Install distro_packages in pre-main

Main tasks are executed in a serial manner, so all keystone containers except the first one end up not having rsync and sshd isntalled, while we attempt to distribute fernet tokens once running against first host. So we move installation of distro_packages to pre-main step that is run in advance without serial approach. This is alternative approach to [1]. [1] https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/889936 Needed-By: https://review.opendev.org/c/openstack/openstack-ansible-lxc_hosts/+/889945 Change-Id: Ia53932f60d271b8f2843b880e024caacc7ae5c3f
2023-07-28 11:29:58 +02:00 · 2023-07-28 11:29:58 +02:00 · a51651213d
parent f66934de35
commit a51651213d
3 changed files with 55 additions and 0 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -681,3 +681,15 @@ keystone_ssh_keypairs_install_ca: "{{ openstack_ssh_keypairs_authorities }}"
 keystone_ssh_keypairs_principals:
  - user: "{{ keystone_system_user_name }}"
    principals: "{{ keystone_ssh_key_principals | default(['keystone']) }}"
+
+keystone_ssh_extra_configuration:
+  - regexp: "^PermitRootLogin"
+    line: "PermitRootLogin prohibit-password"
+  - regexp: "^TCPKeepAlive"
+    line: "TCPKeepAlive yes"
+  - regexp: "^UseDNS"
+    line: "UseDNS no"
+  - regexp: "^X11Forwarding"
+    line: "X11Forwarding no"
+  - regexp: "^PasswordAuthentication"
+    line: "PasswordAuthentication no"
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -95,6 +95,11 @@
  retries: 5
  delay: 2

+- name: Restart ssh
+  service:
+    name: "sshd"
+    state: "restarted"
+
 - name: Flush all of the cache in memcached
  vars:
    nc_command:
--- a/tasks/main_pre.yml
+++ b/tasks/main_pre.yml
@ -13,6 +13,21 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

+- name: Gather variables for each operating system
+  include_vars: "{{ lookup('first_found', params) }}"
+  vars:
+    params:
+      files:
+        - "{{ ansible_facts['distribution'] | lower }}-{{ ansible_facts['distribution_version'] | lower }}.yml"
+        - "{{ ansible_facts['distribution'] | lower }}-{{ ansible_facts['distribution_major_version'] | lower }}.yml"
+        - "{{ ansible_facts['os_family'] | lower }}-{{ ansible_facts['distribution_major_version'] | lower }}.yml"
+        - "{{ ansible_facts['distribution'] | lower }}.yml"
+        - "{{ ansible_facts['os_family'] | lower }}.yml"
+      paths:
+        - "{{ role_path }}/vars"
+  tags:
+    - always
+
 - name: Create system groups
  group:
    name: "{{ item }}"
@ -64,6 +79,29 @@
      owner: root
      group: root

+- name: Install distro packages
+  package:
+    name: "{{ keystone_distro_packages }}"
+    state: "{{ keystone_package_state }}"
+    update_cache: "{{ (ansible_facts['pkg_mgr'] == 'apt') | ternary('yes', omit) }}"
+    cache_valid_time: "{{ (ansible_facts['pkg_mgr'] == 'apt') | ternary(cache_timeout, omit) }}"
+  register: install_packages
+  until: install_packages is success
+  retries: 5
+  delay: 2
+  notify:
+    - Restart ssh
+
+- name: Adjust sshd configuration in container
+  lineinfile:
+    dest: "/etc/ssh/sshd_config"
+    regexp: "{{ item.regexp }}"
+    line: "{{ item.line }}"
+    state: present
+  with_items: "{{ keystone_ssh_extra_configuration }}"
+  notify:
+    - Restart ssh
+
 - name: Importing keystone_key_setup tasks
  import_tasks: keystone_key_setup.yml
  tags: