From 141b6f2018082280165be310544ed8756a6ded57 Mon Sep 17 00:00:00 2001
From: Xan Manning
Date: Wed, 20 May 2020 18:50:58 +0100
Subject: [PATCH] Numerous bug fixes to do with permissions and regressions. Fix issue #25, check k3s_bind_address for readiness check Fix issue #24, become for tasks that require root
---
.gitignore | 1 +
README.md | 9 ++++++---
defaults/main.yml | 3 +++
handlers/main.yml | 1 +
tasks/build/configure-k3s-cluster.yml | 3 +++
tasks/build/install-docker-amazon.yml | 1 +
tasks/build/install-docker-opensuse-leap.yml | 1 +
tasks/build/install-docker-prerequisites-debian.yml | 3 +++
tasks/build/install-docker-prerequisites-redhat.yml | 4 ++++
tasks/build/install-docker-suse.yml | 1 +
tasks/build/install-docker.yml | 1 +
tasks/teardown/drain-and-remove-nodes.yml | 4 ++++
tasks/teardown/uninstall-docker-amazon.yml | 1 +
tasks/teardown/uninstall-docker-opensuse-leap.yml | 1 +
tasks/teardown/uninstall-docker-prerequisites-debian.yml | 2 ++
tasks/teardown/uninstall-docker-prerequisites-redhat.yml | 1 +
tasks/teardown/uninstall-docker-suse.yml | 1 +
tasks/teardown/uninstall-docker.yml | 1 +
tasks/teardown/uninstall-k3s.yml | 2 ++
19 files changed, 38 insertions(+), 3 deletions(-)
diff --git a/.gitignore b/.gitignore
index c833899..5b9289d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -7,3 +7,4 @@ VAULT_PASS vagramt/fetch vagrant/ubuntu-*.log __pycache__
+ansible.cfg
diff --git a/README.md b/README.md
index 5f2f240..1c7b1f9 100644
--- a/README.md
+++ b/README.md
@@ -81,9 +81,12 @@ consistency. | `k3s_datastore_certfile` | Define the database TLS Cert file. | _NULL_ | | `k3s_datastore_keyfile` | Define the database TLS Key file. | _NULL_ | | `k3s_become_for_all` | Enable become for all (where value for `k3s_become_for_*` is _NULL_ | `false` |
-| `k3s_become_for_systemd` | Enable become for systemd | _NULL_ |
-| `k3s_become_for_install_dir` | Enable become for writing to `k3s_install_dir` | _NULL_ |
-| `k3s_become_for_usr_local_bin` | Enable become for writing to /usr/local/bin/ | _NULL_ |
+| `k3s_become_for_systemd` | Enable become for systemd commands. | _NULL_ |
+| `k3s_become_for_install_dir` | Enable become for writing to `k3s_install_dir`. | _NULL_ |
+| `k3s_become_for_usr_local_bin` | Enable become for writing to `/usr/local/bin/`. | _NULL_ |
+| `k3s_become_for_package_install` | Enable become for installing prerequisite packages. | _NULL_ |
+| `k3s_become_for_kubectl` | Enable become for kubectl commands. | _NULL_ |
+| `k3s_become_for_uninstall` | Enable become for running uninstall scripts. | _NULL_ |
| `k3s_dqlite_datastore` | Use DQLite as the database backend for HA. (EXPERIMENTAL) | `false` | | `k3s_secrets_encryption` | Use secrets encryption at rest. (EXPERIMENTAL) | `false` |
diff --git a/defaults/main.yml b/defaults/main.yml
index dd1baa5..d348e5e 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -109,3 +109,6 @@ k3s_become_for_all: false k3s_become_for_systemd: null k3s_become_for_install_dir: null k3s_become_for_usr_local_bin: null
+k3s_become_for_package_install: null
+k3s_become_for_kubectl: null
+k3s_become_for_uninstall: null
diff --git a/handlers/main.yml b/handlers/main.yml
index d17cfe3..f79c517 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -19,3 +19,4 @@ name: docker state: restarted enabled: true
+ become: "{{ k3s_become_for_systemd | ternary(true, false, k3s_become_for_all) }}"
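Review bot: The three-argument `ternary(true, false, k3s_become_for_all)` on the handler's new `become:` line depends on the filter's `none_val` parameter, which as far as I know exists only in Ansible 2.8 and later; every other `become:` line in this patch (the tasks/build and tasks/teardown files) uses the same expression, so if `meta/main.yml` declares an older `min_ansible_version` it should be raised. A second caveat belongs next to the three defaults added in `defaults/main.yml`: a value given in `-e key=value` form arrives as the string `"false"`, which is truthy, so `ternary` would elevate the task even though the operator asked it not to, and only a real boolean or `null` behaves as the README rows describe. I would add `# k3s_become_for_* must be real booleans or null; a quoted "false" is truthy` above the new defaults.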
diff --git a/tasks/build/configure-k3s-cluster.yml b/tasks/build/configure-k3s-cluster.yml
index a60d346..6b581c5 100644
--- a/tasks/build/configure-k3s-cluster.yml
+++ b/tasks/build/configure-k3s-cluster.yml
@@ -6,6 +6,7 @@ register: k3s_slurped_control_token delegate_to: "{{ k3s_control_delegate }}" when: k3s_control_token is not defined
+ become: "{{ k3s_become_for_kubectl | ternary(true, false, k3s_become_for_all) }}" - name: Ensure NODE_TOKEN is formatted correctly for use in templates set_fact:
@@ -35,6 +36,7 @@ - name: Wait for control plane to be ready to accept connections wait_for: port: "{{ k3s_https_port }}"
+ host: "{{ k3s_bind_address | default('127.0.0.1') }}"
delay: 5 sleep: 5 timeout: 300
@@ -52,3 +54,4 @@ retries: 30 delay: 20 when: k3s_control_node and not k3s_no_flannel
+ become: "{{ k3s_become_for_kubectl | ternary(true, false, k3s_become_for_all) }}"
diff --git a/tasks/build/install-docker-amazon.yml b/tasks/build/install-docker-amazon.yml
index cd24d37..9411787 100644
--- a/tasks/build/install-docker-amazon.yml
+++ b/tasks/build/install-docker-amazon.yml
@@ -6,5 +6,6 @@ creates: /etc/docker notify: - restart docker
+ become: "{{ k3s_become_for_package_install | ternary(true, false, k3s_become_for_all) }}" - meta: flush_handlers
diff --git a/tasks/build/install-docker-opensuse-leap.yml b/tasks/build/install-docker-opensuse-leap.yml
index 5135bd2..520848b 100644
--- a/tasks/build/install-docker-opensuse-leap.yml
+++ b/tasks/build/install-docker-opensuse-leap.yml
@@ -10,5 +10,6 @@ delay: 10 notify: - restart docker
+ become: "{{ k3s_become_for_package_install | ternary(true, false, k3s_become_for_all) }}" - meta: flush_handlers
diff --git a/tasks/build/install-docker-prerequisites-debian.yml b/tasks/build/install-docker-prerequisites-debian.yml
index 379755b..cce2984 100644
--- a/tasks/build/install-docker-prerequisites-debian.yml
+++ b/tasks/build/install-docker-prerequisites-debian.yml
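Review bot: In the second `configure-k3s-cluster.yml` hunk, `host: "{{ k3s_bind_address | default('127.0.0.1') }}"` passes the listen address straight to `wait_for`, but a wildcard bind address such as `0.0.0.0` or `::` is not a destination; whether a connect to it reaches the local listener is platform-dependent, so the readiness wait can time out even though the API is already up. I would map the wildcards back to loopback: `host: "{{ '127.0.0.1' if k3s_bind_address | default('127.0.0.1') in ['0.0.0.0', '::'] else k3s_bind_address | default('127.0.0.1') }}"`. In the first hunk, the task that registers `k3s_slurped_control_token` now runs with become; that value is the cluster join token (its module line sits above the hunk), so `no_log: true` on the same task would keep it out of verbose output and callback logs.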
@@ -10,6 +10,7 @@ - software-properties-common state: present register: ensure_docker_prerequisites_installed
+ become: "{{ k3s_become_for_package_install | ternary(true, false, k3s_become_for_all) }}"
until: ensure_docker_prerequisites_installed is succeeded retries: 3 delay: 10
@@ -18,9 +19,11 @@ apt_key: url: https://download.docker.com/linux/{{ ansible_distribution | lower }}/gpg state: present
+ become: "{{ k3s_become_for_package_install | ternary(true, false, k3s_become_for_all) }}" - name: Ensure Docker repository is installed and configured apt_repository: filename: docker-ce repo: "deb https://download.docker.com/linux/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} stable" update_cache: true
+ become: "{{ k3s_become_for_package_install | ternary(true, false, k3s_become_for_all) }}"
diff --git a/tasks/build/install-docker-prerequisites-redhat.yml b/tasks/build/install-docker-prerequisites-redhat.yml
index b60ebc9..0c55483 100644
--- a/tasks/build/install-docker-prerequisites-redhat.yml
+++ b/tasks/build/install-docker-prerequisites-redhat.yml
@@ -5,6 +5,7 @@ name: "{{ 'python-dnf' if ansible_python_version is version_compare('3.0.0', '<') else 'python3-dnf' }}" state: present register: ensure_python_dnf_installed
+ become: "{{ k3s_become_for_package_install | ternary(true, false, k3s_become_for_all) }}"
until: ensure_python_dnf_installed is succeeded retries: 3 delay: 10
@@ -21,6 +22,7 @@ until: ensure_docker_prerequisites_installed is succeeded retries: 3 delay: 10
+ become: "{{ k3s_become_for_package_install | ternary(true, false, k3s_become_for_all) }}" - name: Check to see if Docker repository is available for this distribution uri:
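Review bot: The `apt_key` task in the second `install-docker-prerequisites-debian.yml` hunk now runs as root and imports whatever `https://download.docker.com/linux/.../gpg` serves into apt's trusted keyring without an `id:`; TLS protects the transport, not the content, and the module's `id` parameter is the only check that the key which ended up in the keyring is the expected one (the module fails when no key with that id is present after the import). I would add `id: <DOCKER_APT_KEY_FINGERPRINT>` next to `url:` (placeholder — take the fingerprint from Docker's published documentation, not from the download itself). The enclosing task list continues below the hunk.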
@@ -40,6 +42,7 @@ state: present when: ansible_distribution | lower not in ['amazon'] and k3s_redhat_repo_check.status == 200
+ become: "{{ k3s_become_for_package_install | ternary(true, false, k3s_become_for_all) }}" - name: Ensure Docker repository is installed and configured from file command: yum-config-manager --add-repo=https://download.docker.com/linux/centos/docker-ce.repo
@@ -47,3 +50,4 @@ creates: /etc/yum.repos.d/docker-ce.repo when: ansible_distribution | lower not in ['amazon'] and k3s_redhat_repo_check.status != 200
+ become: "{{ k3s_become_for_package_install | ternary(true, false, k3s_become_for_all) }}"
diff --git a/tasks/build/install-docker-suse.yml b/tasks/build/install-docker-suse.yml
index 5135bd2..520848b 100644
--- a/tasks/build/install-docker-suse.yml
+++ b/tasks/build/install-docker-suse.yml
@@ -10,5 +10,6 @@ delay: 10 notify: - restart docker
+ become: "{{ k3s_become_for_package_install | ternary(true, false, k3s_become_for_all) }}" - meta: flush_handlers
diff --git a/tasks/build/install-docker.yml b/tasks/build/install-docker.yml
index de3577b..707d8ff 100644
--- a/tasks/build/install-docker.yml
+++ b/tasks/build/install-docker.yml
@@ -13,5 +13,6 @@ delay: 10 notify: - restart docker
+ become: "{{ k3s_become_for_package_install | ternary(true, false, k3s_become_for_all) }}" - meta: flush_handlers
diff --git a/tasks/teardown/drain-and-remove-nodes.yml b/tasks/teardown/drain-and-remove-nodes.yml
index 175dae5..0392519 100644
--- a/tasks/teardown/drain-and-remove-nodes.yml
+++ b/tasks/teardown/drain-and-remove-nodes.yml
@@ -4,6 +4,7 @@ stat: path: "{{ k3s_install_dir }}/kubectl" register: k3s_check_kubectl
+ become: "{{ k3s_become_for_kubectl | ternary(true, false, k3s_become_for_all) }}" - name: Clean up nodes that are in an uninstalled state block:
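Review bot: The `stat` of `{{ k3s_install_dir }}/kubectl` in the first `drain-and-remove-nodes.yml` hunk is now elevated via `k3s_become_for_kubectl`, although reading a file's metadata needs no privilege unless `k3s_install_dir` itself is not traversable by the connecting user; elevating a read-only probe widens what runs as root without gaining anything. If the install directory is expected to be root-only, a comment such as `# become: k3s_install_dir may not be traversable by the connecting user` above the task would justify it; otherwise I would drop `become:` here and keep it on the `kubectl` invocations that follow. The `block:` that opens at the end of this hunk continues outside it.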
@@ -15,6 +16,7 @@ delegate_to: "{{ k3s_control_delegate }}" run_once: true register: kubectl_get_nodes_result
+ become: "{{ k3s_become_for_kubectl | ternary(true, false, k3s_become_for_all) }}" - name: Ensure uninstalled nodes are drained command: "{{ k3s_install_dir }}/kubectl drain {{ item }} --ignore-daemonsets"
@@ -24,6 +26,7 @@ and hostvars[item].k3s_cluster_state is defined and hostvars[item].k3s_cluster_state == 'uninstalled' loop: "{{ play_hosts }}"
+ become: "{{ k3s_become_for_kubectl | ternary(true, false, k3s_become_for_all) }}" - name: Ensure uninstalled nodes are removed command: "{{ k3s_install_dir }}/kubectl delete node {{ item }}"
@@ -33,6 +36,7 @@ and hostvars[item].k3s_cluster_state is defined and hostvars[item].k3s_cluster_state == 'uninstalled' loop: "{{ play_hosts }}"
+ become: "{{ k3s_become_for_kubectl | ternary(true, false, k3s_become_for_all) }}"
when: k3s_check_kubectl.stat.exists is defined and k3s_check_kubectl.stat.exists
diff --git a/tasks/teardown/uninstall-docker-amazon.yml b/tasks/teardown/uninstall-docker-amazon.yml
index 5d78cc3..e8f2086 100644
--- a/tasks/teardown/uninstall-docker-amazon.yml
+++ b/tasks/teardown/uninstall-docker-amazon.yml
@@ -4,3 +4,4 @@ command: amazon-linux-extras uninstall docker register: uninstall_docker_from_amazon_linux changed_when: uninstall_docker_from_amazon_linux.rc == 0
+ become: "{{ k3s_become_for_uninstall | ternary(true, false, k3s_become_for_all) }}"
diff --git a/tasks/teardown/uninstall-docker-opensuse-leap.yml b/tasks/teardown/uninstall-docker-opensuse-leap.yml
index 115f965..ceac7e7 100644
--- a/tasks/teardown/uninstall-docker-opensuse-leap.yml
+++ b/tasks/teardown/uninstall-docker-opensuse-leap.yml
@@ -8,3 +8,4 @@ until: ensure_docker_uninstalled is succeeded retries: 3 delay: 10
+ become: "{{ k3s_become_for_uninstall | ternary(true, false, k3s_become_for_all) }}"
diff --git a/tasks/teardown/uninstall-docker-prerequisites-debian.yml b/tasks/teardown/uninstall-docker-prerequisites-debian.yml
index ba76a6e..d1e6544 100644
--- a/tasks/teardown/uninstall-docker-prerequisites-debian.yml
+++ b/tasks/teardown/uninstall-docker-prerequisites-debian.yml
@@ -6,8 +6,10 @@ repo: "deb https://download.docker.com/linux/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} stable" update_cache: false state: absent
+ become: "{{ k3s_become_for_uninstall | ternary(true, false, k3s_become_for_all) }}" - name: Ensure Docker APT key is uninstalled apt_key: url: https://download.docker.com/linux/{{ ansible_distribution | lower }}/gpg state: absent
+ become: "{{ k3s_become_for_uninstall | ternary(true, false, k3s_become_for_all) }}"
diff --git a/tasks/teardown/uninstall-docker-prerequisites-redhat.yml b/tasks/teardown/uninstall-docker-prerequisites-redhat.yml
index f25a88b..fcb30d7 100644
--- a/tasks/teardown/uninstall-docker-prerequisites-redhat.yml
+++ b/tasks/teardown/uninstall-docker-prerequisites-redhat.yml
@@ -10,3 +10,4 @@ gpgcheck: true state: absent when: ansible_distribution | lower not in ['amazon']
+ become: "{{ k3s_become_for_uninstall | ternary(true, false, k3s_become_for_all) }}"
diff --git a/tasks/teardown/uninstall-docker-suse.yml b/tasks/teardown/uninstall-docker-suse.yml
index ed66b9b..18ece61 100644
--- a/tasks/teardown/uninstall-docker-suse.yml
+++ b/tasks/teardown/uninstall-docker-suse.yml
@@ -8,3 +8,4 @@ until: ensure_docker_uninstalled is succeeded retries: 3 delay: 10
+ become: "{{ k3s_become_for_uninstall | ternary(true, false, k3s_become_for_all) }}"
diff --git a/tasks/teardown/uninstall-docker.yml b/tasks/teardown/uninstall-docker.yml
index 8da22d1..19edb65 100644
--- a/tasks/teardown/uninstall-docker.yml
+++ b/tasks/teardown/uninstall-docker.yml
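Review bot: The `Ensure Docker APT key is uninstalled` task in the `uninstall-docker-prerequisites-debian.yml` hunk now has root via `become:`, but it still identifies the key only by `url:` with `state: absent`; as far as I recall `apt_key` refuses `state: absent` without an `id` ("key is required"), and even where it does not, removal by URL means re-downloading a key in order to delete it, which makes the teardown depend on an outbound fetch. I would add `id: <DOCKER_APT_KEY_FINGERPRINT>` (placeholder — the fingerprint from Docker's published documentation) to this task so the removal is local and deterministic, and the new `become:` line then has a task that can actually succeed.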
@@ -11,3 +11,4 @@ until: ensure_docker_uninstalled is succeeded retries: 3 delay: 10
+ become: "{{ k3s_become_for_uninstall | ternary(true, false, k3s_become_for_all) }}"
diff --git a/tasks/teardown/uninstall-k3s.yml b/tasks/teardown/uninstall-k3s.yml
index 120a3a7..e9c5217 100644
--- a/tasks/teardown/uninstall-k3s.yml
+++ b/tasks/teardown/uninstall-k3s.yml
@@ -21,6 +21,7 @@ register: k3s_killall changed_when: k3s_killall.rc == 0 when: check_k3s_killall_script.stat.exists
+ become: "{{ k3s_become_for_uninstall | ternary(true, false, k3s_become_for_all) }}" - name: Run k3s-uninstall.sh command: /usr/local/bin/k3s-uninstall.sh
@@ -29,6 +30,7 @@ register: k3s_uninstall changed_when: k3s_uninstall.rc == 0 when: check_k3s_uninstall_script.stat.exists
+ become: "{{ k3s_become_for_uninstall | ternary(true, false, k3s_become_for_all) }}" - name: Clean up Docker command: docker system prune -a --force
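Review bot: The `Clean up Docker` task that closes the second `uninstall-k3s.yml` hunk still has no `become:`, although `docker system prune -a --force` needs the Docker socket just as the `k3s-uninstall.sh` call above it needs root; unless a `become:` is set in the rest of that task (its remaining keys are outside the hunk), it fails for a connecting user outside the `docker` group and the teardown stops after k3s has already been removed. I would add `become: "{{ k3s_become_for_uninstall | ternary(true, false, k3s_become_for_all) }}"` to it as well, matching the two tasks above. `-a --force` also deletes every unused image and container on the host, not only k3s-related ones, which deserves a comment such as `# prunes all unused images/containers on the host, not just k3s workloads` so operators sharing the node with other Docker workloads are not surprised.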