[AIR-209] Remove privilege escalation

This PS removes privilege escalation from the roles so that these roles can be used in a developer environment Change-Id: I44ddc18532ee75b0d398896d470ecf949ad4496a
2020-01-17 14:38:10 +00:00 · 2020-01-17 14:38:10 +00:00 · f3cbed1d96
commit f3cbed1d96
parent c9e3feceae
15 changed files with 41 additions and 48 deletions
--- a/examples/playbooks/libvirt/create-network.yml
+++ b/examples/playbooks/libvirt/create-network.yml
@ -1,7 +1,6 @@
 - hosts: primary
  roles:
    - role: libvirt-network
      become: true
      vars:
        network_action: create
        libvirt_network:
@ -21,7 +20,6 @@
              address: "172.22.0.1"
              netmask: "255.255.255.0"
    - role: libvirt-network
      become: true
      vars:
        network_action: rebuild
        libvirt_network:
--- a/examples/playbooks/libvirt/create-pool.yml
+++ b/examples/playbooks/libvirt/create-pool.yml
@ -1,7 +1,6 @@
 - hosts: primary
  roles:
    - role: libvirt-pool
      become: true
      vars:
        libvirt_pool:
          path: /var/lib/libvirt/airship
--- a/examples/playbooks/libvirt/create-vm.yml
+++ b/examples/playbooks/libvirt/create-vm.yml
@ -1,7 +1,6 @@
 - hosts: primary
  roles:
    - role: libvirt-domain
      become: true
      vars:
        libvirt_domain:
          state: running
@ -16,7 +15,6 @@
          interfaces:
            - network: 'provision-network'
    - role: libvirt-domain
      become: true
      vars:
        libvirt_domain:
          state: running
--- a/examples/playbooks/libvirt/create-volume.yml
+++ b/examples/playbooks/libvirt/create-volume.yml
@ -17,6 +17,5 @@
      vars:
        libvirt_volume: "{{ vol }}"
        volume_action: "{{ vol.action }}"
        ansible_become: true
      loop_control:
        loop_var: vol
--- a/roles/airship-libvirt-gate/tasks/build-infra.yml
+++ b/roles/airship-libvirt-gate/tasks/build-infra.yml
@ -16,7 +16,6 @@
    name: libvirt-pool
  vars:
    libvirt_pool: "{{ item }}"
    ansible_become: true
  with_items: "{{ airship_gate_libvirt_pools }}"
 - name: create networks
@ -24,7 +23,6 @@
    name: libvirt-network
  with_items: "{{ airship_gate_libvirt_networks }}"
  vars:
    ansible_become: true
    libvirt_network: "{{ item }}"
    network_action: create
@ -37,12 +35,10 @@
      size: "{{ chosen_flavor.ephemeral_disk_size }}"
      pool: "{{ airship_gate_names.pool }}"
    volume_action: create
    ansible_become: true
 - name: Create target volumes
  include_role:
    name: libvirt-volume
  vars:
    ansible_become: true
    libvirt_volume:
      name: "{{ airship_gate_names.target_volume_prefix }}-{{ vm_index }}"
      size: "{{ chosen_flavor.target_disk_size }}"
@ -57,7 +53,6 @@
  include_role:
    name: libvirt-domain
  vars:
    ansible_become: true
    libvirt_domain:
      state: shutdown
      name: "{{ airship_gate_names.target_vm_prefix }}-{{ vm_index }}"
@ -79,7 +74,6 @@
  include_role:
    name: libvirt-domain
  vars:
    ansible_become: true
    libvirt_domain:
      state: shutdown
      name: "{{ airship_gate_names.ephemeral_vm }}"
--- a/roles/libvirt-domain/tests/main.yml
+++ b/roles/libvirt-domain/tests/main.yml
@ -10,13 +10,10 @@
  vars:
    network_action: "{{ item.network_action }}"
    libvirt_network: "{{ item }}"
    ansible_become: true
  with_items: "{{ libvirt_networks }}"
 - name: create pool
  include_role:
    name: libvirt-pool
  vars:
    ansible_become: true
 - name: Create defined volumes
  include_role:
    name: libvirt-volume
@ -24,20 +21,16 @@
  vars:
    libvirt_volume: "{{ vol }}"
    volume_action: "{{ vol.action }}"
    ansible_become: true
  loop_control:
    loop_var: vol
 - name: create libvirt domains
  include_role:
    name: libvirt-domain
  vars:
    ansible_become: true
 - name: save information about domain
  virt:
    command: info
    name: "{{ libvirt_domain.name }}"
  register: domain_info
  become: true
 - name: debug domain-info
  debug:
    var: domain_info
--- a/roles/libvirt-install/tasks/main.yaml
+++ b/roles/libvirt-install/tasks/main.yaml
@ -29,6 +29,15 @@
        - dnsmasq
        - ebtables
      state: present
  - name: Add user "{{ ansible_user }}" to libvirt group
    become: true
    user:
      name: "{{ ansible_user }}"
      groups:
      - libvirt
      append: yes
  - name: Reset ssh connection to allow user changes to affect "{{ ansible_user }}"
    meta: reset_connection
  - name: Start libvirtd
    service:
      name: libvirtd
--- a/roles/libvirt-network/tasks/add_dhcp_hosts.yml
+++ b/roles/libvirt-network/tasks/add_dhcp_hosts.yml
@ -22,6 +22,8 @@
      - "network_args.hosts | list"
 - name: add dhcp hosts to network
