer/tasks/config.yml
index 211aeed518..8f6015b223 100644
--- a/ansible/roles/freezer/tasks/config.yml
+++ b/ansible/roles/freezer/tasks/config.yml
@@ -3,7 +3,10 @@
   file:
     path: "{{ node_config_directory }}/{{ item.key }}"
     state: "directory"
-    recurse: yes
+    owner: "{{ config_owner_user }}"
+    group: "{{ config_owner_group }}"
+    mode: "0770"
+  become: true
   when:
     - inventory_hostname in groups[item.value.group]
     - item.value.enabled | bool
@@ -30,6 +33,8 @@
   template:
     src: "{{ item.key }}.json.j2"
     dest: "{{ node_config_directory }}/{{ item.key }}/config.json"
+    mode: "0660"
+  become: true
   register: freezer_config_jsons
   when:
     - inventory_hostname in groups[item.value.group]
@@ -42,6 +47,8 @@
   template:
     src: "wsgi-freezer-api.conf.j2"
     dest: "{{ node_config_directory }}/{{ item.key }}/wsgi-freezer-api.conf"
+    mode: "0660"
+  become: true
   register: wsgi_freezer_api
   when:
     - inventory_hostname in groups[item.value.group]
@@ -61,6 +68,8 @@
       - "{{ node_custom_config }}/freezer/{{ item.key }}.conf"
       - "{{ node_custom_config }}/freezer/{{ inventory_hostname }}/{{ item.key }}.conf"
     dest: "{{ node_config_directory }}/{{ item.key }}/freezer-api.conf"
+    mode: "0660"
+  become: true
   register: freezer_confs
   when:
     - inventory_hostname in groups[item.value.group]
@@ -73,6 +82,8 @@
   template:
     src: "{{ freezer_policy_file_path }}"
     dest: "{{ node_config_directory }}/{{ item.key }}/{{ freezer_policy_file }}"
+    mode: "0770"
+  become: true
   register: freezer_policy_overwriting
   when:
     - freezer_policy_file is defined
diff --git a/ansible/roles/gnocchi/tasks/config.yml b/ansible/roles/gnocchi/tasks/config.yml
index 1f6d47b788..394b263b08 100644
--- a/ansible/roles/gnocchi/tasks/config.yml
+++ b/ansible/roles/gnocchi/tasks/config.yml
@@ -3,7 +3,10 @@
   file:
     path: "{{ node_config_directory }}/{{ item.key }}"
     state: "directory"
-    recurse: yes
+    owner: "{{ config_owner_user }}"
+    group: "{{ config_owner_group }}"
+    mode: "0770"
+  become: true
   when:
     - inventory_hostname in groups[item.value.group]
     - item.value.enabled | bool
@@ -30,6 +33,8 @@
   template:
     src: "{{ item.key }}.json.j2"
     dest: "{{ node_config_directory }}/{{ item.key }}/config.json"
+    mode: "0660"
+  become: true
   register: gnocchi_config_jsons
   when:
     - item.value.enabled | bool
@@ -51,6 +56,8 @@
       - "{{ node_custom_config }}/gnocchi/{{ item.key }}.conf"
       - "{{ node_custom_config }}/gnocchi/{{ inventory_hostname }}/gnocchi.conf"
     dest: "{{ node_config_directory }}/{{ item.key }}/gnocchi.conf"
+    mode: "0660"
+  become: true
   register: gnocchi_confs
   when:
     - item.value.enabled | bool
@@ -67,6 +74,8 @@
   template:
     src: "wsgi-gnocchi.conf.j2"
     dest: "{{ node_config_directory }}/{{ item }}/wsgi-gnocchi.conf"
+    mode: "0660"
+  become: true
   register: gnocchi_wsgi_conf
   when:
     - inventory_hostname in groups['gnocchi-api']
diff --git a/ansible/roles/grafana/tasks/config.yml b/ansible/roles/grafana/tasks/config.yml
index 13b0e51878..cd889529d2 100644
--- a/ansible/roles/grafana/tasks/config.yml
+++ b/ansible/roles/grafana/tasks/config.yml
@@ -3,7 +3,10 @@
   file:
     path: "{{ node_config_directory }}/{{ item.key }}"
     state: "directory"
-    recurse: yes
+    owner: "{{ config_owner_user }}"
+    group: "{{ config_owner_group }}"
+    mode: "0770"
+  become: true
   when:
     - inventory_hostname in groups[item.value.group]
     - item.value.enabled | bool
@@ -13,6 +16,8 @@
   template:
     src: "{{ item.key }}.json.j2"
     dest: "{{ node_config_directory }}/{{ item.key }}/config.json"
+    mode: "0660"
+  become: true
   register: grafana_config_jsons
   when:
     - inventory_hostname in groups[item.value.group]
@@ -30,6 +35,8 @@
       - "{{ node_custom_config }}/{{ item.key }}.ini"
       - "{{ node_custom_config }}/grafana/{{ inventory_hostname }}/{{ item.key }}.ini"
     dest: "{{ node_config_directory }}/grafana/grafana.ini"
+    mode: "0660"
+  become: true
   register: grafana_confs
   when:
     - inventory_hostname in groups[item.value.group]
diff --git a/ansible/roles/influxdb/tasks/config.yml b/ansible/roles/influxdb/tasks/config.yml
index b1aae85017..98153f5627 100644
--- a/ansible/roles/influxdb/tasks/config.yml
+++ b/ansible/roles/influxdb/tasks/config.yml
@@ -3,7 +3,10 @@
   file:
     path: "{{ node_config_directory }}/influxdb"
     state: "directory"
-    recurse: yes
+    owner: "{{ config_owner_user }}"
+    group: "{{ config_owner_group }}"
+    mode: "0770"
+  become: true
   when:
     - inventory_hostname in groups[item.value.group]
     - item.value.enabled | bool
@@ -13,6 +16,8 @@
   template:
     src: "{{ item.key }}.json.j2"
     dest: "{{ node_config_directory }}/influxdb/config.json"
+    mode: "0660"
+  become: true
   register: influxdb_config_jsons
   when:
     - inventory_hostname in groups[item.value.group]
@@ -27,6 +32,8 @@
   template:
     src: "{{ role_path }}/templates/{{ item }}.conf.j2"
     dest: "{{ node_config_directory }}/influxdb/influxdb.conf"
+    mode: "0660"
+  become: true
   register: influxdb_confs
   when:
     - inventory_hostname in groups[service.group]
diff --git a/ansible/roles/ironic/tasks/config.yml b/ansible/roles/ironic/tasks/config.yml
index 0dab3e7650..381d02c500 100644
--- a/ansible/roles/ironic/tasks/config.yml
+++ b/ansible/roles/ironic/tasks/config.yml
@@ -3,7 +3,10 @@
   file:
     path: "{{ node_config_directory }}/{{ item }}"
     state: "directory"
-    recurse: yes
+    owner: "{{ config_owner_user }}"
+    group: "{{ config_owner_group }}"
+    mode: "0770"
+  become: true
   with_items:
     - "ironic-api"
     - "ironic-conductor"
@@ -32,6 +35,8 @@
   template:
     src: "{{ item }}.json.j2"
     dest: "{{ node_config_directory }}/{{ item }}/config.json"
+    mode: "0660"
+  become: true
   with_items:
     - "ironic-api"
     - "ironic-conductor"
@@ -50,6 +55,8 @@
       - "{{ node_custom_config }}/ironic/{{ item }}.conf"
       - "{{ node_custom_config }}/ironic/{{ inventory_hostname }}/ironic.conf"
     dest: "{{ node_config_directory }}/{{ item }}/ironic.conf"
+    mode: "0660"
+  become: true
   with_items:
     - "ironic-api"
     - "ironic-conductor"
@@ -65,12 +72,16 @@
       - "{{ node_custom_config }}/ironic-inspector/inspector.conf"
       - "{{ node_custom_config }}/ironic-inspector/{{ inventory_hostname }}/inspector.conf"
     dest: "{{ node_config_directory }}/ironic-inspector/inspector.conf"
+    mode: "0660"
+  become: true
   when: inventory_hostname in groups['ironic-inspector']
 
 - name: Copying over dnsmasq.conf
   template:
     src: "{{ item }}"
     dest: "{{ node_config_directory }}/ironic-dnsmasq/dnsmasq.conf"
+    mode: "0660"
+  become: true
   with_first_found:
     - "{{ node_custom_config }}/ironic/ironic-dnsmasq.conf"
     - "{{ node_custom_config }}/ironic/{{ inventory_hostname }}/ironic-dnsmasq.conf"
@@ -81,6 +92,8 @@
   template:
     src: "{{ item }}"
     dest: "{{ node_config_directory }}/ironic-pxe/default"
+    mode: "0660"
+  become: true
   with_first_found:
     - "{{ node_custom_config }}/ironic/pxelinux.default"
     - "{{ node_custom_config }}/ironic/{{ inventory_hostname }}/pxelinux.default"
@@ -95,6 +108,8 @@
   template:
     src: "{{ item }}"
     dest: "{{ node_config_directory }}/ironic-pxe/default"
+    mode: "0660"
+  become: true
   with_first_found:
     - "{{ node_custom_config }}/ironic/ironic_pxe_uefi.default"
     - "{{ node_custom_config }}/ironic/{{ inventory_hostname }}/ironic_pxe_uefi.default"
@@ -107,6 +122,8 @@
   copy:
     src: "{{ node_custom_config }}/ironic/{{ item }}"
     dest: "{{ node_config_directory }}/ironic-pxe/{{ item }}"
+    mode: "0660"
+  become: true
   with_items:
     - "ironic-agent.kernel"
     - "ironic-agent.initramfs"
@@ -120,6 +137,8 @@
   template:
     src: "{{ ironic_policy_file_path }}"
     dest: "{{ node_config_directory }}/{{ item }}/{{ ironic_policy_file }}"
+    mode: "0770"
+  become: true
   with_items:
     - "ironic-api"
     - "ironic-conductor"
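Review bot: `mode: "0770"` on the policy file destination sets execute bits on a data file and differs from the other file tasks in this patch, which use `"0660"` (for example the kuryr, magnum and panko policy hunks). This looks like the directory value copied by mistake; suggest `mode: "0660"`. The task's name and the rest of its `with_items` list are outside the hunk.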
diff --git a/ansible/roles/iscsi/tasks/config.yml b/ansible/roles/iscsi/tasks/config.yml
index 08c0aa5e09..a73cbde849 100644
--- a/ansible/roles/iscsi/tasks/config.yml
+++ b/ansible/roles/iscsi/tasks/config.yml
@@ -3,7 +3,10 @@
   file:
     path: "{{ node_config_directory }}/{{ item }}"
     state: "directory"
-    recurse: yes
+    owner: "{{ config_owner_user }}"
+    group: "{{ config_owner_group }}"
+    mode: "0770"
+  become: true
   when: ( ( inventory_hostname in groups['compute'] or inventory_hostname in groups['cinder-volume'] ) and enable_cinder | bool and enable_cinder_backend_iscsi | bool )
          or ( inventory_hostname in groups['ironic-conductor'] and enable_ironic | bool )
   with_items:
@@ -13,6 +16,8 @@
   template:
     src: "{{ item }}.json.j2"
     dest: "{{ node_config_directory }}/{{ item }}/config.json"
+    mode: "0660"
+  become: true
   when: ( ( inventory_hostname in groups['compute'] or inventory_hostname in groups['cinder-volume'] ) and enable_cinder | bool and enable_cinder_backend_iscsi | bool )
          or ( inventory_hostname in groups['ironic-conductor'] and enable_ironic | bool )
   with_items:
@@ -22,7 +27,10 @@
   file:
     path: "{{ node_config_directory }}/{{ item }}"
     state: "directory"
-    recurse: yes
+    owner: "{{ config_owner_user }}"
+    group: "{{ config_owner_group }}"
+    mode: "0770"
+  become: true
   when:
     - enable_cinder_backend_lvm | bool
     - inventory_hostname in groups['tgtd']
@@ -33,8 +41,11 @@
   template:
     src: "{{ item }}.json.j2"
     dest: "{{ node_config_directory }}/{{ item }}/config.json"
+    mode: "0660"
+  become: true
   when:
     - enable_cinder_backend_lvm | bool
     - inventory_hostname in groups['tgtd']
+    - enable_cinder_backend_lvm | bool
   with_items:
     - "tgtd"
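Review bot: The added `- enable_cinder_backend_lvm | bool` at the end of the `when` list repeats the first condition of the same list. It is harmless at runtime but looks like a rebase or copy slip and makes the condition harder to read; drop the added line. The task's name line is outside the hunk.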
diff --git a/ansible/roles/karbor/tasks/config.yml b/ansible/roles/karbor/tasks/config.yml
index 09dd01298a..80e06f82e4 100644
--- a/ansible/roles/karbor/tasks/config.yml
+++ b/ansible/roles/karbor/tasks/config.yml
@@ -3,7 +3,10 @@
   file:
     path: "{{ node_config_directory }}/{{ item.key }}/providers.d"
     state: "directory"
-    recurse: yes
+    owner: "{{ config_owner_user }}"
+    group: "{{ config_owner_group }}"
+    mode: "0770"
+  become: true
   when:
     - inventory_hostname in groups[item.value.group]
     - item.value.enabled | bool
@@ -13,6 +16,8 @@
   template:
     src: "{{ item.key }}.json.j2"
     dest: "{{ node_config_directory }}/{{ item.key }}/config.json"
+    mode: "0660"
+  become: true
   register: karbor_config_jsons
   when:
     - inventory_hostname in groups[item.value.group]
@@ -34,6 +39,8 @@
       - "{{ node_custom_config }}/karbor/{{ item.key }}.conf"
       - "{{ node_custom_config }}/karbor/{{ inventory_hostname }}/karbor.conf"
     dest: "{{ node_config_directory }}/{{ item.key }}/karbor.conf"
+    mode: "0660"
+  become: true
   register: karbor_confs
   when:
     - inventory_hostname in groups[item.value.group]
@@ -51,6 +58,8 @@
   template:
     src: "providers.d/openstack-infra.conf.j2"
     dest: "{{ node_config_directory }}/{{ service_name }}/providers.d/openstack-infra.conf"
+    mode: "0660"
+  become: true
   register: openstack_infra_conf
   when:
     - inventory_hostname in groups[service.group]
@@ -65,6 +74,8 @@
     name: "{{ item.value.container_name }}"
     image: "{{ item.value.image }}"
     volumes: "{{ item.value.volumes }}"
+    mode: "0660"
+  become: true
   register: check_karbor_containers
   when:
     - action != "config"
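Review bot: The added `mode: "0660"` lands in the argument block of a task whose other arguments are `name`, `image` and `volumes` and whose result is registered as `check_karbor_containers`, which reads as a container check rather than a file operation; the module line is outside the hunk, so this is inferred. A file mode has no meaning for such a module, and Ansible modules normally reject parameters they do not declare, so the task would likely fail at run time. Remove the `mode: "0660"` line and keep `become: true` only if the module needs elevated privileges.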
diff --git a/ansible/roles/kibana/tasks/config.yml b/ansible/roles/kibana/tasks/config.yml
index 7c19abf702..2306b4a617 100644
--- a/ansible/roles/kibana/tasks/config.yml
+++ b/ansible/roles/kibana/tasks/config.yml
@@ -3,7 +3,10 @@
   file:
     path: "{{ node_config_directory }}/{{ item.key }}"
     state: "directory"
-    recurse: yes
+    owner: "{{ config_owner_user }}"
+    group: "{{ config_owner_group }}"
+    mode: "0770"
+  become: true
   when:
     - inventory_hostname in groups[item.value.group]
     - item.value.enabled | bool
@@ -13,6 +16,8 @@
   template:
     src: "{{ item.key }}.json.j2"
     dest: "{{ node_config_directory }}/{{ item.key }}/config.json"
+    mode: "0660"
+  become: true
   register: kibana_config_jsons
   when:
     - inventory_hostname in groups[item.value.group]
@@ -25,6 +30,8 @@
   template:
     src: "{{ item.key }}.yml.j2"
     dest: "{{ node_config_directory }}/{{ item.key }}/{{ item.key }}.yml"
+    mode: "0660"
+  become: true
   register: kibana_confs
   when:
     - inventory_hostname in groups[item.value.group]
diff --git a/ansible/roles/kuryr/tasks/config.yml b/ansible/roles/kuryr/tasks/config.yml
index 86cdd4a3b3..f4c0fddc60 100644
--- a/ansible/roles/kuryr/tasks/config.yml
+++ b/ansible/roles/kuryr/tasks/config.yml
@@ -3,7 +3,10 @@
   file:
     path: "{{ node_config_directory }}/{{ item.key }}"
     state: "directory"
-    recurse: yes
+    owner: "{{ config_owner_user }}"
+    group: "{{ config_owner_group }}"
+    mode: "0770"
+  become: true
   when:
     - inventory_hostname in groups[item.value.group]
     - item.value.enabled | bool
@@ -30,6 +33,8 @@
   template:
     src: "{{ item.key }}.json.j2"
     dest: "{{ node_config_directory }}/{{ item.key }}/config.json"
+    mode: "0660"
+  become: true
   register: kuryr_config_jsons
   when:
     - inventory_hostname in groups[item.value.group]
@@ -49,6 +54,8 @@
       - "{{ node_custom_config }}/kuryr/{{ item.key }}.conf"
       - "{{ node_custom_config }}/kuryr/{{ inventory_hostname }}/{{ item.key }}.conf"
     dest: "{{ node_config_directory }}/{{ item.key }}/kuryr.conf"
+    mode: "0660"
+  become: true
   register: kuryr_confs
   when:
     - inventory_hostname in groups[item.value.group]
@@ -63,6 +70,8 @@
   template:
     src: "kuryr.spec.j2"
     dest: "{{ node_config_directory }}/{{ item }}/kuryr.spec"
+    mode: "0660"
+  become: true
   register: kuryr_spec
   when:
     - inventory_hostname in groups[service.group]
@@ -76,6 +85,8 @@
   template:
     src: "{{ kuryr_policy_file_path }}"
     dest: "{{ node_config_directory }}/{{ item.key }}/{{ kuryr_policy_file }}"
+    mode: "0660"
+  become: true
   register: kuryr_policy_overwriting
   when:
     - kuryr_policy_file is defined
diff --git a/ansible/roles/magnum/tasks/config.yml b/ansible/roles/magnum/tasks/config.yml
index 0d8468eed8..ba18435738 100644
--- a/ansible/roles/magnum/tasks/config.yml
+++ b/ansible/roles/magnum/tasks/config.yml
@@ -3,7 +3,10 @@
   file:
     path: "{{ node_config_directory }}/{{ item.key }}"
     state: "directory"
-    recurse: yes
+    owner: "{{ config_owner_user }}"
+    group: "{{ config_owner_group }}"
+    mode: "0770"
+  become: true
   when:
     - inventory_hostname in groups[item.value.group]
     - item.value.enabled | bool
@@ -30,6 +33,8 @@
   template:
     src: "{{ item.key }}.json.j2"
     dest: "{{ node_config_directory }}/{{ item.key }}/config.json"
+    mode: "0660"
+  become: true
   register: magnum_config_jsons
   when:
     - inventory_hostname in groups[item.value.group]
@@ -50,6 +55,8 @@
       - "{{ node_custom_config }}/magnum/{{ item.key }}.conf"
       - "{{ node_custom_config }}/magnum/{{ inventory_hostname }}/magnum.conf"
     dest: "{{ node_config_directory }}/{{ item.key }}/magnum.conf"
+    mode: "0660"
+  become: true
   register: magnum_confs
   when:
     - inventory_hostname in groups[item.value.group]
@@ -63,6 +70,8 @@
   template:
     src: "{{ magnum_policy_file_path }}"
     dest: "{{ node_config_directory }}/{{ item.key }}/{{ magnum_policy_file }}"
+    mode: "0660"
+  become: true
   register: magnum_policy_overwriting
   when:
     - magnum_policy_file is defined
diff --git a/ansible/roles/manila/tasks/config.yml b/ansible/roles/manila/tasks/config.yml
index 2a9496608e..cf0ef2b70c 100644
--- a/ansible/roles/manila/tasks/config.yml
+++ b/ansible/roles/manila/tasks/config.yml
@@ -3,7 +3,10 @@
   file:
     path: "{{ node_config_directory }}/{{ item.key }}"
     state: "directory"
-    recurse: yes
+    owner: "{{ config_owner_user }}"
+    group: "{{ config_owner_group }}"
+    mode: "0770"
+  become: true
   when:
     - inventory_hostname in groups[item.value.group]
     - item.value.enabled | bool
@@ -30,6 +33,8 @@
   template:
     src: "{{ item.key }}.json.j2"
     dest: "{{ node_config_directory }}/{{ item.key }}/config.json"
+    mode: "0660"
+  become: true
   register: manila_config_jsons
   when:
     - inventory_hostname in groups[item.value.group]
@@ -49,6 +54,8 @@
       - "{{ node_custom_config }}/manila/{{ item.key }}.conf"
       - "{{ node_custom_config }}/manila/{{ inventory_hostname }}/manila.conf"
     dest: "{{ node_config_directory }}/{{ item.key }}/manila.conf"
+    mode: "0660"
+  become: true
   register: manila_confs
   when:
     - item.key in [ "manila-api", "manila-data", "manila-scheduler" ]
@@ -74,6 +81,8 @@
       - "{{ node_custom_config }}/manila/{{ item }}.conf"
       - "{{ node_custom_config }}/manila/{{ inventory_hostname }}/manila.conf"
     dest: "{{ node_config_directory }}/{{ item }}/manila.conf"
+    mode: "0660"
+  become: true
   register: manila_conf_share
   when:
     - inventory_hostname in groups[service.group]
diff --git a/ansible/roles/mistral/tasks/config.yml b/ansible/roles/mistral/tasks/config.yml
index ef063c4967..623bf03147 100644
--- a/ansible/roles/mistral/tasks/config.yml
+++ b/ansible/roles/mistral/tasks/config.yml
@@ -4,6 +4,8 @@
     path: "{{ node_config_directory }}/{{ item.key }}"
     state: "directory"
     recurse: yes
+    mode: "0770"
+  become: true
   when: inventory_hostname in groups[item.value.group]
   with_dict: "{{ mistral_services }}"
 
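Review bot: `recurse: yes` is kept in this task while `mode: "0770"` is added, so the mode is applied to everything already under the directory and not only to the directory itself. The file tasks later in this file set `"0660"`, so on a re-run the two would undo each other: config files gain execute bits, are reset again, and both tasks report changed. The other roles in this patch drop `recurse` and set `owner: "{{ config_owner_user }}"` and `group: "{{ config_owner_group }}"`; doing the same here avoids that and keeps ownership explicit. The first hunk of ansible/roles/swift/tasks/config.yml has the same combination.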
@@ -28,6 +30,8 @@
   template:
     src: "{{ item.key }}.json.j2"
     dest: "{{ node_config_directory }}/{{ item.key }}/config.json"
+    mode: "0660"
+  become: true
   register: mistral_config_jsons
   when:
     - item.value.enabled | bool
@@ -47,6 +51,8 @@
       - "{{ node_custom_config }}/mistral/{{ item.key }}.conf"
       - "{{ node_custom_config }}/mistral/{{ inventory_hostname }}/mistral.conf"
     dest: "{{ node_config_directory }}/{{ item.key }}/mistral.conf"
+    mode: "0660"
+  become: true
   register: mistral_confs
   when:
     - item.value.enabled | bool
diff --git a/ansible/roles/mongodb/tasks/config.yml b/ansible/roles/mongodb/tasks/config.yml
index 606a9d9b54..0236d1b09f 100644
--- a/ansible/roles/mongodb/tasks/config.yml
+++ b/ansible/roles/mongodb/tasks/config.yml
@@ -3,7 +3,10 @@
   file:
     path: "{{ node_config_directory }}/{{ item.key }}"
     state: "directory"
-    recurse: yes
+    owner: "{{ config_owner_user }}"
+    group: "{{ config_owner_group }}"
+    mode: "0770"
+  become: true
   when:
     - inventory_hostname in groups[item.value.group]
     - item.value.enabled | bool
@@ -13,6 +16,8 @@
   template:
     src: "{{ item.key }}.json.j2"
     dest: "{{ node_config_directory }}/{{ item.key }}/config.json"
+    mode: "0660"
+  become: true
   register: mongodb_config_jsons
   when:
     - inventory_hostname in groups[item.value.group]
@@ -25,6 +30,8 @@
   template:
     src: "{{ item.key }}.conf.j2"
     dest: "{{ node_config_directory }}/mongodb/{{ item.key }}.conf"
+    mode: "0660"
+  become: true
   register: mongodb_confs
   when:
     - inventory_hostname in groups[item.value.group]
diff --git a/ansible/roles/multipathd/tasks/config.yml b/ansible/roles/multipathd/tasks/config.yml
index a831b32a6c..13bfa6c07d 100644
--- a/ansible/roles/multipathd/tasks/config.yml
+++ b/ansible/roles/multipathd/tasks/config.yml
@@ -3,7 +3,10 @@
   file:
     path: "{{ node_config_directory }}/{{ item }}"
     state: "directory"
-    recurse: yes
+    owner: "{{ config_owner_user }}"
+    group: "{{ config_owner_group }}"
+    mode: "0770"
+  become: true
   when: inventory_hostname in groups['compute']
   with_items:
     - "multipathd"
@@ -12,6 +15,8 @@
   template:
     src: "{{ item }}.json.j2"
     dest: "{{ node_config_directory }}/{{ item }}/config.json"
+    mode: "0660"
+  become: true
   when: inventory_hostname in groups['compute']
   with_items:
     - "multipathd"
@@ -20,5 +25,7 @@
   template:
     src: "{{ role_path }}/templates/multipath.conf.j2"
     dest: "{{ node_config_directory }}/{{ item }}/multipath.conf"
+    mode: "0660"
+  become: true
   with_items:
     - "multipathd"
diff --git a/ansible/roles/murano/tasks/config.yml b/ansible/roles/murano/tasks/config.yml
index 91db61fd33..0b4bde0ca4 100644
--- a/ansible/roles/murano/tasks/config.yml
+++ b/ansible/roles/murano/tasks/config.yml
@@ -3,7 +3,10 @@
   file:
     path: "{{ node_config_directory }}/{{ item }}"
     state: "directory"
-    recurse: yes
+    owner: "{{ config_owner_user }}"
+    group: "{{ config_owner_group }}"
+    mode: "0770"
+  become: true
   with_items:
     - "murano-api"
     - "murano-engine"
@@ -29,6 +32,8 @@
   template:
     src: "{{ item }}.json.j2"
     dest: "{{ node_config_directory }}/{{ item }}/config.json"
+    mode: "0660"
+  become: true
   with_items:
     - "murano-api"
     - "murano-engine"
@@ -44,6 +49,8 @@
       - "{{ node_custom_config }}/murano/{{ item }}.conf"
       - "{{ node_custom_config }}/murano/{{ inventory_hostname }}/murano.conf"
     dest: "{{ node_config_directory }}/{{ item }}/murano.conf"
+    mode: "0660"
+  become: true
   with_items:
     - "murano-api"
     - "murano-engine"
diff --git a/ansible/roles/octavia/tasks/config.yml b/ansible/roles/octavia/tasks/config.yml
index 97aca8799d..91745ac559 100644
--- a/ansible/roles/octavia/tasks/config.yml
+++ b/ansible/roles/octavia/tasks/config.yml
@@ -3,7 +3,10 @@
   file:
     path: "{{ node_config_directory }}/{{ item.key }}"
     state: "directory"
-    recurse: yes
+    owner: "{{ config_owner_user }}"
+    group: "{{ config_owner_group }}"
+    mode: "0770"
+  become: true
   when:
     - inventory_hostname in groups[item.value.group]
     - item.value.enabled | bool
@@ -13,6 +16,8 @@
   template:
     src: "{{ item.key }}.json.j2"
     dest: "{{ node_config_directory }}/{{ item.key }}/config.json"
+    mode: "0660"
+  become: true
   register: octavia_config_jsons
   when:
     - inventory_hostname in groups[item.value.group]
@@ -32,6 +37,8 @@
       - "{{ node_custom_config }}/octavia/{{ item.key }}.conf"
       - "{{ node_custom_config }}/octavia/{{ inventory_hostname }}/octavia.conf"
     dest: "{{ node_config_directory }}/{{ item.key }}/octavia.conf"
+    mode: "0660"
+  become: true
   register: octavia_confs
   when:
     - inventory_hostname in groups[item.value.group]
@@ -46,6 +53,8 @@
   copy:
     src: "{{ node_custom_config }}/octavia/{{ item }}"
     dest: "{{ node_config_directory }}/octavia-worker/{{ item }}"
+    mode: "0660"
+  become: true
   register: octavia_worker_certificate
   when:
     - inventory_hostname in groups[service.group]
diff --git a/ansible/roles/panko/tasks/config.yml b/ansible/roles/panko/tasks/config.yml
index e57430fe22..5d461362bd 100644
--- a/ansible/roles/panko/tasks/config.yml
+++ b/ansible/roles/panko/tasks/config.yml
@@ -3,7 +3,10 @@
   file:
     path: "{{ node_config_directory }}/{{ item.key }}"
     state: "directory"
-    recurse: yes
+    owner: "{{ config_owner_user }}"
+    group: "{{ config_owner_group }}"
+    mode: "0770"
+  become: true
   when:
     - inventory_hostname in groups[item.value.group]
     - item.value.enabled | bool
@@ -30,6 +33,8 @@
   template:
     src: "{{ item.key }}.json.j2"
     dest: "{{ node_config_directory }}/{{ item.key }}/config.json"
+    mode: "0660"
+  become: true
   register: panko_config_jsons
   when:
     - inventory_hostname in groups[item.value.group]
@@ -47,6 +52,8 @@
       - "{{ node_custom_config }}/panko/{{ item.key }}.conf"
       - "{{ node_custom_config }}/panko/{{ inventory_hostname }}/{{ item.key }}.conf"
     dest: "{{ node_config_directory }}/{{ item.key }}/panko.conf"
+    mode: "0660"
+  become: true
   register: panko_confs
   when:
     - inventory_hostname in groups[item.value.group]
@@ -61,6 +68,8 @@
   template:
     src: "wsgi-panko.conf.j2"
     dest: "{{ node_config_directory }}/{{ item }}/wsgi-panko.conf"
+    mode: "0660"
+  become: true
   register: panko_wsgi
   when:
     - inventory_hostname in groups[service.group]
@@ -74,6 +83,8 @@
   template:
     src: "{{ panko_policy_file_path }}"
     dest: "{{ node_config_directory }}/{{ item.key }}/{{ panko_policy_file }}"
+    mode: "0660"
+  become: true
   register: panko_policy_overwriting
   when:
     - panko_policy_file is defined
diff --git a/ansible/roles/qdrouterd/tasks/config.yml b/ansible/roles/qdrouterd/tasks/config.yml
index 2f9fbf4db0..bf898184af 100644
--- a/ansible/roles/qdrouterd/tasks/config.yml
+++ b/ansible/roles/qdrouterd/tasks/config.yml
@@ -3,7 +3,10 @@
   file:
     path: "{{ node_config_directory }}/{{ item.key }}"
     state: "directory"
-    recurse: yes
+    owner: "{{ config_owner_user }}"
+    group: "{{ config_owner_group }}"
+    mode: "0770"
+  become: true
   when:
     - inventory_hostname in groups[item.value.group]
     - item.value.enabled | bool
@@ -13,6 +16,8 @@
   template:
     src: "{{ item.key }}.json.j2"
     dest: "{{ node_config_directory }}/{{ item.key }}/config.json"
+    mode: "0660"
+  become: true
   register: qdrouterd_config_jsons
   when:
     - inventory_hostname in groups[item.value.group]
@@ -27,6 +32,8 @@
   template:
     src: "{{ item }}"
     dest: "{{ node_config_directory }}/qdrouterd/qdrouterd.conf"
+    mode: "0660"
+  become: true
   register: qdrouterd_confs
   when:
     - inventory_hostname in groups[service.group]
@@ -44,6 +51,8 @@
   template:
     src: "{{ item }}"
     dest: "{{ node_config_directory }}/qdrouterd/qdrouterd-sasl.conf"
+    mode: "0660"
+  become: true
   register: qdrouterd_sasl_confs
   when:
     - inventory_hostname in groups[service.group]
diff --git a/ansible/roles/rally/tasks/config.yml b/ansible/roles/rally/tasks/config.yml
index d82204f734..a3d2b595ab 100644
--- a/ansible/roles/rally/tasks/config.yml
+++ b/ansible/roles/rally/tasks/config.yml
@@ -3,7 +3,10 @@
   file:
     path: "{{ node_config_directory }}/{{ item.key }}"
     state: "directory"
-    recurse: yes
+    owner: "{{ config_owner_user }}"
+    group: "{{ config_owner_group }}"
+    mode: "0770"
+  become: true
   when:
     - inventory_hostname in groups[item.value.group]
     - item.value.enabled | bool
@@ -30,6 +33,8 @@
   template:
     src: "{{ item.key }}.json.j2"
     dest: "{{ node_config_directory }}/{{ item.key }}/config.json"
+    mode: "0660"
+  become: true
   register: rally_config_jsons
   when:
     - item.value.enabled | bool
@@ -46,6 +51,8 @@
       - "{{ role_path }}/templates/rally.conf.j2"
       - "{{ node_custom_config }}/rally.conf"
     dest: "{{ node_config_directory }}/{{ item.key }}/{{ item.key }}.conf"
+    mode: "0660"
+  become: true
   register: rally_confs
   when:
     - item.value.enabled | bool
@@ -58,6 +65,8 @@
   template:
     src: "{{ rally_policy_file_path }}"
     dest: "{{ node_config_directory }}/{{ item.key }}/{{ rally_policy_file }}"
+    mode: "0660"
+  become: true
   register: rally_policy_overwriting
   when:
     - rally_policy_file is defined
diff --git a/ansible/roles/sahara/tasks/config.yml b/ansible/roles/sahara/tasks/config.yml
index c6d2ddae1d..c86d177fed 100644
--- a/ansible/roles/sahara/tasks/config.yml
+++ b/ansible/roles/sahara/tasks/config.yml
@@ -3,7 +3,10 @@
   file:
     path: "{{ node_config_directory }}/{{ item.key }}"
     state: "directory"
-    recurse: yes
+    owner: "{{ config_owner_user }}"
+    group: "{{ config_owner_group }}"
+    mode: "0770"
+  become: true
   when:
     - inventory_hostname in groups[item.value.group]
     - item.value.enabled | bool
@@ -30,6 +33,8 @@
   template:
     src: "{{ item.key }}.json.j2"
     dest: "{{ node_config_directory }}/{{ item.key }}/config.json"
+    mode: "0660"
+  become: true
   register: sahara_config_jsons
   when:
     - inventory_hostname in groups[item.value.group]
@@ -50,6 +55,8 @@
       - "{{ node_custom_config }}/sahara/{{ item.key }}.conf"
       - "{{ node_custom_config }}/sahara/{{ inventory_hostname }}/sahara.conf"
     dest: "{{ node_config_directory }}/{{ item.key }}/sahara.conf"
+    mode: "0660"
+  become: true
   register: sahara_confs
   when:
     - inventory_hostname in groups[item.value.group]
@@ -63,6 +70,8 @@
   template:
     src: "{{ sahara_policy_file_path }}"
     dest: "{{ node_config_directory }}/{{ item.key }}/{{ sahara_policy_file }}"
+    mode: "0660"
+  become: true
   register: sahara_policy_overwriting
   when:
     - sahara_policy_file is defined
diff --git a/ansible/roles/searchlight/tasks/config.yml b/ansible/roles/searchlight/tasks/config.yml
index 4b968b800b..5971d64595 100644
--- a/ansible/roles/searchlight/tasks/config.yml
+++ b/ansible/roles/searchlight/tasks/config.yml
@@ -3,7 +3,10 @@
   file:
     path: "{{ node_config_directory }}/{{ item.key }}"
     state: "directory"
-    recurse: yes
+    owner: "{{ config_owner_user }}"
+    group: "{{ config_owner_group }}"
+    mode: "0770"
+  become: true
   when:
     - inventory_hostname in groups[item.value.group]
     - item.value.enabled | bool
@@ -30,6 +33,8 @@
   template:
     src: "{{ item.key }}.json.j2"
     dest: "{{ node_config_directory }}/{{ item.key }}/config.json"
+    mode: "0660"
+  become: true
   register: searchlight_config_jsons
   when:
     - item.value.enabled | bool
@@ -46,6 +51,8 @@
       - "{{ node_custom_config }}/searchlight.conf"
       - "{{ node_custom_config }}/searchlight/{{ inventory_hostname }}/searchlight.conf"
     dest: "{{ node_config_directory }}/{{ item.key }}/searchlight.conf"
+    mode: "0660"
+  become: true
   register: searchlight_confs
   when:
     - item.value.enabled | bool
@@ -59,6 +66,8 @@
   template:
     src: "{{ searchlight_policy_file_path }}"
     dest: "{{ node_config_directory }}/{{ item.key }}/{{ searchlight_policy_file }}"
+    mode: "0660"
+  become: true
   register: searchlight_policy_overwriting
   when:
     - searchlight_policy_file is defined
diff --git a/ansible/roles/senlin/tasks/config.yml b/ansible/roles/senlin/tasks/config.yml
index a7aeb800e6..519244d7d5 100644
--- a/ansible/roles/senlin/tasks/config.yml
+++ b/ansible/roles/senlin/tasks/config.yml
@@ -3,7 +3,10 @@
   file:
     path: "{{ node_config_directory }}/{{ item.key }}"
     state: "directory"
-    recurse: yes
+    owner: "{{ config_owner_user }}"
+    group: "{{ config_owner_group }}"
+    mode: "0770"
+  become: true
   when:
     - inventory_hostname in groups[item.value.group]
     - item.value.enabled | bool
@@ -30,6 +33,8 @@
   template:
     src: "{{ item.key }}.json.j2"
     dest: "{{ node_config_directory }}/{{ item.key }}/config.json"
+    mode: "0660"
+  become: true
   register: senlin_config_jsons
   when:
     - item.value.enabled | bool
@@ -50,6 +55,8 @@
       - "{{ node_custom_config }}/senlin/{{ item.key }}.conf"
       - "{{ node_custom_config }}/senlin/{{ inventory_hostname }}/senlin.conf"
     dest: "{{ node_config_directory }}/{{ item.key }}/senlin.conf"
+    mode: "0660"
+  become: true
   register: senlin_confs
   when:
     - item.value.enabled | bool
@@ -63,6 +70,8 @@
   template:
     src: "{{ senlin_policy_file_path }}"
     dest: "{{ node_config_directory }}/{{ item.key }}/{{ senlin_policy_file }}"
+    mode: "0660"
+  become: true
   register: senlin_policy_overwriting
   when:
     - senlin_policy_file is defined
diff --git a/ansible/roles/skydive/tasks/config.yml b/ansible/roles/skydive/tasks/config.yml
index 9a992f71b6..cb50ba599e 100644
--- a/ansible/roles/skydive/tasks/config.yml
+++ b/ansible/roles/skydive/tasks/config.yml
@@ -3,7 +3,10 @@
   file:
     path: "{{ node_config_directory }}/{{ item.key }}"
     state: "directory"
-    recurse: yes
+    owner: "{{ config_owner_user }}"
+    group: "{{ config_owner_group }}"
+    mode: "0770"
+  become: true
   when:
     - inventory_hostname in groups[item.value.group]
     - item.value.enabled | bool
@@ -13,6 +16,8 @@
   template:
     src: "{{ item.key }}.json.j2"
     dest: "{{ node_config_directory }}/{{ item.key }}/config.json"
+    mode: "0660"
+  become: true
   register: skydive_config_jsons
   when:
     - inventory_hostname in groups[item.value.group]
@@ -26,6 +31,8 @@
   template:
     src: "{{ item.key }}.conf.j2"
     dest: "{{ node_config_directory }}/{{ item.key }}/skydive.conf"
+    mode: "0660"
+  become: true
   register: skydive_confs
   when:
     - item.value.enabled | bool
diff --git a/ansible/roles/solum/tasks/config.yml b/ansible/roles/solum/tasks/config.yml
index 1061f16853..f724397f43 100644
--- a/ansible/roles/solum/tasks/config.yml
+++ b/ansible/roles/solum/tasks/config.yml
@@ -3,7 +3,10 @@
   file:
     path: "{{ node_config_directory }}/{{ item.key }}"
     state: "directory"
-    recurse: yes
+    owner: "{{ config_owner_user }}"
+    group: "{{ config_owner_group }}"
+    mode: "0770"
+  become: true
   when:
     - inventory_hostname in groups[item.value.group]
     - item.value.enabled | bool
@@ -13,6 +16,8 @@
   template:
     src: "{{ item.key }}.json.j2"
     dest: "{{ node_config_directory }}/{{ item.key }}/config.json"
+    mode: "0660"
+  become: true
   register: solum_config_jsons
   when:
     - inventory_hostname in groups[item.value.group]
@@ -35,6 +40,8 @@
       - "{{ node_custom_config }}/solum/{{ item.key }}.conf"
       - "{{ node_custom_config }}/solum/{{ inventory_hostname }}/solum.conf"
     dest: "{{ node_config_directory }}/{{ item.key }}/solum.conf"
+    mode: "0660"
+  become: true
   register: solum_confs
   when:
     - inventory_hostname in groups[item.value.group]
diff --git a/ansible/roles/swift/tasks/config.yml b/ansible/roles/swift/tasks/config.yml
index f66aa2b2d5..670600201e 100644
--- a/ansible/roles/swift/tasks/config.yml
+++ b/ansible/roles/swift/tasks/config.yml
@@ -4,6 +4,8 @@
     path: "{{ node_config_directory }}/{{ item }}"
     state: "directory"
     recurse: yes
+    mode: "0770"
+  become: true
   with_items:
     - "swift"
     - "swift-account-auditor"
@@ -26,6 +28,8 @@
   template:
     src: "{{ item }}.json.j2"
     dest: "{{ node_config_directory }}/{{ item }}/config.json"
+    mode: "0660"
+  become: true
   with_items:
     - "swift-account-auditor"
     - "swift-account-reaper"
@@ -54,6 +58,8 @@
       - "{{ node_custom_config }}/swift/{{ item }}.conf"
       - "{{ node_custom_config }}/swift/{{ inventory_hostname }}/{{ item }}.conf"
     dest: "{{ node_config_directory }}/swift-{{ item }}/swift.conf"
+    mode: "0660"
+  become: true
   with_items:
     - "account-auditor"
     - "account-reaper"
@@ -81,6 +87,8 @@
       - "{{ node_custom_config }}/swift/{{ item }}.conf"
       - "{{ node_custom_config }}/swift/{{ inventory_hostname }}/{{ item }}.conf"
     dest: "{{ node_config_directory }}/swift-{{ item }}/{{ item }}.conf"
+    mode: "0660"
+  become: true
   with_items:
     - "account-auditor"
     - "account-reaper"
@@ -98,6 +106,8 @@
       - "{{ node_custom_config }}/swift/{{ item }}.conf"
       - "{{ node_custom_config }}/swift/{{ inventory_hostname }}/{{ item }}.conf"
     dest: "{{ node_config_directory }}/swift-{{ item }}/{{ item }}.conf"
+    mode: "0660"
+  become: true
   with_items:
     - "container-auditor"
     - "container-replicator"
@@ -115,6 +125,8 @@
       - "{{ node_custom_config }}/swift/{{ item }}.conf"
       - "{{ node_custom_config }}/swift/{{ inventory_hostname }}/{{ item }}.conf"
     dest: "{{ node_config_directory }}/swift-{{ item }}/{{ item }}.conf"
+    mode: "0660"
+  become: true
   with_items:
     - "object-auditor"
     - "object-expirer"
@@ -132,6 +144,8 @@
       - "{{ node_custom_config }}/swift/{{ item }}.conf"
       - "{{ node_custom_config }}/swift/{{ inventory_hostname }}/{{ item }}.conf"
     dest: "{{ node_config_directory }}/swift-{{ item }}/{{ item }}.conf"
+    mode: "0660"
+  become: true
   with_items:
     - "proxy-server"
 
@@ -139,12 +153,16 @@
   template:
     src: "rsyncd.conf.j2"
     dest: "{{ node_config_directory }}/swift-rsyncd/rsyncd.conf"
+    mode: "0660"
+  become: true
 
 - name: Copying over Swift ring files
   copy:
     src: "{{ node_custom_config }}/swift/{{ item }}"
     dest: "{{ node_config_directory }}/swift/{{ item }}"
     backup: yes
+    mode: "0660"
+  become: true
   with_items:
     - "account.builder"
     - "account.ring.gz"
diff --git a/ansible/roles/swift/tasks/start.yml b/ansible/roles/swift/tasks/start.yml
index 7dfbc8404c..c020e9519f 100644
--- a/ansible/roles/swift/tasks/start.yml
+++ b/ansible/roles/swift/tasks/start.yml
@@ -20,6 +20,7 @@
         inventory_hostname in groups['swift-object-server']
 
 - name: Mounting Swift disks
+  become: true
   mount:
     src: "UUID={{ item.fs_uuid }}"
     fstype: xfs
diff --git a/ansible/roles/tacker/tasks/config.yml b/ansible/roles/tacker/tasks/config.yml
index d5b8de471a..a94dd3f9c8 100644
--- a/ansible/roles/tacker/tasks/config.yml
+++ b/ansible/roles/tacker/tasks/config.yml
@@ -3,7 +3,10 @@
   file:
     path: "{{ node_config_directory }}/{{ item.key }}"
     state: "directory"
-    recurse: yes
+    owner: "{{ config_owner_user }}"
+    group: "{{ config_owner_group }}"
+    mode: "0770"
+  become: true
   when:
     - inventory_hostname in groups[item.value.group]
     - item.value.enabled
@@ -30,6 +33,8 @@
   template:
     src: "{{ item.key }}.json.j2"
     dest: "{{ node_config_directory }}/{{ item.key }}/config.json"
+    mode: "0660"
+  become: true
   register: tacker_config_jsons
   with_dict: "{{ tacker_services }}"
   when:
@@ -50,6 +55,8 @@
       - "{{ node_custom_config }}/tacker/{{ item.key }}.conf"
       - "{{ node_custom_config }}/tacker/{{ inventory_hostname }}/tacker.conf"
     dest: "{{ node_config_directory }}/{{ item.key }}/tacker.conf"
+    mode: "0660"
+  become: true
   register: tacker_confs
   with_dict: "{{ tacker_services }}"
   when:
@@ -63,6 +70,8 @@
   template:
     src: "{{ tacker_policy_file_path }}"
     dest: "{{ node_config_directory }}/{{ item.key }}/{{ tacker_policy_file }}"
+    mode: "0660"
+  become: true
   register: tacker_policy_overwriting
   when:
     - inventory_hostname in groups[item.value.group]
diff --git a/ansible/roles/telegraf/tasks/config.yml b/ansible/roles/telegraf/tasks/config.yml
index 85676221ab..5be8c231f5 100644
--- a/ansible/roles/telegraf/tasks/config.yml
+++ b/ansible/roles/telegraf/tasks/config.yml
@@ -3,7 +3,10 @@
   file:
     path: "{{ node_config_directory }}/{{ item.key }}/config"
     state: "directory"
-    recurse: yes
+    owner: "{{ config_owner_user }}"
+    group: "{{ config_owner_group }}"
+    mode: "0770"
+  become: true
   when:
     - inventory_hostname in groups[item.value.group]
     - item.value.enabled | bool
@@ -13,6 +16,8 @@
   template:
     src: "telegraf.json.j2"
     dest: "{{ node_config_directory }}/telegraf/config.json"
+    mode: "0660"
+  become: true
   register: telegraf_config_jsons
   when:
     - inventory_hostname in groups[item.value.group]
@@ -27,6 +32,8 @@
   template:
     src: "{{ item }}"
     dest: "{{ node_config_directory }}/telegraf/telegraf.conf"
+    mode: "0660"
+  become: true
   register: telegraf_confs
   when:
     - inventory_hostname in groups[service.group]
@@ -44,6 +51,8 @@
   copy:
     src: "{{ item }}"
     dest: "{{ node_config_directory }}/telegraf/config"
+    mode: "0660"
+  become: true
   register: telegraf_plugin
   when:
     - inventory_hostname in groups[service.group]
diff --git a/ansible/roles/tempest/tasks/config.yml b/ansible/roles/tempest/tasks/config.yml
index 80f02dc02f..ea5931c728 100644
--- a/ansible/roles/tempest/tasks/config.yml
+++ b/ansible/roles/tempest/tasks/config.yml
@@ -3,7 +3,9 @@
   file:
     path: "{{ node_config_directory }}/{{ item.key }}"
     state: "directory"
-    recurse: yes
+    owner: "{{ config_owner_user }}"
+    group: "{{ config_owner_group }}"
+    mode: "0770"
   when:
     - inventory_hostname in groups[item.value.group]
     - item.value.enabled | bool
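Review bot: The tempest tasks gain `owner`/`group`/`mode` but no `become: true`, here and in the two hunks below for `config.json` and `tempest.conf`, while every other role in this part of the patch adds it next to the mode. If escalation is no longer applied at play level, setting ownership to `{{ config_owner_user }}` or writing under `{{ node_config_directory }}` will likely fail for an unprivileged connection user. Either add `become: true` after `mode: "0770"` and after each `mode: "0660"`, or add a comment stating that tempest is intentionally run without escalation. The tasks begin above the hunks, so a `become` placed before the module line cannot be ruled out from here.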
@@ -13,6 +15,7 @@
   template:
     src: "{{ item.key }}.json.j2"
     dest: "{{ node_config_directory }}/{{ item.key }}/config.json"
+    mode: "0660"
   register: tempest_config_jsons
   when:
     - inventory_hostname in groups[item.value.group]
@@ -29,6 +32,7 @@
       - "{{ role_path }}/templates/tempest.conf.j2"
       - "{{ node_custom_config }}/tempest.conf"
     dest: "{{ node_config_directory }}/{{ item.key }}/tempest.conf"
+    mode: "0660"
   register: tempest_confs
   when:
     - inventory_hostname in groups[item.value.group]
diff --git a/ansible/roles/trove/tasks/config.yml b/ansible/roles/trove/tasks/config.yml
index 8cb2473d37..56c8a2713e 100644
--- a/ansible/roles/trove/tasks/config.yml
+++ b/ansible/roles/trove/tasks/config.yml
@@ -3,7 +3,10 @@
   file:
     path: "{{ node_config_directory }}/{{ item.key }}"
     state: "directory"
-    recurse: yes
+    owner: "{{ config_owner_user }}"
+    group: "{{ config_owner_group }}"
+    mode: "0770"
+  become: true
   when:
     - inventory_hostname in groups[item.value.group]
     - item.value.enabled | bool
@@ -13,6 +16,8 @@
   template:
     src: "{{ item.key }}.json.j2"
     dest: "{{ node_config_directory }}/{{ item.key }}/config.json"
+    mode: "0660"
+  become: true
   register: trove_config_jsons
   when:
     - inventory_hostname in groups[item.value.group]
@@ -25,6 +30,8 @@
   template:
     src: "{{ item.key }}.conf.j2"
     dest: "{{ node_config_directory }}/{{ item.key }}/{{ item.key }}.conf"
+    mode: "0660"
+  become: true
   register: trove_conf_file
   when:
     - item.key in [ "trove-conductor", "trove-taskmanager" ]
@@ -46,6 +53,8 @@
       - "{{ node_custom_config }}/trove/{{ item.key }}.conf"
       - "{{ node_custom_config }}/trove/{{ inventory_hostname }}/trove.conf"
     dest: "{{ node_config_directory }}/{{ item.key }}/trove.conf"
+    mode: "0660"
+  become: true
   register: trove_confs
   when:
     - inventory_hostname in groups[item.value.group]
diff --git a/ansible/roles/vmtp/tasks/config.yml b/ansible/roles/vmtp/tasks/config.yml
index b62b709007..b107d67dfa 100644
--- a/ansible/roles/vmtp/tasks/config.yml
+++ b/ansible/roles/vmtp/tasks/config.yml
@@ -3,7 +3,10 @@
   file:
     path: "{{ node_config_directory }}/{{ item.key }}"
     state: "directory"
-    recurse: yes
+    owner: "{{ config_owner_user }}"
+    group: "{{ config_owner_group }}"
+    mode: "0770"
+  become: true
   when:
     - inventory_hostname in groups[item.value.group]
     - item.value.enabled | bool
@@ -28,6 +31,8 @@
       - "{{ node_custom_config }}/{{ item }}"
       - "{{ node_custom_config }}/vmtp/{{ item }}"
     dest: "{{ python_path }}/vmtp/{{ item }}"
+    mode: "0660"
+  become: true
   register: vmtp_confs
   when:
     - inventory_hostname in groups[service.group]
diff --git a/ansible/roles/watcher/tasks/config.yml b/ansible/roles/watcher/tasks/config.yml
index 0c5bace05f..d17c6d5fb7 100644
--- a/ansible/roles/watcher/tasks/config.yml
+++ b/ansible/roles/watcher/tasks/config.yml
@@ -3,7 +3,10 @@
   file:
     path: "{{ node_config_directory }}/{{ item.key }}"
     state: "directory"
-    recurse: yes
+    owner: "{{ config_owner_user }}"
+    group: "{{ config_owner_group }}"
+    mode: "0770"
+  become: true
   when:
     - inventory_hostname in groups[item.value.group]
     - item.value.enabled | bool
@@ -30,6 +33,7 @@
   template:
     src: "{{ item.key }}.json.j2"
     dest: "{{ node_config_directory }}/{{ item.key }}/config.json"
+    mode: "0660"
   register: watcher_config_jsons
   when:
     - inventory_hostname in groups[item.value.group]
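Review bot: This hunk and the next one (`watcher.conf`) add `mode: "0660"` without `become: true`, although the first hunk of this file now creates the target directory with `become: true`, mode `"0770"` and owner `{{ config_owner_user }}`. A connection user that is neither that owner nor a member of `{{ config_owner_group }}` could not write into the directory once play-level escalation is removed, and the files would end up with a different owner than in the sibling roles. Adding `become: true` after each `mode: "0660"` would match the zun and trove tasks in this commit. Both tasks start above their hunks, so this assumes no `become` is set on the lines that are not shown.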
@@ -51,6 +55,7 @@
       - "{{ node_custom_config }}/watcher/{{ item.key }}.conf"
       - "{{ node_custom_config }}/watcher/{{ inventory_hostname }}/watcher.conf"
     dest: "{{ node_config_directory }}/{{ item.key }}/watcher.conf"
+    mode: "0660"
   register: watcher_confs
   when:
     - inventory_hostname in groups[item.value.group]
diff --git a/ansible/roles/zun/tasks/config.yml b/ansible/roles/zun/tasks/config.yml
index 5d58cc5a04..d85fe5e982 100644
--- a/ansible/roles/zun/tasks/config.yml
+++ b/ansible/roles/zun/tasks/config.yml
@@ -3,7 +3,10 @@
   file:
     path: "{{ node_config_directory }}/{{ item.key }}"
     state: "directory"
-    recurse: yes
+    owner: "{{ config_owner_user }}"
+    group: "{{ config_owner_group }}"
+    mode: "0770"
+  become: true
   when: inventory_hostname in groups[item.value.group]
   with_dict: "{{ zun_services }}"
 
@@ -28,6 +31,8 @@
   template:
     src: "{{ item.key }}.json.j2"
     dest: "{{ node_config_directory }}/{{ item.key }}/config.json"
+    mode: "0660"
+  become: true
   register: zun_config_jsons
   when:
     - item.value.enabled | bool
@@ -48,6 +53,8 @@
       - "{{ node_custom_config }}/zun/{{ item.key }}.conf"
       - "{{ node_custom_config }}/zun/{{ inventory_hostname }}/zun.conf"
     dest: "{{ node_config_directory }}/{{ item.key }}/zun.conf"
+    mode: "0660"
+  become: true
   register: zun_confs
   when:
     - item.value.enabled | bool
@@ -63,6 +70,8 @@
   template:
     src: "wsgi-zun.conf.j2"
     dest: "{{ node_config_directory }}/zun-api/wsgi-zun.conf"
+    mode: "0660"
+  become: true
   register: zun_conf_wsgi
   when:
     - inventory_hostname in groups[service.group]
@@ -74,6 +83,8 @@
   template:
     src: "{{ zun_policy_file_path }}"
     dest: "{{ node_config_directory }}/{{ item.key }}/{{ zun_policy_file }}"
+    mode: "0660"
+  become: true
   register: zun_policy_overwriting
   when:
     - zun_policy_file is defined
diff --git a/releasenotes/notes/specify-task-become-84f83707f612bcf3.yaml b/releasenotes/notes/specify-task-become-84f83707f612bcf3.yaml
index 1f7484bca7..b61a371671 100644
--- a/releasenotes/notes/specify-task-become-84f83707f612bcf3.yaml
+++ b/releasenotes/notes/specify-task-become-84f83707f612bcf3.yaml
@@ -2,5 +2,5 @@
 prelude: >
     Specify Ansible "become" for only necessary tasks.
 features:
-  - Add "become" to necessary tasks of general roles.
-  - Add "become" to necessary tasks of default roles.
+  - Increase security by add "become" to only
+    necessary Ansible tasks.