From 94e3070641e249450b6ec1aedb18c19ee8f19122 Mon Sep 17 00:00:00 2001
From: Giulio Fidente
Date: Tue, 12 Feb 2019 16:23:00 +0100
Subject: [PATCH] Restrict use of become to minimum necessary for Ceph deployment

We should avoid use of become: true where unnecessary because additional files might get created with the wrong permissions.

Change-Id: I4dc71fd23134a9e4a5b2b6e93d2cf45735e71711
Related-Bug: 1813832
---
 docker/services/ceph-ansible/ceph-base.yaml | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/docker/services/ceph-ansible/ceph-base.yaml b/docker/services/ceph-ansible/ceph-base.yaml
index e26702a32d..f35bfd81f1 100644
--- a/docker/services/ceph-ansible/ceph-base.yaml
+++ b/docker/services/ceph-ansible/ceph-base.yaml
@@ -444,12 +444,12 @@ outputs:
 content: |
 - hosts: all
 gather_facts: no
- become: true
 tasks:
 - name: set nodes data
 set_fact:
 nodes_data: "{% raw %}{{ lookup('file','./nodes_uuid_data.json') | from_json }}{% endraw %}"
 - name: register machine id
+ become: true
 # awk strips unwanted output, see LP bug #1762460
 shell: dmidecode -s system-uuid | awk 'match($0, /[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}/) { print substr($0, RSTART, RLENGTH) }' | tr A-F a-f
 register: machine_uuid
@@ -464,15 +464,16 @@ outputs:
 dest: "{{playbook_dir}}/ceph-ansible/host_vars/{% raw %}{{inventory_hostname}}{% endraw %}.yml"
 - name: ceph_base_external_deploy_task
 when: step == '2'
- become: true
 tags: ceph
 block:
 - name: run nodes-uuid
+ # needs become to be able to read the ssh private key
+ become: true
 shell:
 list_join:
 - ' '
 - - ANSIBLE_LOG_PATH="{{playbook_dir}}/ceph-ansible/nodes_uuid_command.log"
- - ANSIBLE_CONTROL_PATH_DIR="{{playbook_dir}}/ceph-ansible/"
+ - ANSIBLE_SSH_CONTROL_PATH_DIR="{{playbook_dir}}/ceph-ansible/"
 - ANSIBLE_CONFIG="{{playbook_dir}}/ansible.cfg"
 - ANSIBLE_REMOTE_TEMP=/tmp/nodes_uuid_tmp
 - ansible-playbook
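Review bot: The `become: true` added to the "register machine id" task has no comment saying why root is needed, while the two later hunks that add `become: true` do document their reason; the existing comment on this task only explains the awk filter. Suggest a line above `become: true` such as `# dmidecode needs root to read the SMBIOS/DMI table`. Dropping the play-level `become: true` also changes the privilege of every other task in this `hosts: all` play, and the play continues past the hunk (the `dest: .../host_vars/...yml` write shown at the top of the next hunk appears to belong to it), so each remaining task should be checked for writes that only succeeded as root.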
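Review bot: Running `ansible-playbook` under `become: true` so it can read the SSH private key also makes every file this task writes root-owned: `ANSIBLE_LOG_PATH=".../nodes_uuid_command.log"` and the control-socket directory `ANSIBLE_SSH_CONTROL_PATH_DIR=".../ceph-ansible/"` both sit under `{{playbook_dir}}`, which is the wrong-permissions problem the commit message sets out to avoid. The same applies to the "run ceph-ansible" task in the hunk at -582, whose title names `ceph_ansible_command.log` in the same directory. The comment should state that side effect, e.g. `# needs become to read the ssh private key; files this run creates under playbook_dir/ceph-ansible/ will be root-owned`, or a follow-up task should reset ownership of that directory. The switch to `ANSIBLE_SSH_CONTROL_PATH_DIR` is the correct variable name; the argument list of this task continues past the hunk.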
@@ -503,6 +504,7 @@ outputs:
 register: local_backup_directory
 ignore_errors: True
 - name: autocreate new directory for ceph-ansible fetch directory backup
+ become: true
 file:
 path: "{{local_ceph_ansible_fetch_directory_backup}}"
 state: directory
@@ -582,6 +584,8 @@ outputs:
 - '--extra-vars'
 - '@{{playbook_dir}}/ceph-ansible/extra_vars.yml'
 - name: run ceph-ansible (immediate log at {{playbook_dir}}/ceph-ansible/ceph_ansible_command.log)
+ # needs become to be able to read the ssh private key
+ become: true
 shell: |
 set -e
 {% for playbook in ceph_ansible_playbooks %}
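Review bot: The backup directory created by the "autocreate new directory" task under `become: true` gets no `owner`, `group` or `mode`, so it is root-owned with whatever the root umask yields, and unlike the other `become: true` additions in this commit the task carries no comment explaining why root is required. If the fetch directory is later copied into it by a task that does not escalate (not visible in this hunk), that copy will either fail or leave the backup with the permissions the commit message warns about. Suggest a comment above `become: true` giving the actual reason, and setting `owner:`, `group:` and `mode:` explicitly on the `file:` call (for example `mode: "0750"`, with the owner/group being the deploy user — placeholder, confirm against the surrounding playbook).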