  environment:
    LIBVIRT_DEFAULT_URI: qemu:///system
  shell: >-
    virsh net-update {{ network_args.name }} \
      add --section ip-dhcp-host \
--- a/roles/libvirt-network/tests/main.yml
+++ b/roles/libvirt-network/tests/main.yml
@ -11,7 +11,6 @@
  loop_control:
    loop_var: libvirt_network
  vars:
    ansible_become: true
    network_action: "{{ libvirt_network.network_action }}"
 - name: install required packages
  apt:
@ -23,7 +22,6 @@
  virt_net:
    command: info
  register: libvirt_networks_info
  become: true
 - name: debug network list
  debug:
--- a/roles/libvirt-pool/tasks/create.yml
+++ b/roles/libvirt-pool/tasks/create.yml
@ -1,17 +1,16 @@
 ---
 - name: Ensure libvirt dir storage pool directories exist
  file:
    path: "{{ libvirt_pool.path }}"
    owner: "{{ libvirt_pool.owner | default(omit) }}"
    group: "{{ libvirt_pool.group | default(omit) }}"
    mode: "{{ libvirt_pool.mode | default(omit) }}"
    state: directory
 - name: Ensure libvirt storage pools are defined
  virt_pool:
    name: "{{ libvirt_pool.name }}"
    command: define
    xml: "{{ libvirt_pool.xml | default(libvirt_pool_template_default) }}"
  register: pool_info
 - name: Ensure libvirt storage pools are built
  virt_pool:
    name: "{{ libvirt_pool.name }}"
    command: build
  when: pool_info.changed
 - name: Ensure libvirt storage pools are active
  virt_pool:
--- a/roles/libvirt-pool/tests/main.yml
+++ b/roles/libvirt-pool/tests/main.yml
@ -7,12 +7,9 @@
 - name: create pool
  include_role:
    name: libvirt-pool
  vars:
    ansible_become: true
 - name: get pool information
  virt_pool:
    command: info
  become: true
  register: storage_pools
 - name: check if pool is available and is at given directory
--- a/roles/libvirt-volume/tasks/create.yml
+++ b/roles/libvirt-volume/tasks/create.yml
@ -32,8 +32,11 @@
    - image_scheme not in libvirt_remote_scheme_list
 - name: "Create volume"
  environment:
    LIBVIRT_DEFAULT_URI: qemu:///system
  command: >-
-    virsh vol-create-as "{{ libvirt_volume.pool }}" \
+    virsh vol-create-as \
    --pool "{{ libvirt_volume.pool }}" \
    --name "{{ libvirt_volume.name }}" \
    --capacity "{{ libvirt_volume.size }}" \
    --format "{{ libvirt_volume.format | default('qcow2') }}"
@ -48,15 +51,25 @@
    - "'exists already' not in libvirt_create_volume.stdout"
 - name: "Upload volume from downloaded image"
  environment:
    LIBVIRT_DEFAULT_URI: qemu:///system
  command: >-
-    virsh vol-upload --pool "{{ libvirt_volume.pool }}" --vol "{{ libvirt_volume.name }}" --file "{{ image_dest }}"
+    virsh vol-upload \
    --pool "{{ libvirt_volume.pool }}" \
    --vol "{{ libvirt_volume.name }}" \
    --file "{{ image_dest }}"
  when:
    - "libvirt_volume.image is defined"
    - "libvirt_create_volume.rc == 0"
 - name: "Resize volume after uploading from image"
  environment:
    LIBVIRT_DEFAULT_URI: qemu:///system
  command: >-
-    virsh vol-resize --vol "{{ libvirt_volume.name }}" --pool "{{ libvirt_volume.pool }}" --capacity "{{ libvirt_volume.size }}"
+    virsh vol-resize \
    --vol "{{ libvirt_volume.name }}" \
    --pool "{{ libvirt_volume.pool }}" \
    --capacity "{{ libvirt_volume.size }}"
  when:
    - "libvirt_create_volume.rc == 0"
    - "libvirt_volume.image is defined"
--- a/roles/libvirt-volume/tests/main.yml
+++ b/roles/libvirt-volume/tests/main.yml
@ -7,8 +7,6 @@
 - name: create pool
  include_role:
    name: libvirt-pool
  vars:
    ansible_become: true
 - name: Create defined volumes
  include_role:
    name: libvirt-volume
@ -16,14 +14,14 @@
  vars:
    libvirt_volume: "{{ vol }}"
    volume_action: "{{ vol.action }}"
    ansible_become: true
  loop_control:
    loop_var: vol
 - name: save volume list
  environment:
    LIBVIRT_DEFAULT_URI: qemu:///system
  command: virsh vol-list --pool {{ libvirt_pool.name }}
  register: libvirt_pool_list
  changed_when: false
  become: true
 - name: verify volumes exist
  assert:
    that:
@ -31,3 +29,4 @@
  with_items: "{{ libvirt_volumes }}"
  loop_control:
    loop_var: vol
--- a/roles/redfish-emulator/tests/main.yml
+++ b/roles/redfish-emulator/tests/main.yml
@ -7,8 +7,6 @@
 - name: create pool
  include_role:
    name: libvirt-pool
  vars:
    ansible_become: true
 - name: Create defined volumes
  include_role:
    name: libvirt-volume
@ -16,14 +14,11 @@
  vars:
    libvirt_volume: "{{ vol }}"
    volume_action: "{{ vol.action }}"
    ansible_become: true
  loop_control:
    loop_var: vol
 - name: create libvirt domains
  include_role:
    name: libvirt-domain
  vars:
    ansible_become: true
 - name: install sushy-tools
  include_role:
    name: redfish-emulator